projects / osm / devops.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Adding security_context flag to charms
[osm/devops.git] / installers / charm / lcm / src / charm.py
1 #!/usr/bin/env python3
2 # Copyright 2021 Canonical Ltd.
3 #
4 # Licensed under the Apache License, Version 2.0 (the "License"); you may
5 # not use this file except in compliance with the License. You may obtain
6 # a copy of the License at
7 #
8 # http://www.apache.org/licenses/LICENSE-2.0
9 #
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 # License for the specific language governing permissions and limitations
14 # under the License.
15 #
16 # For those usages not covered by the Apache License, Version 2.0 please
17 # contact: legal@canonical.com
18 #
19 # To get in touch with the maintainers, please contact:
20 # osm-charmers@lists.launchpad.net
21 ##
22
23 # pylint: disable=E0213
24
25
26 import logging
27 from typing import NoReturn, Optional
28
29
30 from ops.main import main
31 from opslib.osm.charm import CharmedOsmBase, RelationsMissing
32 from opslib.osm.interfaces.http import HttpClient
33 from opslib.osm.interfaces.kafka import KafkaClient
34 from opslib.osm.interfaces.mongo import MongoClient
35 from opslib.osm.pod import ContainerV3Builder, PodRestartPolicy, PodSpecV3Builder
36 from opslib.osm.validator import ModelValidator, validator
37
38
39 logger = logging.getLogger(__name__)
40
41 PORT = 9999
42
43
44 class ConfigModel(ModelValidator):
45 vca_host: Optional[str]
46 vca_port: Optional[int]
47 vca_user: Optional[str]
48 vca_secret: Optional[str]
49 vca_pubkey: Optional[str]
50 vca_cacert: Optional[str]
51 vca_cloud: Optional[str]
52 vca_k8s_cloud: Optional[str]
53 database_commonkey: str
54 mongodb_uri: Optional[str]
55 log_level: str
56 vca_apiproxy: Optional[str]
57 # Model-config options
58 vca_model_config_agent_metadata_url: Optional[str]
59 vca_model_config_agent_stream: Optional[str]
60 vca_model_config_apt_ftp_proxy: Optional[str]
61 vca_model_config_apt_http_proxy: Optional[str]
62 vca_model_config_apt_https_proxy: Optional[str]
63 vca_model_config_apt_mirror: Optional[str]
64 vca_model_config_apt_no_proxy: Optional[str]
65 vca_model_config_automatically_retry_hooks: Optional[bool]
66 vca_model_config_backup_dir: Optional[str]
67 vca_model_config_cloudinit_userdata: Optional[str]
68 vca_model_config_container_image_metadata_url: Optional[str]
69 vca_model_config_container_image_stream: Optional[str]
70 vca_model_config_container_inherit_properties: Optional[str]
71 vca_model_config_container_networking_method: Optional[str]
72 vca_model_config_default_series: Optional[str]
73 vca_model_config_default_space: Optional[str]
74 vca_model_config_development: Optional[bool]
75 vca_model_config_disable_network_management: Optional[bool]
76 vca_model_config_egress_subnets: Optional[str]
77 vca_model_config_enable_os_refresh_update: Optional[bool]
78 vca_model_config_enable_os_upgrade: Optional[bool]
79 vca_model_config_fan_config: Optional[str]
80 vca_model_config_firewall_mode: Optional[str]
81 vca_model_config_ftp_proxy: Optional[str]
82 vca_model_config_http_proxy: Optional[str]
83 vca_model_config_https_proxy: Optional[str]
84 vca_model_config_ignore_machine_addresses: Optional[bool]
85 vca_model_config_image_metadata_url: Optional[str]
86 vca_model_config_image_stream: Optional[str]
87 vca_model_config_juju_ftp_proxy: Optional[str]
88 vca_model_config_juju_http_proxy: Optional[str]
89 vca_model_config_juju_https_proxy: Optional[str]
90 vca_model_config_juju_no_proxy: Optional[str]
91 vca_model_config_logforward_enabled: Optional[bool]
92 vca_model_config_logging_config: Optional[str]
93 vca_model_config_lxd_snap_channel: Optional[str]
94 vca_model_config_max_action_results_age: Optional[str]
95 vca_model_config_max_action_results_size: Optional[str]
96 vca_model_config_max_status_history_age: Optional[str]
97 vca_model_config_max_status_history_size: Optional[str]
98 vca_model_config_net_bond_reconfigure_delay: Optional[str]
99 vca_model_config_no_proxy: Optional[str]
100 vca_model_config_provisioner_harvest_mode: Optional[str]
101 vca_model_config_proxy_ssh: Optional[bool]
102 vca_model_config_snap_http_proxy: Optional[str]
103 vca_model_config_snap_https_proxy: Optional[str]
104 vca_model_config_snap_store_assertions: Optional[str]
105 vca_model_config_snap_store_proxy: Optional[str]
106 vca_model_config_snap_store_proxy_url: Optional[str]
107 vca_model_config_ssl_hostname_verification: Optional[bool]
108 vca_model_config_test_mode: Optional[bool]
109 vca_model_config_transmit_vendor_metrics: Optional[bool]
110 vca_model_config_update_status_hook_interval: Optional[str]
111 vca_stablerepourl: Optional[str]
112 vca_helm_ca_certs: Optional[str]
113 image_pull_policy: str
114 debug_mode: bool
115 security_context: bool
116
117 @validator("log_level")
118 def validate_log_level(cls, v):
119 if v not in {"INFO", "DEBUG"}:
120 raise ValueError("value must be INFO or DEBUG")
121 return v
122
123 @validator("mongodb_uri")
124 def validate_mongodb_uri(cls, v):
125 if v and not v.startswith("mongodb://"):
126 raise ValueError("mongodb_uri is not properly formed")
127 return v
128
129 @validator("image_pull_policy")
130 def validate_image_pull_policy(cls, v):
131 values = {
132 "always": "Always",
133 "ifnotpresent": "IfNotPresent",
134 "never": "Never",
135 }
136 v = v.lower()
137 if v not in values.keys():
138 raise ValueError("value must be always, ifnotpresent or never")
139 return values[v]
140
141
142 class LcmCharm(CharmedOsmBase):
143 def __init__(self, *args) -> NoReturn:
144 super().__init__(
145 *args,
146 oci_image="image",
147 debug_mode_config_key="debug_mode",
148 debug_pubkey_config_key="debug_pubkey",
149 vscode_workspace=VSCODE_WORKSPACE,
150 )
151 self.kafka_client = KafkaClient(self, "kafka")
152 self.framework.observe(self.on["kafka"].relation_changed, self.configure_pod)
153 self.framework.observe(self.on["kafka"].relation_broken, self.configure_pod)
154
155 self.mongodb_client = MongoClient(self, "mongodb")
156 self.framework.observe(self.on["mongodb"].relation_changed, self.configure_pod)
157 self.framework.observe(self.on["mongodb"].relation_broken, self.configure_pod)
158
159 self.ro_client = HttpClient(self, "ro")
160 self.framework.observe(self.on["ro"].relation_changed, self.configure_pod)
161 self.framework.observe(self.on["ro"].relation_broken, self.configure_pod)
162
163 def _check_missing_dependencies(self, config: ConfigModel):
164 missing_relations = []
165
166 if self.kafka_client.is_missing_data_in_unit():
167 missing_relations.append("kafka")
168 if not config.mongodb_uri and self.mongodb_client.is_missing_data_in_unit():
169 missing_relations.append("mongodb")
170 if self.ro_client.is_missing_data_in_app():
171 missing_relations.append("ro")
172
173 if missing_relations:
174 raise RelationsMissing(missing_relations)
175
176 def build_pod_spec(self, image_info):
177 # Validate config
178 config = ConfigModel(**dict(self.config))
179
180 if config.mongodb_uri and not self.mongodb_client.is_missing_data_in_unit():
181 raise Exception("Mongodb data cannot be provided via config and relation")
182
183 # Check relations
184 self._check_missing_dependencies(config)
185
186 security_context_enabled = (
187 config.security_context if not config.debug_mode else False
188 )
189
190 # Create Builder for the PodSpec
191 pod_spec_builder = PodSpecV3Builder(
192 enable_security_context=security_context_enabled
193 )
194
195 # Add secrets to the pod
196 lcm_secret_name = f"{self.app.name}-lcm-secret"
197 pod_spec_builder.add_secret(
198 lcm_secret_name,
199 {
200 "uri": config.mongodb_uri or self.mongodb_client.connection_string,
201 "commonkey": config.database_commonkey,
202 "helm_ca_certs": config.vca_helm_ca_certs,
203 },
204 )
205
206 # Build Container
207 container_builder = ContainerV3Builder(
208 self.app.name,
209 image_info,
210 config.image_pull_policy,
211 run_as_non_root=security_context_enabled,
212 )
213 container_builder.add_port(name=self.app.name, port=PORT)
214 container_builder.add_envs(
215 {
216 # General configuration
217 "ALLOW_ANONYMOUS_LOGIN": "yes",
218 "OSMLCM_GLOBAL_LOGLEVEL": config.log_level,
219 # RO configuration
220 "OSMLCM_RO_HOST": self.ro_client.host,
221 "OSMLCM_RO_PORT": self.ro_client.port,
222 "OSMLCM_RO_TENANT": "osm",
223 # Kafka configuration
224 "OSMLCM_MESSAGE_DRIVER": "kafka",
225 "OSMLCM_MESSAGE_HOST": self.kafka_client.host,
226 "OSMLCM_MESSAGE_PORT": self.kafka_client.port,
227 # Database configuration
228 "OSMLCM_DATABASE_DRIVER": "mongo",
229 # Storage configuration
230 "OSMLCM_STORAGE_DRIVER": "mongo",
231 "OSMLCM_STORAGE_PATH": "/app/storage",
232 "OSMLCM_STORAGE_COLLECTION": "files",
233 "OSMLCM_VCA_STABLEREPOURL": config.vca_stablerepourl,
234 }
235 )
236 container_builder.add_secret_envs(
237 secret_name=lcm_secret_name,
238 envs={
239 "OSMLCM_DATABASE_URI": "uri",
240 "OSMLCM_DATABASE_COMMONKEY": "commonkey",
241 "OSMLCM_STORAGE_URI": "uri",
242 "OSMLCM_VCA_HELM_CA_CERTS": "helm_ca_certs",
243 },
244 )
245 if config.vca_host:
246 vca_secret_name = f"{self.app.name}-vca-secret"
247 pod_spec_builder.add_secret(
248 vca_secret_name,
249 {
250 "host": config.vca_host,
251 "port": str(config.vca_port),
252 "user": config.vca_user,
253 "pubkey": config.vca_pubkey,
254 "secret": config.vca_secret,
255 "cacert": config.vca_cacert,
256 "cloud": config.vca_cloud,
257 "k8s_cloud": config.vca_k8s_cloud,
258 },
259 )
260 container_builder.add_secret_envs(
261 secret_name=vca_secret_name,
262 envs={
263 # VCA configuration
264 "OSMLCM_VCA_HOST": "host",
265 "OSMLCM_VCA_PORT": "port",
266 "OSMLCM_VCA_USER": "user",
267 "OSMLCM_VCA_PUBKEY": "pubkey",
268 "OSMLCM_VCA_SECRET": "secret",
269 "OSMLCM_VCA_CACERT": "cacert",
270 "OSMLCM_VCA_CLOUD": "cloud",
271 "OSMLCM_VCA_K8S_CLOUD": "k8s_cloud",
272 },
273 )
274 if config.vca_apiproxy:
275 container_builder.add_env("OSMLCM_VCA_APIPROXY", config.vca_apiproxy)
276
277 model_config_envs = {
278 f"OSMLCM_{k.upper()}": v
279 for k, v in self.config.items()
280 if k.startswith("vca_model_config")
281 }
282 if model_config_envs:
283 container_builder.add_envs(model_config_envs)
284 container = container_builder.build()
285
286 # Add container to pod spec
287 pod_spec_builder.add_container(container)
288
289 # Add restart policy
290 restart_policy = PodRestartPolicy()
291 restart_policy.add_secrets()
292 pod_spec_builder.set_restart_policy(restart_policy)
293
294 return pod_spec_builder.build()
295
296
297 VSCODE_WORKSPACE = {
298 "folders": [
299 {"path": "/usr/lib/python3/dist-packages/osm_lcm"},
300 {"path": "/usr/lib/python3/dist-packages/osm_n2vc"},
301 {"path": "/usr/lib/python3/dist-packages/osm_common"},
302 ],
303 "settings": {},
304 "launch": {
305 "version": "0.2.0",
306 "configurations": [
307 {
308 "name": "LCM",
309 "type": "python",
310 "request": "launch",
311 "module": "osm_lcm.lcm",
312 "justMyCode": False,
313 }
314 ],
315 },
316 }
317
318
319 if __name__ == "__main__":
320 main(LcmCharm)
321
322
323 # class ConfigurePodEvent(EventBase):
324 # """Configure Pod event"""
325
326 # pass
327
328
329 # class LcmEvents(CharmEvents):
330 # """LCM Events"""
331
332 # configure_pod = EventSource(ConfigurePodEvent)
333
334
335 # class LcmCharm(CharmBase):
336 # """LCM Charm."""
337
338 # state = StoredState()
339 # on = LcmEvents()
340
341 # def __init__(self, *args) -> NoReturn:
342 # """LCM Charm constructor."""
343 # super().__init__(*args)
344
345 # # Internal state initialization
346 # self.state.set_default(pod_spec=None)
347
348 # # Message bus data initialization
349 # self.state.set_default(message_host=None)
350 # self.state.set_default(message_port=None)
351
352 # # Database data initialization
353 # self.state.set_default(database_uri=None)
354
355 # # RO data initialization
356 # self.state.set_default(ro_host=None)
357 # self.state.set_default(ro_port=None)
358
359 # self.port = LCM_PORT
360 # self.image = OCIImageResource(self, "image")
361
362 # # Registering regular events
363 # self.framework.observe(self.on.start, self.configure_pod)
364 # self.framework.observe(self.on.config_changed, self.configure_pod)
365 # self.framework.observe(self.on.upgrade_charm, self.configure_pod)
366
367 # # Registering custom internal events
368 # self.framework.observe(self.on.configure_pod, self.configure_pod)
369
370 # # Registering required relation events
371 # self.framework.observe(
372 # self.on.kafka_relation_changed, self._on_kafka_relation_changed
373 # )
374 # self.framework.observe(
375 # self.on.mongodb_relation_changed, self._on_mongodb_relation_changed
376 # )
377 # self.framework.observe(
378 # self.on.ro_relation_changed, self._on_ro_relation_changed
379 # )
380
381 # # Registering required relation broken events
382 # self.framework.observe(
383 # self.on.kafka_relation_broken, self._on_kafka_relation_broken
384 # )
385 # self.framework.observe(
386 # self.on.mongodb_relation_broken, self._on_mongodb_relation_broken
387 # )
388 # self.framework.observe(
389 # self.on.ro_relation_broken, self._on_ro_relation_broken
390 # )
391
392 # def _on_kafka_relation_changed(self, event: EventBase) -> NoReturn:
393 # """Reads information about the kafka relation.
394
395 # Args:
396 # event (EventBase): Kafka relation event.
397 # """
398 # message_host = event.relation.data[event.unit].get("host")
399 # message_port = event.relation.data[event.unit].get("port")
400
401 # if (
402 # message_host
403 # and message_port
404 # and (
405 # self.state.message_host != message_host
406 # or self.state.message_port != message_port
407 # )
408 # ):
409 # self.state.message_host = message_host
410 # self.state.message_port = message_port
411 # self.on.configure_pod.emit()
412
413 # def _on_kafka_relation_broken(self, event: EventBase) -> NoReturn:
414 # """Clears data from kafka relation.
415
416 # Args:
417 # event (EventBase): Kafka relation event.
418 # """
419 # self.state.message_host = None
420 # self.state.message_port = None
421 # self.on.configure_pod.emit()
422
423 # def _on_mongodb_relation_changed(self, event: EventBase) -> NoReturn:
424 # """Reads information about the DB relation.
425
426 # Args:
427 # event (EventBase): DB relation event.
428 # """
429 # database_uri = event.relation.data[event.unit].get("connection_string")
430
431 # if database_uri and self.state.database_uri != database_uri:
432 # self.state.database_uri = database_uri
433 # self.on.configure_pod.emit()
434
435 # def _on_mongodb_relation_broken(self, event: EventBase) -> NoReturn:
436 # """Clears data from mongodb relation.
437
438 # Args:
439 # event (EventBase): DB relation event.
440 # """
441 # self.state.database_uri = None
442 # self.on.configure_pod.emit()
443
444 # def _on_ro_relation_changed(self, event: EventBase) -> NoReturn:
445 # """Reads information about the RO relation.
446
447 # Args:
448 # event (EventBase): Keystone relation event.
449 # """
450 # ro_host = event.relation.data[event.unit].get("host")
451 # ro_port = event.relation.data[event.unit].get("port")
452
453 # if (
454 # ro_host
455 # and ro_port
456 # and (self.state.ro_host != ro_host or self.state.ro_port != ro_port)
457 # ):
458 # self.state.ro_host = ro_host
459 # self.state.ro_port = ro_port
460 # self.on.configure_pod.emit()
461
462 # def _on_ro_relation_broken(self, event: EventBase) -> NoReturn:
463 # """Clears data from ro relation.
464
465 # Args:
466 # event (EventBase): Keystone relation event.
467 # """
468 # self.state.ro_host = None
469 # self.state.ro_port = None
470 # self.on.configure_pod.emit()
471
472 # def _missing_relations(self) -> str:
473 # """Checks if there missing relations.
474
475 # Returns:
476 # str: string with missing relations
477 # """
478 # data_status = {
479 # "kafka": self.state.message_host,
480 # "mongodb": self.state.database_uri,
481 # "ro": self.state.ro_host,
482 # }
483
484 # missing_relations = [k for k, v in data_status.items() if not v]
485
486 # return ", ".join(missing_relations)
487
488 # @property
489 # def relation_state(self) -> Dict[str, Any]:
490 # """Collects relation state configuration for pod spec assembly.
491
492 # Returns:
493 # Dict[str, Any]: relation state information.
494 # """
495 # relation_state = {
496 # "message_host": self.state.message_host,
497 # "message_port": self.state.message_port,
498 # "database_uri": self.state.database_uri,
499 # "ro_host": self.state.ro_host,
500 # "ro_port": self.state.ro_port,
501 # }
502
503 # return relation_state
504
505 # def configure_pod(self, event: EventBase) -> NoReturn:
506 # """Assemble the pod spec and apply it, if possible.
507
508 # Args:
509 # event (EventBase): Hook or Relation event that started the
510 # function.
511 # """
512 # if missing := self._missing_relations():
513 # self.unit.status = BlockedStatus(
514 # "Waiting for {0} relation{1}".format(
515 # missing, "s" if "," in missing else ""
516 # )
517 # )
518 # return
519
520 # if not self.unit.is_leader():
521 # self.unit.status = ActiveStatus("ready")
522 # return
523
524 # self.unit.status = MaintenanceStatus("Assembling pod spec")
525
526 # # Fetch image information
527 # try:
528 # self.unit.status = MaintenanceStatus("Fetching image information")
529 # image_info = self.image.fetch()
530 # except OCIImageResourceError:
531 # self.unit.status = BlockedStatus("Error fetching image information")
532 # return
533
534 # try:
535 # pod_spec = make_pod_spec(
536 # image_info,
537 # self.model.config,
538 # self.relation_state,
539 # self.model.app.name,
540 # self.port,
541 # )
542 # except ValueError as exc:
543 # logger.exception("Config/Relation data validation error")
544 # self.unit.status = BlockedStatus(str(exc))
545 # return
546
547 # if self.state.pod_spec != pod_spec:
548 # self.model.pod.set_spec(pod_spec)
549 # self.state.pod_spec = pod_spec
550
551 # self.unit.status = ActiveStatus("ready")
552
553
554 # if __name__ == "__main__":
555 # main(LcmCharm)