Skip to content

Commit

Permalink
feat(kubernetes): Omit desired namespaces (#1486)
Browse files Browse the repository at this point in the history
  • Loading branch information
@lwander
lwander committed Mar 3, 2017
1 parent 18f7d58 commit 715e2fd
Show file tree
Hide file tree
Showing 13 changed files with 52 additions and 12 deletions.
1 change: 1 addition & 0 deletions .../netflix/spinnaker/clouddriver/kubernetes/config/KubernetesConfigurationProperties.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ class KubernetesConfigurationProperties {
String kubeconfigFile
Boolean serviceAccount
List<String> namespaces
List<String> omitNamespaces
int cacheThreads
List<LinkedDockerRegistryConfiguration> dockerRegistries
List<String> requiredGroupMembership
Expand Down
8 changes: 7 additions & 1 deletion ...n/groovy/com/netflix/spinnaker/clouddriver/kubernetes/security/KubernetesCredentials.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,12 @@
import javax.validation.ConstraintViolationException;
import java.io.UnsupportedEncodingException;
import java.util.*;
import java.util.stream.Collectors;

public class KubernetesCredentials {
private final KubernetesApiAdaptor apiAdaptor;
private final List<String> namespaces;
private final List<String> omitNamespaces;
private final List<LinkedDockerRegistryConfiguration> dockerRegistries;
private final HashMap<String, Set<String>> imagePullSecrets;
private final Logger LOG;
Expand All @@ -45,10 +47,12 @@ public class KubernetesCredentials {
// strictly a credential.
public KubernetesCredentials(KubernetesApiAdaptor apiAdaptor,
List<String> namespaces,
List<String> omitNamespaces,
List<LinkedDockerRegistryConfiguration> dockerRegistries,
AccountCredentialsRepository accountCredentialsRepository) {
this.apiAdaptor = apiAdaptor;
this.namespaces = namespaces != null ? namespaces : new ArrayList<>();
this.omitNamespaces = omitNamespaces != null ? omitNamespaces : new ArrayList<>();
this.oldNamespaces = this.namespaces;
this.dynamicRegistries = new HashSet<>();
this.dockerRegistries = dockerRegistries != null ? dockerRegistries : new ArrayList<>();
Expand All @@ -71,9 +75,11 @@ public List<String> getNamespaces() {
return namespaces;
} else {
List<String> addedNamespaces = apiAdaptor.getNamespacesByName();
addedNamespaces.removeAll(omitNamespaces);

List<String> resultNamespaces = new ArrayList<>(addedNamespaces);

// otherwise, find the namespaces that were added, and add docker secrets to them. No need to track deleted
// Find the namespaces that were added, and add docker secrets to them. No need to track deleted
// namespaces since they delete their secrets automatically.
addedNamespaces.removeAll(oldNamespaces);
reconfigureRegistries(addedNamespaces, resultNamespaces);
Expand Down
1 change: 1 addition & 0 deletions ...netflix/spinnaker/clouddriver/kubernetes/security/KubernetesCredentialsInitializer.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ class KubernetesCredentialsInitializer implements CredentialsInitializerSynchron
.kubeconfigFile(managedAccount.kubeconfigFile)
.serviceAccount(managedAccount.serviceAccount)
.namespaces(managedAccount.namespaces)
.omitNamespaces(managedAccount.omitNamespaces)
.cacheThreads(managedAccount.cacheThreads ?: DEFAULT_CACHE_THREADS)
.dockerRegistries(managedAccount.dockerRegistries)
.requiredGroupMembership(managedAccount.requiredGroupMembership)
Expand Down
15 changes: 15 additions & 0 deletions ...etflix/spinnaker/clouddriver/kubernetes/security/KubernetesNamedAccountCredentials.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ public class KubernetesNamedAccountCredentials implements AccountCredentials<Kub
final String kubeconfigFile
final Boolean serviceAccount
List<String> namespaces
List<String> omitNamespaces
final int cacheThreads
KubernetesCredentials credentials
final List<String> requiredGroupMembership
Expand All @@ -51,6 +52,7 @@ public class KubernetesNamedAccountCredentials implements AccountCredentials<Kub
String kubeconfigFile,
Boolean serviceAccount,
List<String> namespaces,
List<String> omitNamespaces,
int cacheThreads,
List<LinkedDockerRegistryConfiguration> dockerRegistries,
List<String> requiredGroupMembership,
Expand All @@ -65,6 +67,7 @@ public class KubernetesNamedAccountCredentials implements AccountCredentials<Kub
this.kubeconfigFile = kubeconfigFile
this.serviceAccount = serviceAccount
this.namespaces = namespaces
this.omitNamespaces = omitNamespaces
this.cacheThreads = cacheThreads
this.requiredGroupMembership = requiredGroupMembership
this.dockerRegistries = dockerRegistries
Expand All @@ -87,6 +90,7 @@ public class KubernetesNamedAccountCredentials implements AccountCredentials<Kub
String kubeconfigFile
Boolean serviceAccount
List<String> namespaces
List<String> omitNamespaces
int cacheThreads
KubernetesCredentials credentials
List<String> requiredGroupMembership
Expand Down Expand Up @@ -153,6 +157,11 @@ public class KubernetesNamedAccountCredentials implements AccountCredentials<Kub
return this
}

Builder omitNamespaces(List<String> omitNamespaces) {
this.omitNamespaces = omitNamespaces
return this
}

Builder cacheThreads(int cacheThreads) {
this.cacheThreads = cacheThreads
return this
Expand Down Expand Up @@ -181,6 +190,7 @@ public class KubernetesNamedAccountCredentials implements AccountCredentials<Kub
return new KubernetesCredentials(
new KubernetesApiAdaptor(name, config),
namespaces,
omitNamespaces,
dockerRegistries,
accountCredentialsRepository,
)
Expand All @@ -193,6 +203,10 @@ public class KubernetesNamedAccountCredentials implements AccountCredentials<Kub
if (!dockerRegistries || dockerRegistries.size() == 0) {
throw new IllegalArgumentException("Docker registries for Kubernetes account " + name + " missing.")
}
if (omitNamespaces && namespaces) {
throw new IllegalArgumentException("At most one of 'namespaces' and 'omitNamespaces' can be specified")
}

kubeconfigFile = kubeconfigFile != null && kubeconfigFile.length() > 0 ?
kubeconfigFile :
System.getProperty("user.home") + "/.kube/config"
Expand All @@ -211,6 +225,7 @@ public class KubernetesNamedAccountCredentials implements AccountCredentials<Kub
kubeconfigFile,
serviceAccount,
namespaces,
omitNamespaces,
cacheThreads,
dockerRegistries,
requiredGroupMembership,
Expand Down
2 changes: 1 addition & 1 deletion ...kubernetes/deploy/ops/loadbalancer/UpsertKubernetesLoadBalancerAtomicOperationSpec.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ class UpsertKubernetesLoadBalancerAtomicOperationSpec extends Specification {
dockerRegistry = Mock(LinkedDockerRegistryConfiguration)
dockerRegistries = [dockerRegistry]
accountCredentialsRepositoryMock = Mock(AccountCredentialsRepository)
credentials = new KubernetesCredentials(apiMock, NAMESPACES, [], accountCredentialsRepositoryMock)
credentials = new KubernetesCredentials(apiMock, NAMESPACES, [], [], accountCredentialsRepositoryMock)
namedAccountCredentials = new KubernetesNamedAccountCredentials.Builder()
.name("accountName")
.credentials(credentials)
Expand Down
2 changes: 1 addition & 1 deletion ...r/clouddriver/kubernetes/deploy/ops/servergroup/CloneKubernetesAtomicOperationSpec.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@ class CloneKubernetesAtomicOperationSpec extends Specification {
accountCredentialsRepositoryMock = Mock(AccountCredentialsRepository)
dockerRegistry = Mock(LinkedDockerRegistryConfiguration)
dockerRegistries = [dockerRegistry]
credentials = new KubernetesCredentials(apiMock, [], [], accountCredentialsRepositoryMock)
credentials = new KubernetesCredentials(apiMock, [], [], [], accountCredentialsRepositoryMock)
namedAccountCredentials = new KubernetesNamedAccountCredentials.Builder()
.name("name")
.dockerRegistries(dockerRegistries)
Expand Down
2 changes: 1 addition & 1 deletion .../clouddriver/kubernetes/deploy/ops/servergroup/DeployKubernetesAtomicOperationSpec.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ class DeployKubernetesAtomicOperationSpec extends Specification {

dockerRegistry = Mock(LinkedDockerRegistryConfiguration)
dockerRegistries = [dockerRegistry]
credentials = new KubernetesCredentials(apiMock, [NAMESPACE], DOCKER_REGISTRY_ACCOUNTS, accountCredentialsRepositoryMock)
credentials = new KubernetesCredentials(apiMock, [NAMESPACE], [], DOCKER_REGISTRY_ACCOUNTS, accountCredentialsRepositoryMock)
namedAccountCredentials = new KubernetesNamedAccountCredentials.Builder()
.name("name")
.dockerRegistries(dockerRegistries)
Expand Down
2 changes: 1 addition & 1 deletion .../clouddriver/kubernetes/deploy/validators/StandardKubernetesAttributeValidatorSpec.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ class StandardKubernetesAttributeValidatorSpec extends Specification {

def dockerRegistry = Mock(LinkedDockerRegistryConfiguration)
def dockerRegistries = [dockerRegistry]
credentials = new KubernetesCredentials(apiMock, NAMESPACES, DOCKER_REGISTRY_ACCOUNTS, accountCredentialsRepositoryMock)
credentials = new KubernetesCredentials(apiMock, NAMESPACES, [], DOCKER_REGISTRY_ACCOUNTS, accountCredentialsRepositoryMock)
def namedAccountCredentials = new KubernetesNamedAccountCredentials.Builder()
.name(ACCOUNT_NAME)
.dockerRegistries(dockerRegistries)
Expand Down
2 changes: 1 addition & 1 deletion ...y/validators/loadbalancer/UpsertKubernetesLoadBalancerAtomicOperationValidatorSpec.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ class UpsertKubernetesLoadBalancerAtomicOperationValidatorSpec extends Specifica

dockerRegistry = Mock(LinkedDockerRegistryConfiguration)
dockerRegistries = [dockerRegistry]
credentials = new KubernetesCredentials(apiMock, NAMESPACES, [], accountCredentialsRepositoryMock)
credentials = new KubernetesCredentials(apiMock, NAMESPACES, [], [], accountCredentialsRepositoryMock)
namedAccountCredentials = new KubernetesNamedAccountCredentials.Builder()
.name(VALID_ACCOUNT)
.dockerRegistries(dockerRegistries)
Expand Down
2 changes: 1 addition & 1 deletion ...bernetes/deploy/validators/servergroup/CloneKubernetesAtomicOperationValidatorSpec.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ class CloneKubernetesAtomicOperationValidatorSpec extends Specification {

def dockerRegistry = Mock(LinkedDockerRegistryConfiguration)
def dockerRegistries = [dockerRegistry]
def credentials = new KubernetesCredentials(apiMock, NAMESPACES, DOCKER_REGISTRY_ACCOUNTS, accountCredentialsRepositoryMock)
def credentials = new KubernetesCredentials(apiMock, NAMESPACES, [], DOCKER_REGISTRY_ACCOUNTS, accountCredentialsRepositoryMock)
def namedAccountCredentials = new KubernetesNamedAccountCredentials.Builder()
.name(VALID_ACCOUNT)
.dockerRegistries(dockerRegistries)
Expand Down
2 changes: 1 addition & 1 deletion ...ernetes/deploy/validators/servergroup/DeployKubernetesAtomicOperationValidatorSpec.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ class DeployKubernetesAtomicOperationValidatorSpec extends Specification {

def dockerRegistry = Mock(LinkedDockerRegistryConfiguration)
def dockerRegistries = [dockerRegistry]
def credentials = new KubernetesCredentials(apiMock, NAMESPACES, DOCKER_REGISTRY_ACCOUNTS, accountCredentialsRepositoryMock)
def credentials = new KubernetesCredentials(apiMock, NAMESPACES, [], DOCKER_REGISTRY_ACCOUNTS, accountCredentialsRepositoryMock)
def namedAccountCredentials = new KubernetesNamedAccountCredentials.Builder()
.name(VALID_ACCOUNT)
.dockerRegistries(dockerRegistries)
Expand Down
2 changes: 1 addition & 1 deletion ...nnaker/clouddriver/kubernetes/provider/agent/KubernetesServerGroupCachingAgentSpec.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ class KubernetesServerGroupCachingAgentSpec extends Specification {

def accountCredentialsRepositoryMock = Mock(AccountCredentialsRepository)

kubernetesCredentials = new KubernetesCredentials(apiMock, [], [], accountCredentialsRepositoryMock)
kubernetesCredentials = new KubernetesCredentials(apiMock, [], [], [], accountCredentialsRepositoryMock)

applicationKey = Keys.getApplicationKey(APP)
clusterKey = Keys.getClusterKey(ACCOUNT_NAME, APP, 'serverGroup', CLUSTER)
Expand Down
23 changes: 20 additions & 3 deletions ...vy/com/netflix/spinnaker/clouddriver/kubernetes/security/KubernetesCredentialsSpec.groovy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ class KubernetesCredentialsSpec extends Specification {
repositoryMock.getOne(ACCOUNT1) >> registryAccountMock

when:
def result = new KubernetesCredentials(adaptorMock, NAMESPACES1, REGISTRIES1, repositoryMock)
def result = new KubernetesCredentials(adaptorMock, NAMESPACES1, [], REGISTRIES1, repositoryMock)

then:
result.getNamespaces() == NAMESPACES1
Expand All @@ -77,13 +77,30 @@ class KubernetesCredentialsSpec extends Specification {
repositoryMock.getOne(ACCOUNT1) >> registryAccountMock

when:
def result = new KubernetesCredentials(adaptorMock, null, REGISTRIES2, repositoryMock)
def result = new KubernetesCredentials(adaptorMock, null, [], REGISTRIES2, repositoryMock)

then:
result.getNamespaces() == NAMESPACES2
result.dockerRegistries.get(0).namespaces == NAMESPACES2
}

void "should omit kubernetes namespaces"() {
setup:
KubernetesApiAdaptor adaptorMock = Mock(KubernetesApiAdaptor)
adaptorMock.getNamespacesByName() >> NAMESPACES2

AccountCredentialsRepository repositoryMock = Mock(AccountCredentialsRepository)
DockerRegistryNamedAccountCredentials registryAccountMock = mockCredentials(ACCOUNT1)
repositoryMock.getOne(ACCOUNT1) >> registryAccountMock

when:
def result = new KubernetesCredentials(adaptorMock, null, NAMESPACES2, REGISTRIES2, repositoryMock)

then:
result.getNamespaces() == []
result.dockerRegistries.get(0).namespaces == NAMESPACES2
}

void "should not use kubernetes namespaces only in registry"() {
setup:
KubernetesApiAdaptor adaptorMock = Mock(KubernetesApiAdaptor)
Expand All @@ -94,7 +111,7 @@ class KubernetesCredentialsSpec extends Specification {
repositoryMock.getOne(ACCOUNT1) >> registryAccountMock

when:
def result = new KubernetesCredentials(adaptorMock, null, REGISTRIES1, repositoryMock)
def result = new KubernetesCredentials(adaptorMock, null, [], REGISTRIES1, repositoryMock)

then:
result.getNamespaces() == NAMESPACES2
Expand Down

0 comments on commit 715e2fd

Please sign in to comment.