chore(controller): improve the details of certificate

Author: duanhongyi

charts/controller/templates/controller-certificate.yaml

@@ -4,7 +4,7 @@ kind: Certificate
 metadata:
   name: drycc-controller
 spec:
-  secretName: drycc-controller-auto-tls
+  secretName: drycc-controller-certificate-auto
   issuerRef:
     name: drycc-cluster-issuer
     kind: ClusterIssuer

charts/controller/templates/controller-ingress.yaml

@@ -27,7 +27,7 @@ spec:
           servicePort: 80
   {{ if .Values.global.cert_manager_enabled }}
   tls:
-    - secretName: drycc-controller-auto-tls
+    - secretName: drycc-controller-certificate-auto
       hosts:
         - drycc.{{ .Values.global.platform_domain }}
   {{- end }}

rootfs/api/models/app.py

@@ -1,7 +1,7 @@
 import backoff
 import base64
 import math
-from collections import OrderedDict
+from collections import OrderedDict, defaultdict
 from datetime import datetime
 from docker import auth as docker_auth
 import functools
@@ -162,7 +162,7 @@ def _get_entrypoint(self, container_type):
 
         return entrypoint
 
-    def _refresh_tls(self, certs_auto_enabled, hosts):
+    def _refresh_certificate(self, certs_auto_enabled, hosts):
         namespace = name = self.id
         try:
             data = self._scheduler.certificate.get(namespace, name).json()
@@ -208,35 +208,27 @@ def _refresh_ingress(self, hosts, tls_map, ssl_redirect):
         except KubeException as e:
             raise ServiceUnavailable('Could not create Ingress in Kubernetes') from e
 
-    def refresh_ingress_and_tls(self):
-        if not getattr(self, 'refresh_ingress_and_tls_enabled', True):
+    def refresh(self):
+        if not getattr(self, 'refresh_enabled', True):
             return
         app_settings = self.appsettings_set.latest()
         if not app_settings.routable:
             return
-        ingress = self.id
-        hosts, tls_map = [], {}
-
         tls = self.tls_set.latest()
         ssl_redirect = "true" if bool(tls.https_enforced) else "false"
         certs_auto_enabled = bool(tls.certs_auto_enabled)
-
+        hosts, tls_map = [], defaultdict(list)
         for domain in Domain.objects.filter(app=self):
-            if str(domain.domain) == self.id:
-                host = "%s.%s" % (ingress, settings.PLATFORM_DOMAIN)
-            else:
-                host = str(domain.domain)
+            host = str(domain.domain)
             hosts.append(host)
-            if certs_auto_enabled or domain.certificate:
-                if certs_auto_enabled:
-                    secret_name = '%s-auto-tls' % self.id
-                elif domain.certificate:
-                    secret_name = '%s-cert' % domain.certificate.name
-                if secret_name not in tls_map:
-                    tls_map[secret_name] = []
+            if domain.certificate:
+                secret_name = '%s-certificate' % domain.certificate.name
+                tls_map[secret_name].append(host)
+            if certs_auto_enabled and not domain.domain.startswith("*."):
+                secret_name = '%s-certificate-auto' % self.id
                 tls_map[secret_name].append(host)
-        self._refresh_ingress(hosts, tls_map, ssl_redirect)
-        self._refresh_tls(certs_auto_enabled, hosts)
+        self._refresh_ingress(hosts, dict(tls_map), ssl_redirect)
+        self._refresh_certificate(certs_auto_enabled, hosts)
 
     def log(self, message, level=logging.INFO):
         """Logs a message in the context of this application.
@@ -311,7 +303,7 @@ def create(self, *args, **kwargs):  # noqa
 
             raise ServiceUnavailable('Kubernetes resources could not be created') from e
         try:
-            setattr(self, 'refresh_ingress_and_tls_enabled', False)  # do not refresh
+            setattr(self, 'refresh_enabled', False)  # do not refresh
             try:
                 self.appsettings_set.latest()
             except AppSettings.DoesNotExist:
@@ -322,12 +314,13 @@ def create(self, *args, **kwargs):  # noqa
                 TLS.objects.create(owner=self.owner, app=self)
             # Attach the platform specific application sub domain to the k8s service
             # Only attach it on first release in case a customer has remove the app domain
-            if rel.version == 1 and not Domain.objects.filter(domain=self.id).exists():
-                Domain.objects.create(owner=self.owner, app=self, domain=self.id)
+            domain = "%s.%s" % (self.id, settings.PLATFORM_DOMAIN)
+            if rel.version == 1 and not Domain.objects.filter(domain=domain).exists():
+                Domain.objects.create(owner=self.owner, app=self, domain=domain)
             # The default routable is true, so refresh ingress and tls
         finally:
-            setattr(self, 'refresh_ingress_and_tls_enabled', True)
-        self.refresh_ingress_and_tls()  # refresh
+            setattr(self, 'refresh_enabled', True)
+        self.refresh()  # refresh
 
     def delete(self, *args, **kwargs):
         """Delete this application including all containers"""
@@ -968,7 +961,7 @@ def routable(self, routable):
         Turn on/off if an application is publically routable
         """
         if routable:
-            self.refresh_ingress_and_tls()
+            self.refresh()
         else:
             try:
                 namespace = ingress = self.id

rootfs/api/models/appsettings.py

@@ -182,5 +182,5 @@ def save(self, *args, **kwargs):
         try:
             return super(AppSettings, self).save(**kwargs)
         finally:
-            self.app.refresh_ingress_and_tls()
+            self.app.refresh()
         self.app.log('summary of app setting changes: {}'.format(summary), logging.DEBUG)

rootfs/api/models/certificate.py

@@ -181,7 +181,7 @@ def attach_in_kubernetes(self, domain):
         """Creates the certificate as a kubernetes secret"""
         # only create if it exists - We raise an exception when a secret doesn't exist
         try:
-            name = '%s-cert' % self.name
+            name = '%s-certificate' % self.name
             namespace = domain.app.id
             data = {
                 'tls.crt': self.certificate,
@@ -207,7 +207,7 @@ def detach(self, *args, **kwargs):
         domain.certificate = None
         domain.save()
 
-        name = '%s-cert' % self.name
+        name = '%s-certificate' % self.name
         namespace = domain.app.id
 
         # only delete if it exists and if no other domains depend on secret
@@ -217,4 +217,4 @@ def detach(self, *args, **kwargs):
                 self._scheduler.secret.get(namespace, name)
                 self._scheduler.secret.delete(namespace, name)
             except KubeException as e:
-                raise ServiceUnavailable("Could not delete certificate secret {} for application {}".format(name, namespace)) from e  # noqa
+                raise ServiceUnavailable("Could not delete certificate secret {} for application {}".format(name, namespace)) from e  # noqa

rootfs/api/models/domain.py

@@ -30,7 +30,7 @@ def save(self, *args, **kwargs):
             # Save to DB
             return super(Domain, self).save(*args, **kwargs)
         finally:
-            self.app.refresh_ingress_and_tls()
+            self.app.refresh()
 
     @transaction.atomic
     def delete(self, *args, **kwargs):
@@ -41,7 +41,7 @@ def delete(self, *args, **kwargs):
             # Delete from DB
             return super(Domain, self).delete(*args, **kwargs)
         finally:
-            self.app.refresh_ingress_and_tls()
+            self.app.refresh()
 
     def __str__(self):
         return self.domain

rootfs/api/models/tls.py

@@ -48,7 +48,7 @@ def save(self, *args, **kwargs):
             # Save to DB
             return super(TLS, self).save(*args, **kwargs)
         finally:
-            self.app.refresh_ingress_and_tls()
+            self.app.refresh()
 
     def sync(self):
-        self.app.refresh_ingress_and_tls()
+        self.app.refresh()

rootfs/api/settings/production.py

@@ -336,9 +336,9 @@
 KUBERNETES_POD_TERMINATION_GRACE_PERIOD_SECONDS = int(os.environ.get('KUBERNETES_POD_TERMINATION_GRACE_PERIOD_SECONDS', 30))  # noqa
 
 # Minimum allocation cpu, units are represented in the millicpu of CPUs
-KUBERNETES_CPU_MIN_ALLOCATION = int(os.environ.get('KUBERNETES_RAM_MIN_ALLOCATION', '100'))
+KUBERNETES_CPU_MIN_ALLOCATION = int(os.environ.get('KUBERNETES_RAM_MIN_ALLOCATION', '10'))
 # Minimum allocation memory, units are represented in Megabytes(M)
-KUBERNETES_RAM_MIN_ALLOCATION = int(os.environ.get('KUBERNETES_RAM_MIN_ALLOCATION', '128'))
+KUBERNETES_RAM_MIN_ALLOCATION = int(os.environ.get('KUBERNETES_RAM_MIN_ALLOCATION', '64'))
 # Maximum allocation cpu, units are represented in the millicpu of CPUs
 KUBERNETES_CPU_MAX_ALLOCATION = int(os.environ.get('KUBERNETES_RAM_MIN_ALLOCATION', '32000'))
 # Maximum allocation memory, units are represented in Megabytes(M)

rootfs/api/tests/test_domain.py

@@ -7,6 +7,7 @@
 
 from django.contrib.auth.models import User
 from django.core.cache import cache
+from django.conf import settings
 from rest_framework.authtoken.models import Token
 
 from api.models import Domain
@@ -66,7 +67,9 @@ def test_strip_dot(self):
         url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
         response = self.client.get(url)
         expected = [data['domain'] for data in response.data['results']]
-        self.assertEqual(sorted([self.app_id, domain]), expected, msg)
+        self.assertEqual(
+            sorted(["%s.%s" % (self.app_id, settings.PLATFORM_DOMAIN), domain]),
+            expected, msg)
 
     def test_manage_idn_domain(self):
         url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
@@ -102,7 +105,9 @@ def test_manage_idn_domain(self):
             url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
             response = self.client.get(url)
             expected = [data['domain'] for data in response.data['results']]
-            self.assertEqual(sorted([self.app_id, ace_domain]), sorted(expected), msg)
+            self.assertEqual(
+                sorted(["%s.%s" % (self.app_id, settings.PLATFORM_DOMAIN), ace_domain]),
+                sorted(expected), msg)
 
             # Verify creation failure for same domain with different encoding
             if ace_domain != domain:
@@ -127,7 +132,9 @@ def test_manage_idn_domain(self):
 
             # verify only app domain is left
             expected = [data['domain'] for data in response.data['results']]
-            self.assertEqual([self.app_id], expected, msg)
+            self.assertEqual(
+                ["%s.%s" % (self.app_id, settings.PLATFORM_DOMAIN)],
+                expected, msg)
 
             # Use different encoding for creating and deleting (ACE)
             if ace_domain != domain:
@@ -139,7 +146,9 @@ def test_manage_idn_domain(self):
                 url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
                 response = self.client.get(url)
                 expected = [data['domain'] for data in response.data['results']]
-                self.assertEqual(sorted([self.app_id, ace_domain]), sorted(expected), msg)
+                self.assertEqual(
+                    sorted(["%s.%s" % (self.app_id, settings.PLATFORM_DOMAIN), ace_domain]),
+                    sorted(expected), msg)
 
                 # Delete
                 url = '/v2/apps/{app_id}/domains/{hostname}'.format(hostname=ace_domain,
@@ -154,7 +163,9 @@ def test_manage_idn_domain(self):
 
                 # verify only app domain is left
                 expected = [data['domain'] for data in response.data['results']]
-                self.assertEqual([self.app_id], expected, msg)
+                self.assertEqual(
+                    ["%s.%s" % (self.app_id, settings.PLATFORM_DOMAIN)],
+                    expected, msg)
 
             # Use different encoding for creating and deleting (Unicode)
             if unicode_domain != domain:
@@ -166,7 +177,9 @@ def test_manage_idn_domain(self):
                 url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
                 response = self.client.get(url)
                 expected = [data['domain'] for data in response.data['results']]
-                self.assertEqual(sorted([self.app_id, ace_domain]), sorted(expected), msg)
+                self.assertEqual(
+                    sorted(["%s.%s" % (self.app_id, settings.PLATFORM_DOMAIN), ace_domain]),
+                    sorted(expected), msg)
 
                 # Delete
                 url = '/v2/apps/{app_id}/domains/{hostname}'.format(hostname=unicode_domain,
@@ -181,7 +194,9 @@ def test_manage_idn_domain(self):
 
                 # verify only app domain is left
                 expected = [data['domain'] for data in response.data['results']]
-                self.assertEqual([self.app_id], expected, msg)
+                self.assertEqual(
+                    ["%s.%s" % (self.app_id, settings.PLATFORM_DOMAIN)],
+                    expected, msg)
 
     def test_manage_domain(self):
         url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
@@ -211,7 +226,9 @@ def test_manage_domain(self):
             url = '/v2/apps/{app_id}/domains'.format(app_id=self.app_id)
             response = self.client.get(url)
             expected = [data['domain'] for data in response.data['results']]
-            self.assertEqual(sorted([self.app_id, domain]), sorted(expected), msg)
+            self.assertEqual(
+                sorted(["%s.%s" % (self.app_id, settings.PLATFORM_DOMAIN), domain]),
+                sorted(expected), msg)
 
             # Delete
             url = '/v2/apps/{app_id}/domains/{hostname}'.format(hostname=domain,
@@ -226,7 +243,9 @@ def test_manage_domain(self):
 
             # verify only app domain is left
             expected = [data['domain'] for data in response.data['results']]
-            self.assertEqual([self.app_id], expected, msg)
+            self.assertEqual(
+                ["%s.%s" % (self.app_id, settings.PLATFORM_DOMAIN)],
+                expected, msg)
 
     def test_delete_domain_does_not_exist(self):
         """Remove a domain that does not exist"""
@@ -253,6 +272,13 @@ def test_delete_domain_does_not_remove_latest(self):
         with self.assertRaises(Domain.DoesNotExist):
             Domain.objects.get(domain=test_domains[0])
 
+    def test_delete_domain_does_not_remove_default(self):
+        domain = "%s.%s" % (self.app_id, settings.PLATFORM_DOMAIN)
+        url = '/v2/apps/{app_id}/domains/{domain}'.format(domain=domain,
+                                                          app_id=self.app_id)
+        response = self.client.delete(url)
+        self.assertEqual(response.status_code, 403, response.data)
+
     def test_delete_domain_does_not_remove_others(self):
         """https://github.com/drycc/drycc/issues/3475"""
         self.test_delete_domain_does_not_remove_latest()

rootfs/api/views.py

@@ -375,10 +375,17 @@ def get_object(self, **kwargs):
                 ace_domain = "*." + idna.encode(domain[2:]).decode("utf-8", "strict")
             else:
                 ace_domain = idna.encode(domain).decode("utf-8", "strict")
-        except:
+        except:  # noqa
             ace_domain = domain
         return get_object_or_404(qs, domain=ace_domain)
 
+    def destroy(self, request, **kwargs):
+        domain = self.get_object()
+        if "%s.%s" % (domain.app.id, settings.PLATFORM_DOMAIN) == domain.domain:
+            return Response(status=status.HTTP_403_FORBIDDEN)
+        domain.delete()
+        return Response(status=status.HTTP_204_NO_CONTENT)
+
 
 class ServiceViewSet(AppResourceViewSet):
     """A viewset for interacting with Service objects."""