fix(kubernetes): kube env permissions when down [EE-5427] (#10327)
This commit is contained in:
parent
cc37ccfe4d
commit
14853f6da0
18 changed files with 282 additions and 103 deletions
@ -7,7 +7,6 @@ import (
|
|||
|
||||
portainer "github.com/portainer/portainer/api"
|
||||
"github.com/portainer/portainer/api/dataservices"
|
||||
"github.com/portainer/portainer/api/http/utils"
|
||||
"github.com/portainer/portainer/api/internal/tag"
|
||||
httperror "github.com/portainer/portainer/pkg/libhttp/error"
|
||||
"github.com/portainer/portainer/pkg/libhttp/request"
|
||||
|
@ -156,9 +155,12 @@ func (handler *Handler) updateEndpointGroup(tx dataservices.DataStoreTx, endpoin
|
|||
err = handler.AuthorizationService.CleanNAPWithOverridePolicies(tx, &endpoint, endpointGroup)
|
||||
if err != nil {
|
||||
// Update flag with endpoint and continue
|
||||
endpoint.PendingActions = utils.GetUpdatedEndpointPendingActions(&endpoint, "CleanNAPWithOverridePolicies", endpointGroup.ID)
|
||||
err = tx.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
|
||||
log.Warn().Err(err).Msgf("Unable to update user authorizations for endpoint (%d) and endpopint group (%d)", endpoint.ID, endpointGroup.ID)
|
||||
handler.PendingActionsService.Create(portainer.PendingActions{
|
||||
EndpointID: endpoint.ID,
|
||||
Action: "CleanNAPWithOverridePolicies",
|
||||
ActionData: endpointGroup.ID,
|
||||
})
|
||||
log.Warn().Err(err).Msgf("Unable to update user authorizations for endpoint (%d) and endpoint group (%d).", endpoint.ID, endpointGroup.ID)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
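Review bot: The value returned by `handler.PendingActionsService.Create(...)` in the new error branch is discarded, so if persisting the pending action fails, the namespace-access cleanup for this group is lost with nothing logged — the stale policies the pending action exists to revoke would stay in place until some other trigger. If `Create` reports an error (its signature is not in this hunk), capture it: `if createErr := handler.PendingActionsService.Create(...); createErr != nil { log.Error().Err(createErr).Msgf("Unable to record pending action for endpoint (%d)", endpoint.ID) }`. Note also that the surrounding work runs inside `tx`, while `Create` is called on the service rather than through the transaction, so a later rollback of `tx` would presumably leave the pending action behind (or the reverse); worth confirming that is acceptable. `updateEndpointGroup` starts before this hunk.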
@ -6,6 +6,7 @@ import (
|
|||
"github.com/portainer/portainer/api/dataservices"
|
||||
"github.com/portainer/portainer/api/http/security"
|
||||
"github.com/portainer/portainer/api/internal/authorization"
|
||||
"github.com/portainer/portainer/api/pendingactions"
|
||||
httperror "github.com/portainer/portainer/pkg/libhttp/error"
|
||||
|
||||
"github.com/gorilla/mux"
|
||||
|
@ -14,8 +15,9 @@ import (
|
|||
// Handler is the HTTP handler used to handle environment(endpoint) group operations.
|
||||
type Handler struct {
|
||||
*mux.Router
|
||||
AuthorizationService *authorization.Service
|
||||
DataStore dataservices.DataStore
|
||||
AuthorizationService *authorization.Service
|
||||
DataStore dataservices.DataStore
|
||||
PendingActionsService *pendingactions.PendingActionsService
|
||||
}
|
||||
|
||||
// NewHandler creates a handler to manage environment(endpoint) group operations.
|
||||
|
|
|
@ -4,7 +4,6 @@ import (
|
|||
"net/http"
|
||||
|
||||
portainer "github.com/portainer/portainer/api"
|
||||
"github.com/portainer/portainer/api/http/utils"
|
||||
"github.com/portainer/portainer/api/internal/endpointutils"
|
||||
httperror "github.com/portainer/portainer/pkg/libhttp/error"
|
||||
"github.com/portainer/portainer/pkg/libhttp/request"
|
||||
|
@ -79,8 +78,8 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
|
|||
}
|
||||
}
|
||||
|
||||
// Run the pending actions
|
||||
utils.RunPendingActions(endpoint, handler.DataStore, handler.AuthorizationService)
|
||||
// Execute endpoint pending actions
|
||||
handler.PendingActionsService.Execute(endpoint.ID)
|
||||
|
||||
return response.JSON(w, endpoint)
|
||||
}
|
||||
|
|
|
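Review bot: `handler.PendingActionsService.Execute(endpoint.ID)` performs a privileged write (the deferred namespace-policy cleanup) synchronously from a read-only inspect request and its outcome is discarded, so a failed or partial execution is invisible to both the caller and the logs. The call it replaces had the same shape, but since the inspect path is the trigger, at least log the result: `if err := handler.PendingActionsService.Execute(endpoint.ID); err != nil { log.Warn().Err(err).Int("endpoint_id", int(endpoint.ID)).Msg("unable to execute pending actions") }` (assuming `Execute` returns an error; `zerolog/log` is not among this file's visible imports and would need adding). The `endpoint` serialized on the following line was loaded before `Execute` ran, so if an action mutates the endpoint the response may be stale — presumably acceptable, but confirm. `endpointInspect` starts before this hunk.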
@ -196,7 +196,7 @@ func setupEndpointListHandler(t *testing.T, endpoints []portainer.Endpoint) *Han
|
|||
handler := NewHandler(bouncer, nil)
|
||||
handler.DataStore = store
|
||||
handler.ComposeStackManager = testhelpers.NewComposeStackManager()
|
||||
handler.SnapshotService, _ = snapshot.NewService("1s", store, nil, nil, nil)
|
||||
handler.SnapshotService, _ = snapshot.NewService("1s", store, nil, nil, nil, nil)
|
||||
|
||||
return handler
|
||||
}
|
||||
|
|
|
@ -12,6 +12,7 @@ import (
|
|||
httperror "github.com/portainer/portainer/pkg/libhttp/error"
|
||||
"github.com/portainer/portainer/pkg/libhttp/request"
|
||||
"github.com/portainer/portainer/pkg/libhttp/response"
|
||||
"github.com/rs/zerolog/log"
|
||||
)
|
||||
|
||||
type endpointUpdatePayload struct {
|
||||
|
@ -264,7 +265,12 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
|
|||
if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
|
||||
err = handler.AuthorizationService.CleanNAPWithOverridePolicies(handler.DataStore, endpoint, nil)
|
||||
if err != nil {
|
||||
return httperror.InternalServerError("Unable to update user authorizations", err)
|
||||
handler.PendingActionsService.Create(portainer.PendingActions{
|
||||
EndpointID: endpoint.ID,
|
||||
Action: "CleanNAPWithOverridePolicies",
|
||||
ActionData: nil,
|
||||
})
|
||||
log.Warn().Err(err).Msgf("Unable to clean NAP with override policies for endpoint (%d). Will try to update when endpoint is online.", endpoint.ID)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
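Review bot: The new branch defers every failure of `CleanNAPWithOverridePolicies`, not only the environment-unreachable case the commit targets, and the update then completes as a success from the caller's perspective. A cleanup that fails against an online cluster (RBAC error, a bug in the policy code) is now logged at warn level and retried later instead of surfacing as the 500 it did before, and until the retry succeeds users keep namespace access the update was meant to revoke. If the error returned for an offline environment is distinguishable, match it (`errors.Is`/`errors.As` on the returned error) and keep the `InternalServerError` return for anything else; also check the value returned by `PendingActionsService.Create` if it reports errors. Each repeated update while the environment is down calls `Create` again with `ActionData: nil` — whether that is deduplicated is not visible here. `endpointUpdate` begins before this hunk.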
@ -10,6 +10,7 @@ import (
|
|||
"github.com/portainer/portainer/api/http/security"
|
||||
"github.com/portainer/portainer/api/internal/authorization"
|
||||
"github.com/portainer/portainer/api/kubernetes/cli"
|
||||
"github.com/portainer/portainer/api/pendingactions"
|
||||
httperror "github.com/portainer/portainer/pkg/libhttp/error"
|
||||
|
||||
"github.com/gorilla/mux"
|
||||
|
@ -25,18 +26,19 @@ func hideFields(endpoint *portainer.Endpoint) {
|
|||
// Handler is the HTTP handler used to handle environment(endpoint) operations.
|
||||
type Handler struct {
|
||||
*mux.Router
|
||||
requestBouncer security.BouncerService
|
||||
demoService *demo.Service
|
||||
DataStore dataservices.DataStore
|
||||
FileService portainer.FileService
|
||||
ProxyManager *proxy.Manager
|
||||
ReverseTunnelService portainer.ReverseTunnelService
|
||||
SnapshotService portainer.SnapshotService
|
||||
K8sClientFactory *cli.ClientFactory
|
||||
ComposeStackManager portainer.ComposeStackManager
|
||||
AuthorizationService *authorization.Service
|
||||
BindAddress string
|
||||
BindAddressHTTPS string
|
||||
requestBouncer security.BouncerService
|
||||
demoService *demo.Service
|
||||
DataStore dataservices.DataStore
|
||||
FileService portainer.FileService
|
||||
ProxyManager *proxy.Manager
|
||||
ReverseTunnelService portainer.ReverseTunnelService
|
||||
SnapshotService portainer.SnapshotService
|
||||
K8sClientFactory *cli.ClientFactory
|
||||
ComposeStackManager portainer.ComposeStackManager
|
||||
AuthorizationService *authorization.Service
|
||||
BindAddress string
|
||||
BindAddressHTTPS string
|
||||
PendingActionsService *pendingactions.PendingActionsService
|
||||
}
|
||||
|
||||
// NewHandler creates a handler to manage environment(endpoint) operations.
|
||||
|
|
|
@ -64,6 +64,7 @@ import (
|
|||
"github.com/portainer/portainer/api/internal/upgrade"
|
||||
k8s "github.com/portainer/portainer/api/kubernetes"
|
||||
"github.com/portainer/portainer/api/kubernetes/cli"
|
||||
"github.com/portainer/portainer/api/pendingactions"
|
||||
"github.com/portainer/portainer/api/scheduler"
|
||||
"github.com/portainer/portainer/api/stacks/deployments"
|
||||
"github.com/portainer/portainer/pkg/libhelm"
|
||||
|
@ -110,6 +111,7 @@ type Server struct {
|
|||
DemoService *demo.Service
|
||||
UpgradeService upgrade.Service
|
||||
AdminCreationDone chan struct{}
|
||||
PendingActionsService *pendingactions.PendingActionsService
|
||||
}
|
||||
|
||||
// Start starts the HTTP server
|
||||
|
@ -178,12 +180,14 @@ func (server *Server) Start() error {
|
|||
endpointHandler.AuthorizationService = server.AuthorizationService
|
||||
endpointHandler.BindAddress = server.BindAddress
|
||||
endpointHandler.BindAddressHTTPS = server.BindAddressHTTPS
|
||||
endpointHandler.PendingActionsService = server.PendingActionsService
|
||||
|
||||
var endpointEdgeHandler = endpointedge.NewHandler(requestBouncer, server.DataStore, server.FileService, server.ReverseTunnelService)
|
||||
|
||||
var endpointGroupHandler = endpointgroups.NewHandler(requestBouncer)
|
||||
endpointGroupHandler.AuthorizationService = server.AuthorizationService
|
||||
endpointGroupHandler.DataStore = server.DataStore
|
||||
endpointGroupHandler.PendingActionsService = server.PendingActionsService
|
||||
|
||||
var endpointProxyHandler = endpointproxy.NewHandler(requestBouncer)
|
||||
endpointProxyHandler.DataStore = server.DataStore
|
||||
|
|
|
@ -1,61 +0,0 @@
|
|||
package utils
|
||||
|
||||
import (
|
||||
portainer "github.com/portainer/portainer/api"
|
||||
"github.com/portainer/portainer/api/dataservices"
|
||||
"github.com/portainer/portainer/api/internal/authorization"
|
||||
"github.com/rs/zerolog/log"
|
||||
)
|
||||
|
||||
func EndpointPendingActions(endpoint *portainer.Endpoint) *portainer.EndpointPendingActions {
|
||||
return endpoint.PendingActions
|
||||
}
|
||||
|
||||
func GetUpdatedEndpointPendingActions(endpoint *portainer.Endpoint, action string, value interface{}) *portainer.EndpointPendingActions {
|
||||
if endpoint.PendingActions == nil {
|
||||
endpoint.PendingActions = &portainer.EndpointPendingActions{}
|
||||
}
|
||||
|
||||
switch action {
|
||||
case "CleanNAPWithOverridePolicies":
|
||||
endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups = append(endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups, value.(portainer.EndpointGroupID))
|
||||
}
|
||||
|
||||
return endpoint.PendingActions
|
||||
}
|
||||
|
||||
func RunPendingActions(endpoint *portainer.Endpoint, dataStore dataservices.DataStoreTx, authorizationService *authorization.Service) error {
|
||||
|
||||
if endpoint.PendingActions == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
log.Info().Msgf("Running pending actions for endpoint %d", endpoint.ID)
|
||||
|
||||
if endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups != nil {
|
||||
log.Info().Int("endpoint_id", int(endpoint.ID)).Msgf("Cleaning NAP with override policies for endpoint groups %v", endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups)
|
||||
failedEndpointGroupIDs := make([]portainer.EndpointGroupID, 0)
|
||||
for _, endpointGroupID := range endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups {
|
||||
endpointGroup, err := dataStore.EndpointGroup().Read(portainer.EndpointGroupID(endpointGroupID))
|
||||
if err != nil {
|
||||
log.Error().Err(err).Msgf("Error reading endpoint group to clean NAP with override policies for endpoint %d and endpoint group %d", endpoint.ID, endpointGroup.ID)
|
||||
failedEndpointGroupIDs = append(failedEndpointGroupIDs, endpointGroupID)
|
||||
continue
|
||||
}
|
||||
err = authorizationService.CleanNAPWithOverridePolicies(dataStore, endpoint, endpointGroup)
|
||||
if err != nil {
|
||||
failedEndpointGroupIDs = append(failedEndpointGroupIDs, endpointGroupID)
|
||||
log.Error().Err(err).Msgf("Error cleaning NAP with override policies for endpoint %d and endpoint group %d", endpoint.ID, endpointGroup.ID)
|
||||
}
|
||||
}
|
||||
|
||||
endpoint.PendingActions.CleanNAPWithOverridePolicies.EndpointGroups = failedEndpointGroupIDs
|
||||
err := dataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
|
||||
if err != nil {
|
||||
log.Error().Err(err).Msgf("While running pending actions, error updating endpoint %d", endpoint.ID)
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|