def recreate_secret(self, event_data):
"""
It is a workaround, delete the secret for cert-manager to recreate it with
new private key
"""
kube_op = sys_kube.KubeOperator()
kube_op.kube_delete_secret(event_data.secret_name, self.context.kubernete_namespace)
LOG.info('Recreate secret %s:%s' % (self.context.kubernete_namespace, event_data.secret_name))
def verify_adminep_cert_chain():
"""
Verify admin endpoint certificate chain & delete if invalid
:param context: an admin context.
:return: True/False if chain is valid
"""
"""
* Retrieve ICA & AdminEP cert secrets from k8s
* base64 decode ICA cert (tls.crt from SC_INTERMEDIATE_CA_SECRET_NAME)
* & adminep (tls.crt from SC_ADMIN_ENDPOINT_SECRET_NAME)
* & store the crts in tempfiles
* Run openssl verify against RootCA to verify the chain
"""
kube_op = sys_kube.KubeOperator()
secret_ica = kube_op.kube_get_secret(constants.SC_INTERMEDIATE_CA_SECRET_NAME,
CERT_NAMESPACE_SUBCLOUD_CONTROLLER)
if 'tls.crt' not in secret_ica.data:
raise Exception('%s tls.crt (ICA) data missing'
% (constants.SC_INTERMEDIATE_CA_SECRET_NAME))
secret_adminep = kube_op.kube_get_secret(constants.SC_ADMIN_ENDPOINT_SECRET_NAME,
CERT_NAMESPACE_SUBCLOUD_CONTROLLER)
if 'tls.crt' not in secret_adminep.data:
raise Exception('%s tls.crt data missing'
% (constants.SC_ADMIN_ENDPOINT_SECRET_NAME))
txt_ca_crt = base64.b64decode(secret_ica.data['tls.crt'])
txt_tls_crt = base64.b64decode(secret_adminep.data['tls.crt'])
with tempfile.NamedTemporaryFile() as ca_tmpfile:
ca_tmpfile.write(txt_ca_crt)
ca_tmpfile.flush()
with tempfile.NamedTemporaryFile() as adminep_tmpfile:
adminep_tmpfile.write(txt_tls_crt)
adminep_tmpfile.flush()
cmd = ['openssl', 'verify', '-CAfile', constants.DC_ROOT_CA_CERT_PATH,
'-untrusted', ca_tmpfile.name, adminep_tmpfile.name]
proc = subprocess.Popen(cmd, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdout, stderr = proc.communicate()
proc.wait()
if 0 == proc.returncode:
LOG.info('verify_adminep_cert_chain passed. Valid chain')
return True
else:
LOG.info('verify_adminep_cert_chain: Chain is invalid\n%s\n%s'
% (stdout, stderr))
res = kube_op.kube_delete_secret(constants.SC_ADMIN_ENDPOINT_SECRET_NAME,
CERT_NAMESPACE_SUBCLOUD_CONTROLLER)
LOG.info('Deleting AdminEP secret due to invalid chain. %s:%s, result %s, msg %s'
% (CERT_NAMESPACE_SUBCLOUD_CONTROLLER,
constants.SC_ADMIN_ENDPOINT_SECRET_NAME,
res.status, res.message))
return False
def _get_rook_ceph_admin_keyring(self):
try:
kube = kubernetes.KubeOperator()
keyring = kube.kube_get_secret(constants.K8S_RBD_PROV_ADMIN_SECRET_NAME,
common.HELM_NS_STORAGE_PROVISIONER)
return keyring.data['key'].decode('base64', 'strict')
except Exception:
pass
return 'null'
def setUp(self):
super(TestKubeOperator, self).setUp()
self.setup_result()
self.list_namespaced_pod_result = None
def mock_is_k8s_configured():
return True
self.mocked_is_k8s_configured = mock.patch(
'sysinv.common.kubernetes.is_k8s_configured',
mock_is_k8s_configured)
self.mocked_is_k8s_configured.start()
def mock_list_namespaced_pod(obj, namespace, field_selector=""):
pod_name = field_selector.split('metadata.name=', 1)[1]
return self.list_namespaced_pod_result[pod_name]
self.mocked_list_namespaced_pod = mock.patch(
'kubernetes.client.CoreV1Api.list_namespaced_pod',
mock_list_namespaced_pod)
self.mocked_list_namespaced_pod.start()
self.list_pod_for_all_namespaces_result = None
def mock_list_pod_for_all_namespaces(obj, label_selector=""):
return self.list_pod_for_all_namespaces_result
self.mocked_list_pod_for_all_namespaces = mock.patch(
'kubernetes.client.CoreV1Api.list_pod_for_all_namespaces',
mock_list_pod_for_all_namespaces)
self.mocked_list_pod_for_all_namespaces.start()
self.list_node_result = None
def mock_list_node(obj, label_selector=""):
return self.list_node_result
self.mocked_list_node = mock.patch(
'kubernetes.client.CoreV1Api.list_node', mock_list_node)
self.mocked_list_node.start()
self.read_namespaced_config_map_result = None
def mock_read_namespaced_config_map(obj, configmap, namespace):
return self.read_namespaced_config_map_result
self.mocked_read_namespaced_config_map = mock.patch(
'kubernetes.client.CoreV1Api.read_namespaced_config_map',
mock_read_namespaced_config_map)
self.mocked_read_namespaced_config_map.start()
self.kube_operator = kube.KubeOperator()
def _is_rook_ceph(self):
try:
# check function getLabels in rook/pkg/operator/ceph/cluster/mon/spec.go
# rook will assign label "mon_cluster=kube-system" to monitor pods
label = "mon_cluster=" + common.HELM_NS_STORAGE_PROVISIONER
kube = kubernetes.KubeOperator()
pods = kube.kube_get_pods_by_selector(common.HELM_NS_STORAGE_PROVISIONER, label, "")
if len(pods) > 0:
return True
except Exception:
pass
return False
def _get_active_kubernetes_version():
"""Get the active kubernetes version
"""
# During a platform upgrade, the version is still None
# when N+1 controller-1 is creating hieradata.
# The version is updated from the running kubernetes version.
config = {}
kube_operator = kubernetes.KubeOperator()
kube_version = kube_operator.kube_get_kubernetes_version()
config.update({
'platform::kubernetes::params::version': kube_version,
})
return config
def recreate_secrets(self):
kube_op = sys_kube.KubeOperator()
secret_list = self.secrets_to_recreate[:]
for secret in secret_list:
try:
LOG.info('Recreate %s:%s' % (utils.CERT_NAMESPACE_SYS_CONTROLLER, secret))
kube_op.kube_delete_secret(secret, utils.CERT_NAMESPACE_SYS_CONTROLLER)
except Exception as e:
LOG.error('Deleting secret %s:%s. Error %s' %
(utils.CERT_NAMESPACE_SYS_CONTROLLER, secret, e))
else:
self.secrets_to_recreate.remove(secret)
if len(self.secrets_to_recreate) > 0:
# raise exception to keep reattempting
raise Exception('Some secrets were not recreated successfully')
def get_subcloud_secrets():
"""get subcloud name and ICA secret name pairs from k8s secret
Every subcloud comes with an ICA entry in k8s secret
:return: dict of subcloud name and ICA secret name pairs
"""
secret_pattern = re.compile('-adminep-ca-certificate$')
kube_op = sys_kube.KubeOperator()
secret_list = kube_op.kube_list_secret(ENDPOINT_TYPE_DC_CERT)
dict = {}
for secret in secret_list:
secret_name = secret.metadata.name
m = secret_pattern.search(secret_name)
if m:
start = m.start()
if start > 0:
dict.update({secret_name[0:m.start()]: secret_name})
return dict
def _get_kubernetes_rootca_cert_key():
""""Get kubernetes root CA certficate secret from cert-manager"""
try:
kube_operator = kubernetes.KubeOperator()
secret = kube_operator.kube_get_secret(KUBE_ROOTCA_CERT_SECRET,
KUBE_ROOTCA_CERT_NS)
# The root CA cert/key are not stored in kubernetes yet
if not secret:
return 'undef', 'undef'
if hasattr(secret, 'data') and secret.data:
cert = secret.data.get('tls.crt', None)
key = secret.data.get('tls.key', None)
if cert and key:
return cert, key
raise Exception('Failed to get secret %s\\%s' %
(KUBE_ROOTCA_CERT_NS, KUBE_ROOTCA_CERT_SECRET))
except exception.KubeNotConfigured:
# During ansible bootstrap, kubernetes is not configured.
# Set the cert and key to 'undef'
return 'undef', 'undef'
def __init__(self, dbapi):
self._dbapi = dbapi
self._ceph = ceph.CephApiOperator()
self._kube_operator = kubernetes.KubeOperator()
def __init__(self):
self._api_token = None
self._kube_op = sys_kube.KubeOperator()
def __init__(self, *args, **kwargs):
super(KubernetesPuppet, self).__init__(*args, **kwargs)
self._kube_operator = kubernetes.KubeOperator()
def __init__(self):
self._kube_operator = kubernetes.KubeOperator()
def __init__(self):
self._bm_region = None
self._kube_op = sys_kube.KubeOperator()
def __init__(self, parent=None, **kwargs):
self._parent = parent
self._kube_operator = kubernetes.KubeOperator()
def post(self, host_uuid, body):
"""Update the kubernetes root CA certificate on this host"""
# Check cluster update status
try:
update = pecan.request.dbapi.kube_rootca_update_get_one()
except exception.NotFound:
raise wsme.exc.ClientSideError(
_("kube-rootca-host-update rejected: No update in progress."))
# Check if the new root CA cert secret exists, in case the secret
# is deleted unexpectly.
kube_operator = kubernetes.KubeOperator()
try:
cert_secret = kube_operator.kube_get_secret(
constants.KUBE_ROOTCA_SECRET,
kubernetes.NAMESPACE_DEPLOYMENT,
)
except Exception:
raise wsme.exc.ClientSideError(
_("kube-rootca-host-update rejected: failed to get new root CA "
"cert secret from kubernetes."))
if cert_secret is None:
raise wsme.exc.ClientSideError(
_("kube-rootca-host-update rejected: no new root CA cert found."
))
ihost = pecan.request.dbapi.ihost_get(host_uuid)
if body['phase'].lower() == constants.KUBE_CERT_UPDATE_TRUSTBOTHCAS:
# kube root CA update on host phase trust-both-cas
self._precheck_trustbothcas(update, ihost)
update_state = kubernetes.KUBE_ROOTCA_UPDATING_HOST_TRUSTBOTHCAS
else:
raise wsme.exc.ClientSideError(
_("kube-rootca-host-update rejected: not supported phase."))
# Update the cluster update state
c_values = dict()
c_values['state'] = update_state
c_update = pecan.request.dbapi.kube_rootca_update_get_one()
pecan.request.dbapi.kube_rootca_update_update(c_update.id, c_values)
# Create or update "update state" on this host
h_values = dict()
h_values['state'] = update_state
h_values['effective_rootca_cert'] = c_update.from_rootca_cert
h_values['target_rootca_cert'] = c_update.to_rootca_cert
try:
h_update = pecan.request.dbapi.kube_rootca_host_update_get_by_host(
ihost.id)
h_update = pecan.request.dbapi.kube_rootca_host_update_update(
h_update.id, h_values)
except exception.NotFound:
h_update = pecan.request.dbapi.kube_rootca_host_update_create(
ihost.id, h_values)
phase = body['phase'].lower()
if phase not in [
constants.KUBE_CERT_UPDATE_TRUSTBOTHCAS,
constants.KUBE_CERT_UPDATE_UPDATECERTS,
constants.KUBE_CERT_UPDATE_TRUSTNEWCA
]:
raise exception.SysinvException(
_("Invalid phase %s to update kube certificate." % phase))
# perform rpc to conductor to perform config apply
pecan.request.rpcapi.kube_certificate_update_by_host(
pecan.request.context, host_uuid, body['phase'])
LOG.info("Kubernetes rootca update started on host: %s" %
ihost.hostname)
return KubeRootCAHostUpdate.convert_with_links(h_update)
def get_sc_intermediate_ca_secret(sc):
secret_name = get_intermediate_ca_secret_name(sc)
kube_op = sys_kube.KubeOperator()
return kube_op.kube_get_secret(secret_name, CERT_NAMESPACE_SYS_CONTROLLER)
def __init__(self, dbapi):
self._dbapi = dbapi
self._kube_operator = kubernetes.KubeOperator()
