From 5893ee39a3526a1520343898c0707cd7a4bacd26 Mon Sep 17 00:00:00 2001
From: Maarten de Waard
Date: Fri, 12 Aug 2022 13:08:03 +0200
Subject: [PATCH 1/8] draft of installing apps and getting app status

---
 .pylintrc | 610 ++++++++++++++++++
 areas/apps/apps.py | 8 +
 areas/apps/models.py | 125 +++-
 .../add-app-kustomization.yaml.jinja | 14 +
 .../stackspin-nextcloud-variables.yaml.jinja | 12 +
 .../stackspin-oauth-variables.yaml.jinja | 8 +
 .../stackspin-wekan-variables.yaml.jinja | 7 +
 .../stackspin-wordpress-variables.yaml.jinja | 9 +
 .../stackspin-zulip-variables.yaml.jinja | 12 +
 cliapp/cliapp/cli.py | 50 +-
 docker-compose.yml | 2 +
 helpers/kubernetes.py | 296 +++++++++
 requirements.txt | 2 +
 13 files changed, 1148 insertions(+), 7 deletions(-)
 create mode 100644 .pylintrc
 create mode 100644 areas/apps/templates/add-app-kustomization.yaml.jinja
 create mode 100644 areas/apps/templates/stackspin-nextcloud-variables.yaml.jinja
 create mode 100644 areas/apps/templates/stackspin-oauth-variables.yaml.jinja
 create mode 100644 areas/apps/templates/stackspin-wekan-variables.yaml.jinja
 create mode 100644 areas/apps/templates/stackspin-wordpress-variables.yaml.jinja
 create mode 100644 areas/apps/templates/stackspin-zulip-variables.yaml.jinja
 create mode 100644 helpers/kubernetes.py

diff --git a/.pylintrc b/.pylintrc
new file mode 100644
index 0000000..3f7a685
--- /dev/null
+++ b/.pylintrc
@@ -0,0 +1,610 @@ +[MAIN] + +# Analyse import fallback blocks. This can be used to support both Python 2 and +# 3 compatible code, which means that the block might have code that exists +# only in one or another interpreter, leading to false positives when analysed. +analyse-fallback-blocks=no + +# Load and enable all available extensions. Use --list-extensions to see a list +# all available extensions. +#enable-all-extensions= + +# In error mode, messages with a category besides ERROR or FATAL are +# suppressed, and no reports are done by default. Error mode is compatible with +# disabling specific errors. +#errors-only= + +# Always return a 0 (non-error) status code, even if lint errors are found. +# This is primarily useful in continuous integration scripts. +#exit-zero= + +# A comma-separated list of package or module names from where C extensions may +# be loaded. Extensions are loading into the active Python interpreter and may +# run arbitrary code. +extension-pkg-allow-list= + +# A comma-separated list of package or module names from where C extensions may +# be loaded. Extensions are loading into the active Python interpreter and may +# run arbitrary code. (This is an alternative name to extension-pkg-allow-list +# for backward compatibility.) +extension-pkg-whitelist= + +# Return non-zero exit code if any of these messages/categories are detected, +# even if score is above --fail-under value. Syntax same as enable. Messages +# specified are enabled, while categories only check already-enabled messages. +fail-on= + +# Specify a score threshold to be exceeded before program exits with error. +fail-under=10 + +# Interpret the stdin as a python script, whose filename needs to be passed as +# the module_or_package argument. +#from-stdin= + +# Files or directories to be skipped. They should be base names, not paths. +ignore=CVS + +# Add files or directories matching the regex patterns to the ignore-list. 
The +# regex matches against paths and can be in Posix or Windows format. +ignore-paths= + +# Files or directories matching the regex patterns are skipped. The regex +# matches against base names, not paths. The default value ignores Emacs file +# locks +ignore-patterns=^\.# + +# List of module names for which member attributes should not be checked +# (useful for modules/projects where namespaces are manipulated during runtime +# and thus existing member attributes cannot be deduced by static analysis). It +# supports qualified module names, as well as Unix pattern matching. +ignored-modules= + +# Python code to execute, usually for sys.path manipulation such as +# pygtk.require(). +#init-hook= + +# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the +# number of processors available to use, and will cap the count on Windows to +# avoid hangs. +jobs=1 + +# Control the amount of potential inferred values when inferring a single +# object. This can help the performance when dealing with large functions or +# complex, nested conditions. +limit-inference-results=100 + +# List of plugins (as comma separated values of python module names) to load, +# usually to register additional checkers. +load-plugins=pylint_flask,pylint_flask_sqlalchemy + +# Pickle collected data for later comparisons. +persistent=yes + +# Minimum Python version to use for version dependent checks. Will default to +# the version used to run pylint. +py-version=3.9 + +# Discover python modules and packages in the file system subtree. +recursive=no + +# When enabled, pylint would attempt to guess common misconfiguration and emit +# user-friendly hints instead of false-positive error messages. +suggestion-mode=yes + +# Allow loading of arbitrary C extensions. Extensions are imported into the +# active Python interpreter and may run arbitrary code. +unsafe-load-any-extension=no + +# In verbose mode, extra non-checker-related info will be displayed. 
+#verbose= + + +[REPORTS] + +# Python expression which should return a score less than or equal to 10. You +# have access to the variables 'fatal', 'error', 'warning', 'refactor', +# 'convention', and 'info' which contain the number of messages in each +# category, as well as 'statement' which is the total number of statements +# analyzed. This score is used by the global evaluation report (RP0004). +evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)) + +# Template used to display messages. This is a python new-style format string +# used to format the message information. See doc for all details. +msg-template= + +# Set the output format. Available formats are text, parseable, colorized, json +# and msvs (visual studio). You can also give a reporter class, e.g. +# mypackage.mymodule.MyReporterClass. +#output-format= + +# Tells whether to display a full report or only the messages. +reports=no + +# Activate the evaluation score. +score=yes + + +[MESSAGES CONTROL] + +# Only show warnings with the listed confidence levels. Leave empty to show +# all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE, +# UNDEFINED. +confidence=HIGH, + CONTROL_FLOW, + INFERENCE, + INFERENCE_FAILURE, + UNDEFINED + +# Disable the message, report, category or checker with the given id(s). You +# can either give multiple identifiers separated by comma (,) or put this +# option multiple times (only on the command line, not in the configuration +# file where it should appear only once). You can also use "--disable=all" to +# disable everything first and then re-enable specific checks. For example, if +# you want to run only the similarities checker, you can use "--disable=all +# --enable=similarities". If you want to run only the classes checker, but have +# no Warning level messages displayed, use "--disable=all --enable=classes +# --disable=W". 
+disable=raw-checker-failed, + bad-inline-option, + locally-disabled, + file-ignored, + suppressed-message, + useless-suppression, + deprecated-pragma, + use-symbolic-message-instead + +# Enable the message, report, category or checker with the given id(s). You can +# either give multiple identifier separated by comma (,) or put this option +# multiple time (only on the command line, not in the configuration file where +# it should appear only once). See also the "--disable" option for examples. +enable=c-extension-no-member + + +[CLASSES] + +# Warn about protected attribute access inside special methods +check-protected-access-in-special-methods=no + +# List of method names used to declare (i.e. assign) instance attributes. +defining-attr-methods=__init__, + __new__, + setUp, + __post_init__ + +# List of member names, which should be excluded from the protected access +# warning. +exclude-protected=_asdict, + _fields, + _replace, + _source, + _make + +# List of valid names for the first argument in a class method. +valid-classmethod-first-arg=cls + +# List of valid names for the first argument in a metaclass class method. +valid-metaclass-classmethod-first-arg=cls + + +[SIMILARITIES] + +# Comments are removed from the similarity computation +ignore-comments=yes + +# Docstrings are removed from the similarity computation +ignore-docstrings=yes + +# Imports are removed from the similarity computation +ignore-imports=yes + +# Signatures are removed from the similarity computation +ignore-signatures=yes + +# Minimum lines number of a similarity. +min-similarity-lines=4 + + +[REFACTORING] + +# Maximum number of nested blocks for function / method body +max-nested-blocks=5 + +# Complete name of functions that never returns. When checking for +# inconsistent-return-statements if a never returning function is called then +# it will be considered as an explicit return statement and no message will be +# printed. 
+never-returning-functions=sys.exit,argparse.parse_error + + +[BASIC] + +# Naming style matching correct argument names. +argument-naming-style=snake_case + +# Regular expression matching correct argument names. Overrides argument- +# naming-style. If left empty, argument names will be checked with the set +# naming style. +#argument-rgx= + +# Naming style matching correct attribute names. +attr-naming-style=snake_case + +# Regular expression matching correct attribute names. Overrides attr-naming- +# style. If left empty, attribute names will be checked with the set naming +# style. +#attr-rgx= + +# Bad variable names which should always be refused, separated by a comma. +bad-names=foo, + bar, + baz, + toto, + tutu, + tata + +# Bad variable names regexes, separated by a comma. If names match any regex, +# they will always be refused +bad-names-rgxs= + +# Naming style matching correct class attribute names. +class-attribute-naming-style=any + +# Regular expression matching correct class attribute names. Overrides class- +# attribute-naming-style. If left empty, class attribute names will be checked +# with the set naming style. +#class-attribute-rgx= + +# Naming style matching correct class constant names. +class-const-naming-style=UPPER_CASE + +# Regular expression matching correct class constant names. Overrides class- +# const-naming-style. If left empty, class constant names will be checked with +# the set naming style. +#class-const-rgx= + +# Naming style matching correct class names. +class-naming-style=PascalCase + +# Regular expression matching correct class names. Overrides class-naming- +# style. If left empty, class names will be checked with the set naming style. +#class-rgx= + +# Naming style matching correct constant names. +const-naming-style=UPPER_CASE + +# Regular expression matching correct constant names. Overrides const-naming- +# style. If left empty, constant names will be checked with the set naming +# style. 
+#const-rgx= + +# Minimum line length for functions/classes that require docstrings, shorter +# ones are exempt. +docstring-min-length=-1 + +# Naming style matching correct function names. +function-naming-style=snake_case + +# Regular expression matching correct function names. Overrides function- +# naming-style. If left empty, function names will be checked with the set +# naming style. +#function-rgx= + +# Good variable names which should always be accepted, separated by a comma. +good-names=i, + j, + k, + ex, + Run, + _ + +# Good variable names regexes, separated by a comma. If names match any regex, +# they will always be accepted +good-names-rgxs= + +# Include a hint for the correct naming format with invalid-name. +include-naming-hint=no + +# Naming style matching correct inline iteration names. +inlinevar-naming-style=any + +# Regular expression matching correct inline iteration names. Overrides +# inlinevar-naming-style. If left empty, inline iteration names will be checked +# with the set naming style. +#inlinevar-rgx= + +# Naming style matching correct method names. +method-naming-style=snake_case + +# Regular expression matching correct method names. Overrides method-naming- +# style. If left empty, method names will be checked with the set naming style. +#method-rgx= + +# Naming style matching correct module names. +module-naming-style=snake_case + +# Regular expression matching correct module names. Overrides module-naming- +# style. If left empty, module names will be checked with the set naming style. +#module-rgx= + +# Colon-delimited sets of names that determine each other's naming style when +# the name regexes allow several styles. +name-group= + +# Regular expression which should only match function or class names that do +# not require a docstring. +no-docstring-rgx=^_ + +# List of decorators that produce properties, such as abc.abstractproperty. Add +# to this list to register other decorators that produce valid properties. 
+# These decorators are taken in consideration only for invalid-name. +property-classes=abc.abstractproperty + +# Regular expression matching correct type variable names. If left empty, type +# variable names will be checked with the set naming style. +#typevar-rgx= + +# Naming style matching correct variable names. +variable-naming-style=snake_case + +# Regular expression matching correct variable names. Overrides variable- +# naming-style. If left empty, variable names will be checked with the set +# naming style. +#variable-rgx= + + +[SPELLING] + +# Limits count of emitted suggestions for spelling mistakes. +max-spelling-suggestions=4 + +# Spelling dictionary name. Available dictionaries: none. To make it work, +# install the 'python-enchant' package. +spelling-dict= + +# List of comma separated words that should be considered directives if they +# appear at the beginning of a comment and should not be checked. +spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy: + +# List of comma separated words that should not be checked. +spelling-ignore-words= + +# A path to a file that contains the private dictionary; one word per line. +spelling-private-dict-file= + +# Tells whether to store unknown words to the private dictionary (see the +# --spelling-private-dict-file option) instead of raising a message. +spelling-store-unknown-words=no + + +[VARIABLES] + +# List of additional names supposed to be defined in builtins. Remember that +# you should avoid defining new builtins when possible. +additional-builtins= + +# Tells whether unused global variables should be treated as a violation. +allow-global-unused-variables=yes + +# List of names allowed to shadow builtins +allowed-redefined-builtins= + +# List of strings which can identify a callback function by name. A callback +# name must start or end with one of those strings. +callbacks=cb_, + _cb + +# A regular expression matching the name of dummy variables (i.e. 
expected to +# not be used). +dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_ + +# Argument names that match this expression will be ignored. Default to name +# with leading underscore. +ignored-argument-names=_.*|^ignored_|^unused_ + +# Tells whether we should check for unused import in __init__ files. +init-import=no + +# List of qualified module names which can have objects that can redefine +# builtins. +redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io + + +[LOGGING] + +# The type of string formatting that logging methods do. `old` means using % +# formatting, `new` is for `{}` formatting. +logging-format-style=old + +# Logging modules to check that the string format arguments are in logging +# function parameter format. +logging-modules=logging + + +[FORMAT] + +# Expected format of line ending, e.g. empty (any line ending), LF or CRLF. +expected-line-ending-format= + +# Regexp for a line that is allowed to be longer than the limit. +ignore-long-lines=^\s*(# )??$ + +# Number of spaces of indent required inside a hanging or continued line. +indent-after-paren=4 + +# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 +# tab). +indent-string=' ' + +# Maximum number of characters on a single line. +max-line-length=100 + +# Maximum number of lines in a module. +max-module-lines=1000 + +# Allow the body of a class to be on the same line as the declaration if body +# contains single statement. +single-line-class-stmt=no + +# Allow the body of an if to be on the same line as the test if there is no +# else. +single-line-if-stmt=no + + +[EXCEPTIONS] + +# Exceptions that will emit a warning when caught. +overgeneral-exceptions=BaseException, + Exception + + +[IMPORTS] + +# List of modules that can be imported at any level, not just the top level +# one. +allow-any-import-level= + +# Allow wildcard imports from modules that define __all__. 
+allow-wildcard-with-all=no + +# Deprecated modules which should not be used, separated by a comma. +deprecated-modules= + +# Output a graph (.gv or any supported image format) of external dependencies +# to the given file (report RP0402 must not be disabled). +ext-import-graph= + +# Output a graph (.gv or any supported image format) of all (i.e. internal and +# external) dependencies to the given file (report RP0402 must not be +# disabled). +import-graph= + +# Output a graph (.gv or any supported image format) of internal dependencies +# to the given file (report RP0402 must not be disabled). +int-import-graph= + +# Force import order to recognize a module as part of the standard +# compatibility libraries. +known-standard-library= + +# Force import order to recognize a module as part of a third party library. +known-third-party=enchant + +# Couples of modules and preferred modules, separated by a comma. +preferred-modules= + + +[TYPECHECK] + +# List of decorators that produce context managers, such as +# contextlib.contextmanager. Add to this list to register other decorators that +# produce valid context managers. +contextmanager-decorators=contextlib.contextmanager + +# List of members which are set dynamically and missed by pylint inference +# system, and so shouldn't trigger E1101 when accessed. Python regular +# expressions are accepted. +generated-members= + +# Tells whether to warn about missing members when the owner of the attribute +# is inferred to be None. +ignore-none=yes + +# This flag controls whether pylint should warn about no-member and similar +# checks whenever an opaque object is returned when inferring. The inference +# can return multiple potential results while evaluating a Python object, but +# some branches might not be evaluated, which results in partial inference. In +# that case, it might be useful to still emit no-member and other checks for +# the rest of the inferred objects. 
+ignore-on-opaque-inference=yes + +# List of symbolic message names to ignore for Mixin members. +ignored-checks-for-mixins=no-member, + not-async-context-manager, + not-context-manager, + attribute-defined-outside-init + +# List of class names for which member attributes should not be checked (useful +# for classes with dynamically set attributes). This supports the use of +# qualified names. +ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace,scoped_session + +# Show a hint with possible names when a member name was not found. The aspect +# of finding the hint is based on edit distance. +missing-member-hint=yes + +# The minimum edit distance a name should have in order to be considered a +# similar match for a missing member name. +missing-member-hint-distance=1 + +# The total number of similar names that should be taken in consideration when +# showing a hint for a missing member. +missing-member-max-choices=1 + +# Regex pattern to define which classes are considered mixins. +mixin-class-rgx=.*[Mm]ixin + +# List of decorators that change the signature of a decorated function. +signature-mutators= + + +[MISCELLANEOUS] + +# List of note tags to take in consideration, separated by a comma. +notes=FIXME, + XXX, + TODO + +# Regular expression of note tags to take in consideration. +notes-rgx= + + +[STRING] + +# This flag controls whether inconsistent-quotes generates a warning when the +# character used as a quote delimiter is used inconsistently within a module. +check-quote-consistency=no + +# This flag controls whether the implicit-str-concat should generate a warning +# on implicit string concatenation in sequences defined over several lines. 
+check-str-concat-over-line-jumps=no
+
+
+[DESIGN]
+
+# List of regular expressions of class ancestor names to ignore when counting
+# public methods (see R0903)
+exclude-too-few-public-methods=
+
+# List of qualified class names to ignore when counting class parents (see
+# R0901)
+ignored-parents=
+
+# Maximum number of arguments for function / method.
+max-args=5
+
+# Maximum number of attributes for a class (see R0902).
+max-attributes=7
+
+# Maximum number of boolean expressions in an if statement (see R0916).
+max-bool-expr=5
+
+# Maximum number of branch for function / method body.
+max-branches=12
+
+# Maximum number of locals for function / method body.
+max-locals=15
+
+# Maximum number of parents for a class (see R0901).
+max-parents=7
+
+# Maximum number of public methods for a class (see R0904).
+max-public-methods=20
+
+# Maximum number of return / yield for function / method body.
+max-returns=6
+
+# Maximum number of statements in function / method body.
+max-statements=50
+
+# Minimum number of public methods for a class (see R0903).
+min-public-methods=2
diff --git a/areas/apps/apps.py b/areas/apps/apps.py
index edfc852..1be83ae 100644
--- a/areas/apps/apps.py
+++ b/areas/apps/apps.py
@@ -24,6 +24,14 @@ APPS_DATA = [
 APP_DATA = {"id": 1, "name": "Nextcloud", "selected": True, "status": "ON for everyone", "config": CONFIG_DATA},
+# Apps that should not get oauth variables when they are installed
+APPS_WITHOUT_OAUTH = [
+    "single-sign-on",
+    "prometheus",
+    "alertmanager",
+]
+
+APP_NOT_INSTALLED_STATUS = "Not installed"
 @api_v1.route('/apps', methods=['GET'])
 @jwt_required()
diff --git a/areas/apps/models.py b/areas/apps/models.py
index a9afdaf..0858592 100644
--- a/areas/apps/models.py
+++ b/areas/apps/models.py
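Review bot: `APP_NOT_INSTALLED_STATUS` is a bare string that doubles as a control-flow sentinel, and nothing at its definition says where it is compared; `App.get_status()` in models.py returns it when no Kustomization exists and `install_app` in cli.py refuses to install unless it sees exactly this value, so a reword later would silently break installs. Add `# Sentinel returned by App.get_status() when no Kustomization exists; cli `install` compares against it` above the constant. The `APPS_WITHOUT_OAUTH` comment could likewise say that membership is checked by slug in `App.__generate_secrets()` when the OAuth secret is created.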
@@ -1,6 +1,12 @@
+"""Everything to do with Apps"""
+
+import os
+
 from sqlalchemy import ForeignKey, Integer, String
 from sqlalchemy.orm import relationship
 from database import db
+import helpers.kubernetes as k8s
+from .apps import APPS_WITHOUT_OAUTH, APP_NOT_INSTALLED_STATUS
 class App(db.Model):
@@ -16,8 +22,122 @@ class App(db.Model):
     def __repr__(self):
         return f"{self.id} <{self.name}>"
+    def get_kustomization_status(self):
+        """Returns True if the kustomization for this App is ready"""
+        kustomization = k8s.get_kustomization(self.slug)
+        if kustomization is None:
+            return None
+        return kustomization['status']
-class AppRole(db.Model):
+    def get_helmrelease_status(self):
+        """Returns True if the kustomization for this App is ready"""
+        helmrelease = k8s.get_helmrelease(self.slug, self.namespace)
+        if helmrelease is None:
+            return None
+        return helmrelease['status']
+
+    def get_status(self):
+        """Returns a string that describes the app state in the cluster"""
+        ks_status = self.get_kustomization_status()
+        if ks_status is not None:
+            ks_ready, ks_message = App.check_condition(ks_status)
+        else:
+            ks_ready = None
+        hr_status = self.get_helmrelease_status()
+        if hr_status is not None:
+            hr_ready, hr_message = App.check_condition(hr_status)
+        else:
+            hr_ready = None
+        if ks_ready is None:
+            return APP_NOT_INSTALLED_STATUS
+        # *Should* not happen, but just in case:
+        if (ks_ready is None and hr_ready is not None) or \
+            (hr_ready is None and ks_ready is not None):
+            return ("This app is in a strange state. Contact a Stackspin"
+                " administrator if this status stays for longer than 5 minutes")
+        if ks_ready and hr_ready:
+            return "App installed and running"
+        if not hr_ready:
+            return f"App failed installing: {hr_message}"
+        if not ks_ready:
+            return f"App failed installing: {ks_message}"
+        return "App is installing..."
+
+
+    def install(self):
+        """Creates a Kustomization in the Kubernetes cluster that installs this application"""
+        # Generate the necessary passwords, etc. from a template
+        self.__generate_secrets()
+        # Create add- kustomization
+        self.__create_kustomization()
+
+    def __generate_secrets(self):
+        """Generates passwords for app installation"""
+        # Create app variables secret
+        if self.variables_template_filepath:
+            k8s.create_variables_secret(self.slug, self.variables_template_filepath)
+        # Create a secret that contains the oauth variables for Hydra Maester
+        if self.slug not in APPS_WITHOUT_OAUTH:
+            k8s.create_variables_secret(
+                self.slug,
+                os.path.join(self.__get_templates_dir(),
+                             "stackspin-oauth-variables.yaml.jinja"))
+
+    def __create_kustomization(self):
+        """Creates the `add-{app_slug}` kustomization in the Kubernetes cluster"""
+        kustomization_template_filepath = \
+            os.path.join(self.__get_templates_dir(),
+                         "add-app-kustomization.yaml.jinja")
+        k8s.store_kustomization(kustomization_template_filepath, self.slug)
+
+
+    @staticmethod
+    def __get_templates_dir():
+        """Returns directory that contains the Jinja templates used to create app secrets."""
+        return os.path.join(os.path.dirname(os.path.realpath(__file__)), "templates")
+
+    @property
+    def variables_template_filepath(self):
+        """Path to the variables template used to generate secrets the app needs"""
+        variables_template_filepath = os.path.join(self.__get_templates_dir(),
+                                                   f"stackspin-{self.slug}-variables.yaml.jinja")
+        if os.path.exists(variables_template_filepath):
+            return variables_template_filepath
+        return None
+
+    @property
+    def namespace(self):
+        """
+        Returns the Kubernetes namespace of this app
+
+        FIXME: This should probably become a database field.
+        """
+        if self.slug in ['nextcloud', 'wordpress', 'wekan', 'zulip']:
+            return 'stackspin-apps'
+        return 'stackspin'
+
+    @staticmethod
+    def check_condition(status):
+        """
+        Returns a tuple that has true/false for readiness and a message
+
+        Ready, in this case means that the condition's type == "Ready" and its
+        status == "True". If the condition type "Ready" does not exist, the
+        status is interpreted as not ready.
+
+        The message that is returned is the message that comes with the
+        condition with type "Ready"
+
+        :param status: Kubernetes resource's "status" object.
+        :type status: dict
+        """
+        for condition in status["conditions"]:
+            if condition["type"] == "Ready":
+                return condition["status"] == "True", condition["message"]
+        return False
+
+
+class AppRole(db.Model): # pylint: disable=too-few-public-methods
     """
     The AppRole object, stores the roles Users have on Apps
     """
@@ -29,4 +149,5 @@ class AppRole(db.Model):
     role = relationship("Role")
     def __repr__(self):
-        return f"role_id: {self.role_id}, user_id: {self.user_id}, app_id: {self.app_id}, role: {self.role}"
+        return (f"role_id: {self.role_id}, user_id: {self.user_id},"
+                f" app_id: {self.app_id}, role: {self.role}")
diff --git a/areas/apps/templates/add-app-kustomization.yaml.jinja b/areas/apps/templates/add-app-kustomization.yaml.jinja
new file mode 100644
index 0000000..6068245
--- /dev/null
+++ b/areas/apps/templates/add-app-kustomization.yaml.jinja
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: add-{{ app }}
+  namespace: flux-system
+spec:
+  interval: 1h0m0s
+  path: ./flux2/cluster/optional/{{ app }}
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: stackspin
+
diff --git a/areas/apps/templates/stackspin-nextcloud-variables.yaml.jinja b/areas/apps/templates/stackspin-nextcloud-variables.yaml.jinja
new file mode 100644
index 0000000..824749f
--- /dev/null
+++ b/areas/apps/templates/stackspin-nextcloud-variables.yaml.jinja
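Review bot: `check_condition` falls through to a bare `return False` when no condition of type `Ready` exists, but both call sites in `get_status` unpack the result (`ks_ready, ks_message = App.check_condition(ks_status)`), so a freshly created Kustomization or HelmRelease whose conditions list has no `Ready` entry yet raises `TypeError: cannot unpack non-iterable bool` instead of reporting "App is installing..."; make it `return False, "No condition of type 'Ready' found"`, and read the text with `condition.get("message", "")` since a condition's message is not guaranteed to be present. The `# *Should* not happen` branch in `get_status` is unreachable in its first half because `if ks_ready is None: return APP_NOT_INSTALLED_STATUS` has already returned, leaving only `hr_ready is None` to test, so the condition can be written as `if hr_ready is None:`. The docstrings of `get_kustomization_status` and `get_helmrelease_status` both say "Returns True if the kustomization for this App is ready", yet each returns the resource's `status` dict or `None`; reword them to `"""Returns the Flux Kustomization's status dict, or None if it does not exist"""` and the HelmRelease equivalent. The `k8s.*` helpers these methods depend on are in helpers/kubernetes.py, whose body lies outside this chunk, so whether they raise or return `None` on API errors cannot be checked here.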
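Review bot: `{{ app }}` is interpolated unescaped into both `metadata.name` and `spec.path` (`./flux2/cluster/optional/{{ app }}`), and the value is presumably the app's database slug handed in by `App.__create_kustomization` via `k8s.store_kustomization(..., self.slug)`; the part of `create_app` visible in this patch stores the slug without validating it, so a slug containing `/` or `..` would aim the Kustomization at a different directory of the `stackspin` GitRepository, and with `prune: true` Flux would garbage-collect whatever the previous path had created. The template cannot enforce this itself, so the renderer or `create_app` should reject any slug not matching `^[a-z0-9-]+$` before this file is rendered. A header comment would also help the next reader: `# Rendered by App.__create_kustomization(); Flux Kustomizations always live in flux-system even though the app's own resources land in App.namespace`.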
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: stackspin-nextcloud-variables
+data:
+  nextcloud_password: "{{ 32 | generate_password | b64encode }}"
+  nextcloud_mariadb_password: "{{ 32 | generate_password | b64encode }}"
+  nextcloud_mariadb_root_password: "{{ 32 | generate_password | b64encode }}"
+  onlyoffice_database_password: "{{ 32 | generate_password | b64encode }}"
+  onlyoffice_jwt_secret: "{{ 32 | generate_password | b64encode }}"
+  onlyoffice_rabbitmq_password: "{{ 32 | generate_password | b64encode }}"
diff --git a/areas/apps/templates/stackspin-oauth-variables.yaml.jinja b/areas/apps/templates/stackspin-oauth-variables.yaml.jinja
new file mode 100644
index 0000000..32a0ab0
--- /dev/null
+++ b/areas/apps/templates/stackspin-oauth-variables.yaml.jinja
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: stackspin-{{ app }}-oauth-variables
+data:
+  client_id: "{{ app | b64encode }}"
+  client_secret: "{{ 32 | generate_password | b64encode }}"
diff --git a/areas/apps/templates/stackspin-wekan-variables.yaml.jinja b/areas/apps/templates/stackspin-wekan-variables.yaml.jinja
new file mode 100644
index 0000000..b5bad3d
--- /dev/null
+++ b/areas/apps/templates/stackspin-wekan-variables.yaml.jinja
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: stackspin-wekan-variables
+data:
+  mongodb_password: "{{ 32 | generate_password | b64encode }}"
+  mongodb_root_password: "{{ 32 | generate_password | b64encode }}"
diff --git a/areas/apps/templates/stackspin-wordpress-variables.yaml.jinja b/areas/apps/templates/stackspin-wordpress-variables.yaml.jinja
new file mode 100644
index 0000000..b491834
--- /dev/null
+++ b/areas/apps/templates/stackspin-wordpress-variables.yaml.jinja
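Review bot: `client_secret` is the OAuth client secret Hydra will accept for this app, and its strength rests entirely on the `generate_password` Jinja filter, which is defined in helpers/kubernetes.py outside this chunk; confirm it draws from `secrets`/`random.SystemRandom` rather than `random`, and that `32` is the length of the raw secret before base64 encoding (so the `b64encode` step adds no entropy). `metadata.name` and `client_id` embed `{{ app }}` unescaped, so whatever slug validation is applied before rendering the Kustomization template must cover this one too. A one-line header, `# Rendered per app by App.__generate_secrets(); client_secret is consumed by Hydra Maester`, would tie the template to its caller.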
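Review bot: This template omits the leading `---` document marker that add-app-kustomization, stackspin-nextcloud-variables and stackspin-oauth-variables all start with; add `---` as the first line for consistency (stackspin-zulip-variables has the same omission). Mixed conventions are harmless for a single-document `safe_load` but make the templates harder to scan side by side.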
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: stackspin-wordpress-variables
+data:
+  wordpress_admin_password: "{{ 32 | generate_password | b64encode }}"
+  wordpress_mariadb_password: "{{ 32 | generate_password | b64encode }}"
+  wordpress_mariadb_root_password: "{{ 32 | generate_password | b64encode }}"
diff --git a/areas/apps/templates/stackspin-zulip-variables.yaml.jinja b/areas/apps/templates/stackspin-zulip-variables.yaml.jinja
new file mode 100644
index 0000000..80fc8f4
--- /dev/null
+++ b/areas/apps/templates/stackspin-zulip-variables.yaml.jinja
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: stackspin-zulip-variables
+data:
+  admin_password: "{{ 32 | generate_password | b64encode }}"
+  memcached_password: "{{ 32 | generate_password | b64encode }}"
+  rabbitmq_password: "{{ 32 | generate_password | b64encode }}"
+  rabbitmq_erlang_cookie: "{{ 32 | generate_password | b64encode }}"
+  redis_password: "{{ 32 | generate_password | b64encode }}"
+  postgresql_password: "{{ 32 | generate_password | b64encode }}"
+  zulip_password: "{{ 32 | generate_password | b64encode }}"
diff --git a/cliapp/cliapp/cli.py b/cliapp/cliapp/cli.py
index 75194a1..e442421 100644
--- a/cliapp/cliapp/cli.py
+++ b/cliapp/cliapp/cli.py
@@ -13,11 +13,11 @@ from flask.cli import AppGroup
 from ory_kratos_client.api import v0alpha2_api as kratos_api
 from sqlalchemy import func
-from config import *
+from config import HYDRA_ADMIN_URL,KRATOS_ADMIN_URL,KRATOS_PUBLIC_URL
 from helpers import KratosUser
 from cliapp import cli
 from areas.roles import Role
-from areas.apps import AppRole, App
+from areas.apps import AppRole, App, APP_NOT_INSTALLED_STATUS
 from database import db
 # APIs
@@ -66,7 +66,7 @@ def create_app(slug, name):
     if app_obj:
         current_app.logger.info(f"App definition: {name} ({slug}) already exists in database")
         return
-
+
     db.session.add(obj)
     db.session.commit()
     current_app.logger.info(f"App definition: {name} ({slug}) created")
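Review bot: `from config import HYDRA_ADMIN_URL,KRATOS_ADMIN_URL,KRATOS_PUBLIC_URL` has no space after the commas, unlike every other import line in this hunk; write it `from config import HYDRA_ADMIN_URL, KRATOS_ADMIN_URL, KRATOS_PUBLIC_URL`. The .pylintrc added in this patch sets `max-line-length=100`, so the spaced form still fits on one line.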
@@ -106,6 +106,46 @@ def delete_app(slug):
 current_app.logger.info("Success")
 return
+@app_cli.command("get_status")
+@click.argument("slug")
+def get_status_app(slug):
+ """Gets the current app status from the Kubernetes cluster
+ :param slug: str Slug of app to remove
+ """
+ current_app.logger.info(f"Getting status for app: {slug}")
+
+ app = App.query.filter_by(slug=slug).first()
+
+ if not app:
+ current_app.logger.error(f"App {slug} does not exist")
+ return
+
+ current_app.logger.info("Status: " + str(app.get_status()))
+
+@app_cli.command("install")
+@click.argument("slug")
+def install_app(slug):
+ """Gets the current app status from the Kubernetes cluster
+ :param slug: str Slug of app to remove
+ """
+ current_app.logger.info(f"Installing app: {slug}")
+
+ app = App.query.filter_by(slug=slug).first()
+
+ if not app:
+ current_app.logger.error(f"App {slug} does not exist")
+ return
+
+ current_status = app.get_status()
+ if current_status == APP_NOT_INSTALLED_STATUS:
+ app.install()
+ current_app.logger.info(
+ f"App {slug} installing... use `get_status` to see status")
+ else:
+ current_app.logger.error("App {slug} should have status"
+ f" {APP_NOT_INSTALLED_STATUS} but has status: {current_status}")
+
+
 cli.cli.add_command(app_cli)
@@ -282,7 +322,7 @@ def setpassword_user(email, password):
 # Execute UI sequence to set password, given we have a recovery URL
 result = kratos_user.ui_set_password(KRATOS_PUBLIC_URL, url, password)
- except Exception as error:
+ except Exception as error: # pylint: disable=broad-except
 current_app.logger.error(f"Error while setting password: {error}")
 return False
@@ -321,7 +361,7 @@ def recover_user(email):
 url = kratos_user.get_recovery_link()
 print(url)
- except Exception as error:
+ except Exception as error: # pylint: disable=broad-except
 current_app.logger.error(f"Error while getting reset link: {error}")
diff --git a/docker-compose.yml b/docker-compose.yml
index fdb2f71..c730f13 100644
--- a/docker-compose.yml
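Review bot: The error branch at the end of the new `install_app` builds its message from `"App {slug} should have status"` without an `f` prefix, so the log line prints the literal text `{slug}` instead of the app's slug; it should read `current_app.logger.error(f"App {slug} should have status"`. The same line survives unchanged as context in PATCH 2's hunk of this function. The lookup-and-`does not exist` preamble is duplicated verbatim between `get_status_app` and `install_app`; a small `_get_app_or_log(slug)` helper would keep the two commands in step.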
+++ b/docker-compose.yml
@@ -34,8 +34,10 @@ services:
 # - OAUTHLIB_INSECURE_TRANSPORT=1
 ports:
 - "5000:5000"
+ user: "${KUBECTL_UID}:${KUBECTL_GID}"
 volumes:
 - .:/app
+ - "$KUBECONFIG:/.kube/config"
 depends_on:
 - kube_port_mysql
 entrypoint: ["bash", "-c", "flask run --host $$(hostname -i)"]
diff --git a/helpers/kubernetes.py b/helpers/kubernetes.py
new file mode 100644
index 0000000..d8f9b7b
--- /dev/null
+++ b/helpers/kubernetes.py
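Review bot: The kubeconfig is mounted read-write into the dashboard backend container, and whatever that kubeconfig is allowed to do the web process can do too; mount it read-only, `- "$KUBECONFIG:/.kube/config:ro"`, and point `KUBECONFIG` at a credential bound to a Role limited to Secrets in `flux-system` and the Flux Kustomization/HelmRelease resources this code manages rather than at an admin kubeconfig. If `KUBECONFIG`, `KUBECTL_UID` or `KUBECTL_GID` is unset, Compose interpolates an empty string and the resulting volume spec `:/.kube/config` (or user `:`) fails at startup; `${KUBECONFIG:?KUBECONFIG must be set}` makes the requirement explicit instead of a confusing error. A comment on the mount line saying that `helpers/kubernetes.py` reads this file via `config.load_kube_config()` would tell the next person why the container needs it at all.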
@@ -0,0 +1,296 @@
+"""
+List of functions to get data from Flux Kustomizations and Helmreleases
+"""
+import crypt
+import secrets
+import string
+
+import jinja2
+import yaml
+from kubernetes import client, config
+from kubernetes.client import api_client
+from kubernetes.client.exceptions import ApiException
+from kubernetes.utils import create_from_yaml
+from kubernetes.utils.create_from_yaml import FailToCreateError
+
+
+def create_variables_secret(app_slug, variables_filepath):
+ """Checks if a variables secret for app_name already exists, generates it if necessary.
+
+ :param app_slug: The slug of the app, used in the oauth secrets
+ :type app_slug: string
+ :param variables_filepath: The path to an existing jinja2 template
+ :type variables_filepath: string
+ """
+ new_secret_dict = read_template_to_dict(
+ variables_filepath,
+ {"app": app_slug})
+ secret_name, secret_namespace = get_secret_metadata(new_secret_dict)
+ current_secret_data = get_kubernetes_secret_data(
+ secret_name, secret_namespace
+ )
+ if current_secret_data is None:
+ # Create new secret
+ update_secret = False
+ elif current_secret_data.keys() != new_secret_dict["data"].keys():
+ # Update current secret with new keys
+ update_secret = True
+ print(
+ f"Secret {secret_name} in namespace {secret_namespace}"
+ " already exists. Merging..."
+ )
+ # Merge dicts. Values from current_secret_data take precedence
+ new_secret_dict["data"] |= current_secret_data
+ else:
+ # Do Nothing
+ print(
+ f"Secret {secret_name} in namespace {secret_namespace}"
+ " is already in a good state, doing nothing."
+ )
+ return True
+ print(
+ f"Storing secret {secret_name} in namespace"
+ f" {secret_namespace} in cluster."
+ )
+ store_kubernetes_secret(
+ new_secret_dict, secret_namespace, update=update_secret
+ )
+ return True
+
+
+def get_secret_metadata(secret_dict):
+ """Returns secret name and namespace from metadata field in a yaml string."""
+ secret_name = secret_dict["metadata"]["name"]
+ # default namespace is flux-system, but other namespace can be
+ # provided in secret metadata
+ if "namespace" in secret_dict["metadata"]:
+ secret_namespace = secret_dict["metadata"]["namespace"]
+ else:
+ secret_namespace = "flux-system"
+ return secret_name, secret_namespace
+
+
+def get_kubernetes_secret_data(secret_name, namespace):
+ """Returns the contents of a kubernetes secret or None if the secret does not exist."""
+ api_client_instance = api_client.ApiClient()
+ api_instance = client.CoreV1Api(api_client_instance)
+ try:
+ secret = api_instance.read_namespaced_secret(secret_name, namespace).data
+ except ApiException as ex:
+ # 404 is expected when the optional secret does not exist.
+ if ex.status != 404:
+ raise ex
+ return None
+ return secret
+
+
+def store_kubernetes_secret(secret_dict, namespace, update=False):
+ """Stores either a new secret in the cluster, or updates an existing one."""
+ api_client_instance = api_client.ApiClient()
+ if update:
+ verb = "updated"
+ api_response = patch_kubernetes_secret(secret_dict, namespace)
+ else:
+ verb = "created"
+ try:
+ api_response = create_from_yaml(
+ api_client_instance,
+ yaml_objects=[secret_dict],
+ namespace=namespace
+ )
+ except FailToCreateError as ex:
+ print(f"Secret not {verb} because of exception {ex}")
+ return
+ print(f"Secret {verb} with api response: {api_response}")
+
+
+def store_kustomization(kustomization_template_filepath, app_slug):
+ """Add a kustomization that installs app {app_slug} to the cluster"""
+ kustomization_dict = read_template_to_dict(kustomization_template_filepath,
+ {"app": app_slug})
+ api_client_instance = api_client.ApiClient()
+ custom_objects_api = client.CustomObjectsApi(api_client_instance)
+ try:
+ api_response = custom_objects_api.create_namespaced_custom_object(
+ group="kustomize.toolkit.fluxcd.io",
+ version="v1beta2",
+ namespace="flux-system",
+ plural="kustomizations",
+ body=kustomization_dict)
+
+
+ # create_from_yaml(
+ # api_client_instance,
+ # yaml_objects=[kustomization_dict],
+ # # All kustomizations live in the flux-system namespace
+ # namespace="flux-system"
+ # )
+ except FailToCreateError as ex:
+ print(f"Could not create {app_slug} Kustomization because of exception {ex}")
+ return
+ print(f"Kustomization created with api response: {api_response}")
+
+
+def read_template_to_dict(template_filepath, template_globals):
+ """Reads a Jinja2 template that contains yaml and turns it into a dict
+
+ :param template_filepath: The path to an existing Jinja2 template
+ :type template_filepath: string
+ :param template_globals: The variables substituted in the template
+ :type template_globals: dict
+ :return: dict, or None if anything fails
+ """
+ env = jinja2.Environment(
+ extensions=["jinja2_base64_filters.Base64Filters"])
+ env.filters["generate_password"] = generate_password
+ # Check if k8s secret already exists, if not, generate it
+ with open(template_filepath, encoding="UTF-8") as template_file:
+ lines = template_file.read()
+ templated_dict = yaml.safe_load(
+ env.from_string(lines, globals=template_globals).render()
+ )
+ return templated_dict
+ return None
+
+
+def patch_kubernetes_secret(secret_dict, namespace):
+ """Patches secret in the cluster with new data."""
+ api_client_instance = api_client.ApiClient()
+ api_instance = client.CoreV1Api(api_client_instance)
+ name = secret_dict["metadata"]["name"]
+ body = {}
+ body["data"] = secret_dict["data"]
+ return api_instance.patch_namespaced_secret(name, namespace, body)
+
+
+def generate_password(length):
+ """Generates a password of "length" characters."""
+ length = int(length)
+ password = "".join((secrets.choice(string.ascii_letters)
+ for i in range(length)))
+ return password
+
+
+def gen_htpasswd(user, password):
+ """Generate htpasswd entry for user with password."""
+ return f"{user}:{crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512))}"
+
+def get_all_kustomization_names(namespace='flux-system'):
+ """
+ Returns all flux kustomizations in a namespace.
+ :param namespace: namespace that contains kustomizations. Default: `flux-system`
+ :type namespace: str
+ :return: List of names for kustomizations in namespace
+ :rtype: list
+ """
+ kustomizations = get_all_kustomizations(namespace)
+ return_kustomizations = []
+ for kustomization in kustomizations['items']:
+ return_kustomizations.append(kustomization['metadata']['name'])
+ return return_kustomizations
+
+
+def get_all_kustomizations(namespace='flux-system'):
+ """
+ Returns all flux kustomizations in a namespace.
+ :param namespace: namespace that contains kustomizations. Default: `flux-system`
+ :type namespace: str
+ :return: Kustomizations as returned by CustomObjectsApi.list_namespaced_custom_object()
+ :rtype: object
+ """
+ config.load_kube_config()
+ api = client.CustomObjectsApi()
+ api_response = api.list_namespaced_custom_object(
+ group="kustomize.toolkit.fluxcd.io",
+ version="v1beta1",
+ plural="kustomizations",
+ namespace=namespace,
+ )
+ return api_response
+
+
+def get_all_helmrelease_names(namespace='stackspin'):
+ """
+ Returns names of all helmreleases in a namespace.
+ :param namespace: namespace that contains kustomizations. Default: `stackspin`
+ :type namespace: str
+ :return: List of names for helmreleases in namespace
+ :rtype: list
+ """
+ helmreleases = get_all_helmreleases(namespace)
+ return_helmreleases = []
+ for helmrelease in helmreleases['items']:
+ return_helmreleases.append(helmrelease['metadata']['name'])
+ return return_helmreleases
+
+def get_all_helmreleases(namespace='stackspin'):
+ """
+ Returns all helmreleases in a namespace.
+ :param namespace: namespace that contains kustomizations. Default: `stackspin`
+ :type namespace: str
+ :return: Helmreleases as returned by CustomObjectsApi.list_namespaced_custom_object()
+ :rtype: object
+ """
+ config.load_kube_config()
+ api = client.CustomObjectsApi()
+ api_response = api.list_namespaced_custom_object(
+ group="helm.toolkit.fluxcd.io",
+ version="v2beta1",
+ plural="helmreleases",
+ namespace=namespace,
+ )
+ return api_response
+
+
+def get_kustomization(name, namespace='flux-system'):
+ """Returns all info of a Flux kustomization with name 'name'"""
+ config.load_kube_config()
+ api = client.CustomObjectsApi()
+ try:
+ resource = api.get_namespaced_custom_object(
+ group="kustomize.toolkit.fluxcd.io",
+ version="v1beta1",
+ name=name,
+ namespace=namespace,
+ plural="kustomizations",
+ )
+ except client.exceptions.ApiException as error:
+ if error.status == 404:
+ return None
+ # Raise all non-404 errors
+ raise error
+ return resource
+
+
+def get_helmrelease(name, namespace='stackspin-apps'):
+ """Returns all info of a Flux helmrelease with name 'name'"""
+ config.load_kube_config()
+ api = client.CustomObjectsApi()
+ try:
+ resource = api.get_namespaced_custom_object(
+ group="helm.toolkit.fluxcd.io",
+ version="v2beta1",
+ name=name,
+ namespace=namespace,
+ plural="helmreleases",
+ )
+ except client.exceptions.ApiException as error:
+ if error.status == 404:
+ return None
+ # Raise all non-404 errors
+ raise error
+
+ return resource
+
+
+def get_readiness(app_status):
+ """
+ Parses an app status's 'conditions' to find a type field called 'Ready' and
+ returns its status. Works for Kustomizations as well as Helmreleases.
+ """
+ for condition in app_status['conditions']:
+ if condition['type'] == 'Ready':
+ return condition['status']
+ # If this point is reached, no condition "Ready" exists, so the application
+ # is not ready.
+ return False
diff --git a/requirements.txt b/requirements.txt
index a98cfdc..eae5bd2 100644
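Review bot: `store_kubernetes_secret` prints the whole API response after creating or patching a Secret, and that response is the created/patched `V1Secret` (returned by `create_from_yaml` and `patch_namespaced_secret`) whose `data` holds the freshly generated, merely base64-encoded passwords, so they end up in stdout and container logs; log only the name, e.g. `print(f"Secret {secret_dict['metadata']['name']} {verb} in namespace {namespace}")`. In `store_kustomization` the `except FailToCreateError` clause no longer matches what the body raises: `create_namespaced_custom_object` raises `ApiException` (`FailToCreateError` belongs to `create_from_yaml`, which this function now only calls in the commented-out block), so an AlreadyExists or authorization error propagates uncaught — `except ApiException as ex:`; the same clause is still present as context in the PATCH 2 and PATCH 3 hunks of this function. `raise ex` inside the except blocks of `get_kubernetes_secret_data`, `get_kustomization` and `get_helmrelease` is better written as a bare `raise`, which keeps the original traceback. `read_template_to_dict`'s docstring promises `None` if anything fails, but nothing is caught and the trailing `return None` is unreachable, so the docstring should say it raises on a missing file or invalid YAML. `gen_htpasswd` depends on the `crypt` module, which is deprecated since Python 3.11 and removed in 3.13, so this helper has a shelf life worth a `# NOTE:` comment.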
--- a/requirements.txt
+++ b/requirements.txt
@@ -15,6 +15,8 @@ install==1.3.5
 itsdangerous==2.1.1
 jsonschema==4.4.0
 Jinja2==3.0.3
+jinja2-base64-filters==0.1.4
+kubernetes==24.2.0
 MarkupSafe==2.1.1
 mypy-extensions==0.4.3
 oauthlib==3.2.0
From caa9b2e79b88b1b1dd4056e87639e639abc24ca4 Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Thu, 22 Sep 2022 16:14:49 +0200 Subject: [PATCH 2/8] Enable deleting apps by using CLI --- areas/apps/models.py | 51 ++++++++++++++++++++++++++++++++++++++----- cliapp/cliapp/cli.py | 41 ++++++++++++++++++++++------------ docker-compose.yml | 2 +- helpers/kubernetes.py | 34 +++++++++++++++++++---------- 4 files changed, 95 insertions(+), 33 deletions(-)
diff --git a/areas/apps/models.py b/areas/apps/models.py
index 0858592..23a6249 100644
--- a/areas/apps/models.py
+++ b/areas/apps/models.py
@@ -58,9 +58,9 @@ class App(db.Model):
 if ks_ready and hr_ready:
 return "App installed and running"
 if not hr_ready:
- return f"App failed installing: {hr_message}"
+ return f"App HelmRelease status: {hr_message}"
 if not ks_ready:
- return f"App failed installing: {ks_message}"
+ return f"App Kustomization status: {ks_message}"
 return "App is installing..."
@@ -71,6 +71,32 @@ class App(db.Model):
 # Create add- kustomization
 self.__create_kustomization()
+ def delete(self):
+ """
+ Fully deletes an application
+
+ This includes user roles, all kubernetes objects and also PVCs, so your
+ data will be *gone*
+ """
+ # Delete all roles first
+ for role in self.roles:
+ db.session.delete(role)
+
+ # Delete the kustomization
+ if self.__delete_kustomization():
+
+ # TODO: This is where we might want to poll for status changes in the
+ # app, so that only once the kustomization and all its stuff (other ks,
+ # helmrelease, etc.) is deleted, we continue
+
+ # If the kustomization delete went well, commit DB changes.
+ db.session.commit()
+ # Then delete the app
+ db.session.delete(self)
+ db.session.commit()
+ return True
+ return False
+
 def __generate_secrets(self):
 """Generates passwords for app installation"""
 # Create app variables secret
@@ -90,11 +116,10 @@ class App(db.Model):
 "add-app-kustomization.yaml.jinja")
 k8s.store_kustomization(kustomization_template_filepath, self.slug)
+ def __delete_kustomization(self):
+ """Deletes kustomization for this app"""
+ k8s.delete_kustomization(f"add-{self.slug}")
- @staticmethod
- def __get_templates_dir():
- """Returns directory that contains the Jinja templates used to create app secrets."""
- return os.path.join(os.path.dirname(os.path.realpath(__file__)), "templates")
 @property
 def variables_template_filepath(self):
@@ -116,6 +141,20 @@ class App(db.Model):
 return 'stackspin-apps'
 return 'stackspin'
+ @property
+ def roles(self):
+ """
+ All roles that are linked to this app
+ """
+ return AppRole.query.filter_by(
+ app_id=self.id
+ ).all()
+
+ @staticmethod
+ def __get_templates_dir():
+ """Returns directory that contains the Jinja templates used to create app secrets."""
+ return os.path.join(os.path.dirname(os.path.realpath(__file__)), "templates")
+
 @staticmethod
 def check_condition(status):
 """
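Review bot: `__delete_kustomization` has no `return`, so `if self.__delete_kustomization():` in the new `delete()` is never true: the Kustomization is deleted in the cluster, but the role deletions are never committed and the method reports `False`. Make the private method `return k8s.delete_kustomization(f"add-{self.slug}")`, and note that `k8s.delete_kustomization` in this commit's helpers hunk also returns `None` on success (it only returns `False` on failure), so both ends need a value. The same missing return makes `uninstall()` in PATCH 3 return `None`, which the `uninstall` CLI command of that patch then logs as `Success: None`. On the failure path the roles stay pending in the session as deleted objects for whoever commits next; a `db.session.rollback()` before `return False` keeps the session consistent with the cluster.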
diff --git a/cliapp/cliapp/cli.py b/cliapp/cliapp/cli.py
index e442421..ba564c1 100644
--- a/cliapp/cliapp/cli.py
+++ b/cliapp/cliapp/cli.py
@@ -88,27 +88,23 @@ def list_app():
 )
 @click.argument("slug")
 def delete_app(slug):
- """Removes app from database
+ """Removes app from database as well as uninstalls it from the cluster
 :param slug: str Slug of app to remove
 """
 current_app.logger.info(f"Trying to delete app: {slug}")
- obj = App.query.filter_by(slug=slug).first()
+ app_obj = App.query.filter_by(slug=slug).first()
- if not obj:
+ if not app_obj:
 current_app.logger.info("Not found")
 return
- # Deleting will (probably) fail if there are still roles attached. This is a
- # PoC implementation only. Actually management of apps and roles will be
- # done by the backend application
- db.session.delete(obj)
- db.session.commit()
- current_app.logger.info("Success")
+ deleted = app_obj.delete()
+ current_app.logger.info(f"Success: {deleted}")
 return
-@app_cli.command("get_status")
+@app_cli.command("status")
 @click.argument("slug")
-def get_status_app(slug):
+def status_app(slug):
 """Gets the current app status from the Kubernetes cluster
 :param slug: str Slug of app to remove
 """
@@ -125,8 +121,8 @@ def get_status_app(slug):
 @app_cli.command("install")
 @click.argument("slug")
 def install_app(slug):
- """Gets the current app status from the Kubernetes cluster
- :param slug: str Slug of app to remove
+ """Installs app into Kubernetes cluster
+ :param slug: str Slug of app to install
 """
 current_app.logger.info(f"Installing app: {slug}")
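Review bot: `delete_app` now tears the app down in the cluster as well — including, per the model's docstring, its PVCs and therefore all data — but the command still runs without any confirmation, and a typo in the slug of an installed app is enough to trigger it. A `click.confirm(f"Delete app {slug} and all of its data?", abort=True)` before `app_obj.delete()` is the usual guard for a destructive CLI action. The `status_app` docstring still says `Slug of app to remove`; `:param slug: str Slug of app to query`.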
@@ -140,11 +136,28 @@ def install_app(slug):
 if current_status == APP_NOT_INSTALLED_STATUS:
 app.install()
 current_app.logger.info(
- f"App {slug} installing... use `get_status` to see status")
+ f"App {slug} installing... use `status` to see status")
 else:
 current_app.logger.error("App {slug} should have status"
 f" {APP_NOT_INSTALLED_STATUS} but has status: {current_status}")
+@app_cli.command("roles")
+@click.argument("slug")
+def roles_app(slug):
+ """Gets a list of roles for this app
+ :param slug: str Slug of app queried
+ """
+ current_app.logger.info(f"Getting roles for app: {slug}")
+
+ app = App.query.filter_by(slug=slug).first()
+
+ if not app:
+ current_app.logger.error(f"App {slug} does not exist")
+ return
+
+ current_app.logger.info("Roles: ")
+ for role in app.roles:
+ current_app.logger.info(role)
 cli.cli.add_command(app_cli)
diff --git a/docker-compose.yml b/docker-compose.yml
index c730f13..e261b48 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,7 +31,7 @@ services:
 # ENV variables that are deployment-specific
 - SECRET_KEY=$FLASK_SECRET_KEY
 - HYDRA_CLIENT_SECRET=$HYDRA_CLIENT_SECRET
- # - OAUTHLIB_INSECURE_TRANSPORT=1
+ - KUBECONFIG=/.kube/config
 ports:
 - "5000:5000"
 user: "${KUBECTL_UID}:${KUBECTL_GID}"
diff --git a/helpers/kubernetes.py b/helpers/kubernetes.py
index d8f9b7b..3169c63 100644
--- a/helpers/kubernetes.py
+++ b/helpers/kubernetes.py
@@ -13,6 +13,8 @@ from kubernetes.client.exceptions import ApiException
 from kubernetes.utils import create_from_yaml
 from kubernetes.utils.create_from_yaml import FailToCreateError
+# Load the kube config once
+config.load_kube_config()
 def create_variables_secret(app_slug, variables_filepath):
 """Checks if a variables secret for app_name already exists, generates it if necessary.
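Review bot: `config.load_kube_config()` now runs at import time of `helpers.kubernetes`, so every importer — the CLI, the test suite, or a container without a mounted kubeconfig — fails with `ConfigException` before it can do anything, and a backend that is ever run inside the cluster would never use its own service-account token. Trying the in-cluster configuration first and falling back to a kubeconfig keeps the one-time load but works in both environments; the module-level call also deserves a comment stating that contract, since an import-time side effect is easy to miss.

```python
# Load the kube config once, at import time: inside a cluster the pod's
# service account is used, otherwise fall back to KUBECONFIG / ~/.kube/config.
try:
    config.load_incluster_config()
except config.ConfigException:
    config.load_kube_config()
```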
@@ -117,19 +119,31 @@ def store_kustomization(kustomization_template_filepath, app_slug):
 namespace="flux-system",
 plural="kustomizations",
 body=kustomization_dict)
-
-
- # create_from_yaml(
- # api_client_instance,
- # yaml_objects=[kustomization_dict],
- # # All kustomizations live in the flux-system namespace
- # namespace="flux-system"
- # )
 except FailToCreateError as ex:
 print(f"Could not create {app_slug} Kustomization because of exception {ex}")
 return
 print(f"Kustomization created with api response: {api_response}")
+def delete_kustomization(kustomization_name):
+ """Deletes kustomization for an app_slug. Should also result in the
+ deletion of the app's HelmReleases, PVCs, OAuth2Client, etc. Nothing will
+ remain"""
+ api_client_instance = api_client.ApiClient()
+ custom_objects_api = client.CustomObjectsApi(api_client_instance)
+ body = client.V1DeleteOptions()
+ try:
+ api_response = custom_objects_api.delete_namespaced_custom_object(
+ group="kustomize.toolkit.fluxcd.io",
+ version="v1beta2",
+ namespace="flux-system",
+ plural="kustomizations",
+ name=kustomization_name,
+ body=body)
+ except ApiException as ex:
+ print(f"Could not delete {kustomization_name} Kustomization because of exception {ex}")
+ return False
+ print(f"Kustomization deleted with api response: {api_response}")
+
 def read_template_to_dict(template_filepath, template_globals):
 """Reads a Jinja2 template that contains yaml and turns it into a dict
@@ -198,7 +212,6 @@ def get_all_kustomizations(namespace='flux-system'):
 :return: Kustomizations as returned by CustomObjectsApi.list_namespaced_custom_object()
 :rtype: object
 """
- config.load_kube_config()
 api = client.CustomObjectsApi()
 api_response = api.list_namespaced_custom_object(
 group="kustomize.toolkit.fluxcd.io",
@@ -231,7 +244,6 @@ def get_all_helmreleases(namespace='stackspin'):
 :return: Helmreleases as returned by CustomObjectsApi.list_namespaced_custom_object()
 :rtype: object
 """
- config.load_kube_config()
 api = client.CustomObjectsApi()
 api_response = api.list_namespaced_custom_object(
 group="helm.toolkit.fluxcd.io",
@@ -244,7 +256,6 @@ def get_all_helmreleases(namespace='stackspin'):
 def get_kustomization(name, namespace='flux-system'):
 """Returns all info of a Flux kustomization with name 'name'"""
- config.load_kube_config()
 api = client.CustomObjectsApi()
 try:
 resource = api.get_namespaced_custom_object(
@@ -264,7 +275,6 @@ def get_kustomization(name, namespace='flux-system'):
 def get_helmrelease(name, namespace='stackspin-apps'):
 """Returns all info of a Flux helmrelease with name 'name'"""
- config.load_kube_config()
 api = client.CustomObjectsApi()
 try:
 resource = api.get_namespaced_custom_object(
From 8e41705d39d0fe8ca0a9f1720e3148801cdc48ea Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Fri, 23 Sep 2022 17:10:31 +0200 Subject: [PATCH 3/8] Process feedback; make it possible to install monitoring --- areas/apps/apps.py | 7 ---- areas/apps/models.py | 82 +++++++++++++++++++------------------------ cliapp/cliapp/cli.py | 25 +++++++++++-- helpers/kubernetes.py | 29 ++++++++++++--- 4 files changed, 84 insertions(+), 59 deletions(-)
diff --git a/areas/apps/apps.py b/areas/apps/apps.py
index 1be83ae..fe9f30a 100644
--- a/areas/apps/apps.py
+++ b/areas/apps/apps.py
@@ -24,13 +24,6 @@ APPS_DATA = [
 APP_DATA = {"id": 1, "name": "Nextcloud", "selected": True, "status": "ON for everyone", "config": CONFIG_DATA},
-# Apps that should not get oauth variables when they are installed
-APPS_WITHOUT_OAUTH = [
- "single-sign-on",
- "prometheus",
- "alertmanager",
-]
-
 APP_NOT_INSTALLED_STATUS = "Not installed"
 @api_v1.route('/apps', methods=['GET'])
diff --git a/areas/apps/models.py b/areas/apps/models.py
index 23a6249..f28971e 100644
--- a/areas/apps/models.py
+++ b/areas/apps/models.py
@@ -6,7 +6,7 @@ from sqlalchemy import ForeignKey, Integer, String
 from sqlalchemy.orm import relationship
 from database import db
 import helpers.kubernetes as k8s
-from .apps import APPS_WITHOUT_OAUTH, APP_NOT_INSTALLED_STATUS
+from .apps import APP_NOT_INSTALLED_STATUS
 class App(db.Model):
@@ -22,32 +22,21 @@ class App(db.Model):
 def __repr__(self):
 return f"{self.id} <{self.name}>"
- def get_kustomization_status(self):
- """Returns True if the kustomization for this App is ready"""
- kustomization = k8s.get_kustomization(self.slug)
- if kustomization is None:
- return None
- return kustomization['status']
-
- def get_helmrelease_status(self):
- """Returns True if the kustomization for this App is ready"""
- helmrelease = k8s.get_helmrelease(self.slug, self.namespace)
- if helmrelease is None:
- return None
- return helmrelease['status']
-
 def get_status(self):
 """Returns a string that describes the app state in the cluster"""
- ks_status = self.get_kustomization_status()
- if ks_status is not None:
- ks_ready, ks_message = App.check_condition(ks_status)
+ kustomization = self.kustomization
+ if kustomization is not None and "status" in kustomization:
+ ks_ready, ks_message = App.check_condition(kustomization['status'])
 else:
 ks_ready = None
- hr_status = self.get_helmrelease_status()
- if hr_status is not None:
+ for helmrelease in self.helmreleases['items']:
+ hr_status = helmrelease['status']
 hr_ready, hr_message = App.check_condition(hr_status)
- else:
- hr_ready = None
+
+ # For now, only show the message of the first HR that isn't ready
+ if not hr_ready:
+ break
+
 if ks_ready is None:
 return APP_NOT_INSTALLED_STATUS
 # *Should* not happen, but just in case:
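Review bot: In the rewritten `get_status`, `hr_ready` and `hr_message` are only assigned inside the `for helmrelease in self.helmreleases['items']` loop, so when the label selector matches no HelmRelease the later `if not hr_ready:` (outside this hunk) raises `UnboundLocalError`; and because `list_helmreleases` in this patch's helpers hunk returns `None` on a 404, the subscript itself can raise `TypeError`. Initialise `hr_ready, hr_message = None, ""` before the loop and iterate `(self.helmreleases or {}).get('items', [])`. The Kustomization branch guards with `"status" in kustomization`, but the loop reads `helmrelease['status']` unguarded, and a HelmRelease that Flux has not reconciled yet may not have a `status` field at all, which would surface as a `KeyError` from a status query. `get_status` continues past the end of this hunk.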
@@ -71,6 +60,15 @@ class App(db.Model):
 # Create add- kustomization
 self.__create_kustomization()
+ def uninstall(self):
+ """
+ Delete the app kustomization.
+
+ This triggers a deletion of the app's PVCs (so deletes all data), as
+ well as any other Kustomizations and HelmReleases related to the app
+ """
+ self.__delete_kustomization()
+
 def delete(self):
 """
 Fully deletes an application
@@ -80,34 +78,16 @@ class App(db.Model):
 """
 # Delete all roles first
 for role in self.roles:
- db.session.delete(role)
+ role.delete()
- # Delete the kustomization
- if self.__delete_kustomization():
-
- # TODO: This is where we might want to poll for status changes in the
- # app, so that only once the kustomization and all its stuff (other ks,
- # helmrelease, etc.) is deleted, we continue
-
- # If the kustomization delete went well, commit DB changes.
- db.session.commit()
- # Then delete the app
- db.session.delete(self)
- db.session.commit()
- return True
- return False
+ db.session.delete(self)
+ return db.session.commit()
 def __generate_secrets(self):
 """Generates passwords for app installation"""
 # Create app variables secret
 if self.variables_template_filepath:
 k8s.create_variables_secret(self.slug, self.variables_template_filepath)
- # Create a secret that contains the oauth variables for Hydra Maester
- if self.slug not in APPS_WITHOUT_OAUTH:
- k8s.create_variables_secret(
- self.slug,
- os.path.join(self.__get_templates_dir(),
- "stackspin-oauth-variables.yaml.jinja"))
 def __create_kustomization(self):
 """Creates the `add-{app_slug}` kustomization in the Kubernetes cluster"""
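Review bot: `delete()` now ends with `return db.session.commit()`, and `Session.commit()` returns `None`, so the `delete_app` command always logs `Success: None`; commit and then `return True`, or drop the return value and let the CLI log a fixed message. `role.delete()` is called on each `AppRole`, but no such method is visible in this diff — if `AppRole` does not define it, this is an `AttributeError` and `db.session.delete(role)` is what was meant. The new `uninstall()` also returns nothing, so its CLI counterpart reports `None` as well; `return self.__delete_kustomization()` would pass the helper's result through once that private method returns it. `delete()` no longer touches the cluster at all, which the docstring ("all kubernetes objects and also PVCs") still claims; it should say that the caller is expected to run `uninstall()` first.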
@@ -150,6 +130,18 @@ class App(db.Model):
 app_id=self.id
 ).all()
+ @property
+ def kustomization(self):
+ """Returns the kustomization object for this app"""
+ return k8s.get_kustomization(self.slug)
+
+
+ @property
+ def helmreleases(self):
+ """Returns the helmreleases associated with the kustomization for this app"""
+ return k8s.list_helmreleases(self.namespace,
+ f"kustomize.toolkit.fluxcd.io/name={self.slug}")
+
 @staticmethod
 def __get_templates_dir():
 """Returns directory that contains the Jinja templates used to create app secrets."""
@@ -161,7 +153,7 @@ class App(db.Model):
 Returns a tuple that has true/false for readiness and a message
 Ready, in this case means that the condition's type == "Ready" and its
- status == "True". If the condition type "Ready" does not exist, the
+ status == "True". If the condition type "Ready" does not occur, the
 status is interpreted as not ready.
 The message that is returned is the message that comes with the
@@ -173,7 +165,7 @@ class App(db.Model):
 for condition in status["conditions"]:
 if condition["type"] == "Ready":
 return condition["status"] == "True", condition["message"]
- return False
+ return False, "Condition with type 'Ready' not found"
 class AppRole(db.Model): # pylint: disable=too-few-public-methods
diff --git a/cliapp/cliapp/cli.py b/cliapp/cliapp/cli.py
index ba564c1..6a689bf 100644
--- a/cliapp/cliapp/cli.py
+++ b/cliapp/cliapp/cli.py
@@ -13,7 +13,7 @@ from flask.cli import AppGroup
 from ory_kratos_client.api import v0alpha2_api as kratos_api
 from sqlalchemy import func
-from config import HYDRA_ADMIN_URL,KRATOS_ADMIN_URL,KRATOS_PUBLIC_URL
+from config import HYDRA_ADMIN_URL, KRATOS_ADMIN_URL, KRATOS_PUBLIC_URL
 from helpers import KratosUser
 from cliapp import cli
 from areas.roles import Role
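Review bot: `kustomization` and `helmreleases` are `@property` accessors that perform a Kubernetes API round-trip on every attribute read and can raise `ApiException` from what looks like plain field access; `get_status` copies `self.kustomization` into a local, but a reader of `for helmrelease in self.helmreleases['items']` cannot tell a request is being made. Either state it in the docstrings — `"""Fetches the Flux Kustomization for this app from the cluster; one API call per access, None if it does not exist."""` and the equivalent for `helmreleases`, which can also return `None` — or rename them to `fetch_kustomization()` / `fetch_helmreleases()` so the cost is visible at the call site. The two blank lines between `kustomization` and the next `@property` are also inconsistent with the single blank line used between the other methods of the class.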
@@ -88,7 +88,7 @@ def list_app():
 )
 @click.argument("slug")
 def delete_app(slug):
- """Removes app from database as well as uninstalls it from the cluster
+ """Removes app from database
 :param slug: str Slug of app to remove
 """
 current_app.logger.info(f"Trying to delete app: {slug}")
@@ -102,6 +102,25 @@ def delete_app(slug):
 current_app.logger.info(f"Success: {deleted}")
 return
+@app_cli.command(
+ "uninstall",
+)
+@click.argument("slug")
+def uninstall_app(slug):
+ """Uninstalls the app from the cluster
+ :param slug: str Slug of app to remove
+ """
+ current_app.logger.info(f"Trying to delete app: {slug}")
+ app_obj = App.query.filter_by(slug=slug).first()
+
+ if not app_obj:
+ current_app.logger.info("Not found")
+ return
+
+ uninstalled = app_obj.uninstall()
+ current_app.logger.info(f"Success: {uninstalled}")
+ return
+
 @app_cli.command("status")
 @click.argument("slug")
 def status_app(slug):
@@ -116,7 +135,7 @@ def status_app(slug):
 current_app.logger.error(f"App {slug} does not exist")
 return
- current_app.logger.info("Status: " + str(app.get_status()))
+ current_app.logger.info(f"Status: {app.get_status()}")
 @app_cli.command("install")
 @click.argument("slug")
diff --git a/helpers/kubernetes.py b/helpers/kubernetes.py
index 3169c63..9d843e2 100644
--- a/helpers/kubernetes.py
+++ b/helpers/kubernetes.py
@@ -110,8 +110,7 @@ def store_kustomization(kustomization_template_filepath, app_slug):
 """Add a kustomization that installs app {app_slug} to the cluster"""
 kustomization_dict = read_template_to_dict(kustomization_template_filepath,
 {"app": app_slug})
- api_client_instance = api_client.ApiClient()
- custom_objects_api = client.CustomObjectsApi(api_client_instance)
+ custom_objects_api = client.CustomObjectsApi()
 try:
 api_response = custom_objects_api.create_namespaced_custom_object(
 group="kustomize.toolkit.fluxcd.io",
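Review bot: The new `uninstall_app` logs `Trying to delete app: {slug}` although it uninstalls rather than deletes, which will confuse anyone reading the logs next to the real `delete` command; `current_app.logger.info(f"Trying to uninstall app: {slug}")`. Per the model's `uninstall()` docstring this removes the app's PVCs and therefore all of its data, so the command deserves a `click.confirm(f"Uninstall app {slug} and delete all of its data?", abort=True)` before `app_obj.uninstall()`. The trailing bare `return` in both `uninstall_app` and `delete_app` is redundant.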
@@ -128,8 +127,7 @@ def delete_kustomization(kustomization_name):
 """Deletes kustomization for an app_slug. Should also result in the
 deletion of the app's HelmReleases, PVCs, OAuth2Client, etc. Nothing will
 remain"""
- api_client_instance = api_client.ApiClient()
- custom_objects_api = client.CustomObjectsApi(api_client_instance)
+ custom_objects_api = client.CustomObjectsApi()
 body = client.V1DeleteOptions()
 try:
 api_response = custom_objects_api.delete_namespaced_custom_object(
@@ -143,6 +141,7 @@ def delete_kustomization(kustomization_name):
 print(f"Could not delete {kustomization_name} Kustomization because of exception {ex}")
 return False
 print(f"Kustomization deleted with api response: {api_response}")
+ return api_response
 def read_template_to_dict(template_filepath, template_globals):
@@ -292,6 +291,28 @@ def get_helmrelease(name, namespace='stackspin-apps'):
 return resource
+def list_helmreleases(namespace='stackspin-apps', label_selector=""):
+ """
+ Lists all helmreleases in a certain namespace (stackspin-apps by default)
+
+ Optionally takes a label selector to limit the list.
+ """
+ api_instance = client.CustomObjectsApi()
+
+ try:
+ api_response = api_instance.list_namespaced_custom_object(
+ group="helm.toolkit.fluxcd.io",
+ version="v2beta1",
+ namespace=namespace,
+ plural="helmreleases",
+ label_selector=label_selector)
+ except ApiException as error:
+ if error.status == 404:
+ return None
+ # Raise all non-404 errors
+ raise error
+ return api_response
+
 def get_readiness(app_status):
 """
From 2e55e2fa39bc66949c5206adfbd1881921228eaa Mon Sep 17 00:00:00 2001
From: Maarten de Waard Date: Wed, 28 Sep 2022 09:46:56 +0200 Subject: [PATCH 4/8] Process lots of feedback - Add a lot of docstrings - Add AppStatus class - Remove unused code --- .pylintrc | 605 ------------------------------------------ areas/apps/apps.py | 2 - areas/apps/models.py | 117 ++++---- cliapp/cliapp/cli.py | 9 +- helpers/kubernetes.py | 265 +++++++++--------- 5 files changed, 221 insertions(+), 777 deletions(-)
diff --git a/.pylintrc b/.pylintrc
index 3f7a685..4051d64 100644
--- a/.pylintrc
+++ b/.pylintrc
@@ -1,610 +1,5 @@ [MAIN] -# Analyse import fallback blocks. This can be used to support both Python 2 and -# 3 compatible code, which means that the block might have code that exists -# only in one or another interpreter, leading to false positives when analysed. -analyse-fallback-blocks=no - -# Load and enable all available extensions. Use --list-extensions to see a list -# all available extensions. -#enable-all-extensions= - -# In error mode, messages with a category besides ERROR or FATAL are -# suppressed, and no reports are done by default. Error mode is compatible with -# disabling specific errors. -#errors-only= - -# Always return a 0 (non-error) status code, even if lint errors are found. -# This is primarily useful in continuous integration scripts. -#exit-zero= - -# A comma-separated list of package or module names from where C extensions may -# be loaded. Extensions are loading into the active Python interpreter and may -# run arbitrary code. -extension-pkg-allow-list= - -# A comma-separated list of package or module names from where C extensions may -# be loaded. Extensions are loading into the active Python interpreter and may -# run arbitrary code. (This is an alternative name to extension-pkg-allow-list -# for backward compatibility.) -extension-pkg-whitelist= - -# Return non-zero exit code if any of these messages/categories are detected, -# even if score is above --fail-under value. Syntax same as enable. Messages -# specified are enabled, while categories only check already-enabled messages. -fail-on= - -# Specify a score threshold to be exceeded before program exits with error. -fail-under=10 - -# Interpret the stdin as a python script, whose filename needs to be passed as -# the module_or_package argument. -#from-stdin= - -# Files or directories to be skipped. They should be base names, not paths. -ignore=CVS - -# Add files or directories matching the regex patterns to the ignore-list. 
The -# regex matches against paths and can be in Posix or Windows format. -ignore-paths= - -# Files or directories matching the regex patterns are skipped. The regex -# matches against base names, not paths. The default value ignores Emacs file -# locks -ignore-patterns=^\.# - -# List of module names for which member attributes should not be checked -# (useful for modules/projects where namespaces are manipulated during runtime -# and thus existing member attributes cannot be deduced by static analysis). It -# supports qualified module names, as well as Unix pattern matching. -ignored-modules= - -# Python code to execute, usually for sys.path manipulation such as -# pygtk.require(). -#init-hook= - -# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the -# number of processors available to use, and will cap the count on Windows to -# avoid hangs. -jobs=1 - -# Control the amount of potential inferred values when inferring a single -# object. This can help the performance when dealing with large functions or -# complex, nested conditions. -limit-inference-results=100 - # List of plugins (as comma separated values of python module names) to load, # usually to register additional checkers. load-plugins=pylint_flask,pylint_flask_sqlalchemy - -# Pickle collected data for later comparisons. -persistent=yes - -# Minimum Python version to use for version dependent checks. Will default to -# the version used to run pylint. -py-version=3.9 - -# Discover python modules and packages in the file system subtree. -recursive=no - -# When enabled, pylint would attempt to guess common misconfiguration and emit -# user-friendly hints instead of false-positive error messages. -suggestion-mode=yes - -# Allow loading of arbitrary C extensions. Extensions are imported into the -# active Python interpreter and may run arbitrary code. -unsafe-load-any-extension=no - -# In verbose mode, extra non-checker-related info will be displayed. 
-#verbose= - - -[REPORTS] - -# Python expression which should return a score less than or equal to 10. You -# have access to the variables 'fatal', 'error', 'warning', 'refactor', -# 'convention', and 'info' which contain the number of messages in each -# category, as well as 'statement' which is the total number of statements -# analyzed. This score is used by the global evaluation report (RP0004). -evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)) - -# Template used to display messages. This is a python new-style format string -# used to format the message information. See doc for all details. -msg-template= - -# Set the output format. Available formats are text, parseable, colorized, json -# and msvs (visual studio). You can also give a reporter class, e.g. -# mypackage.mymodule.MyReporterClass. -#output-format= - -# Tells whether to display a full report or only the messages. -reports=no - -# Activate the evaluation score. -score=yes - - -[MESSAGES CONTROL] - -# Only show warnings with the listed confidence levels. Leave empty to show -# all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE, -# UNDEFINED. -confidence=HIGH, - CONTROL_FLOW, - INFERENCE, - INFERENCE_FAILURE, - UNDEFINED - -# Disable the message, report, category or checker with the given id(s). You -# can either give multiple identifiers separated by comma (,) or put this -# option multiple times (only on the command line, not in the configuration -# file where it should appear only once). You can also use "--disable=all" to -# disable everything first and then re-enable specific checks. For example, if -# you want to run only the similarities checker, you can use "--disable=all -# --enable=similarities". If you want to run only the classes checker, but have -# no Warning level messages displayed, use "--disable=all --enable=classes -# --disable=W". 
-disable=raw-checker-failed, - bad-inline-option, - locally-disabled, - file-ignored, - suppressed-message, - useless-suppression, - deprecated-pragma, - use-symbolic-message-instead - -# Enable the message, report, category or checker with the given id(s). You can -# either give multiple identifier separated by comma (,) or put this option -# multiple time (only on the command line, not in the configuration file where -# it should appear only once). See also the "--disable" option for examples. -enable=c-extension-no-member - - -[CLASSES] - -# Warn about protected attribute access inside special methods -check-protected-access-in-special-methods=no - -# List of method names used to declare (i.e. assign) instance attributes. -defining-attr-methods=__init__, - __new__, - setUp, - __post_init__ - -# List of member names, which should be excluded from the protected access -# warning. -exclude-protected=_asdict, - _fields, - _replace, - _source, - _make - -# List of valid names for the first argument in a class method. -valid-classmethod-first-arg=cls - -# List of valid names for the first argument in a metaclass class method. -valid-metaclass-classmethod-first-arg=cls - - -[SIMILARITIES] - -# Comments are removed from the similarity computation -ignore-comments=yes - -# Docstrings are removed from the similarity computation -ignore-docstrings=yes - -# Imports are removed from the similarity computation -ignore-imports=yes - -# Signatures are removed from the similarity computation -ignore-signatures=yes - -# Minimum lines number of a similarity. -min-similarity-lines=4 - - -[REFACTORING] - -# Maximum number of nested blocks for function / method body -max-nested-blocks=5 - -# Complete name of functions that never returns. When checking for -# inconsistent-return-statements if a never returning function is called then -# it will be considered as an explicit return statement and no message will be -# printed. 
-never-returning-functions=sys.exit,argparse.parse_error - - -[BASIC] - -# Naming style matching correct argument names. -argument-naming-style=snake_case - -# Regular expression matching correct argument names. Overrides argument- -# naming-style. If left empty, argument names will be checked with the set -# naming style. -#argument-rgx= - -# Naming style matching correct attribute names. -attr-naming-style=snake_case - -# Regular expression matching correct attribute names. Overrides attr-naming- -# style. If left empty, attribute names will be checked with the set naming -# style. -#attr-rgx= - -# Bad variable names which should always be refused, separated by a comma. -bad-names=foo, - bar, - baz, - toto, - tutu, - tata - -# Bad variable names regexes, separated by a comma. If names match any regex, -# they will always be refused -bad-names-rgxs= - -# Naming style matching correct class attribute names. -class-attribute-naming-style=any - -# Regular expression matching correct class attribute names. Overrides class- -# attribute-naming-style. If left empty, class attribute names will be checked -# with the set naming style. -#class-attribute-rgx= - -# Naming style matching correct class constant names. -class-const-naming-style=UPPER_CASE - -# Regular expression matching correct class constant names. Overrides class- -# const-naming-style. If left empty, class constant names will be checked with -# the set naming style. -#class-const-rgx= - -# Naming style matching correct class names. -class-naming-style=PascalCase - -# Regular expression matching correct class names. Overrides class-naming- -# style. If left empty, class names will be checked with the set naming style. -#class-rgx= - -# Naming style matching correct constant names. -const-naming-style=UPPER_CASE - -# Regular expression matching correct constant names. Overrides const-naming- -# style. If left empty, constant names will be checked with the set naming -# style. 
-#const-rgx= - -# Minimum line length for functions/classes that require docstrings, shorter -# ones are exempt. -docstring-min-length=-1 - -# Naming style matching correct function names. -function-naming-style=snake_case - -# Regular expression matching correct function names. Overrides function- -# naming-style. If left empty, function names will be checked with the set -# naming style. -#function-rgx= - -# Good variable names which should always be accepted, separated by a comma. -good-names=i, - j, - k, - ex, - Run, - _ - -# Good variable names regexes, separated by a comma. If names match any regex, -# they will always be accepted -good-names-rgxs= - -# Include a hint for the correct naming format with invalid-name. -include-naming-hint=no - -# Naming style matching correct inline iteration names. -inlinevar-naming-style=any - -# Regular expression matching correct inline iteration names. Overrides -# inlinevar-naming-style. If left empty, inline iteration names will be checked -# with the set naming style. -#inlinevar-rgx= - -# Naming style matching correct method names. -method-naming-style=snake_case - -# Regular expression matching correct method names. Overrides method-naming- -# style. If left empty, method names will be checked with the set naming style. -#method-rgx= - -# Naming style matching correct module names. -module-naming-style=snake_case - -# Regular expression matching correct module names. Overrides module-naming- -# style. If left empty, module names will be checked with the set naming style. -#module-rgx= - -# Colon-delimited sets of names that determine each other's naming style when -# the name regexes allow several styles. -name-group= - -# Regular expression which should only match function or class names that do -# not require a docstring. -no-docstring-rgx=^_ - -# List of decorators that produce properties, such as abc.abstractproperty. Add -# to this list to register other decorators that produce valid properties. 
-# These decorators are taken in consideration only for invalid-name. -property-classes=abc.abstractproperty - -# Regular expression matching correct type variable names. If left empty, type -# variable names will be checked with the set naming style. -#typevar-rgx= - -# Naming style matching correct variable names. -variable-naming-style=snake_case - -# Regular expression matching correct variable names. Overrides variable- -# naming-style. If left empty, variable names will be checked with the set -# naming style. -#variable-rgx= - - -[SPELLING] - -# Limits count of emitted suggestions for spelling mistakes. -max-spelling-suggestions=4 - -# Spelling dictionary name. Available dictionaries: none. To make it work, -# install the 'python-enchant' package. -spelling-dict= - -# List of comma separated words that should be considered directives if they -# appear at the beginning of a comment and should not be checked. -spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy: - -# List of comma separated words that should not be checked. -spelling-ignore-words= - -# A path to a file that contains the private dictionary; one word per line. -spelling-private-dict-file= - -# Tells whether to store unknown words to the private dictionary (see the -# --spelling-private-dict-file option) instead of raising a message. -spelling-store-unknown-words=no - - -[VARIABLES] - -# List of additional names supposed to be defined in builtins. Remember that -# you should avoid defining new builtins when possible. -additional-builtins= - -# Tells whether unused global variables should be treated as a violation. -allow-global-unused-variables=yes - -# List of names allowed to shadow builtins -allowed-redefined-builtins= - -# List of strings which can identify a callback function by name. A callback -# name must start or end with one of those strings. -callbacks=cb_, - _cb - -# A regular expression matching the name of dummy variables (i.e. 
expected to -# not be used). -dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_ - -# Argument names that match this expression will be ignored. Default to name -# with leading underscore. -ignored-argument-names=_.*|^ignored_|^unused_ - -# Tells whether we should check for unused import in __init__ files. -init-import=no - -# List of qualified module names which can have objects that can redefine -# builtins. -redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io - - -[LOGGING] - -# The type of string formatting that logging methods do. `old` means using % -# formatting, `new` is for `{}` formatting. -logging-format-style=old - -# Logging modules to check that the string format arguments are in logging -# function parameter format. -logging-modules=logging - - -[FORMAT] - -# Expected format of line ending, e.g. empty (any line ending), LF or CRLF. -expected-line-ending-format= - -# Regexp for a line that is allowed to be longer than the limit. -ignore-long-lines=^\s*(# )??$ - -# Number of spaces of indent required inside a hanging or continued line. -indent-after-paren=4 - -# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 -# tab). -indent-string=' ' - -# Maximum number of characters on a single line. -max-line-length=100 - -# Maximum number of lines in a module. -max-module-lines=1000 - -# Allow the body of a class to be on the same line as the declaration if body -# contains single statement. -single-line-class-stmt=no - -# Allow the body of an if to be on the same line as the test if there is no -# else. -single-line-if-stmt=no - - -[EXCEPTIONS] - -# Exceptions that will emit a warning when caught. -overgeneral-exceptions=BaseException, - Exception - - -[IMPORTS] - -# List of modules that can be imported at any level, not just the top level -# one. -allow-any-import-level= - -# Allow wildcard imports from modules that define __all__. 
-allow-wildcard-with-all=no - -# Deprecated modules which should not be used, separated by a comma. -deprecated-modules= - -# Output a graph (.gv or any supported image format) of external dependencies -# to the given file (report RP0402 must not be disabled). -ext-import-graph= - -# Output a graph (.gv or any supported image format) of all (i.e. internal and -# external) dependencies to the given file (report RP0402 must not be -# disabled). -import-graph= - -# Output a graph (.gv or any supported image format) of internal dependencies -# to the given file (report RP0402 must not be disabled). -int-import-graph= - -# Force import order to recognize a module as part of the standard -# compatibility libraries. -known-standard-library= - -# Force import order to recognize a module as part of a third party library. -known-third-party=enchant - -# Couples of modules and preferred modules, separated by a comma. -preferred-modules= - - -[TYPECHECK] - -# List of decorators that produce context managers, such as -# contextlib.contextmanager. Add to this list to register other decorators that -# produce valid context managers. -contextmanager-decorators=contextlib.contextmanager - -# List of members which are set dynamically and missed by pylint inference -# system, and so shouldn't trigger E1101 when accessed. Python regular -# expressions are accepted. -generated-members= - -# Tells whether to warn about missing members when the owner of the attribute -# is inferred to be None. -ignore-none=yes - -# This flag controls whether pylint should warn about no-member and similar -# checks whenever an opaque object is returned when inferring. The inference -# can return multiple potential results while evaluating a Python object, but -# some branches might not be evaluated, which results in partial inference. In -# that case, it might be useful to still emit no-member and other checks for -# the rest of the inferred objects. 
-ignore-on-opaque-inference=yes - -# List of symbolic message names to ignore for Mixin members. -ignored-checks-for-mixins=no-member, - not-async-context-manager, - not-context-manager, - attribute-defined-outside-init - -# List of class names for which member attributes should not be checked (useful -# for classes with dynamically set attributes). This supports the use of -# qualified names. -ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace,scoped_session - -# Show a hint with possible names when a member name was not found. The aspect -# of finding the hint is based on edit distance. -missing-member-hint=yes - -# The minimum edit distance a name should have in order to be considered a -# similar match for a missing member name. -missing-member-hint-distance=1 - -# The total number of similar names that should be taken in consideration when -# showing a hint for a missing member. -missing-member-max-choices=1 - -# Regex pattern to define which classes are considered mixins. -mixin-class-rgx=.*[Mm]ixin - -# List of decorators that change the signature of a decorated function. -signature-mutators= - - -[MISCELLANEOUS] - -# List of note tags to take in consideration, separated by a comma. -notes=FIXME, - XXX, - TODO - -# Regular expression of note tags to take in consideration. -notes-rgx= - - -[STRING] - -# This flag controls whether inconsistent-quotes generates a warning when the -# character used as a quote delimiter is used inconsistently within a module. -check-quote-consistency=no - -# This flag controls whether the implicit-str-concat should generate a warning -# on implicit string concatenation in sequences defined over several lines. 
-check-str-concat-over-line-jumps=no - - -[DESIGN] - -# List of regular expressions of class ancestor names to ignore when counting -# public methods (see R0903) -exclude-too-few-public-methods= - -# List of qualified class names to ignore when counting class parents (see -# R0901) -ignored-parents= - -# Maximum number of arguments for function / method. -max-args=5 - -# Maximum number of attributes for a class (see R0902). -max-attributes=7 - -# Maximum number of boolean expressions in an if statement (see R0916). -max-bool-expr=5 - -# Maximum number of branch for function / method body. -max-branches=12 - -# Maximum number of locals for function / method body. -max-locals=15 - -# Maximum number of parents for a class (see R0901). -max-parents=7 - -# Maximum number of public methods for a class (see R0904). -max-public-methods=20 - -# Maximum number of return / yield for function / method body. -max-returns=6 - -# Maximum number of statements in function / method body. -max-statements=50 - -# Minimum number of public methods for a class (see R0903). -min-public-methods=2 diff --git a/areas/apps/apps.py b/areas/apps/apps.py index fe9f30a..2f15bd4 100644 --- a/areas/apps/apps.py +++ b/areas/apps/apps.py @@ -24,8 +24,6 @@ APPS_DATA = [ APP_DATA = {"id": 1, "name": "Nextcloud", "selected": True, "status": "ON for everyone", "config": CONFIG_DATA}, -APP_NOT_INSTALLED_STATUS = "Not installed" - @api_v1.route('/apps', methods=['GET']) @jwt_required() @cross_origin() diff --git a/areas/apps/models.py b/areas/apps/models.py index f28971e..a3098ab 100644 --- a/areas/apps/models.py +++ b/areas/apps/models.py @@ -6,7 +6,6 @@ from sqlalchemy import ForeignKey, Integer, String from sqlalchemy.orm import relationship from database import db import helpers.kubernetes as k8s -from .apps import APP_NOT_INSTALLED_STATUS class App(db.Model): 
@@ -23,34 +22,8 @@ class App(db.Model):
 return f"{self.id} <{self.name}>"
 def get_status(self):
- """Returns a string that describes the app state in the cluster"""
- kustomization = self.kustomization
- if kustomization is not None and "status" in kustomization:
- ks_ready, ks_message = App.check_condition(kustomization['status'])
- else:
- ks_ready = None
- for helmrelease in self.helmreleases['items']:
- hr_status = helmrelease['status']
- hr_ready, hr_message = App.check_condition(hr_status)
-
- # For now, only show the message of the first HR that isn't ready
- if not hr_ready:
- break
-
- if ks_ready is None:
- return APP_NOT_INSTALLED_STATUS
- # *Should* not happen, but just in case:
- if (ks_ready is None and hr_ready is not None) or \
- (hr_ready is None and ks_ready is not None):
- return ("This app is in a strange state. Contact a Stackspin"
- " administrator if this status stays for longer than 5 minutes")
- if ks_ready and hr_ready:
- return "App installed and running"
- if not hr_ready:
- return f"App HelmRelease status: {hr_message}"
- if not ks_ready:
- return f"App Kustomization status: {ks_message}"
- return "App is installing..."
+ """Returns an AppStatus object that describes the current cluster state"""
+ return AppStatus(self.kustomization, self.helmreleases)
 def install(self):
@@ -139,7 +112,7 @@ class App(db.Model):
 @property
 def helmreleases(self):
 """Returns the helmreleases associated with the kustomization for this app"""
- return k8s.list_helmreleases(self.namespace,
+ return k8s.get_all_helmreleases(self.namespace,
 f"kustomize.toolkit.fluxcd.io/name={self.slug}")
 @staticmethod
@@ -147,6 +120,74 @@ class App(db.Model):
 """Returns directory that contains the Jinja templates used to create app secrets."""
 return os.path.join(os.path.dirname(os.path.realpath(__file__)), "templates")
+
+
+class AppRole(db.Model): # pylint: disable=too-few-public-methods
+ """
+ The AppRole object, stores the roles Users have on Apps
+ """
+
+ user_id = db.Column(String(length=64), primary_key=True)
+ app_id = db.Column(Integer, ForeignKey("app.id"), primary_key=True)
+ role_id = db.Column(Integer, ForeignKey("role.id"))
+
+ role = relationship("Role")
+
+ def __repr__(self):
+ return (f"role_id: {self.role_id}, user_id: {self.user_id},"
+ f" app_id: {self.app_id}, role: {self.role}")
+
+class AppStatus(): # pylint: disable=too-few-public-methods
+ """
+ Represents the status of an app in the Kubernetes cluster.
+
+ This class can answer a few questions, like "is the app installed?", but
+ can also return raw status messages from Kustomizations and HelmReleases
+
+ This constructor sets three variables:
+
+ self.installed (bool): Whether the app should be installed
+ self.ready (bool): Whether the app is installed correctly
+ self.message (str): Information about the status
+
+ :param kustomization_status: The status of the Kustomization of this app:
+ :type kustomization_status: str
+ :param helmrelease_status: The status of the helmreleases of this app
+ :type helmrelease_status: str[]
+ """
+ def __init__(self, kustomization, helmreleases):
+ self.helmreleases = {}
+ if kustomization is not None and "status" in kustomization:
+ ks_ready, ks_message = AppStatus.check_condition(kustomization['status'])
+ self.installed = True
+ else:
+ ks_ready = None
+ ks_message = "Kustomization does not exist"
+ self.installed = False
+ self.ready = False
+ self.message = "Not installed"
+
+ for helmrelease in helmreleases:
+ hr_status = helmrelease['status']
+ hr_ready, hr_message = AppStatus.check_condition(hr_status)
+
+ # For now, only show the message of the first HR
that isn't ready
+ if not hr_ready:
+ self.ready = False
+ self.message = f"HelmRelease {helmrelease['metadata']['name']} status: {hr_message}"
+ return
+
+ # If we end up here, all HRs are ready
+ if ks_ready:
+ self.ready = True
+ self.message = "Installed"
+ else:
+ self.ready = False
+ self.message = f"App Kustomization status: {ks_message}"
+
+ def __repr__(self):
+ return f"Installed: {self.installed}\tReady: {self.ready}\tMessage: {self.message}"
+
 @staticmethod
 def check_condition(status):
 """
@@ -166,19 +207,3 @@ class App(db.Model):
 if condition["type"] == "Ready":
 return condition["status"] == "True", condition["message"]
 return False, "Condition with type 'Ready' not found"
-
-
-class AppRole(db.Model): # pylint: disable=too-few-public-methods
- """
- The AppRole object, stores the roles Users have on Apps
- """
-
- user_id = db.Column(String(length=64), primary_key=True)
- app_id = db.Column(Integer, ForeignKey("app.id"), primary_key=True)
- role_id = db.Column(Integer, ForeignKey("role.id"))
-
- role = relationship("Role")
-
- def __repr__(self):
- return (f"role_id: {self.role_id}, user_id: {self.user_id},"
- f" app_id: {self.app_id}, role: {self.role}")
diff --git a/cliapp/cliapp/cli.py b/cliapp/cliapp/cli.py
index 6a689bf..6ac5cba 100644
--- a/cliapp/cliapp/cli.py
+++ b/cliapp/cliapp/cli.py
@@ -17,7 +17,7 @@ from config import HYDRA_ADMIN_URL, KRATOS_ADMIN_URL, KRATOS_PUBLIC_URL
 from helpers import KratosUser
 from cliapp import cli
 from areas.roles import Role
-from areas.apps import AppRole, App, APP_NOT_INSTALLED_STATUS
+from areas.apps import AppRole, App
 from database import db
 # APIs
@@ -135,7 +135,7 @@ def status_app(slug):
 current_app.logger.error(f"App {slug} does not exist")
 return
- current_app.logger.info(f"Status: {app.get_status()}")
+ current_app.logger.info(app.get_status())
 @app_cli.command("install")
 @click.argument("slug")
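Review bot: The `else` branch of `AppStatus.__init__` sets `self.message = "Not installed"` but then falls through into the HelmRelease loop and the closing `if ks_ready:` / `else:` block, which overwrites it with `App Kustomization status: Kustomization does not exist`, so the "Not installed" text never reaches a caller; ending that branch with a `return` right after `self.message = "Not installed"` keeps the two states distinct. In the loop, `hr_status = helmrelease['status']` is indexed without the `"status" in …` guard the Kustomization gets a few lines earlier, and a HelmRelease that Flux has not reconciled yet carries no status, so the resulting KeyError would turn a transient state into a crash of every status query; `if "status" not in helmrelease:` treated as not-ready with a message such as `f"HelmRelease {helmrelease['metadata']['name']} has no status yet"` would be safer. `self.helmreleases = {}` is assigned and never read, and the docstring's `:param kustomization_status:` / `:param helmrelease_status:` (typed `str` / `str[]`) do not match the actual parameters `kustomization` and `helmreleases`, which the code indexes as the dict returned for the Kustomization and a list of HelmRelease dicts, so rename and retype them accordingly. Whether `helmreleases` can be `None` (the earlier `list_helmreleases` returned `None` on a 404) depends on `get_all_helmreleases`, which is not visible here; if it can, the `for` loop needs a guard as well. The `AppStatus` class body continues past the hunk with `check_condition`.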
@@ -152,13 +152,12 @@ def install_app(slug):
 return
 current_status = app.get_status()
- if current_status == APP_NOT_INSTALLED_STATUS:
+ if current_status.installed == False:
 app.install()
 current_app.logger.info(
 f"App {slug} installing... use `status` to see status")
 else:
- current_app.logger.error("App {slug} should have status"
- f" {APP_NOT_INSTALLED_STATUS} but has status: {current_status}")
+ current_app.logger.error(f"App {slug} is already installed")
 @app_cli.command("roles")
 @click.argument("slug")
diff --git a/helpers/kubernetes.py b/helpers/kubernetes.py
index 9d843e2..7f29ade 100644
--- a/helpers/kubernetes.py
+++ b/helpers/kubernetes.py
@@ -12,17 +12,28 @@ from kubernetes.client import api_client
 from kubernetes.client.exceptions import ApiException
 from kubernetes.utils import create_from_yaml
 from kubernetes.utils.create_from_yaml import FailToCreateError
+from flask import current_app
 # Load the kube config once
+#
+# By default this loads whatever we define in the `KUBECONFIG` env variable,
+# otherwise loads the config from default locations, similar to what kubectl
+# does.
 config.load_kube_config()
 def create_variables_secret(app_slug, variables_filepath):
 """Checks if a variables secret for app_name already exists, generates it if necessary.
+ If a secret already exists, loops through keys from the template, and adds
+ values for keys that miss in the Kubernetes secret, but are available in
+ the template.
+
 :param app_slug: The slug of the app, used in the oauth secrets
 :type app_slug: string
 :param variables_filepath: The path to an existing jinja2 template
 :type variables_filepath: string
+ :return: returns True, unless an exception gets raised by the Kubernetes API
+ :rtype: boolean
 """
 new_secret_dict = read_template_to_dict(
 variables_filepath,
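Review bot: `if current_status.installed == False:` compares against the `False` singleton, which pylint's default singleton-comparison check rejects and which silently misbehaves should `installed` ever hold a falsy non-bool; write it as `if not current_status.installed:`. The replacement `else` message `f"App {slug} is already installed"` also drops the actual state that the old message carried, and since `AppStatus` defines a `__repr__`, `f"App {slug} is already installed: {current_status}"` keeps that information for the operator at no cost.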
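Review bot: Importing `current_app` into `helpers/kubernetes.py` ties every log call in this module to a Flask application context; outside one (a plain script, a unit test, a future background worker) `current_app.logger` raises `RuntimeError: Working outside of application context`, so a log statement becomes the failure in code that is otherwise pure Kubernetes client glue. A module-level `logger = logging.getLogger(__name__)` used in place of `current_app.logger` still flows into Flask's logging setup when the app is running and needs no context when it is not. The new comment above `config.load_kube_config()` is useful but should also say that the call runs at import time, so merely importing `helpers.kubernetes` (e.g. through `areas.apps.models`) raises the client's ConfigException when no kubeconfig can be found: `# NOTE: runs on import; importing this module without a reachable kubeconfig raises.`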
@@ -37,7 +48,7 @@ def create_variables_secret(app_slug, variables_filepath):
 elif current_secret_data.keys() != new_secret_dict["data"].keys():
 # Update current secret with new keys
 update_secret = True
- print(
+ current_app.logger.info(
 f"Secret {secret_name} in namespace {secret_namespace}"
 " already exists. Merging..."
 )
@@ -45,12 +56,12 @@ def create_variables_secret(app_slug, variables_filepath):
 new_secret_dict["data"] |= current_secret_data
 else:
 # Do Nothing
- print(
+ current_app.logger.info(
 f"Secret {secret_name} in namespace {secret_namespace}"
 " is already in a good state, doing nothing."
 )
 return True
- print(
+ current_app.logger.info(
 f"Storing secret {secret_name} in namespace"
 f" {secret_namespace} in cluster."
 )
@@ -61,7 +72,14 @@ def create_variables_secret(app_slug, variables_filepath):
 def get_secret_metadata(secret_dict):
- """Returns secret name and namespace from metadata field in a yaml string."""
+ """
+ Returns secret name and namespace from metadata field in a yaml string.
+
+ :param secret_dict: Dictionary of the secret as returned by read_namespaced_secret
+ :type secret_dict: dict
+ :return: Tuple containing secret name and secret namespace
+ :rtype: tuple
+ """
 secret_name = secret_dict["metadata"]["name"]
 # default namespace is flux-system, but other namespace can be
 # provided in secret metadata
@@ -73,7 +91,17 @@ def get_kubernetes_secret_data(secret_name, namespace):
- """Returns the contents of a kubernetes secret or None if the secret does not exist."""
+ """
+ Get secret from Kubernetes
+
+ :param secret_name: Name of the secret
+ :type secret_name: string
+ :param namespace: Namespace of the secret
+ :type namespace: string
+
+ :return: The contents of a kubernetes secret or None if the secret does not exist.
+ :rtype: dict or None
+ """
 api_client_instance = api_client.ApiClient()
 api_instance = client.CoreV1Api(api_client_instance)
 try:
@@ -87,7 +115,20 @@ def get_kubernetes_secret_data(secret_name, namespace):
 def store_kubernetes_secret(secret_dict, namespace, update=False):
- """Stores either a new secret in the cluster, or updates an existing one."""
+ """
+ Stores either a new secret in the cluster, or updates an existing one.
+
+ :param secret_dict: Dictionary of the secret as returned by read_namespaced_secret
+ :type secret_dict: dict
+ :param namespace: Namespace of the secret
+ :type namespace: string
+ :param update: If True, use `patch_kubernetes_secret`,
+ otherwise use `create_from_yaml` (default: False)
+ :type update: boolean
+
+ :return: None
+ :rtype: None
+ """
 api_client_instance = api_client.ApiClient()
 if update:
 verb = "updated"
@@ -101,13 +142,23 @@ def store_kubernetes_secret(secret_dict, namespace, update=False):
 namespace=namespace
 )
 except FailToCreateError as ex:
- print(f"Secret not {verb} because of exception {ex}")
+ current_app.logger.info(f"Secret not created because of exception {ex}")
 return
- print(f"Secret {verb} with api response: {api_response}")
+ current_app.logger.info(f"Secret {verb} with api response: {api_response}")
 def store_kustomization(kustomization_template_filepath, app_slug):
- """Add a kustomization that installs app {app_slug} to the cluster"""
+ """
+ Add a kustomization that installs app {app_slug} to the cluster.
+
+ :param kustomization_template_filepath: Path to the template that describes
+ the kustomization. The template should have an `{{ app }}` entry.
+ :type kustomization_template_filepath: string
+ :param app_slug: Slug for the app, used to replace `{{ app }}` in the
+ template
+ :return: True on success
+ :rtype: boolean
+ """
 kustomization_dict = read_template_to_dict(kustomization_template_filepath,
 {"app": app_slug})
 custom_objects_api = client.CustomObjectsApi()
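Review bot: `current_app.logger.info(f"Secret {verb} with api response: {api_response}")` writes the API's echo of the stored Secret into the application log at INFO level; as far as the kubernetes client's `create_from_yaml` goes, that response is the created V1Secret object including its `data` map (base64, not encryption), so every app secret this tool provisions — the OAuth client secrets and app variables rendered from the templates — lands in log storage that is usually far more widely readable than the Secret itself. Log identifying fields only, e.g. `current_app.logger.info(f"Secret {secret_dict['metadata']['name']} in namespace {namespace} {verb}")`, and keep the raw response for a `debug` line at most, as the Kustomization paths in this same file already do. The failure line was also changed from `Secret not {verb}` to the fixed `Secret not created`, so a failed update is reported as a failed create, and a refused write of a secret is an operational error rather than an informational event: `current_app.logger.error(f"Secret not {verb} because of exception {ex}")`. The update path goes through `patch_kubernetes_secret`, which is not visible here, so whether it raises `FailToCreateError` like `create_from_yaml` and is therefore covered by this `except` at all is worth confirming.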
@@ -119,14 +170,25 @@ def store_kustomization(kustomization_template_filepath, app_slug): plural="kustomizations", body=kustomization_dict) except FailToCreateError as ex: - print(f"Could not create {app_slug} Kustomization because of exception {ex}") - return - print(f"Kustomization created with api response: {api_response}") + current_app.logger.info( + f"Could not create {app_slug} Kustomization because of exception {ex}") + return False + current_app.logger.debug(f"Kustomization created with api response: {api_response}") + return True def delete_kustomization(kustomization_name): - """Deletes kustomization for an app_slug. Should also result in the - deletion of the app's HelmReleases, PVCs, OAuth2Client, etc. Nothing will - remain""" + """ + Deletes a kustomization. + + Note that this can also result in the deletion of an app's HelmReleases, + PVCs (user data!), OAuth2Client, etc. Nothing will remain + + :param kustomization_name: name of the kustomization to delete + :type kustomization_name: string + + :return: Response of delete API call + :rtype: dict + """ custom_objects_api = client.CustomObjectsApi() body = client.V1DeleteOptions() try: @@ -138,14 +200,16 @@ def delete_kustomization(kustomization_name): name=kustomization_name, body=body) except ApiException as ex: - print(f"Could not delete {kustomization_name} Kustomization because of exception {ex}") + current_app.logger.info( + f"Could not delete {kustomization_name} Kustomization because of exception {ex}") return False - print(f"Kustomization deleted with api response: {api_response}") + current_app.logger.debug(f"Kustomization deleted with api response: {api_response}") return api_response def read_template_to_dict(template_filepath, template_globals): - """Reads a Jinja2 template that contains yaml and turns it into a dict + """ + Reads a Jinja2 template that contains yaml and turns it into a dict. :param template_filepath: The path to an existing Jinja2 template :type template_filepath: string 
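Review bot: delete_kustomization's new docstring promises `:return: Response of delete API call` / `:rtype: dict`, but the except branch at the end of the second hunk still does `return False`, so a caller that reads the result as a dict breaks on the failure path; the docstring should name both outcomes, e.g. `:return: Response of the delete API call, or False if the call failed`. store_kustomization in the first hunk has the same split — `:return: True on success` with an unmentioned `False` — and the same one-line docstring fix applies. Both failures are logged at INFO although they abort the operation; `warning` is the level a log-based alert would catch.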
@@ -167,7 +231,17 @@ def read_template_to_dict(template_filepath, template_globals): def patch_kubernetes_secret(secret_dict, namespace): - """Patches secret in the cluster with new data.""" + """ + Patches secret in the cluster with new data. + + Warning: currently ignores everything that's not in secret_dict["data"] + + :param secret_dict: Dictionary of the secret as returned by read_namespaced_secret + :type secret_dict: dict + :param namespace: Namespace of the secret + :type namespace: string + :return: Response of the patch API call + """ api_client_instance = api_client.ApiClient() api_instance = client.CoreV1Api(api_client_instance) name = secret_dict["metadata"]["name"] 
@@ -177,30 +251,32 @@ def patch_kubernetes_secret(secret_dict, namespace): def generate_password(length): - """Generates a password of "length" characters.""" + """ + Generates a password with letters and digits. + + :param length: The amount of characters in the password + :type length: int + :return: Generated password + :rtype: string + """ length = int(length) - password = "".join((secrets.choice(string.ascii_letters) + password = "".join((secrets.choice(string.ascii_letters + string.digits) for i in range(length))) return password def gen_htpasswd(user, password): - """Generate htpasswd entry for user with password.""" - return f"{user}:{crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512))}" + """ + Generate htpasswd entry for user with password. -def get_all_kustomization_names(namespace='flux-system'): + :param user: Username used in the htpasswd entry + :type user: string + :param password: Password for the user, will get encrypted. + :type password: string + :return: htpassword line entry + :rtype: string """ - Returns all flux kustomizations in a namespace. - :param namespace: namespace that contains kustomizations. Default: `flux-system` - :type namespace: str - :return: List of names for kustomizations in namespace - :rtype: list - """ - kustomizations = get_all_kustomizations(namespace) - return_kustomizations = [] - for kustomization in kustomizations['items']: - return_kustomizations.append(kustomization['metadata']['name']) - return return_kustomizations + return f"{user}:{crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512))}" def get_all_kustomizations(namespace='flux-system'): 
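Review bot: gen_htpasswd keeps relying on the `crypt` module, which is deprecated since Python 3.11 and removed in 3.13 (PEP 594), and `crypt.METHOD_SHA512` exists only where the platform libc provides it; the new docstring should at least state this, e.g. `Uses the platform crypt(3) SHA-512 method; the crypt module is deprecated in 3.11 and removed in 3.13.` The docstring also says the password "will get encrypted" — it is salted and hashed, not encrypted, so `:param password: Password for the user; it is salted and hashed, never stored in clear` is the accurate wording. In generate_password the alphabet `string.ascii_letters + string.digits` is concatenated on every iteration; `alphabet = string.ascii_letters + string.digits` hoisted above the join is cheaper and reads better.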
@@ -208,8 +284,8 @@ def get_all_kustomizations(namespace='flux-system'): Returns all flux kustomizations in a namespace. :param namespace: namespace that contains kustomizations. Default: `flux-system` :type namespace: str - :return: Kustomizations as returned by CustomObjectsApi.list_namespaced_custom_object() - :rtype: object + :return: 'items' in dict returned by CustomObjectsApi.list_namespaced_custom_object() + :rtype: dict[] """ api = client.CustomObjectsApi() api_response = api.list_namespaced_custom_object( 
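Review bot: get_all_kustomizations' updated docstring claims it returns the `'items'` list (`:rtype: dict[]`), but the function's last line, visible as context at the start of the next hunk, is still `return api_response` — the whole list object — whereas get_all_helmreleases now returns `api_response['items']`. Either change the return to `return api_response['items']` so the two sibling functions have the same shape, or revert the docstring line. `dict[]` is not a Python type; `list[dict]` is the conventional spelling.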
@@ -221,81 +297,17 @@ def get_all_kustomizations(namespace='flux-system'): return api_response -def get_all_helmrelease_names(namespace='stackspin'): +def get_all_helmreleases(namespace='stackspin', label_selector=""): """ - Returns names of all helmreleases in a namespace. - :param namespace: namespace that contains kustomizations. Default: `stackspin` + Lists all helmreleases in a certain namespace (stackspin by default) + + :param namespace: namespace that contains helmreleases. Default: `stackspin-apps` :type namespace: str - :return: List of names for helmreleases in namespace - :rtype: list - """ - helmreleases = get_all_helmreleases(namespace) - return_helmreleases = [] - for helmrelease in helmreleases['items']: - return_helmreleases.append(helmrelease['metadata']['name']) - return return_helmreleases + :param label_selector: a label selector to limit the list (optional) + :type label_selector: str -def get_all_helmreleases(namespace='stackspin'): - """ - Returns all helmreleases in a namespace. - :param namespace: namespace that contains kustomizations. 
Default: `stackspin` - :type namespace: str - :return: Helmreleases as returned by CustomObjectsApi.list_namespaced_custom_object() - :rtype: object - """ - api = client.CustomObjectsApi() - api_response = api.list_namespaced_custom_object( - group="helm.toolkit.fluxcd.io", - version="v2beta1", - plural="helmreleases", - namespace=namespace, - ) - return api_response - - -def get_kustomization(name, namespace='flux-system'): - """Returns all info of a Flux kustomization with name 'name'""" - api = client.CustomObjectsApi() - try: - resource = api.get_namespaced_custom_object( - group="kustomize.toolkit.fluxcd.io", - version="v1beta1", - name=name, - namespace=namespace, - plural="kustomizations", - ) - except client.exceptions.ApiException as error: - if error.status == 404: - return None - # Raise all non-404 errors - raise error - return resource - - -def get_helmrelease(name, namespace='stackspin-apps'): - """Returns all info of a Flux helmrelease with name 'name'""" - api = client.CustomObjectsApi() - try: - resource = api.get_namespaced_custom_object( - group="helm.toolkit.fluxcd.io", - version="v2beta1", - name=name, - namespace=namespace, - plural="helmreleases", - ) - except client.exceptions.ApiException as error: - if error.status == 404: - return None - # Raise all non-404 errors - raise error - - return resource - -def list_helmreleases(namespace='stackspin-apps', label_selector=""): - """ - Lists all helmreleases in a certain namespace (stackspin-apps by default) - - Optionally takes a label selector to limit the list. + :return: List of helmreleases + :rtype: dict[] """ api_instance = client.CustomObjectsApi() 
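Review bot: get_all_helmreleases's new docstring says `Default: `stackspin-apps``, but the signature keeps `namespace='stackspin'` and the summary line says "stackspin by default", so two of the three disagree. The removed list_helmreleases defaulted to `stackspin-apps`, which suggests the docstring line was carried over from it; pick one namespace and make the signature and both docstring lines agree. get_helmrelease is deleted in this hunk without a replacement; if any caller outside this view still uses it, that will fail at runtime. The hunk starts on the previous physical line.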
@@ -311,17 +323,32 @@ def list_helmreleases(namespace='stackspin-apps', label_selector=""): return None # Raise all non-404 errors raise error - return api_response + return api_response['items'] -def get_readiness(app_status): +def get_kustomization(name, namespace='flux-system'): """ - Parses an app status's 'conditions' to find a type field called 'Ready' and - returns its status. Works for Kustomizations as well as Helmreleases. + Returns all info of a Flux kustomization with name 'name' + + :param name: Name of the kustomizatoin + :type name: string + :param namespace: Namespace of the kustomization + :type namespace: string + :return: kustomization as returned by the API + :rtype: dict """ - for condition in app_status['conditions']: - if condition['type'] == 'Ready': - return condition['status'] - # If this point is reached, no condition "Ready" exists, so the application - # is not ready. - return False + api = client.CustomObjectsApi() + try: + resource = api.get_namespaced_custom_object( + group="kustomize.toolkit.fluxcd.io", + version="v1beta1", + name=name, + namespace=namespace, + plural="kustomizations", + ) + except client.exceptions.ApiException as error: + if error.status == 404: + return None + # Raise all non-404 errors + raise error + return resource From 82478e50062d3df4776b5bd8c2717cee42213b65 Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Wed, 28 Sep 2022 14:46:49 +0200 Subject: [PATCH 5/8] fix a few bugs with app del uninstall and deletion --- .pylintrc | 5 +++++ areas/apps/models.py | 4 +++- cliapp/cliapp/cli.py | 15 ++++++++++----- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/.pylintrc b/.pylintrc index 4051d64..cacf5a9 100644 --- a/.pylintrc +++ b/.pylintrc 
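Review bot: get_kustomization's docstring says `:return: kustomization as returned by the API` / `:rtype: dict`, but the except branch returns `None` on a 404, so the contract should read `:return: kustomization as returned by the API, or None if it does not exist`; get_all_helmreleases above it has the same undocumented `return None` path. In the same docstring "kustomizatoin" is a typo and `:type name: string` should be `str` to match `:type namespace: str` elsewhere in the file. Inside the except block a bare `raise` is the idiomatic way to re-raise the active exception, so `raise error` can simply be `raise`.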
@@ -3,3 +3,8 @@
 # List of plugins (as comma separated values of python module names) to load,
 # usually to register additional checkers.
 load-plugins=pylint_flask,pylint_flask_sqlalchemy
+
+# List of class names for which member attributes should not be checked (useful
+# for classes with dynamically set attributes). This supports the use of
+# qualified names.
+ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace,scoped_session
diff --git a/areas/apps/models.py b/areas/apps/models.py
index a3098ab..abc3448 100644
--- a/areas/apps/models.py
+++ b/areas/apps/models.py
@@ -51,7 +51,8 @@ class App(db.Model):
 """
 # Delete all roles first
 for role in self.roles:
- role.delete()
+ db.session.delete(role)
+ db.session.commit()
 db.session.delete(self)
 return db.session.commit()
@@ -166,6 +167,7 @@ class AppStatus(): # pylint: disable=too-few-public-methods
 self.installed = False
 self.ready = False
 self.message = "Not installed"
+ return
 for helmrelease in helmreleases:
 hr_status = helmrelease['status']
diff --git a/cliapp/cliapp/cli.py b/cliapp/cliapp/cli.py
index 6ac5cba..25ba861 100644
--- a/cliapp/cliapp/cli.py
+++ b/cliapp/cliapp/cli.py
@@ -98,9 +98,14 @@ def delete_app(slug):
 current_app.logger.info("Not found")
 return
- deleted = app_obj.delete()
- current_app.logger.info(f"Success: {deleted}")
- return
+ app_status = app_obj.get_status()
+ if not app_status.installed:
+ deleted = app_obj.delete()
+ current_app.logger.info(f"Success.")
+ else:
+ current_app.logger.info("Can not delete installed application, run"
+ " 'uninstall' first")
+
 @app_cli.command(
 "uninstall",
@@ -110,7 +115,7 @@ def uninstall_app(slug):
 """Uninstalls the app from the cluster
 :param slug: str Slug of app to remove
 """
- current_app.logger.info(f"Trying to delete app: {slug}")
+ current_app.logger.info(f"Trying to uninstall app: {slug}")
 app_obj = App.query.filter_by(slug=slug).first()
 if not app_obj:
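Review bot: App.delete now calls `db.session.commit()` inside the `for role in self.roles:` loop, so every role deletion is its own transaction and the app row is committed separately afterwards; a failure midway leaves some roles gone and the app still present. Deleting roles and app in one unit of work keeps it atomic: `for role in self.roles: db.session.delete(role)`, then the existing `db.session.delete(self)` and `return db.session.commit()`. In the delete_app hunk of cli.py, the guard on `app_status.installed` is the right direction, but the "Can not delete" branch only logs at INFO and exits with status 0, so a script calling the CLI cannot tell the refusal from success; consider `raise click.ClickException(...)` or a non-zero exit there. App.delete's body starts outside its hunk.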
@@ -152,7 +157,7 @@ def install_app(slug):
 return
 current_status = app.get_status()
- if current_status.installed == False:
+ if not current_status.installed:
 app.install()
 current_app.logger.info(
 f"App {slug} installing... use `status` to see status")
From 5e5b8ce200714be852ff96c29566fadf06df1790 Mon Sep 17 00:00:00 2001
From: Maarten de Waard
Date: Wed, 28 Sep 2022 14:53:40 +0200
Subject: [PATCH 6/8] raise exceptions instead of logging them and then failing relatively silently
---
 helpers/kubernetes.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/helpers/kubernetes.py b/helpers/kubernetes.py
index 7f29ade..09fcc68 100644
--- a/helpers/kubernetes.py
+++ b/helpers/kubernetes.py
@@ -143,7 +143,7 @@ def store_kubernetes_secret(secret_dict, namespace, update=False):
 )
 except FailToCreateError as ex:
 current_app.logger.info(f"Secret not created because of exception {ex}")
- return
+ raise ex
 current_app.logger.info(f"Secret {verb} with api response: {api_response}")
@@ -172,7 +172,7 @@ def store_kustomization(kustomization_template_filepath, app_slug):
 except FailToCreateError as ex:
 current_app.logger.info(
 f"Could not create {app_slug} Kustomization because of exception {ex}")
- return False
+ raise ex
 current_app.logger.debug(f"Kustomization created with api response: {api_response}")
 return True
@@ -202,7 +202,7 @@ def delete_kustomization(kustomization_name):
 except ApiException as ex:
 current_app.logger.info(
 f"Could not delete {kustomization_name} Kustomization because of exception {ex}")
- return False
+ raise ex
 current_app.logger.debug(f"Kustomization deleted with api response: {api_response}")
 return api_response
From 903f11cf477448d66cfc4895037bc859d9101791 Mon Sep 17 00:00:00 2001
From: Maarten de Waard
Date: Wed, 28 Sep 2022 16:45:34 +0200
Subject: [PATCH 7/8] fix oauth secret creation for most apps
---
 areas/apps/models.py | 8 ++++++++
 1 file changed, 8 insertions(+)
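Review bot: The three `raise ex` lines in helpers/kubernetes.py change the contracts from "log and return False/None" to raising, but none of the docstrings is updated: store_kubernetes_secret still says `:return: None`, store_kustomization `:return: True on success`, delete_kustomization `:return: Response of delete API call`; each needs a `:raises FailToCreateError:` (or `:raises ApiException:` for delete_kustomization) line, and any caller that tested the old `False` return now needs a try/except. Inside an except block a bare `raise` re-raises the active exception and is the idiomatic form, so `raise ex` can be just `raise`. The INFO log kept before each raise now duplicates what the caller will see; either drop it or use `current_app.logger.exception(...)` so the traceback is recorded once at the right severity. Each of the three function bodies starts outside its hunk.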
diff --git a/areas/apps/models.py b/areas/apps/models.py
index abc3448..fd12c6e 100644
--- a/areas/apps/models.py
+++ b/areas/apps/models.py
@@ -63,6 +63,14 @@ class App(db.Model):
 if self.variables_template_filepath:
 k8s.create_variables_secret(self.slug, self.variables_template_filepath)
+ k8s.create_variables_secret(
+ self.slug,
+ os.path.join(
+ self.__get_templates_dir(),
+ "stackspin-oauth-variables.yaml.jinja"
+ )
+ )
+
 def __create_kustomization(self):
 """Creates the `add-{app_slug}` kustomization in the Kubernetes cluster"""
 kustomization_template_filepath = \
From 95eb8db5a38a594bef62e249265c54c44bff3b20 Mon Sep 17 00:00:00 2001
From: Maarten de Waard
Date: Thu, 29 Sep 2022 12:54:37 +0200
Subject: [PATCH 8/8] improve uninstall documentation, remove None output in uninstall command
---
 areas/apps/models.py | 7 +++++--
 cliapp/cliapp/cli.py | 8 ++++----
 helpers/kubernetes.py | 6 ++++--
 3 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/areas/apps/models.py b/areas/apps/models.py
index fd12c6e..3cad938 100644
--- a/areas/apps/models.py
+++ b/areas/apps/models.py
@@ -37,8 +37,11 @@ class App(db.Model):
 """
 Delete the app kustomization.
- This triggers a deletion of the app's PVCs (so deletes all data), as
- well as any other Kustomizations and HelmReleases related to the app
+ In our case, this triggers a deletion of the app's PVCs (so deletes all
+ data), as well as any other Kustomizations and HelmReleases related to
+ the app. It also triggers a deletion of the OAuth2Client object, but
+ does not delete the secrets generated by the `install` command. It also
+ does not remove the TLS secret generated by cert-manager.
 """
 self.__delete_kustomization()
diff --git a/cliapp/cliapp/cli.py b/cliapp/cliapp/cli.py
index 25ba861..578b9e3 100644
--- a/cliapp/cliapp/cli.py
+++ b/cliapp/cliapp/cli.py
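Review bot: The added `k8s.create_variables_secret(...)` call for `stackspin-oauth-variables.yaml.jinja` runs unconditionally, whereas the per-app variables secret just above it is guarded by `if self.variables_template_filepath:`; if some apps have no OAuth client (not visible here), an OAuth variables secret is created for them anyway. A one-line comment stating the intent would spare the next reader the question, e.g. `# Every app gets an OAuth2 client secret, independent of its own variables template`. Whether `os` is imported in this module is not visible in the hunk; if it is not, this line fails on first call. The enclosing method starts outside the hunk.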
@@ -100,8 +100,8 @@ def delete_app(slug):
 app_status = app_obj.get_status()
 if not app_status.installed:
- deleted = app_obj.delete()
- current_app.logger.info(f"Success.")
+ app_obj.delete()
+ current_app.logger.info("Success.")
 else:
 current_app.logger.info("Can not delete installed application, run"
 " 'uninstall' first")
@@ -122,8 +122,8 @@ def uninstall_app(slug):
 current_app.logger.info("Not found")
 return
- uninstalled = app_obj.uninstall()
- current_app.logger.info(f"Success: {uninstalled}")
+ app_obj.uninstall()
+ current_app.logger.info("Success.")
 return
 @app_cli.command("status")
diff --git a/helpers/kubernetes.py b/helpers/kubernetes.py
index 09fcc68..280ccea 100644
--- a/helpers/kubernetes.py
+++ b/helpers/kubernetes.py
@@ -180,8 +180,10 @@ def delete_kustomization(kustomization_name):
 """
 Deletes a kustomization.
- Note that this can also result in the deletion of an app's HelmReleases,
- PVCs (user data!), OAuth2Client, etc. Nothing will remain
+ Note that if the kustomization has `prune: true` in its spec, this will
+ trigger deletion of other elements generated by the Kustomizartion. See
+ App.uninstall() to learn what implications this has for what will and will
+ not be deleted by the kustomize-controller.
 :param kustomization_name: name of the kustomization to delete
 :type kustomization_name: string
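Review bot: The new docstring line in delete_kustomization misspells "Kustomizartion"; it should read `trigger deletion of other elements generated by the Kustomization. See`. The rewrite also drops the explicit "PVCs (user data!)" warning that the removed lines carried; since this function is the one that actually issues the delete, keeping a sentence such as `With pruning enabled this includes the app's PVCs, i.e. user data.` next to the App.uninstall() pointer would keep the data-loss consequence visible where the call is made. In the uninstall_app hunk, the `return` kept after `current_app.logger.info("Success.")` is the last statement of the function and can be dropped.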