From 89d6cb9330a3094c01ea6015a105881671916251 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=98yvind=20Ingebrigtsen=20=C3=98vergaard?=
Date: Thu, 2 Dec 2021 15:11:29 +0100
Subject: [PATCH 1/3] Use k8s.config.use_in_cluster_config for in-cluster configuration
This is mainly to support regularly re-reading the service account token from file when in-cluster configuration is used. This also introduces the option to explicitly override the default in-cluster configuration by setting the api-token or api-cert config flags. Currently these flags are ignored if `/var/run/secrets/kubernetes.io/serviceaccount/token` exists, which could be surprising behaviour. If neither api-token or client-cert is set, and in-cluster configuration can not be set up (service account token can not be read), log a warning indicating potentially missing apiserver authentication configuration.
---
 fiaas_deploy_daemon/__init__.py | 27 +++++++++++++++++------
 fiaas_deploy_daemon/bootstrap/__init__.py | 2 +-
 fiaas_deploy_daemon/config.py | 8 -------
 3 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/fiaas_deploy_daemon/__init__.py b/fiaas_deploy_daemon/__init__.py
index fb7019dd..39638e53 100644
--- a/fiaas_deploy_daemon/__init__.py
+++ b/fiaas_deploy_daemon/__init__.py
@@ -98,15 +98,28 @@ def run(self):
 self._webapp.run("0.0.0.0", self._config.port)
-def init_k8s_client(config):
- k8s_config.api_server = config.api_server
- k8s_config.api_token = config.api_token
+def init_k8s_client(config, log):
+ if config.client_cert:
+ k8s_config.cert = (config.client_cert, config.client_key)
+
+ if config.api_token:
+ k8s_config.api_token = config.api_token
+ else:
+ # use default in-cluster config if api_token is not explicitly set
+ try:
+ # sets api_token_source and verify_ssl
+ k8s_config.use_in_cluster_config()
+ except IOError as e:
+ if not config.client_cert:
+ log.warn("No apiserver auth config was specified, and in-cluster config could not be set up: " + str(e))
+
+ # if api_cert or debug is explicitly set, override in-cluster config setting (if used)
 if config.api_cert:
 k8s_config.verify_ssl = config.api_cert
- else:
+ elif config.debug:
 k8s_config.verify_ssl = not config.debug
- if config.client_cert:
- k8s_config.cert = (config.client_cert, config.client_key)
+
+ k8s_config.api_server = config.api_server
 k8s_config.debug = config.debug
@@ -182,8 +195,8 @@ def expose_fdd_version(config):
 def main():
 cfg = Configuration()
 init_logging(cfg)
- init_k8s_client(cfg)
 log = logging.getLogger(__name__)
+ init_k8s_client(cfg, log)
 warn_if_env_variable_config(cfg, log)
 expose_fdd_version(cfg)
 signal.signal(signal.SIGUSR2, thread_dump_logger(log))
diff --git a/fiaas_deploy_daemon/bootstrap/__init__.py b/fiaas_deploy_daemon/bootstrap/__init__.py
index 960b889f..6df7415c 100644
--- a/fiaas_deploy_daemon/bootstrap/__init__.py
+++ b/fiaas_deploy_daemon/bootstrap/__init__.py
@@ -71,8 +71,8 @@ def run(self):
 def main():
 cfg = Configuration()
 init_logging(cfg)
- init_k8s_client(cfg)
 log = logging.getLogger(__name__)
+ init_k8s_client(cfg, log)
 try:
 log.info("fiaas-deploy-daemon starting with configuration {!r}".format(cfg))
 binding_specs = [
diff --git a/fiaas_deploy_daemon/config.py b/fiaas_deploy_daemon/config.py
index 7286f80f..d2f44b38 100644
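Review bot: `log.warn` in the except branch of the new init_k8s_client is the deprecated alias of `Logger.warning`, and the message is assembled by string concatenation; prefer `log.warning("No apiserver auth config was specified, and in-cluster config could not be set up: %s", e)`, which is also valid on the py2-compatible baseline this series still targets. The `elif config.debug:` branch that follows assigns `k8s_config.verify_ssl = not config.debug`, which is always False there, and it now overrides the CA that the in-line comment says `use_in_cluster_config()` sets — so enabling debug on an in-cluster deployment discards the service-account CA and turns apiserver TLS verification off. That override was already the behaviour outside the cluster, but since it now replaces a working in-cluster CA it deserves an explicit `log.warning("debug is set, disabling apiserver TLS verification")` at that point, and the assignment reads clearer as `k8s_config.verify_ssl = False`. Whether `use_in_cluster_config()` can fail with something other than IOError is not visible here; if it can, the narrow `except IOError` means such failures escape without the "no auth config" warning — worth confirming against the k8s 0.20.0 implementation.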
--- a/fiaas_deploy_daemon/config.py
+++ b/fiaas_deploy_daemon/config.py
@@ -151,7 +151,6 @@ def __init__(self, args=None, **kwargs):
 self.image = ""
 self.version = ""
 self._parse_args(args)
- self._resolve_api_config()
 self._resolve_env()
 self.namespace = self._resolve_namespace()
@@ -275,13 +274,6 @@ def _parse_args(self, args):
 self.tls_certificate_issuer_type_overrides = {issuer_type.key: issuer_type.value for issuer_type in self.tls_certificate_issuer_type_overrides}
- def _resolve_api_config(self):
- token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
- if os.path.exists(token_file):
- with open(token_file) as fobj:
- self.api_token = fobj.read().strip()
- self.api_cert = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-
 def _resolve_env(self):
 image = os.getenv("IMAGE")
 if not image:
From 72e0f005af1de54333007dcc3220823baa347815 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=98yvind=20Ingebrigtsen=20=C3=98vergaard?=
Date: Thu, 2 Dec 2021 16:03:58 +0100
Subject: [PATCH 2/3] Remove unused function
This looks like a leftover from when the pipeline consumer was removed. It isn't used anywhere
---
 fiaas_deploy_daemon/config.py | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/fiaas_deploy_daemon/config.py b/fiaas_deploy_daemon/config.py
index d2f44b38..535a09c0 100644
--- a/fiaas_deploy_daemon/config.py
+++ b/fiaas_deploy_daemon/config.py
@@ -287,14 +287,6 @@ def _resolve_env(self):
 if version:
 self.version = version
- @staticmethod
- def _resolve_required_variable(key, service_name):
- value = os.getenv(key)
- if not value:
- raise InvalidConfigurationException(
- "{} is not set in environment, unable to resolve service {}".format(key, service_name))
- return value
-
 @staticmethod
 def _resolve_namespace():
 namespace_file_path = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
From cfb1dca0c510c658c4be7ac46f5a0df6f6de3549 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=98yvind=20Ingebrigtsen=20=C3=98vergaard?=
Date: Wed, 8 Dec 2021 12:50:35 +0100
Subject: [PATCH 3/3] Use k8s 0.20.0
This version includes built-in support in k8s for in-cluster config, which is used in 89d6cb9330a3094c01ea6015a105881671916251.
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index fefb83da..734d2eab 100755
--- a/setup.py
+++ b/setup.py
@@ -33,7 +33,7 @@ def read(filename):
 "decorator < 5.0.0", # 5.0.0 and later drops py2 support (transitive dep from pinject)
 "six == 1.12.0",
 "dnspython == 1.16.0",
- "k8s == 0.17.0",
+ "k8s == 0.20.0",
 "monotonic == 1.5",
 "appdirs == 1.4.3",
 "requests-toolbelt == 0.9.1",