chore(quickwit): add quickwit proxy

Author: duanhongyi

charts/controller/templates/_helpers.tpl

@@ -51,11 +51,11 @@ env:
     secretKeyRef:
       name: controller-creds
       key: django-secret-key
-- name: DRYCC_BUILDER_KEY
+- name: DRYCC_SERVICE_KEY
   valueFrom:
     secretKeyRef:
-      name: builder-key-auth
-      key: builder-key
+      name: controller-creds
+      key: service-key
 {{- if (.Values.valkeyUrl) }}
 - name: DRYCC_VALKEY_URL
   valueFrom:
@@ -119,18 +119,8 @@ env:
       name: controller-creds
       key: victoriametrics-url
 {{- else if .Values.victoriametrics.enabled }}
-- name: "DRYCC_VICTORIAMETRICS_USERNAME"
-  valueFrom:
-    secretKeyRef:
-      name: victoriametrics-vmauth-creds
-      key: username
-- name: "DRYCC_VICTORIAMETRICS_PASSWORD"
-  valueFrom:
-    secretKeyRef:
-      name: victoriametrics-vmauth-creds
-      key: password
 - name: "DRYCC_VICTORIAMETRICS_URL"
-  value: "http://$(DRYCC_VICTORIAMETRICS_USERNAME):$(DRYCC_VICTORIAMETRICS_PASSWORD)@drycc-victoriametrics-vmauth.{{$.Release.Namespace}}.svc.{{$.Values.global.clusterDomain}}:8427"
+  value: "http://drycc-victoriametrics-vmselect.{{$.Release.Namespace}}.svc.{{$.Values.global.clusterDomain}}:8481"
 {{- end }}
 {{- if .Values.passport.enabled }}
 - name: "DRYCC_PASSPORT_URL"
@@ -166,6 +156,10 @@ env:
       name: controller-creds
       key: passport-secret
 {{- end }}
+- name: QUICKWIT_SEARCHER_URL
+  value: http://drycc-quickwit-searcher.{{ $.Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}:7280
+- name: QUICKWIT_LOG_INDEX_PREFIX
+  value: {{ .Values.quickwit.logIndexPrefix }}
 {{- range $key, $value := .Values.environment }}
 - name: {{ $key }}
   value: {{ $value | quote }}

charts/controller/templates/controller-secret-creds.yaml

@@ -31,5 +31,6 @@ data:
   registry-username: {{ .Values.registryUsername | b64enc }}
   registry-password: {{ .Values.registryPassword | b64enc }}
   {{- end }}
+  service-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "service-key" "defaultValue" (randAscii 64) "context" $)) }}
   django-secret-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "django-secret-key" "defaultValue" (randAscii 64) "context" $)) }}
   deploy-hook-secret-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "deploy-hook-secret-key" "defaultValue" (randAscii 64) "context" $)) }}

charts/controller/values.yaml

@@ -163,6 +163,9 @@ valkey:
 database:
   enabled: true
 
+quickwit:
+  logIndexPrefix: logs-
+
 registry:
   enabled: true
 

rootfs/api/authentication.py

@@ -21,6 +21,7 @@ def authenticate(self, request):
 class DryccAuthentication(authentication.BaseAuthentication):
 
     keywords = ('token', 'bearer')
+    ignore_authentication_failed = False
 
     def parse_header(self, request):
         try:
@@ -44,17 +45,19 @@ def authenticate(self, request):
         token_type, token = self.parse_header(request)
         if token_type is None or token is None:
             return None
-        if token_type == 'bearer':  # drycc oauth access token
-            try:
+        try:
+            if token_type == 'bearer':  # drycc oauth access token
                 from api.backend import OauthCacheManager
                 return OauthCacheManager().get_user(token), token
-            except exceptions.AuthenticationFailed:
-                return None
-        # drycc token
-        user = cache.get(token, None)
-        if not user:
-            return self.authenticate_credentials(token)
-        return user, token
+            # drycc token
+            user = cache.get(token, None)
+            if not user:
+                return self.authenticate_credentials(token)
+            return user, token
+        except exceptions.AuthenticationFailed as e:
+            if not self.ignore_authentication_failed:
+                raise e
+        return None
 
     def authenticate_credentials(self, key):
         from api.models.base import Token

rootfs/api/consumers.py

@@ -2,7 +2,6 @@
 import time
 import six
 import ssl
-import aiohttp
 import asyncio
 from django.conf import settings
 from django.core.cache import cache
@@ -66,47 +65,6 @@ def kubernetes(self):
         return core_v1_api.CoreV1Api()
 
 
-class AppLogsConsumer(BaseAppConsumer):
-
-    async def connect(self):
-        await super().connect()
-        self.session = None
-        self.running = False
-        self.conneted = True
-
-    async def task(self, **kwargs):
-        lines = kwargs.get("lines", 100)
-        follow = kwargs.get("follow", False)
-        timeout = kwargs.get("timeout", 300)
-        url = "http://{}:{}/logs/{}?log_lines={}&follow={}&timeout={}".format(
-            settings.LOGGER_HOST, settings.LOGGER_PORT, self.id, lines, follow, timeout,
-        )
-        try:
-            async with aiohttp.ClientSession() as session:
-                self.session = session
-                async with session.get(url) as response:
-                    async for data in response.content.iter_any():
-                        if not self.conneted:
-                            break
-                        await self.send(text_data=data)
-        except asyncio.TimeoutError:
-            pass
-        finally:
-            await self.close(code=1000)
-
-    async def receive(self, text_data=None, bytes_data=None):
-        if self.running:
-            return
-        self.running = True
-        kwargs = json.loads(text_data)
-        asyncio.create_task(self.task(**kwargs))
-
-    async def disconnect(self, close_code):
-        if self.session:
-            await self.session.close()
-        self.conneted = False
-
-
 class AppPodLogsConsumer(BaseK8sConsumer):
 
     async def connect(self):

rootfs/api/models/app.py

@@ -250,8 +250,6 @@ def delete(self, *args, **kwargs):
         except KubeHTTPException:
             # it's fine if the namespace does not exist - delete app from the DB
             pass
-
-        self._clean_app_logs()
         return super(App, self).delete(*args, **kwargs)
 
     def restart(self, **kwargs):  # noqa
@@ -752,18 +750,6 @@ def __str__(self):
     def _get_deployment_name(self, ptype):
         return f"{self.id}-{ptype}"
 
-    def _clean_app_logs(self):
-        """Delete application logs stored by the logger component"""
-        try:
-            url = 'http://{}:{}/logs/{}'.format(settings.LOGGER_HOST,
-                                                settings.LOGGER_PORT, self.id)
-            requests.delete(url)
-        except Exception as e:
-            # Ignore errors deleting application logs.  An error here should not interfere with
-            # the overall success of deleting an application, but we should log it.
-            err = 'Error deleting existing application logs: {}'.format(e)
-            self.log(err, logging.WARNING)
-
     def _mount(self, user, volume, app_settings, structure=None):
         volumes = Volume.objects.filter(app=self)
         tasks = []

rootfs/api/models/base.py

@@ -1,4 +1,5 @@
 import uuid
+import time
 import string
 import random
 from datetime import timedelta
@@ -10,7 +11,7 @@
 from django.utils.translation import gettext_lazy as _
 
 
-from api.utils import validate_json, get_scheduler
+from api.utils import get_session, validate_json, get_scheduler
 
 token_manager_oauth_schema = {
     "$schema": "http://json-schema.org/schema#",
@@ -47,6 +48,20 @@ class Meta:
         """Mark :class:`AuditedModel` as abstract."""
         abstract = True
 
+    def app_log(self, app_id, msg):
+        session = get_session()
+        session.post(
+            "",
+            json={
+                "timestamp": int(time.time()),
+                "log": msg,
+                "kubernetes": {
+                    "namespace": app_id,
+                    "container_name": "drycc-controller",
+                }
+            }
+        )
+
     @property
     def scheduler(self):
         annotations = {}

rootfs/api/permissions.py

@@ -111,20 +111,20 @@ def has_permission(self, request, view):
         return request.method in permissions.SAFE_METHODS or request.user.is_superuser
 
 
-class HasBuilderAuth(permissions.BasePermission):
+class IsServiceToken(permissions.BasePermission):
     """
-    View permission to allow builder to perform actions
-    with a special HTTP header
+    The service token is used for internal communication between Drycc components,
+    such as the builder and Quickwit.
     """
 
     def has_permission(self, request, view):
         """
         Return `True` if permission is granted, `False` otherwise.
         """
-        auth_header = request.META.get('HTTP_X_DRYCC_BUILDER_AUTH')
+        auth_header = request.META.get('HTTP_X_DRYCC_SERVICE_KEY')
         if not auth_header:
             return False
-        return auth_header == settings.BUILDER_KEY
+        return auth_header == settings.SERVICE_KEY
 
 
 class IsWorkflowManager(permissions.BasePermission):

rootfs/api/routing.py

@@ -4,9 +4,6 @@
 from . import consumers
 
 websocket_urlpatterns = [
-    re_path(
-        r'^v2/apps/(?P<id>([\w-]*))/logs/?$',
-        consumers.AppLogsConsumer.as_asgi()),
     re_path(
         r'^v2/apps/(?P<id>([\w-]*))/pods/(?P<pod_id>([\w-]*))/logs/?$',
         consumers.AppPodLogsConsumer.as_asgi()),

rootfs/api/settings/production.py

@@ -4,10 +4,17 @@
 import sys
 import uuid
 import json
+import random
+import string
 import os.path
 import tempfile
 import dj_database_url
 
+
+def randstr(k):
+    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=k))
+
+
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 sys.path.insert(0, os.path.join(BASE_DIR, 'apps_extra'))
 
@@ -312,10 +319,11 @@
     with open(DRYCC_VOLUME_CLAIM_TEMPLATE_PATH) as fd:
         DRYCC_VOLUME_CLAIM_TEMPLATE = json.load(fd)
 
-# security keys and auth tokens
-random_secret = 'CHANGEME_sapm$s%upvsw5l_zuy_&29rkywd^78ff(qi*#@&*^'
-SECRET_KEY = os.environ.get('DRYCC_SECRET_KEY', random_secret)
-BUILDER_KEY = os.environ.get('DRYCC_BUILDER_KEY', random_secret)
+# Django secret key
+SECRET_KEY = os.environ.get('DRYCC_SECRET_KEY', randstr(64))
+
+# Drycc service key
+SERVICE_KEY = os.environ.get('DRYCC_SERVICE_KEY', randstr(64))
 
 # Drycc admission mutate key
 MUTATE_KEY_PATH = os.environ.get('DRYCC_MUTATE_KEY_PATH', '/etc/controller/mutate/cert/key')
@@ -387,10 +395,6 @@
 REGISTRY_LOCATION = os.environ.get('DRYCC_REGISTRY_LOCATION', 'on-cluster')
 REGISTRY_SECRET_PREFIX = os.environ.get('DRYCC_REGISTRY_SECRET_PREFIX', 'private-registry')
 
-# logger settings
-LOGGER_HOST = os.environ.get('DRYCC_LOGGER_SERVICE_HOST', '127.0.0.1')
-LOGGER_PORT = os.environ.get('DRYCC_LOGGER_SERVICE_PORT_HTTP', 80)
-
 DRYCC_DATABASE_URL = os.environ.get('DRYCC_DATABASE_URL', 'postgres://postgres:@:5432/drycc')
 DATABASES = {
     'default': dj_database_url.config(default=DRYCC_DATABASE_URL)
@@ -479,6 +483,10 @@
     }
 }
 
+# Quickwit Configuration
+QUICKWIT_SEARCHER_URL = os.environ.get('QUICKWIT_SEARCHER_URL', None)
+QUICKWIT_LOG_INDEX_PREFIX = os.environ.get('QUICKWIT_LOG_INDEX_PREFIX', None)
+
 # Workflow-manager Configuration Options
 WORKFLOW_MANAGER_URL = os.environ.get('WORKFLOW_MANAGER_URL', None)
 WORKFLOW_MANAGER_ACCESS_KEY = os.environ.get('WORKFLOW_MANAGER_ACCESS_KEY', None)