feat(api): add deploy hooks (#1168)

Matthew Fisher · web-flow · commit 51cab9dacab7 · 2016-12-16T13:17:19.000-08:00
diff --git a/charts/controller/templates/controller-deployment.yaml b/charts/controller/templates/controller-deployment.yaml
@@ -42,16 +42,16 @@ spec:
           ports:
             - containerPort: 8000
               name: http
-{{- if or (.Values.limits_cpu) (.Values.limits_memory)}}
+{{- if or (.Values.limits_cpu) (.Values.limits_memory) }}
           resources:
             limits:
 {{- if (.Values.limits_cpu) }}
               cpu: {{.Values.limits_cpu}}
-{{- end}}
+{{- end }}
 {{- if (.Values.limits_memory) }}
               memory: {{.Values.limits_memory}}
-{{- end}}
-{{- end}}
+{{- end }}
+{{- end }}
           env:
             - name: REGISTRATION_MODE
               value: {{ .Values.registration_mode }}
@@ -75,6 +75,15 @@ spec:
                   key: image
             - name: "IMAGE_PULL_POLICY"
               value: "{{ .Values.app_pull_policy }}"
+{{- if (.Values.deploy_hook_urls) }}
+            - name: DEIS_DEPLOY_HOOK_URLS
+              value: "{{ .Values.deploy_hook_urls }}"
+            - name: DEIS_DEPLOY_HOOK_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: deploy-hook-key
+                  key: secret-key
+{{- end }}
             - name: DEIS_SECRET_KEY
               valueFrom:
                 secretKeyRef:
diff --git a/charts/controller/templates/deploy-hook-secret.yaml b/charts/controller/templates/deploy-hook-secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: deploy-hook-key
+  labels:
+    heritage: deis
+  annotations:
+    "helm.sh/hook": pre-install
+type: Opaque
+data:
+  secret-key: {{ randAscii 64 | b64enc }}
diff --git a/charts/controller/values.yaml b/charts/controller/values.yaml
@@ -2,6 +2,9 @@ org: "deisci"
 pull_policy: "Always"
 docker_tag: canary
 app_pull_policy: "Always"
+# A comma-separated list of URLs to send app release information to
+# See https://deis.com/docs/workflow/managing-workflow/deploy-hooks
+deploy_hook_urls: ""
 # limits_cpu: "100m"
 # limits_memory: "50Mi"
 # Possible values are:
diff --git a/rootfs/api/models/__init__.py b/rootfs/api/models/__init__.py
@@ -3,26 +3,49 @@
 """
 Data models for the Deis API.
 """
+import hashlib
+import hmac
 import importlib
 import logging
-import uuid
 import morph
 import re
+import urllib.parse
+import uuid
 
 from django.conf import settings
 from django.db import models
 from django.db.models.signals import post_delete, post_save
 from django.dispatch import receiver
-
 from rest_framework.exceptions import ValidationError
 from rest_framework.authtoken.models import Token
+import requests
+from requests_toolbelt import user_agent
 
+from api import __version__ as deis_version
 from api.exceptions import DeisException, AlreadyExists, ServiceUnavailable, UnprocessableEntity  # noqa
 from api.utils import dict_merge
 from scheduler import KubeException
 
+
 logger = logging.getLogger(__name__)
 
+session = None
+
+
+def get_session():
+    global session
+    if session is None:
+        session = requests.Session()
+        session.headers = {
+            # https://toolbelt.readthedocs.org/en/latest/user-agent.html#user-agent-constructor
+            'User-Agent': user_agent('Deis Controller', deis_version),
+        }
+        # `mount` a custom adapter that retries failed connections for HTTP and HTTPS requests.
+        # http://docs.python-requests.org/en/latest/api/#requests.adapters.HTTPAdapter
+        session.mount('http://', requests.adapters.HTTPAdapter(max_retries=10))
+        session.mount('https://', requests.adapters.HTTPAdapter(max_retries=10))
+    return session
+
 
 def validate_label(value):
     """
@@ -165,16 +188,48 @@ def _log_instance_removed(**kwargs):
         logger.info(message)
 
 
-# special case: log the release summary
-def _log_release_created(**kwargs):
+# special case: log the release summary and send release info to each deploy hook
+def _hook_release_created(**kwargs):
     if kwargs.get('created'):
         release = kwargs['instance']
         # append release lifecycle logs to the app
         release.app.log(release.summary)
 
+        for deploy_hook in settings.DEIS_DEPLOY_HOOK_URLS:
+            url = deploy_hook
+            params = {
+                'app': release.app,
+                'release': 'v{}'.format(release.version),
+                'release_summary': release.summary,
+                'sha': '',
+                'user': release.owner,
+            }
+            if release.build is not None:
+                params['sha'] = release.build.sha
+
+            # order of the query arguments is important when computing the HMAC auth secret
+            params = sorted(params.items())
+            url += '?{}'.format(urllib.parse.urlencode(params))
+
+            headers = {}
+            if settings.DEIS_DEPLOY_HOOK_SECRET_KEY is not None:
+                headers['Authorization'] = hmac.new(
+                    settings.DEIS_DEPLOY_HOOK_SECRET_KEY.encode('utf-8'),
+                    url.encode('utf-8'),
+                    hashlib.sha1
+                ).hexdigest()
+
+            try:
+                get_session().post(url, headers=headers)
+                # just notify with the base URL, disregard the added URL query
+                release.app.log('Deploy hook sent to {}'.format(deploy_hook))
+            except requests.RequestException as e:
+                release.app.log('An error occurred while sending the deploy hook to {}: {}'.format(
+                    deploy_hook, e), logging.ERROR)
+
 
 # Log significant app-related events
-post_save.connect(_log_release_created, sender=Release, dispatch_uid='api.models.log')
+post_save.connect(_hook_release_created, sender=Release, dispatch_uid='api.models.log')
 
 post_save.connect(_log_instance_created, sender=Build, dispatch_uid='api.models.log')
 post_save.connect(_log_instance_added, sender=Certificate, dispatch_uid='api.models.log')
diff --git a/rootfs/api/models/app.py b/rootfs/api/models/app.py
@@ -9,7 +9,6 @@
 import random
 import re
 import requests
-from requests_toolbelt import user_agent
 import string
 import time
 from urllib.parse import urljoin
@@ -19,7 +18,7 @@
 from rest_framework.exceptions import ValidationError, NotFound
 from jsonfield import JSONField
 
-from api import __version__ as deis_version
+from api.models import get_session
 from api.models import UuidAuditedModel, AlreadyExists, DeisException, ServiceUnavailable
 
 from api.utils import generate_app_name, async_run
@@ -33,23 +32,6 @@
 
 logger = logging.getLogger(__name__)
 
-session = None
-
-
-def get_session():
-    global session
-    if session is None:
-        session = requests.Session()
-        session.headers = {
-            # https://toolbelt.readthedocs.org/en/latest/user-agent.html#user-agent-constructor
-            'User-Agent': user_agent('Deis Controller', deis_version),
-        }
-        # `mount` a custom adapter that retries failed connections for HTTP and HTTPS requests.
-        # http://docs.python-requests.org/en/latest/api/#requests.adapters.HTTPAdapter
-        session.mount('http://', requests.adapters.HTTPAdapter(max_retries=10))
-        session.mount('https://', requests.adapters.HTTPAdapter(max_retries=10))
-    return session
-
 
 # http://kubernetes.io/v1.1/docs/design/identifiers.html
 def validate_app_id(value):
diff --git a/rootfs/api/settings/production.py b/rootfs/api/settings/production.py
@@ -294,6 +294,13 @@
 # where it roughly goes BATCHES * TIMEOUT = global timeout
 DEIS_DEPLOY_TIMEOUT = int(os.environ.get('DEIS_DEPLOY_TIMEOUT', 120))
 
+try:
+    DEIS_DEPLOY_HOOK_URLS = os.environ['DEIS_DEPLOY_HOOK_URLS'].split(',')
+except KeyError:
+    DEIS_DEPLOY_HOOK_URLS = []
+
+DEIS_DEPLOY_HOOK_SECRET_KEY = os.environ.get('DEIS_DEPLOY_HOOK_SECRET_KEY', None)
+
 KUBERNETES_DEPLOYMENTS_REVISION_HISTORY_LIMIT = os.environ.get('KUBERNETES_DEPLOYMENTS_REVISION_HISTORY_LIMIT', None)  # noqa
 
 # How long k8s waits for a pod to finish work after a SIGTERM before sending SIGKILL
diff --git a/rootfs/api/tests/test_release.py b/rootfs/api/tests/test_release.py
@@ -1,11 +1,8 @@
-"""
-Unit tests for the Deis api app.
-
-Run the tests with "./manage.py test api"
-"""
-
-
+import hashlib
+import hmac
 import json
+import logging
+import requests
 import uuid
 
 from django.contrib.auth.models import User
@@ -390,6 +387,98 @@ def test_release_get_port(self, mock_requests):
 
         # TODO(bacongobbler): test dockerfile ports
 
+    @override_settings(DEIS_DEPLOY_HOOK_URLS=['http://deis.rocks'])
+    @mock.patch('api.models.logger')
+    def test_deploy_hooks_logged(self, mock_requests, mock_logger):
+        """
+        Verifies that a configured deploy hook is dumped into the logs when a release is created.
+        """
+        app_id = 'foo'
+        body = {'sha': '123456', 'image': 'autotest/example'}
+
+        mr_rocks = mock_requests.post('http://deis.rocks?app={app_id}&user={self.user.username}&sha=&release=v1&release_summary={self.user.username}+created+initial+release'.format(**locals()))  # noqa
+        self.create_app(app_id)
+        # check app logs
+        exp_msg = "[{app_id}]: Sent deploy hook to http://deis.rocks".format(**locals())
+        mock_logger.log.has_calls(logging.INFO, exp_msg)
+        self.assertTrue(mr_rocks.called)
+        self.assertEqual(mr_rocks.call_count, 1)
+
+        # override DEIS_DEPLOY_HOOK_URLS again, ensuring that the new deploy hooks get the same
+        # treatment
+        url = '/v2/apps/{app_id}/builds'.format(**locals())
+        with self.settings(DEIS_DEPLOY_HOOK_URLS=['http://deis.ninja', 'http://cat.dog']):
+            mr_ninja = mock_requests.post("http://deis.ninja?app={app_id}&user={self.user.username}&sha=123456&release=v2&release_summary={self.user.username}+deployed+123456".format(**locals()))  # noqa
+            mr_catdog = mock_requests.post("http://cat.dog?app={app_id}&user={self.user.username}&sha=123456&release=v2&release_summary={self.user.username}+deployed+123456".format(**locals()))  # noqa
+            response = self.client.post(url, body)
+            self.assertEqual(response.status_code, 201, response.data)
+
+            # check app logs
+            exp_msg = "[{app_id}]: Sent deploy hook to http://deis.ninja".format(**locals())
+            mock_logger.log.has_calls(logging.INFO, exp_msg)
+            self.assertTrue(mr_ninja.called)
+            self.assertEqual(mr_ninja.call_count, 1)
+            exp_msg = "[{app_id}]: Sent deploy hook to http://cat.dog".format(**locals())
+            mock_logger.log.has_calls(logging.INFO, exp_msg)
+            self.assertTrue(mr_catdog.called)
+            self.assertEqual(mr_catdog.call_count, 1)
+        sha = '2345678'
+        body['sha'] = sha
+        # Ensure that when requests.Exception is raised, the error is noted and life carries on.
+        with self.settings(DEIS_DEPLOY_HOOK_URLS=['http://cat.ninja', 'http://deis.dog']):
+            def raise_callback(request, context):
+                raise requests.ConnectionError('poop')
+            mr_ninja = mock_requests.post("http://cat.ninja?app={app_id}&user={self.user.username}&sha={sha}&release=v3&release_summary={self.user.username}+deployed+{sha}".     format(**locals()), text=raise_callback)  # noqa
+            mr_catdog = mock_requests.post("http://deis.dog?app={app_id}&user={self.user.username}&sha={sha}&release=v3&release_summary={self.user.username}+deployed+{sha}".       format(**locals()))  # noqa
+            response = self.client.post(url, body)
+            self.assertEqual(response.status_code, 201, response.data)
+
+            # check app logs
+            exp_msg = "[{app_id}]: An error occurred while sending the deploy hook to http://cat.ninja: poop".format(**locals())  # noqa
+            mock_logger.log.has_calls(logging.ERROR, exp_msg)
+            self.assertTrue(mr_ninja.called)
+            self.assertEqual(mr_ninja.call_count, 1)
+            exp_msg = "[{app_id}]: Sent deploy hook to http://deis.dog".format(**locals())
+            mock_logger.log.has_calls(logging.INFO, exp_msg)
+            self.assertTrue(mr_catdog.called)
+            self.assertEqual(mr_catdog.call_count, 1)
+
+        # ensure that when a secret key is used, a Deis-Signature header is present
+        # which was generated by using HMAC-SHA1 against the target URL
+        secret = 'Hasta la vista, baby.'
+        hook_url = 'http://deis.com'
+        sha = '3456789'
+        body['sha'] = sha
+        # target URL MUST be in the exact alphabetized order when calculating the HMAC signature.
+        target_url = '{}?app={}&release=v4&release_summary={}+deployed+{}&sha={}&user={}'.format(
+            hook_url,
+            app_id,
+            self.user.username,
+            sha,
+            sha,
+            self.user.username,
+        )
+        signature = hmac.new(
+            secret.encode('utf-8'),
+            target_url.encode('utf-8'),
+            hashlib.sha1,
+        ).hexdigest()
+        request_headers = {'Authorization': signature}
+
+        with self.settings(DEIS_DEPLOY_HOOK_SECRET_KEY=secret, DEIS_DEPLOY_HOOK_URLS=[hook_url]):
+            mr_terminator = mock_requests.post(
+                target_url,
+                request_headers=request_headers,
+            )
+            response = self.client.post(url, body)
+            self.assertEqual(response.status_code, 201, response.data)
+
+            # check app logs
+            exp_msg = "[{app_id}]: Sent deploy hook to {hook_url}".format(**locals())
+            mock_logger.log.has_calls(logging.INFO, exp_msg)
+            self.assertTrue(mr_terminator.called)
+            self.assertEqual(mr_terminator.call_count, 1)
+
     @override_settings(REGISTRY_LOCATION="off-cluster")
     def test_release_external_registry(self, mock_requests):
         """
