mirror of
https://github.com/portainer/portainer.git
synced 2025-07-19 05:19:39 +02:00
179df06267
* feat(app): rework private registries and support private registries in kubernetes [EE-30] feat(api): backport private registries backend changes (#5072) * feat(api/bolt): backport bolt changes * feat(api/exec): backport exec changes * feat(api/http): backport http/handler/dockerhub changes * feat(api/http): backport http/handler/endpoints changes * feat(api/http): backport http/handler/registries changes * feat(api/http): backport http/handler/stacks changes * feat(api/http): backport http/handler changes * feat(api/http): backport http/proxy/factory/azure changes * feat(api/http): backport http/proxy/factory/docker changes * feat(api/http): backport http/proxy/factory/utils changes * feat(api/http): backport http/proxy/factory/kubernetes changes * feat(api/http): backport http/proxy/factory changes * feat(api/http): backport http/security changes * feat(api/http): backport http changes * feat(api/internal): backport internal changes * feat(api): backport api changes * feat(api/kubernetes): backport kubernetes changes * fix(api/http): changes on backend following backport feat(app): backport private registries frontend changes (#5056) * feat(app/docker): backport docker/components changes * feat(app/docker): backport docker/helpers changes * feat(app/docker): backport docker/views/container changes * feat(app/docker): backport docker/views/images changes * feat(app/docker): backport docker/views/registries changes * feat(app/docker): backport docker/views/services changes * feat(app/docker): backport docker changes * feat(app/kubernetes): backport kubernetes/components changes * feat(app/kubernetes): backport kubernetes/converters changes * feat(app/kubernetes): backport kubernetes/models changes * feat(app/kubernetes): backport kubernetes/registries changes * feat(app/kubernetes): backport kubernetes/services changes * feat(app/kubernetes): backport kubernetes/views/applications changes * feat(app/kubernetes): backport kubernetes/views/configurations changes * feat(app/kubernetes): backport kubernetes/views/configure changes * feat(app/kubernetes): backport kubernetes/views/resource-pools changes * feat(app/kubernetes): backport kubernetes/views changes * feat(app/portainer): backport portainer/components/accessManagement changes * feat(app/portainer): backport portainer/components/datatables changes * feat(app/portainer): backport portainer/components/forms changes * feat(app/portainer): backport portainer/components/registry-details changes * feat(app/portainer): backport portainer/models changes * feat(app/portainer): backport portainer/rest changes * feat(app/portainer): backport portainer/services changes * feat(app/portainer): backport portainer/views changes * feat(app/portainer): backport portainer changes * feat(app): backport app changes * config(project): gitignore + jsconfig changes gitignore all files under api/cmd/portainer but main.go and enable Code Editor autocomplete on import ... from '@/...' fix(app): fix pull rate limit checker fix(app/registries): sidebar menus and registry accesses users filtering fix(api): add missing kube client factory fix(kube): fetch dockerhub pull limits (#5133) fix(app): pre review fixes (#5142) * fix(app/registries): remove checkbox for endpointRegistries view * fix(endpoints): allow access to default namespace * fix(docker): fetch pull limits * fix(kube/ns): show selected registries for non admin Co-authored-by: Chaim Lev-Ari <chiptus@gmail.com> chore(webpack): ignore missing sourcemaps fix(registries): fetch registry config from url feat(kube/registries): ignore not found when deleting secret feat(db): move migration to db 31 fix(registries): fix bugs in PR EE-869 (#5169) * fix(registries): hide role * fix(endpoints): set empty access policy to edge endpoint * fix(registry): remove double arguments * fix(admin): ignore warning * feat(kube/configurations): tag registry secrets (#5157) * feat(kube/configurations): tag registry secrets * feat(kube/secrets): show registry secrets for admins * fix(registries): move dockerhub to beginning * refactor(registries): use endpoint scoped registries feat(registries): filter by namespace if supplied feat(access-managment): filter users for registry (#5191) * refactor(access-manage): move users selector to component * feat(access-managment): filter users for registry refactor(registries): sync code with CE (#5200) * refactor(registry): add inspect handler under endpoints * refactor(endpoint): sync endpoint_registries_list * refactor(endpoints): sync registry_access * fix(db): rename migration functions * fix(registries): show accesses for admin * fix(kube): set token on transport * refactor(kube): move secret help to bottom * fix(kuberentes): remove shouldLog parameter * style(auth): add description of security.IsAdmin * feat(security): allow admin access to registry * feat(edge): connect to edge endpoint when creating client * style(portainer): change deprecation version * refactor(sidebar): hide manage * refactor(containers): revert changes * style(container): remove whitespace * fix(endpoint): add handler to registy on endpointService * refactor(image): use endpointService.registries * fix(kueb/namespaces): rename resource pool to namespace * fix(kube/namespace): move selected registries * fix(api/registries): hide accesses on registry creation Co-authored-by: LP B <xAt0mZ@users.noreply.github.com> refactor(api): remove code duplication after rebase fix(app/registries): replace last registry api usage by endpoint registry api fix(api/endpoints): update registry access policies on endpoint deletion (#5226) [EE-1027] fix(db): update db version * fix(dockerhub): fetch rate limits * fix(registry/tests): supply restricred context * fix(registries): show proget registry only when selected * fix(registry): create dockerhub registry * feat(db): move migrations to db 32 Co-authored-by: Chaim Lev-Ari <chiptus@gmail.com>
370 lines
14 KiB
Go
370 lines
14 KiB
Go
package stacks
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"path"
|
|
"strconv"
|
|
"time"
|
|
|
|
"github.com/asaskevich/govalidator"
|
|
httperror "github.com/portainer/libhttp/error"
|
|
"github.com/portainer/libhttp/request"
|
|
portainer "github.com/portainer/portainer/api"
|
|
"github.com/portainer/portainer/api/filesystem"
|
|
"github.com/portainer/portainer/api/http/security"
|
|
)
|
|
|
|
type composeStackFromFileContentPayload struct {
|
|
// Name of the stack
|
|
Name string `example:"myStack" validate:"required"`
|
|
// Content of the Stack file
|
|
StackFileContent string `example:"version: 3\n services:\n web:\n image:nginx" validate:"required"`
|
|
// A list of environment variables used during stack deployment
|
|
Env []portainer.Pair `example:""`
|
|
}
|
|
|
|
func (payload *composeStackFromFileContentPayload) Validate(r *http.Request) error {
|
|
if govalidator.IsNull(payload.Name) {
|
|
return errors.New("Invalid stack name")
|
|
}
|
|
|
|
if govalidator.IsNull(payload.StackFileContent) {
|
|
return errors.New("Invalid stack file content")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (handler *Handler) createComposeStackFromFileContent(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint, userID portainer.UserID) *httperror.HandlerError {
|
|
var payload composeStackFromFileContentPayload
|
|
err := request.DecodeAndValidateJSONPayload(r, &payload)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
|
|
}
|
|
|
|
payload.Name = handler.ComposeStackManager.NormalizeStackName(payload.Name)
|
|
|
|
isUnique, err := handler.checkUniqueName(endpoint, payload.Name, 0, false)
|
|
if err != nil {
|
|
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to check for name collision", err}
|
|
}
|
|
if !isUnique {
|
|
errorMessage := fmt.Sprintf("A stack with the name '%s' is already running", payload.Name)
|
|
return &httperror.HandlerError{http.StatusConflict, errorMessage, errors.New(errorMessage)}
|
|
}
|
|
|
|
stackID := handler.DataStore.Stack().GetNextIdentifier()
|
|
stack := &portainer.Stack{
|
|
ID: portainer.StackID(stackID),
|
|
Name: payload.Name,
|
|
Type: portainer.DockerComposeStack,
|
|
EndpointID: endpoint.ID,
|
|
EntryPoint: filesystem.ComposeFileDefaultName,
|
|
Env: payload.Env,
|
|
Status: portainer.StackStatusActive,
|
|
CreationDate: time.Now().Unix(),
|
|
}
|
|
|
|
stackFolder := strconv.Itoa(int(stack.ID))
|
|
projectPath, err := handler.FileService.StoreStackFileFromBytes(stackFolder, stack.EntryPoint, []byte(payload.StackFileContent))
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist Compose file on disk", Err: err}
|
|
}
|
|
stack.ProjectPath = projectPath
|
|
|
|
doCleanUp := true
|
|
defer handler.cleanUp(stack, &doCleanUp)
|
|
|
|
config, configErr := handler.createComposeDeployConfig(r, stack, endpoint)
|
|
if configErr != nil {
|
|
return configErr
|
|
}
|
|
|
|
err = handler.deployComposeStack(config)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
|
|
}
|
|
|
|
stack.CreatedBy = config.user.Username
|
|
|
|
err = handler.DataStore.Stack().CreateStack(stack)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist the stack inside the database", Err: err}
|
|
}
|
|
|
|
doCleanUp = false
|
|
return handler.decorateStackResponse(w, stack, userID)
|
|
}
|
|
|
|
type composeStackFromGitRepositoryPayload struct {
|
|
// Name of the stack
|
|
Name string `example:"myStack" validate:"required"`
|
|
|
|
// URL of a Git repository hosting the Stack file
|
|
RepositoryURL string `example:"https://github.com/openfaas/faas" validate:"required"`
|
|
// Reference name of a Git repository hosting the Stack file
|
|
RepositoryReferenceName string `example:"refs/heads/master"`
|
|
// Use basic authentication to clone the Git repository
|
|
RepositoryAuthentication bool `example:"true"`
|
|
// Username used in basic authentication. Required when RepositoryAuthentication is true.
|
|
RepositoryUsername string `example:"myGitUsername"`
|
|
// Password used in basic authentication. Required when RepositoryAuthentication is true.
|
|
RepositoryPassword string `example:"myGitPassword"`
|
|
// Path to the Stack file inside the Git repository
|
|
ComposeFilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
|
|
|
|
// A list of environment variables used during stack deployment
|
|
Env []portainer.Pair
|
|
}
|
|
|
|
func (payload *composeStackFromGitRepositoryPayload) Validate(r *http.Request) error {
|
|
if govalidator.IsNull(payload.Name) {
|
|
return errors.New("Invalid stack name")
|
|
}
|
|
|
|
if govalidator.IsNull(payload.RepositoryURL) || !govalidator.IsURL(payload.RepositoryURL) {
|
|
return errors.New("Invalid repository URL. Must correspond to a valid URL format")
|
|
}
|
|
if payload.RepositoryAuthentication && (govalidator.IsNull(payload.RepositoryUsername) || govalidator.IsNull(payload.RepositoryPassword)) {
|
|
return errors.New("Invalid repository credentials. Username and password must be specified when authentication is enabled")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (handler *Handler) createComposeStackFromGitRepository(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint, userID portainer.UserID) *httperror.HandlerError {
|
|
var payload composeStackFromGitRepositoryPayload
|
|
err := request.DecodeAndValidateJSONPayload(r, &payload)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
|
|
}
|
|
|
|
payload.Name = handler.ComposeStackManager.NormalizeStackName(payload.Name)
|
|
if payload.ComposeFilePathInRepository == "" {
|
|
payload.ComposeFilePathInRepository = filesystem.ComposeFileDefaultName
|
|
}
|
|
|
|
isUnique, err := handler.checkUniqueName(endpoint, payload.Name, 0, false)
|
|
if err != nil {
|
|
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to check for name collision", err}
|
|
}
|
|
if !isUnique {
|
|
errorMessage := fmt.Sprintf("A stack with the name '%s' already exists", payload.Name)
|
|
return &httperror.HandlerError{http.StatusConflict, errorMessage, errors.New(errorMessage)}
|
|
}
|
|
|
|
stackID := handler.DataStore.Stack().GetNextIdentifier()
|
|
stack := &portainer.Stack{
|
|
ID: portainer.StackID(stackID),
|
|
Name: payload.Name,
|
|
Type: portainer.DockerComposeStack,
|
|
EndpointID: endpoint.ID,
|
|
EntryPoint: payload.ComposeFilePathInRepository,
|
|
Env: payload.Env,
|
|
Status: portainer.StackStatusActive,
|
|
CreationDate: time.Now().Unix(),
|
|
}
|
|
|
|
projectPath := handler.FileService.GetStackProjectPath(strconv.Itoa(int(stack.ID)))
|
|
stack.ProjectPath = projectPath
|
|
|
|
doCleanUp := true
|
|
defer handler.cleanUp(stack, &doCleanUp)
|
|
|
|
err = handler.cloneAndSaveConfig(stack, projectPath, payload.RepositoryURL, payload.RepositoryReferenceName, payload.ComposeFilePathInRepository, payload.RepositoryAuthentication, payload.RepositoryUsername, payload.RepositoryPassword)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to clone git repository", Err: err}
|
|
}
|
|
|
|
config, configErr := handler.createComposeDeployConfig(r, stack, endpoint)
|
|
if configErr != nil {
|
|
return configErr
|
|
}
|
|
|
|
err = handler.deployComposeStack(config)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
|
|
}
|
|
|
|
stack.CreatedBy = config.user.Username
|
|
|
|
err = handler.DataStore.Stack().CreateStack(stack)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist the stack inside the database", Err: err}
|
|
}
|
|
|
|
doCleanUp = false
|
|
return handler.decorateStackResponse(w, stack, userID)
|
|
}
|
|
|
|
type composeStackFromFileUploadPayload struct {
|
|
Name string
|
|
StackFileContent []byte
|
|
Env []portainer.Pair
|
|
}
|
|
|
|
func decodeRequestForm(r *http.Request) (*composeStackFromFileUploadPayload, error) {
|
|
payload := &composeStackFromFileUploadPayload{}
|
|
name, err := request.RetrieveMultiPartFormValue(r, "Name", false)
|
|
if err != nil {
|
|
return nil, errors.New("Invalid stack name")
|
|
}
|
|
payload.Name = name
|
|
|
|
composeFileContent, _, err := request.RetrieveMultiPartFormFile(r, "file")
|
|
if err != nil {
|
|
return nil, errors.New("Invalid Compose file. Ensure that the Compose file is uploaded correctly")
|
|
}
|
|
payload.StackFileContent = composeFileContent
|
|
|
|
var env []portainer.Pair
|
|
err = request.RetrieveMultiPartFormJSONValue(r, "Env", &env, true)
|
|
if err != nil {
|
|
return nil, errors.New("Invalid Env parameter")
|
|
}
|
|
payload.Env = env
|
|
return payload, nil
|
|
}
|
|
|
|
func (handler *Handler) createComposeStackFromFileUpload(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint, userID portainer.UserID) *httperror.HandlerError {
|
|
payload, err := decodeRequestForm(r)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
|
|
}
|
|
|
|
payload.Name = handler.ComposeStackManager.NormalizeStackName(payload.Name)
|
|
|
|
isUnique, err := handler.checkUniqueName(endpoint, payload.Name, 0, false)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to check for name collision", Err: err}
|
|
}
|
|
if !isUnique {
|
|
errorMessage := fmt.Sprintf("A stack with the name '%s' already exists", payload.Name)
|
|
return &httperror.HandlerError{StatusCode: http.StatusConflict, Message: errorMessage, Err: errors.New(errorMessage)}
|
|
}
|
|
|
|
stackID := handler.DataStore.Stack().GetNextIdentifier()
|
|
stack := &portainer.Stack{
|
|
ID: portainer.StackID(stackID),
|
|
Name: payload.Name,
|
|
Type: portainer.DockerComposeStack,
|
|
EndpointID: endpoint.ID,
|
|
EntryPoint: filesystem.ComposeFileDefaultName,
|
|
Env: payload.Env,
|
|
Status: portainer.StackStatusActive,
|
|
CreationDate: time.Now().Unix(),
|
|
}
|
|
|
|
stackFolder := strconv.Itoa(int(stack.ID))
|
|
projectPath, err := handler.FileService.StoreStackFileFromBytes(stackFolder, stack.EntryPoint, payload.StackFileContent)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist Compose file on disk", Err: err}
|
|
}
|
|
stack.ProjectPath = projectPath
|
|
|
|
doCleanUp := true
|
|
defer handler.cleanUp(stack, &doCleanUp)
|
|
|
|
config, configErr := handler.createComposeDeployConfig(r, stack, endpoint)
|
|
if configErr != nil {
|
|
return configErr
|
|
}
|
|
|
|
err = handler.deployComposeStack(config)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
|
|
}
|
|
|
|
stack.CreatedBy = config.user.Username
|
|
|
|
err = handler.DataStore.Stack().CreateStack(stack)
|
|
if err != nil {
|
|
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist the stack inside the database", Err: err}
|
|
}
|
|
|
|
doCleanUp = false
|
|
return handler.decorateStackResponse(w, stack, userID)
|
|
}
|
|
|
|
type composeStackDeploymentConfig struct {
|
|
stack *portainer.Stack
|
|
endpoint *portainer.Endpoint
|
|
registries []portainer.Registry
|
|
isAdmin bool
|
|
user *portainer.User
|
|
}
|
|
|
|
func (handler *Handler) createComposeDeployConfig(r *http.Request, stack *portainer.Stack, endpoint *portainer.Endpoint) (*composeStackDeploymentConfig, *httperror.HandlerError) {
|
|
securityContext, err := security.RetrieveRestrictedRequestContext(r)
|
|
if err != nil {
|
|
return nil, &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve info from request context", Err: err}
|
|
}
|
|
|
|
user, err := handler.DataStore.User().User(securityContext.UserID)
|
|
if err != nil {
|
|
return nil, &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to load user information from the database", Err: err}
|
|
}
|
|
|
|
registries, err := handler.DataStore.Registry().Registries()
|
|
if err != nil {
|
|
return nil, &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve registries from the database", Err: err}
|
|
}
|
|
filteredRegistries := security.FilterRegistries(registries, user, securityContext.UserMemberships, endpoint.ID)
|
|
|
|
config := &composeStackDeploymentConfig{
|
|
stack: stack,
|
|
endpoint: endpoint,
|
|
registries: filteredRegistries,
|
|
isAdmin: securityContext.IsAdmin,
|
|
user: user,
|
|
}
|
|
|
|
return config, nil
|
|
}
|
|
|
|
// TODO: libcompose uses credentials store into a config.json file to pull images from
|
|
// private registries. Right now the only solution is to re-use the embedded Docker binary
|
|
// to login/logout, which will generate the required data in the config.json file and then
|
|
// clean it. Hence the use of the mutex.
|
|
// We should contribute to libcompose to support authentication without using the config.json file.
|
|
func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig) error {
|
|
isAdminOrEndpointAdmin, err := handler.userIsAdminOrEndpointAdmin(config.user, config.endpoint.ID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
securitySettings := &config.endpoint.SecuritySettings
|
|
|
|
if (!securitySettings.AllowBindMountsForRegularUsers ||
|
|
!securitySettings.AllowPrivilegedModeForRegularUsers ||
|
|
!securitySettings.AllowHostNamespaceForRegularUsers ||
|
|
!securitySettings.AllowDeviceMappingForRegularUsers ||
|
|
!securitySettings.AllowSysctlSettingForRegularUsers ||
|
|
!securitySettings.AllowContainerCapabilitiesForRegularUsers) &&
|
|
!isAdminOrEndpointAdmin {
|
|
|
|
composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
|
|
stackContent, err := handler.FileService.GetFileContent(composeFilePath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = handler.isValidStackFile(stackContent, securitySettings)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
handler.stackCreationMutex.Lock()
|
|
defer handler.stackCreationMutex.Unlock()
|
|
|
|
handler.SwarmStackManager.Login(config.registries, config.endpoint)
|
|
|
|
err = handler.ComposeStackManager.Up(config.stack, config.endpoint)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return handler.SwarmStackManager.Logout(config.endpoint)
|
|
}
|