summaryrefslogtreecommitdiffstats
path: root/k8s/k8sclient/k8sclient.py
diff options
context:
space:
mode:
authorJack Lucas <jflucas@research.att.com>2018-09-10 12:14:29 +0000
committerJack Lucas <jflucas@research.att.com>2018-09-10 12:50:51 +0000
commit6292de70ae19c84c01d12562c0e6682918fe30f8 (patch)
tree9546d23f7584f6f7bcda8f7cbce1e9ebde640a17 /k8s/k8sclient/k8sclient.py
parentdcee205400592c9d629a5b059820dd402e994869 (diff)
Add support for TLS init container
Change-Id: I118af2c8a0294ffc89e045f8cdae24dfb7e57ab6 Issue-ID: DCAEGEN2-591 Signed-off-by: Jack Lucas <jflucas@research.att.com>
Diffstat (limited to 'k8s/k8sclient/k8sclient.py')
-rw-r--r--k8s/k8sclient/k8sclient.py38
1 files changed, 31 insertions, 7 deletions
diff --git a/k8s/k8sclient/k8sclient.py b/k8s/k8sclient/k8sclient.py
index 1c30534..eff51a3 100644
--- a/k8s/k8sclient/k8sclient.py
+++ b/k8s/k8sclient/k8sclient.py
@@ -84,7 +84,7 @@ def _parse_interval(t):
raise ValueError("Bad interval specification: {0}".format(t))
return time
-def _create_probe(hc, port):
+def _create_probe(hc, port, use_tls=False):
''' Create a Kubernetes probe based on info in the health check dictionary hc '''
probe_type = hc['type']
probe = None
@@ -99,7 +99,7 @@ def _create_probe(hc, port):
http_get = client.V1HTTPGetAction(
path = hc['endpoint'],
port = port,
- scheme = probe_type.upper()
+ scheme = 'HTTPS' if use_tls else probe_type.upper()
)
)
elif probe_type in ['script', 'docker']:
@@ -114,7 +114,7 @@ def _create_probe(hc, port):
)
return probe
-def _create_container_object(name, image, always_pull, env={}, container_ports=[], volume_mounts = [], readiness = None):
+def _create_container_object(name, image, always_pull, use_tls=False, env={}, container_ports=[], volume_mounts = [], readiness = None):
# Set up environment variables
# Copy any passed in environment variables
env_vars = [client.V1EnvVar(name=k, value=env[k]) for k in env.keys()]
@@ -130,7 +130,7 @@ def _create_container_object(name, image, always_pull, env={}, container_ports=[
hc_port = None
if len(container_ports) > 0:
hc_port = container_ports[0]
- probe = _create_probe(readiness, hc_port)
+ probe = _create_probe(readiness, hc_port, use_tls)
# Define container for pod
return client.V1Container(
@@ -145,6 +145,7 @@ def _create_container_object(name, image, always_pull, env={}, container_ports=[
def _create_deployment_object(component_name,
containers,
+ init_containers,
replicas,
volumes,
labels={},
@@ -166,6 +167,7 @@ def _create_deployment_object(component_name,
metadata=client.V1ObjectMeta(labels=labels),
spec=client.V1PodSpec(hostname=component_name,
containers=containers,
+ init_containers=init_containers,
volumes=volumes,
image_pull_secrets=ips)
)
@@ -333,6 +335,9 @@ def deploy(namespace, component_name, image, replicas, always_pull, k8sconfig, *
"config_subpath" : subpath for config data in filebeat container
"config_map" : ConfigMap holding the filebeat configuration
"image": Docker image to use for filebeat
+ - tls: a dictionary of TLS init container parameters:
+ "cert_path": mount point for certificate volume in init container
+ "image": Docker image to use for TLS init container
kwargs may have:
- volumes: array of volume objects, where a volume object is:
{"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw_or_ro"}
@@ -341,6 +346,8 @@ def deploy(namespace, component_name, image, replicas, always_pull, k8sconfig, *
- msb_list: array of msb objects, where an msb object is as described in msb/msb.py.
- log_info: an object with info for setting up ELK logging, with the form:
{"log_directory": "/path/to/container/log/directory", "alternate_fb_path" : "/alternate/sidecar/log/path"}
+ - tls_info: an object with info for setting up TLS (HTTPS), with the form:
+ {"use_tls": true, "cert_directory": "/path/to/container/cert/directory" }
- labels: dict with label-name/label-value pairs, e.g. {"cfydeployment" : "lsdfkladflksdfsjkl", "cfynode":"mycomponent"}
These label will be set on all the pods deployed as a result of this deploy() invocation.
- readiness: dict with health check info; if present, used to create a readiness probe for the main container. Includes:
@@ -375,6 +382,7 @@ def deploy(namespace, component_name, image, replicas, always_pull, k8sconfig, *
# Initialize the list of containers that will be part of the pod
containers = []
+ init_containers = []
# Set up the ELK logging sidecar container, if needed
log_info = kwargs.get("log_info")
@@ -395,7 +403,7 @@ def deploy(namespace, component_name, image, replicas, always_pull, k8sconfig, *
sidecar_volume_mounts.append(client.V1VolumeMount(name="filebeat-data", mount_path=fb["data_path"]))
# Create the container for the sidecar
- containers.append(_create_container_object("filebeat", fb["image"], False, {}, [], sidecar_volume_mounts))
+ containers.append(_create_container_object("filebeat", fb["image"], False, False, {}, [], sidecar_volume_mounts))
# Create the volume for the sidecar configuration data and the volume mount for it
# The configuration data is in a k8s ConfigMap that should be created when DCAE is installed.
@@ -404,14 +412,30 @@ def deploy(namespace, component_name, image, replicas, always_pull, k8sconfig, *
sidecar_volume_mounts.append(
client.V1VolumeMount(name="filebeat-conf", mount_path=fb["config_path"], sub_path=fb["config_subpath"]))
+ # Set up the TLS init container, if needed
+ tls_info = kwargs.get("tls_info")
+ use_tls = False
+ if tls_info and "use_tls" in tls_info and tls_info["use_tls"]:
+ if "cert_directory" in tls_info and len(tls_info["cert_directory"]) > 0:
+ use_tls = True
+ tls_config = k8sconfig["tls"]
+
+ # Create the certificate volume and volume mounts
+ volumes.append(client.V1Volume(name="tls-info", empty_dir=client.V1EmptyDirVolumeSource()))
+ volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=tls_info["cert_directory"]))
+ init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_config["cert_path"])]
+
+ # Create the init container
+ init_containers.append(_create_container_object("init-tls", tls_config["image"], False, False, {}, [], init_volume_mounts))
+
# Create the container for the component
# Make it the first container in the pod
- containers.insert(0, _create_container_object(component_name, image, always_pull, kwargs.get("env", {}), container_ports, volume_mounts, kwargs["readiness"]))
+ containers.insert(0, _create_container_object(component_name, image, always_pull, use_tls, kwargs.get("env", {}), container_ports, volume_mounts, kwargs["readiness"]))
# Build the k8s Deployment object
labels = kwargs.get("labels", {})
labels.update({"app": component_name})
- dep = _create_deployment_object(component_name, containers, replicas, volumes, labels, pull_secrets=k8sconfig["image_pull_secrets"])
+ dep = _create_deployment_object(component_name, containers, init_containers, replicas, volumes, labels, pull_secrets=k8sconfig["image_pull_secrets"])
# Have k8s deploy it
ext.create_namespaced_deployment(namespace, dep)