def recreate_secret(self, event_data): """ It is a workaround, delete the secret for cert-manager to recreate it with new private key """ kube_op = sys_kube.KubeOperator() kube_op.kube_delete_secret(event_data.secret_name, self.context.kubernete_namespace) LOG.info('Recreate secret %s:%s' % (self.context.kubernete_namespace, event_data.secret_name))
def verify_adminep_cert_chain(): """ Verify admin endpoint certificate chain & delete if invalid :param context: an admin context. :return: True/False if chain is valid """ """ * Retrieve ICA & AdminEP cert secrets from k8s * base64 decode ICA cert (tls.crt from SC_INTERMEDIATE_CA_SECRET_NAME) * & adminep (tls.crt from SC_ADMIN_ENDPOINT_SECRET_NAME) * & store the crts in tempfiles * Run openssl verify against RootCA to verify the chain """ kube_op = sys_kube.KubeOperator() secret_ica = kube_op.kube_get_secret(constants.SC_INTERMEDIATE_CA_SECRET_NAME, CERT_NAMESPACE_SUBCLOUD_CONTROLLER) if 'tls.crt' not in secret_ica.data: raise Exception('%s tls.crt (ICA) data missing' % (constants.SC_INTERMEDIATE_CA_SECRET_NAME)) secret_adminep = kube_op.kube_get_secret(constants.SC_ADMIN_ENDPOINT_SECRET_NAME, CERT_NAMESPACE_SUBCLOUD_CONTROLLER) if 'tls.crt' not in secret_adminep.data: raise Exception('%s tls.crt data missing' % (constants.SC_ADMIN_ENDPOINT_SECRET_NAME)) txt_ca_crt = base64.b64decode(secret_ica.data['tls.crt']) txt_tls_crt = base64.b64decode(secret_adminep.data['tls.crt']) with tempfile.NamedTemporaryFile() as ca_tmpfile: ca_tmpfile.write(txt_ca_crt) ca_tmpfile.flush() with tempfile.NamedTemporaryFile() as adminep_tmpfile: adminep_tmpfile.write(txt_tls_crt) adminep_tmpfile.flush() cmd = ['openssl', 'verify', '-CAfile', constants.DC_ROOT_CA_CERT_PATH, '-untrusted', ca_tmpfile.name, adminep_tmpfile.name] proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout, stderr = proc.communicate() proc.wait() if 0 == proc.returncode: LOG.info('verify_adminep_cert_chain passed. Valid chain') return True else: LOG.info('verify_adminep_cert_chain: Chain is invalid\n%s\n%s' % (stdout, stderr)) res = kube_op.kube_delete_secret(constants.SC_ADMIN_ENDPOINT_SECRET_NAME, CERT_NAMESPACE_SUBCLOUD_CONTROLLER) LOG.info('Deleting AdminEP secret due to invalid chain. %s:%s, result %s, msg %s' % (CERT_NAMESPACE_SUBCLOUD_CONTROLLER, constants.SC_ADMIN_ENDPOINT_SECRET_NAME, res.status, res.message)) return False
def _get_rook_ceph_admin_keyring(self): try: kube = kubernetes.KubeOperator() keyring = kube.kube_get_secret(constants.K8S_RBD_PROV_ADMIN_SECRET_NAME, common.HELM_NS_STORAGE_PROVISIONER) return keyring.data['key'].decode('base64', 'strict') except Exception: pass return 'null'
def setUp(self): super(TestKubeOperator, self).setUp() self.setup_result() self.list_namespaced_pod_result = None def mock_is_k8s_configured(): return True self.mocked_is_k8s_configured = mock.patch( 'sysinv.common.kubernetes.is_k8s_configured', mock_is_k8s_configured) self.mocked_is_k8s_configured.start() def mock_list_namespaced_pod(obj, namespace, field_selector=""): pod_name = field_selector.split('metadata.name=', 1)[1] return self.list_namespaced_pod_result[pod_name] self.mocked_list_namespaced_pod = mock.patch( 'kubernetes.client.CoreV1Api.list_namespaced_pod', mock_list_namespaced_pod) self.mocked_list_namespaced_pod.start() self.list_pod_for_all_namespaces_result = None def mock_list_pod_for_all_namespaces(obj, label_selector=""): return self.list_pod_for_all_namespaces_result self.mocked_list_pod_for_all_namespaces = mock.patch( 'kubernetes.client.CoreV1Api.list_pod_for_all_namespaces', mock_list_pod_for_all_namespaces) self.mocked_list_pod_for_all_namespaces.start() self.list_node_result = None def mock_list_node(obj, label_selector=""): return self.list_node_result self.mocked_list_node = mock.patch( 'kubernetes.client.CoreV1Api.list_node', mock_list_node) self.mocked_list_node.start() self.read_namespaced_config_map_result = None def mock_read_namespaced_config_map(obj, configmap, namespace): return self.read_namespaced_config_map_result self.mocked_read_namespaced_config_map = mock.patch( 'kubernetes.client.CoreV1Api.read_namespaced_config_map', mock_read_namespaced_config_map) self.mocked_read_namespaced_config_map.start() self.kube_operator = kube.KubeOperator()
def _is_rook_ceph(self): try: # check function getLabels in rook/pkg/operator/ceph/cluster/mon/spec.go # rook will assign label "mon_cluster=kube-system" to monitor pods label = "mon_cluster=" + common.HELM_NS_STORAGE_PROVISIONER kube = kubernetes.KubeOperator() pods = kube.kube_get_pods_by_selector(common.HELM_NS_STORAGE_PROVISIONER, label, "") if len(pods) > 0: return True except Exception: pass return False
def _get_active_kubernetes_version(): """Get the active kubernetes version """ # During a platform upgrade, the version is still None # when N+1 controller-1 is creating hieradata. # The version is updated from the running kubernetes version. config = {} kube_operator = kubernetes.KubeOperator() kube_version = kube_operator.kube_get_kubernetes_version() config.update({ 'platform::kubernetes::params::version': kube_version, }) return config
def recreate_secrets(self): kube_op = sys_kube.KubeOperator() secret_list = self.secrets_to_recreate[:] for secret in secret_list: try: LOG.info('Recreate %s:%s' % (utils.CERT_NAMESPACE_SYS_CONTROLLER, secret)) kube_op.kube_delete_secret(secret, utils.CERT_NAMESPACE_SYS_CONTROLLER) except Exception as e: LOG.error('Deleting secret %s:%s. Error %s' % (utils.CERT_NAMESPACE_SYS_CONTROLLER, secret, e)) else: self.secrets_to_recreate.remove(secret) if len(self.secrets_to_recreate) > 0: # raise exception to keep reattempting raise Exception('Some secrets were not recreated successfully')
def get_subcloud_secrets(): """get subcloud name and ICA secret name pairs from k8s secret Every subcloud comes with an ICA entry in k8s secret :return: dict of subcloud name and ICA secret name pairs """ secret_pattern = re.compile('-adminep-ca-certificate$') kube_op = sys_kube.KubeOperator() secret_list = kube_op.kube_list_secret(ENDPOINT_TYPE_DC_CERT) dict = {} for secret in secret_list: secret_name = secret.metadata.name m = secret_pattern.search(secret_name) if m: start = m.start() if start > 0: dict.update({secret_name[0:m.start()]: secret_name}) return dict
def _get_kubernetes_rootca_cert_key(): """"Get kubernetes root CA certficate secret from cert-manager""" try: kube_operator = kubernetes.KubeOperator() secret = kube_operator.kube_get_secret(KUBE_ROOTCA_CERT_SECRET, KUBE_ROOTCA_CERT_NS) # The root CA cert/key are not stored in kubernetes yet if not secret: return 'undef', 'undef' if hasattr(secret, 'data') and secret.data: cert = secret.data.get('tls.crt', None) key = secret.data.get('tls.key', None) if cert and key: return cert, key raise Exception('Failed to get secret %s\\%s' % (KUBE_ROOTCA_CERT_NS, KUBE_ROOTCA_CERT_SECRET)) except exception.KubeNotConfigured: # During ansible bootstrap, kubernetes is not configured. # Set the cert and key to 'undef' return 'undef', 'undef'
def __init__(self, dbapi): self._dbapi = dbapi self._ceph = ceph.CephApiOperator() self._kube_operator = kubernetes.KubeOperator()
def __init__(self): self._api_token = None self._kube_op = sys_kube.KubeOperator()
def __init__(self, *args, **kwargs): super(KubernetesPuppet, self).__init__(*args, **kwargs) self._kube_operator = kubernetes.KubeOperator()
def __init__(self): self._kube_operator = kubernetes.KubeOperator()
def __init__(self): self._bm_region = None self._kube_op = sys_kube.KubeOperator()
def __init__(self, parent=None, **kwargs): self._parent = parent self._kube_operator = kubernetes.KubeOperator()
def post(self, host_uuid, body): """Update the kubernetes root CA certificate on this host""" # Check cluster update status try: update = pecan.request.dbapi.kube_rootca_update_get_one() except exception.NotFound: raise wsme.exc.ClientSideError( _("kube-rootca-host-update rejected: No update in progress.")) # Check if the new root CA cert secret exists, in case the secret # is deleted unexpectly. kube_operator = kubernetes.KubeOperator() try: cert_secret = kube_operator.kube_get_secret( constants.KUBE_ROOTCA_SECRET, kubernetes.NAMESPACE_DEPLOYMENT, ) except Exception: raise wsme.exc.ClientSideError( _("kube-rootca-host-update rejected: failed to get new root CA " "cert secret from kubernetes.")) if cert_secret is None: raise wsme.exc.ClientSideError( _("kube-rootca-host-update rejected: no new root CA cert found." )) ihost = pecan.request.dbapi.ihost_get(host_uuid) if body['phase'].lower() == constants.KUBE_CERT_UPDATE_TRUSTBOTHCAS: # kube root CA update on host phase trust-both-cas self._precheck_trustbothcas(update, ihost) update_state = kubernetes.KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS else: raise wsme.exc.ClientSideError( _("kube-rootca-host-update rejected: not supported phase.")) # Update the cluster update state c_values = dict() c_values['state'] = update_state c_update = pecan.request.dbapi.kube_rootca_update_get_one() pecan.request.dbapi.kube_rootca_update_update(c_update.id, c_values) # Create or update "update state" on this host h_values = dict() h_values['state'] = update_state h_values['effective_rootca_cert'] = c_update.from_rootca_cert h_values['target_rootca_cert'] = c_update.to_rootca_cert try: h_update = pecan.request.dbapi.kube_rootca_host_update_get_by_host( ihost.id) h_update = pecan.request.dbapi.kube_rootca_host_update_update( h_update.id, h_values) except exception.NotFound: h_update = pecan.request.dbapi.kube_rootca_host_update_create( ihost.id, h_values) phase = body['phase'].lower() if phase not in [ constants.KUBE_CERT_UPDATE_TRUSTBOTHCAS, constants.KUBE_CERT_UPDATE_UPDATECERTS, constants.KUBE_CERT_UPDATE_TRUSTNEWCA ]: raise exception.SysinvException( _("Invalid phase %s to update kube certificate." % phase)) # perform rpc to conductor to perform config apply pecan.request.rpcapi.kube_certificate_update_by_host( pecan.request.context, host_uuid, body['phase']) LOG.info("Kubernetes rootca update started on host: %s" % ihost.hostname) return KubeRootCAHostUpdate.convert_with_links(h_update)
def get_sc_intermediate_ca_secret(sc): secret_name = get_intermediate_ca_secret_name(sc) kube_op = sys_kube.KubeOperator() return kube_op.kube_get_secret(secret_name, CERT_NAMESPACE_SYS_CONTROLLER)
def __init__(self, dbapi): self._dbapi = dbapi self._kube_operator = kubernetes.KubeOperator()