mirror of
https://github.com/portainer/portainer.git
synced 2025-07-21 14:29:40 +02:00
12a512f01f
* feat(edge): fix webconsole and agent deployment command * feat(edge): display agent features when connected to IoT endpoint * feat(edge): add -e CAP_HOST_MANAGEMENT=1 to agent command * feat(edge): add -v /:/host and --name portainer_agent_iot to agent command * style(endpoint-creation): refactor IoT agent to Edge agent * refactor(api): rename AgentIoTEnvironment to AgentEdgeEnvironment * refactor(api): rename AgentIoTEnvironment to AgentEdgeEnvironment * feat(endpoint-creation): update Edge agent deployment instructions * feat(edge): wip edge * feat(edge): refactor key creation * feat(edge): update deployment instructions * feat(home): update Edge agent endpoint item * feat(edge): support dynamic ports * feat(edge): support sleep/wake and snapshots * feat(edge): support offline mode * feat(edge): host job support for Edge endpoints * feat(edge): introduce STANDBY state * feat(edge): update Edge agent deployment command * feat(edge): introduce EDGE_ID support * feat(edge): update default inactivity interval to 5min * feat(edge): reload Edge schedules after restart * fix(edge): fix execution of endpoint job against an Edge endpoint * fix(edge): fix minor issues with scheduling UI/UX * feat(edge): introduce EdgeSchedule version management * feat(edge): switch back to REQUIRED state from ACTIVE on error * refactor(edge): remove comment * feat(edge): updated tunnel status management * feat(edge): fix flickering UI when accessing Edge endpoint from home view * feat(edge): remove STANDBY status * fix(edge): fix an issue with console and Swarm endpoint * fix(edge): fix an issue with stack deployment * fix(edge): reset timer when applying active status * feat(edge): add background ping for Edge endpoints * fix(edge): fix infinite loading loop after Edge endpoint connection failure * fix(home): fix an issue with merge * feat(api): remove SnapshotRaw from EndpointList response * feat(api): add pagination for EndpointList operation * feat(api): rename last_id query parameter to start * feat(api): implement filter for EndpointList operation * fix(edge): prevent a pointer issue after removing an active Edge endpoint * feat(home): front - endpoint backend pagination (#2990) * feat(home): endpoint pagination with backend * feat(api): remove default limit value * fix(endpoints): fix a minor issue with column span * fix(endpointgroup-create): fix an issue with endpoint group creation * feat(app): minor loading optimizations * refactor(api): small refactor of EndpointList operation * fix(home): fix minor loading text display issue * refactor(api): document bolt services functions * feat(home): minor optimization * fix(api): replace seek with index scanning for EndpointPaginated * fix(api): fix invalid starting index issue * fix(api): first implementation of working filter * fix(home): endpoints list keeps backend pagination when it needs to * fix(api): endpoint pagination doesn't drop the first item on pages >=2 anymore * fix(home): UI flickering on page/filter load/change * feat(auth): login spinner * feat(api): support searching in associated endpoint group data * refactor(api): remove unused API endpoint * refactor(api): remove comment * refactor(api): refactor proxy manager * feat(api): declare EndpointList params as optional * feat(api): support groupID filter on endpoints route * feat(api): add new API operations endpointGroupAddEndpoint and endpointGroupDeleteEndpoint * feat(edge): new icon for Edge agent endpoint * fix(edge): fix missing exec quick action * fix(edge): add loading indicator when connecting to Edge endpoint * feat(edge): disable service webhooks for Edge endpoints * feat(endpoints): backend pagination for endpoints view (#3004) * feat(edge): dynamic loading for stack migration feature * feat(edge): wordwrap edge key * feat(endpoint-groups): backend pagination support for create and edit * feat(endpoint-groups): debounce on filter for create/edit views * feat(endpoint-groups): filter assigned on create view * (endpoint-groups): unassigned endpoints edit view * refactor(endpoint-groups): code clean * feat(endpoint-groups): remove message for Unassigned group * refactor(websocket): minor refactor associated to Edge agent * feat(endpoint-group): enable backend pagination (#3017) * feat(api): support groupID filter on endpoints route * feat(api): add new API operations endpointGroupAddEndpoint and endpointGroupDeleteEndpoint * feat(endpoint-groups): backend pagination support for create and edit * feat(endpoint-groups): debounce on filter for create/edit views * feat(endpoint-groups): filter assigned on create view * (endpoint-groups): unassigned endpoints edit view * refactor(endpoint-groups): code clean * feat(endpoint-groups): remove message for Unassigned group * refactor(api): endpoint group endpoint association refactor * refactor(api): rename files and remove comments * refactor(api): remove usage of utils * refactor(api): optional parameters * Merge branch 'feat-endpoint-backend-pagination' into edge # Conflicts: # api/bolt/endpoint/endpoint.go # api/http/handler/endpointgroups/endpointgroup_update.go # api/http/handler/endpointgroups/handler.go # api/http/handler/endpoints/endpoint_list.go # app/portainer/services/api/endpointService.js * fix(api): fix default tunnel server credentials * feat(api): update endpointListOperation behavior and parameters * fix(api): fix interface declaration * feat(edge): support configurable Edge agent checkin interval * feat(edge): support dynamic tunnel credentials * feat(edge): update Edge agent deployment commands * style(edge): update Edge agent settings text * refactor(edge): remove unused credentials management methods * feat(edge): associate a remote addr to tunnel credentials * style(edge): update Edge endpoint icon * feat(edge): support encrypted tunnel credentials * fix(edge): fix invalid pointer cast * feat(bolt): decode endpoints with jsoniter * feat(edge): persist reverse tunnel keyseed * refactor(edge): minor refactor * feat(edge): update chisel library usage * refactor(endpoint): use controller function * feat(api): database migration to DBVersion 19 * refactor(api): refactor AddSchedule function * refactor(schedules): remove comment * refactor(api): remove comment * refactor(api): remove comment * feat(api): tunnel manager now only manage Edge endpoints * refactor(api): clean-up and clarification of the Edge service * refactor(api): clean-up and clarification of the Edge service * fix(api): fix an issue with Edge agent snapshots * refactor(api): add missing comments * refactor(api): update constant description * style(home): remove loading text on error * feat(endpoint): remove 15s timeout for ping request * style(home): display information about associated Edge endpoints * feat(home): redirect to endpoint details on click on unassociated Edge endpoint * feat(settings): remove 60s Edge poll frequency option
389 lines
13 KiB
Go
389 lines
13 KiB
Go
package endpoints
|
|
|
|
import (
|
|
"errors"
|
|
"log"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"runtime"
|
|
"strconv"
|
|
|
|
httperror "github.com/portainer/libhttp/error"
|
|
"github.com/portainer/libhttp/request"
|
|
"github.com/portainer/libhttp/response"
|
|
"github.com/portainer/portainer/api"
|
|
"github.com/portainer/portainer/api/crypto"
|
|
"github.com/portainer/portainer/api/http/client"
|
|
)
|
|
|
|
type endpointCreatePayload struct {
|
|
Name string
|
|
URL string
|
|
EndpointType int
|
|
PublicURL string
|
|
GroupID int
|
|
TLS bool
|
|
TLSSkipVerify bool
|
|
TLSSkipClientVerify bool
|
|
TLSCACertFile []byte
|
|
TLSCertFile []byte
|
|
TLSKeyFile []byte
|
|
AzureApplicationID string
|
|
AzureTenantID string
|
|
AzureAuthenticationKey string
|
|
Tags []string
|
|
}
|
|
|
|
func (payload *endpointCreatePayload) Validate(r *http.Request) error {
|
|
name, err := request.RetrieveMultiPartFormValue(r, "Name", false)
|
|
if err != nil {
|
|
return portainer.Error("Invalid endpoint name")
|
|
}
|
|
payload.Name = name
|
|
|
|
endpointType, err := request.RetrieveNumericMultiPartFormValue(r, "EndpointType", false)
|
|
if err != nil || endpointType == 0 {
|
|
return portainer.Error("Invalid endpoint type value. Value must be one of: 1 (Docker environment), 2 (Agent environment), 3 (Azure environment) or 4 (Edge Agent environment)")
|
|
}
|
|
payload.EndpointType = endpointType
|
|
|
|
groupID, _ := request.RetrieveNumericMultiPartFormValue(r, "GroupID", true)
|
|
if groupID == 0 {
|
|
groupID = 1
|
|
}
|
|
payload.GroupID = groupID
|
|
|
|
var tags []string
|
|
err = request.RetrieveMultiPartFormJSONValue(r, "Tags", &tags, true)
|
|
if err != nil {
|
|
return portainer.Error("Invalid Tags parameter")
|
|
}
|
|
payload.Tags = tags
|
|
if payload.Tags == nil {
|
|
payload.Tags = make([]string, 0)
|
|
}
|
|
|
|
useTLS, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLS", true)
|
|
payload.TLS = useTLS
|
|
|
|
if payload.TLS {
|
|
skipTLSServerVerification, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLSSkipVerify", true)
|
|
payload.TLSSkipVerify = skipTLSServerVerification
|
|
skipTLSClientVerification, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLSSkipClientVerify", true)
|
|
payload.TLSSkipClientVerify = skipTLSClientVerification
|
|
|
|
if !payload.TLSSkipVerify {
|
|
caCert, _, err := request.RetrieveMultiPartFormFile(r, "TLSCACertFile")
|
|
if err != nil {
|
|
return portainer.Error("Invalid CA certificate file. Ensure that the file is uploaded correctly")
|
|
}
|
|
payload.TLSCACertFile = caCert
|
|
}
|
|
|
|
if !payload.TLSSkipClientVerify {
|
|
cert, _, err := request.RetrieveMultiPartFormFile(r, "TLSCertFile")
|
|
if err != nil {
|
|
return portainer.Error("Invalid certificate file. Ensure that the file is uploaded correctly")
|
|
}
|
|
payload.TLSCertFile = cert
|
|
|
|
key, _, err := request.RetrieveMultiPartFormFile(r, "TLSKeyFile")
|
|
if err != nil {
|
|
return portainer.Error("Invalid key file. Ensure that the file is uploaded correctly")
|
|
}
|
|
payload.TLSKeyFile = key
|
|
}
|
|
}
|
|
|
|
switch portainer.EndpointType(payload.EndpointType) {
|
|
case portainer.AzureEnvironment:
|
|
azureApplicationID, err := request.RetrieveMultiPartFormValue(r, "AzureApplicationID", false)
|
|
if err != nil {
|
|
return portainer.Error("Invalid Azure application ID")
|
|
}
|
|
payload.AzureApplicationID = azureApplicationID
|
|
|
|
azureTenantID, err := request.RetrieveMultiPartFormValue(r, "AzureTenantID", false)
|
|
if err != nil {
|
|
return portainer.Error("Invalid Azure tenant ID")
|
|
}
|
|
payload.AzureTenantID = azureTenantID
|
|
|
|
azureAuthenticationKey, err := request.RetrieveMultiPartFormValue(r, "AzureAuthenticationKey", false)
|
|
if err != nil {
|
|
return portainer.Error("Invalid Azure authentication key")
|
|
}
|
|
payload.AzureAuthenticationKey = azureAuthenticationKey
|
|
default:
|
|
url, err := request.RetrieveMultiPartFormValue(r, "URL", true)
|
|
if err != nil {
|
|
return portainer.Error("Invalid endpoint URL")
|
|
}
|
|
payload.URL = url
|
|
|
|
publicURL, _ := request.RetrieveMultiPartFormValue(r, "PublicURL", true)
|
|
payload.PublicURL = publicURL
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// POST request on /api/endpoints
|
|
func (handler *Handler) endpointCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
|
|
if !handler.authorizeEndpointManagement {
|
|
return &httperror.HandlerError{http.StatusServiceUnavailable, "Endpoint management is disabled", ErrEndpointManagementDisabled}
|
|
}
|
|
|
|
payload := &endpointCreatePayload{}
|
|
err := payload.Validate(r)
|
|
if err != nil {
|
|
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
|
|
}
|
|
|
|
endpoint, endpointCreationError := handler.createEndpoint(payload)
|
|
if endpointCreationError != nil {
|
|
return endpointCreationError
|
|
}
|
|
|
|
return response.JSON(w, endpoint)
|
|
}
|
|
|
|
func (handler *Handler) createEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
|
|
if portainer.EndpointType(payload.EndpointType) == portainer.AzureEnvironment {
|
|
return handler.createAzureEndpoint(payload)
|
|
} else if portainer.EndpointType(payload.EndpointType) == portainer.EdgeAgentEnvironment {
|
|
return handler.createEdgeAgentEndpoint(payload)
|
|
}
|
|
|
|
if payload.TLS {
|
|
return handler.createTLSSecuredEndpoint(payload)
|
|
}
|
|
return handler.createUnsecuredEndpoint(payload)
|
|
}
|
|
|
|
func (handler *Handler) createAzureEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
|
|
credentials := portainer.AzureCredentials{
|
|
ApplicationID: payload.AzureApplicationID,
|
|
TenantID: payload.AzureTenantID,
|
|
AuthenticationKey: payload.AzureAuthenticationKey,
|
|
}
|
|
|
|
httpClient := client.NewHTTPClient()
|
|
_, err := httpClient.ExecuteAzureAuthenticationRequest(&credentials)
|
|
if err != nil {
|
|
return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate against Azure", err}
|
|
}
|
|
|
|
endpointID := handler.EndpointService.GetNextIdentifier()
|
|
endpoint := &portainer.Endpoint{
|
|
ID: portainer.EndpointID(endpointID),
|
|
Name: payload.Name,
|
|
URL: "https://management.azure.com",
|
|
Type: portainer.AzureEnvironment,
|
|
GroupID: portainer.EndpointGroupID(payload.GroupID),
|
|
PublicURL: payload.PublicURL,
|
|
UserAccessPolicies: portainer.UserAccessPolicies{},
|
|
TeamAccessPolicies: portainer.TeamAccessPolicies{},
|
|
Extensions: []portainer.EndpointExtension{},
|
|
AzureCredentials: credentials,
|
|
Tags: payload.Tags,
|
|
Status: portainer.EndpointStatusUp,
|
|
Snapshots: []portainer.Snapshot{},
|
|
}
|
|
|
|
err = handler.EndpointService.CreateEndpoint(endpoint)
|
|
if err != nil {
|
|
return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint inside the database", err}
|
|
}
|
|
|
|
return endpoint, nil
|
|
}
|
|
|
|
func (handler *Handler) createEdgeAgentEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
|
|
endpointType := portainer.EdgeAgentEnvironment
|
|
endpointID := handler.EndpointService.GetNextIdentifier()
|
|
|
|
portainerURL, err := url.Parse(payload.URL)
|
|
if err != nil {
|
|
return nil, &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint URL", err}
|
|
}
|
|
|
|
portainerHost, _, err := net.SplitHostPort(portainerURL.Host)
|
|
if err != nil {
|
|
portainerHost = portainerURL.Host
|
|
}
|
|
|
|
if portainerHost == "localhost" {
|
|
return nil, &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint URL", errors.New("cannot use localhost as endpoint URL")}
|
|
}
|
|
|
|
edgeKey := handler.ReverseTunnelService.GenerateEdgeKey(payload.URL, portainerHost, endpointID)
|
|
|
|
endpoint := &portainer.Endpoint{
|
|
ID: portainer.EndpointID(endpointID),
|
|
Name: payload.Name,
|
|
URL: portainerHost,
|
|
Type: endpointType,
|
|
GroupID: portainer.EndpointGroupID(payload.GroupID),
|
|
TLSConfig: portainer.TLSConfiguration{
|
|
TLS: false,
|
|
},
|
|
AuthorizedUsers: []portainer.UserID{},
|
|
AuthorizedTeams: []portainer.TeamID{},
|
|
Extensions: []portainer.EndpointExtension{},
|
|
Tags: payload.Tags,
|
|
Status: portainer.EndpointStatusUp,
|
|
Snapshots: []portainer.Snapshot{},
|
|
EdgeKey: edgeKey,
|
|
}
|
|
|
|
err = handler.EndpointService.CreateEndpoint(endpoint)
|
|
if err != nil {
|
|
return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint inside the database", err}
|
|
}
|
|
|
|
return endpoint, nil
|
|
}
|
|
|
|
func (handler *Handler) createUnsecuredEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
|
|
endpointType := portainer.DockerEnvironment
|
|
|
|
if payload.URL == "" {
|
|
payload.URL = "unix:///var/run/docker.sock"
|
|
if runtime.GOOS == "windows" {
|
|
payload.URL = "npipe:////./pipe/docker_engine"
|
|
}
|
|
} else {
|
|
agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.URL, nil)
|
|
if err != nil {
|
|
return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to ping Docker environment", err}
|
|
}
|
|
if agentOnDockerEnvironment {
|
|
endpointType = portainer.AgentOnDockerEnvironment
|
|
}
|
|
}
|
|
|
|
endpointID := handler.EndpointService.GetNextIdentifier()
|
|
endpoint := &portainer.Endpoint{
|
|
ID: portainer.EndpointID(endpointID),
|
|
Name: payload.Name,
|
|
URL: payload.URL,
|
|
Type: endpointType,
|
|
GroupID: portainer.EndpointGroupID(payload.GroupID),
|
|
PublicURL: payload.PublicURL,
|
|
TLSConfig: portainer.TLSConfiguration{
|
|
TLS: false,
|
|
},
|
|
UserAccessPolicies: portainer.UserAccessPolicies{},
|
|
TeamAccessPolicies: portainer.TeamAccessPolicies{},
|
|
Extensions: []portainer.EndpointExtension{},
|
|
Tags: payload.Tags,
|
|
Status: portainer.EndpointStatusUp,
|
|
Snapshots: []portainer.Snapshot{},
|
|
}
|
|
|
|
err := handler.snapshotAndPersistEndpoint(endpoint)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return endpoint, nil
|
|
}
|
|
|
|
func (handler *Handler) createTLSSecuredEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
|
|
tlsConfig, err := crypto.CreateTLSConfigurationFromBytes(payload.TLSCACertFile, payload.TLSCertFile, payload.TLSKeyFile, payload.TLSSkipClientVerify, payload.TLSSkipVerify)
|
|
if err != nil {
|
|
return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to create TLS configuration", err}
|
|
}
|
|
|
|
agentOnDockerEnvironment, err := client.ExecutePingOperation(payload.URL, tlsConfig)
|
|
if err != nil {
|
|
return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to ping Docker environment", err}
|
|
}
|
|
|
|
endpointType := portainer.DockerEnvironment
|
|
if agentOnDockerEnvironment {
|
|
endpointType = portainer.AgentOnDockerEnvironment
|
|
}
|
|
|
|
endpointID := handler.EndpointService.GetNextIdentifier()
|
|
endpoint := &portainer.Endpoint{
|
|
ID: portainer.EndpointID(endpointID),
|
|
Name: payload.Name,
|
|
URL: payload.URL,
|
|
Type: endpointType,
|
|
GroupID: portainer.EndpointGroupID(payload.GroupID),
|
|
PublicURL: payload.PublicURL,
|
|
TLSConfig: portainer.TLSConfiguration{
|
|
TLS: payload.TLS,
|
|
TLSSkipVerify: payload.TLSSkipVerify,
|
|
},
|
|
UserAccessPolicies: portainer.UserAccessPolicies{},
|
|
TeamAccessPolicies: portainer.TeamAccessPolicies{},
|
|
Extensions: []portainer.EndpointExtension{},
|
|
Tags: payload.Tags,
|
|
Status: portainer.EndpointStatusUp,
|
|
Snapshots: []portainer.Snapshot{},
|
|
}
|
|
|
|
filesystemError := handler.storeTLSFiles(endpoint, payload)
|
|
if err != nil {
|
|
return nil, filesystemError
|
|
}
|
|
|
|
endpointCreationError := handler.snapshotAndPersistEndpoint(endpoint)
|
|
if endpointCreationError != nil {
|
|
return nil, endpointCreationError
|
|
}
|
|
|
|
return endpoint, nil
|
|
}
|
|
|
|
func (handler *Handler) snapshotAndPersistEndpoint(endpoint *portainer.Endpoint) *httperror.HandlerError {
|
|
snapshot, err := handler.Snapshotter.CreateSnapshot(endpoint)
|
|
endpoint.Status = portainer.EndpointStatusUp
|
|
if err != nil {
|
|
log.Printf("http error: endpoint snapshot error (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
|
|
endpoint.Status = portainer.EndpointStatusDown
|
|
}
|
|
|
|
if snapshot != nil {
|
|
endpoint.Snapshots = []portainer.Snapshot{*snapshot}
|
|
}
|
|
|
|
err = handler.EndpointService.CreateEndpoint(endpoint)
|
|
if err != nil {
|
|
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint inside the database", err}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (handler *Handler) storeTLSFiles(endpoint *portainer.Endpoint, payload *endpointCreatePayload) *httperror.HandlerError {
|
|
folder := strconv.Itoa(int(endpoint.ID))
|
|
|
|
if !payload.TLSSkipVerify {
|
|
caCertPath, err := handler.FileService.StoreTLSFileFromBytes(folder, portainer.TLSFileCA, payload.TLSCACertFile)
|
|
if err != nil {
|
|
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist TLS CA certificate file on disk", err}
|
|
}
|
|
endpoint.TLSConfig.TLSCACertPath = caCertPath
|
|
}
|
|
|
|
if !payload.TLSSkipClientVerify {
|
|
certPath, err := handler.FileService.StoreTLSFileFromBytes(folder, portainer.TLSFileCert, payload.TLSCertFile)
|
|
if err != nil {
|
|
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist TLS certificate file on disk", err}
|
|
}
|
|
endpoint.TLSConfig.TLSCertPath = certPath
|
|
|
|
keyPath, err := handler.FileService.StoreTLSFileFromBytes(folder, portainer.TLSFileKey, payload.TLSKeyFile)
|
|
if err != nil {
|
|
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist TLS key file on disk", err}
|
|
}
|
|
endpoint.TLSConfig.TLSKeyPath = keyPath
|
|
}
|
|
|
|
return nil
|
|
}
|