def _get_api(cluster):
""" Get custom objects api associated with a cluster specifier.
"""
if cluster is None:
load_incluster_config()
api = CustomObjectsApi()
elif cluster == 'remote_transcode':
host = os.getenv('REMOTE_TRANSCODE_HOST')
port = os.getenv('REMOTE_TRANSCODE_PORT')
token = os.getenv('REMOTE_TRANSCODE_TOKEN')
cert = os.getenv('REMOTE_TRANSCODE_CERT')
conf = Configuration()
conf.api_key['authorization'] = token
conf.host = f'https://{host}:{port}'
conf.verify_ssl = True
conf.ssl_ca_cert = cert
api_client = ApiClient(conf)
api = CustomObjectsApi(api_client)
else:
cluster_obj = JobCluster.objects.get(pk=cluster)
host = cluster_obj.host
port = cluster_obj.port
token = cluster_obj.token
fd, cert = tempfile.mkstemp(text=True)
with open(fd, 'w') as f:
f.write(cluster_obj.cert)
conf = Configuration()
conf.api_key['authorization'] = token
conf.host = f'https://{host}:{port}'
conf.verify_ssl = True
conf.ssl_ca_cert = cert
api_client = ApiClient(conf)
api = CustomObjectsApi(api_client)
return api
def connect():
config_file = None
if os.environ.get('RD_CONFIG_ENV') == 'incluster':
config.load_incluster_config()
return
if os.environ.get('RD_CONFIG_CONFIG_FILE'):
config_file = os.environ.get('RD_CONFIG_CONFIG_FILE')
url = None
if os.environ.get('RD_CONFIG_URL'):
url = os.environ.get('RD_CONFIG_URL')
verify_ssl = None
if os.environ.get('RD_CONFIG_VERIFY_SSL'):
verify_ssl = os.environ.get('RD_CONFIG_VERIFY_SSL')
ssl_ca_cert = None
if os.environ.get('RD_CONFIG_SSL_CA_CERT'):
ssl_ca_cert = os.environ.get('RD_CONFIG_SSL_CA_CERT')
token = None
if os.environ.get('RD_CONFIG_TOKEN'):
token = os.environ.get('RD_CONFIG_TOKEN')
log.debug("config file")
log.debug(config_file)
log.debug("-------------------")
if config_file:
log.debug("getting settings from file %s" % config_file)
config.load_kube_config(config_file=config_file)
else:
if url:
log.debug("getting settings from pluing configuration")
configuration = Configuration()
configuration.host = url
if verify_ssl == 'true':
configuration.verify_ssl = verify_ssl
else:
configuration.verify_ssl = None
if ssl_ca_cert:
configuration.ssl_ca_cert = ssl_ca_cert
configuration.api_key['authorization'] = token
configuration.api_key_prefix['authorization'] = 'Bearer'
client.Configuration.set_default(configuration)
else:
log.debug("getting from default config file")
config.load_kube_config()
c = Configuration()
c.assert_hostname = False
Configuration.set_default(c)
def connect():
config_file = None
if os.environ.get('RD_CONFIG_ENV') == 'incluster':
config.load_incluster_config()
return
if os.environ.get('RD_CONFIG_CONFIG_FILE'):
config_file = os.environ.get('RD_CONFIG_CONFIG_FILE')
elif os.environ.get('RD_NODE_KUBERNETES_CONFIG_FILE'):
config_file = os.environ.get('RD_NODE_KUBERNETES_CONFIG_FILE')
verify_ssl = os.environ.get('RD_CONFIG_VERIFY_SSL')
ssl_ca_cert = os.environ.get('RD_CONFIG_SSL_CA_CERT')
url = os.environ.get('RD_CONFIG_URL')
token = os.environ.get('RD_CONFIG_TOKEN')
if not token:
token = os.environ.get('RD_CONFIG_TOKEN_STORAGE_PATH')
log.debug("config file")
log.debug(config_file)
log.debug("-------------------")
if config_file:
log.debug("getting settings from file %s", config_file)
config.load_kube_config(config_file=config_file)
else:
if url and token:
log.debug("getting settings from plugin configuration")
configuration = Configuration()
configuration.host = url
if verify_ssl == 'true':
configuration.verify_ssl = verify_ssl
else:
configuration.verify_ssl = None
configuration.assert_hostname = False
if ssl_ca_cert:
configuration.ssl_ca_cert = ssl_ca_cert
configuration.api_key['authorization'] = token
configuration.api_key_prefix['authorization'] = 'Bearer'
client.Configuration.set_default(configuration)
else:
log.debug(
"Either URL or Token is not defined. Fall back to getting settings from default config file [$home/.kube/config]"
)
config.load_kube_config()
def __configure_by_params(self):
""" Return API client from configuration file """
auth_args = AUTH_ARG_SPEC.keys()
core_configuration = Configuration()
for key, value in iteritems(self.params):
if key in auth_args and value is not None:
if key == 'api_key':
setattr(
sdk.configuration,
key, {'authorization': "Bearer {0}".format(value)})
setattr(
core_configuration,
key, {'authorization': "Bearer {0}".format(value)})
else:
setattr(sdk.configuration, key, value)
setattr(core_configuration, key, value)
if not self.params.get('verify_ssl'):
sdk.configuration.verify_ssl = False
core_configuration.verify_ssl = False
kube_config.load_kube_config(client_configuration=sdk.configuration)
Configuration.set_default(core_configuration)
return sdk.DefaultApi(), core_client.CoreV1Api()
def _load_kube_config(self):
config.load_kube_config('/etc/kubernetes/admin.conf')
# Workaround: Turn off SSL/TLS verification
c = Configuration()
c.verify_ssl = False
Configuration.set_default(c)
def build_client(self):
configuration = Configuration()
configuration.api_key['authorization'] = "Bearer {}".format(self.auth_info['K8S-Token'])
configuration.host = self.auth_info['K8S-Endpoint']
configuration.verify_ssl = self._verify_ssl
api_client = ApiClient(configuration)
return K8sClient(api_client)
def _disable_verify_ssl() -> None:
if hasattr(Configuration, 'get_default_copy'):
configuration = Configuration.get_default_copy()
else:
configuration = Configuration()
configuration.verify_ssl = False
Configuration.set_default(configuration)
def __init__(self, alg):
""" Intializes the connection. If algorithm object includes
a remote cluster, use that. Otherwise, use this cluster.
"""
if alg.cluster:
host = alg.cluster.host
port = alg.cluster.port
token = alg.cluster.token
fd, cert = tempfile.mkstemp(text=True)
with open(fd, 'w') as f:
f.write(alg.cluster.cert)
conf = Configuration()
conf.api_key['authorization'] = token
conf.host = f'{PROTO}{host}:{port}'
conf.verify_ssl = True
conf.ssl_ca_cert = cert
api_client = ApiClient(conf)
self.corev1 = CoreV1Api(api_client)
self.custom = CustomObjectsApi(api_client)
else:
load_incluster_config()
self.corev1 = CoreV1Api()
self.custom = CustomObjectsApi()
# Read in the manifest.
if alg.manifest:
self.manifest = yaml.safe_load(alg.manifest.open(mode='r'))
# Save off the algorithm.
self.alg = alg
def __init__(self):
""" Intializes the connection. If environment variables for
remote transcode are defined, connect to that cluster.
"""
host = os.getenv('REMOTE_TRANSCODE_HOST')
port = os.getenv('REMOTE_TRANSCODE_PORT')
token = os.getenv('REMOTE_TRANSCODE_TOKEN')
cert = os.getenv('REMOTE_TRANSCODE_CERT')
self.remote = host is not None
if self.remote:
conf = Configuration()
conf.api_key['authorization'] = token
conf.host = f'https://{host}:{port}'
conf.verify_ssl = True
conf.ssl_ca_cert = cert
api_client = ApiClient(conf)
self.corev1 = CoreV1Api(api_client)
self.custom = CustomObjectsApi(api_client)
else:
load_incluster_config()
self.corev1 = CoreV1Api()
self.custom = CustomObjectsApi()
self.setup_common_steps()
def _refresh_oidc(self, provider):
config = Configuration()
if 'idp-certificate-authority-data' in provider['config']:
ca_cert = tempfile.NamedTemporaryFile(delete=True)
if PY3:
cert = base64.b64decode(
provider['config']['idp-certificate-authority-data']
).decode('utf-8')
else:
cert = base64.b64decode(
provider['config']['idp-certificate-authority-data'] + "=="
)
with open(ca_cert.name, 'w') as fh:
fh.write(cert)
config.ssl_ca_cert = ca_cert.name
else:
config.verify_ssl = False
client = ApiClient(configuration=config)
response = client.request(
method="GET",
url="%s/.well-known/openid-configuration"
% provider['config']['idp-issuer-url']
)
if response.status != 200:
return
response = json.loads(response.data)
request = OAuth2Session(
client_id=provider['config']['client-id'],
token=provider['config']['refresh-token'],
auto_refresh_kwargs={
'client_id': provider['config']['client-id'],
'client_secret': provider['config']['client-secret']
},
auto_refresh_url=response['token_endpoint']
)
try:
refresh = request.refresh_token(
token_url=response['token_endpoint'],
refresh_token=provider['config']['refresh-token'],
auth=(provider['config']['client-id'],
provider['config']['client-secret']),
verify=config.ssl_ca_cert if config.verify_ssl else None
)
except oauthlib.oauth2.rfc6749.errors.InvalidClientIdError:
return
provider['config'].value['id-token'] = refresh['id_token']
provider['config'].value['refresh-token'] = refresh['refresh_token']
def client(self):
configuration = Configuration()
configuration.api_key['authorization'] = "Bearer {}".format(
self.headers['K8S-Token'])
configuration.host = self.headers['K8S-Endpoint']
configuration.verify_ssl = self._verify_ssl
api_client = ApiClient(configuration)
return CoreV1Api(api_client)
def get_api_client(self):
configuration = Configuration()
configuration.verify_ssl = False
configuration.host = self.cluster.api
configuration.api_key['authorization'] = self.cluster.token
configuration.api_key_prefix['authorization'] = 'Bearer'
api_client = ApiClient(configuration)
return api_client
def connect(params):
'''return CustomObjectsApi object after parsing user options.'''
config.load_kube_config()
cfg = Configuration()
if params.get("insecure"):
cfg.verify_ssl = False
api_client = client.ApiClient(configuration=cfg)
return client.CustomObjectsApi(api_client=api_client)
def set_config(self):
configuration = Configuration()
configuration.api_key["authorization"] = self.get_access_token()
configuration.api_key_prefix["authorization"] = "Bearer"
configuration.host = os.environ.get("GKE_MASTER_SERVER")
configuration.verify_ssl = False
configuration.assert_hostname = False
Configuration.set_default(configuration)
def init_k8s_client(kube_context: str) -> client.CoreV1Api:
env = os.environ
if kube_context:
# config.load_kube_config()
config.load_kube_config(kube_context)
configuration = Configuration()
configuration.verify_ssl = bool(
strtobool((env.get("KUBERNETES_VERIFY_SSL", "false"))))
api_client = client.ApiClient(configuration)
return client.CoreV1Api(api_client)
elif env.get("CHAOSTOOLKIT_IN_POD") == "true":
config.load_incluster_config()
proxy_url = os.getenv('HTTP_PROXY', None)
if proxy_url:
configuration = Configuration()
configuration.proxy = proxy_url
api_client = client.ApiClient(configuration)
return client.CoreV1Api(api_client)
else:
api = client.ApiClient()
return client.CoreV1Api(api)
else:
configuration = client.Configuration()
configuration.debug = True
configuration.host = os.environ.get("KUBERNETES_HOST",
"http://localhost")
configuration.verify_ssl = bool(
strtobool((env.get("KUBERNETES_VERIFY_SSL", "false"))))
configuration.cert_file = os.environ.get("KUBERNETES_CA_CERT_FILE")
if "KUBERNETES_CERT_FILE" in env:
configuration.cert_file = os.environ.get(
"KUBERNETES_CERT_FILE")
configuration.key_file = os.environ.get("KUBERNETES_KEY_FILE")
elif "KUBERNETES_USERNAME" in env:
configuration.username = os.environ.get("KUBERNETES_USERNAME")
configuration.password = os.environ.get(
"KUBERNETES_PASSWORD", "")
proxy_url = os.getenv('HTTP_PROXY', None)
if proxy_url:
configuration.proxy = proxy_url
api = client.ApiClient(configuration)
return client.CoreV1Api(api)
def get_rest_client(self):
configuration = Configuration()
configuration.verify_ssl = False
configuration.host = self.cluster.api
configuration.api_key['authorization'] = self.cluster.token
configuration.api_key_prefix['authorization'] = 'Bearer'
rest_client = RESTClientObject(configuration)
return rest_client
def _load_kube_config(self):
if not is_k8s_configured():
raise exception.KubeNotConfigured()
config.load_kube_config(KUBERNETES_ADMIN_CONF)
# Workaround: Turn off SSL/TLS verification
c = Configuration()
c.verify_ssl = False
Configuration.set_default(c)
def __create_core_client(self, config_file, verify_ssl, context):
configuration = Configuration()
configuration.verify_ssl = verify_ssl
Configuration.set_default(configuration)
kube_config.load_kube_config(config_file=config_file)
if context:
return core_client.CoreV1Api(
api_client=config.new_client_from_config(context=context))
return core_client.CoreV1Api()
def _get_kubernetesclient(self):
if not self._kube_client:
config.load_kube_config('/etc/kubernetes/admin.conf')
# Workaround: Turn off SSL/TLS verification
c = Configuration()
c.verify_ssl = False
Configuration.set_default(c)
self._kube_client = client.CoreV1Api()
return self._kube_client
def __init__(self, ctx=None, cfg=None):
cfg = cfg or os.environ.get("KUBECONFIG")
if cfg:
k8s_client = config.new_client_from_config(cfg)
else:
config.load_incluster_config() # makes a singleton config behind the scenes
k8cfg = Configuration() # gets a copy from what was populated in the line above
# NOTE this is required due to https://github.com/openshift/origin/issues/22125
k8cfg.verify_ssl = False
k8s_client = ApiClient(configuration=k8cfg) # this should use the singleton produced above
self.k8s = DynamicClient(k8s_client) # stole this from config.new_client_from_config
def get_config(cluster):
'''
:param cluster: k8s集群的配置对象
:return: 返回一个config对象
'''
configuration = Configuration()
configuration.verify_ssl = False
configuration.host = cluster.api
configuration.api_key['authorization'] = cluster.token
configuration.api_key_prefix['authorization'] = 'Bearer'
return configuration
def _load_kube_config(self):
config.load_kube_config(KUBELET_CONF)
# WORKAROUND: Turn off SSL/TLS verification
if SSL_TLS_SUPPRESS:
# Suppress the "InsecureRequestWarning: Unverified HTTPS request"
# seen with each kubelet client API call.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
c = Configuration()
c.verify_ssl = False
Configuration.set_default(c)
def __init__(self, websocket, **kwargs):
self.websocket = websocket
self.cols = int(kwargs.get('cols', 80))
self.rows = int(kwargs.get('rows', 24))
self.need_auth = bool(kwargs.get('need_auth', True))
self.auth_ok = not self.need_auth
conf = Configuration()
conf.host = KUBERNETES_API_SERVER_URL
conf.verify_ssl = False
conf.api_key = {"authorization": "Bearer " + KUBERNETES_CLUSTER_TOKEN}
self.api_client = core_v1_api.CoreV1Api(ApiClient(conf))
self.api_response = None
def main():
logger = create_logger(PurePath(__file__).stem)
config.load_incluster_config()
configuration = Configuration()
configuration.verify_ssl = False
configuration.assert_hostname = False
urllib3.disable_warnings()
Configuration.set_default(configuration)
api = core_v1_api.CoreV1Api()
label_selector = getenv('LABEL_SELECTOR', 'role=greyhole')
namespace = getenv('NAMESPACE', 'storage')
command_switch = getenv('COMMAND_SWITCH', '')
k8s_response = api.list_namespaced_pod(namespace=namespace,
label_selector=label_selector)
logger.info(f'ENV Commands {label_selector} {namespace} {command_switch}')
logger.debug(f'{k8s_response}')
for pod in k8s_response.items:
name = pod.metadata.name
k8s_response = api.read_namespaced_pod(name=name, namespace=namespace)
exec_command = ['/bin/sh', '-c']
if command_switch.lower() == 'monthly':
exec_command.append('greyhole --fsck --checksums')
elif command_switch.lower() == 'weekly':
exec_command.append(
'greyhole --fsck --dont-walk-metadata-store --disk-usage-report'
)
elif command_switch.lower() == 'daily':
exec_command.append(
'greyhole --fsck --if-conf-changed --dont-walk-metadata-store')
else:
exec_command.append('greyhole --process-spool --keepalive')
k8s_response = stream(api.connect_get_namespaced_pod_exec,
name,
namespace,
command=exec_command,
stderr=True,
stdin=False,
stdout=True,
tty=False)
logger.info(f'Cleanup {name}: {k8s_response}')
logger.info(f'Successfully executed cron job')
def setup_collector():
kube_config = Configuration()
kube_config.host = "https://localhost:3000"
kube_config.verify_ssl = False
dyn_client = DynamicClient(ApiClient(configuration=kube_config))
username = "******"
token = "gittoken"
git_api = "localhost:3000"
namespaces = (
"basic-nginx-build,basic-nginx-dev,basic-nginx-stage,basic-nginx-prod".
split(","))
apps = None
tls_verify = False
return GitHubCommitCollector(dyn_client, username, token, namespaces, apps,
git_api, tls_verify)
def start_watch(self, on_success, on_error):
config.load_kube_config(KUBE_CONFIG_PATH)
c = Configuration()
c.verify_ssl = True
Configuration.set_default(c)
ccApi = client.CoreV1Api()
w = watch.Watch()
LOG.info('Monitor secrets in %s' % self.namespace)
for item in w.stream(ccApi.list_namespaced_secret, namespace=self.namespace):
event_data = CertUpdateEventData(item)
for listener in self.listeners:
update_event = CertUpdateEvent(listener, event_data)
try:
if listener.notify_changed(event_data):
on_success(update_event.get_id())
except Exception as e:
LOG.error('Monitoring action %s failed. %s' % (event_data, e))
if not isinstance(e, URLError):
LOG.exception(e)
on_error(update_event)
def __init__(self, alg):
""" Intializes the connection. If algorithm object includes
a remote cluster, use that. Otherwise, use this cluster.
"""
if alg.cluster:
host = alg.cluster.host
port = alg.cluster.port
token = alg.cluster.token
fd, cert = tempfile.mkstemp(text=True)
with open(fd, 'w') as f:
f.write(alg.cluster.cert)
conf = Configuration()
conf.api_key['authorization'] = token
conf.host = f'{PROTO}{host}:{port}'
conf.verify_ssl = True
conf.ssl_ca_cert = cert
api_client = ApiClient(conf)
self.corev1 = CoreV1Api(api_client)
self.custom = CustomObjectsApi(api_client)
else:
load_incluster_config()
self.corev1 = CoreV1Api()
self.custom = CustomObjectsApi()
# Read in the manifest.
if alg.manifest:
self.manifest = yaml.safe_load(alg.manifest.open(mode='r'))
if 'volumeClaimTemplates' in self.manifest['spec']:
for claim in self.manifest['spec']['volumeClaimTemplates']:
storage_class_name = claim['spec'].get(
'storageClassName', None)
if storage_class_name is None:
claim['storageClassName'] = os.getenv(
'WORKFLOW_STORAGE_CLASS')
logger.warning(
f"Implicitly sc to pvc of Algo:{alg.pk}")
# Save off the algorithm.
self.alg = alg
def load_kubernetes_config():
"""
dynamic load config file
:return:
"""
# use kube config default location while there are no ENVIRONMENTS about kubernetes config
try:
if KUBE_HOST is not None:
from kubernetes.client import Configuration
configuration = Configuration()
configuration.host = KUBE_HOST
configuration.verify_ssl = False
Configuration.set_default(configuration)
return
config.load_kube_config()
if KUBE_CONFIG_FILE is not None:
config.load_kube_config(KUBE_CONFIG_FILE)
except FileNotFoundError as e:
raise Exception(str(e), 500)
def get_kubernetes_api_client():
conf = Configuration()
conf.host = KUBERNETES_API_SERVER_URL
conf.verify_ssl = False
conf.api_key = {"authorization": "Bearer " + KUBERNETES_CLUSTER_TOKEN}
return ApiClient(conf)
def _disable_verify_ssl() -> None:
configuration = Configuration()
configuration.verify_ssl = False
Configuration.set_default(configuration)
