ref(scheduler): generate secrets manifest for create and update secrets

Move to the same model as Pod building. Also moves update secret to generate a whole new object to overwrite the previous one instead of just updating the data element
Unifies the base64 encoding and how labels are applied

Author: helgi

rootfs/api/models/certificate.py

@@ -173,27 +173,27 @@ def attach_in_kubernetes(self, domain):
         # only create if it exists - We raise an exception when a secret doesn't exist
         try:
             name = '%s-cert' % self.name
-            app = domain.app
+            namespace = domain.app.id
             data = {
                 'tls.crt': self.certificate,
                 'tls.key': self.key
             }
 
-            secret = self._scheduler.get_secret(app, name).json()['data']
+            secret = self._scheduler.get_secret(namespace, name).json()['data']
         except KubeException:
-            self._scheduler.create_secret(app, name, data)
+            self._scheduler.create_secret(namespace, name, data)
         else:
             # update cert secret to the TLS Ingress format if required
             if secret != data:
                 try:
-                    self._scheduler.update_secret(app, name, data)
+                    self._scheduler.update_secret(namespace, name, data)
                 except KubeException as e:
                     msg = 'There was a problem updating the certificate secret ' \
-                          '{} for {}'.format(name, app)
+                          '{} for {}'.format(name, namespace)
                     raise ServiceUnavailable(msg) from e
 
         # get config for the service
-        config = self._load_service_config(app, 'router')
+        config = self._load_service_config(namespace, 'router')
 
         # See if certificates are available
         if 'certificates' not in config:
@@ -206,7 +206,7 @@ def attach_in_kubernetes(self, domain):
             certificates.append(cert)
         config['certificates'] = ','.join(certificates)
 
-        self._save_service_config(app, 'router', config)
+        self._save_service_config(namespace, 'router', config)
 
     def detach(self, *args, **kwargs):
         # remove the certificate from the domain
@@ -215,19 +215,19 @@ def detach(self, *args, **kwargs):
         domain.save()
 
         name = '%s-cert' % self.name
-        app = domain.app
+        namespace = domain.app.id
 
         # only delete if it exists and if no other domains depend on secret
         if len(self.domains) == 0:
             try:
                 # We raise an exception when a secret doesn't exist
-                self._scheduler.get_secret(app, name)
-                self._scheduler.delete_secret(app, name)
+                self._scheduler.get_secret(namespace, name)
+                self._scheduler.delete_secret(namespace, name)
             except KubeException as e:
-                raise ServiceUnavailable("Could not delete certificate secret {} for application {}".format(name, app)) from e  # noqa
+                raise ServiceUnavailable("Could not delete certificate secret {} for application {}".format(name, namespace)) from e  # noqa
 
         # get config for the service
-        config = self._load_service_config(app, 'router')
+        config = self._load_service_config(namespace, 'router')
 
         # See if certificates are available
         if 'certificates' not in config:
@@ -240,4 +240,4 @@ def detach(self, *args, **kwargs):
             certificates.remove(cert)
         config['certificates'] = ','.join(certificates)
 
-        self._save_service_config(app, 'router', config)
+        self._save_service_config(namespace, 'router', config)

rootfs/scheduler/__init__.py

@@ -41,19 +41,6 @@
     heritage: deis
 """
 
-SECRET_TEMPLATE = """\
-kind: Secret
-apiVersion: v1
-metadata:
-  name: $name
-  namespace: $id
-  labels:
-    app: $id
-    heritage: deis
-type: $type
-data: {}
-"""
-
 
 class KubeException(Exception):
     def __init__(self, *args, **kwargs):
@@ -454,6 +441,11 @@ def _set_container(self, namespace, container_name, data, **kwargs):  # noqa
         if env:
             # env vars are stored in secrets and mapped to env in k8s
             try:
+                labels = {
+                    'version': kwargs.get('version'),
+                    'type': 'env'
+                }
+
                 # secrets use dns labels for keys, map those properly here
                 secrets_env = {}
                 for key, value in env.items():
@@ -462,13 +454,9 @@ def _set_container(self, namespace, container_name, data, **kwargs):  # noqa
                 secret_name = "{}-{}-env".format(namespace, kwargs.get('version'))
                 self.get_secret(namespace, secret_name)
             except KubeHTTPException:
-                labels = {
-                    'version': kwargs.get('version'),
-                    'type': 'env'
-                }
                 self.create_secret(namespace, secret_name, secrets_env, labels=labels)
             else:
-                self.update_secret(namespace, secret_name, secrets_env)
+                self.update_secret(namespace, secret_name, secrets_env, labels=labels)
 
             for key in env.keys():
                 item = {
@@ -562,7 +550,12 @@ def _set_image_secret(self, data, namespace, **kwargs):
                 secret_type='kubernetes.io/dockerconfigjson'
             )
         else:
-            self.update_secret(namespace, secret_name, secret_data)
+            self.update_secret(
+                namespace,
+                secret_name,
+                secret_data,
+                secret_type='kubernetes.io/dockerconfigjson'
+            )
 
         # apply image pull secret to a Pod spec
         data['imagePullSecrets'] = [{'name': secret_name}]
@@ -1030,7 +1023,7 @@ def _default_dockerapp_readiness_probe(self, port, delay=5, timeout=5, period_se
         return readinessprobe
 
     # SECRETS #
-    # http://kubernetes.io/v1.1/docs/api-reference/v1/definitions.html#_v1_secret
+    # http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_secret
     def get_secret(self, namespace, name):
         url = self._api("/namespaces/{}/secrets/{}", namespace, name)
         response = self.session.get(url)
@@ -1060,25 +1053,38 @@ def get_secrets(self, namespace, **kwargs):
 
         return response
 
-    def create_secret(self, namespace, name, data, secret_type='Opaque', labels={}):
+    def _build_secret_manifest(self, namespace, name, data, secret_type='Opaque', labels={}):
         secret_types = ['Opaque', 'kubernetes.io/dockerconfigjson']
         if secret_type not in secret_types:
             raise KubeException('{} is not a supported secret type. Use one of the following: '.format(secret_type, ', '.join(secret_types)))  # noqa
 
-        manifest = ruamel.yaml.load(string.Template(SECRET_TEMPLATE).substitute({
-            "id": namespace,
-            "name": name,
-            "type": secret_type
-        }))
+        manifest = {
+            'kind': 'Secret',
+            'apiVersion': 'v1',
+            'metadata': {
+                'name': name,
+                'namespace': namespace,
+                'labels': {
+                    'app': namespace,
+                    'heritage': 'deis'
+                }
+            },
+            'type': secret_type,
+            'data': {}
+        }
 
         # add in any additional label info
         manifest['metadata']['labels'].update(labels)
 
         for key, value in data.items():
             value = value if isinstance(value, bytes) else bytes(value, 'UTF-8')
             item = base64.b64encode(value).decode(encoding='UTF-8')
-            manifest["data"].update({key: item})
+            manifest['data'].update({key: item})
+
+        return manifest
 
+    def create_secret(self, namespace, name, data, secret_type='Opaque', labels={}):
+        manifest = self._build_secret_manifest(namespace, name, data, secret_type, labels)
         url = self._api("/namespaces/{}/secrets", namespace)
         response = self.session.post(url, json=manifest)
         if unhealthy(response.status_code):
@@ -1089,17 +1095,10 @@ def create_secret(self, namespace, name, data, secret_type='Opaque', labels={}):
 
         return response
 
-    def update_secret(self, namespace, name, data):
-        # only update the data attribute
-        secret = self.get_secret(namespace, name).json()
-
-        for key, value in data.items():
-            value = value if isinstance(value, bytes) else bytes(value, 'UTF-8')
-            item = base64.b64encode(value).decode(encoding='UTF-8')
-            secret["data"].update({key: item})
-
+    def update_secret(self, namespace, name, data, secret_type='Opaque', labels={}):
+        manifest = self._build_secret_manifest(namespace, name, data, secret_type, labels)
         url = self._api("/namespaces/{}/secrets/{}", namespace, name)
-        response = self.session.put(url, json=secret)
+        response = self.session.put(url, json=manifest)
         if unhealthy(response.status_code):
             raise KubeHTTPException(
                 response,