feat(cert-manager): add tls events

Author: duanhongyi

charts/controller/templates/controller-clusterrole.yaml

@@ -59,7 +59,7 @@ rules:
   resources: ["ingresses"]
   verbs: ["get", "list", "watch", "create", "update", "delete"]
 - apiGroups: ["cert-manager.io"]
-  resources: ["certificates", "issuers"]
+  resources: ["certificates", "certificaterequest", "issuers"]
   verbs: ["get", "list", "watch", "create", "update", "delete"]
 - apiGroups: ["networking.k8s.io"]
   resources: ["ingresses"]

rootfs/api/models/app.py

@@ -25,7 +25,7 @@
 from api.utils import generate_app_name, apply_tasks
 from scheduler import KubeHTTPException, KubeException
 from scheduler.resources.pod import DEFAULT_CONTAINER_PORT
-from .gateway import Gateway, Route, DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT
+from .gateway import Gateway, Route, DEFAULT_HTTP_PORT
 from .limit import LimitPlan
 from .config import Config
 from .service import Service
@@ -767,17 +767,19 @@ def _create_default_ingress(self, target_port):
         # create default gateway
         try:
             gateway = self.gateway_set.filter(name=self.id).latest()
+            if gateway.change_default_tls():
+                gateway.save()
         except Gateway.DoesNotExist:
             gateway = Gateway(app=self, owner=self.owner, name=self.id)
-        modified = gateway.add(DEFAULT_HTTP_PORT, "HTTP")
-        if self.tls_set.latest().certs_auto_enabled or self.domain_set.filter(
-                models.Q(certificate__isnull=False)).exists():
-            modified = gateway.add(DEFAULT_HTTPS_PORT, "HTTPS") if not modified else True
-        if modified:
+            added, msg = gateway.add(DEFAULT_HTTP_PORT, "HTTP")
+            if not added:
+                raise DryccException(msg)
             gateway.save()
         # create default route
         try:
-            self.route_set.filter(name=self.id).latest()
+            route = self.route_set.filter(name=self.id).latest()
+            if route.change_default_tls():
+                route.save()
         except Route.DoesNotExist:
             route = Route(app=self, owner=self.owner, kind="HTTPRoute", name=self.id,
                           port=DEFAULT_HTTP_PORT, procfile_type=service.procfile_type)

rootfs/api/models/gateway.py

@@ -22,29 +22,6 @@ class Gateway(AuditedModel):
     name = models.CharField(max_length=63, db_index=True)
     ports = models.JSONField(default=list)
 
-    def _check_port(self, port, protocol):
-        for item in self.ports:
-            if item["port"] == port:
-                if (item["protocol"] == protocol) or (
-                        item["protocol"] != "UDP" and protocol != "UDP"):
-                    return False
-        return True
-
-    def _get_tls_domain(self, auto_tls):
-        domains = self.app.domain_set.all()
-        if not auto_tls:
-            domains = domains.exclude(certificate=None)
-        return domains
-
-    def _get_listener_name(self, port, protocol, index):
-        if protocol in ("TCP", "TLS", "HTTP"):
-            protocol = "TCP"
-        elif protocol in ("HTTPS", ):
-            protocol = "MIX"
-        else:
-            protocol = "UDP"
-        return "-".join([protocol, str(port), str(index)]).lower()
-
     def add(self, port, protocol):
         # check port
         if not self._check_port(port, protocol):
@@ -125,7 +102,19 @@ def refresh_to_k8s(self):
         except KubeException as e:
             raise ServiceUnavailable('Kubernetes gateway could not be created') from e
 
+    def change_default_tls(self):
+        if self.name != self.app.id:
+            return False
+        tls_enabled = (self.app.tls_set.latest().certs_auto_enabled and
+                       self.app.domain_set.exists()) or self.app.domain_set.filter(
+                           models.Q(certificate__isnull=False)).exists()
+        if tls_enabled:
+            return self.add(DEFAULT_HTTPS_PORT, "HTTPS")[0]
+        else:
+            return self.remove(DEFAULT_HTTPS_PORT, "HTTPS")[0]
+
     def save(self, *args, **kwargs):
+        self.change_default_tls()
         super().save(*args, **kwargs)
         self.refresh_to_k8s()
 
@@ -139,6 +128,29 @@ def delete(self, *args, **kwargs):
             )
         return super().delete(*args, **kwargs)
 
+    def _check_port(self, port, protocol):
+        for item in self.ports:
+            if item["port"] == port:
+                if (item["protocol"] == protocol) or (
+                        item["protocol"] != "UDP" and protocol != "UDP"):
+                    return False
+        return True
+
+    def _get_tls_domain(self, auto_tls):
+        domains = self.app.domain_set.all()
+        if not auto_tls:
+            domains = domains.exclude(certificate=None)
+        return domains
+
+    def _get_listener_name(self, port, protocol, index):
+        if protocol in ("TCP", "TLS", "HTTP"):
+            protocol = "TCP"
+        elif protocol in ("HTTPS", ):
+            protocol = "MIX"
+        else:
+            protocol = "UDP"
+        return "-".join([protocol, str(port), str(index)]).lower()
+
     class Meta:
         get_latest_by = 'created'
         unique_together = (('app', 'name'), )
@@ -233,6 +245,17 @@ def refresh_to_k8s(self):
             self.scheduler().httproute.delete(self.app.id, self.name)
             self.scheduler().httproute.delete(self.app.id, self._https_redirect_name)
 
+    def change_default_tls(self):
+        if self.app.id != self.name:
+            return False
+        tls_enabled = (self.app.tls_set.latest().certs_auto_enabled and
+                       self.app.domain_set.exists()) or self.app.domain_set.filter(
+                           models.Q(certificate__isnull=False)).exists()
+        if tls_enabled:
+            return self.attach(self.app.id, DEFAULT_HTTPS_PORT)[0]
+        else:
+            return self.detach(self.app.id, DEFAULT_HTTPS_PORT)[0]
+
     def attach(self, gateway_name, port):
         ok, msg = self._check_parent(gateway_name, port)
         if not ok:
@@ -253,6 +276,7 @@ def detach(self, gateway_name, port):
         return True, ""
 
     def save(self, *args, **kwargs):
+        self.change_default_tls()
         ok, msg = self.check_rules()
         if not ok:
             raise ValueError(msg)

rootfs/api/models/tls.py

@@ -29,51 +29,6 @@ class TLS(UuidAuditedModel):
     https_enforced = models.BooleanField(null=True)
     certs_auto_enabled = models.BooleanField(null=True)
 
-    class Meta:
-        get_latest_by = 'created'
-        unique_together = (('app', 'uuid'))
-        ordering = ['-created']
-
-    def __str__(self):
-        return "{}-{}".format(self.app.id, str(self.uuid)[:7])
-
-    def _check_previous_tls_settings(self):
-        """
-        Only one value can be set at a time
-        If the other value is None, using the previous setting.
-        """
-        try:
-            previous_tls_settings = self.app.tls_set.latest()
-            if self.https_enforced is not None:
-                if previous_tls_settings.https_enforced == self.https_enforced:
-                    raise AlreadyExists(
-                        "{} changed nothing".format(self.owner))
-                self.certs_auto_enabled = previous_tls_settings.certs_auto_enabled
-            elif self.certs_auto_enabled is not None:
-                if previous_tls_settings.certs_auto_enabled == self.certs_auto_enabled:
-                    raise AlreadyExists(
-                        "{} changed nothing".format(self.owner))
-                self.https_enforced = previous_tls_settings.https_enforced
-            previous_tls_settings.delete()
-        except TLS.DoesNotExist:
-            pass
-
-    def _refresh_secret_to_k8s(self):
-        secret_name = f"{self.app.id}-acme-external-account-binding-secret"
-        try:
-            try:
-                data = self.scheduler().secret.get(self.app.id, secret_name).json()
-                self.scheduler().secret.patch(self.app.id, secret_name, {
-                    "secret": self.issuer["key_secret"],
-                    "version": data["metadata"]["resourceVersion"],
-                })
-            except KubeException:
-                self.scheduler().secret.create(self.app.id, secret_name, {
-                    "secret": self.issuer["key_secret"],
-                })
-        except KubeException as e:
-            raise ServiceUnavailable('Kubernetes secret could not be created') from e
-
     def log(self, message, level=logging.INFO):
         """Logs a message in the context of this application.
 
@@ -85,6 +40,37 @@ def log(self, message, level=logging.INFO):
         """
         logger.log(level, "[{}]: {}".format(self.app.id, message))
 
+    @property
+    def events(self):
+        def to_result(name, kind, condition):
+            return {
+                "name": name,
+                "kind": kind,
+                "time": condition["lastTransitionTime"],
+                "type": condition["type"],
+                "status": condition["status"],
+                "message": condition["message"],
+            }
+
+        results = []
+        name = namespace = self.app.id
+        response = self.scheduler().issuer.get(namespace, name, ignore_exception=True)
+        if response.status_code == 200:
+            for condition in response.json()["status"]["conditions"]:
+                results.append(to_result(name, "Issuer", condition))
+        name = f"{self.app.id}-auto-tls"
+        response = self.scheduler().certificate.get(namespace, name, ignore_exception=True)
+        if response.status_code == 200:
+            for condition in response.json()["status"]["conditions"]:
+                results.append(to_result(name, "Certificate", condition))
+        response = self.scheduler().certificaterequest.get(namespace, ignore_exception=True)
+        if response.status_code == 200:
+            for item in response.json()["items"]:
+                for condition in item["status"]["conditions"]:
+                    results.append(to_result(
+                        item["metadata"]["name"], "CertificateRequest", condition))
+        return results
+
     def refresh_issuer_to_k8s(self):
         name = namespace = self.app.id
         try:
@@ -110,7 +96,7 @@ def refresh_issuer_to_k8s(self):
             raise ServiceUnavailable('Kubernetes issuer could not be created') from e
 
     def refresh_certificate_to_k8s(self):
-        namespace = name = self.app.id
+        namespace, name = self.app.id, f"{self.app.id}-auto-tls"
         if self.certs_auto_enabled:
             hosts = [domain.domain for domain in self.app.domain_set.all()]
             if len(hosts) > 0:
@@ -132,3 +118,48 @@ def refresh_certificate_to_k8s(self):
     def save(self, *args, **kwargs):
         self._check_previous_tls_settings()
         super(TLS, self).save(*args, **kwargs)
+
+    def __str__(self):
+        return "{}-{}".format(self.app.id, str(self.uuid)[:7])
+
+    def _check_previous_tls_settings(self):
+        """
+        Only one value can be set at a time
+        If the other value is None, using the previous setting.
+        """
+        try:
+            previous_tls_settings = self.app.tls_set.latest()
+            if self.https_enforced is not None:
+                if previous_tls_settings.https_enforced == self.https_enforced:
+                    raise AlreadyExists(
+                        "{} changed nothing".format(self.owner))
+                self.certs_auto_enabled = previous_tls_settings.certs_auto_enabled
+            elif self.certs_auto_enabled is not None:
+                if previous_tls_settings.certs_auto_enabled == self.certs_auto_enabled:
+                    raise AlreadyExists(
+                        "{} changed nothing".format(self.owner))
+                self.https_enforced = previous_tls_settings.https_enforced
+            previous_tls_settings.delete()
+        except TLS.DoesNotExist:
+            pass
+
+    def _refresh_secret_to_k8s(self):
+        secret_name = f"{self.app.id}-acme-external-account-binding-secret"
+        try:
+            try:
+                data = self.scheduler().secret.get(self.app.id, secret_name).json()
+                self.scheduler().secret.patch(self.app.id, secret_name, {
+                    "secret": self.issuer["key_secret"],
+                    "version": data["metadata"]["resourceVersion"],
+                })
+            except KubeException:
+                self.scheduler().secret.create(self.app.id, secret_name, {
+                    "secret": self.issuer["key_secret"],
+                })
+        except KubeException as e:
+            raise ServiceUnavailable('Kubernetes secret could not be created') from e
+
+    class Meta:
+        get_latest_by = 'created'
+        unique_together = (('app', 'uuid'))
+        ordering = ['-created']

rootfs/api/serializers/__init__.py

@@ -535,6 +535,7 @@ class TLSSerializer(serializers.ModelSerializer):
 
     app = serializers.SlugRelatedField(slug_field='id', queryset=models.app.App.objects.all())
     owner = serializers.ReadOnlyField(source='owner.username')
+    events = serializers.ReadOnlyField()
 
     class Meta:
         """Metadata options for a :class:`AppTLSSerializer`."""

rootfs/api/signals.py

@@ -18,7 +18,7 @@
 from api.tasks import send_measurements
 from api.models.app import App
 from api.models.service import Service
-from api.models.gateway import Gateway, DEFAULT_HTTPS_PORT
+from api.models.gateway import Gateway
 from api.models.appsettings import AppSettings
 from api.models.build import Build
 from api.models.certificate import Certificate
@@ -165,13 +165,15 @@ def tls_changed_handle(sender, instance: TLS, created=False, update_fields=None,
     if (update_fields and "certs_auto_enabled" in update_fields) or created:
         instance.refresh_certificate_to_k8s()
         for gateway in instance.app.gateway_set.all():
-            if (instance.certs_auto_enabled and gateway.name == instance.app.id
-                    and gateway.add(DEFAULT_HTTPS_PORT, "HTTPS")[0]):
+            if gateway.change_default_tls():
                 gateway.save()
             else:
                 gateway.refresh_to_k8s()
         for route in instance.app.route_set.all():
-            route.refresh_to_k8s()
+            if route.change_default_tls():
+                route.save()
+            else:
+                route.refresh_to_k8s()
 
 
 @receiver(post_save, sender=Gateway)
@@ -195,9 +197,15 @@ def service_changed_handle(
 def domain_changed_handle(
         sender, instance: Domain, created=False, update_fields=None, **kwargs):
     for gateway in instance.app.gateway_set.all():
-        gateway.refresh_to_k8s()
+        if gateway.change_default_tls():
+            gateway.save()
+        else:
+            gateway.refresh_to_k8s()
     for route in instance.app.route_set.all():
-        route.refresh_to_k8s()
+        if route.change_default_tls():
+            route.save()
+        else:
+            route.refresh_to_k8s()
 
 
 @receiver(signal=[post_save, post_delete], sender=AppSettings)

rootfs/api/tests/test_config.py

@@ -486,13 +486,15 @@ def test_unset_limits_error(self, mock_requests):
             sha='somereallylongsha'
         )
         # create an initial release
-        Release.objects.create(
+        release = Release.objects.create(
             version=3,
             owner=user,
             app=app,
             config=app.config_set.latest(),
             build=build
         )
+        # deploy
+        app.pipeline(release)
         # unset error
         body = {
             'limits': {