-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathtls.py
More file actions
165 lines (148 loc) · 6.85 KB
/
tls.py
File metadata and controls
165 lines (148 loc) · 6.85 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
import copy
import logging
from django.db import models
from django.db import transaction
from django.contrib.auth import get_user_model
from api.exceptions import AlreadyExists
from api.exceptions import ServiceUnavailable
from scheduler import KubeException
from .base import UuidAuditedModel
User = get_user_model()
logger = logging.getLogger(__name__)
def default_issuer():
return {
"email": "anonymous@cert-manager.io",
"server": "https://acme-v02.api.letsencrypt.org/directory",
"key_id": "",
"key_secret": "",
}
class TLS(UuidAuditedModel):
owner = models.ForeignKey(User, on_delete=models.PROTECT)
app = models.ForeignKey('App', on_delete=models.CASCADE)
issuer = models.JSONField(default=default_issuer)
https_enforced = models.BooleanField(null=True)
certs_auto_enabled = models.BooleanField(null=True)
def log(self, message, level=logging.INFO):
"""Logs a message in the context of this application.
This prefixes log messages with an application "tag" that the customized
drycc-logspout will be on the lookout for. When it's seen, the message-- usually
an application event of some sort like releasing or scaling, will be considered
as "belonging" to the application instead of the controller and will be handled
accordingly.
"""
logger.log(level, "[{}]: {}".format(self.app.id, message))
@property
def events(self):
def to_result(name, kind, condition):
return {
"name": name,
"kind": kind,
"time": condition["lastTransitionTime"],
"type": condition["type"],
"status": condition["status"],
"message": condition["message"],
}
results = []
name = namespace = self.app.id
response = self.scheduler().issuer.get(namespace, name, ignore_exception=True)
if response.status_code == 200:
for condition in response.json()["status"]["conditions"]:
results.append(to_result(name, "Issuer", condition))
name = f"{self.app.id}-auto-tls"
response = self.scheduler().certificate.get(namespace, name, ignore_exception=True)
if response.status_code == 200:
for condition in response.json()["status"]["conditions"]:
results.append(to_result(name, "Certificate", condition))
response = self.scheduler().certificaterequest.get(namespace, ignore_exception=True)
if response.status_code == 200:
for item in response.json()["items"]:
for condition in item["status"]["conditions"]:
results.append(to_result(
item["metadata"]["name"], "CertificateRequest", condition))
return results
def refresh_issuer_to_k8s(self):
name = namespace = self.app.id
try:
if self.issuer["key_id"] and self.issuer["key_secret"]:
self._refresh_secret_to_k8s()
data = copy.deepcopy(self.issuer)
data["parent_refs"] = [
{
"group": "gateway.networking.k8s.io",
"kind": "Gateway",
"name": gateway.name,
}
for gateway in self.app.gateway_set.all()
]
try:
version = self.scheduler().issuer.get(
namespace, name, ignore_exception=False).json()["metadata"]["resourceVersion"]
data.update({"version": version})
self.scheduler().issuer.put(namespace, name, **data)
except KubeException:
self.scheduler().issuer.create(namespace, name, **data)
except KubeException as e:
raise ServiceUnavailable('Kubernetes issuer could not be created') from e
def refresh_certificate_to_k8s(self):
namespace, name = self.app.id, f"{self.app.id}-auto-tls"
if self.certs_auto_enabled:
hosts = [domain.domain for domain in self.app.domain_set.all()]
if len(hosts) > 0:
response = self.scheduler().certificate.get(namespace, name)
if response.status_code == 200:
data = response.json()
version = data["metadata"]["resourceVersion"]
self.scheduler().certificate.put(namespace, name, hosts, version)
else:
self.log(
"certificate {} does not exist".format(namespace), level=logging.INFO)
self.scheduler().certificate.create(namespace, name, hosts)
else:
self.log("skip creating certificate, no domain name set", logging.WARNING)
else:
self.scheduler().certificate.delete(namespace, name, ignore_exception=True)
@transaction.atomic
def save(self, *args, **kwargs):
self._check_previous_tls_settings()
super(TLS, self).save(*args, **kwargs)
def __str__(self):
return "{}-{}".format(self.app.id, str(self.uuid)[:7])
def _check_previous_tls_settings(self):
"""
Only one value can be set at a time
If the other value is None, using the previous setting.
"""
try:
previous_tls_settings = self.app.tls_set.latest()
if self.https_enforced is not None:
if previous_tls_settings.https_enforced == self.https_enforced:
raise AlreadyExists(
"{} changed nothing".format(self.owner))
self.certs_auto_enabled = previous_tls_settings.certs_auto_enabled
elif self.certs_auto_enabled is not None:
if previous_tls_settings.certs_auto_enabled == self.certs_auto_enabled:
raise AlreadyExists(
"{} changed nothing".format(self.owner))
self.https_enforced = previous_tls_settings.https_enforced
previous_tls_settings.delete()
except TLS.DoesNotExist:
pass
def _refresh_secret_to_k8s(self):
secret_name = f"{self.app.id}-acme-external-account-binding-secret"
try:
try:
data = self.scheduler().secret.get(self.app.id, secret_name).json()
self.scheduler().secret.patch(self.app.id, secret_name, {
"secret": self.issuer["key_secret"],
"version": data["metadata"]["resourceVersion"],
})
except KubeException:
self.scheduler().secret.create(self.app.id, secret_name, {
"secret": self.issuer["key_secret"],
})
except KubeException as e:
raise ServiceUnavailable('Kubernetes secret could not be created') from e
class Meta:
get_latest_by = 'created'
unique_together = (('app', 'uuid'))
ordering = ['-created']