vvzvlad/portainer
1
0
Fork 0
Code Issues 8 Pull Requests 4 Packages Projects Releases Wiki Activity

Compare commits

base: vvzvlad:2.6.2
Branches Tags
vvzvlad:develop vvzvlad:feat/2-stream-logs vvzvlad:feat/4-stack-breadcrumbs vvzvlad:feat/1-remove-ee-ui vvzvlad:feat/3-auto-update vvzvlad:release/2.43 vvzvlad:release/2.39 vvzvlad:community vvzvlad:release/2.39.3 vvzvlad:release/2.33 vvzvlad:release/2.42.0 vvzvlad:release/2.42 vvzvlad:release/2.41.1 vvzvlad:release/2.41 vvzvlad:release/2.39.2 vvzvlad:release/2.33.8 vvzvlad:release/2.41.0 vvzvlad:release/2.40.0 vvzvlad:release/2.40 vvzvlad:release/2.39.1 vvzvlad:release/2.39.0 vvzvlad:release/2.38.1 vvzvlad:release/2.38 vvzvlad:release/2.33.7 vvzvlad:release/2.38.0 vvzvlad:release/2.33.6 vvzvlad:release/2.37.0 vvzvlad:release/2.37 vvzvlad:release/2.33.5 vvzvlad:release/2.36.0 vvzvlad:release/2.36 vvzvlad:release/2.33.4 vvzvlad:release/2.33.3 vvzvlad:release/2.35.0 vvzvlad:release/2.35 vvzvlad:release/2.33.2 vvzvlad:release/2.34.0 vvzvlad:release/2.34 vvzvlad:release/2.33.1 vvzvlad:release/2.33.0 vvzvlad:release/2.33.0-rc2 vvzvlad:release/2.33.0-rc1 vvzvlad:release/2.32.0 vvzvlad:release/2.32 vvzvlad:release/2.32.0-rc1 vvzvlad:release/2.31.3 vvzvlad:release/2.31 vvzvlad:release/2.27.9 vvzvlad:release/2.27 vvzvlad:release/2.31.2 vvzvlad:release/2.27.8 vvzvlad:release/2.31.1 vvzvlad:release/2.27.7 vvzvlad:release/2.31.0 vvzvlad:release/2.30.1 vvzvlad:release/2.30 vvzvlad:release/2.30.0 vvzvlad:release/2.27.6 vvzvlad:release/2.27.5 vvzvlad:release/2.29.2 vvzvlad:release/2.29 vvzvlad:release/2.29.1 vvzvlad:release/2.29.0 vvzvlad:release/2.27.4 vvzvlad:release/2.27.3 vvzvlad:release/2.28.1 vvzvlad:release/2.28 vvzvlad:release/2.27.2 vvzvlad:release/2.28.0 vvzvlad:yd-develop vvzvlad:release/2.27.1 vvzvlad:release/2.27.0 vvzvlad:release/2.27.0-rc3 vvzvlad:lp-test-branch2 vvzvlad:release/2.27.0-rc2 vvzvlad:release/2.27.0-rc1 vvzvlad:release/2.26.1 vvzvlad:release/2.26 vvzvlad:release/2.26.0 vvzvlad:release/2.25.1 vvzvlad:release/2.25 vvzvlad:release/2.21.5 vvzvlad:release/2.21 vvzvlad:release/2.25.0 vvzvlad:release/2.24.1 vvzvlad:release/2.24 vvzvlad:release/2.24.0 vvzvlad:release/2.23 vvzvlad:release/2.22 vvzvlad:release/2.21.4 vvzvlad:placeholder vvzvlad:fix/r8s-120/app-table-settings-persistence vvzvlad:fix/r8s-109/alow-standard-user-to-edit-volumes vvzvlad:fix/r8s-103/more-resources-system-filtering vvzvlad:fix/BE-11102/force-redeploy-edge-stack vvzvlad:test-update vvzvlad:vault/release-2.21 vvzvlad:lp-test-branch1 vvzvlad:vault/develop vvzvlad:refactor/EE-7128/webeditor-doc-type vvzvlad:test-version-semver vvzvlad:feat/be-11276/be-ce-agent-change vvzvlad:feat/be-11276/be-ce-agent-change-lts vvzvlad:feat/be-11275/be-ce-change vvzvlad:feat/be-11275/change-be-ce-lts vvzvlad:vault/release-2.22 vvzvlad:fix/r8s-99/create-application-ns-dropdown vvzvlad:rc/2.22.0-rc1 vvzvlad:chore/BE-11236/change-linode-branding-to-akamai-connected-cloud vvzvlad:rc/2.21.0-rc2 vvzvlad:refactor/k8s-namespaces vvzvlad:rc/2.21.0-rc1 vvzvlad:fix/EE-7284/show-services-explaination vvzvlad:refactor/EE-2229/docker-images-list-view vvzvlad:refactor/EE-2208/docker-configs-list-view vvzvlad:refactor/EE-2300/env-item-view-react vvzvlad:develop-james-nfs vvzvlad:refactor/EE-6923/settings-api vvzvlad:fix/EE-7150/tls-cipher-suites-2.20 vvzvlad:release/2.20 vvzvlad:fix/7011/refactor3 vvzvlad:fix/EE-6631/wait-in-defer-close-websocket vvzvlad:fix/EE-7049/update-reachable-check-release vvzvlad:fix/EE-6705/namespace-yaml-no-rq vvzvlad:release/2.19 vvzvlad:refactor/data-cy vvzvlad:fix/EE-6855/removed-user-cause-auto-update-fail vvzvlad:fix/release/EE-6855/removed-user-cause-auto-update-failure vvzvlad:fix/release/EE-6855/removed-user-cause-auto-update-fail vvzvlad:fix/release/EE-6808/add-api-endpoint-access-check-1 vvzvlad:chore/XT-1188/add-data-cy-for-backup-and-restore vvzvlad:fix/EE-6843/tunnel-timeout vvzvlad:fix/EE-6818/api-error-message-rel vvzvlad:fix/EE-6818/api-error-message vvzvlad:fix/EE-6744/compose-runc-develop vvzvlad:fix/EE-5936/EE-6736/reject-to-assign-edge-admin vvzvlad:fix/release/EE-5936/EE-6736/reject-to-assign-edge-admin vvzvlad:fix/release/EE-6627/lint-failure vvzvlad:fix/EE-6627/lint-failure vvzvlad:fix/EE-6723/use-pure-admin-release vvzvlad:fix/EE-6723/use-pure-admin vvzvlad:fix/EE-6647/tables-correct-external-display-for-resource-release vvzvlad:fix/EE-6647/tables-correct-external-display-for-resource vvzvlad:fix/EE-6596/edge-stack-create-template vvzvlad:feat/EE-6454/support-docker-compose-run vvzvlad:refactor/EE-6549/EE-6444/git-redeploy-form-section vvzvlad:fix/EE-6411/env-vars-cursor-shift vvzvlad:fix/EE-6459/CVEs vvzvlad:fix/EE-661/staticcheck vvzvlad:fix/EE-6435/close-before-restore-release vvzvlad:revert-10718-fix/EE-6392/show-edit-external-app vvzvlad:fix/EE-6346/gitops-commit-links-2-release vvzvlad:fix/EE-5664/oauth-show-asterisks-placeholder-release vvzvlad:fix/release/EE-6373/target-path-exist-error-when-upgrade vvzvlad:fix/EE-6373/target-path-exist-error-when-upgrade vvzvlad:fix/EE-661/enable-ineffassign vvzvlad:fix/EE-6377/singleflight-gitops-rel vvzvlad:fix/EE-6114/gitops-data-race-rel vvzvlad:fix/EE-6114/gitops-data-race-dev vvzvlad:fix/EE-6373/upgrade-target-path-exists vvzvlad:fix/EE-6321/gitops-online-check-rel vvzvlad:fix/EE-6211/stack-build-context-validation-rel vvzvlad:fix/EE-6211/stack-build-context-validation-dev vvzvlad:release/2.19.2 vvzvlad:feat/EE-5573/related-changes vvzvlad:refactor/with-form-validation-set-field-value vvzvlad:refactor/EE-5521/migrate-app-create-form-to-react vvzvlad:refactor/EE-2307/EE-5207/container-base-form vvzvlad:fix/EE-4602/switch-color-fix-rel vvzvlad:fix/EE-4602/switch-color-fix-rel-new vvzvlad:feat/EE-4337/EE-4484/CE/docker-networks-datatable vvzvlad:refactor/EE-4337/service-task-datatable vvzvlad:fix/EE-5980/version-stack-backward-capability vvzvlad:snyk-fix-0fc01e6b5b4266e90ae8d7d367ac399f vvzvlad:feat/EE-4500/gorm-sqlite-poc vvzvlad:release/2.18 vvzvlad:fix/EE-5695/env-manage-access vvzvlad:fix/EE-5497/helm-repo-url-update vvzvlad:fix/EE-5406/remove-path-ingress-host-rel vvzvlad:fix/EE-3841/fix-associated-environments vvzvlad:refactor/EE-2270/EE-5502/settings-components vvzvlad:feat/EE-4986/enable-lb-np-type-ingresses vvzvlad:fix/EE-1976/support-copy-paste-in-container-console vvzvlad:fix/revert-makefile-218 vvzvlad:fix/dev-build-scripts vvzvlad:fix/EE-5311/endpoint-api-swagger-doc vvzvlad:fix/EE-3059/security-scan-debug vvzvlad:feat/EE-5028/security_teaser vvzvlad:fix/EE-5234/non-existent-pvc-rel vvzvlad:fix/EE-5234/non-existent-pvc vvzvlad:fix/EE-5149/namespace-cache-refresh-rel vvzvlad:fix/EE-4498/fix-swagger-id-types vvzvlad:fix/EE-4839/normalize-project-name vvzvlad:release/2.17 vvzvlad:feat/EE-4754/omit-empty vvzvlad:chore/update-tool-versions vvzvlad:fix/EE-4991/kube-storage-detection vvzvlad:chore/EE-4951/update-edgestack-test vvzvlad:chore/remove-old-pkg-path vvzvlad:feat/EE-4752/go-json vvzvlad:fix/release/EE-4781/no-error-message-if-ce-upgrade-fails vvzvlad:fix/EE-4766/fix-data-race-in-edgeJobTasksCollect vvzvlad:fix/EE-4781/no-error-message-if-ce-upgrade-fails vvzvlad:feat/EE-3604/ui-edge-devices vvzvlad:feat/EE-3417/EE-3418/multiple-git-repository vvzvlad:release/2.16 vvzvlad:fix/EE-4548/vulnerable-to-path-traversal-attacks vvzvlad:fix/EE-3155/cannot-save-internal-authentication vvzvlad:fix/EE-4286/update-tls-cert-for-docker-env vvzvlad:feat/fedex/sqlite vvzvlad:feat/fedex/sqlite-settings vvzvlad:revert-7749-bug/EE-4311/ingressclass-disallowed-rel vvzvlad:fix/EE-4322/namespace-disallow vvzvlad:fix/EE-4312/js-paths vvzvlad:release/2.15 vvzvlad:fix/EE-3641/page-title-fix vvzvlad:fix/root-provider vvzvlad:feat-fdo-1.1 vvzvlad:feat/EE-3894/ui-waiting-room-icon vvzvlad:snyk-fix-afd68b0b2e0ac933fa52b1544ba67c24 vvzvlad:feat/EE-3513/ui-docker-volume-browser-2 vvzvlad:feat/EE-3388/EE-3478/ui-improvements-namespace-access vvzvlad:feat/EE-3505/ui-docker-images-item-test vvzvlad:fix/EE-3683/stack-permissions-are-ignored vvzvlad:feat/EE-3576/portainer-wizard-ui-change vvzvlad:feat/EE-3375/ce/wizard-add-identifiers-for-TA vvzvlad:feat/EE-3491/new-docker-create-ui vvzvlad:release/2.14 vvzvlad:feat/DTD-102/new-logger vvzvlad:feat/EE-3533/ui-edge-stacks-create vvzvlad:fix/EE-2907/ce/missing-kubernetes-sidebar-entries vvzvlad:fix/EE-3686/fix-tooltip-double-issue vvzvlad:fix/ee-3506/update-image-list-ui vvzvlad:fix/EE-3521/swarm-service-list-ui vvzvlad:feature/EE-3636/icon-styling vvzvlad:fix/EE-3512/swarm-secrets-list-ui vvzvlad:fix/EE-3488/swarm-config-list-ui vvzvlad:fix/ee-3509/update-network-list-ui vvzvlad:fix/ee-3516/update-vol-list-ui vvzvlad:feat/EE-2552/EE-3451/-be-supply-build-info vvzvlad:oscarzhou-portainer-patch-1 vvzvlad:feat/EE-3079/edge-stack-logs vvzvlad:fix/EE-3445/open-tooltip-on-hover vvzvlad:fix/EE-3324/password-change-error vvzvlad:feat/EE-3252/remove-unused-port-on-extension vvzvlad:feat/3143-nvidia-container-toolkit vvzvlad:edge-wss vvzvlad:podman-2022 vvzvlad:release/2.13 vvzvlad:debug-api-endpoint vvzvlad:fix/EE-3152/tls-downgrade-release vvzvlad:feat/EE-3152/tls-downgrade vvzvlad:feat/EE-3062/EE-3085/document-extension vvzvlad:feat/ce-220-security-scan vvzvlad:fix/EE-2835/add-edge-groups-column-in-edge-device-view vvzvlad:feat/EE-2680/allow-env-vars-passed-on-webhooks vvzvlad:fix/EE-2966/migration-test-dev vvzvlad:feat/EE-2747/docker-desktop-extension-auto-generation vvzvlad:snyk-fix-bcb96aa2f9b730b2f44c3825ceba182a vvzvlad:fix/EE-2594/empty-network-option-in-windows vvzvlad:EE-2691-experiment vvzvlad:snyk-fix-af06d21279ebae87a2d003141849185d vvzvlad:fix/broken-go-lint-settings vvzvlad:release/1.25 vvzvlad:snyk-fix-411816fd9cf6e70ce95f0fc76a2e8f42 vvzvlad:feat/EE-810/EE-2691/disable-instance-if-not-initialized vvzvlad:fix/EE-2167/Migrate-124-users-to-213 vvzvlad:refactor/EE-2545/migration-improvements vvzvlad:feat/EE-2597/create-object-with-string-id vvzvlad:feat/EE-2404/async-edge-command-queue vvzvlad:1.24 vvzvlad:feat/support-agent-auto-upgrade vvzvlad:chore/reduce-dependency-obfuscation vvzvlad:fix/EE-2167/Migrate-1x-users-to-2x vvzvlad:feat/EE-2493/poc-mtls-for-edge-agent vvzvlad:spike/DTD-58/DTD-72/useractivity-middleware vvzvlad:fix/EE-2432/edge-stacks-status-update vvzvlad:master vvzvlad:release/2.11 vvzvlad:feat/dev-metrics vvzvlad:fix/EE-2489/release/amt-devices-table-hide-expand vvzvlad:2.11.1-fdo vvzvlad:fix/release/remove-double-import vvzvlad:feat/EE-1905/environment-type-filter vvzvlad:db-fixture-support vvzvlad:feat/edge-devices-view-react vvzvlad:feat/INT-32/intel-images-openamt vvzvlad:feat/EE-1852/EE-1983/encryption-key-with-store-refactor vvzvlad:feat/ee-1977/rollup-duplicated-volumes vvzvlad:feat/EE-1852/EE-1983/encryption-key vvzvlad:feat/EE-506/release-2.11-support-base-url vvzvlad:revert-6182-revert-6172-fix/INT-6/open-amt-config vvzvlad:fix/ee-2060/support-upload-huge-file vvzvlad:feat/INT-16/poc-amt-api-rpc-handler vvzvlad:fix/EE-1939/provide-right-order-to-registries-in-dropdown-menu vvzvlad:fix/EE-1973/container-logs-download-extra-CR vvzvlad:feat/INT-15/proxy-mps vvzvlad:release/2.9 vvzvlad:fix/swagger/restore-params vvzvlad:fork_branch vvzvlad:feat/EE-1942/resource-setting-update vvzvlad:toolkit-v2 vvzvlad:fix/EE-1922/harden-filesystem-service vvzvlad:fix/EE-1971/bubble-panic-error vvzvlad:fix/EE-1971/bubble-panic-error-release vvzvlad:chore/upgrade-to-bbolt vvzvlad:poc-searchbar vvzvlad:fix/EE-1867/standard-user-unable-to-access-pod-and-node-stats vvzvlad:fix/EE-1911/can-not-update-application-publishing-mode-develop vvzvlad:fix/EE-1911/can-not-update-application-publishing-mode vvzvlad:feat/EE-1611/EE-1878/pull-and-redeploy-button-visibility vvzvlad:fix/EE-1872/namespaces-stack-deletion-develop vvzvlad:fix/EE-1872/namespaces-stack-deletion vvzvlad:feat/EE-568/admin-auto-population-ldap-ce vvzvlad:fix/release-conflicts vvzvlad:feat/EE-568/admin-auto-population-ldap vvzvlad:snyk-fix-234920d529b1716a428f2b20a3048d37 vvzvlad:fix/EE-1845/ldap-user-enable-release vvzvlad:fix/EE-1845/ldap-user-enable vvzvlad:fix/EE-882/EE-1793/box-selector-icon-position vvzvlad:fix/EE-1316/jwt-is-exposed-in-the-activity-log vvzvlad:feat/EE-1543/Allow-Services-to-be-managed-for-external-kube-apps vvzvlad:feat/EE-189/EE-577/support-git-automated-sync-for-k8s-applications vvzvlad:feat/EE-577/EE-1760/remove-stack-when-no-app vvzvlad:XT-807-ui-automation-kube-smoke-tests-helm vvzvlad:feat/EE-1627/introduce-the-ability-to-filter-applications-by-type vvzvlad:bug/EE-1734/Registry-page-displays-No-registry-available-despite-being-dockerhub-registry-available vvzvlad:feat/EE-882/EE-1672/registry-view vvzvlad:feat/EE882/EE-1675/logs vvzvlad:fix/EE-1439/modify-new-data-store-check-logic vvzvlad:docs/add-tool-versions vvzvlad:fix/EE-1696/polling-webhook-of-stack-from vvzvlad:fix-release-production vvzvlad:fix/EE-1714/add-debug-log-for-volume-migration-develop vvzvlad:fix/EE-1714/add-debug-log-for-volume-migration vvzvlad:fix/EE-1707/cannot-deploy-git-stack-without-username-de vvzvlad:fix/EE-1707/cannot-deploy-git-stack-without-username vvzvlad:fix/EE-1678/failed-to-create-namespace-when-having-registry-de vvzvlad:feat/EE-1635/remove-stack-from-app-list vvzvlad:fix/EE-1710/Error-message-in-stats-view-non-admin-missing-description vvzvlad:fix/EE-1710/error-message-in-stats-view-non-admin-missing-description vvzvlad:fix/EE-1709/Fix-git-stack-authentication-on-by-default vvzvlad:fix/EE-1709/fix-git-stack-authentication-on-by-default vvzvlad:fix/EE-1712/no-icon-displayed-when-template-created-via-upload-file vvzvlad:fix/EE-1712/No-icon-displayed-when-template-created-via-upload-file vvzvlad:fix/EE-1678/failed-to-create-namespace-when-having-registry vvzvlad:fix/EE-1661/fully-rename-endpoint-to-environment-in-swagger-doc vvzvlad:fix/EE-1660/fix-custom-logo-not-updated vvzvlad:fix/EE-1636/fix-question-mark-alignment-in-PAT-field vvzvlad:test/node_env vvzvlad:fix/EE-1653/wrong_table_background_color_for_helm_application_listing vvzvlad:feat/ee-834/fix-openapi-errors vvzvlad:fix/EE-1073/fix_difficulties_selecting_mixed_protocols_for_k8s vvzvlad:feat/EE-1635/removed-stack-deletion-in-app-list-page vvzvlad:feat/EE-1089/First-UX-experience vvzvlad:fix/EE-1586/file-not-persisted-after-deployed-with-url vvzvlad:feat/EE-577/EE-1594/use-user-token-for-autoupdate vvzvlad:chore/EE-1052/Replace-all-the-references-to-deviantony vvzvlad:fix/EE-1591/non-admin-users-cannot-deploy-charts-containing-secrets vvzvlad:feat/EE-909/Dark_high_contrast_mode_supported vvzvlad:feat/EE-1206/Rename_endpoints_to_environments vvzvlad:snyk-fix-ed0fa419898eea7805b20ec7511ebde2 vvzvlad:fix/EE-1553/unable-to-apply-note-to-k8s-application vvzvlad:feat/EE-809/EE-466/kube-advanced-apps vvzvlad:feat/EE-1278/swagger-doc-fixes vvzvlad:fix/EE-1454/tag-not-attached-to-local-k8s-endpoint vvzvlad:fix/EE-1564/CE-missing-header-namespace-create-view vvzvlad:feat/EE-1096/CE-registry-delete-warning-modal vvzvlad:default-namespace-selector-behavior vvzvlad:snyk-fix-f52082e2df9f9108004d0a670eeb3f6a vvzvlad:snyk-fix-491ba6a89fe0b2b0e65e3b4c0ef0fd14 vvzvlad:fix/EE-1505/CE-update-default-namespace vvzvlad:fix/EE-1424/CE-equal-in-env-vars vvzvlad:fix/EE-1291/EE-1292/git-stack-form-validation-improvements vvzvlad:fix/release-commits-cherrypick vvzvlad:fix/EE-1540/fix_changing_helm_repo_not_refresh_issue vvzvlad:fix/EE-1540/changing_the_default_helm_repo_still_shows_old_charts vvzvlad:fix/EE-1511/robust-kubernetes-API-proxy vvzvlad:poc-kube-deploy-from-url vvzvlad:toolkit-update vvzvlad:release/2.6 vvzvlad:chore/EE-1509/replace-stalebot-with-action vvzvlad:feat/EE-466/EE-1199/front-end-CE-backport vvzvlad:release/2.6.3/EE-1143/update-networking-v1beta1-to-v1 vvzvlad:feat/EE-1502/auth-detail-not-remembered vvzvlad:feat/EE-466/EE-1189/backport-to-ce vvzvlad:feat/EE-248/EE-1425/enable-save-button-when-password-exists vvzvlad:fix/EE-1402/increment-api-version vvzvlad:feat/EE-1178/CE-clarify-metrics-switch vvzvlad:demo-v2 vvzvlad:feat/EE-248/EE-1323/dont-return-password-back vvzvlad:feat/EE-248/EE-1310/substituting-from-env-file-in vvzvlad:feat/update-github-banner vvzvlad:feat/update-readme-from-marketing vvzvlad:snyk-fix-6a198797807c43d474095224f758f0b8 vvzvlad:refactor/EE-1053/CE-rename-storage-section vvzvlad:feat/EE-951/CE-registries-accesses-relocation-indicator vvzvlad:feat/EE-883/CE-getting-started-page vvzvlad:snyk-fix-8976c3e2173dcb1c31a7b3f2e97ebc23 vvzvlad:fix/EE-1152/importing-images vvzvlad:feat/EE-1148/modify-ldap-get-groups-func vvzvlad:feat/EE-986/add-admin-mapping-section-inLDAP vvzvlad:feat/EE-1021/fe-backport-automated-sync-for-stacks vvzvlad:528 vvzvlad:feat/ee-370/ee-515/ce-update-to-1-16 vvzvlad:fix/EE-1072/ingresses-hostname-fields-fix vvzvlad:feat/EE-992/update-ldap-settings vvzvlad:feat/EE-930/admin-auto-population-oauth vvzvlad:feat/EE-971/admin-mapping-section-oauth vvzvlad:snyk-fix-f7a7da24eb70f58d73a6949d4765aa68 vvzvlad:feat/EE-975/mapping-oauth-group-to-admin-role vvzvlad:refactor4071-constants-step2 vvzvlad:feat/EE-971/admin-mapping-section vvzvlad:feat/EE-161/redeploy-stack-from-git vvzvlad:feat/EE-781/change-edit-stack-view vvzvlad:feat/EE-829/implement-edit-git-deploy-stack-endpoint vvzvlad:feat/EE-780/change-add-stack-view vvzvlad:snyk-fix-e6fed59bc40accf75940b773b4175580 vvzvlad:snyk-fix-536f1662b19d0dec5659b4501ba650d2 vvzvlad:feat/EE-447/k8s-advanced-deployment-from-git-repo vvzvlad:snyk-fix-6f2c5f2ac6b982591828a069f9645d54 vvzvlad:Testing-merge-of-161-446-447 vvzvlad:fix/EE-948/swagger-param-name-fix-for-endpoint-create vvzvlad:release/2.5 vvzvlad:feat/EE-786/create-stack-updates-for-git-sync vvzvlad:feat/GH/827-service-healthchecks vvzvlad:epic/CE-309/backup-private-registries-20210531 vvzvlad:fix/EE-812/can-not-deploy-stack-app-templates vvzvlad:snyk-fix-19f7491fbb67710fad7da7da2d291d88 vvzvlad:epic/CE-309/feat/CE-512/backport-ee-30-backend vvzvlad:feat/EE-608/update-store-and-retrieve-settings-handler vvzvlad:epic/CE-309/feat/CE-513/backport-ee-30-frontend vvzvlad:feat/EE-643/logout-logic-changes vvzvlad:feat/EE-672/CE-reorder-placement-policies-options vvzvlad:feat/EE-607/settings-view vvzvlad:fix/CE-575/type-downgrade-error vvzvlad:fix/EE-645/ACI-UAC-breaks-when-redeploying-container-with-same-name-as-one-already-existing vvzvlad:revert-5021-feat/EE-596/update-agent-version-in-deployment-instructions vvzvlad:feat/CE-223/migrate-selector vvzvlad:snyk-fix-520e95e409cb8ddd217a7f0aa2160ce9 vvzvlad:feat/EE-596/update-agent-version-in-deployment-instructions vvzvlad:snyk-fix-6fd487252f28262d8a4f0f6a99808327 vvzvlad:snyk-fix-5aff38ac9bd148fe8a3b5d45adb2dcc8 vvzvlad:snyk-fix-bdfbcf8def6d0925eb3a3090aa4fec17 vvzvlad:snyk-fix-c741bd40fab715925bb9221fefb7f1d9 vvzvlad:revert-4952-feat/CE-414/add-UAC-to-ACI vvzvlad:refactor/EE-31/use-docker-compose-wrapper vvzvlad:snyk-fix-89cdb3c26b67f4a51e27f70eeefcb3c4 vvzvlad:feat(backup)-backup-restore-system vvzvlad:feat(backup)-add-s3-stubs-to-ce vvzvlad:snyk-fix-a8022c23ed6afd9c00eb9dd4441da8ef vvzvlad:snyk-fix-b72acb2aca16fd54a76ac2eda18230d2 vvzvlad:fix/EE-458/pull-latest-image-toggle-missing vvzvlad:snyk-fix-dbde1a343d9bd699ea8bb876f27953de vvzvlad:snyk-fix-9de633ccccac0fa6c366b8c9747b637e vvzvlad:snyk-fix-d3a07bfe2eea4450b0c42fa6adb9007c vvzvlad:Chore--Add-Licenses-attributions vvzvlad:feat-1.24.2 vvzvlad:feat/CE/487-registry-access-control-merge vvzvlad:epic/CE-309/private-registries-backup vvzvlad:feat/CE/487-registry-access-control vvzvlad:fix/CE-478/Unable-to-save-cluster-configuration-with-fresh-deployment vvzvlad:feat/CE-493/update-docker-swarm-kubernetes-sidebars vvzvlad:feat/CE-490/kubernetes-registries-support vvzvlad:feat/CE-485/remove-registry-usage-information-panel vvzvlad:feat/CE-486/introduce-dockerhub-authenticated vvzvlad:feat/GH/4419-kubernetes-create-volume vvzvlad:feat/GH/4240-show-error-reason-when-custom-template-creation-fails vvzvlad:fix/CE-471/config-vars-showing-on-environment-variables-section-on-application-edit-screen vvzvlad:fix/CE/466-app-templates-not-loading-error vvzvlad:fix/CE/466-app-templates-not-loading vvzvlad:fix/CE-463/cluster-configuration-fresh-deployment vvzvlad:fix/CE/4843-update-application-persisted-data vvzvlad:fix/ce-51-labels vvzvlad:feat(dev)--CE-420-Add-automatic-rebase-to-github vvzvlad:2.1.1 vvzvlad:feat/GH/3143-nvidia-container-toolkit vvzvlad:feat/GH/4743-not-filter-custom-templates vvzvlad:release/2.1 vvzvlad:fix/private-registries vvzvlad:fix/ce-401-private-registry vvzvlad:feat/GH/4779-kubernetes-edit-yaml vvzvlad:fix-ce395-parse-empty-configuration-as-empty-string-yaml vvzvlad:fix-ce#394-trigger-port-validation-while-changing-protocol vvzvlad:fix-ce394-trigger-port-validation-while-changing-protocol vvzvlad:fix/missing-kubectl-download vvzvlad:sec/utils-extend vvzvlad:fix/compose-Bump-docker-compose-to-1.28.2 vvzvlad:feat/cd-187-docker-compose-wrapper vvzvlad:feat-4728-better-form-validation-for-configuration-keys vvzvlad:feat/cd-187-add-auth-proxy-to-docker-compose vvzvlad:chore-4473-bump-kompose-version vvzvlad:fix-4503-cannot-access-configuration-details-view-containing-binary-data vvzvlad:release/2.0.1 vvzvlad:feat/GH/4419-create-volume vvzvlad:fix/201-api-version vvzvlad:revert-4475-chore-ce-86-bump-kompose-version vvzvlad:CE-185-build-static-docker-compose-linux-binary vvzvlad:revert-4418-feat/gh/3889-stacks-create-update-dates vvzvlad:fix-4595-transform-username-to-be-dns-compliant vvzvlad:feat/GH/4011-pods-as-applications vvzvlad:fix-4553-revalidate-configuration-name-when-change-resource-pool vvzvlad:fix-4547-override-confgiuration-keys-disappear vvzvlad:feat4545-matomo vvzvlad:fix4463-resourcecontrol-deletion vvzvlad:feat95-applications-configurations-modals vvzvlad:fix/GH/4502-update-sensitive-configuration vvzvlad:feat/GH/4404-start-without-endpoint vvzvlad:fix/GH/4488-refreshing-yaml-panel-change-panel vvzvlad:fix/GH/4492-cluster-setup-incorrectly-expand-endpoint-sidebar vvzvlad:fix/GH/4490-invalid-display-load-balancer-panel vvzvlad:chore56-add-JS-source-map vvzvlad:Disable-Container-Capabilities-for-non-admins vvzvlad:fix/gh/4390-sort-labels vvzvlad:fix-k8s-daemonset-noschedule vvzvlad:fix-k8s-volume-filter vvzvlad:fix-k8s-system-volumes-filter vvzvlad:feat4204-banner vvzvlad:revert-4197-fix-login-after-restart vvzvlad:telemetry-matomo vvzvlad:mockup4003-placement vvzvlad:demo vvzvlad:feat-db-migration-1.24.1 vvzvlad:revert-3966-feat454-endpoint-url vvzvlad:fix3604-remove-runtime-persistence vvzvlad:fix3936-add-database-migration vvzvlad:feat-rbac-tests vvzvlad:poc-orphaned-stack vvzvlad:2.0 vvzvlad:feat3742-telemetry vvzvlad:feat3744-aci vvzvlad:feat3580-username-lowercase vvzvlad:fix3272-bad-volume-ownership vvzvlad:fix-windows-multiarch-build vvzvlad:feat-1807-service-network-management vvzvlad:fix3429-networks-object-undefined vvzvlad:hotfix-1.22.2 vvzvlad:feat2901-introduce-backup vvzvlad:feat2928-dockerhub-registry vvzvlad:feat1752-introduce-deploymentkeys vvzvlad:feat-upload-files-container vvzvlad:storidge-standalone vvzvlad:dbg11042019 vvzvlad:refactor-es9-migration vvzvlad:fix2626-endpoint-management-cmd-line vvzvlad:feat2456-ux-high-latency vvzvlad:feat1752-stack-deploy-keys vvzvlad:adsense vvzvlad:feat807-i18n vvzvlad:gh-pages-bkp
vvzvlad:2.39.3 vvzvlad:2.42.0 vvzvlad:2.41.1 vvzvlad:2.39.2 vvzvlad:2.33.8 vvzvlad:2.41.0 vvzvlad:2.40.0 vvzvlad:2.39.1 vvzvlad:2.39.0 vvzvlad:2.38.1 vvzvlad:2.33.7 vvzvlad:2.38.0 vvzvlad:2.33.6 vvzvlad:2.37.0 vvzvlad:2.33.5 vvzvlad:2.36.0 vvzvlad:2.33.4 vvzvlad:2.33.3 vvzvlad:2.35.0 vvzvlad:2.33.2 vvzvlad:2.34.0 vvzvlad:2.33.1 vvzvlad:2.33.0 vvzvlad:2.33.0-rc2 vvzvlad:2.33.0-rc1 vvzvlad:2.32.0 vvzvlad:2.32.0-rc1 vvzvlad:2.31.3 vvzvlad:2.27.9 vvzvlad:2.31.2 vvzvlad:2.27.8 vvzvlad:2.31.1 vvzvlad:2.27.7 vvzvlad:2.31.0 vvzvlad:2.30.1 vvzvlad:2.30.0 vvzvlad:2.27.6 vvzvlad:2.27.5 vvzvlad:2.29.2 vvzvlad:2.29.1 vvzvlad:2.29.0 vvzvlad:2.27.4 vvzvlad:2.27.3 vvzvlad:2.28.1 vvzvlad:2.27.2 vvzvlad:2.28.0 vvzvlad:2.27.1 vvzvlad:2.27.0 vvzvlad:2.27.0-rc3 vvzvlad:2.27.0-rc2 vvzvlad:2.27.0-rc1 vvzvlad:2.26.1 vvzvlad:2.26.0 vvzvlad:2.25.1 vvzvlad:2.21.5 vvzvlad:2.25.0 vvzvlad:2.24.1 vvzvlad:2.24.0 vvzvlad:2.21.4 vvzvlad:2.23.0 vvzvlad:2.21.3 vvzvlad:2.22.0 vvzvlad:2.22.0-rc1 vvzvlad:2.21.2 vvzvlad:2.21.1 vvzvlad:2.21.0 vvzvlad:2.21.0-rc2 vvzvlad:2.21.0-rc1 vvzvlad:2.20.3 vvzvlad:2.20.2 vvzvlad:2.19.5 vvzvlad:2.20.1 vvzvlad:2.20.0 vvzvlad:2.19.4 vvzvlad:2.19.3 vvzvlad:2.19.2 vvzvlad:2.19.1 vvzvlad:2.19.0 vvzvlad:2.18.4 vvzvlad:2.18.3 vvzvlad:2.18.2 vvzvlad:2.18.1 vvzvlad:2.17.1 vvzvlad:2.17.0 vvzvlad:2.16.2 vvzvlad:2.16.1 vvzvlad:2.16.0 vvzvlad:2.15.1 vvzvlad:2.15.0 vvzvlad:2.14.2 vvzvlad:2.14.1 vvzvlad:2.14.0 vvzvlad:2.13.1 vvzvlad:2.13.0 vvzvlad:1.25.0 vvzvlad:2.11.1 vvzvlad:2.11.0 vvzvlad:2.9.3 vvzvlad:2.9.2 vvzvlad:2.9.1 vvzvlad:2.9.0 vvzvlad:2.6.3 vvzvlad:2.6.2 vvzvlad:2.6.1 vvzvlad:2.6.0 vvzvlad:2.5.1 vvzvlad:2.5.0 vvzvlad:1.24.2 vvzvlad:2.1.1 vvzvlad:2.1.0 vvzvlad:2.0.1 vvzvlad:2.0.0 vvzvlad:1.24.1 vvzvlad:1.24.0 vvzvlad:1.23.2 vvzvlad:1.23.1 vvzvlad:1.23.0 vvzvlad:1.22.2 vvzvlad:1.22.1 vvzvlad:1.22.0 vvzvlad:edge_m2 vvzvlad:1.21.0 vvzvlad:1.20.2 vvzvlad:1.20.1 vvzvlad:1.20.0 vvzvlad:1.19.2 vvzvlad:1.19.1 vvzvlad:1.19.0 vvzvlad:1.18.1 vvzvlad:1.18.0 vvzvlad:1.17.1 vvzvlad:1.17.0 vvzvlad:1.16.5 vvzvlad:1.16.4 vvzvlad:1.16.3 vvzvlad:1.16.2 vvzvlad:1.16.1 vvzvlad:1.16.0 vvzvlad:1.15.5 vvzvlad:1.15.4 vvzvlad:1.15.3 vvzvlad:1.15.2 vvzvlad:1.15.1 vvzvlad:1.15.0 vvzvlad:1.14.3 vvzvlad:1.14.2 vvzvlad:1.14.1 vvzvlad:1.14.0 vvzvlad:1.13.6 vvzvlad:1.13.5 vvzvlad:1.13.4 vvzvlad:1.13.3 vvzvlad:1.13.2 vvzvlad:1.13.1 vvzvlad:1.13.0 vvzvlad:1.12.4 vvzvlad:1.12.3 vvzvlad:1.12.2 vvzvlad:1.12.1 vvzvlad:1.12.0 vvzvlad:1.11.4 vvzvlad:1.11.3 vvzvlad:1.11.2 vvzvlad:1.11.1 vvzvlad:1.11.0 vvzvlad:1.10.2 vvzvlad:1.10.1 vvzvlad:1.10.0 vvzvlad:1.9.3 vvzvlad:1.9.2 vvzvlad:1.9.1 vvzvlad:1.9.0 vvzvlad:internal-1.8.1 vvzvlad:1.8.1 vvzvlad:internal-1.8.0 vvzvlad:1.8.0 vvzvlad:internal-1.7.0 vvzvlad:1.7.0 vvzvlad:internal-1.6.0 vvzvlad:1.6.0 vvzvlad:internal-1.5.0 vvzvlad:1.5.0 vvzvlad:internal-1.4.0 vvzvlad:1.4.0 vvzvlad:internal-1.3.0 vvzvlad:1.3.0 vvzvlad:internal-1.2.0 vvzvlad:1.2.0 vvzvlad:1.1.0 vvzvlad:1.0.4 vvzvlad:1.0.3 vvzvlad:1.0.2 vvzvlad:1.0.1 vvzvlad:1.0.0 vvzvlad:v0.10.1 vvzvlad:v0.10.0 vvzvlad:v0.9.0 vvzvlad:v0.8.1 vvzvlad:v0.8.0 vvzvlad:v0.7.0 vvzvlad:v0.6.0 vvzvlad:v0.5
..
compare: vvzvlad:feat/EE-786/create-stack-updates-for-git-sync
Branches Tags
vvzvlad:feat/2-stream-logs vvzvlad:feat/4-stack-breadcrumbs vvzvlad:feat/1-remove-ee-ui vvzvlad:feat/3-auto-update vvzvlad:develop vvzvlad:release/2.43 vvzvlad:release/2.39 vvzvlad:community vvzvlad:release/2.39.3 vvzvlad:release/2.33 vvzvlad:release/2.42.0 vvzvlad:release/2.42 vvzvlad:release/2.41.1 vvzvlad:release/2.41 vvzvlad:release/2.39.2 vvzvlad:release/2.33.8 vvzvlad:release/2.41.0 vvzvlad:release/2.40.0 vvzvlad:release/2.40 vvzvlad:release/2.39.1 vvzvlad:release/2.39.0 vvzvlad:release/2.38.1 vvzvlad:release/2.38 vvzvlad:release/2.33.7 vvzvlad:release/2.38.0 vvzvlad:release/2.33.6 vvzvlad:release/2.37.0 vvzvlad:release/2.37 vvzvlad:release/2.33.5 vvzvlad:release/2.36.0 vvzvlad:release/2.36 vvzvlad:release/2.33.4 vvzvlad:release/2.33.3 vvzvlad:release/2.35.0 vvzvlad:release/2.35 vvzvlad:release/2.33.2 vvzvlad:release/2.34.0 vvzvlad:release/2.34 vvzvlad:release/2.33.1 vvzvlad:release/2.33.0 vvzvlad:release/2.33.0-rc2 vvzvlad:release/2.33.0-rc1 vvzvlad:release/2.32.0 vvzvlad:release/2.32 vvzvlad:release/2.32.0-rc1 vvzvlad:release/2.31.3 vvzvlad:release/2.31 vvzvlad:release/2.27.9 vvzvlad:release/2.27 vvzvlad:release/2.31.2 vvzvlad:release/2.27.8 vvzvlad:release/2.31.1 vvzvlad:release/2.27.7 vvzvlad:release/2.31.0 vvzvlad:release/2.30.1 vvzvlad:release/2.30 vvzvlad:release/2.30.0 vvzvlad:release/2.27.6 vvzvlad:release/2.27.5 vvzvlad:release/2.29.2 vvzvlad:release/2.29 vvzvlad:release/2.29.1 vvzvlad:release/2.29.0 vvzvlad:release/2.27.4 vvzvlad:release/2.27.3 vvzvlad:release/2.28.1 vvzvlad:release/2.28 vvzvlad:release/2.27.2 vvzvlad:release/2.28.0 vvzvlad:yd-develop vvzvlad:release/2.27.1 vvzvlad:release/2.27.0 vvzvlad:release/2.27.0-rc3 vvzvlad:lp-test-branch2 vvzvlad:release/2.27.0-rc2 vvzvlad:release/2.27.0-rc1 vvzvlad:release/2.26.1 vvzvlad:release/2.26 vvzvlad:release/2.26.0 vvzvlad:release/2.25.1 vvzvlad:release/2.25 vvzvlad:release/2.21.5 vvzvlad:release/2.21 vvzvlad:release/2.25.0 vvzvlad:release/2.24.1 vvzvlad:release/2.24 vvzvlad:release/2.24.0 vvzvlad:release/2.23 vvzvlad:release/2.22 vvzvlad:release/2.21.4 vvzvlad:placeholder vvzvlad:fix/r8s-120/app-table-settings-persistence vvzvlad:fix/r8s-109/alow-standard-user-to-edit-volumes vvzvlad:fix/r8s-103/more-resources-system-filtering vvzvlad:fix/BE-11102/force-redeploy-edge-stack vvzvlad:test-update vvzvlad:vault/release-2.21 vvzvlad:lp-test-branch1 vvzvlad:vault/develop vvzvlad:refactor/EE-7128/webeditor-doc-type vvzvlad:test-version-semver vvzvlad:feat/be-11276/be-ce-agent-change vvzvlad:feat/be-11276/be-ce-agent-change-lts vvzvlad:feat/be-11275/be-ce-change vvzvlad:feat/be-11275/change-be-ce-lts vvzvlad:vault/release-2.22 vvzvlad:fix/r8s-99/create-application-ns-dropdown vvzvlad:rc/2.22.0-rc1 vvzvlad:chore/BE-11236/change-linode-branding-to-akamai-connected-cloud vvzvlad:rc/2.21.0-rc2 vvzvlad:refactor/k8s-namespaces vvzvlad:rc/2.21.0-rc1 vvzvlad:fix/EE-7284/show-services-explaination vvzvlad:refactor/EE-2229/docker-images-list-view vvzvlad:refactor/EE-2208/docker-configs-list-view vvzvlad:refactor/EE-2300/env-item-view-react vvzvlad:develop-james-nfs vvzvlad:refactor/EE-6923/settings-api vvzvlad:fix/EE-7150/tls-cipher-suites-2.20 vvzvlad:release/2.20 vvzvlad:fix/7011/refactor3 vvzvlad:fix/EE-6631/wait-in-defer-close-websocket vvzvlad:fix/EE-7049/update-reachable-check-release vvzvlad:fix/EE-6705/namespace-yaml-no-rq vvzvlad:release/2.19 vvzvlad:refactor/data-cy vvzvlad:fix/EE-6855/removed-user-cause-auto-update-fail vvzvlad:fix/release/EE-6855/removed-user-cause-auto-update-failure vvzvlad:fix/release/EE-6855/removed-user-cause-auto-update-fail vvzvlad:fix/release/EE-6808/add-api-endpoint-access-check-1 vvzvlad:chore/XT-1188/add-data-cy-for-backup-and-restore vvzvlad:fix/EE-6843/tunnel-timeout vvzvlad:fix/EE-6818/api-error-message-rel vvzvlad:fix/EE-6818/api-error-message vvzvlad:fix/EE-6744/compose-runc-develop vvzvlad:fix/EE-5936/EE-6736/reject-to-assign-edge-admin vvzvlad:fix/release/EE-5936/EE-6736/reject-to-assign-edge-admin vvzvlad:fix/release/EE-6627/lint-failure vvzvlad:fix/EE-6627/lint-failure vvzvlad:fix/EE-6723/use-pure-admin-release vvzvlad:fix/EE-6723/use-pure-admin vvzvlad:fix/EE-6647/tables-correct-external-display-for-resource-release vvzvlad:fix/EE-6647/tables-correct-external-display-for-resource vvzvlad:fix/EE-6596/edge-stack-create-template vvzvlad:feat/EE-6454/support-docker-compose-run vvzvlad:refactor/EE-6549/EE-6444/git-redeploy-form-section vvzvlad:fix/EE-6411/env-vars-cursor-shift vvzvlad:fix/EE-6459/CVEs vvzvlad:fix/EE-661/staticcheck vvzvlad:fix/EE-6435/close-before-restore-release vvzvlad:revert-10718-fix/EE-6392/show-edit-external-app vvzvlad:fix/EE-6346/gitops-commit-links-2-release vvzvlad:fix/EE-5664/oauth-show-asterisks-placeholder-release vvzvlad:fix/release/EE-6373/target-path-exist-error-when-upgrade vvzvlad:fix/EE-6373/target-path-exist-error-when-upgrade vvzvlad:fix/EE-661/enable-ineffassign vvzvlad:fix/EE-6377/singleflight-gitops-rel vvzvlad:fix/EE-6114/gitops-data-race-rel vvzvlad:fix/EE-6114/gitops-data-race-dev vvzvlad:fix/EE-6373/upgrade-target-path-exists vvzvlad:fix/EE-6321/gitops-online-check-rel vvzvlad:fix/EE-6211/stack-build-context-validation-rel vvzvlad:fix/EE-6211/stack-build-context-validation-dev vvzvlad:release/2.19.2 vvzvlad:feat/EE-5573/related-changes vvzvlad:refactor/with-form-validation-set-field-value vvzvlad:refactor/EE-5521/migrate-app-create-form-to-react vvzvlad:refactor/EE-2307/EE-5207/container-base-form vvzvlad:fix/EE-4602/switch-color-fix-rel vvzvlad:fix/EE-4602/switch-color-fix-rel-new vvzvlad:feat/EE-4337/EE-4484/CE/docker-networks-datatable vvzvlad:refactor/EE-4337/service-task-datatable vvzvlad:fix/EE-5980/version-stack-backward-capability vvzvlad:snyk-fix-0fc01e6b5b4266e90ae8d7d367ac399f vvzvlad:feat/EE-4500/gorm-sqlite-poc vvzvlad:release/2.18 vvzvlad:fix/EE-5695/env-manage-access vvzvlad:fix/EE-5497/helm-repo-url-update vvzvlad:fix/EE-5406/remove-path-ingress-host-rel vvzvlad:fix/EE-3841/fix-associated-environments vvzvlad:refactor/EE-2270/EE-5502/settings-components vvzvlad:feat/EE-4986/enable-lb-np-type-ingresses vvzvlad:fix/EE-1976/support-copy-paste-in-container-console vvzvlad:fix/revert-makefile-218 vvzvlad:fix/dev-build-scripts vvzvlad:fix/EE-5311/endpoint-api-swagger-doc vvzvlad:fix/EE-3059/security-scan-debug vvzvlad:feat/EE-5028/security_teaser vvzvlad:fix/EE-5234/non-existent-pvc-rel vvzvlad:fix/EE-5234/non-existent-pvc vvzvlad:fix/EE-5149/namespace-cache-refresh-rel vvzvlad:fix/EE-4498/fix-swagger-id-types vvzvlad:fix/EE-4839/normalize-project-name vvzvlad:release/2.17 vvzvlad:feat/EE-4754/omit-empty vvzvlad:chore/update-tool-versions vvzvlad:fix/EE-4991/kube-storage-detection vvzvlad:chore/EE-4951/update-edgestack-test vvzvlad:chore/remove-old-pkg-path vvzvlad:feat/EE-4752/go-json vvzvlad:fix/release/EE-4781/no-error-message-if-ce-upgrade-fails vvzvlad:fix/EE-4766/fix-data-race-in-edgeJobTasksCollect vvzvlad:fix/EE-4781/no-error-message-if-ce-upgrade-fails vvzvlad:feat/EE-3604/ui-edge-devices vvzvlad:feat/EE-3417/EE-3418/multiple-git-repository vvzvlad:release/2.16 vvzvlad:fix/EE-4548/vulnerable-to-path-traversal-attacks vvzvlad:fix/EE-3155/cannot-save-internal-authentication vvzvlad:fix/EE-4286/update-tls-cert-for-docker-env vvzvlad:feat/fedex/sqlite vvzvlad:feat/fedex/sqlite-settings vvzvlad:revert-7749-bug/EE-4311/ingressclass-disallowed-rel vvzvlad:fix/EE-4322/namespace-disallow vvzvlad:fix/EE-4312/js-paths vvzvlad:release/2.15 vvzvlad:fix/EE-3641/page-title-fix vvzvlad:fix/root-provider vvzvlad:feat-fdo-1.1 vvzvlad:feat/EE-3894/ui-waiting-room-icon vvzvlad:snyk-fix-afd68b0b2e0ac933fa52b1544ba67c24 vvzvlad:feat/EE-3513/ui-docker-volume-browser-2 vvzvlad:feat/EE-3388/EE-3478/ui-improvements-namespace-access vvzvlad:feat/EE-3505/ui-docker-images-item-test vvzvlad:fix/EE-3683/stack-permissions-are-ignored vvzvlad:feat/EE-3576/portainer-wizard-ui-change vvzvlad:feat/EE-3375/ce/wizard-add-identifiers-for-TA vvzvlad:feat/EE-3491/new-docker-create-ui vvzvlad:release/2.14 vvzvlad:feat/DTD-102/new-logger vvzvlad:feat/EE-3533/ui-edge-stacks-create vvzvlad:fix/EE-2907/ce/missing-kubernetes-sidebar-entries vvzvlad:fix/EE-3686/fix-tooltip-double-issue vvzvlad:fix/ee-3506/update-image-list-ui vvzvlad:fix/EE-3521/swarm-service-list-ui vvzvlad:feature/EE-3636/icon-styling vvzvlad:fix/EE-3512/swarm-secrets-list-ui vvzvlad:fix/EE-3488/swarm-config-list-ui vvzvlad:fix/ee-3509/update-network-list-ui vvzvlad:fix/ee-3516/update-vol-list-ui vvzvlad:feat/EE-2552/EE-3451/-be-supply-build-info vvzvlad:oscarzhou-portainer-patch-1 vvzvlad:feat/EE-3079/edge-stack-logs vvzvlad:fix/EE-3445/open-tooltip-on-hover vvzvlad:fix/EE-3324/password-change-error vvzvlad:feat/EE-3252/remove-unused-port-on-extension vvzvlad:feat/3143-nvidia-container-toolkit vvzvlad:edge-wss vvzvlad:podman-2022 vvzvlad:release/2.13 vvzvlad:debug-api-endpoint vvzvlad:fix/EE-3152/tls-downgrade-release vvzvlad:feat/EE-3152/tls-downgrade vvzvlad:feat/EE-3062/EE-3085/document-extension vvzvlad:feat/ce-220-security-scan vvzvlad:fix/EE-2835/add-edge-groups-column-in-edge-device-view vvzvlad:feat/EE-2680/allow-env-vars-passed-on-webhooks vvzvlad:fix/EE-2966/migration-test-dev vvzvlad:feat/EE-2747/docker-desktop-extension-auto-generation vvzvlad:snyk-fix-bcb96aa2f9b730b2f44c3825ceba182a vvzvlad:fix/EE-2594/empty-network-option-in-windows vvzvlad:EE-2691-experiment vvzvlad:snyk-fix-af06d21279ebae87a2d003141849185d vvzvlad:fix/broken-go-lint-settings vvzvlad:release/1.25 vvzvlad:snyk-fix-411816fd9cf6e70ce95f0fc76a2e8f42 vvzvlad:feat/EE-810/EE-2691/disable-instance-if-not-initialized vvzvlad:fix/EE-2167/Migrate-124-users-to-213 vvzvlad:refactor/EE-2545/migration-improvements vvzvlad:feat/EE-2597/create-object-with-string-id vvzvlad:feat/EE-2404/async-edge-command-queue vvzvlad:1.24 vvzvlad:feat/support-agent-auto-upgrade vvzvlad:chore/reduce-dependency-obfuscation vvzvlad:fix/EE-2167/Migrate-1x-users-to-2x vvzvlad:feat/EE-2493/poc-mtls-for-edge-agent vvzvlad:spike/DTD-58/DTD-72/useractivity-middleware vvzvlad:fix/EE-2432/edge-stacks-status-update vvzvlad:master vvzvlad:release/2.11 vvzvlad:feat/dev-metrics vvzvlad:fix/EE-2489/release/amt-devices-table-hide-expand vvzvlad:2.11.1-fdo vvzvlad:fix/release/remove-double-import vvzvlad:feat/EE-1905/environment-type-filter vvzvlad:db-fixture-support vvzvlad:feat/edge-devices-view-react vvzvlad:feat/INT-32/intel-images-openamt vvzvlad:feat/EE-1852/EE-1983/encryption-key-with-store-refactor vvzvlad:feat/ee-1977/rollup-duplicated-volumes vvzvlad:feat/EE-1852/EE-1983/encryption-key vvzvlad:feat/EE-506/release-2.11-support-base-url vvzvlad:revert-6182-revert-6172-fix/INT-6/open-amt-config vvzvlad:fix/ee-2060/support-upload-huge-file vvzvlad:feat/INT-16/poc-amt-api-rpc-handler vvzvlad:fix/EE-1939/provide-right-order-to-registries-in-dropdown-menu vvzvlad:fix/EE-1973/container-logs-download-extra-CR vvzvlad:feat/INT-15/proxy-mps vvzvlad:release/2.9 vvzvlad:fix/swagger/restore-params vvzvlad:fork_branch vvzvlad:feat/EE-1942/resource-setting-update vvzvlad:toolkit-v2 vvzvlad:fix/EE-1922/harden-filesystem-service vvzvlad:fix/EE-1971/bubble-panic-error vvzvlad:fix/EE-1971/bubble-panic-error-release vvzvlad:chore/upgrade-to-bbolt vvzvlad:poc-searchbar vvzvlad:fix/EE-1867/standard-user-unable-to-access-pod-and-node-stats vvzvlad:fix/EE-1911/can-not-update-application-publishing-mode-develop vvzvlad:fix/EE-1911/can-not-update-application-publishing-mode vvzvlad:feat/EE-1611/EE-1878/pull-and-redeploy-button-visibility vvzvlad:fix/EE-1872/namespaces-stack-deletion-develop vvzvlad:fix/EE-1872/namespaces-stack-deletion vvzvlad:feat/EE-568/admin-auto-population-ldap-ce vvzvlad:fix/release-conflicts vvzvlad:feat/EE-568/admin-auto-population-ldap vvzvlad:snyk-fix-234920d529b1716a428f2b20a3048d37 vvzvlad:fix/EE-1845/ldap-user-enable-release vvzvlad:fix/EE-1845/ldap-user-enable vvzvlad:fix/EE-882/EE-1793/box-selector-icon-position vvzvlad:fix/EE-1316/jwt-is-exposed-in-the-activity-log vvzvlad:feat/EE-1543/Allow-Services-to-be-managed-for-external-kube-apps vvzvlad:feat/EE-189/EE-577/support-git-automated-sync-for-k8s-applications vvzvlad:feat/EE-577/EE-1760/remove-stack-when-no-app vvzvlad:XT-807-ui-automation-kube-smoke-tests-helm vvzvlad:feat/EE-1627/introduce-the-ability-to-filter-applications-by-type vvzvlad:bug/EE-1734/Registry-page-displays-No-registry-available-despite-being-dockerhub-registry-available vvzvlad:feat/EE-882/EE-1672/registry-view vvzvlad:feat/EE882/EE-1675/logs vvzvlad:fix/EE-1439/modify-new-data-store-check-logic vvzvlad:docs/add-tool-versions vvzvlad:fix/EE-1696/polling-webhook-of-stack-from vvzvlad:fix-release-production vvzvlad:fix/EE-1714/add-debug-log-for-volume-migration-develop vvzvlad:fix/EE-1714/add-debug-log-for-volume-migration vvzvlad:fix/EE-1707/cannot-deploy-git-stack-without-username-de vvzvlad:fix/EE-1707/cannot-deploy-git-stack-without-username vvzvlad:fix/EE-1678/failed-to-create-namespace-when-having-registry-de vvzvlad:feat/EE-1635/remove-stack-from-app-list vvzvlad:fix/EE-1710/Error-message-in-stats-view-non-admin-missing-description vvzvlad:fix/EE-1710/error-message-in-stats-view-non-admin-missing-description vvzvlad:fix/EE-1709/Fix-git-stack-authentication-on-by-default vvzvlad:fix/EE-1709/fix-git-stack-authentication-on-by-default vvzvlad:fix/EE-1712/no-icon-displayed-when-template-created-via-upload-file vvzvlad:fix/EE-1712/No-icon-displayed-when-template-created-via-upload-file vvzvlad:fix/EE-1678/failed-to-create-namespace-when-having-registry vvzvlad:fix/EE-1661/fully-rename-endpoint-to-environment-in-swagger-doc vvzvlad:fix/EE-1660/fix-custom-logo-not-updated vvzvlad:fix/EE-1636/fix-question-mark-alignment-in-PAT-field vvzvlad:test/node_env vvzvlad:fix/EE-1653/wrong_table_background_color_for_helm_application_listing vvzvlad:feat/ee-834/fix-openapi-errors vvzvlad:fix/EE-1073/fix_difficulties_selecting_mixed_protocols_for_k8s vvzvlad:feat/EE-1635/removed-stack-deletion-in-app-list-page vvzvlad:feat/EE-1089/First-UX-experience vvzvlad:fix/EE-1586/file-not-persisted-after-deployed-with-url vvzvlad:feat/EE-577/EE-1594/use-user-token-for-autoupdate vvzvlad:chore/EE-1052/Replace-all-the-references-to-deviantony vvzvlad:fix/EE-1591/non-admin-users-cannot-deploy-charts-containing-secrets vvzvlad:feat/EE-909/Dark_high_contrast_mode_supported vvzvlad:feat/EE-1206/Rename_endpoints_to_environments vvzvlad:snyk-fix-ed0fa419898eea7805b20ec7511ebde2 vvzvlad:fix/EE-1553/unable-to-apply-note-to-k8s-application vvzvlad:feat/EE-809/EE-466/kube-advanced-apps vvzvlad:feat/EE-1278/swagger-doc-fixes vvzvlad:fix/EE-1454/tag-not-attached-to-local-k8s-endpoint vvzvlad:fix/EE-1564/CE-missing-header-namespace-create-view vvzvlad:feat/EE-1096/CE-registry-delete-warning-modal vvzvlad:default-namespace-selector-behavior vvzvlad:snyk-fix-f52082e2df9f9108004d0a670eeb3f6a vvzvlad:snyk-fix-491ba6a89fe0b2b0e65e3b4c0ef0fd14 vvzvlad:fix/EE-1505/CE-update-default-namespace vvzvlad:fix/EE-1424/CE-equal-in-env-vars vvzvlad:fix/EE-1291/EE-1292/git-stack-form-validation-improvements vvzvlad:fix/release-commits-cherrypick vvzvlad:fix/EE-1540/fix_changing_helm_repo_not_refresh_issue vvzvlad:fix/EE-1540/changing_the_default_helm_repo_still_shows_old_charts vvzvlad:fix/EE-1511/robust-kubernetes-API-proxy vvzvlad:poc-kube-deploy-from-url vvzvlad:toolkit-update vvzvlad:release/2.6 vvzvlad:chore/EE-1509/replace-stalebot-with-action vvzvlad:feat/EE-466/EE-1199/front-end-CE-backport vvzvlad:release/2.6.3/EE-1143/update-networking-v1beta1-to-v1 vvzvlad:feat/EE-1502/auth-detail-not-remembered vvzvlad:feat/EE-466/EE-1189/backport-to-ce vvzvlad:feat/EE-248/EE-1425/enable-save-button-when-password-exists vvzvlad:fix/EE-1402/increment-api-version vvzvlad:feat/EE-1178/CE-clarify-metrics-switch vvzvlad:demo-v2 vvzvlad:feat/EE-248/EE-1323/dont-return-password-back vvzvlad:feat/EE-248/EE-1310/substituting-from-env-file-in vvzvlad:feat/update-github-banner vvzvlad:feat/update-readme-from-marketing vvzvlad:snyk-fix-6a198797807c43d474095224f758f0b8 vvzvlad:refactor/EE-1053/CE-rename-storage-section vvzvlad:feat/EE-951/CE-registries-accesses-relocation-indicator vvzvlad:feat/EE-883/CE-getting-started-page vvzvlad:snyk-fix-8976c3e2173dcb1c31a7b3f2e97ebc23 vvzvlad:fix/EE-1152/importing-images vvzvlad:feat/EE-1148/modify-ldap-get-groups-func vvzvlad:feat/EE-986/add-admin-mapping-section-inLDAP vvzvlad:feat/EE-1021/fe-backport-automated-sync-for-stacks vvzvlad:528 vvzvlad:feat/ee-370/ee-515/ce-update-to-1-16 vvzvlad:fix/EE-1072/ingresses-hostname-fields-fix vvzvlad:feat/EE-992/update-ldap-settings vvzvlad:feat/EE-930/admin-auto-population-oauth vvzvlad:feat/EE-971/admin-mapping-section-oauth vvzvlad:snyk-fix-f7a7da24eb70f58d73a6949d4765aa68 vvzvlad:feat/EE-975/mapping-oauth-group-to-admin-role vvzvlad:refactor4071-constants-step2 vvzvlad:feat/EE-971/admin-mapping-section vvzvlad:feat/EE-161/redeploy-stack-from-git vvzvlad:feat/EE-781/change-edit-stack-view vvzvlad:feat/EE-829/implement-edit-git-deploy-stack-endpoint vvzvlad:feat/EE-780/change-add-stack-view vvzvlad:snyk-fix-e6fed59bc40accf75940b773b4175580 vvzvlad:snyk-fix-536f1662b19d0dec5659b4501ba650d2 vvzvlad:feat/EE-447/k8s-advanced-deployment-from-git-repo vvzvlad:snyk-fix-6f2c5f2ac6b982591828a069f9645d54 vvzvlad:Testing-merge-of-161-446-447 vvzvlad:fix/EE-948/swagger-param-name-fix-for-endpoint-create vvzvlad:release/2.5 vvzvlad:feat/EE-786/create-stack-updates-for-git-sync vvzvlad:feat/GH/827-service-healthchecks vvzvlad:epic/CE-309/backup-private-registries-20210531 vvzvlad:fix/EE-812/can-not-deploy-stack-app-templates vvzvlad:snyk-fix-19f7491fbb67710fad7da7da2d291d88 vvzvlad:epic/CE-309/feat/CE-512/backport-ee-30-backend vvzvlad:feat/EE-608/update-store-and-retrieve-settings-handler vvzvlad:epic/CE-309/feat/CE-513/backport-ee-30-frontend vvzvlad:feat/EE-643/logout-logic-changes vvzvlad:feat/EE-672/CE-reorder-placement-policies-options vvzvlad:feat/EE-607/settings-view vvzvlad:fix/CE-575/type-downgrade-error vvzvlad:fix/EE-645/ACI-UAC-breaks-when-redeploying-container-with-same-name-as-one-already-existing vvzvlad:revert-5021-feat/EE-596/update-agent-version-in-deployment-instructions vvzvlad:feat/CE-223/migrate-selector vvzvlad:snyk-fix-520e95e409cb8ddd217a7f0aa2160ce9 vvzvlad:feat/EE-596/update-agent-version-in-deployment-instructions vvzvlad:snyk-fix-6fd487252f28262d8a4f0f6a99808327 vvzvlad:snyk-fix-5aff38ac9bd148fe8a3b5d45adb2dcc8 vvzvlad:snyk-fix-bdfbcf8def6d0925eb3a3090aa4fec17 vvzvlad:snyk-fix-c741bd40fab715925bb9221fefb7f1d9 vvzvlad:revert-4952-feat/CE-414/add-UAC-to-ACI vvzvlad:refactor/EE-31/use-docker-compose-wrapper vvzvlad:snyk-fix-89cdb3c26b67f4a51e27f70eeefcb3c4 vvzvlad:feat(backup)-backup-restore-system vvzvlad:feat(backup)-add-s3-stubs-to-ce vvzvlad:snyk-fix-a8022c23ed6afd9c00eb9dd4441da8ef vvzvlad:snyk-fix-b72acb2aca16fd54a76ac2eda18230d2 vvzvlad:fix/EE-458/pull-latest-image-toggle-missing vvzvlad:snyk-fix-dbde1a343d9bd699ea8bb876f27953de vvzvlad:snyk-fix-9de633ccccac0fa6c366b8c9747b637e vvzvlad:snyk-fix-d3a07bfe2eea4450b0c42fa6adb9007c vvzvlad:Chore--Add-Licenses-attributions vvzvlad:feat-1.24.2 vvzvlad:feat/CE/487-registry-access-control-merge vvzvlad:epic/CE-309/private-registries-backup vvzvlad:feat/CE/487-registry-access-control vvzvlad:fix/CE-478/Unable-to-save-cluster-configuration-with-fresh-deployment vvzvlad:feat/CE-493/update-docker-swarm-kubernetes-sidebars vvzvlad:feat/CE-490/kubernetes-registries-support vvzvlad:feat/CE-485/remove-registry-usage-information-panel vvzvlad:feat/CE-486/introduce-dockerhub-authenticated vvzvlad:feat/GH/4419-kubernetes-create-volume vvzvlad:feat/GH/4240-show-error-reason-when-custom-template-creation-fails vvzvlad:fix/CE-471/config-vars-showing-on-environment-variables-section-on-application-edit-screen vvzvlad:fix/CE/466-app-templates-not-loading-error vvzvlad:fix/CE/466-app-templates-not-loading vvzvlad:fix/CE-463/cluster-configuration-fresh-deployment vvzvlad:fix/CE/4843-update-application-persisted-data vvzvlad:fix/ce-51-labels vvzvlad:feat(dev)--CE-420-Add-automatic-rebase-to-github vvzvlad:2.1.1 vvzvlad:feat/GH/3143-nvidia-container-toolkit vvzvlad:feat/GH/4743-not-filter-custom-templates vvzvlad:release/2.1 vvzvlad:fix/private-registries vvzvlad:fix/ce-401-private-registry vvzvlad:feat/GH/4779-kubernetes-edit-yaml vvzvlad:fix-ce395-parse-empty-configuration-as-empty-string-yaml vvzvlad:fix-ce#394-trigger-port-validation-while-changing-protocol vvzvlad:fix-ce394-trigger-port-validation-while-changing-protocol vvzvlad:fix/missing-kubectl-download vvzvlad:sec/utils-extend vvzvlad:fix/compose-Bump-docker-compose-to-1.28.2 vvzvlad:feat/cd-187-docker-compose-wrapper vvzvlad:feat-4728-better-form-validation-for-configuration-keys vvzvlad:feat/cd-187-add-auth-proxy-to-docker-compose vvzvlad:chore-4473-bump-kompose-version vvzvlad:fix-4503-cannot-access-configuration-details-view-containing-binary-data vvzvlad:release/2.0.1 vvzvlad:feat/GH/4419-create-volume vvzvlad:fix/201-api-version vvzvlad:revert-4475-chore-ce-86-bump-kompose-version vvzvlad:CE-185-build-static-docker-compose-linux-binary vvzvlad:revert-4418-feat/gh/3889-stacks-create-update-dates vvzvlad:fix-4595-transform-username-to-be-dns-compliant vvzvlad:feat/GH/4011-pods-as-applications vvzvlad:fix-4553-revalidate-configuration-name-when-change-resource-pool vvzvlad:fix-4547-override-confgiuration-keys-disappear vvzvlad:feat4545-matomo vvzvlad:fix4463-resourcecontrol-deletion vvzvlad:feat95-applications-configurations-modals vvzvlad:fix/GH/4502-update-sensitive-configuration vvzvlad:feat/GH/4404-start-without-endpoint vvzvlad:fix/GH/4488-refreshing-yaml-panel-change-panel vvzvlad:fix/GH/4492-cluster-setup-incorrectly-expand-endpoint-sidebar vvzvlad:fix/GH/4490-invalid-display-load-balancer-panel vvzvlad:chore56-add-JS-source-map vvzvlad:Disable-Container-Capabilities-for-non-admins vvzvlad:fix/gh/4390-sort-labels vvzvlad:fix-k8s-daemonset-noschedule vvzvlad:fix-k8s-volume-filter vvzvlad:fix-k8s-system-volumes-filter vvzvlad:feat4204-banner vvzvlad:revert-4197-fix-login-after-restart vvzvlad:telemetry-matomo vvzvlad:mockup4003-placement vvzvlad:demo vvzvlad:feat-db-migration-1.24.1 vvzvlad:revert-3966-feat454-endpoint-url vvzvlad:fix3604-remove-runtime-persistence vvzvlad:fix3936-add-database-migration vvzvlad:feat-rbac-tests vvzvlad:poc-orphaned-stack vvzvlad:2.0 vvzvlad:feat3742-telemetry vvzvlad:feat3744-aci vvzvlad:feat3580-username-lowercase vvzvlad:fix3272-bad-volume-ownership vvzvlad:fix-windows-multiarch-build vvzvlad:feat-1807-service-network-management vvzvlad:fix3429-networks-object-undefined vvzvlad:hotfix-1.22.2 vvzvlad:feat2901-introduce-backup vvzvlad:feat2928-dockerhub-registry vvzvlad:feat1752-introduce-deploymentkeys vvzvlad:feat-upload-files-container vvzvlad:storidge-standalone vvzvlad:dbg11042019 vvzvlad:refactor-es9-migration vvzvlad:fix2626-endpoint-management-cmd-line vvzvlad:feat2456-ux-high-latency vvzvlad:feat1752-stack-deploy-keys vvzvlad:adsense vvzvlad:feat807-i18n vvzvlad:gh-pages-bkp
vvzvlad:2.39.3 vvzvlad:2.42.0 vvzvlad:2.41.1 vvzvlad:2.39.2 vvzvlad:2.33.8 vvzvlad:2.41.0 vvzvlad:2.40.0 vvzvlad:2.39.1 vvzvlad:2.39.0 vvzvlad:2.38.1 vvzvlad:2.33.7 vvzvlad:2.38.0 vvzvlad:2.33.6 vvzvlad:2.37.0 vvzvlad:2.33.5 vvzvlad:2.36.0 vvzvlad:2.33.4 vvzvlad:2.33.3 vvzvlad:2.35.0 vvzvlad:2.33.2 vvzvlad:2.34.0 vvzvlad:2.33.1 vvzvlad:2.33.0 vvzvlad:2.33.0-rc2 vvzvlad:2.33.0-rc1 vvzvlad:2.32.0 vvzvlad:2.32.0-rc1 vvzvlad:2.31.3 vvzvlad:2.27.9 vvzvlad:2.31.2 vvzvlad:2.27.8 vvzvlad:2.31.1 vvzvlad:2.27.7 vvzvlad:2.31.0 vvzvlad:2.30.1 vvzvlad:2.30.0 vvzvlad:2.27.6 vvzvlad:2.27.5 vvzvlad:2.29.2 vvzvlad:2.29.1 vvzvlad:2.29.0 vvzvlad:2.27.4 vvzvlad:2.27.3 vvzvlad:2.28.1 vvzvlad:2.27.2 vvzvlad:2.28.0 vvzvlad:2.27.1 vvzvlad:2.27.0 vvzvlad:2.27.0-rc3 vvzvlad:2.27.0-rc2 vvzvlad:2.27.0-rc1 vvzvlad:2.26.1 vvzvlad:2.26.0 vvzvlad:2.25.1 vvzvlad:2.21.5 vvzvlad:2.25.0 vvzvlad:2.24.1 vvzvlad:2.24.0 vvzvlad:2.21.4 vvzvlad:2.23.0 vvzvlad:2.21.3 vvzvlad:2.22.0 vvzvlad:2.22.0-rc1 vvzvlad:2.21.2 vvzvlad:2.21.1 vvzvlad:2.21.0 vvzvlad:2.21.0-rc2 vvzvlad:2.21.0-rc1 vvzvlad:2.20.3 vvzvlad:2.20.2 vvzvlad:2.19.5 vvzvlad:2.20.1 vvzvlad:2.20.0 vvzvlad:2.19.4 vvzvlad:2.19.3 vvzvlad:2.19.2 vvzvlad:2.19.1 vvzvlad:2.19.0 vvzvlad:2.18.4 vvzvlad:2.18.3 vvzvlad:2.18.2 vvzvlad:2.18.1 vvzvlad:2.17.1 vvzvlad:2.17.0 vvzvlad:2.16.2 vvzvlad:2.16.1 vvzvlad:2.16.0 vvzvlad:2.15.1 vvzvlad:2.15.0 vvzvlad:2.14.2 vvzvlad:2.14.1 vvzvlad:2.14.0 vvzvlad:2.13.1 vvzvlad:2.13.0 vvzvlad:1.25.0 vvzvlad:2.11.1 vvzvlad:2.11.0 vvzvlad:2.9.3 vvzvlad:2.9.2 vvzvlad:2.9.1 vvzvlad:2.9.0 vvzvlad:2.6.3 vvzvlad:2.6.2 vvzvlad:2.6.1 vvzvlad:2.6.0 vvzvlad:2.5.1 vvzvlad:2.5.0 vvzvlad:1.24.2 vvzvlad:2.1.1 vvzvlad:2.1.0 vvzvlad:2.0.1 vvzvlad:2.0.0 vvzvlad:1.24.1 vvzvlad:1.24.0 vvzvlad:1.23.2 vvzvlad:1.23.1 vvzvlad:1.23.0 vvzvlad:1.22.2 vvzvlad:1.22.1 vvzvlad:1.22.0 vvzvlad:edge_m2 vvzvlad:1.21.0 vvzvlad:1.20.2 vvzvlad:1.20.1 vvzvlad:1.20.0 vvzvlad:1.19.2 vvzvlad:1.19.1 vvzvlad:1.19.0 vvzvlad:1.18.1 vvzvlad:1.18.0 vvzvlad:1.17.1 vvzvlad:1.17.0 vvzvlad:1.16.5 vvzvlad:1.16.4 vvzvlad:1.16.3 vvzvlad:1.16.2 vvzvlad:1.16.1 vvzvlad:1.16.0 vvzvlad:1.15.5 vvzvlad:1.15.4 vvzvlad:1.15.3 vvzvlad:1.15.2 vvzvlad:1.15.1 vvzvlad:1.15.0 vvzvlad:1.14.3 vvzvlad:1.14.2 vvzvlad:1.14.1 vvzvlad:1.14.0 vvzvlad:1.13.6 vvzvlad:1.13.5 vvzvlad:1.13.4 vvzvlad:1.13.3 vvzvlad:1.13.2 vvzvlad:1.13.1 vvzvlad:1.13.0 vvzvlad:1.12.4 vvzvlad:1.12.3 vvzvlad:1.12.2 vvzvlad:1.12.1 vvzvlad:1.12.0 vvzvlad:1.11.4 vvzvlad:1.11.3 vvzvlad:1.11.2 vvzvlad:1.11.1 vvzvlad:1.11.0 vvzvlad:1.10.2 vvzvlad:1.10.1 vvzvlad:1.10.0 vvzvlad:1.9.3 vvzvlad:1.9.2 vvzvlad:1.9.1 vvzvlad:1.9.0 vvzvlad:internal-1.8.1 vvzvlad:1.8.1 vvzvlad:internal-1.8.0 vvzvlad:1.8.0 vvzvlad:internal-1.7.0 vvzvlad:1.7.0 vvzvlad:internal-1.6.0 vvzvlad:1.6.0 vvzvlad:internal-1.5.0 vvzvlad:1.5.0 vvzvlad:internal-1.4.0 vvzvlad:1.4.0 vvzvlad:internal-1.3.0 vvzvlad:1.3.0 vvzvlad:internal-1.2.0 vvzvlad:1.2.0 vvzvlad:1.1.0 vvzvlad:1.0.4 vvzvlad:1.0.3 vvzvlad:1.0.2 vvzvlad:1.0.1 vvzvlad:1.0.0 vvzvlad:v0.10.1 vvzvlad:v0.10.0 vvzvlad:v0.9.0 vvzvlad:v0.8.1 vvzvlad:v0.8.0 vvzvlad:v0.7.0 vvzvlad:v0.6.0 vvzvlad:v0.5

1 Commits
2.6.2 ... feat/EE-78

Author SHA1 Message Date
Hui
b21e88bb3c compose and swarm stack updates 2021-06-08 17:24:30 +12:00
210 changed files with 1713 additions and 4745 deletions
Expand all files Collapse all files

1
.github/ISSUE_TEMPLATE/Bug_report.md vendored
View File

@@ -4,6 +4,7 @@ about: Create a bug report
title: ''
labels: bug/need-confirmation, kind/bug
assignees: ''
---
<!--

2
.github/ISSUE_TEMPLATE/Custom.md vendored
View File

@@ -4,8 +4,8 @@ about: Ask us a question about Portainer usage or deployment
title: ''
labels: ''
assignees: ''
---
---
Before you start, we need a little bit more information from you:
Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commerical setup.

73
api/bolt/bolttest/datastore.go
View File

@@ -1,73 +0,0 @@
package bolttest
import (
"io/ioutil"
"log"
"os"
"github.com/pkg/errors"
"github.com/portainer/portainer/api/bolt"
"github.com/portainer/portainer/api/filesystem"
)
var errTempDir = errors.New("can't create a temp dir")
func MustNewTestStore(init bool) (*bolt.Store, func()) {
store, teardown, err := NewTestStore(init)
if err != nil {
if !errors.Is(err, errTempDir) {
teardown()
}
log.Fatal(err)
}
return store, teardown
}
func NewTestStore(init bool) (*bolt.Store, func(), error) {
// Creates unique temp directory in a concurrency friendly manner.
dataStorePath, err := ioutil.TempDir("", "boltdb")
if err != nil {
return nil, nil, errors.Wrap(errTempDir, err.Error())
}
fileService, err := filesystem.NewService(dataStorePath, "")
if err != nil {
return nil, nil, err
}
store, err := bolt.NewStore(dataStorePath, fileService)
if err != nil {
return nil, nil, err
}
err = store.Open()
if err != nil {
return nil, nil, err
}
if init {
err = store.Init()
if err != nil {
return nil, nil, err
}
}
teardown := func() {
teardown(store, dataStorePath)
}
return store, teardown, nil
}
func teardown(store *bolt.Store, dataStorePath string) {
err := store.Close()
if err != nil {
log.Fatalln(err)
}
err = os.RemoveAll(dataStorePath)
if err != nil {
log.Fatalln(err)
}
}

18
api/bolt/migrator/migrate_dbversion30.go
View File

@@ -1,18 +0,0 @@
package migrator
func (m *Migrator) migrateDBVersionTo30() error {
if err := m.migrateSettings(); err != nil {
return err
}
return nil
}
func (m *Migrator) migrateSettings() error {
legacySettings, err := m.settingsService.Settings()
if err != nil {
return err
}
legacySettings.OAuthSettings.SSO = false
legacySettings.OAuthSettings.LogoutURI = ""
return m.settingsService.UpdateSettings(legacySettings)
}

95
api/bolt/migrator/migrate_dbversion30_test.go
View File

@@ -1,95 +0,0 @@
package migrator
import (
"os"
"path"
"testing"
"time"
"github.com/boltdb/bolt"
"github.com/portainer/portainer/api/bolt/internal"
"github.com/portainer/portainer/api/bolt/settings"
)
var (
testingDBStorePath string
testingDBFileName string
dummyLogoURL string
dbConn *bolt.DB
settingsService *settings.Service
)
// initTestingDBConn creates a raw bolt DB connection
// for unit testing usage only since using NewStore will cause cycle import inside migrator pkg
func initTestingDBConn(storePath, fileName string) (*bolt.DB, error) {
databasePath := path.Join(storePath, fileName)
dbConn, err := bolt.Open(databasePath, 0600, &bolt.Options{Timeout: 1 * time.Second})
if err != nil {
return nil, err
}
return dbConn, nil
}
// initTestingDBConn creates a settings service with raw bolt DB connection
// for unit testing usage only since using NewStore will cause cycle import inside migrator pkg
func initTestingSettingsService(dbConn *bolt.DB, preSetObj map[string]interface{}) (*settings.Service, error) {
internalDBConn := &internal.DbConnection{
DB: dbConn,
}
settingsService, err := settings.NewService(internalDBConn)
if err != nil {
return nil, err
}
//insert a obj
if err := internal.UpdateObject(internalDBConn, "settings", []byte("SETTINGS"), preSetObj); err != nil {
return nil, err
}
return settingsService, nil
}
func setup() error {
testingDBStorePath, _ = os.Getwd()
testingDBFileName = "portainer-ee-mig-30.db"
dummyLogoURL = "example.com"
var err error
dbConn, err = initTestingDBConn(testingDBStorePath, testingDBFileName)
if err != nil {
return err
}
dummySettingsObj := map[string]interface{}{
"LogoURL": dummyLogoURL,
}
settingsService, err = initTestingSettingsService(dbConn, dummySettingsObj)
if err != nil {
return err
}
return nil
}
func TestMigrateSettings(t *testing.T) {
if err := setup(); err != nil {
t.Errorf("failed to complete testing setups, err: %v", err)
}
defer dbConn.Close()
defer os.Remove(testingDBFileName)
m := &Migrator{
db: dbConn,
settingsService: settingsService,
}
if err := m.migrateSettings(); err != nil {
t.Errorf("failed to update settings: %v", err)
}
updatedSettings, err := m.settingsService.Settings()
if err != nil {
t.Errorf("failed to retrieve the updated settings: %v", err)
}
if updatedSettings.LogoURL != dummyLogoURL {
t.Errorf("unexpected value changes in the updated settings, want LogoURL value: %s, got LogoURL value: %s", dummyLogoURL, updatedSettings.LogoURL)
}
if updatedSettings.OAuthSettings.SSO != false {
t.Errorf("unexpected default OAuth SSO setting, want: false, got: %t", updatedSettings.OAuthSettings.SSO)
}
if updatedSettings.OAuthSettings.LogoutURI != "" {
t.Errorf("unexpected default OAuth HideInternalAuth setting, want:, got: %s", updatedSettings.OAuthSettings.LogoutURI)
}
}

8
api/bolt/migrator/migrator.go
View File

@@ -358,13 +358,5 @@ func (m *Migrator) Migrate() error {
}
}
// Portainer 2.6.0
if m.currentDBVersion < 30 {
err := m.migrateDBVersionTo30()
if err != nil {
return err
}
}
return m.versionService.StoreDBVersion(portainer.DBVersion)
}

5
api/bolt/stack/stack.go
View File

@@ -133,3 +133,8 @@ func (service *Service) DeleteStack(ID portainer.StackID) error {
identifier := internal.Itob(int(ID))
return internal.DeleteObject(service.connection, BucketName, identifier)
}
// StackByWebhookID returns a stack via searching with webhook ID
func (service *Service) StackByWebhookID(id string) (*portainer.Stack, error) {
return nil, errors.ErrObjectNotFound
}

23
api/cmd/portainer/main.go
View File

@@ -20,7 +20,6 @@ import (
"github.com/portainer/portainer/api/http/client"
"github.com/portainer/portainer/api/http/proxy"
kubeproxy "github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
"github.com/portainer/portainer/api/internal/authorization"
"github.com/portainer/portainer/api/internal/edge"
"github.com/portainer/portainer/api/internal/snapshot"
"github.com/portainer/portainer/api/jwt"
@@ -77,20 +76,21 @@ func initDataStore(dataStorePath string, fileService portainer.FileService) port
}
func initComposeStackManager(assetsPath string, dataStorePath string, reverseTunnelService portainer.ReverseTunnelService, proxyManager *proxy.Manager) portainer.ComposeStackManager {
composeWrapper := exec.NewComposeWrapper(assetsPath, dataStorePath, proxyManager)
if composeWrapper != nil {
return composeWrapper
composeWrapper, err := exec.NewComposeStackManager(assetsPath, dataStorePath, proxyManager)
if err != nil {
log.Printf("[INFO] [main,compose] [message: falling-back to libcompose] [error: %s]", err)
return libcompose.NewComposeStackManager(dataStorePath, reverseTunnelService)
}
return libcompose.NewComposeStackManager(dataStorePath, reverseTunnelService)
return composeWrapper
}
func initSwarmStackManager(assetsPath string, dataStorePath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) (portainer.SwarmStackManager, error) {
return exec.NewSwarmStackManager(assetsPath, dataStorePath, signatureService, fileService, reverseTunnelService)
}
func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore portainer.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, assetsPath string) portainer.KubernetesDeployer {
return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, assetsPath)
func initKubernetesDeployer(assetsPath string) portainer.KubernetesDeployer {
return exec.NewKubernetesDeployer(assetsPath)
}
func initJWTService(dataStore portainer.DataStore) (portainer.JWTService, error) {
@@ -166,7 +166,6 @@ func updateSettingsFromFlags(dataStore portainer.DataStore, flags *portainer.CLI
settings.SnapshotInterval = *flags.SnapshotInterval
settings.EnableEdgeComputeFeatures = *flags.EnableEdgeComputeFeatures
settings.EnableTelemetry = true
settings.OAuthSettings.SSO = true
if *flags.Templates != "" {
settings.TemplatesURL = *flags.Templates
@@ -242,7 +241,6 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
AllowVolumeBrowserForRegularUsers: false,
EnableHostManagementFeatures: false,
AllowSysctlSettingForRegularUsers: true,
AllowBindMountsForRegularUsers: true,
AllowPrivilegedModeForRegularUsers: true,
AllowHostNamespaceForRegularUsers: true,
@@ -304,7 +302,6 @@ func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore,
AllowVolumeBrowserForRegularUsers: false,
EnableHostManagementFeatures: false,
AllowSysctlSettingForRegularUsers: true,
AllowBindMountsForRegularUsers: true,
AllowPrivilegedModeForRegularUsers: true,
AllowHostNamespaceForRegularUsers: true,
@@ -390,9 +387,6 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
}
snapshotService.Start()
authorizationService := authorization.NewService(dataStore)
authorizationService.K8sClientFactory = kubernetesClientFactory
swarmStackManager, err := initSwarmStackManager(*flags.Assets, *flags.Data, digitalSignatureService, fileService, reverseTunnelService)
if err != nil {
log.Fatalf("failed initializing swarm stack manager: %v", err)
@@ -402,7 +396,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
composeStackManager := initComposeStackManager(*flags.Assets, *flags.Data, reverseTunnelService, proxyManager)
kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, digitalSignatureService, *flags.Assets)
kubernetesDeployer := initKubernetesDeployer(*flags.Assets)
if dataStore.IsNew() {
err = updateSettingsFromFlags(dataStore, flags)
@@ -465,7 +459,6 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
}
return &http.Server{
AuthorizationService: authorizationService,
ReverseTunnelService: reverseTunnelService,
Status: applicationStatus,
BindAddress: *flags.Addr,

116
api/exec/compose_stack.go Normal file
View File

@@ -0,0 +1,116 @@
package exec
import (
"fmt"
"os"
"path"
"strings"
wrapper "github.com/portainer/docker-compose-wrapper"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/http/proxy"
"github.com/portainer/portainer/api/http/proxy/factory"
)
// ComposeStackManager is a wrapper for docker-compose binary
type ComposeStackManager struct {
wrapper *wrapper.ComposeWrapper
dataPath string
proxyManager *proxy.Manager
}
// NewComposeStackManager returns a docker-compose wrapper if corresponding binary present, otherwise nil
func NewComposeStackManager(binaryPath string, dataPath string, proxyManager *proxy.Manager) (*ComposeStackManager, error) {
wrap, err := wrapper.NewComposeWrapper(binaryPath)
if err != nil {
return nil, err
}
return &ComposeStackManager{
wrapper: wrap,
proxyManager: proxyManager,
dataPath: dataPath,
}, nil
}
// ComposeSyntaxMaxVersion returns the maximum supported version of the docker compose syntax
func (w *ComposeStackManager) ComposeSyntaxMaxVersion() string {
return portainer.ComposeSyntaxMaxVersion
}
// Up builds, (re)creates and starts containers in the background. Wraps `docker-compose up -d` command
func (w *ComposeStackManager) Up(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
url, proxy, err := w.fetchEndpointProxy(endpoint)
if err != nil {
return err
}
if proxy != nil {
defer proxy.Close()
}
envFilePath, err := createEnvFile(stack)
if err != nil {
return err
}
filePaths := getStackFilePaths(stack)
_, err = w.wrapper.Up(filePaths, url, stack.Name, envFilePath, w.dataPath)
return err
}
// Down stops and removes containers, networks, images, and volumes. Wraps `docker-compose down --remove-orphans` command
func (w *ComposeStackManager) Down(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
url, proxy, err := w.fetchEndpointProxy(endpoint)
if err != nil {
return err
}
if proxy != nil {
defer proxy.Close()
}
filePaths := getStackFilePaths(stack)
_, err = w.wrapper.Down(filePaths, url, stack.Name)
return err
}
// NormalizeStackName returns the passed stack name, for interface implementation only
func (w *ComposeStackManager) NormalizeStackName(name string) string {
return name
}
func (w *ComposeStackManager) fetchEndpointProxy(endpoint *portainer.Endpoint) (string, *factory.ProxyServer, error) {
if strings.HasPrefix(endpoint.URL, "unix://") || strings.HasPrefix(endpoint.URL, "npipe://") {
return "", nil, nil
}
proxy, err := w.proxyManager.CreateComposeProxyServer(endpoint)
if err != nil {
return "", nil, err
}
return fmt.Sprintf("http://127.0.0.1:%d", proxy.Port), proxy, nil
}
func createEnvFile(stack *portainer.Stack) (string, error) {
if stack.Env == nil || len(stack.Env) == 0 {
return "", nil
}
envFilePath := path.Join(stack.ProjectPath, "stack.env")
envfile, err := os.OpenFile(envFilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return "", err
}
for _, v := range stack.Env {
envfile.WriteString(fmt.Sprintf("%s=%s\n", v.Name, v.Value))
}
envfile.Close()
return envFilePath, nil
}

71
api/exec/compose_stack_test.go Normal file
View File

@@ -0,0 +1,71 @@
package exec
import (
"io/ioutil"
"os"
"path"
"testing"
portainer "github.com/portainer/portainer/api"
"github.com/stretchr/testify/assert"
)
func Test_createEnvFile(t *testing.T) {
dir := t.TempDir()
tests := []struct {
name string
stack *portainer.Stack
expected string
expectedFile bool
}{
// {
// name: "should not add env file option if stack is missing",
// stack: nil,
// expected: "",
// },
{
name: "should not add env file option if stack doesn't have env variables",
stack: &portainer.Stack{
ProjectPath: dir,
},
expected: "",
},
{
name: "should not add env file option if stack's env variables are empty",
stack: &portainer.Stack{
ProjectPath: dir,
Env: []portainer.Pair{},
},
expected: "",
},
{
name: "should add env file option if stack has env variables",
stack: &portainer.Stack{
ProjectPath: dir,
Env: []portainer.Pair{
{Name: "var1", Value: "value1"},
{Name: "var2", Value: "value2"},
},
},
expected: "var1=value1\nvar2=value2\n",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result, _ := createEnvFile(tt.stack)
if tt.expected != "" {
assert.Equal(t, path.Join(tt.stack.ProjectPath, "stack.env"), result)
f, _ := os.Open(path.Join(dir, "stack.env"))
content, _ := ioutil.ReadAll(f)
assert.Equal(t, tt.expected, string(content))
} else {
assert.Equal(t, "", result)
}
})
}
}

15
api/exec/helper.go Normal file
View File

@@ -0,0 +1,15 @@
package exec
import (
"path"
portainer "github.com/portainer/portainer/api"
)
func getStackFilePaths(stack *portainer.Stack) []string {
var filePaths []string
for _, file := range append([]string{stack.EntryPoint}, stack.AdditionalFiles...) {
filePaths = append(filePaths, path.Join(stack.ProjectPath, file))
}
return filePaths
}

26
api/exec/helper_test.go Normal file
View File

@@ -0,0 +1,26 @@
package exec
import (
"testing"
portainer "github.com/portainer/portainer/api"
"github.com/stretchr/testify/assert"
)
func Test_getStackFilePaths(t *testing.T) {
stack := &portainer.Stack{
ProjectPath: "/tmp/stack/1",
EntryPoint: "file-one.yml",
}
t.Run("stack doesn't have additional files", func(t *testing.T) {
expected := []string{"/tmp/stack/1/file-one.yml"}
assert.ElementsMatch(t, expected, getStackFilePaths(stack))
})
t.Run("stack has additional files", func(t *testing.T) {
stack.AdditionalFiles = []string{"file-two.yml", "file-three.yml"}
expected := []string{"/tmp/stack/1/file-one.yml", "/tmp/stack/1/file-two.yml", "/tmp/stack/1/file-three.yml"}
assert.ElementsMatch(t, expected, getStackFilePaths(stack))
})
}

227
api/exec/kubernetes_deploy.go
View File

@@ -2,234 +2,71 @@ package exec
import (
"bytes"
"encoding/json"
"errors"
"fmt"
"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/kubernetes/cli"
"io/ioutil"
"net/http"
"net/url"
"os/exec"
"path"
"runtime"
"strings"
"time"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/crypto"
)
// KubernetesDeployer represents a service to deploy resources inside a Kubernetes environment.
type KubernetesDeployer struct {
binaryPath string
dataStore portainer.DataStore
reverseTunnelService portainer.ReverseTunnelService
signatureService portainer.DigitalSignatureService
kubernetesClientFactory *cli.ClientFactory
kubernetesTokenCacheManager *kubernetes.TokenCacheManager
binaryPath string
}
// NewKubernetesDeployer initializes a new KubernetesDeployer service.
func NewKubernetesDeployer(kubernetesTokenCacheManager *kubernetes.TokenCacheManager, kubernetesClientFactory *cli.ClientFactory, datastore portainer.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, binaryPath string) *KubernetesDeployer {
func NewKubernetesDeployer(binaryPath string) *KubernetesDeployer {
return &KubernetesDeployer{
binaryPath: binaryPath,
dataStore: datastore,
reverseTunnelService: reverseTunnelService,
signatureService: signatureService,
kubernetesClientFactory: kubernetesClientFactory,
kubernetesTokenCacheManager: kubernetesTokenCacheManager,
binaryPath: binaryPath,
}
}
func (deployer *KubernetesDeployer) getToken(request *http.Request, endpoint *portainer.Endpoint, setLocalAdminToken bool) (string, error) {
tokenData, err := security.RetrieveTokenData(request)
if err != nil {
return "", err
}
kubecli, err := deployer.kubernetesClientFactory.GetKubeClient(endpoint)
if err != nil {
return "", err
}
tokenCache := deployer.kubernetesTokenCacheManager.GetOrCreateTokenCache(int(endpoint.ID))
tokenManager, err := kubernetes.NewTokenManager(kubecli, deployer.dataStore, tokenCache, setLocalAdminToken)
if err != nil {
return "", err
}
if tokenData.Role == portainer.AdministratorRole {
return tokenManager.GetAdminServiceAccountToken(), nil
}
token, err := tokenManager.GetUserServiceAccountToken(int(tokenData.ID))
if err != nil {
return "", err
}
if token == "" {
return "", fmt.Errorf("can not get a valid user service account token")
}
return token, nil
}
// Deploy will deploy a Kubernetes manifest inside a specific namespace in a Kubernetes endpoint.
// If composeFormat is set to true, it will leverage the kompose binary to deploy a compose compliant manifest.
// Otherwise it will use kubectl to deploy the manifest.
func (deployer *KubernetesDeployer) Deploy(request *http.Request, endpoint *portainer.Endpoint, stackConfig string, namespace string) (string, error) {
if endpoint.Type == portainer.KubernetesLocalEnvironment {
token, err := deployer.getToken(request, endpoint, true);
func (deployer *KubernetesDeployer) Deploy(endpoint *portainer.Endpoint, data string, composeFormat bool, namespace string) ([]byte, error) {
if composeFormat {
convertedData, err := deployer.convertComposeData(data)
if err != nil {
return "", err
return nil, err
}
command := path.Join(deployer.binaryPath, "kubectl")
if runtime.GOOS == "windows" {
command = path.Join(deployer.binaryPath, "kubectl.exe")
}
args := make([]string, 0)
args = append(args, "--server", endpoint.URL)
args = append(args, "--insecure-skip-tls-verify")
args = append(args, "--token", token)
args = append(args, "--namespace", namespace)
args = append(args, "apply", "-f", "-")
var stderr bytes.Buffer
cmd := exec.Command(command, args...)
cmd.Stderr = &stderr
cmd.Stdin = strings.NewReader(stackConfig)
output, err := cmd.Output()
if err != nil {
return "", errors.New(stderr.String())
}
return string(output), nil
data = string(convertedData)
}
// agent
endpointURL := endpoint.URL
if endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
tunnel := deployer.reverseTunnelService.GetTunnelDetails(endpoint.ID)
if tunnel.Status == portainer.EdgeAgentIdle {
err := deployer.reverseTunnelService.SetTunnelStatusToRequired(endpoint.ID)
if err != nil {
return "", err
}
settings, err := deployer.dataStore.Settings().Settings()
if err != nil {
return "", err
}
waitForAgentToConnect := time.Duration(settings.EdgeAgentCheckinInterval) * time.Second
time.Sleep(waitForAgentToConnect * 2)
}
endpointURL = fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
}
transport := &http.Transport{}
if endpoint.TLSConfig.TLS {
tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
if err != nil {
return "", err
}
transport.TLSClientConfig = tlsConfig
}
httpCli := &http.Client{
Transport: transport,
}
if !strings.HasPrefix(endpointURL, "http") {
endpointURL = fmt.Sprintf("https://%s", endpointURL)
}
url, err := url.Parse(fmt.Sprintf("%s/v2/kubernetes/stack", endpointURL))
token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
if err != nil {
return "", err
return nil, err
}
reqPayload, err := json.Marshal(
struct {
StackConfig string
Namespace string
}{
StackConfig: stackConfig,
Namespace: namespace,
})
command := path.Join(deployer.binaryPath, "kubectl")
if runtime.GOOS == "windows" {
command = path.Join(deployer.binaryPath, "kubectl.exe")
}
args := make([]string, 0)
args = append(args, "--server", endpoint.URL)
args = append(args, "--insecure-skip-tls-verify")
args = append(args, "--token", string(token))
args = append(args, "--namespace", namespace)
args = append(args, "apply", "-f", "-")
var stderr bytes.Buffer
cmd := exec.Command(command, args...)
cmd.Stderr = &stderr
cmd.Stdin = strings.NewReader(data)
output, err := cmd.Output()
if err != nil {
return "", err
return nil, errors.New(stderr.String())
}
req, err := http.NewRequest(http.MethodPost, url.String(), bytes.NewReader(reqPayload))
if err != nil {
return "", err
}
signature, err := deployer.signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
if err != nil {
return "", err
}
token, err := deployer.getToken(request, endpoint, false);
if err != nil {
return "", err
}
req.Header.Set(portainer.PortainerAgentPublicKeyHeader, deployer.signatureService.EncodedPublicKey())
req.Header.Set(portainer.PortainerAgentSignatureHeader, signature)
req.Header.Set(portainer.PortainerAgentKubernetesSATokenHeader, token)
resp, err := httpCli.Do(req)
if err != nil {
return "", err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
var errorResponseData struct {
Message string
Details string
}
err = json.NewDecoder(resp.Body).Decode(&errorResponseData)
if err != nil {
output, parseStringErr := ioutil.ReadAll(resp.Body)
if parseStringErr != nil {
return "", parseStringErr
}
return "", fmt.Errorf("Failed parsing, body: %s, error: %w", output, err)
}
return "", fmt.Errorf("Deployment to agent failed: %s", errorResponseData.Details)
}
var responseData struct{ Output string }
err = json.NewDecoder(resp.Body).Decode(&responseData)
if err != nil {
parsedOutput, parseStringErr := ioutil.ReadAll(resp.Body)
if parseStringErr != nil {
return "", parseStringErr
}
return "", fmt.Errorf("Failed decoding, body: %s, err: %w", parsedOutput, err)
}
return responseData.Output, nil
return output, nil
}
// ConvertCompose leverages the kompose binary to deploy a compose compliant manifest.
func (deployer *KubernetesDeployer) ConvertCompose(data string) ([]byte, error) {
func (deployer *KubernetesDeployer) convertComposeData(data string) ([]byte, error) {
command := path.Join(deployer.binaryPath, "kompose")
if runtime.GOOS == "windows" {
command = path.Join(deployer.binaryPath, "kompose.exe")

22
api/exec/swarm_stack.go
View File

@@ -10,7 +10,7 @@ import (
"path"
"runtime"
"github.com/portainer/portainer/api"
portainer "github.com/portainer/portainer/api"
)
// SwarmStackManager represents a service for managing stacks.
@@ -66,22 +66,23 @@ func (manager *SwarmStackManager) Logout(endpoint *portainer.Endpoint) error {
// Deploy executes the docker stack deploy command.
func (manager *SwarmStackManager) Deploy(stack *portainer.Stack, prune bool, endpoint *portainer.Endpoint) error {
stackFilePath := path.Join(stack.ProjectPath, stack.EntryPoint)
filePaths := getStackFilePaths(stack)
command, args := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.dataPath, endpoint)
if prune {
args = append(args, "stack", "deploy", "--prune", "--with-registry-auth", "--compose-file", stackFilePath, stack.Name)
args = append(args, "stack", "deploy", "--prune", "--with-registry-auth")
} else {
args = append(args, "stack", "deploy", "--with-registry-auth", "--compose-file", stackFilePath, stack.Name)
args = append(args, "stack", "deploy", "--with-registry-auth")
}
args = configureFilePaths(args, filePaths)
args = append(args, stack.Name)
env := make([]string, 0)
for _, envvar := range stack.Env {
env = append(env, envvar.Name+"="+envvar.Value)
}
stackFolder := path.Dir(stackFilePath)
return runCommandAndCaptureStdErr(command, args, env, stackFolder)
return runCommandAndCaptureStdErr(command, args, env, stack.ProjectPath)
}
// Remove executes the docker stack rm command.
@@ -189,3 +190,10 @@ func (manager *SwarmStackManager) retrieveConfigurationFromDisk(path string) (ma
return config, nil
}
func configureFilePaths(args []string, filePaths []string) []string {
for _, path := range filePaths {
args = append(args, "--compose-file", path)
}
return args
}

15
api/exec/swarm_stack_test.go Normal file
View File

@@ -0,0 +1,15 @@
package exec
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestConfigFilePaths(t *testing.T) {
args := []string{"stack", "deploy", "--with-registry-auth"}
filePaths := []string{"dir/file", "dir/file-two", "dir/file-three"}
expected := []string{"stack", "deploy", "--with-registry-auth", "--compose-file", "dir/file", "--compose-file", "dir/file-two", "--compose-file", "dir/file-three"}
output := configureFilePaths(args, filePaths)
assert.ElementsMatch(t, expected, output, "wrong output file paths")
}

38
api/filesystem/filesystem.go
View File

@@ -31,8 +31,6 @@ const (
ComposeStorePath = "compose"
// ComposeFileDefaultName represents the default name of a compose file.
ComposeFileDefaultName = "docker-compose.yml"
// ManifestFileDefaultName represents the default name of a k8s manifest file.
ManifestFileDefaultName = "k8s-deployment.yml"
// EdgeStackStorePath represents the subfolder where edge stack files are stored in the file store folder.
EdgeStackStorePath = "edge_stacks"
// PrivateKeyFile represents the name on disk of the file containing the private key.
@@ -281,7 +279,13 @@ func (service *Service) WriteJSONToFile(path string, content interface{}) error
// FileExists checks for the existence of the specified file.
func (service *Service) FileExists(filePath string) (bool, error) {
return FileExists(filePath)
if _, err := os.Stat(filePath); err != nil {
if os.IsNotExist(err) {
return false, nil
}
return false, err
}
return true, nil
}
// KeyPairFilesExist checks for the existence of the key files.
@@ -506,31 +510,3 @@ func (service *Service) GetTemporaryPath() (string, error) {
func (service *Service) GetDatastorePath() string {
return service.dataStorePath
}
// FileExists checks for the existence of the specified file.
func FileExists(filePath string) (bool, error) {
if _, err := os.Stat(filePath); err != nil {
if os.IsNotExist(err) {
return false, nil
}
return false, err
}
return true, nil
}
func MoveDirectory(originalPath, newPath string) error {
if _, err := os.Stat(originalPath); err != nil {
return err
}
alreadyExists, err := FileExists(newPath)
if err != nil {
return err
}
if alreadyExists {
return errors.New("Target path already exists")
}
return os.Rename(originalPath, newPath)
}

55
api/filesystem/filesystem_fileexists_test.go
View File

@@ -1,55 +0,0 @@
package filesystem
import (
"fmt"
"math/rand"
"os"
"path"
"testing"
"github.com/stretchr/testify/assert"
)
func Test_fileSystemService_FileExists_whenFileExistsShouldReturnTrue(t *testing.T) {
service := createService(t)
testHelperFileExists_fileExists(t, service.FileExists)
}
func Test_fileSystemService_FileExists_whenFileNotExistsShouldReturnFalse(t *testing.T) {
service := createService(t)
testHelperFileExists_fileNotExists(t, service.FileExists)
}
func Test_FileExists_whenFileExistsShouldReturnTrue(t *testing.T) {
testHelperFileExists_fileExists(t, FileExists)
}
func Test_FileExists_whenFileNotExistsShouldReturnFalse(t *testing.T) {
testHelperFileExists_fileNotExists(t, FileExists)
}
func testHelperFileExists_fileExists(t *testing.T, checker func(path string) (bool, error)) {
file, err := os.CreateTemp("", t.Name())
assert.NoError(t, err, "CreateTemp should not fail")
t.Cleanup(func() {
os.RemoveAll(file.Name())
})
exists, err := checker(file.Name())
assert.NoError(t, err, "FileExists should not fail")
assert.True(t, exists)
}
func testHelperFileExists_fileNotExists(t *testing.T, checker func(path string) (bool, error)) {
filePath := path.Join(os.TempDir(), fmt.Sprintf("%s%d", t.Name(), rand.Int()))
err := os.RemoveAll(filePath)
assert.NoError(t, err, "RemoveAll should not fail")
exists, err := checker(filePath)
assert.NoError(t, err, "FileExists should not fail")
assert.False(t, exists)
}

49
api/filesystem/filesystem_move_test.go
View File

@@ -1,49 +0,0 @@
package filesystem
import (
"fmt"
"os"
"path"
"testing"
"github.com/stretchr/testify/assert"
)
// temporary function until upgrade to 1.16
func tempDir(t *testing.T) string {
tmpDir, err := os.MkdirTemp("", "dir")
assert.NoError(t, err, "MkdirTemp should not fail")
return tmpDir
}
func Test_movePath_shouldFailIfOriginalPathDoesntExist(t *testing.T) {
tmpDir := tempDir(t)
missingPath := path.Join(tmpDir, "missing")
targetPath := path.Join(tmpDir, "target")
defer os.RemoveAll(tmpDir)
err := MoveDirectory(missingPath, targetPath)
assert.Error(t, err, "move directory should fail when target path exists")
}
func Test_movePath_shouldFailIfTargetPathDoesExist(t *testing.T) {
originalPath := tempDir(t)
missingPath := tempDir(t)
defer os.RemoveAll(originalPath)
defer os.RemoveAll(missingPath)
err := MoveDirectory(originalPath, missingPath)
assert.Error(t, err, "move directory should fail when target path exists")
}
func Test_movePath_success(t *testing.T) {
originalPath := tempDir(t)
defer os.RemoveAll(originalPath)
err := MoveDirectory(originalPath, fmt.Sprintf("%s-old", originalPath))
assert.NoError(t, err)
}

22
api/filesystem/filesystem_test.go
View File

@@ -1,22 +0,0 @@
package filesystem
import (
"os"
"path"
"testing"
"github.com/stretchr/testify/assert"
)
func createService(t *testing.T) *Service {
dataStorePath := path.Join(os.TempDir(), t.Name())
service, err := NewService(dataStorePath, "")
assert.NoError(t, err, "NewService should not fail")
t.Cleanup(func() {
os.RemoveAll(dataStorePath)
})
return service
}

11
api/git/azure_integration_test.go
View File

@@ -2,13 +2,12 @@ package git
import (
"fmt"
"os"
"path/filepath"
"testing"
"github.com/docker/docker/pkg/ioutils"
_ "github.com/joho/godotenv/autoload"
"github.com/stretchr/testify/assert"
"os"
"path/filepath"
"testing"
)
func TestService_ClonePublicRepository_Azure(t *testing.T) {
@@ -55,7 +54,7 @@ func TestService_ClonePublicRepository_Azure(t *testing.T) {
assert.NoError(t, err)
defer os.RemoveAll(dst)
repositoryUrl := fmt.Sprintf(tt.args.repositoryURLFormat, tt.args.password)
err = service.CloneRepository(dst, repositoryUrl, tt.args.referenceName, "", "")
err = service.ClonePublicRepository(repositoryUrl, tt.args.referenceName, dst)
assert.NoError(t, err)
assert.FileExists(t, filepath.Join(dst, "README.md"))
})
@@ -73,7 +72,7 @@ func TestService_ClonePrivateRepository_Azure(t *testing.T) {
defer os.RemoveAll(dst)
repositoryUrl := "https://portainer.visualstudio.com/Playground/_git/dev_integration"
err = service.CloneRepository(dst, repositoryUrl, "refs/heads/main", "", pat)
err = service.ClonePrivateRepositoryWithBasicAuth(repositoryUrl, "refs/heads/main", dst, "", pat)
assert.NoError(t, err)
assert.FileExists(t, filepath.Join(dst, "README.md"))
}

25
api/git/git.go
View File

@@ -3,13 +3,12 @@ package git
import (
"context"
"crypto/tls"
"github.com/pkg/errors"
"net/http"
"os"
"path/filepath"
"time"
"github.com/pkg/errors"
"github.com/go-git/go-git/v5"
"github.com/go-git/go-git/v5/plumbing"
"github.com/go-git/go-git/v5/plumbing/transport/client"
@@ -28,7 +27,7 @@ type downloader interface {
download(ctx context.Context, dst string, opt cloneOptions) error
}
type gitClient struct {
type gitClient struct{
preserveGitDirectory bool
}
@@ -87,18 +86,26 @@ func NewService() *Service {
}
}
// CloneRepository clones a git repository using the specified URL in the specified
// ClonePublicRepository clones a public git repository using the specified URL in the specified
// destination folder.
func (service *Service) CloneRepository(destination, repositoryURL, referenceName, username, password string) error {
options := cloneOptions{
func (service *Service) ClonePublicRepository(repositoryURL, referenceName, destination string) error {
return service.cloneRepository(destination, cloneOptions{
repositoryUrl: repositoryURL,
referenceName: referenceName,
depth: 1,
})
}
// ClonePrivateRepositoryWithBasicAuth clones a private git repository using the specified URL in the specified
// destination folder. It will use the specified Username and Password for basic HTTP authentication.
func (service *Service) ClonePrivateRepositoryWithBasicAuth(repositoryURL, referenceName, destination, username, password string) error {
return service.cloneRepository(destination, cloneOptions{
repositoryUrl: repositoryURL,
username: username,
password: password,
referenceName: referenceName,
depth: 1,
}
return service.cloneRepository(destination, options)
})
}
func (service *Service) cloneRepository(destination string, options cloneOptions) error {

7
api/git/git_integration_test.go
View File

@@ -1,12 +1,11 @@
package git
import (
"github.com/docker/docker/pkg/ioutils"
"github.com/stretchr/testify/assert"
"os"
"path/filepath"
"testing"
"github.com/docker/docker/pkg/ioutils"
"github.com/stretchr/testify/assert"
)
func TestService_ClonePrivateRepository_GitHub(t *testing.T) {
@@ -21,7 +20,7 @@ func TestService_ClonePrivateRepository_GitHub(t *testing.T) {
defer os.RemoveAll(dst)
repositoryUrl := "https://github.com/portainer/private-test-repository.git"
err = service.CloneRepository(dst, repositoryUrl, "refs/heads/main", username, pat)
err = service.ClonePrivateRepositoryWithBasicAuth(repositoryUrl, "refs/heads/main", dst, username, pat)
assert.NoError(t, err)
assert.FileExists(t, filepath.Join(dst, "README.md"))
}

17
api/git/git_test.go
View File

@@ -2,17 +2,16 @@ package git
import (
"context"
"io/ioutil"
"log"
"os"
"path/filepath"
"testing"
"github.com/go-git/go-git/v5"
"github.com/go-git/go-git/v5/plumbing/object"
"github.com/pkg/errors"
"github.com/portainer/portainer/api/archive"
"github.com/stretchr/testify/assert"
"io/ioutil"
"log"
"os"
"path/filepath"
"testing"
)
var bareRepoDir string
@@ -60,7 +59,7 @@ func Test_ClonePublicRepository_Shallow(t *testing.T) {
}
defer os.RemoveAll(dir)
t.Logf("Cloning into %s", dir)
err = service.CloneRepository(dir, repositoryURL, referenceName, "", "")
err = service.ClonePublicRepository(repositoryURL, referenceName, dir)
assert.NoError(t, err)
assert.Equal(t, 1, getCommitHistoryLength(t, err, dir), "cloned repo has incorrect depth")
}
@@ -75,11 +74,9 @@ func Test_ClonePublicRepository_NoGitDirectory(t *testing.T) {
if err != nil {
t.Fatalf("failed to create a temp dir")
}
defer os.RemoveAll(dir)
t.Logf("Cloning into %s", dir)
err = service.CloneRepository(dir, repositoryURL, referenceName, "", "")
err = service.ClonePublicRepository(repositoryURL, referenceName, dir)
assert.NoError(t, err)
assert.NoDirExists(t, filepath.Join(dir, ".git"))
}

10
api/git/types/types.go
View File

@@ -1,10 +0,0 @@
package gittypes
type RepoConfig struct {
// The repo url
URL string `example:"https://github.com/portainer/portainer-ee.git"`
// The reference name
ReferenceName string `example:"refs/heads/branch_name"`
// Path to where the config file is in this url/refName
ConfigFilePath string `example:"docker-compose.yml"`
}

1
api/go.mod
View File

@@ -27,6 +27,7 @@ require (
github.com/mitchellh/mapstructure v1.1.2 // indirect
github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
github.com/pkg/errors v0.9.1
github.com/portainer/docker-compose-wrapper v0.0.0-20210527221011-0a1418224b92
github.com/portainer/libcompose v0.5.3
github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2
github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33

11
api/go.sum
View File

@@ -80,7 +80,6 @@ github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkg
github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
github.com/evanphx/json-patch v4.2.0+incompatible h1:fUDGZCv/7iAN7u0puUVhvKCcsR6vRfwrJatElLBEf0I=
github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
@@ -154,7 +153,6 @@ github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
@@ -221,10 +219,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo=
github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420 h1:Yu3681ykYHDfLoI6XVjL4JWmkE+3TX9yfIWwRCh1kFM=
github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -242,6 +238,10 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/portainer/docker-compose-wrapper v0.0.0-20210415235931-d457f9aba1cc h1:MvSEkOvhW3m2D3L0/Ymrjgg0t3CpHlHwpZfpgpIGNiw=
github.com/portainer/docker-compose-wrapper v0.0.0-20210415235931-d457f9aba1cc/go.mod h1:No8p8iZt9N2HOtDS9aWkh1ILxmQVoOTZZjHGlOij/ec=
github.com/portainer/docker-compose-wrapper v0.0.0-20210527221011-0a1418224b92 h1:Hh7SHCf3SJblVywU0TTn5lpTKsH5W23LAKH5sqWggig=
github.com/portainer/docker-compose-wrapper v0.0.0-20210527221011-0a1418224b92/go.mod h1:PF2O2O4UNYWdtPcp6n/mIKpKk+f1jhFTezS8txbf+XM=
github.com/portainer/libcompose v0.5.3 h1:tE4WcPuGvo+NKeDkDWpwNavNLZ5GHIJ4RvuZXsI9uI8=
github.com/portainer/libcompose v0.5.3/go.mod h1:7SKd/ho69rRKHDFSDUwkbMcol2TMKU5OslDsajr8Ro8=
github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2 h1:0PfgGLys9yHr4rtnirg0W0Cjvv6/DzxBIZk5sV59208=
@@ -370,11 +370,9 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
@@ -401,7 +399,6 @@ k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUc
k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a h1:UcxjrRMyNx/i/y8G7kPvLyy7rfbeuf1PYyBf973pgyU=
k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
k8s.io/utils v0.0.0-20191114184206-e782cd3c129f h1:GiPwtSzdP43eI1hpPCbROQCCIgCuiMMNF8YUVLF3vJo=
k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=

18
api/http/handler/auth/authenticate.go
View File

@@ -130,13 +130,19 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
}
func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User) *httperror.HandlerError {
return handler.persistAndWriteToken(w, composeTokenData(user))
tokenData := &portainer.TokenData{
ID: user.ID,
Username: user.Username,
Role: user.Role,
}
return handler.persistAndWriteToken(w, tokenData)
}
func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *portainer.TokenData) *httperror.HandlerError {
token, err := handler.JWTService.GenerateToken(tokenData)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to generate JWT token", Err: err}
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to generate JWT token", err}
}
return response.JSON(w, &authenticateResponse{JWT: token})
@@ -198,11 +204,3 @@ func teamMembershipExists(teamID portainer.TeamID, memberships []portainer.TeamM
}
return false
}
func composeTokenData(user *portainer.User) *portainer.TokenData {
return &portainer.TokenData{
ID: user.ID,
Username: user.Username,
Role: user.Role,
}
}

40
api/http/handler/auth/authenticate_oauth.go
View File

@@ -25,6 +25,17 @@ func (payload *oauthPayload) Validate(r *http.Request) error {
return nil
}
// @id AuthenticateOauth
// @summary Authenticate with OAuth
// @tags auth
// @accept json
// @produce json
// @param body body oauthPayload true "OAuth Credentials used for authentication"
// @success 200 {object} authenticateResponse "Success"
// @failure 400 "Invalid request"
// @failure 422 "Invalid Credentials"
// @failure 500 "Server error"
// @router /auth/oauth/validate [post]
func (handler *Handler) authenticateOAuth(code string, settings *portainer.OAuthSettings) (string, error) {
if code == "" {
return "", errors.New("Invalid OAuth authorization code")
@@ -42,46 +53,35 @@ func (handler *Handler) authenticateOAuth(code string, settings *portainer.OAuth
return username, nil
}
// @id ValidateOAuth
// @summary Authenticate with OAuth
// @tags auth
// @accept json
// @produce json
// @param body body oauthPayload true "OAuth Credentials used for authentication"
// @success 200 {object} authenticateResponse "Success"
// @failure 400 "Invalid request"
// @failure 422 "Invalid Credentials"
// @failure 500 "Server error"
// @router /auth/oauth/validate [post]
func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
var payload oauthPayload
err := request.DecodeAndValidateJSONPayload(r, &payload)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
}
settings, err := handler.DataStore.Settings().Settings()
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve settings from the database", Err: err}
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
}
if settings.AuthenticationMethod != portainer.AuthenticationOAuth {
return &httperror.HandlerError{StatusCode: http.StatusForbidden, Message: "OAuth authentication is not enabled", Err: errors.New("OAuth authentication is not enabled")}
if settings.AuthenticationMethod != 3 {
return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", errors.New("OAuth authentication is not enabled")}
}
username, err := handler.authenticateOAuth(payload.Code, &settings.OAuthSettings)
if err != nil {
log.Printf("[DEBUG] - OAuth authentication error: %s", err)
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to authenticate through OAuth", Err: httperrors.ErrUnauthorized}
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate through OAuth", httperrors.ErrUnauthorized}
}
user, err := handler.DataStore.User().UserByUsername(username)
if err != nil && err != bolterrors.ErrObjectNotFound {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve a user with the specified username from the database", Err: err}
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
}
if user == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
return &httperror.HandlerError{StatusCode: http.StatusForbidden, Message: "Account not created beforehand in Portainer and automatic user provisioning not enabled", Err: httperrors.ErrUnauthorized}
return &httperror.HandlerError{http.StatusForbidden, "Account not created beforehand in Portainer and automatic user provisioning not enabled", httperrors.ErrUnauthorized}
}
if user == nil {
@@ -92,7 +92,7 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
err = handler.DataStore.User().CreateUser(user)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist user inside the database", Err: err}
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
}
if settings.OAuthSettings.DefaultTeamID != 0 {
@@ -104,7 +104,7 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
err = handler.DataStore.TeamMembership().CreateTeamMembership(membership)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist team membership inside the database", Err: err}
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist team membership inside the database", err}
}
}

14
api/http/handler/customtemplates/customtemplate_create.go
View File

@@ -236,14 +236,16 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (
projectPath := handler.FileService.GetCustomTemplateProjectPath(strconv.Itoa(customTemplateID))
customTemplate.ProjectPath = projectPath
repositoryUsername := payload.RepositoryUsername
repositoryPassword := payload.RepositoryPassword
if !payload.RepositoryAuthentication {
repositoryUsername = ""
repositoryPassword = ""
gitCloneParams := &cloneRepositoryParameters{
url: payload.RepositoryURL,
referenceName: payload.RepositoryReferenceName,
path: projectPath,
authentication: payload.RepositoryAuthentication,
username: payload.RepositoryUsername,
password: payload.RepositoryPassword,
}
err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, payload.RepositoryReferenceName, repositoryUsername, repositoryPassword)
err = handler.cloneGitRepository(gitCloneParams)
if err != nil {
return nil, err
}

17
api/http/handler/customtemplates/git.go Normal file
View File

@@ -0,0 +1,17 @@
package customtemplates
type cloneRepositoryParameters struct {
url string
referenceName string
path string
authentication bool
username string
password string
}
func (handler *Handler) cloneGitRepository(parameters *cloneRepositoryParameters) error {
if parameters.authentication {
return handler.GitService.ClonePrivateRepositoryWithBasicAuth(parameters.url, parameters.referenceName, parameters.path, parameters.username, parameters.password)
}
return handler.GitService.ClonePublicRepository(parameters.url, parameters.referenceName, parameters.path)
}

14
api/http/handler/edgestacks/edgestack_create.go
View File

@@ -212,14 +212,16 @@ func (handler *Handler) createSwarmStackFromGitRepository(r *http.Request) (*por
projectPath := handler.FileService.GetEdgeStackProjectPath(strconv.Itoa(int(stack.ID)))
stack.ProjectPath = projectPath
repositoryUsername := payload.RepositoryUsername
repositoryPassword := payload.RepositoryPassword
if !payload.RepositoryAuthentication {
repositoryUsername = ""
repositoryPassword = ""
gitCloneParams := &cloneRepositoryParameters{
url: payload.RepositoryURL,
referenceName: payload.RepositoryReferenceName,
path: projectPath,
authentication: payload.RepositoryAuthentication,
username: payload.RepositoryUsername,
password: payload.RepositoryPassword,
}
err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, payload.RepositoryReferenceName, repositoryUsername, repositoryPassword)
err = handler.cloneGitRepository(gitCloneParams)
if err != nil {
return nil, err
}

17
api/http/handler/edgestacks/git.go Normal file
View File

@@ -0,0 +1,17 @@
package edgestacks
type cloneRepositoryParameters struct {
url string
referenceName string
path string
authentication bool
username string
password string
}
func (handler *Handler) cloneGitRepository(parameters *cloneRepositoryParameters) error {
if parameters.authentication {
return handler.GitService.ClonePrivateRepositoryWithBasicAuth(parameters.url, parameters.referenceName, parameters.path, parameters.username, parameters.password)
}
return handler.GitService.ClonePublicRepository(parameters.url, parameters.referenceName, parameters.path)
}

21
api/http/handler/endpointgroups/endpointgroup_update.go
View File

@@ -109,33 +109,12 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
}
}
updateAuthorizations := false
if payload.UserAccessPolicies != nil && !reflect.DeepEqual(payload.UserAccessPolicies, endpointGroup.UserAccessPolicies) {
endpointGroup.UserAccessPolicies = payload.UserAccessPolicies
updateAuthorizations = true
}
if payload.TeamAccessPolicies != nil && !reflect.DeepEqual(payload.TeamAccessPolicies, endpointGroup.TeamAccessPolicies) {
endpointGroup.TeamAccessPolicies = payload.TeamAccessPolicies
updateAuthorizations = true
}
if updateAuthorizations {
endpoints, err := handler.DataStore.Endpoint().Endpoints()
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
}
for _, endpoint := range endpoints {
if endpoint.GroupID == endpointGroup.ID {
if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
err = handler.AuthorizationService.CleanNAPWithOverridePolicies(&endpoint, endpointGroup)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
}
}
}
}
}
err = handler.DataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, endpointGroup)

2
api/http/handler/endpointgroups/handler.go
View File

@@ -1,7 +1,6 @@
package endpointgroups
import (
"github.com/portainer/portainer/api/internal/authorization"
"net/http"
"github.com/gorilla/mux"
@@ -13,7 +12,6 @@ import (
// Handler is the HTTP handler used to handle endpoint group operations.
type Handler struct {
*mux.Router
AuthorizationService *authorization.Service
DataStore portainer.DataStore
}

3
api/http/handler/endpoints/endpoint_create.go
View File

@@ -156,7 +156,7 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
// @accept multipart/form-data
// @produce json
// @param Name formData string true "Name that will be used to identify this endpoint (example: my-endpoint)"
// @param EndpointCreationType formData integer true "Environment type. Value must be one of: 1 (Local Docker environment), 2 (Agent environment), 3 (Azure environment), 4 (Edge agent environment) or 5 (Local Kubernetes Environment" Enum(1,2,3,4,5)
// @param EndpointType formData integer true "Environment type. Value must be one of: 1 (Local Docker environment), 2 (Agent environment), 3 (Azure environment), 4 (Edge agent environment) or 5 (Local Kubernetes Environment" Enum(1,2,3,4,5)
// @param URL formData string false "URL or IP address of a Docker host (example: docker.mydomain.tld:2375). Defaults to local if not specified (Linux: /var/run/docker.sock, Windows: //./pipe/docker_engine)"
// @param PublicURL formData string false "URL or IP address where exposed containers will be reachable. Defaults to URL if not specified (example: docker.mydomain.tld:2375)"
// @param GroupID formData int false "Endpoint group identifier. If not specified will default to 1 (unassigned)."
@@ -471,7 +471,6 @@ func (handler *Handler) saveEndpointAndUpdateAuthorizations(endpoint *portainer.
AllowVolumeBrowserForRegularUsers: false,
EnableHostManagementFeatures: false,
AllowSysctlSettingForRegularUsers: true,
AllowBindMountsForRegularUsers: true,
AllowPrivilegedModeForRegularUsers: true,
AllowHostNamespaceForRegularUsers: true,

10
api/http/handler/endpoints/endpoint_dockerhub_status.go
View File

@@ -115,18 +115,8 @@ func getDockerHubLimits(httpClient *client.HTTPClient, token string) (*dockerhub
return nil, errors.New("failed fetching dockerhub limits")
}
// An error with rateLimit-Limit or RateLimit-Remaining is likely for dockerhub pro accounts where there is no rate limit.
// In that specific case the headers will not be present. Don't bubble up the error as its normal
// See: https://docs.docker.com/docker-hub/download-rate-limit/
rateLimit, err := parseRateLimitHeader(resp.Header, "RateLimit-Limit")
if err != nil {
return nil, nil
}
rateLimitRemaining, err := parseRateLimitHeader(resp.Header, "RateLimit-Remaining")
if err != nil {
return nil, nil
}
return &dockerhubStatusResponse{
Limit: rateLimit,

12
api/http/handler/endpoints/endpoint_update.go
View File

@@ -155,14 +155,11 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
endpoint.Kubernetes = *payload.Kubernetes
}
updateAuthorizations := false
if payload.UserAccessPolicies != nil && !reflect.DeepEqual(payload.UserAccessPolicies, endpoint.UserAccessPolicies) {
updateAuthorizations = true
endpoint.UserAccessPolicies = payload.UserAccessPolicies
}
if payload.TeamAccessPolicies != nil && !reflect.DeepEqual(payload.TeamAccessPolicies, endpoint.TeamAccessPolicies) {
updateAuthorizations = true
endpoint.TeamAccessPolicies = payload.TeamAccessPolicies
}
@@ -255,15 +252,6 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
}
}
if updateAuthorizations {
if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
err = handler.AuthorizationService.CleanNAPWithOverridePolicies(endpoint, nil)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
}
}
}
err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}

2
api/http/handler/endpoints/handler.go
View File

@@ -5,7 +5,6 @@ import (
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/http/proxy"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/internal/authorization"
"net/http"
@@ -29,7 +28,6 @@ type Handler struct {
ReverseTunnelService portainer.ReverseTunnelService
SnapshotService portainer.SnapshotService
ComposeStackManager portainer.ComposeStackManager
AuthorizationService *authorization.Service
}
// NewHandler creates a handler to manage endpoint operations.

2
api/http/handler/handler.go
View File

@@ -67,7 +67,7 @@ type Handler struct {
}
// @title PortainerCE API
// @version 2.6.2
// @version 2.1.1
// @description.markdown api-description.md
// @termsOfService

40
api/http/handler/settings/settings_public.go
View File

@@ -18,8 +18,6 @@ type publicSettingsResponse struct {
EnableEdgeComputeFeatures bool `json:"EnableEdgeComputeFeatures" example:"true"`
// The URL used for oauth login
OAuthLoginURI string `json:"OAuthLoginURI" example:"https://gitlab.com/oauth"`
// The URL used for oauth logout
OAuthLogoutURI string `json:"OAuthLogoutURI" example:"https://gitlab.com/oauth/logout"`
// Whether telemetry is enabled
EnableTelemetry bool `json:"EnableTelemetry" example:"true"`
}
@@ -36,32 +34,20 @@ type publicSettingsResponse struct {
func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
settings, err := handler.DataStore.Settings().Settings()
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to retrieve the settings from the database", Err: err}
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve the settings from the database", err}
}
publicSettings := &publicSettingsResponse{
LogoURL: settings.LogoURL,
AuthenticationMethod: settings.AuthenticationMethod,
EnableEdgeComputeFeatures: settings.EnableEdgeComputeFeatures,
EnableTelemetry: settings.EnableTelemetry,
OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&prompt=login",
settings.OAuthSettings.AuthorizationURI,
settings.OAuthSettings.ClientID,
settings.OAuthSettings.RedirectURI,
settings.OAuthSettings.Scopes),
}
publicSettings := generatePublicSettings(settings)
return response.JSON(w, publicSettings)
}
func generatePublicSettings(appSettings *portainer.Settings) *publicSettingsResponse {
publicSettings := &publicSettingsResponse{
LogoURL: appSettings.LogoURL,
AuthenticationMethod: appSettings.AuthenticationMethod,
EnableEdgeComputeFeatures: appSettings.EnableEdgeComputeFeatures,
EnableTelemetry: appSettings.EnableTelemetry,
}
//if OAuth authentication is on, compose the related fields from application settings
if publicSettings.AuthenticationMethod == portainer.AuthenticationOAuth {
publicSettings.OAuthLogoutURI = appSettings.OAuthSettings.LogoutURI
publicSettings.OAuthLoginURI = fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s",
appSettings.OAuthSettings.AuthorizationURI,
appSettings.OAuthSettings.ClientID,
appSettings.OAuthSettings.RedirectURI,
appSettings.OAuthSettings.Scopes)
//control prompt=login param according to the SSO setting
if !appSettings.OAuthSettings.SSO {
publicSettings.OAuthLoginURI += "&prompt=login"
}
}
return publicSettings
}

70
api/http/handler/settings/settings_public_test.go
View File

@@ -1,70 +0,0 @@
package settings
import (
"fmt"
"testing"
portainer "github.com/portainer/portainer/api"
)
const (
dummyOAuthClientID = "1a2b3c4d"
dummyOAuthScopes = "scopes"
dummyOAuthAuthenticationURI = "example.com/auth"
dummyOAuthRedirectURI = "example.com/redirect"
dummyOAuthLogoutURI = "example.com/logout"
)
var (
dummyOAuthLoginURI string
mockAppSettings *portainer.Settings
)
func setup() {
dummyOAuthLoginURI = fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s",
dummyOAuthAuthenticationURI,
dummyOAuthClientID,
dummyOAuthRedirectURI,
dummyOAuthScopes)
mockAppSettings = &portainer.Settings{
AuthenticationMethod: portainer.AuthenticationOAuth,
OAuthSettings: portainer.OAuthSettings{
AuthorizationURI: dummyOAuthAuthenticationURI,
ClientID: dummyOAuthClientID,
Scopes: dummyOAuthScopes,
RedirectURI: dummyOAuthRedirectURI,
LogoutURI: dummyOAuthLogoutURI,
},
}
}
func TestGeneratePublicSettingsWithSSO(t *testing.T) {
setup()
mockAppSettings.OAuthSettings.SSO = true
publicSettings := generatePublicSettings(mockAppSettings)
if publicSettings.AuthenticationMethod != portainer.AuthenticationOAuth {
t.Errorf("wrong AuthenticationMethod, want: %d, got: %d", portainer.AuthenticationOAuth, publicSettings.AuthenticationMethod)
}
if publicSettings.OAuthLoginURI != dummyOAuthLoginURI {
t.Errorf("wrong OAuthLoginURI when SSO is switched on, want: %s, got: %s", dummyOAuthLoginURI, publicSettings.OAuthLoginURI)
}
if publicSettings.OAuthLogoutURI != dummyOAuthLogoutURI {
t.Errorf("wrong OAuthLogoutURI, want: %s, got: %s", dummyOAuthLogoutURI, publicSettings.OAuthLogoutURI)
}
}
func TestGeneratePublicSettingsWithoutSSO(t *testing.T) {
setup()
mockAppSettings.OAuthSettings.SSO = false
publicSettings := generatePublicSettings(mockAppSettings)
if publicSettings.AuthenticationMethod != portainer.AuthenticationOAuth {
t.Errorf("wrong AuthenticationMethod, want: %d, got: %d", portainer.AuthenticationOAuth, publicSettings.AuthenticationMethod)
}
expectedOAuthLoginURI := dummyOAuthLoginURI + "&prompt=login"
if publicSettings.OAuthLoginURI != expectedOAuthLoginURI {
t.Errorf("wrong OAuthLoginURI when SSO is switched off, want: %s, got: %s", expectedOAuthLoginURI, publicSettings.OAuthLoginURI)
}
if publicSettings.OAuthLogoutURI != dummyOAuthLogoutURI {
t.Errorf("wrong OAuthLogoutURI, want: %s, got: %s", dummyOAuthLogoutURI, publicSettings.OAuthLogoutURI)
}
}

81
api/http/handler/stacks/create_compose_stack.go
View File

@@ -112,8 +112,9 @@ type composeStackFromGitRepositoryPayload struct {
// Password used in basic authentication. Required when RepositoryAuthentication is true.
RepositoryPassword string `example:"myGitPassword"`
// Path to the Stack file inside the Git repository
ComposeFilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
ComposeFile string `example:"docker-compose.yml" default:"docker-compose.yml"`
AdditionalFiles []string
AutoUpdate *portainer.StackAutoUpdate
// A list of environment variables used during stack deployment
Env []portainer.Pair
}
@@ -122,14 +123,15 @@ func (payload *composeStackFromGitRepositoryPayload) Validate(r *http.Request) e
if govalidator.IsNull(payload.Name) {
return errors.New("Invalid stack name")
}
if govalidator.IsNull(payload.RepositoryURL) || !govalidator.IsURL(payload.RepositoryURL) {
return errors.New("Invalid repository URL. Must correspond to a valid URL format")
}
if payload.RepositoryAuthentication && (govalidator.IsNull(payload.RepositoryUsername) || govalidator.IsNull(payload.RepositoryPassword)) {
return errors.New("Invalid repository credentials. Username and password must be specified when authentication is enabled")
}
if err := validateStackAutoUpdate(payload.AutoUpdate); err != nil {
return err
}
return nil
}
@@ -141,38 +143,59 @@ func (handler *Handler) createComposeStackFromGitRepository(w http.ResponseWrite
}
payload.Name = handler.ComposeStackManager.NormalizeStackName(payload.Name)
if payload.ComposeFilePathInRepository == "" {
payload.ComposeFilePathInRepository = filesystem.ComposeFileDefaultName
if payload.ComposeFile == "" {
payload.ComposeFile = filesystem.ComposeFileDefaultName
}
isUnique, err := handler.checkUniqueName(endpoint, payload.Name, 0, false)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to check for name collision", err}
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to check for name collision", Err: err}
}
if !isUnique {
errorMessage := fmt.Sprintf("A stack with the name '%s' already exists", payload.Name)
return &httperror.HandlerError{http.StatusConflict, errorMessage, errors.New(errorMessage)}
return &httperror.HandlerError{StatusCode: http.StatusConflict, Message: fmt.Sprintf("A stack with the name '%s' already exists", payload.Name), Err: errStackAlreadyExists}
}
//make sure the webhook ID is unique
if payload.AutoUpdate.Webhook != "" {
isUnique, err := handler.checkUniqueWebhookID(payload.AutoUpdate.Webhook)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to check for webhook ID collision", Err: err}
}
if !isUnique {
return &httperror.HandlerError{StatusCode: http.StatusConflict, Message: fmt.Sprintf("Webhook ID: %s already exists", payload.AutoUpdate.Webhook), Err: errWebhookIDAlreadyExists}
}
}
stackID := handler.DataStore.Stack().GetNextIdentifier()
stack := &portainer.Stack{
ID: portainer.StackID(stackID),
Name: payload.Name,
Type: portainer.DockerComposeStack,
EndpointID: endpoint.ID,
EntryPoint: payload.ComposeFilePathInRepository,
Env: payload.Env,
Status: portainer.StackStatusActive,
CreationDate: time.Now().Unix(),
ID: portainer.StackID(stackID),
Name: payload.Name,
Type: portainer.DockerComposeStack,
EndpointID: endpoint.ID,
EntryPoint: payload.ComposeFile,
AdditionalFiles: payload.AdditionalFiles,
AutoUpdate: payload.AutoUpdate,
Env: payload.Env,
Status: portainer.StackStatusActive,
CreationDate: time.Now().Unix(),
}
projectPath := handler.FileService.GetStackProjectPath(strconv.Itoa(int(stack.ID)))
stack.ProjectPath = projectPath
gitCloneParams := &cloneRepositoryParameters{
url: payload.RepositoryURL,
referenceName: payload.RepositoryReferenceName,
path: projectPath,
authentication: payload.RepositoryAuthentication,
username: payload.RepositoryUsername,
password: payload.RepositoryPassword,
}
doCleanUp := true
defer handler.cleanUp(stack, &doCleanUp)
err = handler.cloneAndSaveConfig(stack, projectPath, payload.RepositoryURL, payload.RepositoryReferenceName, payload.ComposeFilePathInRepository, payload.RepositoryAuthentication, payload.RepositoryUsername, payload.RepositoryPassword)
err = handler.cloneGitRepository(gitCloneParams)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to clone git repository", Err: err}
}
@@ -237,11 +260,11 @@ func (handler *Handler) createComposeStackFromFileUpload(w http.ResponseWriter,
isUnique, err := handler.checkUniqueName(endpoint, payload.Name, 0, false)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to check for name collision", Err: err}
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to check for name collision", err}
}
if !isUnique {
errorMessage := fmt.Sprintf("A stack with the name '%s' already exists", payload.Name)
return &httperror.HandlerError{StatusCode: http.StatusConflict, Message: errorMessage, Err: errors.New(errorMessage)}
return &httperror.HandlerError{http.StatusConflict, errorMessage, errors.New(errorMessage)}
}
stackID := handler.DataStore.Stack().GetNextIdentifier()
@@ -351,15 +374,17 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
!securitySettings.AllowContainerCapabilitiesForRegularUsers) &&
!isAdminOrEndpointAdmin {
composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
stackContent, err := handler.FileService.GetFileContent(composeFilePath)
if err != nil {
return err
}
for _, file := range append([]string{config.stack.EntryPoint}, config.stack.AdditionalFiles...) {
path := path.Join(config.stack.ProjectPath, file)
stackContent, err := handler.FileService.GetFileContent(path)
if err != nil {
return err
}
err = handler.isValidStackFile(stackContent, securitySettings)
if err != nil {
return err
err = handler.isValidStackFile(stackContent, securitySettings)
if err != nil {
return err
}
}
}

154
api/http/handler/stacks/create_kubernetes_stack.go
View File

@@ -2,11 +2,7 @@ package stacks
import (
"errors"
"io/ioutil"
"net/http"
"path/filepath"
"strconv"
"time"
"github.com/asaskevich/govalidator"
@@ -14,29 +10,15 @@ import (
"github.com/portainer/libhttp/request"
"github.com/portainer/libhttp/response"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/filesystem"
)
const defaultReferenceName = "refs/heads/master"
type kubernetesStringDeploymentPayload struct {
type kubernetesStackPayload struct {
ComposeFormat bool
Namespace string
StackFileContent string
}
type kubernetesGitDeploymentPayload struct {
ComposeFormat bool
Namespace string
RepositoryURL string
RepositoryReferenceName string
RepositoryAuthentication bool
RepositoryUsername string
RepositoryPassword string
FilePathInRepository string
}
func (payload *kubernetesStringDeploymentPayload) Validate(r *http.Request) error {
func (payload *kubernetesStackPayload) Validate(r *http.Request) error {
if govalidator.IsNull(payload.StackFileContent) {
return errors.New("Invalid stack file content")
}
@@ -46,146 +28,32 @@ func (payload *kubernetesStringDeploymentPayload) Validate(r *http.Request) erro
return nil
}
func (payload *kubernetesGitDeploymentPayload) Validate(r *http.Request) error {
if govalidator.IsNull(payload.Namespace) {
return errors.New("Invalid namespace")
}
if govalidator.IsNull(payload.RepositoryURL) || !govalidator.IsURL(payload.RepositoryURL) {
return errors.New("Invalid repository URL. Must correspond to a valid URL format")
}
if payload.RepositoryAuthentication && govalidator.IsNull(payload.RepositoryPassword) {
return errors.New("Invalid repository credentials. Password must be specified when authentication is enabled")
}
if govalidator.IsNull(payload.FilePathInRepository) {
return errors.New("Invalid file path in repository")
}
if govalidator.IsNull(payload.RepositoryReferenceName) {
payload.RepositoryReferenceName = defaultReferenceName
}
return nil
}
type createKubernetesStackResponse struct {
Output string `json:"Output"`
}
func (handler *Handler) createKubernetesStackFromFileContent(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint) *httperror.HandlerError {
var payload kubernetesStringDeploymentPayload
if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
}
stackID := handler.DataStore.Stack().GetNextIdentifier()
stack := &portainer.Stack{
ID: portainer.StackID(stackID),
Type: portainer.KubernetesStack,
EndpointID: endpoint.ID,
EntryPoint: filesystem.ManifestFileDefaultName,
Status: portainer.StackStatusActive,
CreationDate: time.Now().Unix(),
}
stackFolder := strconv.Itoa(int(stack.ID))
projectPath, err := handler.FileService.StoreStackFileFromBytes(stackFolder, stack.EntryPoint, []byte(payload.StackFileContent))
func (handler *Handler) createKubernetesStack(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint) *httperror.HandlerError {
var payload kubernetesStackPayload
err := request.DecodeAndValidateJSONPayload(r, &payload)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist Kubernetes manifest file on disk", Err: err}
}
stack.ProjectPath = projectPath
doCleanUp := true
defer handler.cleanUp(stack, &doCleanUp)
output, err := handler.deployKubernetesStack(r, endpoint, payload.StackFileContent, payload.ComposeFormat, payload.Namespace)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to deploy Kubernetes stack", Err: err}
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
}
err = handler.DataStore.Stack().CreateStack(stack)
output, err := handler.deployKubernetesStack(endpoint, payload.StackFileContent, payload.ComposeFormat, payload.Namespace)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist the Kubernetes stack inside the database", Err: err}
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to deploy Kubernetes stack", err}
}
resp := &createKubernetesStackResponse{
Output: output,
Output: string(output),
}
return response.JSON(w, resp)
}
func (handler *Handler) createKubernetesStackFromGitRepository(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint) *httperror.HandlerError {
var payload kubernetesGitDeploymentPayload
if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
}
stackID := handler.DataStore.Stack().GetNextIdentifier()
stack := &portainer.Stack{
ID: portainer.StackID(stackID),
Type: portainer.KubernetesStack,
EndpointID: endpoint.ID,
EntryPoint: payload.FilePathInRepository,
Status: portainer.StackStatusActive,
CreationDate: time.Now().Unix(),
}
projectPath := handler.FileService.GetStackProjectPath(strconv.Itoa(int(stack.ID)))
stack.ProjectPath = projectPath
doCleanUp := true
defer handler.cleanUp(stack, &doCleanUp)
stackFileContent, err := handler.cloneManifestContentFromGitRepo(&payload, stack.ProjectPath)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Failed to process manifest from Git repository", Err: err}
}
output, err := handler.deployKubernetesStack(r, endpoint, stackFileContent, payload.ComposeFormat, payload.Namespace)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to deploy Kubernetes stack", Err: err}
}
err = handler.DataStore.Stack().CreateStack(stack)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist the stack inside the database", Err: err}
}
resp := &createKubernetesStackResponse{
Output: output,
}
return response.JSON(w, resp)
}
func (handler *Handler) deployKubernetesStack(request *http.Request, endpoint *portainer.Endpoint, stackConfig string, composeFormat bool, namespace string) (string, error) {
func (handler *Handler) deployKubernetesStack(endpoint *portainer.Endpoint, data string, composeFormat bool, namespace string) ([]byte, error) {
handler.stackCreationMutex.Lock()
defer handler.stackCreationMutex.Unlock()
if composeFormat {
convertedConfig, err := handler.KubernetesDeployer.ConvertCompose(stackConfig)
if err != nil {
return "", err
}
stackConfig = string(convertedConfig)
}
return handler.KubernetesDeployer.Deploy(request, endpoint, stackConfig, namespace)
}
func (handler *Handler) cloneManifestContentFromGitRepo(gitInfo *kubernetesGitDeploymentPayload, projectPath string) (string, error) {
repositoryUsername := gitInfo.RepositoryUsername
repositoryPassword := gitInfo.RepositoryPassword
if !gitInfo.RepositoryAuthentication {
repositoryUsername = ""
repositoryPassword = ""
}
err := handler.GitService.CloneRepository(projectPath, gitInfo.RepositoryURL, gitInfo.RepositoryReferenceName, repositoryUsername, repositoryPassword)
if err != nil {
return "", err
}
content, err := ioutil.ReadFile(filepath.Join(projectPath, gitInfo.FilePathInRepository))
if err != nil {
return "", err
}
return string(content), nil
return handler.KubernetesDeployer.Deploy(endpoint, data, composeFormat, namespace)
}

64
api/http/handler/stacks/create_kubernetes_stack_test.go
View File

@@ -1,64 +0,0 @@
package stacks
import (
"io/ioutil"
"os"
"path"
"testing"
"github.com/stretchr/testify/assert"
)
type git struct {
content string
}
func (g *git) CloneRepository(destination string, repositoryURL, referenceName, username, password string) error {
return g.ClonePublicRepository(repositoryURL, referenceName, destination)
}
func (g *git) ClonePublicRepository(repositoryURL string, referenceName string, destination string) error {
return ioutil.WriteFile(path.Join(destination, "deployment.yml"), []byte(g.content), 0755)
}
func (g *git) ClonePrivateRepositoryWithBasicAuth(repositoryURL, referenceName string, destination, username, password string) error {
return g.ClonePublicRepository(repositoryURL, referenceName, destination)
}
func TestCloneAndConvertGitRepoFile(t *testing.T) {
dir, err := os.MkdirTemp("", "kube-create-stack")
assert.NoError(t, err, "failed to create a tmp dir")
defer os.RemoveAll(dir)
content := `apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80`
h := &Handler{
GitService: &git{
content: content,
},
}
gitInfo := &kubernetesGitDeploymentPayload{
FilePathInRepository: "deployment.yml",
}
fileContent, err := h.cloneManifestContentFromGitRepo(gitInfo, dir)
assert.NoError(t, err, "failed to clone or convert the file from Git repo")
assert.Equal(t, content, fileContent)
}

80
api/http/handler/stacks/create_swarm_stack.go
View File

@@ -119,7 +119,9 @@ type swarmStackFromGitRepositoryPayload struct {
// Password used in basic authentication. Required when RepositoryAuthentication is true.
RepositoryPassword string `example:"myGitPassword"`
// Path to the Stack file inside the Git repository
ComposeFilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
ComposeFile string `example:"docker-compose.yml" default:"docker-compose.yml"`
AdditionalFiles []string
AutoUpdate *portainer.StackAutoUpdate
}
func (payload *swarmStackFromGitRepositoryPayload) Validate(r *http.Request) error {
@@ -135,8 +137,8 @@ func (payload *swarmStackFromGitRepositoryPayload) Validate(r *http.Request) err
if payload.RepositoryAuthentication && (govalidator.IsNull(payload.RepositoryUsername) || govalidator.IsNull(payload.RepositoryPassword)) {
return errors.New("Invalid repository credentials. Username and password must be specified when authentication is enabled")
}
if govalidator.IsNull(payload.ComposeFilePathInRepository) {
payload.ComposeFilePathInRepository = filesystem.ComposeFileDefaultName
if err := validateStackAutoUpdate(payload.AutoUpdate); err != nil {
return err
}
return nil
}
@@ -145,38 +147,59 @@ func (handler *Handler) createSwarmStackFromGitRepository(w http.ResponseWriter,
var payload swarmStackFromGitRepositoryPayload
err := request.DecodeAndValidateJSONPayload(r, &payload)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
}
isUnique, err := handler.checkUniqueName(endpoint, payload.Name, 0, true)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to check for name collision", err}
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to check for name collision", Err: err}
}
if !isUnique {
errorMessage := fmt.Sprintf("A stack with the name '%s' is already running", payload.Name)
return &httperror.HandlerError{http.StatusConflict, errorMessage, errors.New(errorMessage)}
return &httperror.HandlerError{StatusCode: http.StatusConflict, Message: fmt.Sprintf("A stack with the name '%s' already exists", payload.Name), Err: errStackAlreadyExists}
}
//make sure the webhook ID is unique
if payload.AutoUpdate.Webhook != "" {
isUnique, err := handler.checkUniqueWebhookID(payload.AutoUpdate.Webhook)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to check for webhook ID collision", Err: err}
}
if !isUnique {
return &httperror.HandlerError{StatusCode: http.StatusConflict, Message: fmt.Sprintf("Webhook ID: %s already exists", payload.AutoUpdate.Webhook), Err: errWebhookIDAlreadyExists}
}
}
stackID := handler.DataStore.Stack().GetNextIdentifier()
stack := &portainer.Stack{
ID: portainer.StackID(stackID),
Name: payload.Name,
Type: portainer.DockerSwarmStack,
SwarmID: payload.SwarmID,
EndpointID: endpoint.ID,
EntryPoint: payload.ComposeFilePathInRepository,
Env: payload.Env,
Status: portainer.StackStatusActive,
CreationDate: time.Now().Unix(),
ID: portainer.StackID(stackID),
Name: payload.Name,
Type: portainer.DockerSwarmStack,
SwarmID: payload.SwarmID,
EndpointID: endpoint.ID,
EntryPoint: payload.ComposeFile,
AdditionalFiles: payload.AdditionalFiles,
AutoUpdate: payload.AutoUpdate,
Env: payload.Env,
Status: portainer.StackStatusActive,
CreationDate: time.Now().Unix(),
}
projectPath := handler.FileService.GetStackProjectPath(strconv.Itoa(int(stack.ID)))
stack.ProjectPath = projectPath
gitCloneParams := &cloneRepositoryParameters{
url: payload.RepositoryURL,
referenceName: payload.RepositoryReferenceName,
path: projectPath,
authentication: payload.RepositoryAuthentication,
username: payload.RepositoryUsername,
password: payload.RepositoryPassword,
}
doCleanUp := true
defer handler.cleanUp(stack, &doCleanUp)
err = handler.cloneAndSaveConfig(stack, projectPath, payload.RepositoryURL, payload.RepositoryReferenceName, payload.ComposeFilePathInRepository, payload.RepositoryAuthentication, payload.RepositoryUsername, payload.RepositoryPassword)
err = handler.cloneGitRepository(gitCloneParams)
if err != nil {
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to clone git repository", Err: err}
}
@@ -188,14 +211,14 @@ func (handler *Handler) createSwarmStackFromGitRepository(w http.ResponseWriter,
err = handler.deploySwarmStack(config)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
}
stack.CreatedBy = config.user.Username
err = handler.DataStore.Stack().CreateStack(stack)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack inside the database", err}
return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist the stack inside the database", Err: err}
}
doCleanUp = false
@@ -351,16 +374,17 @@ func (handler *Handler) deploySwarmStack(config *swarmStackDeploymentConfig) err
settings := &config.endpoint.SecuritySettings
if !settings.AllowBindMountsForRegularUsers && !isAdminOrEndpointAdmin {
composeFilePath := path.Join(config.stack.ProjectPath, config.stack.EntryPoint)
for _, file := range append([]string{config.stack.EntryPoint}, config.stack.AdditionalFiles...) {
path := path.Join(config.stack.ProjectPath, file)
stackContent, err := handler.FileService.GetFileContent(path)
if err != nil {
return err
}
stackContent, err := handler.FileService.GetFileContent(composeFilePath)
if err != nil {
return err
}
err = handler.isValidStackFile(stackContent, settings)
if err != nil {
return err
err = handler.isValidStackFile(stackContent, settings)
if err != nil {
return err
}
}
}

17
api/http/handler/stacks/git.go Normal file
View File

@@ -0,0 +1,17 @@
package stacks
type cloneRepositoryParameters struct {
url string
referenceName string
path string
authentication bool
username string
password string
}
func (handler *Handler) cloneGitRepository(parameters *cloneRepositoryParameters) error {
if parameters.authentication {
return handler.GitService.ClonePrivateRepositoryWithBasicAuth(parameters.url, parameters.referenceName, parameters.path, parameters.username, parameters.password)
}
return handler.GitService.ClonePublicRepository(parameters.url, parameters.referenceName, parameters.path)
}

18
api/http/handler/stacks/handler.go
View File

@@ -11,14 +11,16 @@ import (
"github.com/gorilla/mux"
httperror "github.com/portainer/libhttp/error"
portainer "github.com/portainer/portainer/api"
dberrors "github.com/portainer/portainer/api/bolt/errors"
"github.com/portainer/portainer/api/docker"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/internal/authorization"
)
var (
errStackAlreadyExists = errors.New("A stack already exists with this name")
errStackNotExternal = errors.New("Not an external stack")
errStackAlreadyExists = errors.New("A stack already exists with this name")
errWebhookIDAlreadyExists = errors.New("A webhook ID already exists")
errStackNotExternal = errors.New("Not an external stack")
)
// Handler is the HTTP handler used to handle stack operations.
@@ -52,12 +54,8 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackInspect))).Methods(http.MethodGet)
h.Handle("/stacks/{id}",
bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackDelete))).Methods(http.MethodDelete)
h.Handle("/stacks/{id}/associate",
bouncer.AdminAccess(httperror.LoggerHandler(h.stackAssociate))).Methods(http.MethodPut)
h.Handle("/stacks/{id}",
bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackUpdate))).Methods(http.MethodPut)
h.Handle("/stacks/{id}/git",
bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackUpdateGit))).Methods(http.MethodPut)
h.Handle("/stacks/{id}/file",
bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackFile))).Methods(http.MethodGet)
h.Handle("/stacks/{id}/migrate",
@@ -159,3 +157,11 @@ func (handler *Handler) checkUniqueName(endpoint *portainer.Endpoint, name strin
return true, nil
}
func (handler *Handler) checkUniqueWebhookID(webhookID string) (bool, error) {
_, err := handler.DataStore.Stack().StackByWebhookID(webhookID)
if err == dberrors.ErrObjectNotFound {
return true, nil
}
return false, err
}

27
api/http/handler/stacks/helper.go Normal file
View File

@@ -0,0 +1,27 @@
package stacks
import (
"errors"
"time"
"github.com/asaskevich/govalidator"
portainer "github.com/portainer/portainer/api"
)
func validateStackAutoUpdate(autoUpdate *portainer.StackAutoUpdate) error {
if autoUpdate == nil {
return nil
}
if autoUpdate.Interval == "" && autoUpdate.Webhook == "" {
return errors.New("Both Interval and Webhook fields are empty")
}
if autoUpdate.Webhook != "" && !govalidator.IsUUID(autoUpdate.Webhook) {
return errors.New("Invalid Webhook format")
}
if autoUpdate.Interval != "" {
if _, err := time.ParseDuration(autoUpdate.Interval); err != nil {
return errors.New("Invalid Interval format")
}
}
return nil
}

31
api/http/handler/stacks/helper_test.go Normal file
View File

@@ -0,0 +1,31 @@
package stacks
import (
"testing"
portainer "github.com/portainer/portainer/api"
"github.com/stretchr/testify/assert"
)
func Test_ValidateStackAutoUpdate_Valid(t *testing.T) {
mock := &portainer.StackAutoUpdate{
Webhook: "8dce8c2f-9ca1-482b-ad20-271e86536ada",
Interval: "5h30m40s10ms",
}
if err := validateStackAutoUpdate(mock); err != nil {
t.Errorf("wrong validation, mock data: %v should be valid, but got error: %v", mock, err)
}
}
func Test_ValidateStackAutoUpdate_InValid(t *testing.T) {
mock := &portainer.StackAutoUpdate{}
err := validateStackAutoUpdate(mock)
assert.Error(t, err)
mock.Webhook = "fake-web-hook"
err = validateStackAutoUpdate(mock)
assert.Error(t, err)
mock.Webhook = ""
mock.Interval = "1dd2hh3mm"
err = validateStackAutoUpdate(mock)
assert.Error(t, err)
}

91
api/http/handler/stacks/stack_associate.go
View File

@@ -1,91 +0,0 @@
package stacks
import (
"fmt"
httperror "github.com/portainer/libhttp/error"
"github.com/portainer/libhttp/request"
"github.com/portainer/libhttp/response"
portainer "github.com/portainer/portainer/api"
bolterrors "github.com/portainer/portainer/api/bolt/errors"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/internal/stackutils"
"net/http"
"time"
)
// PUT request on /api/stacks/:id/associate?endpointId=<endpointId>&swarmId=<swarmId>&orphanedRunning=<orphanedRunning>
func (handler *Handler) stackAssociate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid stack identifier route variable", err}
}
endpointID, err := request.RetrieveNumericQueryParameter(r, "endpointId", false)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: endpointId", err}
}
swarmId, err := request.RetrieveQueryParameter(r, "swarmId", true)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: swarmId", err}
}
orphanedRunning, err := request.RetrieveBooleanQueryParameter(r, "orphanedRunning", false)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: orphanedRunning", err}
}
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
}
user, err := handler.DataStore.User().User(securityContext.UserID)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to load user information from the database", err}
}
stack, err := handler.DataStore.Stack().Stack(portainer.StackID(stackID))
if err == bolterrors.ErrObjectNotFound {
return &httperror.HandlerError{http.StatusNotFound, "Unable to find a stack with the specified identifier inside the database", err}
} else if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a stack with the specified identifier inside the database", err}
}
resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
}
if resourceControl != nil {
resourceControl.ResourceID = fmt.Sprintf("%d_%s", endpointID, stack.Name)
err = handler.DataStore.ResourceControl().UpdateResourceControl(resourceControl.ID, resourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist resource control changes inside the database", err}
}
}
stack.EndpointID = portainer.EndpointID(endpointID)
stack.SwarmID = swarmId
if orphanedRunning {
stack.Status = portainer.StackStatusActive
} else {
stack.Status = portainer.StackStatusInactive
}
stack.CreationDate = time.Now().Unix()
stack.CreatedBy = user.Username
stack.UpdateDate = 0
stack.UpdatedBy = ""
err = handler.DataStore.Stack().UpdateStack(stack.ID, stack)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack changes inside the database", err}
}
stack.ResourceControl = resourceControl
return response.JSON(w, stack)
}

45
api/http/handler/stacks/stack_create.go
View File

@@ -2,7 +2,6 @@ package stacks
import (
"errors"
"fmt"
"log"
"net/http"
@@ -13,10 +12,9 @@ import (
"github.com/portainer/libhttp/response"
portainer "github.com/portainer/portainer/api"
bolterrors "github.com/portainer/portainer/api/bolt/errors"
gittypes "github.com/portainer/portainer/api/git/types"
httperrors "github.com/portainer/portainer/api/http/errors"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/internal/authorization"
"github.com/portainer/portainer/api/internal/endpointutils"
"github.com/portainer/portainer/api/internal/stackutils"
)
@@ -78,7 +76,7 @@ func (handler *Handler) stackCreate(w http.ResponseWriter, r *http.Request) *htt
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
}
if endpointutils.IsDockerEndpoint(endpoint) && !endpoint.SecuritySettings.AllowStackManagementForRegularUsers {
if !endpoint.SecuritySettings.AllowStackManagementForRegularUsers {
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user info from request context", err}
@@ -112,7 +110,11 @@ func (handler *Handler) stackCreate(w http.ResponseWriter, r *http.Request) *htt
case portainer.DockerComposeStack:
return handler.createComposeStack(w, r, method, endpoint, tokenData.ID)
case portainer.KubernetesStack:
return handler.createKubernetesStack(w, r, method, endpoint)
if tokenData.Role != portainer.AdministratorRole {
return &httperror.HandlerError{http.StatusForbidden, "Access denied", httperrors.ErrUnauthorized}
}
return handler.createKubernetesStack(w, r, endpoint)
}
return &httperror.HandlerError{http.StatusBadRequest, "Invalid value for query parameter: type. Value must be one of: 1 (Swarm stack) or 2 (Compose stack)", errors.New(request.ErrInvalidQueryParameter)}
@@ -129,7 +131,7 @@ func (handler *Handler) createComposeStack(w http.ResponseWriter, r *http.Reques
return handler.createComposeStackFromFileUpload(w, r, endpoint, userID)
}
return &httperror.HandlerError{http.StatusBadRequest, "Invalid value for query parameter: method. Value must be one of: string, repository or file", errors.New(request.ErrInvalidQueryParameter)}
return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid value for query parameter: method. Value must be one of: string, repository or file", Err: errors.New(request.ErrInvalidQueryParameter)}
}
func (handler *Handler) createSwarmStack(w http.ResponseWriter, r *http.Request, method string, endpoint *portainer.Endpoint, userID portainer.UserID) *httperror.HandlerError {
@@ -142,17 +144,7 @@ func (handler *Handler) createSwarmStack(w http.ResponseWriter, r *http.Request,
return handler.createSwarmStackFromFileUpload(w, r, endpoint, userID)
}
return &httperror.HandlerError{http.StatusBadRequest, "Invalid value for query parameter: method. Value must be one of: string, repository or file", errors.New(request.ErrInvalidQueryParameter)}
}
func (handler *Handler) createKubernetesStack(w http.ResponseWriter, r *http.Request, method string, endpoint *portainer.Endpoint) *httperror.HandlerError {
switch method {
case "string":
return handler.createKubernetesStackFromFileContent(w, r, endpoint)
case "repository":
return handler.createKubernetesStackFromGitRepository(w, r, endpoint)
}
return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid value for query parameter: method. Value must be one of: string or repository", Err: errors.New(request.ErrInvalidQueryParameter)}
return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid value for query parameter: method. Value must be one of: string, repository or file", Err: errors.New(request.ErrInvalidQueryParameter)}
}
func (handler *Handler) isValidStackFile(stackFileContent []byte, securitySettings *portainer.EndpointSecuritySettings) error {
@@ -234,22 +226,3 @@ func (handler *Handler) decorateStackResponse(w http.ResponseWriter, stack *port
stack.ResourceControl = resourceControl
return response.JSON(w, stack)
}
func (handler *Handler) cloneAndSaveConfig(stack *portainer.Stack, projectPath, repositoryURL, refName, configFilePath string, auth bool, username, password string) error {
if !auth {
username = ""
password = ""
}
err := handler.GitService.CloneRepository(projectPath, repositoryURL, refName, username, password)
if err != nil {
return fmt.Errorf("unable to clone git repository: %w", err)
}
stack.GitConfig = &gittypes.RepoConfig{
URL: repositoryURL,
ReferenceName: refName,
ConfigFilePath: configFilePath,
}
return nil
}

29
api/http/handler/stacks/stack_create_test.go
View File

@@ -1,29 +0,0 @@
package stacks
import (
"testing"
portainer "github.com/portainer/portainer/api"
gittypes "github.com/portainer/portainer/api/git/types"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/internal/testhelpers"
"github.com/stretchr/testify/assert"
)
func Test_stackHandler_cloneAndSaveConfig_shouldCallGitCloneAndSaveConfigOnStack(t *testing.T) {
handler := NewHandler(&security.RequestBouncer{})
handler.GitService = testhelpers.NewGitService()
url := "url"
refName := "ref"
configPath := "path"
stack := &portainer.Stack{}
err := handler.cloneAndSaveConfig(stack, "", url, refName, configPath, false, "", "")
assert.NoError(t, err, "clone and save should not fail")
assert.Equal(t, gittypes.RepoConfig{
URL: url,
ReferenceName: refName,
ConfigFilePath: configPath,
}, *stack.GitConfig)
}

40
api/http/handler/stacks/stack_delete.go
View File

@@ -27,7 +27,7 @@ import (
// @success 204 "Success"
// @failure 400 "Invalid request"
// @failure 403 "Permission denied"
// @failure 404 "Not found"
// @failure 404 " not found"
// @failure 500 "Server error"
// @router /stacks/{id} [delete]
func (handler *Handler) stackDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
@@ -58,42 +58,42 @@ func (handler *Handler) stackDelete(w http.ResponseWriter, r *http.Request) *htt
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a stack with the specified identifier inside the database", err}
}
// TODO: this is a work-around for stacks created with Portainer version >= 1.17.1
// The EndpointID property is not available for these stacks, this API endpoint
// can use the optional EndpointID query parameter to set a valid endpoint identifier to be
// used in the context of this request.
endpointID, err := request.RetrieveNumericQueryParameter(r, "endpointId", true)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: endpointId", err}
}
isOrphaned := portainer.EndpointID(endpointID) != stack.EndpointID
if isOrphaned && !securityContext.IsAdmin {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to remove orphaned stack", errors.New("Permission denied to remove orphaned stack")}
endpointIdentifier := stack.EndpointID
if endpointID != 0 {
endpointIdentifier = portainer.EndpointID(endpointID)
}
endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointIdentifier)
if err == bolterrors.ErrObjectNotFound {
return &httperror.HandlerError{http.StatusNotFound, "Unable to find the endpoint associated to the stack inside the database", err}
} else if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find the endpoint associated to the stack inside the database", err}
}
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
}
resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
}
if !isOrphaned {
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
}
access, err := handler.userCanAccessStack(securityContext, endpoint.ID, resourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack access", err}
}
if !access {
return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied}
}
access, err := handler.userCanAccessStack(securityContext, endpoint.ID, resourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack access", err}
}
if !access {
return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied}
}
err = handler.deleteStack(stack, endpoint)

48
api/http/handler/stacks/stack_file.go
View File

@@ -46,38 +46,34 @@ func (handler *Handler) stackFile(w http.ResponseWriter, r *http.Request) *httpe
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a stack with the specified identifier inside the database", err}
}
endpoint, err := handler.DataStore.Endpoint().Endpoint(stack.EndpointID)
if err == bolterrors.ErrObjectNotFound {
return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
} else if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
}
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
}
resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
}
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
}
endpoint, err := handler.DataStore.Endpoint().Endpoint(stack.EndpointID)
if err == bolterrors.ErrObjectNotFound {
if !securityContext.IsAdmin {
return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
}
} else if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
access, err := handler.userCanAccessStack(securityContext, endpoint.ID, resourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack access", err}
}
if endpoint != nil {
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
}
resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
}
access, err := handler.userCanAccessStack(securityContext, endpoint.ID, resourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack access", err}
}
if !access {
return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", errors.ErrResourceAccessDenied}
}
if !access {
return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", errors.ErrResourceAccessDenied}
}
stackFileContent, err := handler.FileService.GetFileContent(path.Join(stack.ProjectPath, stack.EntryPoint))

52
api/http/handler/stacks/stack_inspect.go
View File

@@ -1,7 +1,6 @@
package stacks
import (
"github.com/portainer/portainer/api/http/errors"
"net/http"
httperror "github.com/portainer/libhttp/error"
@@ -9,6 +8,7 @@ import (
"github.com/portainer/libhttp/response"
portainer "github.com/portainer/portainer/api"
bolterrors "github.com/portainer/portainer/api/bolt/errors"
"github.com/portainer/portainer/api/http/errors"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/internal/stackutils"
)
@@ -40,42 +40,38 @@ func (handler *Handler) stackInspect(w http.ResponseWriter, r *http.Request) *ht
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a stack with the specified identifier inside the database", err}
}
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
}
endpoint, err := handler.DataStore.Endpoint().Endpoint(stack.EndpointID)
if err == bolterrors.ErrObjectNotFound {
if !securityContext.IsAdmin {
return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
}
return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
} else if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
}
if endpoint != nil {
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
}
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
}
resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
}
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user info from request context", err}
}
access, err := handler.userCanAccessStack(securityContext, endpoint.ID, resourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack access", err}
}
if !access {
return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", errors.ErrResourceAccessDenied}
}
resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
}
if resourceControl != nil {
stack.ResourceControl = resourceControl
}
access, err := handler.userCanAccessStack(securityContext, endpoint.ID, resourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack access", err}
}
if !access {
return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", errors.ErrResourceAccessDenied}
}
if resourceControl != nil {
stack.ResourceControl = resourceControl
}
return response.JSON(w, stack)

36
api/http/handler/stacks/stack_list.go
View File

@@ -1,7 +1,6 @@
package stacks
import (
httperrors "github.com/portainer/portainer/api/http/errors"
"net/http"
httperror "github.com/portainer/libhttp/error"
@@ -13,9 +12,8 @@ import (
)
type stackListOperationFilters struct {
SwarmID string `json:"SwarmID"`
EndpointID int `json:"EndpointID"`
IncludeOrphanedStacks bool `json:"IncludeOrphanedStacks"`
SwarmID string `json:"SwarmID"`
EndpointID int `json:"EndpointID"`
}
// @id StackList
@@ -39,16 +37,11 @@ func (handler *Handler) stackList(w http.ResponseWriter, r *http.Request) *httpe
return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: filters", err}
}
endpoints, err := handler.DataStore.Endpoint().Endpoints()
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from database", err}
}
stacks, err := handler.DataStore.Stack().Stacks()
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve stacks from the database", err}
}
stacks = filterStacks(stacks, &filters, endpoints)
stacks = filterStacks(stacks, &filters)
resourceControls, err := handler.DataStore.ResourceControl().ResourceControls()
if err != nil {
@@ -63,10 +56,6 @@ func (handler *Handler) stackList(w http.ResponseWriter, r *http.Request) *httpe
stacks = authorization.DecorateStacks(stacks, resourceControls)
if !securityContext.IsAdmin {
if filters.IncludeOrphanedStacks {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access orphaned stacks", httperrors.ErrUnauthorized}
}
user, err := handler.DataStore.User().User(securityContext.UserID)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user information from the database", err}
@@ -83,20 +72,13 @@ func (handler *Handler) stackList(w http.ResponseWriter, r *http.Request) *httpe
return response.JSON(w, stacks)
}
func filterStacks(stacks []portainer.Stack, filters *stackListOperationFilters, endpoints []portainer.Endpoint) []portainer.Stack {
func filterStacks(stacks []portainer.Stack, filters *stackListOperationFilters) []portainer.Stack {
if filters.EndpointID == 0 && filters.SwarmID == "" {
return stacks
}
filteredStacks := make([]portainer.Stack, 0, len(stacks))
for _, stack := range stacks {
if filters.IncludeOrphanedStacks && isOrphanedStack(stack, endpoints) {
if (stack.Type == portainer.DockerComposeStack && filters.SwarmID == "") || (stack.Type == portainer.DockerSwarmStack && filters.SwarmID != "") {
filteredStacks = append(filteredStacks, stack)
}
continue
}
if stack.Type == portainer.DockerComposeStack && stack.EndpointID == portainer.EndpointID(filters.EndpointID) {
filteredStacks = append(filteredStacks, stack)
}
@@ -107,13 +89,3 @@ func filterStacks(stacks []portainer.Stack, filters *stackListOperationFilters,
return filteredStacks
}
func isOrphanedStack(stack portainer.Stack, endpoints []portainer.Endpoint) bool {
for _, endpoint := range endpoints {
if stack.EndpointID == endpoint.ID {
return false
}
}
return true
}

2
api/http/handler/stacks/stack_start.go
View File

@@ -26,7 +26,7 @@ import (
// @success 200 {object} portainer.Stack "Success"
// @failure 400 "Invalid request"
// @failure 403 "Permission denied"
// @failure 404 "Not found"
// @failure 404 " not found"
// @failure 500 "Server error"
// @router /stacks/{id}/start [post]
func (handler *Handler) stackStart(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {

2
api/http/handler/stacks/stack_stop.go
View File

@@ -24,7 +24,7 @@ import (
// @success 200 {object} portainer.Stack "Success"
// @failure 400 "Invalid request"
// @failure 403 "Permission denied"
// @failure 404 "Not found"
// @failure 404 " not found"
// @failure 500 "Server error"
// @router /stacks/{id}/stop [post]
func (handler *Handler) stackStop(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {

1
api/http/handler/stacks/stack_update.go
View File

@@ -191,7 +191,6 @@ func (handler *Handler) updateSwarmStack(r *http.Request, stack *portainer.Stack
stack.UpdateDate = time.Now().Unix()
stack.UpdatedBy = config.user.Username
stack.Status = portainer.StackStatusActive
err = handler.deploySwarmStack(config)
if err != nil {

196
api/http/handler/stacks/stack_update_git.go
View File

@@ -1,196 +0,0 @@
package stacks
import (
"errors"
"fmt"
"log"
"net/http"
"time"
"github.com/asaskevich/govalidator"
httperror "github.com/portainer/libhttp/error"
"github.com/portainer/libhttp/request"
"github.com/portainer/libhttp/response"
portainer "github.com/portainer/portainer/api"
bolterrors "github.com/portainer/portainer/api/bolt/errors"
"github.com/portainer/portainer/api/filesystem"
httperrors "github.com/portainer/portainer/api/http/errors"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/internal/stackutils"
)
type updateStackGitPayload struct {
RepositoryReferenceName string
RepositoryAuthentication bool
RepositoryUsername string
RepositoryPassword string
}
func (payload *updateStackGitPayload) Validate(r *http.Request) error {
if payload.RepositoryAuthentication && (govalidator.IsNull(payload.RepositoryUsername) || govalidator.IsNull(payload.RepositoryPassword)) {
return errors.New("Invalid repository credentials. Username and password must be specified when authentication is enabled")
}
return nil
}
// @id StackUpdateGit
// @summary Redeploy a stack
// @description Pull and redeploy a stack via Git
// @description **Access policy**: restricted
// @tags stacks
// @security jwt
// @accept json
// @produce json
// @param id path int true "Stack identifier"
// @param endpointId query int false "Stacks created before version 1.18.0 might not have an associated endpoint identifier. Use this optional parameter to set the endpoint identifier used by the stack."
// @param body body updateStackGitPayload true "Git configs for pull and redeploy a stack"
// @success 200 {object} portainer.Stack "Success"
// @failure 400 "Invalid request"
// @failure 403 "Permission denied"
// @failure 404 "Not found"
// @failure 500 "Server error"
// @router /stacks/{id}/git [put]
func (handler *Handler) stackUpdateGit(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid stack identifier route variable", err}
}
stack, err := handler.DataStore.Stack().Stack(portainer.StackID(stackID))
if err == bolterrors.ErrObjectNotFound {
return &httperror.HandlerError{http.StatusNotFound, "Unable to find a stack with the specified identifier inside the database", err}
} else if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a stack with the specified identifier inside the database", err}
}
if stack.GitConfig == nil {
return &httperror.HandlerError{http.StatusBadRequest, "Stack is not created from git", err}
}
// TODO: this is a work-around for stacks created with Portainer version >= 1.17.1
// The EndpointID property is not available for these stacks, this API endpoint
// can use the optional EndpointID query parameter to associate a valid endpoint identifier to the stack.
endpointID, err := request.RetrieveNumericQueryParameter(r, "endpointId", true)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: endpointId", err}
}
if endpointID != int(stack.EndpointID) {
stack.EndpointID = portainer.EndpointID(endpointID)
}
endpoint, err := handler.DataStore.Endpoint().Endpoint(stack.EndpointID)
if err == bolterrors.ErrObjectNotFound {
return &httperror.HandlerError{http.StatusNotFound, "Unable to find the endpoint associated to the stack inside the database", err}
} else if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find the endpoint associated to the stack inside the database", err}
}
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
}
resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(stackutils.ResourceControlID(stack.EndpointID, stack.Name), portainer.StackResourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the stack", err}
}
securityContext, err := security.RetrieveRestrictedRequestContext(r)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
}
access, err := handler.userCanAccessStack(securityContext, endpoint.ID, resourceControl)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack access", err}
}
if !access {
return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied}
}
var payload updateStackGitPayload
err = request.DecodeAndValidateJSONPayload(r, &payload)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
}
stack.GitConfig.ReferenceName = payload.RepositoryReferenceName
backupProjectPath := fmt.Sprintf("%s-old", stack.ProjectPath)
err = filesystem.MoveDirectory(stack.ProjectPath, backupProjectPath)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to move git repository directory", err}
}
repositoryUsername := payload.RepositoryUsername
repositoryPassword := payload.RepositoryPassword
if !payload.RepositoryAuthentication {
repositoryUsername = ""
repositoryPassword = ""
}
err = handler.GitService.CloneRepository(stack.ProjectPath, stack.GitConfig.URL, payload.RepositoryReferenceName, repositoryUsername, repositoryPassword)
if err != nil {
restoreError := filesystem.MoveDirectory(backupProjectPath, stack.ProjectPath)
if restoreError != nil {
log.Printf("[WARN] [http,stacks,git] [error: %s] [message: failed restoring backup folder]", restoreError)
}
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to clone git repository", err}
}
defer func() {
err = handler.FileService.RemoveDirectory(backupProjectPath)
if err != nil {
log.Printf("[WARN] [http,stacks,git] [error: %s] [message: unable to remove git repository directory]", err)
}
}()
httpErr := handler.deployStack(r, stack, endpoint)
if httpErr != nil {
return httpErr
}
err = handler.DataStore.Stack().UpdateStack(stack.ID, stack)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack changes inside the database", err}
}
return response.JSON(w, stack)
}
func (handler *Handler) deployStack(r *http.Request, stack *portainer.Stack, endpoint *portainer.Endpoint) *httperror.HandlerError {
if stack.Type == portainer.DockerSwarmStack {
config, httpErr := handler.createSwarmDeployConfig(r, stack, endpoint, false)
if httpErr != nil {
return httpErr
}
err := handler.deploySwarmStack(config)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
}
stack.UpdateDate = time.Now().Unix()
stack.UpdatedBy = config.user.Username
stack.Status = portainer.StackStatusActive
return nil
}
config, httpErr := handler.createComposeDeployConfig(r, stack, endpoint)
if httpErr != nil {
return httpErr
}
err := handler.deployComposeStack(config)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
}
stack.UpdateDate = time.Now().Unix()
stack.UpdatedBy = config.user.Username
stack.Status = portainer.StackStatusActive
return nil
}

17
api/http/handler/templates/git.go Normal file
View File

@@ -0,0 +1,17 @@
package templates
type cloneRepositoryParameters struct {
url string
referenceName string
path string
authentication bool
username string
password string
}
func (handler *Handler) cloneGitRepository(parameters *cloneRepositoryParameters) error {
if parameters.authentication {
return handler.GitService.ClonePrivateRepositoryWithBasicAuth(parameters.url, parameters.referenceName, parameters.path, parameters.username, parameters.password)
}
return handler.GitService.ClonePublicRepository(parameters.url, parameters.referenceName, parameters.path)
}

7
api/http/handler/templates/template_file.go
View File

@@ -63,7 +63,12 @@ func (handler *Handler) templateFile(w http.ResponseWriter, r *http.Request) *ht
defer handler.cleanUp(projectPath)
err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, "", "", "")
gitCloneParams := &cloneRepositoryParameters{
url: payload.RepositoryURL,
path: projectPath,
}
err = handler.cloneGitRepository(gitCloneParams)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to clone git repository", err}
}

17
api/http/handler/websocket/handler.go
View File

@@ -5,7 +5,6 @@ import (
"github.com/gorilla/websocket"
httperror "github.com/portainer/libhttp/error"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/kubernetes/cli"
)
@@ -13,22 +12,20 @@ import (
// Handler is the HTTP handler used to handle websocket operations.
type Handler struct {
*mux.Router
DataStore portainer.DataStore
SignatureService portainer.DigitalSignatureService
ReverseTunnelService portainer.ReverseTunnelService
KubernetesClientFactory *cli.ClientFactory
requestBouncer *security.RequestBouncer
connectionUpgrader websocket.Upgrader
kubernetesTokenCacheManager *kubernetes.TokenCacheManager
DataStore portainer.DataStore
SignatureService portainer.DigitalSignatureService
ReverseTunnelService portainer.ReverseTunnelService
KubernetesClientFactory *cli.ClientFactory
requestBouncer *security.RequestBouncer
connectionUpgrader websocket.Upgrader
}
// NewHandler creates a handler to manage websocket operations.
func NewHandler(kubernetesTokenCacheManager *kubernetes.TokenCacheManager, bouncer *security.RequestBouncer) *Handler {
func NewHandler(bouncer *security.RequestBouncer) *Handler {
h := &Handler{
Router: mux.NewRouter(),
connectionUpgrader: websocket.Upgrader{},
requestBouncer: bouncer,
kubernetesTokenCacheManager: kubernetesTokenCacheManager,
}
h.PathPrefix("/websocket/exec").Handler(
bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.websocketExec)))

45
api/http/handler/websocket/pod.go
View File

@@ -1,8 +1,6 @@
package websocket
import (
"fmt"
"github.com/portainer/portainer/api/http/security"
"io"
"log"
"net/http"
@@ -13,7 +11,6 @@ import (
"github.com/portainer/libhttp/request"
portainer "github.com/portainer/portainer/api"
bolterrors "github.com/portainer/portainer/api/bolt/errors"
"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
)
// @summary Execute a websocket on pod
@@ -73,14 +70,8 @@ func (handler *Handler) websocketPodExec(w http.ResponseWriter, r *http.Request)
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
}
token, useAdminToken, err := handler.getToken(r, endpoint, false)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to get user service account token", err}
}
params := &webSocketRequestParams{
endpoint: endpoint,
token: token,
}
r.Header.Del("Origin")
@@ -121,7 +112,7 @@ func (handler *Handler) websocketPodExec(w http.ResponseWriter, r *http.Request)
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create Kubernetes client", err}
}
err = cli.StartExecProcess(token, useAdminToken, namespace, podName, containerName, commandArray, stdinReader, stdoutWriter)
err = cli.StartExecProcess(namespace, podName, containerName, commandArray, stdinReader, stdoutWriter)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to start exec process inside container", err}
}
@@ -133,37 +124,3 @@ func (handler *Handler) websocketPodExec(w http.ResponseWriter, r *http.Request)
return nil
}
func (handler *Handler) getToken(request *http.Request, endpoint *portainer.Endpoint, setLocalAdminToken bool) (string, bool, error) {
tokenData, err := security.RetrieveTokenData(request)
if err != nil {
return "", false, err
}
kubecli, err := handler.KubernetesClientFactory.GetKubeClient(endpoint)
if err != nil {
return "", false, err
}
tokenCache := handler.kubernetesTokenCacheManager.GetOrCreateTokenCache(int(endpoint.ID))
tokenManager, err := kubernetes.NewTokenManager(kubecli, handler.DataStore, tokenCache, setLocalAdminToken)
if err != nil {
return "", false, err
}
if tokenData.Role == portainer.AdministratorRole {
return tokenManager.GetAdminServiceAccountToken(), true, nil
}
token, err := tokenManager.GetUserServiceAccountToken(int(tokenData.ID))
if err != nil {
return "", false, err
}
if token == "" {
return "", false, fmt.Errorf("can not get a valid user service account token")
}
return token, false, nil
}

2
api/http/handler/websocket/proxy.go
View File

@@ -24,7 +24,6 @@ func (handler *Handler) proxyEdgeAgentWebsocketRequest(w http.ResponseWriter, r
proxy.Director = func(incoming *http.Request, out http.Header) {
out.Set(portainer.PortainerAgentTargetHeader, params.nodeName)
out.Set(portainer.PortainerAgentKubernetesSATokenHeader, params.token)
}
handler.ReverseTunnelService.SetTunnelStatusToActive(params.endpoint.ID)
@@ -65,7 +64,6 @@ func (handler *Handler) proxyAgentWebsocketRequest(w http.ResponseWriter, r *htt
out.Set(portainer.PortainerAgentPublicKeyHeader, handler.SignatureService.EncodedPublicKey())
out.Set(portainer.PortainerAgentSignatureHeader, signature)
out.Set(portainer.PortainerAgentTargetHeader, params.nodeName)
out.Set(portainer.PortainerAgentKubernetesSATokenHeader, params.token)
}
proxy.ServeHTTP(w, r)

1
api/http/handler/websocket/types.go
View File

@@ -8,5 +8,4 @@ type webSocketRequestParams struct {
ID string
nodeName string
endpoint *portainer.Endpoint
token string
}

6
api/http/proxy/factory/kubernetes.go
View File

@@ -39,7 +39,7 @@ func (factory *ProxyFactory) newKubernetesLocalProxy(endpoint *portainer.Endpoin
return nil, err
}
transport, err := kubernetes.NewLocalTransport(tokenManager, endpoint, factory.dataStore)
transport, err := kubernetes.NewLocalTransport(tokenManager)
if err != nil {
return nil, err
}
@@ -72,7 +72,7 @@ func (factory *ProxyFactory) newKubernetesEdgeHTTPProxy(endpoint *portainer.Endp
endpointURL.Scheme = "http"
proxy := newSingleHostReverseProxyWithHostHeader(endpointURL)
proxy.Transport = kubernetes.NewEdgeTransport(factory.dataStore, factory.reverseTunnelService, endpoint, tokenManager)
proxy.Transport = kubernetes.NewEdgeTransport(factory.dataStore, factory.reverseTunnelService, endpoint.ID, tokenManager)
return proxy, nil
}
@@ -103,7 +103,7 @@ func (factory *ProxyFactory) newKubernetesAgentHTTPSProxy(endpoint *portainer.En
}
proxy := newSingleHostReverseProxyWithHostHeader(remoteURL)
proxy.Transport = kubernetes.NewAgentTransport(factory.dataStore, factory.signatureService, tlsConfig, tokenManager, endpoint)
proxy.Transport = kubernetes.NewAgentTransport(factory.dataStore, factory.signatureService, tlsConfig, tokenManager)
return proxy, nil
}

55
api/http/proxy/factory/kubernetes/agent_transport.go
View File

@@ -1,55 +0,0 @@
package kubernetes
import (
"crypto/tls"
"net/http"
"strings"
portainer "github.com/portainer/portainer/api"
)
type agentTransport struct {
*baseTransport
signatureService portainer.DigitalSignatureService
}
// NewAgentTransport returns a new transport that can be used to send signed requests to a Portainer agent
func NewAgentTransport(dataStore portainer.DataStore, signatureService portainer.DigitalSignatureService, tlsConfig *tls.Config, tokenManager *tokenManager, endpoint *portainer.Endpoint) *agentTransport {
transport := &agentTransport{
signatureService: signatureService,
baseTransport: newBaseTransport(
&http.Transport{
TLSClientConfig: tlsConfig,
},
tokenManager,
endpoint,
dataStore,
),
}
return transport
}
// RoundTrip is the implementation of the the http.RoundTripper interface
func (transport *agentTransport) RoundTrip(request *http.Request) (*http.Response, error) {
token, err := getRoundTripToken(request, transport.tokenManager, transport.endpoint.ID)
if err != nil {
return nil, err
}
request.Header.Set(portainer.PortainerAgentKubernetesSATokenHeader, token)
if strings.HasPrefix(request.URL.Path, "/v2") {
decorateAgentRequest(request, transport.dataStore)
}
signature, err := transport.signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
if err != nil {
return nil, err
}
request.Header.Set(portainer.PortainerAgentPublicKeyHeader, transport.signatureService.EncodedPublicKey())
request.Header.Set(portainer.PortainerAgentSignatureHeader, signature)
return transport.baseTransport.RoundTrip(request)
}

52
api/http/proxy/factory/kubernetes/edge_transport.go
View File

@@ -1,52 +0,0 @@
package kubernetes
import (
"net/http"
"strings"
portainer "github.com/portainer/portainer/api"
)
type edgeTransport struct {
*baseTransport
reverseTunnelService portainer.ReverseTunnelService
}
// NewAgentTransport returns a new transport that can be used to send signed requests to a Portainer Edge agent
func NewEdgeTransport(dataStore portainer.DataStore, reverseTunnelService portainer.ReverseTunnelService, endpoint *portainer.Endpoint, tokenManager *tokenManager) *edgeTransport {
transport := &edgeTransport{
reverseTunnelService: reverseTunnelService,
baseTransport: newBaseTransport(
&http.Transport{},
tokenManager,
endpoint,
dataStore,
),
}
return transport
}
// RoundTrip is the implementation of the the http.RoundTripper interface
func (transport *edgeTransport) RoundTrip(request *http.Request) (*http.Response, error) {
token, err := getRoundTripToken(request, transport.tokenManager, transport.endpoint.ID)
if err != nil {
return nil, err
}
request.Header.Set(portainer.PortainerAgentKubernetesSATokenHeader, token)
if strings.HasPrefix(request.URL.Path, "/v2") {
decorateAgentRequest(request, transport.dataStore)
}
response, err := transport.baseTransport.RoundTrip(request)
if err == nil {
transport.reverseTunnelService.SetTunnelStatusToActive(transport.endpoint.ID)
} else {
transport.reverseTunnelService.SetTunnelStatusToIdle(transport.endpoint.ID)
}
return response, err
}

46
api/http/proxy/factory/kubernetes/local_transport.go
View File

@@ -1,46 +0,0 @@
package kubernetes
import (
"fmt"
"net/http"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/crypto"
)
type localTransport struct {
*baseTransport
}
// NewLocalTransport returns a new transport that can be used to send requests to the local Kubernetes API
func NewLocalTransport(tokenManager *tokenManager, endpoint *portainer.Endpoint, dataStore portainer.DataStore) (*localTransport, error) {
config, err := crypto.CreateTLSConfigurationFromBytes(nil, nil, nil, true, true)
if err != nil {
return nil, err
}
transport := &localTransport{
baseTransport: newBaseTransport(
&http.Transport{
TLSClientConfig: config,
},
tokenManager,
endpoint,
dataStore,
),
}
return transport, nil
}
// RoundTrip is the implementation of the the http.RoundTripper interface
func (transport *localTransport) RoundTrip(request *http.Request) (*http.Response, error) {
token, err := getRoundTripToken(request, transport.tokenManager, transport.endpoint.ID)
if err != nil {
return nil, err
}
request.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
return transport.baseTransport.RoundTrip(request)
}

15
api/http/proxy/factory/kubernetes/namespaces.go
View File

@@ -1,15 +0,0 @@
package kubernetes
import (
"net/http"
"github.com/pkg/errors"
)
func (transport *baseTransport) deleteNamespaceRequest(request *http.Request, namespace string) (*http.Response, error) {
if err := transport.tokenManager.kubecli.NamespaceAccessPoliciesDeleteNamespace(namespace); err != nil {
return nil, errors.WithMessagef(err, "failed to delete a namespace [%s] from portainer config", namespace)
}
return transport.executeKubernetesRequest(request, true)
}

14
api/http/proxy/factory/kubernetes/token.go
View File

@@ -1,8 +1,10 @@
package kubernetes
import (
portainer "github.com/portainer/portainer/api"
"io/ioutil"
"sync"
portainer "github.com/portainer/portainer/api"
)
const defaultServiceAccountTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
@@ -11,6 +13,7 @@ type tokenManager struct {
tokenCache *tokenCache
kubecli portainer.KubeClient
dataStore portainer.DataStore
mutex sync.Mutex
adminToken string
}
@@ -22,6 +25,7 @@ func NewTokenManager(kubecli portainer.KubeClient, dataStore portainer.DataStore
tokenCache: cache,
kubecli: kubecli,
dataStore: dataStore,
mutex: sync.Mutex{},
adminToken: "",
}
@@ -37,13 +41,13 @@ func NewTokenManager(kubecli portainer.KubeClient, dataStore portainer.DataStore
return tokenManager, nil
}
func (manager *tokenManager) GetAdminServiceAccountToken() string {
func (manager *tokenManager) getAdminServiceAccountToken() string {
return manager.adminToken
}
func (manager *tokenManager) GetUserServiceAccountToken(userID int) (string, error) {
manager.tokenCache.mutex.Lock()
defer manager.tokenCache.mutex.Unlock()
func (manager *tokenManager) getUserServiceAccountToken(userID int) (string, error) {
manager.mutex.Lock()
defer manager.mutex.Unlock()
token, ok := manager.tokenCache.getToken(userID)
if !ok {

15
api/http/proxy/factory/kubernetes/token_cache.go
View File

@@ -2,7 +2,6 @@ package kubernetes
import (
"strconv"
"sync"
"github.com/orcaman/concurrent-map"
)
@@ -15,7 +14,6 @@ type (
tokenCache struct {
userTokenCache cmap.ConcurrentMap
mutex sync.Mutex
}
)
@@ -37,18 +35,6 @@ func (manager *TokenCacheManager) CreateTokenCache(endpointID int) *tokenCache {
return tokenCache
}
// GetOrCreateTokenCache will get the tokenCache from the manager map of caches if it exists,
// otherwise it will create a new tokenCache object, associate it to the manager map of caches
// and return a pointer to that tokenCache instance.
func (manager *TokenCacheManager) GetOrCreateTokenCache(endpointID int) *tokenCache {
key := strconv.Itoa(endpointID)
if epCache, ok := manager.tokenCaches.Get(key); ok {
return epCache.(*tokenCache)
}
return manager.CreateTokenCache(endpointID)
}
// RemoveUserFromCache will ensure that the specific userID is removed from all registered caches.
func (manager *TokenCacheManager) RemoveUserFromCache(userID int) {
for cache := range manager.tokenCaches.IterBuffered() {
@@ -59,7 +45,6 @@ func (manager *TokenCacheManager) RemoveUserFromCache(userID int) {
func newTokenCache() *tokenCache {
return &tokenCache{
userTokenCache: cmap.New(),
mutex: sync.Mutex{},
}
}

174
api/http/proxy/factory/kubernetes/transport.go
View File

@@ -2,73 +2,147 @@ package kubernetes
import (
"bytes"
"crypto/tls"
"encoding/json"
"fmt"
"io/ioutil"
"log"
"net/http"
"regexp"
"strings"
"github.com/portainer/portainer/api/http/security"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/crypto"
)
type baseTransport struct {
httpTransport *http.Transport
tokenManager *tokenManager
endpoint *portainer.Endpoint
dataStore portainer.DataStore
}
func newBaseTransport(httpTransport *http.Transport, tokenManager *tokenManager, endpoint *portainer.Endpoint, dataStore portainer.DataStore) *baseTransport {
return &baseTransport{
httpTransport: httpTransport,
tokenManager: tokenManager,
endpoint: endpoint,
dataStore: dataStore,
}
}
func (transport *baseTransport) RoundTrip(request *http.Request) (*http.Response, error) {
apiVersionRe := regexp.MustCompile(`^(/kubernetes)?/api/v[0-9](\.[0-9])?`)
requestPath := apiVersionRe.ReplaceAllString(request.URL.Path, "")
switch {
case strings.EqualFold(requestPath, "/namespaces"):
return transport.executeKubernetesRequest(request, true)
case strings.HasPrefix(requestPath, "/namespaces"):
return transport.proxyNamespacedRequest(request, requestPath)
default:
return transport.executeKubernetesRequest(request, true)
}
}
func (transport *baseTransport) proxyNamespacedRequest(request *http.Request, fullRequestPath string) (*http.Response, error) {
requestPath := strings.TrimPrefix(fullRequestPath, "/namespaces/")
split := strings.SplitN(requestPath, "/", 2)
namespace := split[0]
requestPath = ""
if len(split) > 1 {
requestPath = split[1]
type (
localTransport struct {
httpTransport *http.Transport
tokenManager *tokenManager
endpointIdentifier portainer.EndpointID
}
switch {
case requestPath == "" && request.Method == "DELETE":
return transport.deleteNamespaceRequest(request, namespace)
default:
return transport.executeKubernetesRequest(request, true)
agentTransport struct {
dataStore portainer.DataStore
httpTransport *http.Transport
tokenManager *tokenManager
signatureService portainer.DigitalSignatureService
endpointIdentifier portainer.EndpointID
}
edgeTransport struct {
dataStore portainer.DataStore
httpTransport *http.Transport
tokenManager *tokenManager
reverseTunnelService portainer.ReverseTunnelService
endpointIdentifier portainer.EndpointID
}
)
// NewLocalTransport returns a new transport that can be used to send requests to the local Kubernetes API
func NewLocalTransport(tokenManager *tokenManager) (*localTransport, error) {
config, err := crypto.CreateTLSConfigurationFromBytes(nil, nil, nil, true, true)
if err != nil {
return nil, err
}
transport := &localTransport{
httpTransport: &http.Transport{
TLSClientConfig: config,
},
tokenManager: tokenManager,
}
return transport, nil
}
func (transport *baseTransport) executeKubernetesRequest(request *http.Request, shouldLog bool) (*http.Response, error) {
// RoundTrip is the implementation of the the http.RoundTripper interface
func (transport *localTransport) RoundTrip(request *http.Request) (*http.Response, error) {
token, err := getRoundTripToken(request, transport.tokenManager, transport.endpointIdentifier)
if err != nil {
return nil, err
}
request.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
return transport.httpTransport.RoundTrip(request)
}
var (
namespaceRegex = regexp.MustCompile(`^/namespaces/([^/]*)$`)
)
// NewAgentTransport returns a new transport that can be used to send signed requests to a Portainer agent
func NewAgentTransport(datastore portainer.DataStore, signatureService portainer.DigitalSignatureService, tlsConfig *tls.Config, tokenManager *tokenManager) *agentTransport {
transport := &agentTransport{
dataStore: datastore,
httpTransport: &http.Transport{
TLSClientConfig: tlsConfig,
},
tokenManager: tokenManager,
signatureService: signatureService,
}
return transport
}
// RoundTrip is the implementation of the the http.RoundTripper interface
func (transport *agentTransport) RoundTrip(request *http.Request) (*http.Response, error) {
token, err := getRoundTripToken(request, transport.tokenManager, transport.endpointIdentifier)
if err != nil {
return nil, err
}
request.Header.Set(portainer.PortainerAgentKubernetesSATokenHeader, token)
if strings.HasPrefix(request.URL.Path, "/v2") {
decorateAgentRequest(request, transport.dataStore)
}
signature, err := transport.signatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
if err != nil {
return nil, err
}
request.Header.Set(portainer.PortainerAgentPublicKeyHeader, transport.signatureService.EncodedPublicKey())
request.Header.Set(portainer.PortainerAgentSignatureHeader, signature)
return transport.httpTransport.RoundTrip(request)
}
// NewEdgeTransport returns a new transport that can be used to send signed requests to a Portainer Edge agent
func NewEdgeTransport(datastore portainer.DataStore, reverseTunnelService portainer.ReverseTunnelService, endpointIdentifier portainer.EndpointID, tokenManager *tokenManager) *edgeTransport {
transport := &edgeTransport{
dataStore: datastore,
httpTransport: &http.Transport{},
tokenManager: tokenManager,
reverseTunnelService: reverseTunnelService,
endpointIdentifier: endpointIdentifier,
}
return transport
}
// RoundTrip is the implementation of the the http.RoundTripper interface
func (transport *edgeTransport) RoundTrip(request *http.Request) (*http.Response, error) {
token, err := getRoundTripToken(request, transport.tokenManager, transport.endpointIdentifier)
if err != nil {
return nil, err
}
request.Header.Set(portainer.PortainerAgentKubernetesSATokenHeader, token)
if strings.HasPrefix(request.URL.Path, "/v2") {
decorateAgentRequest(request, transport.dataStore)
}
response, err := transport.httpTransport.RoundTrip(request)
if err == nil {
transport.reverseTunnelService.SetTunnelStatusToActive(transport.endpointIdentifier)
} else {
transport.reverseTunnelService.SetTunnelStatusToIdle(transport.endpointIdentifier)
}
return response, err
}
func getRoundTripToken(
request *http.Request,
@@ -82,9 +156,9 @@ func getRoundTripToken(
var token string
if tokenData.Role == portainer.AdministratorRole {
token = tokenManager.GetAdminServiceAccountToken()
token = tokenManager.getAdminServiceAccountToken()
} else {
token, err = tokenManager.GetUserServiceAccountToken(int(tokenData.ID))
token, err = tokenManager.getUserServiceAccountToken(int(tokenData.ID))
if err != nil {
log.Printf("Failed retrieving service account token: %v", err)
return "", err

6
api/http/server.go
View File

@@ -45,13 +45,11 @@ import (
"github.com/portainer/portainer/api/http/proxy"
"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/internal/authorization"
"github.com/portainer/portainer/api/kubernetes/cli"
)
// Server implements the portainer.Server interface
type Server struct {
AuthorizationService *authorization.Service
BindAddress string
AssetsPath string
Status *portainer.Status
@@ -137,7 +135,6 @@ func (server *Server) Start() error {
endpointHandler.SnapshotService = server.SnapshotService
endpointHandler.ReverseTunnelService = server.ReverseTunnelService
endpointHandler.ComposeStackManager = server.ComposeStackManager
endpointHandler.AuthorizationService = server.AuthorizationService
var endpointEdgeHandler = endpointedge.NewHandler(requestBouncer)
endpointEdgeHandler.DataStore = server.DataStore
@@ -145,7 +142,6 @@ func (server *Server) Start() error {
endpointEdgeHandler.ReverseTunnelService = server.ReverseTunnelService
var endpointGroupHandler = endpointgroups.NewHandler(requestBouncer)
endpointGroupHandler.AuthorizationService = server.AuthorizationService
endpointGroupHandler.DataStore = server.DataStore
var endpointProxyHandler = endpointproxy.NewHandler(requestBouncer)
@@ -204,7 +200,7 @@ func (server *Server) Start() error {
userHandler.DataStore = server.DataStore
userHandler.CryptoService = server.CryptoService
var websocketHandler = websocket.NewHandler(server.KubernetesTokenCacheManager, requestBouncer)
var websocketHandler = websocket.NewHandler(requestBouncer)
websocketHandler.DataStore = server.DataStore
websocketHandler.SignatureService = server.SignatureService
websocketHandler.ReverseTunnelService = server.ReverseTunnelService

6
api/internal/authorization/authorizations.go
View File

@@ -1,15 +1,11 @@
package authorization
import (
"github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/kubernetes/cli"
)
import "github.com/portainer/portainer/api"
// Service represents a service used to
// update authorizations associated to a user or team.
type Service struct {
dataStore portainer.DataStore
K8sClientFactory *cli.ClientFactory
}
// NewService returns a point to a new Service instance.

134
api/internal/authorization/endpint_role_with_override.go
View File

@@ -1,134 +0,0 @@
package authorization
import portainer "github.com/portainer/portainer/api"
// CleanNAPWithOverridePolicies Clean Namespace Access Policies with override policies
func (service *Service) CleanNAPWithOverridePolicies(
endpoint *portainer.Endpoint,
endpointGroup *portainer.EndpointGroup,
) error {
kubecli, err := service.K8sClientFactory.GetKubeClient(endpoint)
if err != nil {
return err
}
accessPolicies, err := kubecli.GetNamespaceAccessPolicies()
if err != nil {
return err
}
hasChange := false
for namespace, policy := range accessPolicies {
for teamID := range policy.TeamAccessPolicies {
access, err := service.getTeamEndpointAccessWithPolicies(teamID, endpoint, endpointGroup)
if err != nil {
return err
}
if !access {
delete(accessPolicies[namespace].TeamAccessPolicies, teamID)
hasChange = true
}
}
for userID := range policy.UserAccessPolicies {
access, err := service.getUserEndpointAccessWithPolicies(userID, endpoint, endpointGroup)
if err != nil {
return err
}
if !access {
delete(accessPolicies[namespace].UserAccessPolicies, userID)
hasChange = true
}
}
}
if hasChange {
err = kubecli.UpdateNamespaceAccessPolicies(accessPolicies)
if err != nil {
return err
}
}
return nil
}
func (service *Service) getUserEndpointAccessWithPolicies(
userID portainer.UserID,
endpoint *portainer.Endpoint,
endpointGroup *portainer.EndpointGroup,
) (bool, error) {
memberships, err := service.dataStore.TeamMembership().TeamMembershipsByUserID(userID)
if err != nil {
return false, err
}
if endpointGroup == nil {
endpointGroup, err = service.dataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
if err != nil {
return false, err
}
}
if userAccess(userID, endpoint.UserAccessPolicies, endpoint.TeamAccessPolicies, memberships) {
return true, nil
}
if userAccess(userID, endpointGroup.UserAccessPolicies, endpointGroup.TeamAccessPolicies, memberships) {
return true, nil
}
return false, nil
}
func userAccess(
userID portainer.UserID,
userAccessPolicies portainer.UserAccessPolicies,
teamAccessPolicies portainer.TeamAccessPolicies,
memberships []portainer.TeamMembership,
) bool {
if _, ok := userAccessPolicies[userID]; ok {
return true
}
for _, membership := range memberships {
if _, ok := teamAccessPolicies[membership.TeamID]; ok {
return true
}
}
return false
}
func (service *Service) getTeamEndpointAccessWithPolicies(
teamID portainer.TeamID,
endpoint *portainer.Endpoint,
endpointGroup *portainer.EndpointGroup,
) (bool, error) {
if endpointGroup == nil {
var err error
endpointGroup, err = service.dataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
if err != nil {
return false, err
}
}
if teamAccess(teamID, endpoint.TeamAccessPolicies) {
return true, nil
}
if teamAccess(teamID, endpointGroup.TeamAccessPolicies) {
return true, nil
}
return false, nil
}
func teamAccess(
teamID portainer.TeamID,
teamAccessPolicies portainer.TeamAccessPolicies,
) bool {
_, ok := teamAccessPolicies[teamID];
return ok
}

17
api/internal/endpoint/endpoint.go
View File

@@ -1,17 +0,0 @@
package endpoint
import portainer "github.com/portainer/portainer/api"
// IsKubernetesEndpoint returns true if this is a kubernetes endpoint
func IsKubernetesEndpoint(endpoint *portainer.Endpoint) bool {
return endpoint.Type == portainer.KubernetesLocalEnvironment ||
endpoint.Type == portainer.AgentOnKubernetesEnvironment ||
endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment
}
// IsDocketEndpoint returns true if this is a docker endpoint
func IsDocketEndpoint(endpoint *portainer.Endpoint) bool {
return endpoint.Type == portainer.DockerEnvironment ||
endpoint.Type == portainer.AgentOnDockerEnvironment ||
endpoint.Type == portainer.EdgeAgentOnDockerEnvironment
}

14
api/internal/endpointutils/endpointutils.go
View File

@@ -9,17 +9,3 @@ import (
func IsLocalEndpoint(endpoint *portainer.Endpoint) bool {
return strings.HasPrefix(endpoint.URL, "unix://") || strings.HasPrefix(endpoint.URL, "npipe://") || endpoint.Type == 5
}
// IsKubernetesEndpoint returns true if this is a kubernetes endpoint
func IsKubernetesEndpoint(endpoint *portainer.Endpoint) bool {
return endpoint.Type == portainer.KubernetesLocalEnvironment ||
endpoint.Type == portainer.AgentOnKubernetesEnvironment ||
endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment
}
// IsDockerEndpoint returns true if this is a docker endpoint
func IsDockerEndpoint(endpoint *portainer.Endpoint) bool {
return endpoint.Type == portainer.DockerEnvironment ||
endpoint.Type == portainer.AgentOnDockerEnvironment ||
endpoint.Type == portainer.EdgeAgentOnDockerEnvironment
}

12
api/internal/testhelpers/git_service.go
View File

@@ -1,12 +0,0 @@
package testhelpers
type gitService struct{}
// NewGitService creates new mock for portainer.GitService.
func NewGitService() *gitService {
return &gitService{}
}
func (service *gitService) CloneRepository(destination string, repositoryURL, referenceName string, username, password string) error {
return nil
}

47
api/jwt/jwt.go
View File

@@ -3,7 +3,7 @@ package jwt
import (
"errors"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api"
"fmt"
"time"
@@ -51,13 +51,23 @@ func NewService(userSessionDuration string) (*Service, error) {
// GenerateToken generates a new JWT token.
func (service *Service) GenerateToken(data *portainer.TokenData) (string, error) {
return service.generateSignedToken(data, nil)
}
expireToken := time.Now().Add(service.userSessionTimeout).Unix()
cl := claims{
UserID: int(data.ID),
Username: data.Username,
Role: int(data.Role),
StandardClaims: jwt.StandardClaims{
ExpiresAt: expireToken,
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, cl)
// GenerateTokenForOAuth generates a new JWT for OAuth login
// token expiry time from the OAuth provider is considered
func (service *Service) GenerateTokenForOAuth(data *portainer.TokenData, expiryTime *time.Time) (string, error) {
return service.generateSignedToken(data, expiryTime)
signedToken, err := token.SignedString(service.secret)
if err != nil {
return "", err
}
return signedToken, nil
}
// ParseAndVerifyToken parses a JWT token and verify its validity. It returns an error if token is invalid.
@@ -87,26 +97,3 @@ func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData,
func (service *Service) SetUserSessionDuration(userSessionDuration time.Duration) {
service.userSessionTimeout = userSessionDuration
}
func (service *Service) generateSignedToken(data *portainer.TokenData, expiryTime *time.Time) (string, error) {
expireToken := time.Now().Add(service.userSessionTimeout).Unix()
if expiryTime != nil && !expiryTime.IsZero() {
expireToken = expiryTime.Unix()
}
cl := claims{
UserID: int(data.ID),
Username: data.Username,
Role: int(data.Role),
StandardClaims: jwt.StandardClaims{
ExpiresAt: expireToken,
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, cl)
signedToken, err := token.SignedString(service.secret)
if err != nil {
return "", err
}
return signedToken, nil
}

38
api/jwt/jwt_test.go
View File

@@ -1,38 +0,0 @@
package jwt
import (
"testing"
"time"
"github.com/dgrijalva/jwt-go"
portainer "github.com/portainer/portainer/api"
"github.com/stretchr/testify/assert"
)
func TestGenerateSignedToken(t *testing.T) {
svc, err := NewService("24h")
assert.NoError(t, err, "failed to create a copy of service")
token := &portainer.TokenData{
Username: "Joe",
ID: 1,
Role: 1,
}
expirtationTime := time.Now().Add(1 * time.Hour)
generatedToken, err := svc.generateSignedToken(token, &expirtationTime)
assert.NoError(t, err, "failed to generate a signed token")
parsedToken, err := jwt.ParseWithClaims(generatedToken, &claims{}, func(token *jwt.Token) (interface{}, error) {
return svc.secret, nil
})
assert.NoError(t, err, "failed to parse generated token")
tokenClaims, ok := parsedToken.Claims.(*claims)
assert.Equal(t, true, ok, "failed to claims out of generated ticket")
assert.Equal(t, token.Username, tokenClaims.Username)
assert.Equal(t, int(token.ID), tokenClaims.UserID)
assert.Equal(t, int(token.Role), tokenClaims.Role)
assert.Equal(t, expirtationTime.Unix(), tokenClaims.ExpiresAt)
}

72
api/kubernetes/cli/access.go
View File

@@ -3,14 +3,18 @@ package cli
import (
"encoding/json"
"github.com/pkg/errors"
portainer "github.com/portainer/portainer/api"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type (
namespaceAccessPolicies map[string]portainer.K8sNamespaceAccessPolicy
accessPolicies struct {
UserAccessPolicies portainer.UserAccessPolicies `json:"UserAccessPolicies"`
TeamAccessPolicies portainer.TeamAccessPolicies `json:"TeamAccessPolicies"`
}
namespaceAccessPolicies map[string]accessPolicies
)
func (kcl *KubeClient) setupNamespaceAccesses(userID int, teamIDs []int, serviceAccountName string) error {
@@ -65,7 +69,7 @@ func (kcl *KubeClient) setupNamespaceAccesses(userID int, teamIDs []int, service
return nil
}
func hasUserAccessToNamespace(userID int, teamIDs []int, policies portainer.K8sNamespaceAccessPolicy) bool {
func hasUserAccessToNamespace(userID int, teamIDs []int, policies accessPolicies) bool {
_, userAccess := policies.UserAccessPolicies[portainer.UserID(userID)]
if userAccess {
return true
@@ -80,65 +84,3 @@ func hasUserAccessToNamespace(userID int, teamIDs []int, policies portainer.K8sN
return false
}
// NamespaceAccessPoliciesDeleteNamespace removes stored policies associated with a given namespace
func (kcl *KubeClient) NamespaceAccessPoliciesDeleteNamespace(ns string) error {
kcl.lock.Lock()
defer kcl.lock.Unlock()
policies, err := kcl.GetNamespaceAccessPolicies()
if err != nil {
return errors.WithMessage(err, "failed to fetch access policies")
}
delete(policies, ns)
return kcl.UpdateNamespaceAccessPolicies(policies)
}
// GetNamespaceAccessPolicies gets the namespace access policies
// from config maps in the portainer namespace
func (kcl *KubeClient) GetNamespaceAccessPolicies() (map[string]portainer.K8sNamespaceAccessPolicy, error) {
configMap, err := kcl.cli.CoreV1().ConfigMaps(portainerNamespace).Get(portainerConfigMapName, metav1.GetOptions{})
if k8serrors.IsNotFound(err) {
return nil, nil
}
if err != nil {
return nil, err
}
accessData := configMap.Data[portainerConfigMapAccessPoliciesKey]
var policies map[string]portainer.K8sNamespaceAccessPolicy
err = json.Unmarshal([]byte(accessData), &policies)
if err != nil {
return nil, err
}
return policies, nil
}
// UpdateNamespaceAccessPolicies updates the namespace access policies
func (kcl *KubeClient) UpdateNamespaceAccessPolicies(accessPolicies map[string]portainer.K8sNamespaceAccessPolicy) error {
data, err := json.Marshal(accessPolicies)
if err != nil {
return err
}
configMap, err := kcl.cli.CoreV1().ConfigMaps(portainerNamespace).Get(portainerConfigMapName, metav1.GetOptions{})
if k8serrors.IsNotFound(err) {
return nil
}
if err != nil {
return err
}
configMap.Data[portainerConfigMapAccessPoliciesKey] = string(data)
_, err = kcl.cli.CoreV1().ConfigMaps(portainerNamespace).Update(configMap)
if err != nil {
return err
}
return nil
}

68
api/kubernetes/cli/access_test.go
View File

@@ -1,68 +0,0 @@
package cli
import (
"sync"
"testing"
portainer "github.com/portainer/portainer/api"
"github.com/stretchr/testify/assert"
ktypes "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
kfake "k8s.io/client-go/kubernetes/fake"
)
func Test_NamespaceAccessPoliciesDeleteNamespace_updatesPortainerConfig_whenConfigExists(t *testing.T) {
testcases := []struct {
name string
namespaceToDelete string
expectedConfig map[string]portainer.K8sNamespaceAccessPolicy
}{
{
name: "doesn't change config, when designated namespace absent",
namespaceToDelete: "missing-namespace",
expectedConfig: map[string]portainer.K8sNamespaceAccessPolicy{
"ns1": {UserAccessPolicies: portainer.UserAccessPolicies{2: {RoleID: 0}}},
"ns2": {UserAccessPolicies: portainer.UserAccessPolicies{2: {RoleID: 0}}},
},
},
{
name: "removes designated namespace from config, when namespace is present",
namespaceToDelete: "ns2",
expectedConfig: map[string]portainer.K8sNamespaceAccessPolicy{
"ns1": {UserAccessPolicies: portainer.UserAccessPolicies{2: {RoleID: 0}}},
},
},
}
for _, test := range testcases {
t.Run(test.name, func(t *testing.T) {
k := &KubeClient{
cli: kfake.NewSimpleClientset(),
instanceID: "instance",
lock: &sync.Mutex{},
}
config := &ktypes.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: portainerConfigMapName,
Namespace: portainerNamespace,
},
Data: map[string]string{
"NamespaceAccessPolicies": `{"ns1":{"UserAccessPolicies":{"2":{"RoleId":0}}}, "ns2":{"UserAccessPolicies":{"2":{"RoleId":0}}}}`,
},
}
_, err := k.cli.CoreV1().ConfigMaps(portainerNamespace).Create(config)
assert.NoError(t, err, "failed to create a portainer config")
defer func() {
k.cli.CoreV1().ConfigMaps(portainerNamespace).Delete(portainerConfigMapName, nil)
}()
err = k.NamespaceAccessPoliciesDeleteNamespace(test.namespaceToDelete)
assert.NoError(t, err, "failed to delete namespace")
policies, err := k.GetNamespaceAccessPolicies()
assert.NoError(t, err, "failed to fetch policies")
assert.Equal(t, test.expectedConfig, policies)
})
}
}

5
api/kubernetes/cli/client.go
View File

@@ -5,7 +5,6 @@ import (
"fmt"
"net/http"
"strconv"
"sync"
cmap "github.com/orcaman/concurrent-map"
@@ -26,9 +25,8 @@ type (
// KubeClient represent a service used to execute Kubernetes operations
KubeClient struct {
cli kubernetes.Interface
cli *kubernetes.Clientset
instanceID string
lock *sync.Mutex
}
)
@@ -74,7 +72,6 @@ func (factory *ClientFactory) createKubeClient(endpoint *portainer.Endpoint) (po
kubecli := &KubeClient{
cli: cli,
instanceID: factory.instanceID,
lock: &sync.Mutex{},
}
return kubecli, nil

9
api/kubernetes/cli/exec.go
View File

@@ -14,18 +14,13 @@ import (
// StartExecProcess will start an exec process inside a container located inside a pod inside a specific namespace
// using the specified command. The stdin parameter will be bound to the stdin process and the stdout process will write
// to the stdout parameter.
// This function only works against a local endpoint using an in-cluster config with the user's SA token.
func (kcl *KubeClient) StartExecProcess(token string, useAdminToken bool, namespace, podName, containerName string, command []string, stdin io.Reader, stdout io.Writer) error {
// This function only works against a local endpoint using an in-cluster config.
func (kcl *KubeClient) StartExecProcess(namespace, podName, containerName string, command []string, stdin io.Reader, stdout io.Writer) error {
config, err := rest.InClusterConfig()
if err != nil {
return err
}
if !useAdminToken {
config.BearerToken = token
config.BearerTokenFile = ""
}
req := kcl.cli.CoreV1().RESTClient().
Post().
Resource("pods").

23
api/libcompose/compose_stack.go
View File

@@ -86,12 +86,14 @@ func (manager *ComposeStackManager) Up(stack *portainer.Stack, endpoint *portain
for _, envvar := range stack.Env {
env[envvar.Name] = envvar.Value
}
composeFilePath := path.Join(stack.ProjectPath, stack.EntryPoint)
var composeFiles []string
for _, file := range append([]string{stack.EntryPoint}, stack.AdditionalFiles...) {
composeFiles = append(composeFiles, path.Join(stack.ProjectPath, file))
}
proj, err := docker.NewProject(&ctx.Context{
ConfigDir: manager.dataPath,
Context: project.Context{
ComposeFiles: []string{composeFilePath},
ComposeFiles: composeFiles,
EnvironmentLookup: &lookup.ComposableEnvLookup{
Lookups: []config.EnvironmentLookup{
&lookup.EnvfileLookup{
@@ -120,10 +122,13 @@ func (manager *ComposeStackManager) Down(stack *portainer.Stack, endpoint *porta
return err
}
composeFilePath := path.Join(stack.ProjectPath, stack.EntryPoint)
var composeFiles []string
for _, file := range append([]string{stack.EntryPoint}, stack.AdditionalFiles...) {
composeFiles = append(composeFiles, path.Join(stack.ProjectPath, file))
}
proj, err := docker.NewProject(&ctx.Context{
Context: project.Context{
ComposeFiles: []string{composeFilePath},
ComposeFiles: composeFiles,
ProjectName: stack.Name,
},
ClientFactory: clientFactory,
@@ -134,3 +139,11 @@ func (manager *ComposeStackManager) Down(stack *portainer.Stack, endpoint *porta
return proj.Down(context.Background(), options.Down{RemoveVolume: false, RemoveOrphans: true})
}
func stackFilePaths(stack *portainer.Stack) []string {
var filePaths []string
for _, file := range append([]string{stack.EntryPoint}, stack.AdditionalFiles...) {
filePaths = append(filePaths, path.Join(stack.ProjectPath, file))
}
return filePaths
}

25
api/oauth/oauth.go
View File

@@ -4,15 +4,14 @@ import (
"context"
"encoding/json"
"fmt"
"golang.org/x/oauth2"
"io/ioutil"
"log"
"mime"
"net/http"
"net/url"
"golang.org/x/oauth2"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api"
)
// Service represents a service used to authenticate users against an authorization server
@@ -24,35 +23,31 @@ func NewService() *Service {
}
// Authenticate takes an access code and exchanges it for an access token from portainer OAuthSettings token endpoint.
// On success, it will then return the username and token expiry time associated to authenticated user by fetching this information
// On success, it will then return the username associated to authenticated user by fetching this information
// from the resource server and matching it with the user identifier setting.
func (*Service) Authenticate(code string, configuration *portainer.OAuthSettings) (string, error) {
token, err := getOAuthToken(code, configuration)
token, err := getAccessToken(code, configuration)
if err != nil {
log.Printf("[DEBUG] - Failed retrieving access token: %v", err)
return "", err
}
username, err := getUsername(token.AccessToken, configuration)
if err != nil {
log.Printf("[DEBUG] - Failed retrieving oauth user name: %v", err)
return "", err
}
return username, nil
return getUsername(token, configuration)
}
func getOAuthToken(code string, configuration *portainer.OAuthSettings) (*oauth2.Token, error) {
func getAccessToken(code string, configuration *portainer.OAuthSettings) (string, error) {
unescapedCode, err := url.QueryUnescape(code)
if err != nil {
return nil, err
return "", err
}
config := buildConfig(configuration)
token, err := config.Exchange(context.Background(), unescapedCode)
if err != nil {
return nil, err
return "", err
}
return token, nil
return token.AccessToken, nil
}
func getUsername(token string, configuration *portainer.OAuthSettings) (string, error) {

39
api/portainer.go
View File

@@ -2,10 +2,7 @@ package portainer
import (
"io"
"net/http"
"time"
gittypes "github.com/portainer/portainer/api/git/types"
)
type (
@@ -393,11 +390,6 @@ type (
// JobType represents a job type
JobType int
K8sNamespaceAccessPolicy struct {
UserAccessPolicies UserAccessPolicies `json:"UserAccessPolicies"`
TeamAccessPolicies TeamAccessPolicies `json:"TeamAccessPolicies"`
}
// KubernetesData contains all the Kubernetes related endpoint information
KubernetesData struct {
Snapshots []KubernetesSnapshot `json:"Snapshots"`
@@ -497,8 +489,6 @@ type (
Scopes string `json:"Scopes"`
OAuthAutoCreateUsers bool `json:"OAuthAutoCreateUsers"`
DefaultTeamID TeamID `json:"DefaultTeamID"`
SSO bool `json:"SSO"`
LogoutURI string `json:"LogoutURI"`
}
// Pair defines a key/value string pair
@@ -691,6 +681,10 @@ type (
SwarmID string `json:"SwarmId" example:"jpofkc0i9uo9wtx1zesuk649w"`
// Path to the Stack file
EntryPoint string `json:"EntryPoint" example:"docker-compose.yml"`
// Additional Stack files
AdditionalFiles []string `json:"AdditionalFiles"`
// Stack auto update settings
AutoUpdate *StackAutoUpdate `json:"AutoUpdate"`
// A list of environment variables used during stack deployment
Env []Pair `json:"Env" example:""`
//
@@ -707,8 +701,12 @@ type (
UpdateDate int64 `example:"1587399600"`
// The username which last updated this stack
UpdatedBy string `example:"bob"`
// The git config of this stack
GitConfig *gittypes.RepoConfig
}
//StackAutoUpdate represents the git auto sync config for stack deployment
StackAutoUpdate struct {
Interval string
Webhook string //a UUID generated from client
}
// StackID represents a stack identifier (it must be composed of Name + "_" + SwarmID to create a unique identifier)
@@ -1150,13 +1148,13 @@ type (
// GitService represents a service for managing Git
GitService interface {
CloneRepository(destination string, repositoryURL, referenceName, username, password string) error
ClonePublicRepository(repositoryURL, referenceName string, destination string) error
ClonePrivateRepositoryWithBasicAuth(repositoryURL, referenceName string, destination, username, password string) error
}
// JWTService represents a service for managing JWT tokens
JWTService interface {
GenerateToken(data *TokenData) (string, error)
GenerateTokenForOAuth(data *TokenData, expiryTime *time.Time) (string, error)
ParseAndVerifyToken(token string) (*TokenData, error)
SetUserSessionDuration(userSessionDuration time.Duration)
}
@@ -1165,16 +1163,12 @@ type (
KubeClient interface {
SetupUserServiceAccount(userID int, teamIDs []int) error
GetServiceAccountBearerToken(userID int) (string, error)
StartExecProcess(token string, useAdminToken bool, namespace, podName, containerName string, command []string, stdin io.Reader, stdout io.Writer) error
NamespaceAccessPoliciesDeleteNamespace(namespace string) error
GetNamespaceAccessPolicies() (map[string]K8sNamespaceAccessPolicy, error)
UpdateNamespaceAccessPolicies(accessPolicies map[string]K8sNamespaceAccessPolicy) error
StartExecProcess(namespace, podName, containerName string, command []string, stdin io.Reader, stdout io.Writer) error
}
// KubernetesDeployer represents a service to deploy a manifest inside a Kubernetes endpoint
KubernetesDeployer interface {
Deploy(request *http.Request, endpoint *Endpoint, data string, namespace string) (string, error)
ConvertCompose(data string) ([]byte, error)
Deploy(endpoint *Endpoint, data string, composeFormat bool, namespace string) ([]byte, error)
}
// KubernetesSnapshotter represents a service used to create Kubernetes endpoint snapshots
@@ -1254,6 +1248,7 @@ type (
UpdateStack(ID StackID, stack *Stack) error
DeleteStack(ID StackID) error
GetNextIdentifier() int
StackByWebhookID(ID string) (*Stack, error)
}
// SnapshotService represents a service for managing endpoint snapshots
@@ -1343,9 +1338,9 @@ type (
const (
// APIVersion is the version number of the Portainer API
APIVersion = "2.6.2"
APIVersion = "2.5.0"
// DBVersion is the version number of the Portainer database
DBVersion = 30
DBVersion = 27
// ComposeSyntaxMaxVersion is a maximum supported version of the docker compose syntax
ComposeSyntaxMaxVersion = "3.9"
// AssetsServerURL represents the URL of the Portainer asset server

5
app/assets/css/app.css
View File

@@ -1023,8 +1023,3 @@ json-tree .branch-preview {
overflow-y: auto;
}
/* !uib-typeahead override */
.my-8 {
margin-top: 2rem;
margin-bottom: 2rem;
}

6
app/azure/models/container_group.js
View File

@@ -20,18 +20,18 @@ export function ContainerGroupDefaultModel() {
}
export function ContainerGroupViewModel(data) {
const addressPorts = data.properties.ipAddress ? data.properties.ipAddress.ports : [];
const addressPorts = data.properties.ipAddress.ports;
const container = data.properties.containers.length ? data.properties.containers[0] : {};
const containerPorts = container ? container.properties.ports : [];
this.Id = data.id;
this.Name = data.name;
this.Location = data.location;
this.IPAddress = data.properties.ipAddress ? data.properties.ipAddress.ip : '';
this.IPAddress = data.properties.ipAddress.ip;
this.Ports = addressPorts.length ? addressPorts.map((binding, index) => ({ container: containerPorts[index].port, host: binding.port, protocol: binding.protocol })) : [];
this.Image = container.properties.image || '';
this.OSType = data.properties.osType;
this.AllocatePublicIP = data.properties.ipAddress && data.properties.ipAddress.type === 'Public';
this.AllocatePublicIP = data.properties.ipAddress.type === 'Public';
this.CPU = container.properties.resources.requests.cpu;
this.Memory = container.properties.resources.requests.memoryInGB;

2
app/azure/views/containerinstances/container-instance-details/containerInstanceDetails.html
View File

@@ -63,7 +63,7 @@
</div>
<!-- !os-input -->
<!-- port-mapping -->
<div class="form-group" ng-if="$ctrl.container.Ports.length > 0">
<div class="form-group">
<div class="col-sm-12">
<label class="control-label text-left">Port mapping</label>
</div>

8
app/azure/views/containerinstances/create/createContainerInstanceController.js
View File

@@ -8,8 +8,7 @@ angular.module('portainer.azure').controller('AzureCreateContainerInstanceContro
'Notifications',
'Authentication',
'ResourceControlService',
'FormValidator',
function ($q, $scope, $state, AzureService, Notifications, Authentication, ResourceControlService, FormValidator) {
function ($q, $scope, $state, AzureService, Notifications, Authentication, ResourceControlService) {
var allResourceGroups = [];
var allProviders = [];
@@ -71,11 +70,6 @@ angular.module('portainer.azure').controller('AzureCreateContainerInstanceContro
return 'At least one port binding is required';
}
const error = FormValidator.validateAccessControl(model.AccessControlData, Authentication.isAdmin());
if (error !== '') {
return error;
}
return null;
}

2
app/constants.js
View File

@@ -30,5 +30,3 @@ angular
.constant('PREDEFINED_NETWORKS', ['host', 'bridge', 'none'])
.constant('KUBERNETES_DEFAULT_NAMESPACE', 'default')
.constant('KUBERNETES_SYSTEM_NAMESPACES', ['kube-system', 'kube-public', 'kube-node-lease', 'portainer']);
export const PORTAINER_FADEOUT = 1500;

2
app/docker/__module.js
View File

@@ -456,7 +456,7 @@ angular.module('portainer.docker', ['portainer.app']).config([
var stack = {
name: 'docker.stacks.stack',
url: '/:name?id&type&regular&external&orphaned&orphanedRunning',
url: '/:name?id&type&external',
views: {
'content@': {
templateUrl: '~Portainer/views/stacks/edit/stack.html',

2
app/docker/components/imageRegistry/por-image-registry-rate-limits.controller.js
View File

@@ -19,7 +19,7 @@ export default class porImageRegistryContainerController {
if (this.EndpointHelper.isAgentEndpoint(this.endpoint) || this.EndpointHelper.isLocalEndpoint(this.endpoint)) {
try {
this.pullRateLimits = await this.DockerHubService.checkRateLimits(this.endpoint);
this.setValidity(!this.pullRateLimits.limit || (this.pullRateLimits.limit && this.pullRateLimits.remaining >= 0));
this.setValidity(this.pullRateLimits.remaining >= 0);
} catch (e) {
// eslint-disable-next-line no-console
console.error('Failed loading DockerHub pull rate limits', e);

2
app/docker/components/log-viewer/logViewerController.js
View File

@@ -48,7 +48,7 @@ angular.module('portainer.docker').controller('LogViewerController', [
};
this.downloadLogs = function () {
const data = new Blob([_.reduce(this.state.filteredLogs, (acc, log) => acc + '\n' + log.line, '')]);
const data = new Blob([_.reduce(this.state.filteredLogs, (acc, log) => acc + '\n' + log, '')]);
FileSaver.saveAs(data, this.resourceName + '_logs.txt');
};
},

33
app/docker/helpers/serviceHelper.js
View File

@@ -67,6 +67,39 @@ angular.module('portainer.docker').factory('ServiceHelper', [
return [];
};
helper.translateEnvironmentVariables = function (env) {
if (env) {
var variables = [];
env.forEach(function (variable) {
var idx = variable.indexOf('=');
var keyValue = [variable.slice(0, idx), variable.slice(idx + 1)];
var originalValue = keyValue.length > 1 ? keyValue[1] : '';
variables.push({
key: keyValue[0],
value: originalValue,
originalKey: keyValue[0],
originalValue: originalValue,
added: true,
});
});
return variables;
}
return [];
};
helper.translateEnvironmentVariablesToEnv = function (env) {
if (env) {
var variables = [];
env.forEach(function (variable) {
if (variable.key && variable.key !== '') {
variables.push(variable.key + '=' + variable.value);
}
});
return variables;
}
return [];
};
helper.translatePreferencesToKeyValue = function (preferences) {
if (preferences) {
var keyValuePreferences = [];

14
app/docker/models/container.js
View File

@@ -91,20 +91,6 @@ export function ContainerStatsViewModel(data) {
this.CPUCores = data.cpu_stats.cpu_usage.percpu_usage.length;
}
this.Networks = _.values(data.networks);
if (data.blkio_stats !== undefined) {
//TODO: take care of multiple block devices
var readData = data.blkio_stats.io_service_bytes_recursive.find((d) => d.op === 'Read');
if (readData !== undefined) {
this.BytesRead = readData.value;
}
var writeData = data.blkio_stats.io_service_bytes_recursive.find((d) => d.op === 'Write');
if (writeData !== undefined) {
this.BytesWrite = writeData.value;
}
} else {
//no IO related data is available
this.noIOdata = true;
}
}
export function ContainerDetailsViewModel(data) {

4
app/docker/rest/response/handlers.js
View File

@@ -18,10 +18,6 @@ function isJSON(jsonString) {
// This handler wrap the JSON objects in an array.
// Used by the API in: Image push, Image create, Events query.
export function jsonObjectsToArrayHandler(data) {
// catching empty data helps the function not to fail and prevents unwanted error message to user.
if (!data) {
return [];
}
var str = '[' + data.replace(/\n/g, ' ').replace(/\}\s*\{/g, '}, {') + ']';
return angular.fromJson(str);
}

Some files were not shown because too many files have changed in this diff Show More