chore(controller): add reserved names config

Author: duanhongyi

charts/controller/templates/_helpers.tpl

@@ -130,7 +130,7 @@ env:
       name: victoriametrics-vmauth-creds
       key: password
 - name: "DRYCC_VICTORIAMETRICS_URL"
-  value: "http://$(DRYCC_VICTORIAMETRICS_USERNAME):$(DRYCC_VICTORIAMETRICS_PASSWORD)@drycc-victoriametrics-vmauth.{{$.Release.Namespace}}.svc.{{$.Values.global.clusterDomain}}:8481"
+  value: "http://$(DRYCC_VICTORIAMETRICS_USERNAME):$(DRYCC_VICTORIAMETRICS_PASSWORD)@drycc-victoriametrics-vmauth.{{$.Release.Namespace}}.svc.{{$.Values.global.clusterDomain}}:8427"
 {{- end }}
 {{- if .Values.passport.enabled }}
 - name: "DRYCC_PASSPORT_URL"
@@ -172,7 +172,6 @@ env:
 {{- end }}
 {{- end }}
 
-
 {{- define "controller-job.envs" }}
 {{- include "controller.envs" . }}
 - name: DRYCC_DATABASE_ROUTERS
@@ -329,6 +328,29 @@ kubelet_volume_stats_inodes_free: [namespace, persistentvolumeclaim, job]
 kubelet_volume_stats_inodes_used: [namespace, persistentvolumeclaim, job]
 {{- end }}
 
+{{/* Generate controller config default reserved names */}}
+{{ define "controller.config.defaultReservedNames" }}
+backup
+catalog
+cert-manager
+default
+drycc
+drycc-manager
+drycc-helmbroker
+drycc-builder
+drycc-grafana
+drycc-passport
+istio-gateway
+istio-system
+kube-node-lease
+kube-public
+kube-system
+longhorn-system
+metallb
+mount-s3
+topolvm
+rook-ceph
+{{- end }}
 
 {{/* Generate controller config default secrets template */}}
 {{ define "controller.config.defaultSecretTemplate" }}

charts/controller/templates/controller-configmap.yaml

@@ -23,6 +23,12 @@ data:
     {{- else}}
     {{- include "controller.config.defaultLimitPlans" . | fromYamlArray | toPrettyJson | nindent 4 }}
     {{- end }}
+  reserved-names.txt: |-
+    {{- if .Values.config.reservedNames }}
+    {{- (tpl .Values.config.reservedNames $)  | nindent 4 }}
+    {{- else}}
+    {{- include "controller.config.defaultReservedNames" . | nindent 4 }}
+    {{- end }}
   secret-template.json: |
     {{- if .Values.config.secretTemplate }}
     {{- (tpl .Values.config.secretTemplate $)  | nindent 4 }}

charts/controller/values.yaml

@@ -76,6 +76,7 @@ config:
   metrics: ""
   limitSpecs: ""
   limitPlans: ""
+  reservedNames: ""
   secretTemplate: ""
   volumeTemplate: ""
   volumeClaimTemplate: ""
@@ -88,8 +89,7 @@ service:
 # Any custom controller environment variables
 # can be specified as key-value pairs under environment
 # this is usually a non required setting.
-environment:
-  RESERVED_NAMES: "drycc, drycc-builder, drycc-grafana, drycc-passport, drycc-helmbroker, drycc-manager"
+environment: {}
 
 api:
   resources: {}

rootfs/api/models/app.py

@@ -84,7 +84,7 @@ def validate_app_id(value):
     """
     Check that the value follows the kubernetes name constraints
     """
-    match = re.match(r'[a-z]([a-z0-9-]*[a-z0-9])?$', value)
+    match = re.match(r'^[a-z]([a-z0-9-]{3,}[a-z0-9])$', value)
     if not match:
         raise ValidationError("App name must start with an alphabetic character, cannot end with a"
                               + " hyphen and can only contain a-z (lowercase), 0-9 and hyphens.")
@@ -101,7 +101,7 @@ def validate_app_structure(value):
 
 def validate_reserved_names(value):
     """A value cannot use some reserved names."""
-    if value in settings.DRYCC_RESERVED_NAMES:
+    if value in settings.RESERVED_NAMES:
         raise ValidationError('{} is a reserved name.'.format(value))
 
 

rootfs/api/settings/production.py

@@ -248,7 +248,13 @@
 TEMPDIR = tempfile.mkdtemp(prefix='drycc')
 
 # names which apps cannot reserve for routing
-DRYCC_RESERVED_NAMES = os.environ.get('RESERVED_NAMES', '').replace(' ', '').split(',')
+RESERVED_NAMES_PATH = os.environ.get(
+    'RESERVED_NAMES_PATH', '/etc/controller/reserved-names.txt')
+if os.path.exists(RESERVED_NAMES_PATH):
+    with open(RESERVED_NAMES_PATH) as f:
+        RESERVED_NAMES = [line.strip() for line in f if line]
+else:
+    RESERVED_NAMES = ["drycc", "drycc-helmbroker", "drycc-manager", "kube-system", "default"]
 
 # the k8s namespace in which the controller and workflow were installed.
 WORKFLOW_NAMESPACE = os.environ.get('WORKFLOW_NAMESPACE', 'drycc')

rootfs/api/tests/test_app.py

@@ -159,7 +159,7 @@ def test_app_errors(self, mock_requests):
     def test_app_reserved_names(self, mock_requests):
         """Nobody should be able to create applications with names which are reserved."""
         reserved_names = ['foo', 'bar']
-        with self.settings(DRYCC_RESERVED_NAMES=reserved_names):
+        with self.settings(RESERVED_NAMES=reserved_names):
             for name in reserved_names:
                 response = self.client.post('/v2/apps', {'id': name})
                 self.assertContains(
@@ -531,7 +531,7 @@ def test_list_ordering(self, mock_requests):
         """
         Test that a list of apps is sorted by name
         """
-        for name in ['zulu', 'tango', 'alpha', 'foxtrot']:
+        for name in ['zulua', 'tango', 'alpha', 'foxtrot']:
             response = self.client.post('/v2/apps', {'id': name})
             self.assertEqual(response.status_code, 201, response.data)
 
@@ -540,7 +540,7 @@ def test_list_ordering(self, mock_requests):
         self.assertEqual(apps[0]['id'], 'alpha')
         self.assertEqual(apps[1]['id'], 'foxtrot')
         self.assertEqual(apps[2]['id'], 'tango')
-        self.assertEqual(apps[3]['id'], 'zulu')
+        self.assertEqual(apps[3]['id'], 'zulua')
 
     def test_get_private_registry_config(self, mock_requests):
         registry = {"web": {'username': 'test', 'password': 'test'}}

rootfs/api/tests/test_release.py

@@ -614,7 +614,7 @@ def test_deploy_hooks_logged(self, mock_requests, mock_logger):
         """
         Verifies that a configured deploy hook is dumped into the logs when a release is created.
         """
-        app_id = 'foo'
+        app_id = 'foooo'
         body = {'sha': '123456', 'image': 'autotest/example', 'stack': 'heroku-18'}
 
         mr_rocks = mock_requests.post(f'http://drycc.rocks?app={app_id}&user={self.user.username}&sha=&release=v1&release_summary={self.user.username}+created+initial+release')  # noqa