lemur/lemur/plugins/lemur_kubernetes/plugin.py

"""
.. module: lemur.plugins.lemur_kubernetes.plugin
    :platform: Unix
    :copyright: (c) 2015 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.


    The plugin inserts certificates and the private key as Kubernetes secret that
     can later be used to secure service endpoints running in Kubernetes pods

.. moduleauthor:: Mikhail Khodorovskiy <mikhail.khodorovskiy@jivesoftware.com>
"""
import base64
import urllib
import requests
import itertools

from lemur.certificates.models import Certificate
from lemur.plugins.bases import DestinationPlugin

DEFAULT_API_VERSION = 'v1'


def ensure_resource(k8s_api, k8s_base_uri, namespace, kind, name, data):

    # _resolve_uri(k8s_base_uri, namespace, kind, name, api_ver=DEFAULT_API_VERSION)
    url = _resolve_uri(k8s_base_uri, namespace, kind)

    create_resp = k8s_api.post(url, json=data)

    if 200 <= create_resp.status_code <= 299:
        return None
    elif create_resp.json()['reason'] != 'AlreadyExists':
        return create_resp.content
    update_resp = k8s_api.put(_resolve_uri(k8s_base_uri, namespace, kind, name), json=data)
    if not 200 <= update_resp.status_code <= 299:
        return update_resp.content
    return None


def _resolve_ns(k8s_base_uri, namespace, api_ver=DEFAULT_API_VERSION,):
    api_group = 'api'
    if '/' in api_ver:
        api_group = 'apis'
    return '{base}/{api_group}/{api_ver}/namespaces'.format(base=k8s_base_uri, api_group=api_group, api_ver=api_ver) + ('/' + namespace if namespace else '')


def _resolve_uri(k8s_base_uri, namespace, kind, name=None, api_ver=DEFAULT_API_VERSION):
    if not namespace:
        namespace = 'default'
    return "/".join(itertools.chain.from_iterable([
        (_resolve_ns(k8s_base_uri, namespace, api_ver=api_ver),),
        ((kind + 's').lower(),),
        (name,) if name else (),
    ]))


class KubernetesDestinationPlugin(DestinationPlugin):
    title = 'Kubernetes'
    slug = 'kubernetes-destination'
    description = 'Allow the uploading of certificates to Kubernetes as secret'

    author = 'Mikhail Khodorovskiy'
    author_url = 'https://github.com/mik373/lemur'

    options = [
        {
            'name': 'kubernetesURL',
            'type': 'str',
            'required': True,
            'validation': '@(https?|http)://(-\.)?([^\s/?\.#-]+\.?)+(/[^\s]*)?$@iS',
            'helpMessage': 'Must be a valid Kubernetes server URL!',
        },
        {
            'name': 'kubernetesAuthToken',
            'type': 'str',
            'required': True,
            'validation': '/^$|\s+/',
            'helpMessage': 'Must be a valid Kubernetes server Token!',
        },
        {
            'name': 'kubernetesServerCertificate',
            'type': 'str',
            'required': True,
            'validation': '/^$|\s+/',
            'helpMessage': 'Must be a valid Kubernetes server Certificate!',
        },
        {
            'name': 'kubernetesNamespace',
            'type': 'str',
            'required': True,
            'validation': '/^$|\s+/',
            'helpMessage': 'Must be a valid Kubernetes Namespace!',
        },

    ]

    def __init__(self, *args, **kwargs):
        super(KubernetesDestinationPlugin, self).__init__(*args, **kwargs)

    def upload(self, name, body, private_key, cert_chain, options, **kwargs):

        k8_bearer = self.get_option('kubernetesAuthToken', options)
        k8_cert = self.get_option('kubernetesServerCertificate', options)
        k8_namespace = self.get_option('kubernetesNamespace', options)
        k8_base_uri = self.get_option('kubernetesURL', options)

        k8s_api = K8sSession(k8_bearer, k8_cert)

        cert = Certificate(body=body)

        # in the future once runtime properties can be passed-in - use passed-in secret name
        secret_name = 'certs-' + urllib.quote_plus(cert.name)

        err = ensure_resource(k8s_api, k8s_base_uri=k8_base_uri, namespace=k8_namespace, kind="secret", name=secret_name, data={
            'apiVersion': 'v1',
            'kind': 'Secret',
            'metadata': {
                'name': secret_name,
            },
            'data': {
                'combined.pem': base64.b64encode(body + private_key),
                'ca.crt': base64.b64encode(cert_chain),
                'service.key': base64.b64encode(private_key),
                'service.crt': base64.b64encode(body),
            }
        })

        if err is not None:
            raise Exception("Error uploading secret: " + err)


class K8sSession(requests.Session):

    def __init__(self, bearer, cert):
        super(K8sSession, self).__init__()

        self.headers.update({
            'Authorization': 'Bearer %s' % bearer
        })

        k8_ca = '/tmp/k8.cert'

        with open(k8_ca, "w") as text_file:
            text_file.write(cert)

        self.verify = k8_ca

    def request(self, method, url, params=None, data=None, headers=None, cookies=None, files=None, auth=None, timeout=30, allow_redirects=True, proxies=None,
                hooks=None, stream=None, verify=None, cert=None, json=None):
        """
        This method overrides the default timeout to be 10s.
        """
        return super(K8sSession, self).request(method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream,
                                               verify, cert, json)
Kubernetes desination plugin (#357) * Kubernetes desination plugin * fixing build warnings * fixing build warnings 2016-06-27 23:40:01 +02:00			`"""`
Minor documentation fixes/tweaks (#597) Mostly typos, grammar errors and inconsistent indentation in code examples. Some errors detected using Topy (https://github.com/intgr/topy), all changes verified by hand. 2016-12-14 18:29:04 +01:00			`.. module: lemur.plugins.lemur_kubernetes.plugin`
Kubernetes desination plugin (#357) * Kubernetes desination plugin * fixing build warnings * fixing build warnings 2016-06-27 23:40:01 +02:00			`:platform: Unix`
			`:copyright: (c) 2015 by Netflix Inc., see AUTHORS for more`
			`:license: Apache, see LICENSE for more details.`


			`The plugin inserts certificates and the private key as Kubernetes secret that`
			`can later be used to secure service endpoints running in Kubernetes pods`

Adding ACME Support (#178) 2016-06-28 00:57:53 +02:00			`.. moduleauthor:: Mikhail Khodorovskiy <mikhail.khodorovskiy@jivesoftware.com>`
Kubernetes desination plugin (#357) * Kubernetes desination plugin * fixing build warnings * fixing build warnings 2016-06-27 23:40:01 +02:00			`"""`
			`import base64`
			`import urllib`
Fixing a few issues with startup. (#374) 2016-06-28 23:28:05 +02:00			`import requests`
			`import itertools`

			`from lemur.certificates.models import Certificate`
			`from lemur.plugins.bases import DestinationPlugin`
Kubernetes desination plugin (#357) * Kubernetes desination plugin * fixing build warnings * fixing build warnings 2016-06-27 23:40:01 +02:00
			`DEFAULT_API_VERSION = 'v1'`


			`def ensure_resource(k8s_api, k8s_base_uri, namespace, kind, name, data):`

			`# _resolve_uri(k8s_base_uri, namespace, kind, name, api_ver=DEFAULT_API_VERSION)`
			`url = _resolve_uri(k8s_base_uri, namespace, kind)`

			`create_resp = k8s_api.post(url, json=data)`

			`if 200 <= create_resp.status_code <= 299:`
			`return None`
			`elif create_resp.json()['reason'] != 'AlreadyExists':`
			`return create_resp.content`
			`update_resp = k8s_api.put(_resolve_uri(k8s_base_uri, namespace, kind, name), json=data)`
			`if not 200 <= update_resp.status_code <= 299:`
			`return update_resp.content`
			`return None`


			`def _resolve_ns(k8s_base_uri, namespace, api_ver=DEFAULT_API_VERSION,):`
			`api_group = 'api'`
			`if '/' in api_ver:`
			`api_group = 'apis'`
			`return '{base}/{api_group}/{api_ver}/namespaces'.format(base=k8s_base_uri, api_group=api_group, api_ver=api_ver) + ('/' + namespace if namespace else '')`


			`def _resolve_uri(k8s_base_uri, namespace, kind, name=None, api_ver=DEFAULT_API_VERSION):`
			`if not namespace:`
			`namespace = 'default'`
			`return "/".join(itertools.chain.from_iterable([`
			`(_resolve_ns(k8s_base_uri, namespace, api_ver=api_ver),),`
			`((kind + 's').lower(),),`
			`(name,) if name else (),`
			`]))`


			`class KubernetesDestinationPlugin(DestinationPlugin):`
			`title = 'Kubernetes'`
			`slug = 'kubernetes-destination'`
			`description = 'Allow the uploading of certificates to Kubernetes as secret'`

			`author = 'Mikhail Khodorovskiy'`
			`author_url = 'https://github.com/mik373/lemur'`

			`options = [`
			`{`
			`'name': 'kubernetesURL',`
			`'type': 'str',`
			`'required': True,`
			`'validation': '@(https?\|http)://(-\.)?([^\s/?\.#-]+\.?)+(/[^\s]*)?$@iS',`
			`'helpMessage': 'Must be a valid Kubernetes server URL!',`
			`},`
			`{`
			`'name': 'kubernetesAuthToken',`
			`'type': 'str',`
			`'required': True,`
			`'validation': '/^$\|\s+/',`
			`'helpMessage': 'Must be a valid Kubernetes server Token!',`
			`},`
			`{`
			`'name': 'kubernetesServerCertificate',`
			`'type': 'str',`
			`'required': True,`
			`'validation': '/^$\|\s+/',`
			`'helpMessage': 'Must be a valid Kubernetes server Certificate!',`
			`},`
			`{`
			`'name': 'kubernetesNamespace',`
			`'type': 'str',`
			`'required': True,`
			`'validation': '/^$\|\s+/',`
			`'helpMessage': 'Must be a valid Kubernetes Namespace!',`
			`},`

			`]`

			`def __init__(self, args, *kwargs):`
			`super(KubernetesDestinationPlugin, self).__init__(args, *kwargs)`

			`def upload(self, name, body, private_key, cert_chain, options, **kwargs):`

			`k8_bearer = self.get_option('kubernetesAuthToken', options)`
			`k8_cert = self.get_option('kubernetesServerCertificate', options)`
			`k8_namespace = self.get_option('kubernetesNamespace', options)`
			`k8_base_uri = self.get_option('kubernetesURL', options)`

			`k8s_api = K8sSession(k8_bearer, k8_cert)`

Fixing a few issues with startup. (#374) 2016-06-28 23:28:05 +02:00			`cert = Certificate(body=body)`
Kubernetes desination plugin (#357) * Kubernetes desination plugin * fixing build warnings * fixing build warnings 2016-06-27 23:40:01 +02:00
			`# in the future once runtime properties can be passed-in - use passed-in secret name`
Fixing a few issues with startup. (#374) 2016-06-28 23:28:05 +02:00			`secret_name = 'certs-' + urllib.quote_plus(cert.name)`
Kubernetes desination plugin (#357) * Kubernetes desination plugin * fixing build warnings * fixing build warnings 2016-06-27 23:40:01 +02:00
			`err = ensure_resource(k8s_api, k8s_base_uri=k8_base_uri, namespace=k8_namespace, kind="secret", name=secret_name, data={`
			`'apiVersion': 'v1',`
			`'kind': 'Secret',`
			`'metadata': {`
			`'name': secret_name,`
			`},`
			`'data': {`
			`'combined.pem': base64.b64encode(body + private_key),`
			`'ca.crt': base64.b64encode(cert_chain),`
			`'service.key': base64.b64encode(private_key),`
			`'service.crt': base64.b64encode(body),`
			`}`
			`})`

			`if err is not None:`
			`raise Exception("Error uploading secret: " + err)`


			`class K8sSession(requests.Session):`

			`def __init__(self, bearer, cert):`
			`super(K8sSession, self).__init__()`

			`self.headers.update({`
			`'Authorization': 'Bearer %s' % bearer`
			`})`

			`k8_ca = '/tmp/k8.cert'`

			`with open(k8_ca, "w") as text_file:`
			`text_file.write(cert)`

			`self.verify = k8_ca`

			`def request(self, method, url, params=None, data=None, headers=None, cookies=None, files=None, auth=None, timeout=30, allow_redirects=True, proxies=None,`
			`hooks=None, stream=None, verify=None, cert=None, json=None):`
			`"""`
			`This method overrides the default timeout to be 10s.`
			`"""`
			`return super(K8sSession, self).request(method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream,`
			`verify, cert, json)`