refactor(azure): remove Azure ACI endpoint support (#3803)

* feat(templates): remove template management features (#3719) * feat(api): remove template management features * feat(templates): remove template management features * refactor(azure): remove Azure ACI endpoint support
2025-07-24 15:59:41 +02:00 · 2020-05-19 15:08:57 +12:00 · 2020-05-19 15:08:57 +12:00 · 493de20540
commit 493de20540
parent 6b41b5ec5d
65 changed files with 47 additions and 1791 deletions
--- a/api/http/client/client.go
+++ b/api/http/client/client.go
@ -2,12 +2,9 @@ package client

 import (
 	"crypto/tls"
-	"encoding/json"
-	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
-	"net/url"
 	"strings"
 	"time"

@ -19,55 +16,6 @@ const (
 	defaultHTTPTimeout       = 5
 )

-// HTTPClient represents a client to send HTTP requests.
-type HTTPClient struct {
-	*http.Client
-}
-
-// NewHTTPClient is used to build a new HTTPClient.
-func NewHTTPClient() *HTTPClient {
-	return &HTTPClient{
-		&http.Client{
-			Timeout: time.Second * time.Duration(defaultHTTPTimeout),
-		},
-	}
-}
-
-// AzureAuthenticationResponse represents an Azure API authentication response.
-type AzureAuthenticationResponse struct {
-	AccessToken string `json:"access_token"`
-	ExpiresOn   string `json:"expires_on"`
-}
-
-// ExecuteAzureAuthenticationRequest is used to execute an authentication request
-// against the Azure API. It re-uses the same http.Client.
-func (client *HTTPClient) ExecuteAzureAuthenticationRequest(credentials *portainer.AzureCredentials) (*AzureAuthenticationResponse, error) {
-	loginURL := fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/token", credentials.TenantID)
-	params := url.Values{
-		"grant_type":    {"client_credentials"},
-		"client_id":     {credentials.ApplicationID},
-		"client_secret": {credentials.AuthenticationKey},
-		"resource":      {"https://management.azure.com/"},
-	}
-
-	response, err := client.PostForm(loginURL, params)
-	if err != nil {
-		return nil, err
-	}
-
-	if response.StatusCode != http.StatusOK {
-		return nil, portainer.ErrAzureInvalidCredentials
-	}
-
-	var token AzureAuthenticationResponse
-	err = json.NewDecoder(response.Body).Decode(&token)
-	if err != nil {
-		return nil, err
-	}
-
-	return &token, nil
-}
-
 // Get executes a simple HTTP GET to the specified URL and returns
 // the content of the response body. Timeout can be specified via the timeout parameter,
 // will default to defaultHTTPTimeout if set to 0.
--- a/api/http/handler/endpointproxy/handler.go
+++ b/api/http/handler/endpointproxy/handler.go
@ -24,8 +24,6 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		Router:         mux.NewRouter(),
 		requestBouncer: bouncer,
 	}
-	h.PathPrefix("/{id}/azure").Handler(
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToAzureAPI)))
 	h.PathPrefix("/{id}/docker").Handler(
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToDockerAPI)))
 	h.PathPrefix("/{id}/storidge").Handler(
--- a/api/http/handler/endpointproxy/proxy_azure.go
+++ b/api/http/handler/endpointproxy/proxy_azure.go
@ -1,43 +0,0 @@
-package endpointproxy
-
-import (
-	"strconv"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/portainer/api"
-
-	"net/http"
-)
-
-func (handler *Handler) proxyRequestsToAzureAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
-	}
-
-	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
-	}
-
-	err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint, false)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
-	}
-
-	var proxy http.Handler
-	proxy = handler.ProxyManager.GetEndpointProxy(endpoint)
-	if proxy == nil {
-		proxy, err = handler.ProxyManager.CreateAndRegisterEndpointProxy(endpoint)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create proxy", err}
-		}
-	}
-
-	id := strconv.Itoa(endpointID)
-	http.StripPrefix("/"+id+"/azure", proxy).ServeHTTP(w, r)
-	return nil
-}
--- a/api/http/handler/endpoints/endpoint_create.go
+++ b/api/http/handler/endpoints/endpoint_create.go
@ -18,21 +18,18 @@ import (
 )

 type endpointCreatePayload struct {
-	Name                   string
-	URL                    string
-	EndpointType           int
-	PublicURL              string
-	GroupID                int
-	TLS                    bool
-	TLSSkipVerify          bool
-	TLSSkipClientVerify    bool
-	TLSCACertFile          []byte
-	TLSCertFile            []byte
-	TLSKeyFile             []byte
-	AzureApplicationID     string
-	AzureTenantID          string
-	AzureAuthenticationKey string
-	TagIDs                 []portainer.TagID
+	Name                string
+	URL                 string
+	EndpointType        int
+	PublicURL           string
+	GroupID             int
+	TLS                 bool
+	TLSSkipVerify       bool
+	TLSSkipClientVerify bool
+	TLSCACertFile       []byte
+	TLSCertFile         []byte
+	TLSKeyFile          []byte
+	TagIDs              []portainer.TagID
 }

 func (payload *endpointCreatePayload) Validate(r *http.Request) error {
@ -44,7 +41,7 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {

 	endpointType, err := request.RetrieveNumericMultiPartFormValue(r, "EndpointType", false)
 	if err != nil || endpointType == 0 {
-		return portainer.Error("Invalid endpoint type value. Value must be one of: 1 (Docker environment), 2 (Agent environment), 3 (Azure environment) or 4 (Edge Agent environment)")
+		return portainer.Error("Invalid endpoint type value. Value must be one of: 1 (Docker environment), 2 (Agent environment) or 4 (Edge Agent environment)")
 	}
 	payload.EndpointType = endpointType

@ -96,35 +93,14 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 		}
 	}

-	switch portainer.EndpointType(payload.EndpointType) {
-	case portainer.AzureEnvironment:
-		azureApplicationID, err := request.RetrieveMultiPartFormValue(r, "AzureApplicationID", false)
-		if err != nil {
-			return portainer.Error("Invalid Azure application ID")
-		}
-		payload.AzureApplicationID = azureApplicationID
-
-		azureTenantID, err := request.RetrieveMultiPartFormValue(r, "AzureTenantID", false)
-		if err != nil {
-			return portainer.Error("Invalid Azure tenant ID")
-		}
-		payload.AzureTenantID = azureTenantID
-
-		azureAuthenticationKey, err := request.RetrieveMultiPartFormValue(r, "AzureAuthenticationKey", false)
-		if err != nil {
-			return portainer.Error("Invalid Azure authentication key")
-		}
-		payload.AzureAuthenticationKey = azureAuthenticationKey
-	default:
-		url, err := request.RetrieveMultiPartFormValue(r, "URL", true)
-		if err != nil {
-			return portainer.Error("Invalid endpoint URL")
-		}
-		payload.URL = url
-
-		publicURL, _ := request.RetrieveMultiPartFormValue(r, "PublicURL", true)
-		payload.PublicURL = publicURL
+	endpointURL, err := request.RetrieveMultiPartFormValue(r, "URL", true)
+	if err != nil {
+		return portainer.Error("Invalid endpoint URL")
 	}
+	payload.URL = endpointURL
+
+	publicURL, _ := request.RetrieveMultiPartFormValue(r, "PublicURL", true)
+	payload.PublicURL = publicURL

 	return nil
 }
@ -178,9 +154,7 @@ func (handler *Handler) endpointCreate(w http.ResponseWriter, r *http.Request) *
 }

 func (handler *Handler) createEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
-	if portainer.EndpointType(payload.EndpointType) == portainer.AzureEnvironment {
-		return handler.createAzureEndpoint(payload)
-	} else if portainer.EndpointType(payload.EndpointType) == portainer.EdgeAgentEnvironment {
+	if portainer.EndpointType(payload.EndpointType) == portainer.EdgeAgentEnvironment {
 		return handler.createEdgeAgentEndpoint(payload)
 	}

@ -190,44 +164,6 @@ func (handler *Handler) createEndpoint(payload *endpointCreatePayload) (*portain
 	return handler.createUnsecuredEndpoint(payload)
 }

-func (handler *Handler) createAzureEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
-	credentials := portainer.AzureCredentials{
-		ApplicationID:     payload.AzureApplicationID,
-		TenantID:          payload.AzureTenantID,
-		AuthenticationKey: payload.AzureAuthenticationKey,
-	}
-
-	httpClient := client.NewHTTPClient()
-	_, err := httpClient.ExecuteAzureAuthenticationRequest(&credentials)
-	if err != nil {
-		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate against Azure", err}
-	}
-
-	endpointID := handler.EndpointService.GetNextIdentifier()
-	endpoint := &portainer.Endpoint{
-		ID:                 portainer.EndpointID(endpointID),
-		Name:               payload.Name,
-		URL:                "https://management.azure.com",
-		Type:               portainer.AzureEnvironment,
-		GroupID:            portainer.EndpointGroupID(payload.GroupID),
-		PublicURL:          payload.PublicURL,
-		UserAccessPolicies: portainer.UserAccessPolicies{},
-		TeamAccessPolicies: portainer.TeamAccessPolicies{},
-		Extensions:         []portainer.EndpointExtension{},
-		AzureCredentials:   credentials,
-		TagIDs:             payload.TagIDs,
-		Status:             portainer.EndpointStatusUp,
-		Snapshots:          []portainer.Snapshot{},
-	}
-
-	err = handler.saveEndpointAndUpdateAuthorizations(endpoint)
-	if err != nil {
-		return nil, &httperror.HandlerError{http.StatusInternalServerError, "An error occured while trying to create the endpoint", err}
-	}
-
-	return endpoint, nil
-}
-
 func (handler *Handler) createEdgeAgentEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
 	endpointType := portainer.EdgeAgentEnvironment
 	endpointID := handler.EndpointService.GetNextIdentifier()
--- a/api/http/handler/endpoints/endpoint_snapshot.go
+++ b/api/http/handler/endpoints/endpoint_snapshot.go
@ -23,10 +23,6 @@ func (handler *Handler) endpointSnapshot(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
 	}

-	if endpoint.Type == portainer.AzureEnvironment {
-		return &httperror.HandlerError{http.StatusBadRequest, "Snapshots not supported for Azure endpoints", err}
-	}
-
 	snapshot, snapshotError := handler.Snapshotter.CreateSnapshot(endpoint)

 	latestEndpointReference, err := handler.EndpointService.Endpoint(endpoint.ID)
--- a/api/http/handler/endpoints/endpoint_snapshots.go
+++ b/api/http/handler/endpoints/endpoint_snapshots.go
@ -17,10 +17,6 @@ func (handler *Handler) endpointSnapshots(w http.ResponseWriter, r *http.Request
 	}

 	for _, endpoint := range endpoints {
-		if endpoint.Type == portainer.AzureEnvironment {
-			continue
-		}
-
 		snapshot, snapshotError := handler.Snapshotter.CreateSnapshot(&endpoint)

 		latestEndpointReference, err := handler.EndpointService.Endpoint(endpoint.ID)
--- a/api/http/handler/endpoints/endpoint_update.go
+++ b/api/http/handler/endpoints/endpoint_update.go
@ -9,24 +9,20 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/client"
 )

 type endpointUpdatePayload struct {
-	Name                   *string
-	URL                    *string
-	PublicURL              *string
-	GroupID                *int
-	TLS                    *bool
-	TLSSkipVerify          *bool
-	TLSSkipClientVerify    *bool
-	Status                 *int
-	AzureApplicationID     *string
-	AzureTenantID          *string
-	AzureAuthenticationKey *string
-	TagIDs                 []portainer.TagID
-	UserAccessPolicies     portainer.UserAccessPolicies
-	TeamAccessPolicies     portainer.TeamAccessPolicies
+	Name                *string
+	URL                 *string
+	PublicURL           *string
+	GroupID             *int
+	TLS                 *bool
+	TLSSkipVerify       *bool
+	TLSSkipClientVerify *bool
+	Status              *int
+	TagIDs              []portainer.TagID
+	UserAccessPolicies  portainer.UserAccessPolicies
+	TeamAccessPolicies  portainer.TeamAccessPolicies
 }

 func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
@ -137,26 +133,6 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

-	if endpoint.Type == portainer.AzureEnvironment {
-		credentials := endpoint.AzureCredentials
-		if payload.AzureApplicationID != nil {
-			credentials.ApplicationID = *payload.AzureApplicationID
-		}
-		if payload.AzureTenantID != nil {
-			credentials.TenantID = *payload.AzureTenantID
-		}
-		if payload.AzureAuthenticationKey != nil {
-			credentials.AuthenticationKey = *payload.AzureAuthenticationKey
-		}
-
-		httpClient := client.NewHTTPClient()
-		_, authErr := httpClient.ExecuteAzureAuthenticationRequest(&credentials)
-		if authErr != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate against Azure", authErr}
-		}
-		endpoint.AzureCredentials = credentials
-	}
-
 	if payload.TLS != nil {
 		folder := strconv.Itoa(endpointID)

@ -201,7 +177,7 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

-	if payload.URL != nil || payload.TLS != nil || endpoint.Type == portainer.AzureEnvironment {
+	if payload.URL != nil || payload.TLS != nil {
 		_, err = handler.ProxyManager.CreateAndRegisterEndpointProxy(endpoint)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to register HTTP proxy for the endpoint", err}
--- a/api/http/handler/endpoints/handler.go
+++ b/api/http/handler/endpoints/handler.go
@ -12,7 +12,6 @@ import (
 )

 func hideFields(endpoint *portainer.Endpoint) {
-	endpoint.AzureCredentials = portainer.AzureCredentials{}
 	if len(endpoint.Snapshots) > 0 {
 		endpoint.Snapshots[0].SnapshotRaw = portainer.SnapshotRaw{}
 	}
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@ -90,8 +90,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r)
 		case strings.Contains(r.URL.Path, "/storidge/"):
 			http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r)
-		case strings.Contains(r.URL.Path, "/azure/"):
-			http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r)
 		case strings.Contains(r.URL.Path, "/edge/"):
 			http.StripPrefix("/api/endpoints", h.EndpointEdgeHandler).ServeHTTP(w, r)
 		default:
--- a/api/http/proxy/factory/azure.go
+++ b/api/http/proxy/factory/azure.go
@ -1,20 +0,0 @@
-package factory
-
-import (
-	"net/http"
-	"net/url"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/proxy/factory/azure"
-)
-
-func newAzureProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
-	remoteURL, err := url.Parse(azureAPIBaseURL)
-	if err != nil {
-		return nil, err
-	}
-
-	proxy := newSingleHostReverseProxyWithHostHeader(remoteURL)
-	proxy.Transport = azure.NewTransport(&endpoint.AzureCredentials)
-	return proxy, nil
-}
--- a/api/http/proxy/factory/azure/transport.go
+++ b/api/http/proxy/factory/azure/transport.go
@ -1,80 +0,0 @@
-package azure
-
-import (
-	"net/http"
-	"strconv"
-	"sync"
-	"time"
-
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/client"
-)
-
-type (
-	azureAPIToken struct {
-		value          string
-		expirationTime time.Time
-	}
-
-	Transport struct {
-		credentials *portainer.AzureCredentials
-		client      *client.HTTPClient
-		token       *azureAPIToken
-		mutex       sync.Mutex
-	}
-)
-
-// NewTransport returns a pointer to a new instance of Transport that implements the HTTP Transport
-// interface for proxying requests to the Azure API.
-func NewTransport(credentials *portainer.AzureCredentials) *Transport {
-	return &Transport{
-		credentials: credentials,
-		client:      client.NewHTTPClient(),
-	}
-}
-
-// RoundTrip is the implementation of the the http.RoundTripper interface
-func (transport *Transport) RoundTrip(request *http.Request) (*http.Response, error) {
-	err := transport.retrieveAuthenticationToken()
-	if err != nil {
-		return nil, err
-	}
-
-	request.Header.Set("Authorization", "Bearer "+transport.token.value)
-	return http.DefaultTransport.RoundTrip(request)
-}
-
-func (transport *Transport) authenticate() error {
-	token, err := transport.client.ExecuteAzureAuthenticationRequest(transport.credentials)
-	if err != nil {
-		return err
-	}
-
-	expiresOn, err := strconv.ParseInt(token.ExpiresOn, 10, 64)
-	if err != nil {
-		return err
-	}
-
-	transport.token = &azureAPIToken{
-		value:          token.AccessToken,
-		expirationTime: time.Unix(expiresOn, 0),
-	}
-
-	return nil
-}
-
-func (transport *Transport) retrieveAuthenticationToken() error {
-	transport.mutex.Lock()
-	defer transport.mutex.Unlock()
-
-	if transport.token == nil {
-		return transport.authenticate()
-	}
-
-	timeLimit := time.Now().Add(-5 * time.Minute)
-	if timeLimit.After(transport.token.expirationTime) {
-		return transport.authenticate()
-	}
-
-	return nil
-}
--- a/api/http/proxy/factory/factory.go
+++ b/api/http/proxy/factory/factory.go
@ -10,8 +10,6 @@ import (
 	"github.com/portainer/portainer/api/docker"
 )

-const azureAPIBaseURL = "https://management.azure.com"
-
 var extensionPorts = map[portainer.ExtensionID]string{
 	portainer.RegistryManagementExtension:  "7001",
 	portainer.OAuthAuthenticationExtension: "7002",
@ -100,11 +98,6 @@ func (factory *ProxyFactory) NewLegacyExtensionProxy(extensionAPIURL string) (ht

 // NewEndpointProxy returns a new reverse proxy (filesystem based or HTTP) to an endpoint API server
 func (factory *ProxyFactory) NewEndpointProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
-	switch endpoint.Type {
-	case portainer.AzureEnvironment:
-		return newAzureProxy(endpoint)
-	}
-
 	return factory.newDockerProxy(endpoint)
 }