Merge pull request docker-archive#455 from docker/azure-token

Azure token metaserver

Author: FrenchBen

tools/metaserver/Dockerfile

@@ -6,6 +6,7 @@ RUN go get github.com/docker/docker/api/types
 RUN go get github.com/docker/go-connections/tlsconfig
 RUN go get github.com/docker/go-connections/sockets
 RUN go get github.com/gorilla/mux
+RUN go get -u github.com/rancher/trash
 
 ENV USER root
 WORKDIR /go/

tools/metaserver/compile.sh

@@ -3,6 +3,7 @@
 set -e
 
 cd /go/src/metaserver
+trash
 go vet
 go build
 cp metaserver /go/bin

tools/metaserver/src/metaserver/aws.go

@@ -4,32 +4,24 @@ import (
 	"fmt"
 	"net/http"
 	"os"
-	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ec2"
 )
 
-type awsInstance struct {
-	InstanceID       string
-	InstanceType     string
-	PublicIPAddress  string
-	PrivateIPAddress string
-	InstanceState    string
-	InstanceAZ       string
-}
-
+// AWSWeb interface for all Azure calls
 type AWSWeb struct {
 }
 
+// TokenManager obtain the AWS Swarm Manager Token
 func (a AWSWeb) TokenManager(w http.ResponseWriter, r *http.Request) {
 	// get the swarm manager token, if they are a manager node,
 	// and are not already in the swarm. Block otherwise
 	RequestInfo(r)
 	ip := RequestIP(r)
 	inSwarm := alreadyInSwarm(ip)
-	isManager := isManagerNode(ip)
+	isManager := isManagerNode(a, ip)
 
 	if inSwarm || !isManager {
 		// they are either already in the swarm, or they are not a manager
@@ -50,14 +42,15 @@ func (a AWSWeb) TokenManager(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprintf(w, swarm.JoinTokens.Manager)
 }
 
+// TokenWorker obtain the AWS Swarm Worker Token
 func (a AWSWeb) TokenWorker(w http.ResponseWriter, r *http.Request) {
 	// get the swarm worker token, if they are a worker node,
 	// and are not already in the swarm. block otherwise
 	RequestInfo(r)
 
 	ip := RequestIP(r)
 	inSwarm := alreadyInSwarm(ip)
-	isWorker := isWorkerNode(ip)
+	isWorker := isWorkerNode(a, ip)
 
 	if inSwarm || !isWorker {
 		// they are either already in the swarm, or they are not a worker
@@ -78,75 +71,45 @@ func (a AWSWeb) TokenWorker(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprintf(w, swarm.JoinTokens.Worker)
 }
 
-func alreadyInSwarm(ip string) bool {
-	// Is the node making the request, already in the swarm.
-	nodes := SwarmNodes()
-	for _, node := range nodes {
-		nodeIP := ConvertAWSHostToIP(node.Description.Hostname)
-		if ip == nodeIP {
-			return true
-		}
-	}
-	return false
-}
-
-func isManagerNode(ip string) bool {
-	// Is the node making the request a manager node
-	return isNodeInList(ip, awsManagers())
-}
-
-func isWorkerNode(ip string) bool {
-	// Is the node making the request a worker node
-	return isNodeInList(ip, awsWorkers())
-}
-
-func isNodeInList(ip string, instances []awsInstance) bool {
-	// given an IP, find out if it is in the instance list.
-	for _, instance := range instances {
-		if ip == instance.PrivateIPAddress {
-			return true
-		}
-	}
-	return false
-}
-
-func awsWorkers() []awsInstance {
-	// get the instances from AWS worker security group
+// Managers get list of AWS manager instances
+func (a AWSWeb) Managers() []WebInstance {
+	// get the instances from AWS Manager security group
 	customFilter := []*ec2.Filter{
 		&ec2.Filter{
 			Name:   aws.String("tag:swarm-node-type"),
-			Values: []*string{aws.String("worker")},
+			Values: []*string{aws.String("manager")},
 		},
 	}
 
 	// ec2 classic would be just group-id, VPC would be instance.group-id
 	customFilter = append(customFilter, &ec2.Filter{
 		Name:   aws.String("instance.group-id"),
-		Values: []*string{aws.String(os.Getenv("WORKER_SECURITY_GROUP_ID"))},
+		Values: []*string{aws.String(os.Getenv("MANAGER_SECURITY_GROUP_ID"))},
 	})
 
 	return awsInstances(customFilter)
 }
 
-func awsManagers() []awsInstance {
-	// get the instances from AWS Manager security group
+// Workers get list of AWS worker instances
+func (a AWSWeb) Workers() []WebInstance {
+	// get the instances from AWS worker security group
 	customFilter := []*ec2.Filter{
 		&ec2.Filter{
 			Name:   aws.String("tag:swarm-node-type"),
-			Values: []*string{aws.String("manager")},
+			Values: []*string{aws.String("worker")},
 		},
 	}
 
 	// ec2 classic would be just group-id, VPC would be instance.group-id
 	customFilter = append(customFilter, &ec2.Filter{
 		Name:   aws.String("instance.group-id"),
-		Values: []*string{aws.String(os.Getenv("MANAGER_SECURITY_GROUP_ID"))},
+		Values: []*string{aws.String(os.Getenv("WORKER_SECURITY_GROUP_ID"))},
 	})
 
 	return awsInstances(customFilter)
 }
 
-func awsInstances(customFilters []*ec2.Filter) []awsInstance {
+func awsInstances(customFilters []*ec2.Filter) []WebInstance {
 	// get the instances from AWS, takes a filter to limit the results.
 	client := ec2.New(session.New(&aws.Config{}))
 
@@ -173,10 +136,10 @@ func awsInstances(customFilters []*ec2.Filter) []awsInstance {
 		fmt.Println(err.Error())
 	}
 
-	var instances []awsInstance
+	var instances []WebInstance
 	for _, reservation := range result.Reservations {
 		for _, instance := range reservation.Instances {
-			aInstance := awsInstance{
+			aInstance := WebInstance{
 				InstanceID:       *instance.InstanceId,
 				InstanceType:     *instance.InstanceType,
 				PublicIPAddress:  *instance.PublicIpAddress,
@@ -189,18 +152,3 @@ func awsInstances(customFilters []*ec2.Filter) []awsInstance {
 	}
 	return instances
 }
-
-func ConvertAWSHostToIP(hostStr string) string {
-	// This is risky, this assumes the following formation for hosts in swarm node ls
-	// ip-10-0-3-149.ec2.internal
-	// there was one use case when someone had an old account, and their hostnames were not
-	// in this format. they just had
-	// ip-192-168-33-67
-	// not sure how many other formats there are.
-	// This will work for both formats above.
-	hostSplit := strings.Split(hostStr, ".")
-	host := hostSplit[0]
-	host = strings.Replace(host, "ip-", "", -1)
-	ip := strings.Replace(host, "-", ".", -1)
-	return ip
-}

tools/metaserver/src/metaserver/aws_test.go

@@ -3,27 +3,187 @@ package main
 import (
 	"fmt"
 	"net/http"
+	"os"
+
+	"github.com/Azure/azure-sdk-for-go/arm/compute"
+	"github.com/Azure/azure-sdk-for-go/arm/examples/helpers"
+	"github.com/Azure/azure-sdk-for-go/arm/network"
+	"github.com/Azure/go-autorest/autorest/azure"
 )
 
+// AzureWeb interface for all Azure calls
 type AzureWeb struct {
 }
 
-//TODO: implement these using Azure specific API's
-
+// TokenManager obtain the Azure Swarm Manager Token
 func (a AzureWeb) TokenManager(w http.ResponseWriter, r *http.Request) {
 	RequestInfo(r)
+	ip := RequestIP(r)
+	inSwarm := alreadyInSwarm(ip)
+	isManager := isManagerNode(a, ip)
+
+	if inSwarm || !isManager {
+		// they are either already in the swarm, or they are not a manager
+		w.WriteHeader(http.StatusForbidden)
+		fmt.Fprintln(w, "Access Denied")
+		return
+	}
 
-	w.WriteHeader(http.StatusNotImplemented)
-	fmt.Fprintf(w, "Not implmented Yet")
+	// They are not in the swarm, and they are a manager, so good to go.
+	cli, ctx := DockerClient()
+	swarm, err := cli.SwarmInspect(ctx)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		fmt.Fprintf(w, "%v", err)
+		return
+	}
 
-	fmt.Println("Endpoint Hit: tokenManager")
+	fmt.Fprintf(w, swarm.JoinTokens.Manager)
 }
 
+// TokenWorker obtain the Azure Swarm Worker Token
 func (a AzureWeb) TokenWorker(w http.ResponseWriter, r *http.Request) {
+	// get the swarm worker token, if they are a worker node,
+	// and are not already in the swarm. block otherwise
 	RequestInfo(r)
 
-	w.WriteHeader(http.StatusNotImplemented)
-	fmt.Fprintf(w, "Not implmented Yet")
+	ip := RequestIP(r)
+	inSwarm := alreadyInSwarm(ip)
+	isWorker := isWorkerNode(a, ip)
+
+	if inSwarm || !isWorker {
+		// they are either already in the swarm, or they are not a worker
+		w.WriteHeader(http.StatusForbidden)
+		fmt.Fprintln(w, "Access Denied")
+		return
+	}
+
+	// They are not in the swarm, and they are a worker, so good to go.
+	cli, ctx := DockerClient()
+	swarm, err := cli.SwarmInspect(ctx)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		fmt.Fprintf(w, "%v", err)
+		return
+	}
+
+	fmt.Fprintf(w, swarm.JoinTokens.Worker)
+}
+
+// Managers get list of Azure manager instances
+func (a AzureWeb) Managers() []WebInstance {
+	// get the clients for Network and Compute
+	env := map[string]string{
+		"AZURE_CLIENT_ID":       os.Getenv("APP_ID"),
+		"AZURE_CLIENT_SECRET":   os.Getenv("APP_SECRET"),
+		"AZURE_SUBSCRIPTION_ID": os.Getenv("SUBSCRIPTION_ID"),
+		"AZURE_TENANT_ID":       os.Getenv("TENANT_ID"),
+		"AZURE_GROUP_NAME":      os.Getenv("GROUP_NAME"),
+		"AZURE_VMSS_MGR":        os.Getenv("VMSS_MGR"),
+		"AZURE_VMSS_WRK":        os.Getenv("VMSS_WRK")}
+	nicClient, vmssClient := initClients(env)
+	// Get list of VMSS Network Interfaces for Managers
+	managerIPTable, err := getVMSSNic(nicClient, env, env["AZURE_VMSS_MGR"])
+	if err != nil {
+		fmt.Printf("Couldn't get Manager Nic for VMSS: %v", err)
+		return []WebInstance{}
+	}
+	// Get list of VMSS for Managers
+	managerVMs, err := getVMSSList(vmssClient, env, env["AZURE_VMSS_MGR"], managerIPTable)
+	if err != nil {
+		fmt.Printf("Couldn't get List of Manager VMSS: %v", err)
+		return []WebInstance{}
+	}
+	return managerVMs
+}
+
+// Workers get list of Azure worker instances
+func (a AzureWeb) Workers() []WebInstance {
+	// get the clients for Network and Compute
+	env := map[string]string{
+		"AZURE_CLIENT_ID":       os.Getenv("APP_ID"),
+		"AZURE_CLIENT_SECRET":   os.Getenv("APP_SECRET"),
+		"AZURE_SUBSCRIPTION_ID": os.Getenv("SUBSCRIPTION_ID"),
+		"AZURE_TENANT_ID":       os.Getenv("TENANT_ID"),
+		"AZURE_GROUP_NAME":      os.Getenv("GROUP_NAME"),
+		"AZURE_VMSS_MGR":        os.Getenv("VMSS_MGR"),
+		"AZURE_VMSS_WRK":        os.Getenv("VMSS_WRK")}
+	nicClient, vmssClient := initClients(env)
+	// Get list of VMSS Network Interfaces for Managers
+	workerIPTable, err := getVMSSNic(nicClient, env, env["AZURE_VMSS_WRK"])
+	if err != nil {
+		fmt.Printf("Couldn't get Worker Nic for VMSS: %v", err)
+		return []WebInstance{}
+	}
+	// Get list of VMSS for Managers
+	workerVMs, err := getVMSSList(vmssClient, env, env["AZURE_VMSS_WRK"], workerIPTable)
+	if err != nil {
+		fmt.Printf("Couldn't get List of Worker VMSS: %v", err)
+		return []WebInstance{}
+	}
+	return workerVMs
+}
+
+func initClients(env map[string]string) (network.InterfacesClient, compute.VirtualMachineScaleSetVMsClient) {
+
+	spt, err := helpers.NewServicePrincipalTokenFromCredentials(env, azure.PublicCloud.ResourceManagerEndpoint)
+	if err != nil {
+		fmt.Printf("ERROR: Getting SP token - check that all ENV variables are set")
+		os.Exit(1)
+	}
+	// Create Network Interface Client
+	nicClient := network.NewInterfacesClient(env["AZURE_SUBSCRIPTION_ID"])
+	nicClient.Authorizer = spt
+	// Create VMSS Client
+	vmssClient := compute.NewVirtualMachineScaleSetVMsClient(env["AZURE_SUBSCRIPTION_ID"])
+	vmssClient.Authorizer = spt
+	return nicClient, vmssClient
+}
+
+func getVMSSNic(client network.InterfacesClient, env map[string]string, vmss string) (IPTable map[string]string, err error) {
+	result, err := client.ListVirtualMachineScaleSetNetworkInterfaces(env["AZURE_GROUP_NAME"], vmss)
+	if err != nil {
+		// Message from an error.
+		fmt.Println("Error: ", err.Error())
+		return IPTable, err
+	}
+
+	IPTable = map[string]string{}
+
+	for _, nic := range *result.Value {
+		if *nic.Properties.Primary {
+			for _, ipConfig := range *nic.Properties.IPConfigurations {
+				if *ipConfig.Properties.Primary {
+					IPTable[*nic.ID] = *ipConfig.Properties.PrivateIPAddress
+				}
+			}
+		}
+	}
+	return IPTable, nil
+}
+
+func getVMSSList(client compute.VirtualMachineScaleSetVMsClient, env map[string]string, vmss string, nicIPTable map[string]string) ([]WebInstance, error) {
+	vms := []WebInstance{}
+
+	result, err := client.List(env["AZURE_GROUP_NAME"], vmss, "", "", "")
+	if err != nil {
+		// Message from an error.
+		fmt.Println("Error: ", err.Error())
+		return vms, err
+	}
 
-	fmt.Println("Endpoint Hit: tokenWorker")
+	for _, vm := range *result.Value {
+		nics := *vm.Properties.NetworkProfile.NetworkInterfaces
+		privateIP := nicIPTable[*nics[0].ID]
+		newVM := WebInstance{
+			ID:               *vm.ID,
+			InstanceID:       *vm.InstanceID,
+			InstanceName:     *vm.Name,
+			InstanceType:     *vm.Type,
+			InstanceNic:      *nics[0].ID,
+			PrivateIPAddress: privateIP,
+			InstanceState:    *vm.Properties.ProvisioningState}
+		vms = append(vms, newVM)
+	}
+	return vms, nil
 }