def migrate(self, backupList: BackupList, manifestList: ManifestList,
**kwargs: Any) -> ManifestList:
ml = ManifestList()
for ba in backupList.backups(pluginName='secret'):
assert isinstance(ba, Backup)
metadata = V1ObjectMeta()
metadata.annotations = {}
clusterMeta = manifestList.clusterMeta()
if clusterMeta:
metadata.annotations = clusterMeta.annotations
logging.debug("Found backup {}".format(ba))
b = ba.data
fullPath = "/".join(filter(None, [b["path"], b["key"]]))
name = b["key"]
metadata.annotations[utils.namespace_path(
"secret-path")] = fullPath
metadata.name = utils.make_subdomain(name.split('/'))
sec = V1Secret(metadata=metadata)
sec.api_version = 'v1'
sec.kind = 'Secret'
# K8s requires secret values to be base64-encoded. The secret value
# is base64-encoded during backup so it can be passed as-is here.
sec.data = {utils.dnsify(name): b['value']}
manifest = Manifest(pluginName=self.plugin_name,
manifestName=utils.dnsify(fullPath))
manifest.append(sec)
ml.append(manifest)
return ml
def handleSecret(self, key: str, value: T.Dict[str, str],
full_path: str) -> None:
if not self.jobSecret:
assert self.object
name = self.dnsify("jobsecret." + str(self.object.get("id", "")))
metadata = K.V1ObjectMeta(name=name)
assert self.manifest_list
clusterMeta = self.manifest_list.clusterMeta()
if clusterMeta:
metadata.annotations = clusterMeta.annotations
self.jobSecret = K.V1Secret(metadata=metadata, data={})
self.jobSecret.api_version = 'v1'
self.jobSecret.kind = 'Secret'
self.manifest.append(self.jobSecret)
sourceSecretName = value.get("source", "")
if not sourceSecretName:
# logging.critical("{}.source missing", full_path)
return
source_key = utils.dnsify(sourceSecretName)
assert self.manifest_list
sourceSecret = self.manifest_list.manifest(pluginName='secret',
manifestName=source_key)
if not sourceSecret:
# logging.warning("secret {} missing", source_key)
self.jobSecret.data[key] = "{} not found".format(source_key)
return
[v] = sourceSecret[0].data.values()
self.jobSecret.data[key] = v
def dnsify(self, name: str) -> str:
new_name = utils.dnsify(name)
if not name == new_name:
logging.info(
f'"{name}" is not a valid name in kubernetes. converted it to "{new_name}".'
)
return new_name
def _create_remapped_secret(
manifest_list: Optional[ManifestList],
remapping: SecretRemapping,
app_id: str,
) -> Optional[V1Secret]:
if not remapping.key_mapping:
return None
assert manifest_list is not None
clusterMeta: Optional[V1ObjectMeta] = manifest_list.clusterMeta()
metadata = V1ObjectMeta(annotations={})
if clusterMeta is not None:
metadata.annotations = clusterMeta.annotations
metadata.annotations[utils.namespace_path("marathon-appid")] = app_id
metadata.name = utils.dnsify(remapping.dest_name)
secret = V1Secret(metadata=metadata, data={})
secret.api_version = 'v1'
secret.kind = 'Secret'
if remapping.dest_type is not None:
secret.type = remapping.dest_type
for source_key, destination_key in remapping.key_mapping.items():
sourceSecret = manifest_list.manifest(pluginName='secret', manifestName=source_key)
if not sourceSecret:
raise NoMigratedSecretFound('No migrated secret "{}" found'.format(source_key))
[value] = sourceSecret[0].data.values()
secret.data[destination_key] = value
return secret
def __init__(
self,
app_id: str,
app_secrets: Mapping[str, Mapping[str, str]],
):
self._app_secrets = app_secrets
self._generic_remapping = SecretRemapping(
dest_name="marathonsecret-{}".format(utils.dnsify(app_id)),
dest_type=None,
key_mapping={})
self._image_pull_remapping = SecretRemapping(
dest_name="marathonpullcfgsecret-{}".format(utils.dnsify(app_id)),
dest_type="kubernetes.io/dockerconfigjson",
key_mapping={})
def __get_k8s_secret_key(self, app_secret_name: str) -> str:
try:
dcos_name = self._app_secrets[app_secret_name]['source']
except KeyError:
raise InvalidAppDefinition(
'No source specified for a secret "{}"'.format(
app_secret_name))
return utils.dnsify(dcos_name)
def test_dnsify(path_name, expected_name):
assert dnsify(path_name) == expected_name