feat(certificate): add cert-manager certificate api

Author: duanhongyi

charts/controller/templates/controller-clusterrole.yaml

@@ -55,6 +55,6 @@ rules:
   verbs: ["get", "list", "watch", "create", "update", "delete"]
 - apiGroups: ["certmanager.k8s.io"]
   resources: ["certificates", "issuers"]
-  verbs: ["get", "list", "watch", "create", "delete", "deletecollection", "patch", "update"]
+  verbs: ["get", "list", "watch", "create", "update", "delete"]
 {{- end -}}
 {{- end -}}

rootfs/api/models/app.py

@@ -158,6 +158,68 @@ def _get_entrypoint(self, container_type):
             entrypoint = ['/bin/bash', '-c']
 
         return entrypoint
+    
+    def _refresh_tls(self, certs_auto_enabled, hosts):
+        namespace = name = self.id
+        try:
+            data = self._scheduler.certificate.get(namespace, name).json()
+        except KubeException:
+            self.log("certificate {} does not exist".format(namespace), level=logging.INFO)
+            data = None
+        
+        if certs_auto_enabled:
+            if data:
+                version = data["metadata"]["resourceVersion"]
+                self._scheduler.certificate.put(
+                    namespace, name, settings.INGRESS_CLASS, hosts, version)
+            else:
+                self._scheduler.certificate.create(
+                    namespace, name, settings.INGRESS_CLASS, hosts)
+        elif data:
+            self._scheduler.certificate.delete(namespace, name)
+    
+    def _refresh_ingress(self, hosts, tls_map, ssl_redirect):
+        ingress = namespace = self.id
+        # Put Ingress
+        kwargs = {
+            "hosts": hosts,
+            "tls": [{"secretName": k, "hosts": v} for k, v in tls_map.items()],
+            "ssl_redirect": ssl_redirect
+        }
+        whitelist = self.appsettings_set.latest().whitelist
+        if whitelist: kwargs.update({"whitelist": whitelist})
+        data = self._scheduler.ingress.get(namespace, ingress).json()
+        version = data["metadata"]["resourceVersion"]
+        self._scheduler.ingress.put(
+            ingress, settings.INGRESS_CLASS, namespace, version, **kwargs)
+
+    def _refresh_ingress_and_tls(self):
+        ingress = self.id
+        hosts, tls_map = [], {}
+
+        tls = self.tls_set.latest()
+        ssl_redirect = "true" if bool(tls.https_enforced) else "false"
+        certs_auto_enabled = bool(tls.certs_auto_enabled)
+
+        for domain in Domain.objects.filter(app=self):
+            if str(domain.domain) == self.id:
+                host = "%s.%s" % (ingress, settings.PLATFORM_DOMAIN)
+            else:
+                host = str(domain.domain)
+            hosts.append(host)
+            if certs_auto_enabled or domain.certificate:
+                if certs_auto_enabled:
+                    secret_name = '%s-auto-tls' % self.id
+                elif domain.certificate:
+                    secret_name = '%s-cert' % domain.certificate.name
+                if secret_name not in tls_map:
+                    tls_map[secret_name] = []
+                tls_map[secret_name].append(host)
+        self._refresh_ingress(hosts, tls_map, ssl_redirect)
+        self._refresh_tls(certs_auto_enabled, hosts)
+    
+    def refresh(self):
+        self._refresh_ingress_and_tls()
 
     def log(self, message, level=logging.INFO):
         """Logs a message in the context of this application.
@@ -190,9 +252,7 @@ def create(self, *args, **kwargs):  # noqa
             )
 
         # create required minimum resources in k8s for the application
-        namespace = self.id
-        ingress = self.id
-        service = self.id
+        namespace = ingress = service = self.id
         quota_name = '{}-quota'.format(self.id)
         try:
             self.log('creating Namespace {} and services'.format(namespace), level=logging.DEBUG)
@@ -234,13 +294,13 @@ def create(self, *args, **kwargs):  # noqa
                 if ingress == "":
                     raise ServiceUnavailable('Empty hostname')
                 try:
-                    self._scheduler.ingress.get(ingress)
+                    self._scheduler.ingress.get(namespace, ingress)
                 except KubeException:
                     self.log("creating Ingress {}".format(namespace), level=logging.INFO)
                     host = "%s.%s" % (ingress, settings.PLATFORM_DOMAIN)
                     self._scheduler.ingress.create(
                         ingress, settings.INGRESS_CLASS, namespace,
-                        hosts=[host, ], tls=[])
+                        hosts=[host, ])
         except KubeException as e:
             raise ServiceUnavailable('Could not create Ingress in Kubernetes') from e
         try:
@@ -572,13 +632,8 @@ def deploy(self, release, force_deploy=False, rollback_on_failure=True):  # noqa
         # let initial deploy settle before routing traffic to the application
         if deploys and app_type:
             app_settings = self.appsettings_set.latest()
-            if app_settings.whitelist:
-                addresses = ",".join(address for address in app_settings.whitelist)
-            else:
-                addresses = None
             service_annotations = {
                 'maintenance': app_settings.maintenance,
-                'whitelist': addresses
             }
 
             routable = deploys[app_type].get('routable')
@@ -950,24 +1005,6 @@ def _update_application_service(self, namespace, app_type, port, routable=False,
             self._scheduler.svc.update(namespace, namespace, data=old_service)
             raise ServiceUnavailable(str(e)) from e
 
-    def whitelist(self, whitelist):
-        """
-        Add/ Delete addresses to application whitelist
-        """
-        service = self._fetch_service_config(self.id)
-
-        try:
-            if whitelist:
-                addresses = ",".join(address for address in whitelist)
-                service['metadata']['annotations']['router.drycc.cc/whitelist'] = addresses
-            elif 'router.drycc.cc/whitelist' in service['metadata']['annotations']:
-                service['metadata']['annotations'].pop('router.drycc.cc/whitelist', None)
-            else:
-                return
-            self._scheduler.svc.update(self.id, self.id, data=service)
-        except KubeException as e:
-            raise ServiceUnavailable(str(e)) from e
-
     def autoscale(self, proc_type, autoscale):
         """
         Set autoscale rules for the application

rootfs/api/models/certificate.py

@@ -172,12 +172,10 @@ def attach(self, *args, **kwargs):
         domain = get_object_or_404(Domain, domain=kwargs['domain'])
         if domain.certificate is not None:
             raise AlreadyExists("Domain already has a certificate attached to it")
-
-        domain.certificate = self
-        domain.save()
-
         # create in kubernetes
         self.attach_in_kubernetes(domain)
+        domain.certificate = self
+        domain.save()
 
     def attach_in_kubernetes(self, domain):
         """Creates the certificate as a kubernetes secret"""
@@ -203,22 +201,6 @@ def attach_in_kubernetes(self, domain):
                           '{} for {}'.format(name, namespace)
                     raise ServiceUnavailable(msg) from e
 
-        # get config for the service
-        config = self._load_service_config(namespace, 'router')
-
-        # See if certificates are available
-        if 'certificates' not in config:
-            config['certificates'] = ''
-
-        # convert from string to list to work with and filter out empty strings
-        cert = '{}:{}'.format(domain.domain, self.name)
-        certificates = [_f for _f in config['certificates'].split(',') if _f]
-        if cert not in certificates:
-            certificates.append(cert)
-        config['certificates'] = ','.join(certificates)
-
-        self._save_service_config(namespace, 'router', config)
-
     def detach(self, *args, **kwargs):
         # remove the certificate from the domain
         domain = get_object_or_404(Domain, domain=kwargs['domain'])
@@ -235,20 +217,4 @@ def detach(self, *args, **kwargs):
                 self._scheduler.secret.get(namespace, name)
                 self._scheduler.secret.delete(namespace, name)
             except KubeException as e:
-                raise ServiceUnavailable("Could not delete certificate secret {} for application {}".format(name, namespace)) from e  # noqa
-
-        # get config for the service
-        config = self._load_service_config(namespace, 'router')
-
-        # See if certificates are available
-        if 'certificates' not in config:
-            config['certificates'] = ''
-
-        # convert from string to list to work with and filter out empty strings
-        cert = '{}:{}'.format(domain.domain, self.name)
-        certificates = [_f for _f in config['certificates'].split(',') if _f]
-        if cert in certificates:
-            certificates.remove(cert)
-        config['certificates'] = ','.join(certificates)
-
-        self._save_service_config(namespace, 'router', config)
+                raise ServiceUnavailable("Could not delete certificate secret {} for application {}".format(name, namespace)) from e  # noqa

rootfs/api/models/domain.py

@@ -1,5 +1,6 @@
 from django.db import models
 from django.conf import settings
+from django.db import transaction
 
 from api.models import AuditedModel
 
@@ -23,53 +24,24 @@ class Domain(AuditedModel):
     class Meta:
         ordering = ['domain', 'certificate']
 
+    @transaction.atomic
     def save(self, *args, **kwargs):
-        app = str(self.app)
-        domain = str(self.domain)
-
-        # get config for the service
-        config = self._load_service_config(app, 'router')
-
-        # See if domains are available
-        if 'domains' not in config:
-            config['domains'] = ''
-
-        # convert from string to list to work with and filter out empty strings
-        domains = [_f for _f in config['domains'].split(',') if _f]
-        if domain not in domains:
-            domains.append(domain)
-        config['domains'] = ','.join(domains)
-
-        self._save_service_config(app, 'router', config)
-
-        # Save to DB
-        return super(Domain, self).save(*args, **kwargs)
+        try:
+            # Save to DB
+            return super(Domain, self).save(*args, **kwargs)
+        finally:
+            self.app.refresh()
 
+    @transaction.atomic
     def delete(self, *args, **kwargs):
-        app = str(self.app)
-        domain = str(self.domain)
-
         # Deatch cert, updates k8s
         if self.certificate:
-            self.certificate.detach(domain=domain)
-
-        # get config for the service
-        config = self._load_service_config(app, 'router')
-
-        # See if domains are available
-        if 'domains' not in config:
-            config['domains'] = ''
-
-        # convert from string to list to work with and filter out empty strings
-        domains = [_f for _f in config['domains'].split(',') if _f]
-        if domain in domains:
-            domains.remove(domain)
-        config['domains'] = ','.join(domains)
-
-        self._save_service_config(app, 'router', config)
-
-        # Delete from DB
-        return super(Domain, self).delete(*args, **kwargs)
+            self.certificate.detach(domain=str(self.domain))
+        try:
+            # Delete from DB
+            return super(Domain, self).delete(*args, **kwargs)
+        finally:
+            self.app.refresh()
 
     def __str__(self):
         return self.domain

rootfs/api/models/tls.py

@@ -9,6 +9,7 @@ class TLS(UuidAuditedModel):
     owner = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.PROTECT)
     app = models.ForeignKey('App', on_delete=models.CASCADE)
     https_enforced = models.NullBooleanField(default=None)
+    certs_auto_enabled = models.NullBooleanField(default=None)
 
     class Meta:
         get_latest_by = 'created'
@@ -18,57 +19,38 @@ class Meta:
     def __str__(self):
         return "{}-{}".format(self.app.id, str(self.uuid)[:7])
 
-    def _load_service_config(self, app, component):
-        config = super()._load_service_config(app, component)
-
-        # See if the ssl.enforce annotation is available
-        if 'ssl' not in config:
-            config['ssl'] = {}
-        if 'enforce' not in config['ssl']:
-            config['ssl']['enforce'] = 'false'
-
-        return config
-
     def _check_previous_tls_settings(self):
+        """
+        Only one value can be set at a time
+        If the other value is None, using the previous setting.
+        """
         try:
             previous_tls_settings = self.app.tls_set.latest()
-
-            if (
-                previous_tls_settings.https_enforced is not None and
-                self.https_enforced == previous_tls_settings.https_enforced
-            ):
-                self.delete()
-                raise AlreadyExists("{} changed nothing".format(self.owner))
+            if self.https_enforced is not None:
+                if previous_tls_settings.https_enforced == self.https_enforced:
+                    raise AlreadyExists(
+                        "{} changed nothing".format(self.owner))
+                self.certs_auto_enabled = \
+                        previous_tls_settings.certs_auto_enabled
+            elif self.certs_auto_enabled is not None:
+                if previous_tls_settings.certs_auto_enabled == \
+                        self.certs_auto_enabled:
+                    raise AlreadyExists(
+                        "{} changed nothing".format(self.owner))
+                self.https_enforced = previous_tls_settings.https_enforced
+            previous_tls_settings.delete()
         except TLS.DoesNotExist:
             pass
 
     def save(self, *args, **kwargs):
         self._check_previous_tls_settings()
+        try:
+            # Save to DB
+            return super(TLS, self).save(*args, **kwargs)
+        finally:
+            self.app.refresh()
 
-        app = str(self.app)
-        https_enforced = bool(self.https_enforced)
-
-        # get config for the service
-        config = self._load_service_config(app, 'router')
-
-        # convert from bool to string
-        config['ssl']['enforce'] = str(https_enforced)
-
-        self._save_service_config(app, 'router', config)
-
-        # Save to DB
-        return super(TLS, self).save(*args, **kwargs)
 
     def sync(self):
-        try:
-            app = str(self.app)
+        self.app.refresh()
 
-            config = self._load_service_config(app, 'router')
-            if (
-                config['ssl']['enforce'] != str(self.https_enforced) and
-                self.https_enforced is not None
-            ):
-                config['ssl']['enforce'] = str(self.https_enforced)
-                self._save_service_config(app, 'router', config)
-        except TLS.DoesNotExist:
-            pass

rootfs/scheduler/__init__.py

@@ -212,6 +212,23 @@ def http_put(self, path, data=None, **kwargs):
 
         return response
 
+    def http_patch(self, path, data=None, **kwargs):
+        """
+        Make a PATCH request to the k8s server.
+        """
+        try:
+            url = urljoin(self.url, path)
+            response = self.session.patch(url, data=data, **kwargs)
+        except requests.exceptions.ConnectionError as err:
+            # reraise as KubeException, but log stacktrace.
+            message = "There was a problem patching data to " \
+                      "the Kubernetes API server. URL: {}, " \
+                      "data: {}".format(url, data)
+            logger.error(message)
+            raise KubeException(message) from err
+
+        return response
+
     def http_delete(self, path, **kwargs):
         """
         Make a DELETE request to the k8s server.