chore(network): exempt gateway data-plane pods from NetworkPolicy

Author: duanhongyi

charts/controller/files/network-policy-template.json

@@ -1,6 +1,13 @@
 {
     "spec": {
-        "podSelector": {},
+        "podSelector": {
+            "matchExpressions": [
+                {
+                    "key": "drycc.cc/workspace",
+                    "operator": "Exists"
+                }
+            ]
+        },
         "policyTypes": [
             "Ingress"
         ],
@@ -10,7 +17,7 @@
                     {
                         "namespaceSelector": {
                             "matchLabels": {
-                                "drycc.cc/workspace_id": "{{workspace_id}}"
+                                "drycc.cc/workspace": "{{workspace}}"
                             }
                         }
                     }

rootfs/api/models/app.py

@@ -122,18 +122,6 @@ def _default_actor(self):
     def ptypes(self):
         return list(self.structure.keys())
 
-    @property
-    def scheduler(self):
-        """
-        Override @Base.AuditedModel.scheduler;
-        since the app itself doesn't have an app object context,
-        directly reference using ID instead.
-        """
-        scheduler = super(App, self).scheduler
-        scheduler.metadata["annotations"]["drycc.cc/app_id"] = str(self.id)
-        scheduler.metadata["annotations"]["drycc.cc/workspace_id"] = str(self.workspace_id)
-        return scheduler
-
     def check_ptypes(self, ptypes: set):
         """
         check available procfile types
@@ -955,7 +943,7 @@ def _create_network_policy(self):
             return
         name = namespace = self.id
         json_str = Template(settings.DRYCC_NETWORK_POLICY_TEMPLATE).render(
-            Context({"workspace_id": str(self.workspace_id)})).strip()
+            Context({"workspace": str(self.workspace.id)})).strip()
         kwargs = json.loads(json_str) if json_str else {}
         try:
             self.scheduler.networkpolicy.get(namespace, name)

rootfs/api/models/base.py

@@ -60,11 +60,13 @@ def app_log(self, app_id, msg):
 
     @property
     def scheduler(self):
-        labels = annotations = {}
-        if hasattr(self, 'app'):
-            labels["drycc.cc/app_id"] = str(self.app.id)
-            labels["drycc.cc/workspace_id"] = str(self.app.workspace.id)
-        return get_scheduler(metadata={"labels": labels, "annotations": annotations})
+        from api.models.app import App
+        labels = {}
+        if hasattr(self, 'app') or isinstance(self, App):
+            app = getattr(self, 'app', self)
+            labels["drycc.cc/app"] = app.id
+            labels["drycc.cc/workspace"] = app.workspace.id
+        return get_scheduler(metadata={"labels": labels, "annotations": dict(labels)})
 
 
 class UuidAuditedModel(AuditedModel):

rootfs/api/tests/test_app.py

@@ -658,7 +658,20 @@ def test_get_private_registry_config_off_cluster(self, mock_requests):
         auth = bytes('{}:{}'.format("test", "test"), 'UTF-8')
         encAuth = base64.b64encode(auth).decode(encoding='UTF-8')
         image = "test.com/test/test"
-        docker_config, name, create = App()._get_private_registry_config("web", image, registry.get("web", {}))  # noqa
+        scheduler = mock.Mock()
+        scheduler.secret.get.return_value.json.return_value = {
+            'data': {
+                'registry-host': '',
+                'registry-username': 'test',
+                'registry-password': 'test',
+            }
+        }
+        with mock.patch.object(
+            App, 'scheduler', new_callable=mock.PropertyMock
+        ) as scheduler_property:
+            scheduler_property.return_value = scheduler
+            docker_config, name, create = App()._get_private_registry_config(
+                "web", image, registry.get("web", {}))  # noqa
         dockerConfig = json.loads(docker_config)
         expected = {"https://index.docker.io/v1/": {
             "auth": encAuth

rootfs/scheduler/__init__.py

@@ -45,10 +45,12 @@ def __init__(self, url, k8s_api_verify_tls=True, metadata=None):
         self.url = url
         self.k8s_api_verify_tls = k8s_api_verify_tls
         self.session = get_k8s_session(self.k8s_api_verify_tls)
-        self.metadata = metadata
+        self.metadata = {} if metadata is None else metadata
 
         # map the various k8s Resources to an internal property
         from scheduler.resources import Resource  # lazy load
+        if not isinstance(self, Resource):
+            KubeHTTPClient.resource_mapping = OrderedDict()
         for res in Resource:
             name = str(res.__name__).lower()  # singular
             component = name + 's'  # make plural
@@ -58,7 +60,8 @@ def __init__(self, url, k8s_api_verify_tls=True, metadata=None):
 
             # get past recursion problems in case of self reference
             self.resource_mapping[component] = ''
-            self.resource_mapping[component] = res(self.url, self.k8s_api_verify_tls)
+            self.resource_mapping[component] = res(
+                self.url, self.k8s_api_verify_tls, metadata=self.metadata)
             # map singular Resource name to the plural one
             self.resource_mapping[name] = component
             if res.short_name is not None:
@@ -185,45 +188,45 @@ def http_get(self, path, params=None, **kwargs):
 
         return response
 
-    def http_post(self, path, data=None, json=None, **kwargs):
+    def http_post(self, path, json=None, **kwargs):
         """
         Make a POST request to the k8s server.
         """
         try:
             url = urljoin(self.url, path)
-            if self.metadata is not None and "metadata" in data:
-                data["metadata"] = utils.dict_merge(data["metadata"], self.metadata)
-            response = self.session.post(url, data=data, json=json, **kwargs)
+            if json is not None and "metadata" in json:
+                json["metadata"] = utils.dict_merge(json["metadata"], self.metadata)
+            response = self.session.post(url, json=json, **kwargs)
         except requests.exceptions.ConnectionError as err:
             # reraise as KubeException, but log stacktrace.
             message = "There was a problem posting data to " \
                       "the Kubernetes API server. URL: {}, " \
-                      "data: {}, json: {}".format(url, data, json)
+                      "json: {}".format(url, json)
             logger.error(message)
             raise KubeException(message) from err
 
         return response
 
-    def http_put(self, path, data=None, **kwargs):
+    def http_put(self, path, json=None, **kwargs):
         """
         Make a PUT request to the k8s server.
         """
         try:
             url = urljoin(self.url, path)
-            if self.metadata is not None and "metadata" in data:
-                data["metadata"] = utils.dict_merge(data["metadata"], self.metadata)
-            response = self.session.put(url, data=data, **kwargs)
+            if json is not None and "metadata" in json:
+                json["metadata"] = utils.dict_merge(json["metadata"], self.metadata)
+            response = self.session.put(url, json=json, **kwargs)
         except requests.exceptions.ConnectionError as err:
             # reraise as KubeException, but log stacktrace.
             message = "There was a problem putting data to " \
                       "the Kubernetes API server. URL: {}, " \
-                      "data: {}".format(url, data)
+                      "json: {}".format(url, json)
             logger.error(message)
             raise KubeException(message) from err
 
         return response
 
-    def http_patch(self, path, data=None, **kwargs):
+    def http_patch(self, path, json=None, **kwargs):
         """
         Make a PATCH request to the k8s server.
         """
@@ -234,14 +237,14 @@ def http_patch(self, path, data=None, **kwargs):
             # application/merge-patch+json,
             # application/apply-patch+yaml
             # self.session.headers["Content-Type"] = "application/json-patch+json"
-            if self.metadata is not None and "metadata" in data:
-                data["metadata"] = utils.dict_merge(data["metadata"], self.metadata)
-            response = self.session.patch(url, data=data, **kwargs)
+            if json is not None and "metadata" in json:
+                json["metadata"] = utils.dict_merge(json["metadata"], self.metadata)
+            response = self.session.patch(url, json=json, **kwargs)
         except requests.exceptions.ConnectionError as err:
             # reraise as KubeException, but log stacktrace.
             message = "There was a problem patching data to " \
                       "the Kubernetes API server. URL: {}, " \
-                      "data: {}".format(url, data)
+                      "json: {}".format(url, json)
             logger.error(message)
             raise KubeException(message) from err
 

rootfs/scheduler/resources/namespace.py

@@ -1,5 +1,6 @@
 from scheduler.exceptions import KubeHTTPException
 from scheduler.resources import Resource
+import copy
 
 
 class Namespace(Resource):
@@ -26,16 +27,18 @@ def get(self, name=None, **kwargs):
 
         return response
 
-    def create(self, namespace):
+    def create(self, namespace, **kwargs):
+        # labels that represent the namespace
+        labels = copy.deepcopy(kwargs.get('labels', {}))
+        labels.update({'heritage': 'drycc'})
+
         url = self.api("/namespaces")
         data = {
             "kind": "Namespace",
             "apiVersion": self.api_version,
             "metadata": {
                 "name": namespace,
-                "labels": {
-                    'heritage': 'drycc'
-                }
+                "labels": labels,
             }
         }
 

rootfs/scheduler/resources/pod.py

@@ -9,6 +9,8 @@
 from scheduler.resources import Resource
 from scheduler.states import PodState
 
+from api import utils
+
 DEFAULT_CONTAINER_PORT = 5000
 
 
@@ -192,7 +194,7 @@ def manifest(self, namespace, name, image, **kwargs):
             spec['imagePullSecrets'] = [{'name': kwargs.get('image_pull_secret_name')}]
 
         spec['containers'] = [container]
-
+        manifest["metadata"] = utils.dict_merge(manifest["metadata"], self.metadata)
         return manifest
 
     def _set_container(self, namespace, container_name, data, **kwargs):

rootfs/scheduler/tests/test_namespaces.py

@@ -3,13 +3,44 @@
 
 Run the tests with './manage.py test scheduler'
 """
+from django.conf import settings
+
+from scheduler import mock as scheduler_mock
 from scheduler import KubeHTTPException
 from scheduler.tests import TestCase
+from scheduler.tests.utils import generate_random_name
 
 
 class NamespacesTest(TestCase):
     """Tests scheduler namespace calls"""
 
+    def test_create_namespace_with_metadata_injection(self):
+        namespace = generate_random_name()
+        scheduler = scheduler_mock.MockSchedulerClient(
+            settings.SCHEDULER_URL,
+            metadata={
+                'labels': {
+                    'drycc.cc/app': 'test-app',
+                    'drycc.cc/workspace': 'test-workspace',
+                },
+                'annotations': {
+                    'app.kubernetes.io/managed-by': 'drycc',
+                    'drycc.cc/app': 'test-app',
+                }
+            }
+        )
+
+        response = scheduler.ns.create(namespace)
+        data = response.json()
+
+        self.assertEqual(response.status_code, 201, data)
+        self.assertEqual(data['metadata']['labels']['heritage'], 'drycc')
+        self.assertEqual(data['metadata']['labels']['drycc.cc/app'], 'test-app')
+        self.assertEqual(data['metadata']['labels']['drycc.cc/workspace'], 'test-workspace')
+        self.assertEqual(
+            data['metadata']['annotations']['app.kubernetes.io/managed-by'], 'drycc')
+        self.assertEqual(data['metadata']['annotations']['drycc.cc/app'], 'test-app')
+
     def test_create_namespace(self):
         # subclassed function does all the checking
         self.create_namespace()

rootfs/scheduler/tests/test_services.py

@@ -3,6 +3,9 @@
 
 Run the tests with './manage.py test scheduler'
 """
+from django.conf import settings
+
+from scheduler import mock as scheduler_mock
 from scheduler import KubeHTTPException
 from scheduler.tests import TestCase
 from scheduler.tests.utils import generate_random_name
@@ -11,6 +14,39 @@
 class ServicesTest(TestCase):
     """Tests scheduler service calls"""
 
+    def test_create_service_with_metadata_injection(self):
+        name = generate_random_name()
+        scheduler = scheduler_mock.MockSchedulerClient(
+            settings.SCHEDULER_URL,
+            metadata={
+                'labels': {
+                    'drycc.cc/app': 'test-app',
+                    'drycc.cc/workspace': 'test-workspace',
+                },
+                'annotations': {
+                    'app.kubernetes.io/managed-by': 'drycc',
+                    'drycc.cc/workspace': 'test-workspace',
+                }
+            }
+        )
+
+        response = scheduler.svc.create(self.namespace, name, ports=[{
+            'port': 5000,
+            'protocol': 'TCP',
+            'targetPort': 5000,
+        }])
+        data = response.json()
+
+        self.assertEqual(response.status_code, 201, data)
+        self.assertEqual(data['metadata']['labels']['app'], self.namespace)
+        self.assertEqual(data['metadata']['labels']['heritage'], 'drycc')
+        self.assertEqual(data['metadata']['labels']['drycc.cc/app'], 'test-app')
+        self.assertEqual(data['metadata']['labels']['drycc.cc/workspace'], 'test-workspace')
+        self.assertEqual(
+            data['metadata']['annotations']['app.kubernetes.io/managed-by'], 'drycc')
+        self.assertEqual(
+            data['metadata']['annotations']['drycc.cc/workspace'], 'test-workspace')
+
     def create(self, port=5000, protocol="TCP", target_port=5000):
         """
         Helper function to create and verify a service on the namespace