d8dfun/virtual-kubelet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

VMware vSphere Integrated Containers provider (#206)

Browse Source 
* Add Virtual Kubelet provider for VIC

Initial virtual kubelet provider for VMware VIC.  This provider currently
handles creating and starting of a pod VM via the VIC portlayer and persona
server.  Image store handling via the VIC persona server.  This provider
currently requires the feature/wolfpack branch of VIC.

* Added pod stop and delete.  Also added node capacity.

Added the ability to stop and delete pod VMs via VIC.  Also retrieve
node capacity information from the VCH.

* Cleanup and readme file

Some file clean up and added a Readme.md markdown file for the VIC
provider.

* Cleaned up errors, added function comments, moved operation code

1. Cleaned up error handling.  Set standard for creating errors.
2. Added method prototype comments for all interface functions.
3. Moved PodCreator, PodStarter, PodStopper, and PodDeleter to a new folder.

* Add mocking code and unit tests for podcache, podcreator, and podstarter

Used the unit test framework used in VIC to handle assertions in the provider's
unit test.  Mocking code generated using OSS project mockery, which is compatible
with the testify assertion framework.

* Vendored packages for the VIC provider

Requires feature/wolfpack branch of VIC and a few specific commit sha of
projects used within VIC.

* Implementation of POD Stopper and Deleter unit tests (#4)

* Updated files for initial PR
This commit is contained in:
Loc Nguyen
2018-06-04 15:41:32 -07:00
committed by Ria Bhatia
parent 98a111e8b7
commit 513cebe7b7
6296 changed files with 1123685 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

491
vendor/github.com/vmware/vic/lib/config/dynamic/admiral/source.go generated vendored Normal file
View File

@@ -0,0 +1,491 @@
// Copyright 2016-2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package admiral
import (
"context"
"crypto/tls"
"fmt"
"net"
"net/http"
"net/url"
"strings"
"sync"
"time"
log "github.com/Sirupsen/logrus"
"github.com/go-openapi/runtime"
rtclient "github.com/go-openapi/runtime/client"
strfmt "github.com/go-openapi/strfmt"
"github.com/mitchellh/mapstructure"
"github.com/pkg/errors"
"github.com/vmware/govmomi/vim25/types"
vchcfg "github.com/vmware/vic/lib/config"
"github.com/vmware/vic/lib/config/dynamic"
"github.com/vmware/vic/lib/config/dynamic/admiral/client"
"github.com/vmware/vic/lib/config/dynamic/admiral/client/config_registries"
"github.com/vmware/vic/lib/config/dynamic/admiral/client/projects"
"github.com/vmware/vic/lib/config/dynamic/admiral/client/resources_compute"
"github.com/vmware/vic/lib/config/dynamic/admiral/models"
"github.com/vmware/vic/pkg/vsphere/session"
"github.com/vmware/vic/pkg/vsphere/tags"
"github.com/vmware/vic/pkg/vsphere/vm"
)
const (
VicProductCategory = "VsphereIntegratedContainers"
ProductVMTag = "ProductVM"
admiralEndpointKey = "guestinfo.vicova.admiral.endpoint"
clusterFilter = "(address eq '%s' and customProperties.__containerHostType eq 'VCH')"
// defaultVicRegistry is the query string to fetch the default VIC registry from Admiral
defaultVicRegistry = "default-vic-registry"
)
// #nosec
const admiralTokenKey = "guestinfo.vicova.engine.token"
var (
trueStr = "true"
projectsFilter = "customProperties.__enableContentTrust eq 'true'"
// #nosec
admClient = &http.Client{
Transport: // copied from http.DefaultTransport
&http.Transport{
Proxy: http.ProxyFromEnvironment,
DialContext: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
DualStack: true,
}).DialContext,
MaxIdleConns: 100,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
},
}
)
// NewSource creates a new Admiral dynamic config source. sess
// is a valid vsphere session object. vchID is a unique identifier
// that will be used to lookup the VCH in the Admiral instance; currently
// this is a URI to the docker endpoint in the VCH.
func NewSource(sess *session.Session, vchID string) dynamic.Source {
return &source{
d: DefaultDiscovery,
sess: sess,
vchID: vchID,
}
}
var DefaultDiscovery = &productDiscovery{
clients: make(map[string]*tags.RestClient),
}
type source struct {
mu sync.Mutex
d discovery
sess *session.Session
vchID string
lastCfg *vchcfg.VirtualContainerHostConfigSpec
// the discovered product VM
v *vm.VirtualMachine
// cached values to minimize running discovery
projs []string
c *client.Admiral
}
// Get returns the dynamic config portion from an Admiral instance. For now,
// this is empty pending details from the Admiral team.
func (a *source) Get(ctx context.Context) (*vchcfg.VirtualContainerHostConfigSpec, error) {
a.mu.Lock()
lastCfg := a.lastCfg
a.mu.Unlock()
c, projs, err := a.discover(ctx)
if err != nil {
log.Warnf("could not locate management portal, returning last known config: %s", err)
return lastCfg, nil
}
if len(projs) == 0 {
return nil, nil
}
wl, err := a.whitelist(ctx, c, projs)
if err != nil {
log.Warnf("could not get whitelist from management portal, returning last known config: %s")
return lastCfg, nil
}
log.Debugf("got whitelist: %+v", wl)
newCfg := &vchcfg.VirtualContainerHostConfigSpec{
Registry: vchcfg.Registry{RegistryWhitelist: wl},
}
a.mu.Lock()
defer a.mu.Unlock()
err = nil
if !a.diff(newCfg) {
err = dynamic.ErrConfigNotModified
}
a.lastCfg = newCfg
return newCfg, err
}
func (a *source) diff(newCfg *vchcfg.VirtualContainerHostConfigSpec) bool {
if a.lastCfg == nil {
if newCfg == nil {
return false
}
return true
}
if newCfg == nil {
return true
}
// compare whitelists
if len(a.lastCfg.RegistryWhitelist) != len(newCfg.RegistryWhitelist) {
return true
}
for _, w1 := range a.lastCfg.RegistryWhitelist {
found := false
for _, w2 := range newCfg.RegistryWhitelist {
if w2 == w1 {
found = true
break
}
}
if !found {
return true
}
}
return false
}
func (a *source) discover(ctx context.Context) (*client.Admiral, []string, error) {
a.mu.Lock()
c := a.c
v := a.v
a.mu.Unlock()
var vms []*vm.VirtualMachine
removed := true
if c != nil {
projs, err := a.projects(ctx, c)
if err != nil {
log.Debugf("could not get projects: %s", err)
vms = append(vms, v)
removed = false
} else if len(projs) > 0 {
return c, projs, nil
}
}
a.mu.Lock()
defer a.mu.Unlock()
if c != a.c && a.c != nil {
return a.c, a.projs, nil
}
var err error
// if there isn't a list of potential product VMs
// already, then run discovery
if removed {
log.Infof("running product VM discovery")
vms, err = a.d.Discover(ctx, a.sess)
if err != nil {
return nil, nil, err
}
}
for _, v := range vms {
u, token, err := admiralEndpoint(ctx, v)
if err != nil {
log.Warnf("ignoring potential product VM %s: %s", v, err)
continue
}
rt := rtclient.NewWithClient(u.Host, u.Path, []string{u.Scheme}, admClient)
rt.DefaultAuthentication = &admiralAuth{token: token}
c := client.New(rt, strfmt.Default)
projs, err := a.projects(ctx, c)
if err == nil && len(projs) > 0 {
log.Infof("using Admiral endpoint at %s", u)
a.c = c
a.projs = projs
a.v = v
return c, projs, nil
}
log.Warnf("ignoring product VM Admiral endpoint %s since it does not have the VCH added to any project", u)
}
if removed {
a.c = nil
a.v = nil
a.projs = nil
err = nil
} else {
// only return source unavailable if
// the VCH was not removed from the
// Admiral instance
err = dynamic.ErrSourceUnavailable
}
return nil, nil, err
}
func admiralEndpoint(ctx context.Context, v *vm.VirtualMachine) (*url.URL, string, error) {
values, err := keys(ctx, v, []string{admiralEndpointKey, admiralTokenKey})
if err != nil {
return nil, "", err
}
token := values[admiralTokenKey]
if token == "" {
// not a useable product installation
return nil, "", fmt.Errorf("empty token set in product VM %s", v)
}
u, err := url.Parse(values[admiralEndpointKey])
if err != nil {
return nil, "", fmt.Errorf("bad admiral endpoint %s in product VM %s: %s", values[admiralEndpointKey], v, err)
}
return u, token, nil
}
type admiralAuth struct {
token string
}
func (a *admiralAuth) AuthenticateRequest(req runtime.ClientRequest, _ strfmt.Registry) error {
return req.SetHeaderParam("x-xenon-auth-token", a.token)
}
func (a *source) projects(ctx context.Context, c *client.Admiral) ([]string, error) {
ids := []string{a.vchID}
if u, err := url.Parse(a.vchID); err == nil {
if u.Scheme == "" {
ids = append(ids, "https://"+a.vchID)
} else {
ids = append(ids, strings.TrimPrefix(a.vchID, u.Scheme+"://"))
}
}
var err error
var comps *resources_compute.GetResourcesComputeOK
for _, vchID := range ids {
filter := fmt.Sprintf(clusterFilter, vchID)
log.Debugf("getting compute resources with filter %s", filter)
comps, err = c.ResourcesCompute.GetResourcesCompute(resources_compute.NewGetResourcesComputeParamsWithContext(ctx).WithDollarFilter(&filter))
if err == nil && comps.Payload.DocumentCount > 0 {
break
}
}
if err != nil {
return nil, err
}
if comps.Payload.DocumentCount == 0 {
return nil, nil
}
// more than one project has the VCH added, just pick the first one
comp := &models.ComVmwarePhotonControllerModelResourcesComputeServiceComputeState{}
if err := mapstructure.Decode(comps.Payload.Documents[comps.Payload.DocumentLinks[0]], comp); err != nil {
return nil, err
}
return comp.TenantLinks, nil
}
func (a *source) whitelist(ctx context.Context, c *client.Admiral, hostProjs []string) ([]string, error) {
// find at least one project with enable content trust
// that also contains the vch
projs, err := c.Projects.GetProjects(projects.NewGetProjectsParamsWithContext(ctx).WithDollarFilter(&projectsFilter))
if err != nil {
return nil, err
}
trust := false
for _, t := range hostProjs {
for _, p := range projs.Payload.DocumentLinks {
if t == p {
trust = true
break
}
}
if trust {
break
}
}
if !trust {
// no project with enable content trust and vch
return nil, nil
}
regs, err := c.ConfigRegistries.GetConfigRegistriesID(config_registries.NewGetConfigRegistriesIDParamsWithContext(ctx).WithID(defaultVicRegistry))
if err != nil {
return nil, err
}
if regs.Payload == nil {
// No default VIC registry configured.
log.Warnf("no default VIC registry found despite content trust being enabled")
return nil, nil
}
m := regs.Payload
wl := []string{m.Address}
return wl, nil
}
type discovery interface {
Discover(ctx context.Context, sess *session.Session) ([]*vm.VirtualMachine, error)
}
type productDiscovery struct {
mu sync.Mutex
clients map[string]*tags.RestClient
}
func (o *productDiscovery) Discover(ctx context.Context, sess *session.Session) ([]*vm.VirtualMachine, error) {
service, err := url.Parse(sess.Service)
if err != nil {
return nil, err
}
service.User = sess.User
o.mu.Lock()
t := o.clients[service.String()]
if t == nil {
t = tags.NewClient(service, sess.Insecure, sess.Thumbprint)
o.clients[service.String()] = t
}
o.mu.Unlock()
var tag string
tag, err = findOVATag(ctx, t)
if err != nil {
err = errors.Errorf("could not find ova tag: %s", err)
return nil, err
}
objs, err := t.ListAttachedObjects(ctx, tag)
if err != nil || len(objs) == 0 {
err = errors.Errorf("could not find ova vm: %s", err)
return nil, err
}
var vms []*vm.VirtualMachine
for _, o := range objs {
if o.Type == nil || o.ID == nil {
log.Warnf("skipping invalid object reference %+v", o)
continue
}
if *o.Type != "VirtualMachine" {
// not a virtual machine
continue
}
v := vm.NewVirtualMachine(ctx, sess, types.ManagedObjectReference{Type: *o.Type, Value: *o.ID})
st, err := v.PowerState(ctx)
if err != nil {
log.Warnf("ignoring potential product VM: %s", err)
continue
}
if st != types.VirtualMachinePowerStatePoweredOn {
log.Warnf("ignoring potential product VM %s: not powered on", *o.ID)
continue
}
vms = append(vms, v)
}
return vms, nil
}
func findOVATag(ctx context.Context, t *tags.RestClient) (string, error) {
cats, err := t.GetCategoriesByName(ctx, VicProductCategory)
if err != nil {
return "", err
}
// just use the first one
if len(cats) == 0 {
return "", errors.New("could not find tag")
}
cat := cats[0]
tags, err := t.GetTagByNameForCategory(ctx, ProductVMTag, cat.ID)
if err != nil {
return "", err
}
if len(tags) == 0 {
return "", errors.New("could not find tag")
}
return tags[0].ID, nil
}
func keys(ctx context.Context, v *vm.VirtualMachine, keys []string) (map[string]string, error) {
ovs, err := v.FetchExtraConfigBaseOptions(ctx)
if err != nil {
return nil, err
}
res := make(map[string]string)
for _, k := range keys {
found := false
for _, ov := range ovs {
log.Debugf("key: %s", ov.GetOptionValue().Key)
if k == ov.GetOptionValue().Key {
log.Debugf("found %s", ov.GetOptionValue().Key)
res[k] = ov.GetOptionValue().Value.(string)
found = true
break
}
}
if !found {
return nil, errors.Errorf("key not found: %s", k)
}
}
return res, nil
}

72
vendor/github.com/vmware/vic/lib/config/dynamic/admiral/source_test.go generated vendored Normal file
View File

@@ -0,0 +1,72 @@
// Copyright 2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package admiral
import (
"context"
"flag"
"net/url"
"os"
"testing"
log "github.com/Sirupsen/logrus"
"github.com/vmware/vic/pkg/vsphere/session"
)
var (
target *string
user *string
password *string
thumbprint *string
vchID *string
)
func init() {
thumbprint = flag.String("thumbprint", "", "ESX/VC thumbprint")
target = flag.String("target", "", "ESX/VC target")
user = flag.String("user", "root", "ESX/VC username")
password = flag.String("password", "", "ESX/VC password")
vchID = flag.String("vch", "", "VCH docker endpoint")
}
func TestMain(m *testing.M) {
os.Exit(m.Run())
}
func TestGetConfig(t *testing.T) {
if target == nil || *target == "" {
t.SkipNow()
}
log.SetLevel(log.DebugLevel)
sess := session.NewSession(&session.Config{
Service: *target,
User: url.UserPassword(*user, *password),
Insecure: true,
Thumbprint: *thumbprint,
})
ctx := context.Background()
sess.Connect(ctx)
src := NewSource(sess, *vchID)
cfg, err := src.Get(ctx)
if err != nil {
log.Errorf("error: %s", err)
os.Exit(1)
}
log.Infof("%+v", cfg)
}

33976
vendor/github.com/vmware/vic/lib/config/dynamic/admiral/swagger.json generated vendored Normal file
View File

File diff suppressed because it is too large Load Diff

43
vendor/github.com/vmware/vic/lib/config/dynamic/dynamic.go generated vendored Normal file
View File

@@ -0,0 +1,43 @@
// Copyright 2016-2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package dynamic
import (
"context"
"errors"
"github.com/vmware/vic/lib/config"
)
var ErrConfigNotModified = errors.New("config not modified")
var ErrAccessDenied = errors.New("access denied")
var ErrSourceUnavailable = errors.New("source not available")
// Source is configuration source, remote or otherwise
type Source interface {
// Get returns a config object. If the remote/local source
// is not available, Get returns nil, with an error indicating
// what went wrong. If the configuration has not changed since
// the last time Get was called, it returns
// (nil, ErrConfigNotModified). If the remote/local source
// denies access, it returns (nil, ErrAccessDenied).
Get(ctx context.Context) (*config.VirtualContainerHostConfigSpec, error)
}
// Merger is used to merge two config objects
type Merger interface {
// Merge merges two config objects returning the resulting config.
Merge(orig, other *config.VirtualContainerHostConfigSpec) (*config.VirtualContainerHostConfigSpec, error)
}

134
vendor/github.com/vmware/vic/lib/config/dynamic/merger.go generated vendored Normal file
View File

@@ -0,0 +1,134 @@
// Copyright 2016-2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package dynamic
import (
"fmt"
"github.com/vmware/vic/lib/config"
"github.com/vmware/vic/pkg/registry"
)
type merger struct {
}
func NewMerger() Merger {
return &merger{}
}
// Merge merges two config objects together. For now only
// whitelist registries are merged.
func (m *merger) Merge(orig, other *config.VirtualContainerHostConfigSpec) (*config.VirtualContainerHostConfigSpec, error) {
// merge strategy:
//
// origWl empty, otherWl empty => empty
//
// origWl empty, otherWl not empty => otherWl
//
// origWl not empty, otherWl empty => origWl
//
// origWl not empty, otherWl not empty => merge result
// in this case, each entry in the resulting
// whitelist must be a more restrictive
// version of at least one entry in origWl
//
// The whitelist that is used is always otherWl
// in this case given that the above rule is not
// violated.
otherWl, err := ParseRegistries(other.RegistryWhitelist)
if err != nil {
return nil, err
}
origWl, err := ParseRegistries(orig.RegistryWhitelist)
if err != nil {
return nil, err
}
var wl registry.Set
if wl, err = origWl.Merge(otherWl, &whitelistMerger{}); err != nil {
return nil, err
}
if len(origWl) > 0 {
// check if every entry in wl is a subset of an
// entry in origWl
for _, e := range wl {
found := false
for _, o := range origWl {
if o.Contains(e) {
found = true
break
}
}
if !found {
return nil, fmt.Errorf("whitelist merge allows entries that are not in the original whitelist")
}
}
}
// only use otherWl if its non-empty
//
// if otherWl is empty and origWl is
// not empty, we use origWl, which
// should be the same as wl after the
// merge
if len(otherWl) > 0 {
wl = otherWl
}
res := *orig
res.RegistryWhitelist = wl.Strings()
return &res, nil
}
func ParseRegistries(regs []string) (registry.Set, error) {
var s registry.Set
for _, r := range regs {
e := registry.ParseEntry(r)
if e != nil {
s = append(s, e)
continue
}
return nil, fmt.Errorf("could not parse entry %s", r)
}
return s, nil
}
type whitelistMerger struct{}
// Merge merges two registry entries. The merge fails if merging orig and other would
// broaden orig's scope. The result of the merge is other if that is more restrictive.
// if orig equals other, the result is orig.
func (w *whitelistMerger) Merge(orig, other registry.Entry) (registry.Entry, error) {
if orig.Equal(other) {
return orig, nil
}
if other.Contains(orig) {
return nil, fmt.Errorf("merge of %s and %s would broaden %s", orig, other, orig)
}
// more restrictive result is OK
if orig.Contains(other) {
return other, nil
}
// no merge
return nil, nil
}

302
vendor/github.com/vmware/vic/lib/config/dynamic/merger_test.go generated vendored Normal file
View File

@@ -0,0 +1,302 @@
// Copyright 2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package dynamic
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/vmware/vic/lib/config"
"github.com/vmware/vic/pkg/registry"
)
func TestWhitelistMerger(t *testing.T) {
var tests = []struct {
orig, other registry.Entry
res registry.Entry
err error
}{
{
orig: registry.ParseEntry("10.10.10.10"),
other: registry.ParseEntry("10.10.10.10"),
res: registry.ParseEntry("10.10.10.10"),
},
{
orig: registry.ParseEntry("10.10.10.10"),
other: registry.ParseEntry("10.10.10.20"),
},
{
orig: registry.ParseEntry("10.10.10.10/24"),
other: registry.ParseEntry("10.10.10.10/24"),
res: registry.ParseEntry("10.10.10.10/24"),
},
{
other: registry.ParseEntry("10.10.10.10/24"),
orig: registry.ParseEntry("192.168.1.0/24"),
},
{
orig: registry.ParseEntry("10.10.10.10/24"),
other: registry.ParseEntry("10.10.10.10/16"),
err: assert.AnError,
},
{
orig: registry.ParseEntry("10.10.10.10/16"),
other: registry.ParseEntry("10.10.10.10/24"),
res: registry.ParseEntry("10.10.10.10/24"),
},
{
orig: registry.ParseEntry("*.google.com"),
other: registry.ParseEntry("*.google.com"),
res: registry.ParseEntry("*.google.com"),
},
{
orig: registry.ParseEntry("*.yahoo.com"),
other: registry.ParseEntry("*.google.com"),
},
{
orig: registry.ParseEntry("*.google.com"),
other: registry.ParseEntry("mail.google.com"),
res: registry.ParseEntry("mail.google.com"),
},
{
orig: registry.ParseEntry("mail.google.com"),
other: registry.ParseEntry("*.google.com"),
err: assert.AnError,
},
{
orig: registry.ParseEntry("192.168.1.1:123"),
other: registry.ParseEntry("192.168.1.1"),
err: assert.AnError,
},
{
orig: registry.ParseEntry("192.168.1.1"),
other: registry.ParseEntry("192.168.1.1:123"),
res: registry.ParseEntry("192.168.1.1"),
},
{
orig: registry.ParseEntry("foo:123"),
other: registry.ParseEntry("foo"),
err: assert.AnError,
},
{
orig: registry.ParseEntry("foo"),
other: registry.ParseEntry("foo:123"),
res: registry.ParseEntry("foo"),
},
{
orig: registry.ParseEntry("http://foo"),
other: registry.ParseEntry("foo:123"),
},
{
orig: registry.ParseEntry("http://foo"),
other: registry.ParseEntry("http://foo:123"),
},
{
orig: registry.ParseEntry("http://foo:123"),
other: registry.ParseEntry("http://foo"),
},
{
orig: registry.ParseEntry("http://foo/bar"),
other: registry.ParseEntry("http://foo"),
err: assert.AnError,
},
{
orig: registry.ParseEntry("https://foo/bar"),
other: registry.ParseEntry("http://foo/bar"),
},
{
orig: registry.ParseEntry("https://foo"),
other: registry.ParseEntry("foo"),
err: assert.AnError,
},
}
m := &whitelistMerger{}
for _, te := range tests {
res, err := m.Merge(te.orig, te.other)
if te.err == nil {
assert.Nil(t, err, "case: orig: %s, other: %s, err: %v, res: %s", te.orig, te.other, te.err, te.res)
} else {
assert.NotNil(t, err, "case: orig: %s, other: %s, err: %v, res: %s", te.orig, te.other, te.err, te.res)
}
if te.res == nil {
assert.Nil(t, res, "case: orig: %s, other: %s, err: %v, res: %s", te.orig, te.other, te.err, te.res)
} else {
assert.True(t, te.res.Equal(res), "%s merge %s, %s (expected) == %s (actual)", te.orig, te.other, te.res, res)
}
}
}
func TestMergerMergeWhitelist(t *testing.T) {
var tests = []struct {
orig, other, res *config.VirtualContainerHostConfigSpec
err error
}{
{
orig: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"docker.io"},
},
},
other: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: nil,
},
},
res: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"docker.io"},
},
},
},
// disallow the merge if the other whitelist
// has an entry that is not allowed on the
// original whitelist
{
orig: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"docker.io"},
},
},
other: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"foo.docker.io", "malicious.io"},
},
},
err: assert.AnError,
},
{
orig: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"*.docker.io"},
},
},
other: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"bar.docker.io", "foo.docker.io"},
},
},
res: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"bar.docker.io", "foo.docker.io"},
},
},
},
// result of a merge is always the other if
// its a subset of the original
{
orig: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"docker.io", "harbor.ci.local"},
},
},
other: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"docker.io"},
},
},
res: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"docker.io"},
},
},
},
// empty original whitelist and non-empty other
// whitelist results in other whitelist
{
orig: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: nil,
},
},
other: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"docker.io"},
},
},
res: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"docker.io"},
},
},
},
// more permissive other whitelist results in error
{
orig: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"foo.docker.io"},
},
},
other: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"*.docker.io"},
},
},
err: assert.AnError,
},
// less permissive other whitelist results in other whitelist
{
orig: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"*.docker.io"},
},
},
other: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"foo.docker.io"},
},
},
res: &config.VirtualContainerHostConfigSpec{
Registry: config.Registry{
RegistryWhitelist: []string{"foo.docker.io"},
},
},
},
}
m := NewMerger()
for _, te := range tests {
t.Logf("orig: %+v, other: %+v, err: %+v", te.orig.RegistryWhitelist, te.other.RegistryWhitelist, te.err)
if te.res != nil {
t.Logf("res: %+v", te.res.RegistryWhitelist)
}
res, err := m.Merge(te.orig, te.other)
if te.err != nil {
assert.NotNil(t, err, "expected error, got nil")
assert.Nil(t, res)
continue
}
assert.Nil(t, err, "expected no error, got \"%+v\"", err)
assert.NotNil(t, res)
assert.Len(t, res.RegistryWhitelist, len(te.res.RegistryWhitelist), "expected %v, got %v", te.res.RegistryWhitelist, res.RegistryWhitelist)
for i := range res.RegistryWhitelist {
found := false
for j := range te.res.RegistryWhitelist {
if res.RegistryWhitelist[i] == te.res.RegistryWhitelist[j] {
found = true
break
}
}
assert.True(t, found, "expected whitelist %v, got %v", te.res.RegistryWhitelist, res.RegistryWhitelist)
if !found {
t.FailNow()
}
}
}
}

329
vendor/github.com/vmware/vic/lib/config/executor/container_vm.go generated vendored Normal file
View File

@@ -0,0 +1,329 @@
// Copyright 2016-2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package executor
import (
"fmt"
"net/url"
"strings"
"time"
"github.com/vmware/vic/pkg/version"
)
type State int
const (
STARTED State = iota
EXITED
KILLED
)
// CopyMode type to define whether to copy data from the base image on mount
type CopyMode int
const (
// CopyNever Dont copy data on mount
CopyNever CopyMode = iota + 1
// CopyNew Copy data to the volume when it is first mounted
CopyNew
)
// Container network firewall trust configuration value
type TrustLevel int
const (
Unspecified TrustLevel = iota
Published
Open
Closed
Outbound
Peers
)
// Common data between managed entities, across execution environments
type Common struct {
// A reference to the components hosting execution environment, if any
ExecutionEnvironment string
// Unambiguous ID with meaning in the context of its hosting execution environment. Changing this definition will cause container backward compatibility issue. Please don't change this.
ID string `vic:"0.1" scope:"read-only" key:"id"`
// Convenience field to record a human readable name
Name string `vic:"0.1" scope:"read-only" key:"name"`
// Freeform notes related to the entity
Notes string `vic:"0.1" scope:"hidden" key:"notes"`
}
// Common data (specifically for a containerVM) between managed entities, across execution environments.
type ExecutorConfigCommon struct {
// A reference to the components hosting execution environment, if any
ExecutionEnvironment string
// Unambiguous ID with meaning in the context of its hosting execution environment
ID string `vic:"0.1" scope:"read-only" key:"id"`
// Convenience field to record a human readable name
Name string `vic:"0.1" scope:"hidden" key:"name"`
// Freeform notes related to the entity
Notes string `vic:"0.1" scope:"hidden" key:"notes"`
}
// Diagnostics records some basic control and lifecycle information for diagnostic purposes
type Diagnostics struct {
// Should debugging be enabled on whatever component this is and at what level
DebugLevel int `vic:"0.1" scope:"read-only" key:"debug"`
// RessurectionCount is a log of how many times the entity has been restarted due
// to error exit
ResurrectionCount int `vic:"0.1" scope:"read-write" key:"resurrections"`
// ExitLogs is a best effort record of the time of process death and the cause for
// restartable entities
ExitLogs []ExitLog `vic:"0.1" scope:"read-write" key:"exitlogs"`
// SyslogConfig holds configuration for connecting to a syslog
// server
SysLogConfig *SysLogConfig `vic:"0.1" scope:"read-only" key:"syslog"`
}
// SyslogConfig holds the configuration necessary to connect to a syslog server
type SysLogConfig struct {
// Network can be udp, tcp, udp6, or tcp6
Network string
// RAddr is the remote address of the syslog endpoint
RAddr string
}
// ExitLog records some basic diagnostics about anomalous exit for restartable entities
type ExitLog struct {
Time time.Time
ExitStatus int
Message string
}
// MountSpec details a mount that must be executed within the executor
// A mount is a URI -> path mapping with a credential of some kind
// In the case of a labeled disk:
// label://<label name> => </mnt/path>
type MountSpec struct {
// A URI->path mapping, e.g.
// May contain credentials
Source url.URL `vic:"0.1" scope:"read-only" key:"source"`
// The path in the executor at which this should be mounted
Path string `vic:"0.1" scope:"read-only" key:"dest"`
// Freeform mode string, which could translate directly to mount options
// We may want to turn this into a more structured form eventually
Mode string `vic:"0.1" scope:"read-only" key:"mode"`
// CopyMode specifies if data should be copied from the base image on first mount
CopyMode CopyMode `vic:"0.1" scope:"read-only" key:"copymode"`
}
// ContainerVM holds that data tightly associated with a containerVM, but that should not
// be visible to the guest. This is the external complement to ExecutorConfig.
type ContainerVM struct {
Common
// The version of the bootstrap image that this container was booted from.
Version string
// Name aliases for this specific container, Maps alias to unambiguous name
// This uses unambiguous name rather than reified network endpoint to persist
// the intent rather than a point-in-time manifesting of that intent.
Aliases map[string]string
// The location of the interaction service that the tether should connect to. Examples:
// * tcp://x.x.x.x:2377
// * vmci://moid - should this be an moid or a VMCI CID? Does one insulate us from reboots?
Interaction url.URL
// Key is the host key used during communicate back with the Interaction endpoint if any
// Used if the vSocket agent is responsible for authenticating the connection
AgentKey []byte
}
// ExecutorConfig holds the data tightly associated with an Executor. This is distinct from Sessions
// in that there is no process inherently associated - this is closer to a ThreadPool than a Thread and
// is the owner of the shared filesystem environment. This is the guest visible complement to ContainerVM.
type ExecutorConfig struct {
ExecutorConfigCommon `vic:"0.1" scope:"read-only" key:"common"`
// CreateTime stamp
CreateTime int64 `vic:"0.1" scope:"read-write" key:"createtime"`
// Diagnostics holds basic diagnostics data
Diagnostics Diagnostics `vic:"0.1" scope:"read-only" key:"diagnostics"`
// Sessions is the set of sessions currently hosted by this executor
// These are keyed by session ID
Sessions map[string]*SessionConfig `vic:"0.1" scope:"read-only" key:"sessions"`
// Execs is the set of non-persistent sessions hosted by this executor
Execs map[string]*SessionConfig `vic:"0.1" scope:"read-only,non-persistent" key:"execs"`
// Maps the mount name to the detail mount specification
Mounts map[string]MountSpec `vic:"0.1" scope:"read-only" key:"mounts"`
// This describes an executors presence on a network, and contains sufficient
// information to configure the interface in the guest.
Networks map[string]*NetworkEndpoint `vic:"0.1" scope:"read-only" key:"networks"`
// Key is the host key used during communicate back with the Interaction endpoint if any
// Used if the in-guest tether is responsible for authenticating the connection
Key []byte `vic:"0.1" scope:"read-only" key:"key"`
// Layer id that is backing this container VM
LayerID string `vic:"0.1" scope:"read-only" key:"layerid"`
// Image id that is backing this container VM
ImageID string `vic:"0.1" scope:"read-only" key:"imageid"`
// Blob metadata for the caller
Annotations map[string]string `vic:"0.1" scope:"hidden" key:"annotations"`
// Repository requested by user
// TODO: a bit docker specific
RepoName string `vic:"0.1" scope:"read-only" key:"repo"`
// version
Version *version.Build `vic:"0.1" scope:"read-only" key:"version"`
// AsymmetricRouting is set to true if the VCH needs to be setup for asymmetric routing
AsymmetricRouting bool `vic:"0.1" scope:"read-only" key:"asymrouting"`
// Hostname and domainname provided by personality
Hostname string `vic:"0.1" scope:"read-only" key:"hostname"`
Domainname string `vic:"0.1" scope:"read-only" key:"domainname"`
}
// Cmd is here because the encoding packages seem to have issues with the full exec.Cmd struct
type Cmd struct {
// Path is the command to run
Path string `vic:"0.1" scope:"read-only" key:"Path"`
// Args is the command line arguments including the command in Args[0]
Args []string `vic:"0.1" scope:"read-only" key:"Args"`
// Env specifies the environment of the process
Env []string `vic:"0.1" scope:"read-only" key:"Env"`
// Dir specifies the working directory of the command
Dir string `vic:"0.1" scope:"read-only" key:"Dir"`
}
// SessionConfig defines the content of a session - this maps to the root of a process tree
// inside an executor
// This is close to but not perfectly aligned with the new docker/docker/daemon/execdriver/driver:CommonProcessConfig
type SessionConfig struct {
// The primary session may have the same ID as the executor owning it
Common `vic:"0.1" scope:"read-only" key:"common"`
Detail `vic:"0.1" scope:"read-write" key:"detail"`
// The primary process for the session
Cmd Cmd `vic:"0.1" scope:"read-only" key:"cmd"`
// Allow attach
Attach bool `vic:"0.1" scope:"read-only" key:"attach"`
OpenStdin bool `vic:"0.1" scope:"read-only" key:"openstdin"`
// Delay launching the Cmd until an attach request comes
RunBlock bool `vic:"0.1" scope:"read-write" key:"runblock"`
// Should this config be activated or not
Active bool `vic:"0.1" scope:"read-only" key:"active"`
// Allocate a tty or not
Tty bool `vic:"0.1" scope:"read-only" key:"tty"`
ExitStatus int `vic:"0.1" scope:"read-write" key:"status"`
Started string `vic:"0.1" scope:"read-write" key:"started"`
Restart bool `vic:"0.1" scope:"read-only" key:"restart"`
// StopSignal is the signal name or number used to stop container session
StopSignal string `vic:"0.1" scope:"read-only" key:"stopSignal"`
// Diagnostics holds basic diagnostics data
Diagnostics Diagnostics `vic:"0.1" scope:"read-only" key:"diagnostics"`
// Maps the intent to the signal for this specific app
// Signals map[int]int
// Use struct composition to add in the guest specific portions
// http://attilaolah.eu/2014/09/10/json-and-struct-composition-in-go/
// ulimits
// user
// rootfs - within the container context
// User and group for setuid programs.
// Need to go here since UID/GID resolution must be done on appliance
User string `vic:"0.1" scope:"read-only" key:"User"`
Group string `vic:"0.1" scope:"read-only" key:"Group"`
}
type Detail struct {
// creation, started & stopped timestamps
CreateTime int64 `vic:"0.1" scope:"read-write" key:"createtime"`
StartTime int64 `vic:"0.1" scope:"read-write" key:"starttime"`
StopTime int64 `vic:"0.1" scope:"read-write" key:"stoptime"`
}
func (t TrustLevel) String() string {
switch t {
case Unspecified:
return ""
case Open:
return "open"
case Closed:
return "closed"
case Published:
return "published"
case Outbound:
return "outbound"
case Peers:
return "peers"
}
// Default setting, if unknown is published.
return "published"
}
func ParseTrustLevel(value string) (TrustLevel, error) {
var trust TrustLevel
switch strings.ToLower(value) {
case "open":
trust = Open
case "closed":
trust = Closed
case "published":
trust = Published
case "outbound":
trust = Outbound
case "peers":
trust = Peers
case "":
trust = Unspecified
default:
return Unspecified, fmt.Errorf("Unrecognized container trust level %s.", value)
}
return trust, nil
}

87
vendor/github.com/vmware/vic/lib/config/executor/network_interface.go generated vendored Normal file
View File

@@ -0,0 +1,87 @@
// Copyright 2016-2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package executor
import (
"net"
"github.com/vmware/vic/pkg/ip"
)
// NetworkEndpoint describes a network presence in the form a vNIC in sufficient detail that it can be:
// a. created - the vNIC added to a VM
// b. identified - the guestOS can determine which interface it corresponds to
// c. configured - the guestOS can configure the interface correctly
type NetworkEndpoint struct {
// Common.Name - the nic alias requested (only one name and one alias possible in linux)
// Common.ID - pci slot of the vnic allowing for interface identifcation in-guest
Common
// Whether this endpoint's IP was specified by the client (true if it was)
Static bool `vic:"0.1" scope:"read-only" key:"static"`
// IP address to assign
IP *net.IPNet `vic:"0.1" scope:"read-only" key:"ip"`
// Actual IP address assigned
Assigned net.IPNet `vic:"0.1" scope:"read-write" key:"assigned"`
// The network in which this information should be interpreted. This is embedded directly rather than
// as a pointer so that we can ensure the data is consistent
Network ContainerNetwork `vic:"0.1" scope:"read-only" key:"network"`
// The list of exposed ports on the container
Ports []string `vic:"0.1" scope:"read-only" key:"ports"`
// whether or not this represents an internal network
Internal bool `vic:"0.1" scope:"read-only" key:"internal"`
}
// ContainerNetwork is the data needed on a per container basis both for vSphere to ensure it's attached
// to the correct network, and in the guest to ensure the interface is correctly configured.
type ContainerNetwork struct {
// Common.Name - the symbolic name for the network, e.g. web or backend
// Common.ID - identifier of the underlay for the network
Common
Type string `vic:"0.1" scope:"read-write" key:"type"`
// Destinations is a list of CIDRs used for routing traffic to the gateway
Destinations []net.IPNet `vic:"0.1" scope:"read-only" key:"destinations"`
// The network scope the IP belongs to.
// The IP address is the default gateway
Gateway net.IPNet `vic:"0.1" scope:"read-only" key:"gateway"`
// Should this gateway be the default route for containers on the network
Default bool `vic:"0.1" scope:"read-only" key:"default"`
// The set of nameservers associated with this network - may be empty
Nameservers []net.IP `vic:"0.1" scope:"read-only" key:"dns"`
// The IP ranges for this network
Pools []ip.Range `vic:"0.1" scope:"read-only" key:"pools"`
// set of network wide links and aliases for this container on this network
Aliases []string `vic:"0.1" scope:"hidden" key:"aliases"`
// Level of trust configured for this network
TrustLevel
Assigned struct {
Gateway net.IPNet `vic:"0.1" scope:"read-write" key:"gateway"`
Nameservers []net.IP `vic:"0.1" scope:"read-write" key:"dns"`
} `vic:"0.1" scope:"read-write" key:"assigned"`
}

386
vendor/github.com/vmware/vic/lib/config/virtual_container_host.go generated vendored Normal file
View File

@@ -0,0 +1,386 @@
// Copyright 2016-2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package config
import (
"crypto/tls"
"crypto/x509"
"errors"
"net"
"net/mail"
"net/url"
"time"
"github.com/vmware/govmomi/vim25/types"
"github.com/vmware/vic/lib/config/executor"
"github.com/vmware/vic/pkg/certificate"
)
// PatternToken is a set of tokens that can be placed into string constants
// for containerVMs that will be replaced with the specific values
type PatternToken string
const (
// VM is the VM name - i.e. [ds] {vm}/{vm}.vmx
VMToken PatternToken = "{vm}"
// ID is the container ID for the VM
IDToken PatternToken = "{id}"
// Name is the container name of the VM
NameToken PatternToken = "{name}"
// The default naming pattern that gets applied if no convention is supplied
DefaultNamePattern = "{name}-{id}"
// ID represents the VCH in creating status, which helps to identify VCH VM which still does not have a valid VM moref set
CreatingVCH = "CreatingVCH"
PublicNetworkName = "public"
ClientNetworkName = "client"
ManagementNetworkName = "management"
PersonaService = "docker-personality"
PortLayerService = "port-layer"
VicAdminService = "vicadmin"
KubeletStarterService = "kubelet-starter"
GeneralHTTPProxy = "HTTP_PROXY"
GeneralHTTPSProxy = "HTTPS_PROXY"
VICAdminHTTPProxy = "VICADMIN_HTTP_PROXY"
VICAdminHTTPSProxy = "VICADMIN_HTTPS_PROXY"
AddPerms = "ADD"
)
func (p PatternToken) String() string {
return string(p)
}
// Can we just treat the VCH appliance as a containerVM booting off a specific bootstrap image
// It has many of the same requirements (around networks being attached, version recorded,
// volumes mounted, et al). Each of the components can easily be captured as a Session given they
// are simply processes.
// This would require that the bootstrap read session record for the VM and relaunch them - that
// actually aligns very well with containerVMs restarting their processes if restarted directly
// (this is obviously a behaviour we'd want to toggles for in regular containers).
// VirtualContainerHostConfigSpec holds the metadata for a Virtual Container Host that should be visible inside the appliance VM.
type VirtualContainerHostConfigSpec struct {
// The base config for the appliance. This includes the networks that are to be attached
// and disks to be mounted.
// Networks are keyed by interface name
executor.ExecutorConfig `vic:"0.1" scope:"read-only" key:"init"`
// vSphere connection configuration
Connection `vic:"0.1" scope:"read-only" key:"connect"`
// basic contact information
Contacts `vic:"0.1" scope:"read-only" key:"contact"`
// certificate configuration, for both inbound and outbound access
Certificate `vic:"0.1" scope:"read-only" key:"cert"`
// Port Layer - storage
Storage `vic:"0.1" scope:"read-only" key:"storage"`
// Port Layer - network
Network `vic:"0.1" scope:"read-only" key:"network"`
// Port Layer - exec
Container `vic:"0.1" scope:"read-only" key:"container"`
// Registry configuration for Imagec
Registry `vic:"0.1" scope:"read-only" key:"registry"`
// virtual kubelet specific options
Kubelet `vic:"0.1" scope:"read-only" key:"virtual_kubelet"`
// configuration for vic-machine
CreateBridgeNetwork bool `vic:"0.1" scope:"read-only" key:"create_bridge_network"`
// grant ops-user permissions, string instead of bool for future enhancements
GrantPermsLevel string `vic:"0.1" scope:"read-only" key:"grant_permissions"`
// vic-machine create options used to create or reconfigure the VCH
VicMachineCreateOptions []string `vic:"0.1" scope:"read-only" key:"vic_machine_create_options"`
}
// ContainerConfig holds the container configuration for a virtual container host
type Container struct {
// Default containerVM capacity
ContainerVMSize Resources `vic:"0.1" scope:"read-only" recurse:"depth=0"`
// Resource pools under which all containers will be created
ComputeResources []types.ManagedObjectReference `vic:"0.1" scope:"read-only"`
// Path of the ISO to use for bootstrapping containers
BootstrapImagePath string `vic:"0.1" scope:"read-only" key:"bootstrap_image_path"`
// Allow custom naming convention for containerVMs
ContainerNameConvention string
// Permitted datastore URLs for container storage for this virtual container host
ContainerStores []url.URL `vic:"0.1" scope:"read-only" recurse:"depth=0"`
}
// RegistryConfig defines the registries virtual container host can talk to
type Registry struct {
// Whitelist of registries
RegistryWhitelist []string `vic:"0.1" scope:"read-only" key:"whitelist_registries"`
// Blacklist of registries
RegistryBlacklist []string `vic:"0.1" scope:"read-only" recurse:"depth=0"`
// Insecure registries
InsecureRegistries []string `vic:"0.1" scope:"read-only" key:"insecure_registries"`
}
// Virtual Kubelet
type Kubelet struct {
KubernetesServerAddress string
KubeletConfigFile string
KubeletConfigContent string
}
// NetworkConfig defines the network configuration of virtual container host
type Network struct {
// The network to use by default to provide access to the world
BridgeNetwork string `vic:"0.1" scope:"read-only" key:"bridge_network"`
// Published networks available for containers to join, keyed by consumption name
ContainerNetworks map[string]*executor.ContainerNetwork `vic:"0.1" scope:"read-only" key:"container_networks"`
// The IP range for the bridge networks
BridgeIPRange *net.IPNet `vic:"0.1" scope:"read-only" key:"bridge-ip-range"`
// The width of each new bridge network
BridgeNetworkWidth *net.IPMask `vic:"0.1" scope:"read-only" key:"bridge-net-width"`
}
// StorageConfig defines the storage configuration including images and volumes
type Storage struct {
// Datastore URLs for image stores - the top layer is [0], the bottom layer is [len-1]
ImageStores []url.URL `vic:"0.1" scope:"read-only" key:"image_stores"`
// Permitted datastore URL roots for volumes
// Keyed by the volume store name (which is used by the docker user to
// refer to the datstore + path), valued by the datastores and the path.
VolumeLocations map[string]*url.URL `vic:"0.1" scope:"read-only"`
// default size for root image
ScratchSize int64 `vic:"0.1" scope:"read-only" key:"scratch_size"`
}
type Certificate struct {
// Certificates for user authentication - this needs to be expanded to allow for directory server auth
UserCertificates []*RawCertificate
// Certificates for general outgoing network access, keyed by CIDR (IPNet.String())
NetworkCertificates map[string]*RawCertificate
// The certificate used to validate the appliance to clients
HostCertificate *RawCertificate `vic:"0.1" scope:"read-only"`
// The CAs to validate client connections
CertificateAuthorities []byte `vic:"0.1" scope:"read-only"`
// The CAs to validate docker registry connections
RegistryCertificateAuthorities []byte `vic:"0.1" scope:"read-only"`
// Certificates for specific system access, keyed by FQDN
HostCertificates map[string]*RawCertificate
}
// Connection holds the vSphere connection configuration
type Connection struct {
// The sdk URL
Target string `vic:"0.1" scope:"read-only" key:"target"`
// Username for target login
Username string `vic:"0.1" scope:"read-only" key:"username"`
// Token is an SSO token or password
Token string `vic:"0.1" scope:"secret" key:"token"`
// TargetThumbprint is the SHA-1 digest of the Target's public certificate
TargetThumbprint string `vic:"0.1" scope:"read-only" key:"target_thumbprint"`
// The session timeout
Keepalive time.Duration `vic:"0.1" scope:"read-only" key:"keepalive"`
}
type Contacts struct {
// Administrative contact for the Virtual Container Host
Admin []mail.Address
// Administrative contact for hosting infrastructure
InfrastructureAdmin []mail.Address
}
// RawCertificate is present until we add extraconfig support for [][]byte slices that are present
// in tls.Certificate
type RawCertificate struct {
Key []byte `vic:"0.1" scope:"secret"`
Cert []byte
}
// CustomerExperienceImprovementProgram provides configuration for the phone home mechanism
// This is broken out so that we can have more granular configuration in here in the future
// and so that it is insulated from changes to Virtual Container Host structure
type CustomerExperienceImprovementProgram struct {
// The server target is as follows, where the uuid is the raw number, no dashes
// "https://vcsa.vmware.com/ph-stg/api/hyper/send?_v=1.0&_c=vic.1_0&_i="+vc.uuid
// If this is non-nil then it's enabled
CEIPGateway url.URL
}
// Resources is used instead of the ResourceAllocation structs in govmomi as
// those don't currently hold IO or storage related data.
type Resources struct {
CPU types.ResourceAllocationInfo
Memory types.ResourceAllocationInfo
IO types.ResourceAllocationInfo
Storage types.ResourceAllocationInfo
}
// SetHostCertificate sets the certificate for authenticting with the appliance itself
func (t *VirtualContainerHostConfigSpec) SetHostCertificate(key *[]byte) {
t.ExecutorConfig.Key = *key
}
// SetName sets the name of the VCH - this will be used as the hostname for the appliance
func (t *VirtualContainerHostConfigSpec) SetName(name string) {
t.ExecutorConfig.Name = name
}
// SetDebug configures the debug logging level for the VCH
func (t *VirtualContainerHostConfigSpec) SetDebug(level int) {
t.ExecutorConfig.Diagnostics.DebugLevel = level
}
// SetMoref sets the moref of the VCH - this allows components to acquire a handle to
// the appliance VM.
func (t *VirtualContainerHostConfigSpec) SetMoref(moref *types.ManagedObjectReference) {
if moref != nil {
t.ExecutorConfig.ID = moref.String()
}
}
// SetIsCreating sets the ID of the VCH to a constant if creating is true, to identify the creating VCH VM before the VM moref can be set into this property
// Reset the property back to empty string if creating is false
func (t *VirtualContainerHostConfigSpec) SetIsCreating(creating bool) {
if creating {
t.ExecutorConfig.ID = CreatingVCH
} else {
t.ExecutorConfig.ID = ""
}
}
// IsCreating is checking if this configuration is for one creating VCH VM
func (t *VirtualContainerHostConfigSpec) IsCreating() bool {
return t.ExecutorConfig.ID == CreatingVCH
}
func (t *VirtualContainerHostConfigSpec) SetGrantPerms() {
t.GrantPermsLevel = AddPerms
}
func (t *VirtualContainerHostConfigSpec) ClearGrantPerms() {
t.GrantPermsLevel = ""
}
func (t *VirtualContainerHostConfigSpec) ShouldGrantPerms() bool {
return t.GrantPermsLevel == AddPerms
}
// AddNetwork adds a network that will be configured on the appliance VM
func (t *VirtualContainerHostConfigSpec) AddNetwork(net *executor.NetworkEndpoint) {
if net != nil {
if t.ExecutorConfig.Networks == nil {
t.ExecutorConfig.Networks = make(map[string]*executor.NetworkEndpoint)
}
t.ExecutorConfig.Networks[net.Network.Name] = net
}
}
// AddContainerNetwork adds a network that will be configured on the appliance VM
func (t *VirtualContainerHostConfigSpec) AddContainerNetwork(net *executor.ContainerNetwork) {
if net != nil {
if t.ContainerNetworks == nil {
t.ContainerNetworks = make(map[string]*executor.ContainerNetwork)
}
t.ContainerNetworks[net.Name] = net
}
}
func (t *VirtualContainerHostConfigSpec) AddComponent(name string, component *executor.SessionConfig) {
if component != nil {
if t.ExecutorConfig.Sessions == nil {
t.ExecutorConfig.Sessions = make(map[string]*executor.SessionConfig)
}
if component.Name == "" {
component.Name = name
}
if component.ID == "" {
component.ID = name
}
t.ExecutorConfig.Sessions[name] = component
}
}
func (t *VirtualContainerHostConfigSpec) AddImageStore(url *url.URL) {
if url != nil {
t.ImageStores = append(t.ImageStores, *url)
}
}
func (t *VirtualContainerHostConfigSpec) AddVolumeLocation(name string, u *url.URL) {
if u != nil {
if t.VolumeLocations == nil {
t.VolumeLocations = make(map[string]*url.URL)
}
t.VolumeLocations[name] = u
}
}
// AddComputeResource adds a moref to the set of permitted root pools. It takes a ResourcePool rather than
// an inventory path to encourage validation.
func (t *VirtualContainerHostConfigSpec) AddComputeResource(pool *types.ManagedObjectReference) {
if pool != nil {
t.ComputeResources = append(t.ComputeResources, *pool)
}
}
func CreateSession(cmd string, args ...string) *executor.SessionConfig {
cfg := &executor.SessionConfig{
Cmd: executor.Cmd{
Path: cmd,
Args: []string{
cmd,
},
},
}
cfg.Cmd.Args = append(cfg.Cmd.Args, args...)
return cfg
}
func (t *RawCertificate) Certificate() (*tls.Certificate, error) {
if t.IsNil() {
return nil, errors.New("nil certificate")
}
cert, err := tls.X509KeyPair(t.Cert, t.Key)
return &cert, err
}
func (t *RawCertificate) X509Certificate() (*x509.Certificate, error) {
if t.IsNil() {
return nil, errors.New("nil certificate")
}
cert, _, err := certificate.ParseCertificate(t.Cert, t.Key)
return cert, err
}
func (t *RawCertificate) IsNil() bool {
if t == nil {
return true
}
return len(t.Cert) == 0 && len(t.Key) == 0
}