Also enhance unit tests to do more robust checking of results.
Issue-ID: DCAEGEN2-1550
Change-Id: Icf6e5357d828e19db73bb58b98fd60e9f111d0dc
Signed-off-by: Jack Lucas <jflucas@research.att.com>
TLS_CERT_PATH = "/opt/tls/shared"
TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.0"
+TLS_CA_CERT_PATH = "/opt/dcae/cacert/cacert.pem"
+TLS_CA_CONFIGMAP = "dcae-cacert-configmap"
+
+CBS_BASE_URL = "https://config-binding-service:10443/service_component_all"
def _set_defaults():
""" Set default configuration parameters """
"config_map" : FB_CONFIG_MAP, # ConfigMap holding the filebeat configuration
"image": FB_IMAGE # Docker image to use for filebeat
},
- "tls": { # Configuration for setting up TLS init container
+ "tls": { # Configuration for setting up TLS
"cert_path" : TLS_CERT_PATH, # mount point for certificate volume in TLS init container
- "image": TLS_IMAGE # Docker image to use for TLS init container
+ "image": TLS_IMAGE, # Docker image to use for TLS init container
+ "component_ca_cert_path": TLS_CA_CERT_PATH, # Mount point for CA cert for components that are clients only
+ "ca_cert_configmap": TLS_CA_CONFIGMAP # ConfigMap holding CA cert for components that are clients only
+ },
+ "cbs": {
+ "base_url" : CBS_BASE_URL # URL prefix for accessing config binding service
}
+
}
def configure(config_path=_CONFIG_PATH, key = _CONSUL_KEY):
tosca_definitions_version: cloudify_dsl_1_3
-imports:
- - http://www.getcloudify.org/spec/cloudify/3.4/types.yaml
-
plugins:
k8s:
executor: 'central_deployment_agent'
package_name: k8splugin
- package_version: 1.4.13
+ package_version: 1.5.0
data_types:
raise ValueError("Bad interval specification: {0}".format(t))
return time
-def _create_probe(hc, port, use_tls=False):
+def _create_probe(hc, port):
''' Create a Kubernetes probe based on info in the health check dictionary hc '''
probe_type = hc['type']
probe = None
else:
return None
-def _create_container_object(name, image, always_pull, use_tls=False, env={}, container_ports=[], volume_mounts = [], resources = None, readiness = None, liveness = None):
+def _create_container_object(name, image, always_pull, env={}, container_ports=[], volume_mounts = [], resources = None, readiness = None, liveness = None):
# Set up environment variables
# Copy any passed in environment variables
env_vars = [client.V1EnvVar(name=k, value=env[k]) for k in env.keys()]
hc_port = None
if len(container_ports) > 0:
(hc_port, proto) = container_ports[0]
- probe = _create_probe(readiness, hc_port, use_tls)
+ probe = _create_probe(readiness, hc_port)
if liveness:
hc_port = None
if len(container_ports) > 0:
(hc_port, proto) = container_ports[0]
- live_probe = _create_probe(liveness, hc_port, use_tls)
+ live_probe = _create_probe(liveness, hc_port)
if resources:
resources_obj = _create_resources(resources)
"config_subpath" : subpath for config data in filebeat container
"config_map" : ConfigMap holding the filebeat configuration
"image": Docker image to use for filebeat
- - tls: a dictionary of TLS init container parameters:
+ - tls: a dictionary of TLS-related information:
"cert_path": mount point for certificate volume in init container
"image": Docker image to use for TLS init container
+ "component_ca_cert_path" : mount point for CA cert for client-only containers
+ "ca_cert_configmap": the name of the ConfigMap where the CA cert is stored
kwargs may have:
- volumes: array of volume objects, where a volume object is:
{"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw_or_ro"}
sidecar_volume_mounts.append(client.V1VolumeMount(name="filebeat-data", mount_path=fb["data_path"]))
# Create the container for the sidecar
- containers.append(_create_container_object("filebeat", fb["image"], False, False, {}, [], sidecar_volume_mounts))
+ containers.append(_create_container_object("filebeat", fb["image"], False, {}, [], sidecar_volume_mounts))
# Create the volume for the sidecar configuration data and the volume mount for it
# The configuration data is in a k8s ConfigMap that should be created when DCAE is installed.
sidecar_volume_mounts.append(
client.V1VolumeMount(name="filebeat-conf", mount_path=fb["config_path"], sub_path=fb["config_subpath"]))
- # Set up the TLS init container, if needed
- tls_info = kwargs.get("tls_info")
- use_tls = False
- if tls_info and "use_tls" in tls_info and tls_info["use_tls"]:
- if "cert_directory" in tls_info and len(tls_info["cert_directory"]) > 0:
- use_tls = True
- tls_config = k8sconfig["tls"]
+ # Set up TLS information
+ # Two different ways of doing this, depending on whether the container will act as a TLS server or as a client only
+ # If a server, then tls_info will be passed, and tls_info["use_tls"] will be set to true. We create an InitContainer
+ # that sets up the CA cert, the server cert, and the keys.
+ # If a client only, only the CA cert is needed. We mount the CA cert from a ConfigMap that has been created as part
+ # of the installation process. If there is cert_directory information in tls_info, we use that directory in the mount path.
+ # Otherwise, we use the configured default path in tls_config.
+ tls_info = kwargs.get("tls_info")
+ tls_config = k8sconfig["tls"]
+ tls_server = False
+ cert_directory = None
+
+ if tls_info and "cert_directory" in tls_info and len(tls_info["cert_directory"]) > 0:
+ cert_directory = tls_info["cert_directory"]
+ if tls_info and tls_info.get("use_tls", False):
+ tls_server = True
+ # Use an InitContainer to set up the certificate information
# Create the certificate volume and volume mounts
volumes.append(client.V1Volume(name="tls-info", empty_dir=client.V1EmptyDirVolumeSource()))
- volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=tls_info["cert_directory"]))
+ volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=cert_directory))
init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_config["cert_path"])]
# Create the init container
- init_containers.append(_create_container_object("init-tls", tls_config["image"], False, False, {}, [], init_volume_mounts))
+ init_containers.append(_create_container_object("init-tls", tls_config["image"], False, {}, [], init_volume_mounts))
+
+ if not tls_server:
+ # Use a config map
+ # Create the CA cert volume
+ volumes.append(client.V1Volume(name="tls-cacert", config_map=client.V1ConfigMapVolumeSource(name=tls_config["ca_cert_configmap"])))
+
+ # Create the volume mount
+ mount_path= cert_directory if cert_directory else os.path.dirname(tls_config["component_ca_cert_path"])
+ volume_mounts.append(client.V1VolumeMount(name="tls-cacert", mount_path=mount_path))
# Create the container for the component
# Make it the first container in the pod
- containers.insert(0, _create_container_object(component_name, image, always_pull, use_tls, kwargs.get("env", {}), container_ports, volume_mounts, resources, kwargs["readiness"], kwargs.get("liveness")))
+ containers.insert(0, _create_container_object(component_name, image, always_pull, kwargs.get("env", {}), container_ports, volume_mounts, resources, kwargs["readiness"], kwargs.get("liveness")))
# Build the k8s Deployment object
labels = kwargs.get("labels", {})
DCAE_NAMESPACE = plugin_conf.get("namespace")
DEFAULT_MAX_WAIT = plugin_conf.get("max_wait", 1800)
DEFAULT_K8S_LOCATION = plugin_conf.get("default_k8s_location")
+COMPONENT_CA_CERT_PATH = plugin_conf.get("tls").get("component_ca_cert_path")
+CBS_BASE_URL = plugin_conf.get("cbs").get("base_url")
# Used to construct delivery urls for data router subscribers. Data router in FTL
# requires https but this author believes that ONAP is to be defaulted to http.
- msb_list: array of msb objects, where an msb object is as described in msb/msb.py.
- log_info: an object with info for setting up ELK logging, with the form:
{"log_directory": "/path/to/container/log/directory", "alternate_fb_path" : "/alternate/sidecar/log/path"}"
+ - tls_info: an object with information for setting up the component to act as a TLS server, with the form:
+ {"use_tls" : true_or_false, "cert_directory": "/path/to/directory_where_certs_should_be_placed" }
- replicas: number of replicas to be launched initially
- readiness: object with information needed to create a readiness check
- liveness: object with information needed to create a liveness check
- k8s_location: name of the Kubernetes location (cluster) where the component is to be deployed
'''
+ tls_info = kwargs.get("tls_info")
env = { "CONSUL_HOST": CONSUL_INTERNAL_NAME,
- "CONFIG_BINDING_SERVICE": "config-binding-service" }
+ "CONFIG_BINDING_SERVICE": "config-binding-service",
+ "DCAE_CA_CERTPATH" : "{0}/cacert.pem".format(tls_info["cert_directory"]) if (tls_info and tls_info["cert_directory"]) else COMPONENT_CA_CERT_PATH,
+ "CBS_CONFIG_URL" : "{0}/{1}".format(CBS_BASE_URL, container_name)
+ }
env.update(kwargs.get("envs", {}))
ctx.logger.info("Starting k8s deployment for {}, image: {}, env: {}, kwargs: {}".format(container_name, image, env, kwargs))
ctx.logger.info("Passing k8sconfig: {}".format(plugin_conf))
<groupId>org.onap.dcaegen2.platform.plugins</groupId>
<artifactId>k8s</artifactId>
<name>k8s-plugin</name>
- <version>1.4.13-SNAPSHOT</version>
+ <version>1.5.0-SNAPSHOT</version>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
setup(
name='k8splugin',
description='Cloudify plugin for containerized components deployed using Kubernetes',
- version="1.4.13",
+ version="1.5.0",
author='J. F. Lucas, Michael Hwang, Tommy Carpenter',
packages=['k8splugin','k8sclient','msb','configure'],
zip_safe=False,
--- /dev/null
+# ============LICENSE_START=======================================================
+# org.onap.dcae
+# ================================================================================
+# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+# Common functions for unit testing
+def _set_k8s_configuration():
+ ''' Set up the basic k8s configuration '''
+ return {
+ "image_pull_secrets" : ["secret0", "secret1"],
+ "filebeat" : {
+ "log_path": "/var/log/onap",
+ "data_path": "/usr/share/filebeat/data",
+ "config_path": "/usr/share/filebeat/filebeat.yml",
+ "config_subpath": "filebeat.yml",
+ "image" : "filebeat-repo/filebeat:latest",
+ "config_map" : "dcae-filebeat-configmap"
+ },
+ "tls" : {
+ "cert_path": "/opt/certs",
+ "image": "tlsrepo/tls-init-container:1.2.3",
+ "component_ca_cert_path": "/opt/dcae/cacert/cacert.pem",
+ "ca_cert_configmap": "dcae-cacert-configmap"
+ },
+ "cbs": {
+ "base_url": "https://config-binding-service:10443/service_component_all/test-component"
+ }
+ }
+
+def _set_resources():
+ ''' Set resources '''
+ return {
+ "limits": {
+ "cpu" : 0.5,
+ "memory" : "2Gi"
+ },
+ "requests": {
+ "cpu" : 0.5,
+ "memory" : "2Gi"
+ }
+ }
+
+def _set_common_kwargs():
+ ''' Set kwargs common to all test cases '''
+ return {
+ "volumes": [
+ {"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw"}}
+ ],
+ "ports": ["80:0", "443:0"],
+ "env": {"NAME0": "value0", "NAME1": "value1"},
+ "log_info": {"log_directory": "/path/to/container/log/directory"},
+ "readiness": {"type": "http", "endpoint" : "/ready"}
+ }
+
+def _get_item_by_name(list, name):
+ ''' Search a list of k8s API objects with the specified name '''
+ for item in list:
+ if item.name == name:
+ return item
+ return None
+
+def check_env_var(env_list, name, value):
+ e = _get_item_by_name(env_list, name)
+ assert e and e.value == value
+
+def verify_common(dep, deployment_description):
+ ''' Check results common to all test cases '''
+ assert deployment_description["deployment"] == "dep-testcomponent"
+ assert deployment_description["namespace"] == "k8stest"
+ assert deployment_description["services"][0] == "testcomponent"
+
+ # For unit test purposes, we want to make sure that the deployment object
+ # we're passing to the k8s API is correct
+ app_container = dep.spec.template.spec.containers[0]
+ assert app_container.image == "example.com/testcomponent:1.4.3"
+ assert app_container.image_pull_policy == "IfNotPresent"
+ assert len(app_container.ports) == 2
+ assert app_container.ports[0].container_port == 80
+ assert app_container.ports[1].container_port == 443
+ assert app_container.readiness_probe.http_get.path == "/ready"
+ assert app_container.readiness_probe.http_get.scheme == "HTTP"
+ assert len(app_container.volume_mounts) == 3
+ assert app_container.volume_mounts[0].mount_path == "/path/on/container"
+ assert app_container.volume_mounts[1].mount_path == "/path/to/container/log/directory"
+
+ # Check environment variables
+ env = app_container.env
+ check_env_var(env, "NAME0", "value0")
+ check_env_var(env, "NAME1", "value1")
+
+ # Should have a log container with volume mounts
+ log_container = dep.spec.template.spec.containers[1]
+ assert log_container.image == "filebeat-repo/filebeat:latest"
+ assert log_container.volume_mounts[0].mount_path == "/var/log/onap/testcomponent"
+ assert log_container.volume_mounts[0].name == "component-log"
+ assert log_container.volume_mounts[1].mount_path == "/usr/share/filebeat/data"
+ assert log_container.volume_mounts[1].name == "filebeat-data"
+ assert log_container.volume_mounts[2].mount_path == "/usr/share/filebeat/filebeat.yml"
+ assert log_container.volume_mounts[2].name == "filebeat-conf"
+
+ # Needs to be correctly labeled so that the Service can find it
+ assert dep.spec.template.metadata.labels["app"] == "testcomponent"
+
+
+def do_deploy(tls_info=None):
+ ''' Common deployment operations '''
+ import k8sclient.k8sclient
+
+ k8s_test_config = _set_k8s_configuration()
+
+ resources = _set_resources()
+
+ kwargs = _set_common_kwargs()
+ if tls_info:
+ kwargs["tls_info"] = tls_info
+
+ dep, deployment_description = k8sclient.k8sclient.deploy("k8stest","testcomponent","example.com/testcomponent:1.4.3",1,False, k8s_test_config, resources, **kwargs)
+
+ # Make sure all of the basic k8s parameters are correct
+ verify_common(dep, deployment_description)
+
+ return dep, deployment_description
\ No newline at end of file
# ============LICENSE_START=======================================================
# org.onap.dcae
# ================================================================================
-# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@pytest.fixture()
def mockconfig(monkeypatch):
+ from configure import configure
""" Override the regular configure() routine that reads a file and calls Consul"""
def altconfig():
- return {
- "consul_host": "consul",
- "namespace":"dcae",
- "consul_dns_name" : "consul",
- "image_pull_secrets" : []
- }
- from configure import configure
- monkeypatch.setattr(configure, 'configure', altconfig)
\ No newline at end of file
+ config = configure._set_defaults()
+ config["consul_host"] = config["consul_dns_name"]
+ return config
+ monkeypatch.setattr(configure, 'configure', altconfig)
+
+@pytest.fixture()
+def mockk8sapi(monkeypatch):
+ import k8sclient.k8sclient
+ from kubernetes import client
+
+ # We need to patch the kubernetes 'client' module
+ # Awkward because of the way it requires a function call
+ # to get an API object
+ core = client.CoreV1Api()
+ ext = client.ExtensionsV1beta1Api()
+
+ def pseudo_deploy(namespace, dep):
+ return dep
+
+ def pseudo_service(namespace, svc):
+ return svc
+
+ # patched_core returns a CoreV1Api object with the
+ # create_namespaced_service method stubbed out so that there
+ # is no attempt to call the k8s API server
+ def patched_core():
+ monkeypatch.setattr(core, "create_namespaced_service", pseudo_service)
+ return core
+
+ # patched_ext returns an ExtensionsV1beta1Api object with the
+ # create_namespaced_deployment method stubbed out so that there
+ # is no attempt to call the k8s API server
+ def patched_ext():
+ monkeypatch.setattr(ext,"create_namespaced_deployment", pseudo_deploy)
+ return ext
+
+ def pseudo_configure(loc):
+ pass
+
+ monkeypatch.setattr(k8sclient.k8sclient,"_configure_api", pseudo_configure)
+ monkeypatch.setattr(client, "CoreV1Api", patched_core)
+ monkeypatch.setattr(client,"ExtensionsV1beta1Api", patched_ext)
# limitations under the License.
# ============LICENSE_END=========================================================
+# Basic sanity tests for k8sclient functions
+
import pytest
def test_parse_interval():
for hc in script_checks:
probe = _create_probe(hc, 13131)
assert probe._exec.command[0] == hc["script"]
-
-def test_deploy(monkeypatch):
- import k8sclient.k8sclient
- from kubernetes import client
-
- # We need to patch the kubernetes 'client' module
- # Awkward because of the way it requires a function call
- # to get an API object
- core = client.CoreV1Api()
- ext = client.ExtensionsV1beta1Api()
-
- def pseudo_deploy(namespace, dep):
- return dep
-
- def pseudo_service(namespace, svc):
- return svc
-
- # patched_core returns a CoreV1Api object with the
- # create_namespaced_service method stubbed out so that there
- # is no attempt to call the k8s API server
- def patched_core():
- monkeypatch.setattr(core, "create_namespaced_service", pseudo_service)
- return core
-
- # patched_ext returns an ExtensionsV1beta1Api object with the
- # create_namespaced_deployment method stubbed out so that there
- # is no attempt to call the k8s API server
- def patched_ext():
- monkeypatch.setattr(ext,"create_namespaced_deployment", pseudo_deploy)
- return ext
-
- def pseudo_configure(loc):
- pass
-
- monkeypatch.setattr(k8sclient.k8sclient,"_configure_api", pseudo_configure)
- monkeypatch.setattr(client, "CoreV1Api", patched_core)
- monkeypatch.setattr(client,"ExtensionsV1beta1Api", patched_ext)
-
- k8s_test_config = {
- "image_pull_secrets" : ["secret0", "secret1"],
- "filebeat" : {
- "log_path": "/var/log/onap",
- "data_path": "/usr/share/filebeat/data",
- "config_path": "/usr/share/filebeat/filebeat.yml",
- "config_subpath": "filebeat.yml",
- "image" : "filebeat-repo/filebeat:latest",
- "config_map" : "dcae-filebeat-configmap"
- },
- "tls" : {
- "cert_path": "/opt/certs",
- "image": "tlsrepo/tls-init-container:1.2.3"
- }
- }
-
- resources = {
- "limits": {
- "cpu" : 0.5,
- "memory" : "2Gi"
- },
- "requests": {
- "cpu" : 0.5,
- "memory" : "2Gi"
- }
- }
-
- kwargs = {
- "volumes": [
- {"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw"}}
- ],
- "ports": ["80:0", "443:0"],
- "env": {"name0": "value0", "name1": "value1"},
- "log_info": {"log_directory": "/path/to/container/log/directory"},
- "tls_info": {"use_tls": True, "cert_directory": "/path/to/container/cert/directory" },
- "readiness": {"type": "http", "endpoint" : "/ready"}
- }
- dep, deployment_description = k8sclient.k8sclient.deploy("k8stest","testcomponent","example.com/testcomponent:1.4.3",1,False, k8s_test_config, resources, **kwargs)
-
- assert deployment_description["deployment"] == "dep-testcomponent"
- assert deployment_description["namespace"] == "k8stest"
- assert deployment_description["services"][0] == "testcomponent"
-
- # For unit test purposes, we want to make sure that the deployment object
- # we're passing to the k8s API is correct
- app_container = dep.spec.template.spec.containers[0]
- assert app_container.image == "example.com/testcomponent:1.4.3"
- assert app_container.image_pull_policy == "IfNotPresent"
- assert len(app_container.ports) == 2
- assert app_container.ports[0].container_port == 80
- assert app_container.ports[1].container_port == 443
- assert app_container.readiness_probe.http_get.path == "/ready"
- assert app_container.readiness_probe.http_get.scheme == "HTTP"
- assert len(app_container.volume_mounts) == 3
- assert app_container.volume_mounts[0].mount_path == "/path/on/container"
- assert app_container.volume_mounts[1].mount_path == "/path/to/container/log/directory"
- assert app_container.volume_mounts[2].mount_path == "/path/to/container/cert/directory"
-
- # Needs to be correctly labeled so that the Service can find it
- assert dep.spec.template.metadata.labels["app"] == "testcomponent"
--- /dev/null
+# ============LICENSE_START=======================================================
+# org.onap.dcae
+# ================================================================================
+# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+# Test k8sclient deployment functions
+# Verify that for a given configuration and set of inputs, k8sclient generates the proper
+# Kubernetes entities
+
+import pytest
+from common import do_deploy
+
+def test_deploy_full_tls(mockk8sapi):
+ ''' Deploy component with a full TLS configuration, to act as a server '''
+
+ dep, deployment_description = do_deploy({"use_tls": True, "cert_directory": "/path/to/container/cert/directory" })
+
+ app_container = dep.spec.template.spec.containers[0]
+ assert app_container.volume_mounts[2].mount_path == "/path/to/container/cert/directory"
+
+def test_deploy_tls_off(mockk8sapi):
+ ''' TLS client only, but with cert directory configured '''
+
+ dep, deployment_description = do_deploy({"use_tls": False, "cert_directory": "/path/to/container/cert/directory" })
+
+ app_container = dep.spec.template.spec.containers[0]
+ assert app_container.volume_mounts[2].mount_path == "/path/to/container/cert/directory"
+
+def test_deploy_no_tls_info(mockk8sapi):
+ ''' TLS client only, but with cert directory configured '''
+
+ dep, deployment_description = do_deploy()
+
+ app_container = dep.spec.template.spec.containers[0]
+ assert app_container.volume_mounts[2].mount_path == "/opt/dcae/cacert"
Code Review / dcaegen2 / platform / plugins.git / commitdiff