feat(k8s): match cert data structure to the TLS one for Ingress

helgi · helgi · commit 0da5d104b43a · 2016-04-13T18:36:09.000-07:00
http://kubernetes.io/docs/user-guide/ingress/#tls Fixes #576
diff --git a/rootfs/api/management/commands/load_db_state_to_k8s.py b/rootfs/api/management/commands/load_db_state_to_k8s.py
@@ -1,4 +1,5 @@
 from django.core.management.base import BaseCommand
+from django.shortcuts import get_object_or_404
 
 from api.models import Key, App, Domain, Certificate, Config
 
@@ -13,4 +14,11 @@ def handle(self, *args, **options):
         for model in (Key, App, Domain, Certificate, Config):
             for obj in model.objects.all():
                 obj.save()
+
+        # certificates have to be attached to domains to create k8s secrets
+        for cert in Certificate.objects.all():
+            for domain in cert.domains:
+                domain = get_object_or_404(Domain, domain=domain)
+                cert.attach_in_kubernetes(domain)
+
         print("Done Publishing DB state to k8s.")
diff --git a/rootfs/api/models/certificate.py b/rootfs/api/models/certificate.py
@@ -156,11 +156,6 @@ def delete(self, *args, **kwargs):
         return super(Certificate, self).delete(*args, **kwargs)
 
     def attach(self, *args, **kwargs):
-        data = {
-            'cert': self.certificate,
-            'key': self.key
-        }
-
         # add the certificate to the domain
         domain = get_object_or_404(Domain, domain=kwargs['domain'])
         if domain.certificate is not None:
@@ -169,14 +164,30 @@ def attach(self, *args, **kwargs):
         domain.certificate = self
         domain.save()
 
-        name = '%s-cert' % self.name
-        app = domain.app
-        # only create if it exists
+        # create in kubernetes
+        self.attach_in_kubernetes(domain)
+
+    def attach_in_kubernetes(self, domain):
+        """Creates the certificate as a kubernetes secret"""
+        # only create if it exists - We raise an exception when a secret doesn't exist
         try:
-            # We raise an exception when a secret doesn't exist
-            self._scheduler._get_secret(app, name)
+            name = '%s-cert' % self.name
+            app = domain.app
+            data = {
+                'tls.crt': self.certificate,
+                'tls.key': self.key
+            }
+
+            secret = self._scheduler._get_secret(app, name).json()['data']
         except KubeHTTPException:
             self._scheduler._create_secret(app, name, data)
+        else:
+            # update cert secret to the TLS Ingress format if required
+            if secret != data:
+                try:
+                    self._scheduler._update_secret(app, name, data)
+                except KubeHTTPException:
+                    raise
 
         # get config for the service
         config = self._load_service_config(app, 'router')
