201 lines
7.4 KiB
Python
201 lines
7.4 KiB
Python
import logging
|
|
import json
|
|
import base64
|
|
import datetime
|
|
import os
|
|
|
|
from requests import Request, Session
|
|
from util.config.validator import EXTRA_CA_DIRECTORY, EXTRA_CA_DIRECTORY_PREFIX
|
|
|
|
from config_app.config_util.k8sconfig import KubernetesConfig
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
QE_DEPLOYMENT_LABEL = 'quay-enterprise-component'
|
|
|
|
|
|
class KubernetesAccessorSingleton(object):
|
|
""" Singleton allowing access to kubernetes operations """
|
|
_instance = None
|
|
|
|
def __init__(self, kube_config=None):
|
|
self.kube_config = kube_config
|
|
if kube_config is None:
|
|
self.kube_config = KubernetesConfig.from_env()
|
|
|
|
KubernetesAccessorSingleton._instance = self
|
|
|
|
@classmethod
|
|
def get_instance(cls, kube_config=None):
|
|
"""
|
|
Singleton getter implementation, returns the instance if one exists, otherwise creates the
|
|
instance and ties it to the class.
|
|
:return: KubernetesAccessorSingleton
|
|
"""
|
|
if cls._instance is None:
|
|
return cls(kube_config)
|
|
|
|
return cls._instance
|
|
|
|
def save_secret_to_directory(self, dir_path):
|
|
"""
|
|
Saves all files in the kubernetes secret to a local directory.
|
|
Assumes the directory is empty.
|
|
"""
|
|
secret = self._lookup_secret()
|
|
|
|
secret_data = secret.get('data', {})
|
|
|
|
# Make the `extra_ca_certs` dir to ensure we can populate extra certs
|
|
extra_ca_dir_path = os.path.join(dir_path, EXTRA_CA_DIRECTORY)
|
|
os.mkdir(extra_ca_dir_path)
|
|
|
|
for secret_filename, data in secret_data.iteritems():
|
|
write_path = os.path.join(dir_path, secret_filename)
|
|
|
|
if EXTRA_CA_DIRECTORY_PREFIX in secret_filename:
|
|
write_path = os.path.join(extra_ca_dir_path, secret_filename.replace(EXTRA_CA_DIRECTORY_PREFIX, ''))
|
|
|
|
with open(write_path, 'w') as f:
|
|
f.write(base64.b64decode(data))
|
|
|
|
return 200
|
|
|
|
def save_file_as_secret(self, name, file_pointer):
|
|
value = file_pointer.read()
|
|
self._update_secret_file(name, value)
|
|
|
|
def replace_qe_secret(self, new_secret_data):
|
|
"""
|
|
Removes the old config and replaces it with the new_secret_data as one action
|
|
"""
|
|
# Check first that the namespace for Quay Enterprise exists. If it does not, report that
|
|
# as an error, as it seems to be a common issue.
|
|
namespace_url = 'namespaces/%s' % (self.kube_config.qe_namespace)
|
|
response = self._execute_k8s_api('GET', namespace_url)
|
|
if response.status_code // 100 != 2:
|
|
msg = 'A Kubernetes namespace with name `%s` must be created to save config' % self.kube_config.qe_namespace
|
|
raise Exception(msg)
|
|
|
|
# Check if the secret exists. If not, then we create an empty secret and then update the file
|
|
# inside.
|
|
secret_url = 'namespaces/%s/secrets/%s' % (self.kube_config.qe_namespace, self.kube_config.qe_config_secret)
|
|
secret = self._lookup_secret()
|
|
if secret is None:
|
|
self._assert_success(self._execute_k8s_api('POST', secret_url, {
|
|
"kind": "Secret",
|
|
"apiVersion": "v1",
|
|
"metadata": {
|
|
"name": self.kube_config.qe_config_secret
|
|
},
|
|
"data": {}
|
|
}))
|
|
|
|
# Update the secret to reflect the file change.
|
|
secret['data'] = new_secret_data
|
|
|
|
self._assert_success(self._execute_k8s_api('PUT', secret_url, secret))
|
|
|
|
def get_qe_deployments(self):
|
|
""""
|
|
Returns all deployments matching the label selector provided in the KubeConfig
|
|
"""
|
|
deployment_selector_url = 'namespaces/%s/deployments?labelSelector=%s%%3D%s' % (
|
|
self.kube_config.qe_namespace, QE_DEPLOYMENT_LABEL, self.kube_config.qe_deployment_selector
|
|
)
|
|
|
|
response = self._execute_k8s_api('GET', deployment_selector_url, api_prefix='apis/extensions/v1beta1')
|
|
if response.status_code != 200:
|
|
return None
|
|
return json.loads(response.text)
|
|
|
|
def cycle_qe_deployments(self, deployment_names):
|
|
""""
|
|
Triggers a rollout of all desired deployments in the qe namespace
|
|
"""
|
|
|
|
for name in deployment_names:
|
|
logger.debug('Cycling deployment %s', name)
|
|
deployment_url = 'namespaces/%s/deployments/%s' % (self.kube_config.qe_namespace, name)
|
|
|
|
# There is currently no command to simply rolling restart all the pods: https://github.com/kubernetes/kubernetes/issues/13488
|
|
# Instead, we modify the template of the deployment with a dummy env variable to trigger a cycle of the pods
|
|
# (based off this comment: https://github.com/kubernetes/kubernetes/issues/13488#issuecomment-240393845)
|
|
self._assert_success(self._execute_k8s_api('PATCH', deployment_url, {
|
|
'spec': {
|
|
'template': {
|
|
'spec': {
|
|
'containers': [{
|
|
'name': 'quay-enterprise-app', 'env': [{
|
|
'name': 'RESTART_TIME',
|
|
'value': str(datetime.datetime.now())
|
|
}]
|
|
}]
|
|
}
|
|
}
|
|
}
|
|
}, api_prefix='apis/extensions/v1beta1', content_type='application/strategic-merge-patch+json'))
|
|
|
|
def _assert_success(self, response):
|
|
if response.status_code != 200:
|
|
logger.error('Kubernetes API call failed with response: %s => %s', response.status_code,
|
|
response.text)
|
|
raise Exception('Kubernetes API call failed: %s' % response.text)
|
|
|
|
def _update_secret_file(self, relative_file_path, value=None):
|
|
if '/' in relative_file_path:
|
|
raise Exception('Expected path from get_volume_path, but found slashes')
|
|
|
|
# Check first that the namespace for Quay Enterprise exists. If it does not, report that
|
|
# as an error, as it seems to be a common issue.
|
|
namespace_url = 'namespaces/%s' % (self.kube_config.qe_namespace)
|
|
response = self._execute_k8s_api('GET', namespace_url)
|
|
if response.status_code // 100 != 2:
|
|
msg = 'A Kubernetes namespace with name `%s` must be created to save config' % self.kube_config.qe_namespace
|
|
raise Exception(msg)
|
|
|
|
# Check if the secret exists. If not, then we create an empty secret and then update the file
|
|
# inside.
|
|
secret_url = 'namespaces/%s/secrets/%s' % (self.kube_config.qe_namespace, self.kube_config.qe_config_secret)
|
|
secret = self._lookup_secret()
|
|
if secret is None:
|
|
self._assert_success(self._execute_k8s_api('POST', secret_url, {
|
|
"kind": "Secret",
|
|
"apiVersion": "v1",
|
|
"metadata": {
|
|
"name": self.kube_config.qe_config_secret
|
|
},
|
|
"data": {}
|
|
}))
|
|
|
|
# Update the secret to reflect the file change.
|
|
secret['data'] = secret.get('data', {})
|
|
|
|
if value is not None:
|
|
secret['data'][relative_file_path] = base64.b64encode(value)
|
|
else:
|
|
secret['data'].pop(relative_file_path)
|
|
|
|
self._assert_success(self._execute_k8s_api('PUT', secret_url, secret))
|
|
|
|
def _lookup_secret(self):
|
|
secret_url = 'namespaces/%s/secrets/%s' % (self.kube_config.qe_namespace, self.kube_config.qe_config_secret)
|
|
response = self._execute_k8s_api('GET', secret_url)
|
|
if response.status_code != 200:
|
|
return None
|
|
return json.loads(response.text)
|
|
|
|
def _execute_k8s_api(self, method, relative_url, data=None, api_prefix='api/v1', content_type='application/json'):
|
|
headers = {
|
|
'Authorization': 'Bearer ' + self.kube_config.service_account_token
|
|
}
|
|
|
|
if data:
|
|
headers['Content-Type'] = content_type
|
|
|
|
data = json.dumps(data) if data else None
|
|
session = Session()
|
|
url = 'https://%s/%s/%s' % (self.kube_config.api_host, api_prefix, relative_url)
|
|
|
|
request = Request(method, url, data=data, headers=headers)
|
|
return session.send(request.prepare(), verify=False, timeout=2)
|