Add one-action transplant of kube secret

config_app/config_util/config/TransientDirectoryProvider.py

@@ -1,8 +1,12 @@
 import os
+import base64
+
 from backports.tempfile import TemporaryDirectory
 
 from config_app.config_util.config.fileprovider import FileConfigProvider
 from config_app.config_util.k8saccessor import KubernetesAccessorSingleton
+from util.config.validator import EXTRA_CA_DIRECTORY, EXTRA_CA_DIRECTORY_PREFIX
+
 
 
 class TransientDirectoryProvider(FileConfigProvider):
@@ -38,10 +42,21 @@ class TransientDirectoryProvider(FileConfigProvider):
     return self.config_volume
 
   def save_configuration_to_kubernetes(self):
-    config_path = self.get_config_dir_path()
+    data = {}
 
-    for name in os.listdir(config_path):
+    certs_dir = os.path.join(self.config_volume, EXTRA_CA_DIRECTORY)
+    if os.path.exists(certs_dir):
+      for extra_cert in os.listdir(certs_dir):
+        with open(os.path.join(certs_dir, extra_cert)) as f:
+          data[EXTRA_CA_DIRECTORY_PREFIX + extra_cert] = base64.b64encode(f.read())
+
+
+    for name in os.listdir(self.config_volume):
       file_path = os.path.join(self.config_volume, name)
-      KubernetesAccessorSingleton.get_instance().save_file_as_secret(name, file_path)
+      if not os.path.isdir(file_path):
+        with open(file_path) as f:
+          data[name] = base64.b64encode(f.read())
+
+    KubernetesAccessorSingleton.get_instance().replace_qe_secret(data)
 
     return 200

config_app/config_util/k8saccessor.py

@@ -35,10 +35,40 @@ class KubernetesAccessorSingleton(object):
 
     return cls._instance
 
-  def save_file_as_secret(self, name, file_path):
-    with open(file_path) as f:
-      value = f.read()
-      self._update_secret_file(name, value)
+  def save_file_as_secret(self, name, file_pointer):
+    value = file_pointer.read()
+    self._update_secret_file(name, value)
+
+  def replace_qe_secret(self, new_secret_data):
+    """
+    Removes the old config and replaces it with the new_secret_data as one action
+    """
+    # Check first that the namespace for Quay Enterprise exists. If it does not, report that
+    # as an error, as it seems to be a common issue.
+    namespace_url = 'namespaces/%s' % (self.kube_config.qe_namespace)
+    response = self._execute_k8s_api('GET', namespace_url)
+    if response.status_code // 100 != 2:
+      msg = 'A Kubernetes namespace with name `%s` must be created to save config' % self.kube_config.qe_namespace
+      raise Exception(msg)
+
+    # Check if the secret exists. If not, then we create an empty secret and then update the file
+    # inside.
+    secret_url = 'namespaces/%s/secrets/%s' % (self.kube_config.qe_namespace, self.kube_config.qe_config_secret)
+    secret = self._lookup_secret()
+    if secret is None:
+      self._assert_success(self._execute_k8s_api('POST', secret_url, {
+        "kind": "Secret",
+        "apiVersion": "v1",
+        "metadata": {
+          "name": self.kube_config.qe_config_secret
+        },
+        "data": {}
+      }))
+
+    # Update the secret to reflect the file change.
+    secret['data'] = new_secret_data
+
+    self._assert_success(self._execute_k8s_api('PUT', secret_url, secret))
 
   def get_qe_deployments(self):
     """"

util/config/validator.py

@@ -41,6 +41,7 @@ CONFIG_FILENAMES = (SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES + ACI_CERT_
                     LDAP_FILENAMES)
 CONFIG_FILE_SUFFIXES = ['-cloudfront-signing-key.pem']
 EXTRA_CA_DIRECTORY = 'extra_ca_certs'
+EXTRA_CA_DIRECTORY_PREFIX = 'extra_ca_certs_'
 
 VALIDATORS = {
   DatabaseValidator.name: DatabaseValidator.validate,