Prevents config from failing to save. Also clarifies any other errors that do occur. Fixes #1449
		
			
				
	
	
		
			121 lines
		
	
	
	
		
			4.1 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			121 lines
		
	
	
	
		
			4.1 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| import os
 | |
| import logging
 | |
| import json
 | |
| import base64
 | |
| 
 | |
| from requests import Request, Session
 | |
| 
 | |
| from util.config.provider.baseprovider import get_yaml, CannotWriteConfigException
 | |
| from util.config.provider.fileprovider import FileConfigProvider
 | |
| 
 | |
| logger = logging.getLogger(__name__)
 | |
| 
 | |
| KUBERNETES_API_HOST = os.environ.get('KUBERNETES_SERVICE_HOST', '')
 | |
| port = os.environ.get('KUBERNETES_SERVICE_PORT')
 | |
| if port:
 | |
|   KUBERNETES_API_HOST += ':' + port
 | |
| 
 | |
| SERVICE_ACCOUNT_TOKEN_PATH = '/var/run/secrets/kubernetes.io/serviceaccount/token'
 | |
| 
 | |
| QE_NAMESPACE = os.environ.get('QE_K8S_NAMESPACE', 'quay-enterprise')
 | |
| QE_CONFIG_SECRET = os.environ.get('QE_K8S_CONFIG_SECRET', 'quay-enterprise-config-secret')
 | |
| 
 | |
| class KubernetesConfigProvider(FileConfigProvider):
 | |
|   """ Implementation of the config provider that reads and writes configuration
 | |
|       data from a Kubernetes Secret. """
 | |
|   def __init__(self, config_volume, yaml_filename, py_filename):
 | |
|     super(KubernetesConfigProvider, self).__init__(config_volume, yaml_filename, py_filename)
 | |
| 
 | |
|     self.yaml_filename = yaml_filename
 | |
| 
 | |
|     # Load the service account token from the local store.
 | |
|     if not os.path.exists(SERVICE_ACCOUNT_TOKEN_PATH):
 | |
|       raise Exception('Cannot load Kubernetes service account token')
 | |
| 
 | |
|     with open(SERVICE_ACCOUNT_TOKEN_PATH, 'r') as f:
 | |
|       self._service_token = f.read()
 | |
| 
 | |
|     # Make sure the configuration volume exists.
 | |
|     if not self.volume_exists():
 | |
|       os.makedirs(config_volume)
 | |
| 
 | |
|   @property
 | |
|   def provider_id(self):
 | |
|     return 'k8s'
 | |
| 
 | |
|   def save_config(self, config_obj):
 | |
|     self._update_secret_file(self.yaml_filename, get_yaml(config_obj))
 | |
|     super(KubernetesConfigProvider, self).save_config(config_obj)
 | |
| 
 | |
|   def save_volume_file(self, filename, flask_file):
 | |
|     filepath = super(KubernetesConfigProvider, self).save_volume_file(filename, flask_file)
 | |
| 
 | |
|     try:
 | |
|       with open(filepath, 'r') as f:
 | |
|         self._update_secret_file(filename, f.read())
 | |
|     except IOError as ioe:
 | |
|       raise CannotWriteConfigException(str(ioe))
 | |
| 
 | |
|   def _assert_success(self, response):
 | |
|     if response.status_code != 200:
 | |
|       logger.error('Kubernetes API call failed with response: %s => %s', response.status_code,
 | |
|                    response.text)
 | |
|       raise CannotWriteConfigException('Kubernetes API call failed: %s' % response.text)
 | |
| 
 | |
|   def _update_secret_file(self, filename, value):
 | |
|     # Check first that the namespace for Quay Enterprise exists. If it does not, report that
 | |
|     # as an error, as it seems to be a common issue.
 | |
|     namespace_url = 'namespaces/%s' % (QE_NAMESPACE)
 | |
|     response = self._execute_k8s_api('GET', namespace_url)
 | |
|     if response.status_code != 200:
 | |
|       msg = 'A Kubernetes namespace with name `%s` must be created to save config' % QE_NAMESPACE
 | |
|       raise CannotWriteConfigException(msg)
 | |
| 
 | |
|     # Save the secret to the namespace.
 | |
|     secret_data = {}
 | |
|     secret_data[filename] = base64.b64encode(value)
 | |
| 
 | |
|     data = {
 | |
|       "kind": "Secret",
 | |
|       "apiVersion": "v1",
 | |
|       "metadata": {
 | |
|         "name": QE_CONFIG_SECRET
 | |
|       },
 | |
|       "data": secret_data
 | |
|     }
 | |
| 
 | |
|     secret_url = 'namespaces/%s/secrets/%s' % (QE_NAMESPACE, QE_CONFIG_SECRET)
 | |
|     secret = self._lookup_secret()
 | |
|     if not secret:
 | |
|       self._assert_success(self._execute_k8s_api('POST', secret_url, data))
 | |
|       return
 | |
| 
 | |
|     if not 'data' in secret:
 | |
|       secret['data'] = {}
 | |
| 
 | |
|     secret['data'][filename] = base64.b64encode(value)
 | |
|     self._assert_success(self._execute_k8s_api('PUT', secret_url, secret))
 | |
| 
 | |
| 
 | |
|   def _lookup_secret(self):
 | |
|     secret_url = 'namespaces/%s/secrets/%s' % (QE_NAMESPACE, QE_CONFIG_SECRET)
 | |
|     response = self._execute_k8s_api('GET', secret_url)
 | |
|     if response.status_code != 200:
 | |
|       return None
 | |
| 
 | |
|     return json.loads(response.text)
 | |
| 
 | |
|   def _execute_k8s_api(self, method, relative_url, data=None):
 | |
|     headers = {
 | |
|       'Authorization': 'Bearer ' + self._service_token
 | |
|     }
 | |
| 
 | |
|     if data:
 | |
|       headers['Content-Type'] = 'application/json'
 | |
| 
 | |
|     data = json.dumps(data) if data else None
 | |
|     session = Session()
 | |
|     url = 'https://%s/api/v1/%s' % (KUBERNETES_API_HOST, relative_url)
 | |
| 
 | |
|     request = Request(method, url, data=data, headers=headers)
 | |
|     return session.send(request.prepare(), verify=False, timeout=2)
 |