diff --git a/.pylintrc b/.pylintrc
new file mode 100644
index 0000000000000000000000000000000000000000..3f7a685c6d1bf59fd2bc821f0d0746f1f5258683
--- /dev/null
+++ b/.pylintrc
@@ -0,0 +1,610 @@
+[MAIN]
+
+# Analyse import fallback blocks. This can be used to support both Python 2 and
+# 3 compatible code, which means that the block might have code that exists
+# only in one or another interpreter, leading to false positives when analysed.
+analyse-fallback-blocks=no
+
+# Load and enable all available extensions. Use --list-extensions to see a list
+# all available extensions.
+#enable-all-extensions=
+
+# In error mode, messages with a category besides ERROR or FATAL are
+# suppressed, and no reports are done by default. Error mode is compatible with
+# disabling specific errors.
+#errors-only=
+
+# Always return a 0 (non-error) status code, even if lint errors are found.
+# This is primarily useful in continuous integration scripts.
+#exit-zero=
+
+# A comma-separated list of package or module names from where C extensions may
+# be loaded. Extensions are loading into the active Python interpreter and may
+# run arbitrary code.
+extension-pkg-allow-list=
+
+# A comma-separated list of package or module names from where C extensions may
+# be loaded. Extensions are loading into the active Python interpreter and may
+# run arbitrary code. (This is an alternative name to extension-pkg-allow-list
+# for backward compatibility.)
+extension-pkg-whitelist=
+
+# Return non-zero exit code if any of these messages/categories are detected,
+# even if score is above --fail-under value. Syntax same as enable. Messages
+# specified are enabled, while categories only check already-enabled messages.
+fail-on=
+
+# Specify a score threshold to be exceeded before program exits with error.
+fail-under=10
+
+# Interpret the stdin as a python script, whose filename needs to be passed as
+# the module_or_package argument.
+#from-stdin=
+
+# Files or directories to be skipped. They should be base names, not paths.
+ignore=CVS
+
+# Add files or directories matching the regex patterns to the ignore-list. The
+# regex matches against paths and can be in Posix or Windows format.
+ignore-paths=
+
+# Files or directories matching the regex patterns are skipped. The regex
+# matches against base names, not paths. The default value ignores Emacs file
+# locks
+ignore-patterns=^\.#
+
+# List of module names for which member attributes should not be checked
+# (useful for modules/projects where namespaces are manipulated during runtime
+# and thus existing member attributes cannot be deduced by static analysis). It
+# supports qualified module names, as well as Unix pattern matching.
+ignored-modules=
+
+# Python code to execute, usually for sys.path manipulation such as
+# pygtk.require().
+#init-hook=
+
+# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the
+# number of processors available to use, and will cap the count on Windows to
+# avoid hangs.
+jobs=1
+
+# Control the amount of potential inferred values when inferring a single
+# object. This can help the performance when dealing with large functions or
+# complex, nested conditions.
+limit-inference-results=100
+
+# List of plugins (as comma separated values of python module names) to load,
+# usually to register additional checkers.
+load-plugins=pylint_flask,pylint_flask_sqlalchemy
+
+# Pickle collected data for later comparisons.
+persistent=yes
+
+# Minimum Python version to use for version dependent checks. Will default to
+# the version used to run pylint.
+py-version=3.9
+
+# Discover python modules and packages in the file system subtree.
+recursive=no
+
+# When enabled, pylint would attempt to guess common misconfiguration and emit
+# user-friendly hints instead of false-positive error messages.
+suggestion-mode=yes
+
+# Allow loading of arbitrary C extensions. Extensions are imported into the
+# active Python interpreter and may run arbitrary code.
+unsafe-load-any-extension=no
+
+# In verbose mode, extra non-checker-related info will be displayed.
+#verbose=
+
+
+[REPORTS]
+
+# Python expression which should return a score less than or equal to 10. You
+# have access to the variables 'fatal', 'error', 'warning', 'refactor',
+# 'convention', and 'info' which contain the number of messages in each
+# category, as well as 'statement' which is the total number of statements
+# analyzed. This score is used by the global evaluation report (RP0004).
+evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10))
+
+# Template used to display messages. This is a python new-style format string
+# used to format the message information. See doc for all details.
+msg-template=
+
+# Set the output format. Available formats are text, parseable, colorized, json
+# and msvs (visual studio). You can also give a reporter class, e.g.
+# mypackage.mymodule.MyReporterClass.
+#output-format=
+
+# Tells whether to display a full report or only the messages.
+reports=no
+
+# Activate the evaluation score.
+score=yes
+
+
+[MESSAGES CONTROL]
+
+# Only show warnings with the listed confidence levels. Leave empty to show
+# all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE,
+# UNDEFINED.
+confidence=HIGH,
+ CONTROL_FLOW,
+ INFERENCE,
+ INFERENCE_FAILURE,
+ UNDEFINED
+
+# Disable the message, report, category or checker with the given id(s). You
+# can either give multiple identifiers separated by comma (,) or put this
+# option multiple times (only on the command line, not in the configuration
+# file where it should appear only once). You can also use "--disable=all" to
+# disable everything first and then re-enable specific checks. For example, if
+# you want to run only the similarities checker, you can use "--disable=all
+# --enable=similarities". If you want to run only the classes checker, but have
+# no Warning level messages displayed, use "--disable=all --enable=classes
+# --disable=W".
+disable=raw-checker-failed,
+ bad-inline-option,
+ locally-disabled,
+ file-ignored,
+ suppressed-message,
+ useless-suppression,
+ deprecated-pragma,
+ use-symbolic-message-instead
+
+# Enable the message, report, category or checker with the given id(s). You can
+# either give multiple identifier separated by comma (,) or put this option
+# multiple time (only on the command line, not in the configuration file where
+# it should appear only once). See also the "--disable" option for examples.
+enable=c-extension-no-member
+
+
+[CLASSES]
+
+# Warn about protected attribute access inside special methods
+check-protected-access-in-special-methods=no
+
+# List of method names used to declare (i.e. assign) instance attributes.
+defining-attr-methods=__init__,
+ __new__,
+ setUp,
+ __post_init__
+
+# List of member names, which should be excluded from the protected access
+# warning.
+exclude-protected=_asdict,
+ _fields,
+ _replace,
+ _source,
+ _make
+
+# List of valid names for the first argument in a class method.
+valid-classmethod-first-arg=cls
+
+# List of valid names for the first argument in a metaclass class method.
+valid-metaclass-classmethod-first-arg=cls
+
+
+[SIMILARITIES]
+
+# Comments are removed from the similarity computation
+ignore-comments=yes
+
+# Docstrings are removed from the similarity computation
+ignore-docstrings=yes
+
+# Imports are removed from the similarity computation
+ignore-imports=yes
+
+# Signatures are removed from the similarity computation
+ignore-signatures=yes
+
+# Minimum lines number of a similarity.
+min-similarity-lines=4
+
+
+[REFACTORING]
+
+# Maximum number of nested blocks for function / method body
+max-nested-blocks=5
+
+# Complete name of functions that never returns. When checking for
+# inconsistent-return-statements if a never returning function is called then
+# it will be considered as an explicit return statement and no message will be
+# printed.
+never-returning-functions=sys.exit,argparse.parse_error
+
+
+[BASIC]
+
+# Naming style matching correct argument names.
+argument-naming-style=snake_case
+
+# Regular expression matching correct argument names. Overrides argument-
+# naming-style. If left empty, argument names will be checked with the set
+# naming style.
+#argument-rgx=
+
+# Naming style matching correct attribute names.
+attr-naming-style=snake_case
+
+# Regular expression matching correct attribute names. Overrides attr-naming-
+# style. If left empty, attribute names will be checked with the set naming
+# style.
+#attr-rgx=
+
+# Bad variable names which should always be refused, separated by a comma.
+bad-names=foo,
+ bar,
+ baz,
+ toto,
+ tutu,
+ tata
+
+# Bad variable names regexes, separated by a comma. If names match any regex,
+# they will always be refused
+bad-names-rgxs=
+
+# Naming style matching correct class attribute names.
+class-attribute-naming-style=any
+
+# Regular expression matching correct class attribute names. Overrides class-
+# attribute-naming-style. If left empty, class attribute names will be checked
+# with the set naming style.
+#class-attribute-rgx=
+
+# Naming style matching correct class constant names.
+class-const-naming-style=UPPER_CASE
+
+# Regular expression matching correct class constant names. Overrides class-
+# const-naming-style. If left empty, class constant names will be checked with
+# the set naming style.
+#class-const-rgx=
+
+# Naming style matching correct class names.
+class-naming-style=PascalCase
+
+# Regular expression matching correct class names. Overrides class-naming-
+# style. If left empty, class names will be checked with the set naming style.
+#class-rgx=
+
+# Naming style matching correct constant names.
+const-naming-style=UPPER_CASE
+
+# Regular expression matching correct constant names. Overrides const-naming-
+# style. If left empty, constant names will be checked with the set naming
+# style.
+#const-rgx=
+
+# Minimum line length for functions/classes that require docstrings, shorter
+# ones are exempt.
+docstring-min-length=-1
+
+# Naming style matching correct function names.
+function-naming-style=snake_case
+
+# Regular expression matching correct function names. Overrides function-
+# naming-style. If left empty, function names will be checked with the set
+# naming style.
+#function-rgx=
+
+# Good variable names which should always be accepted, separated by a comma.
+good-names=i,
+ j,
+ k,
+ ex,
+ Run,
+ _
+
+# Good variable names regexes, separated by a comma. If names match any regex,
+# they will always be accepted
+good-names-rgxs=
+
+# Include a hint for the correct naming format with invalid-name.
+include-naming-hint=no
+
+# Naming style matching correct inline iteration names.
+inlinevar-naming-style=any
+
+# Regular expression matching correct inline iteration names. Overrides
+# inlinevar-naming-style. If left empty, inline iteration names will be checked
+# with the set naming style.
+#inlinevar-rgx=
+
+# Naming style matching correct method names.
+method-naming-style=snake_case
+
+# Regular expression matching correct method names. Overrides method-naming-
+# style. If left empty, method names will be checked with the set naming style.
+#method-rgx=
+
+# Naming style matching correct module names.
+module-naming-style=snake_case
+
+# Regular expression matching correct module names. Overrides module-naming-
+# style. If left empty, module names will be checked with the set naming style.
+#module-rgx=
+
+# Colon-delimited sets of names that determine each other's naming style when
+# the name regexes allow several styles.
+name-group=
+
+# Regular expression which should only match function or class names that do
+# not require a docstring.
+no-docstring-rgx=^_
+
+# List of decorators that produce properties, such as abc.abstractproperty. Add
+# to this list to register other decorators that produce valid properties.
+# These decorators are taken in consideration only for invalid-name.
+property-classes=abc.abstractproperty
+
+# Regular expression matching correct type variable names. If left empty, type
+# variable names will be checked with the set naming style.
+#typevar-rgx=
+
+# Naming style matching correct variable names.
+variable-naming-style=snake_case
+
+# Regular expression matching correct variable names. Overrides variable-
+# naming-style. If left empty, variable names will be checked with the set
+# naming style.
+#variable-rgx=
+
+
+[SPELLING]
+
+# Limits count of emitted suggestions for spelling mistakes.
+max-spelling-suggestions=4
+
+# Spelling dictionary name. Available dictionaries: none. To make it work,
+# install the 'python-enchant' package.
+spelling-dict=
+
+# List of comma separated words that should be considered directives if they
+# appear at the beginning of a comment and should not be checked.
+spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy:
+
+# List of comma separated words that should not be checked.
+spelling-ignore-words=
+
+# A path to a file that contains the private dictionary; one word per line.
+spelling-private-dict-file=
+
+# Tells whether to store unknown words to the private dictionary (see the
+# --spelling-private-dict-file option) instead of raising a message.
+spelling-store-unknown-words=no
+
+
+[VARIABLES]
+
+# List of additional names supposed to be defined in builtins. Remember that
+# you should avoid defining new builtins when possible.
+additional-builtins=
+
+# Tells whether unused global variables should be treated as a violation.
+allow-global-unused-variables=yes
+
+# List of names allowed to shadow builtins
+allowed-redefined-builtins=
+
+# List of strings which can identify a callback function by name. A callback
+# name must start or end with one of those strings.
+callbacks=cb_,
+ _cb
+
+# A regular expression matching the name of dummy variables (i.e. expected to
+# not be used).
+dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_
+
+# Argument names that match this expression will be ignored. Default to name
+# with leading underscore.
+ignored-argument-names=_.*|^ignored_|^unused_
+
+# Tells whether we should check for unused import in __init__ files.
+init-import=no
+
+# List of qualified module names which can have objects that can redefine
+# builtins.
+redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io
+
+
+[LOGGING]
+
+# The type of string formatting that logging methods do. `old` means using %
+# formatting, `new` is for `{}` formatting.
+logging-format-style=old
+
+# Logging modules to check that the string format arguments are in logging
+# function parameter format.
+logging-modules=logging
+
+
+[FORMAT]
+
+# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
+expected-line-ending-format=
+
+# Regexp for a line that is allowed to be longer than the limit.
+ignore-long-lines=^\s*(# )?<?https?://\S+>?$
+
+# Number of spaces of indent required inside a hanging or continued line.
+indent-after-paren=4
+
+# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1
+# tab).
+indent-string=' '
+
+# Maximum number of characters on a single line.
+max-line-length=100
+
+# Maximum number of lines in a module.
+max-module-lines=1000
+
+# Allow the body of a class to be on the same line as the declaration if body
+# contains single statement.
+single-line-class-stmt=no
+
+# Allow the body of an if to be on the same line as the test if there is no
+# else.
+single-line-if-stmt=no
+
+
+[EXCEPTIONS]
+
+# Exceptions that will emit a warning when caught.
+overgeneral-exceptions=BaseException,
+ Exception
+
+
+[IMPORTS]
+
+# List of modules that can be imported at any level, not just the top level
+# one.
+allow-any-import-level=
+
+# Allow wildcard imports from modules that define __all__.
+allow-wildcard-with-all=no
+
+# Deprecated modules which should not be used, separated by a comma.
+deprecated-modules=
+
+# Output a graph (.gv or any supported image format) of external dependencies
+# to the given file (report RP0402 must not be disabled).
+ext-import-graph=
+
+# Output a graph (.gv or any supported image format) of all (i.e. internal and
+# external) dependencies to the given file (report RP0402 must not be
+# disabled).
+import-graph=
+
+# Output a graph (.gv or any supported image format) of internal dependencies
+# to the given file (report RP0402 must not be disabled).
+int-import-graph=
+
+# Force import order to recognize a module as part of the standard
+# compatibility libraries.
+known-standard-library=
+
+# Force import order to recognize a module as part of a third party library.
+known-third-party=enchant
+
+# Couples of modules and preferred modules, separated by a comma.
+preferred-modules=
+
+
+[TYPECHECK]
+
+# List of decorators that produce context managers, such as
+# contextlib.contextmanager. Add to this list to register other decorators that
+# produce valid context managers.
+contextmanager-decorators=contextlib.contextmanager
+
+# List of members which are set dynamically and missed by pylint inference
+# system, and so shouldn't trigger E1101 when accessed. Python regular
+# expressions are accepted.
+generated-members=
+
+# Tells whether to warn about missing members when the owner of the attribute
+# is inferred to be None.
+ignore-none=yes
+
+# This flag controls whether pylint should warn about no-member and similar
+# checks whenever an opaque object is returned when inferring. The inference
+# can return multiple potential results while evaluating a Python object, but
+# some branches might not be evaluated, which results in partial inference. In
+# that case, it might be useful to still emit no-member and other checks for
+# the rest of the inferred objects.
+ignore-on-opaque-inference=yes
+
+# List of symbolic message names to ignore for Mixin members.
+ignored-checks-for-mixins=no-member,
+ not-async-context-manager,
+ not-context-manager,
+ attribute-defined-outside-init
+
+# List of class names for which member attributes should not be checked (useful
+# for classes with dynamically set attributes). This supports the use of
+# qualified names.
+ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace,scoped_session
+
+# Show a hint with possible names when a member name was not found. The aspect
+# of finding the hint is based on edit distance.
+missing-member-hint=yes
+
+# The minimum edit distance a name should have in order to be considered a
+# similar match for a missing member name.
+missing-member-hint-distance=1
+
+# The total number of similar names that should be taken in consideration when
+# showing a hint for a missing member.
+missing-member-max-choices=1
+
+# Regex pattern to define which classes are considered mixins.
+mixin-class-rgx=.*[Mm]ixin
+
+# List of decorators that change the signature of a decorated function.
+signature-mutators=
+
+
+[MISCELLANEOUS]
+
+# List of note tags to take in consideration, separated by a comma.
+notes=FIXME,
+ XXX,
+ TODO
+
+# Regular expression of note tags to take in consideration.
+notes-rgx=
+
+
+[STRING]
+
+# This flag controls whether inconsistent-quotes generates a warning when the
+# character used as a quote delimiter is used inconsistently within a module.
+check-quote-consistency=no
+
+# This flag controls whether the implicit-str-concat should generate a warning
+# on implicit string concatenation in sequences defined over several lines.
+check-str-concat-over-line-jumps=no
+
+
+[DESIGN]
+
+# List of regular expressions of class ancestor names to ignore when counting
+# public methods (see R0903)
+exclude-too-few-public-methods=
+
+# List of qualified class names to ignore when counting class parents (see
+# R0901)
+ignored-parents=
+
+# Maximum number of arguments for function / method.
+max-args=5
+
+# Maximum number of attributes for a class (see R0902).
+max-attributes=7
+
+# Maximum number of boolean expressions in an if statement (see R0916).
+max-bool-expr=5
+
+# Maximum number of branch for function / method body.
+max-branches=12
+
+# Maximum number of locals for function / method body.
+max-locals=15
+
+# Maximum number of parents for a class (see R0901).
+max-parents=7
+
+# Maximum number of public methods for a class (see R0904).
+max-public-methods=20
+
+# Maximum number of return / yield for function / method body.
+max-returns=6
+
+# Maximum number of statements in function / method body.
+max-statements=50
+
+# Minimum number of public methods for a class (see R0903).
+min-public-methods=2
diff --git a/areas/apps/apps.py b/areas/apps/apps.py
index edfc85211048650934ff1b4aef353186bb2232ab..fe9f30a101189fb1381cb366950f5836b2a21ebb 100644
--- a/areas/apps/apps.py
+++ b/areas/apps/apps.py
@@ -24,6 +24,7 @@ APPS_DATA = [
APP_DATA = {"id": 1, "name": "Nextcloud", "selected": True, "status": "ON for everyone", "config": CONFIG_DATA},
+APP_NOT_INSTALLED_STATUS = "Not installed"
@api_v1.route('/apps', methods=['GET'])
@jwt_required()
diff --git a/areas/apps/models.py b/areas/apps/models.py
index a9afdaf307dd8a8f34da3352fceb272bf435287f..f28971e5ce1c7c4ab14141376f283039fb25e11a 100644
--- a/areas/apps/models.py
+++ b/areas/apps/models.py
@@ -1,6 +1,12 @@
+"""Everything to do with Apps"""
+
+import os
+
from sqlalchemy import ForeignKey, Integer, String
from sqlalchemy.orm import relationship
from database import db
+import helpers.kubernetes as k8s
+from .apps import APP_NOT_INSTALLED_STATUS
class App(db.Model):
@@ -16,8 +22,153 @@ class App(db.Model):
def __repr__(self):
return f"{self.id} <{self.name}>"
+ def get_status(self):
+ """Returns a string that describes the app state in the cluster"""
+ kustomization = self.kustomization
+ if kustomization is not None and "status" in kustomization:
+ ks_ready, ks_message = App.check_condition(kustomization['status'])
+ else:
+ ks_ready = None
+ for helmrelease in self.helmreleases['items']:
+ hr_status = helmrelease['status']
+ hr_ready, hr_message = App.check_condition(hr_status)
+
+ # For now, only show the message of the first HR that isn't ready
+ if not hr_ready:
+ break
+
+ if ks_ready is None:
+ return APP_NOT_INSTALLED_STATUS
+ # *Should* not happen, but just in case:
+ if (ks_ready is None and hr_ready is not None) or \
+ (hr_ready is None and ks_ready is not None):
+ return ("This app is in a strange state. Contact a Stackspin"
+ " administrator if this status stays for longer than 5 minutes")
+ if ks_ready and hr_ready:
+ return "App installed and running"
+ if not hr_ready:
+ return f"App HelmRelease status: {hr_message}"
+ if not ks_ready:
+ return f"App Kustomization status: {ks_message}"
+ return "App is installing..."
+
+
+ def install(self):
+ """Creates a Kustomization in the Kubernetes cluster that installs this application"""
+ # Generate the necessary passwords, etc. from a template
+ self.__generate_secrets()
+ # Create add-<app> kustomization
+ self.__create_kustomization()
+
+ def uninstall(self):
+ """
+ Delete the app kustomization.
+
+ This triggers a deletion of the app's PVCs (so deletes all data), as
+ well as any other Kustomizations and HelmReleases related to the app
+ """
+ self.__delete_kustomization()
+
+ def delete(self):
+ """
+ Fully deletes an application
+
+ This includes user roles, all kubernetes objects and also PVCs, so your
+ data will be *gone*
+ """
+ # Delete all roles first
+ for role in self.roles:
+ role.delete()
+
+ db.session.delete(self)
+ return db.session.commit()
+
+ def __generate_secrets(self):
+ """Generates passwords for app installation"""
+ # Create app variables secret
+ if self.variables_template_filepath:
+ k8s.create_variables_secret(self.slug, self.variables_template_filepath)
+
+ def __create_kustomization(self):
+ """Creates the `add-{app_slug}` kustomization in the Kubernetes cluster"""
+ kustomization_template_filepath = \
+ os.path.join(self.__get_templates_dir(),
+ "add-app-kustomization.yaml.jinja")
+ k8s.store_kustomization(kustomization_template_filepath, self.slug)
+
+ def __delete_kustomization(self):
+ """Deletes kustomization for this app"""
+ k8s.delete_kustomization(f"add-{self.slug}")
+
+
+ @property
+ def variables_template_filepath(self):
+ """Path to the variables template used to generate secrets the app needs"""
+ variables_template_filepath = os.path.join(self.__get_templates_dir(),
+ f"stackspin-{self.slug}-variables.yaml.jinja")
+ if os.path.exists(variables_template_filepath):
+ return variables_template_filepath
+ return None
+
+ @property
+ def namespace(self):
+ """
+ Returns the Kubernetes namespace of this app
+
+ FIXME: This should probably become a database field.
+ """
+ if self.slug in ['nextcloud', 'wordpress', 'wekan', 'zulip']:
+ return 'stackspin-apps'
+ return 'stackspin'
+
+ @property
+ def roles(self):
+ """
+ All roles that are linked to this app
+ """
+ return AppRole.query.filter_by(
+ app_id=self.id
+ ).all()
+
+ @property
+ def kustomization(self):
+ """Returns the kustomization object for this app"""
+ return k8s.get_kustomization(self.slug)
+
+
+ @property
+ def helmreleases(self):
+ """Returns the helmreleases associated with the kustomization for this app"""
+ return k8s.list_helmreleases(self.namespace,
+ f"kustomize.toolkit.fluxcd.io/name={self.slug}")
+
+ @staticmethod
+ def __get_templates_dir():
+ """Returns directory that contains the Jinja templates used to create app secrets."""
+ return os.path.join(os.path.dirname(os.path.realpath(__file__)), "templates")
+
+ @staticmethod
+ def check_condition(status):
+ """
+ Returns a tuple that has true/false for readiness and a message
+
+ Ready, in this case means that the condition's type == "Ready" and its
+ status == "True". If the condition type "Ready" does not occur, the
+ status is interpreted as not ready.
+
+ The message that is returned is the message that comes with the
+ condition with type "Ready"
+
+ :param status: Kubernetes resource's "status" object.
+ :type status: dict
+ """
+ for condition in status["conditions"]:
+ if condition["type"] == "Ready":
+ return condition["status"] == "True", condition["message"]
+ return False, "Condition with type 'Ready' not found"
+
-class AppRole(db.Model):
+class AppRole(db.Model): # pylint: disable=too-few-public-methods
"""
The AppRole object, stores the roles Users have on Apps
"""
@@ -29,4 +180,5 @@ class AppRole(db.Model):
role = relationship("Role")
def __repr__(self):
- return f"role_id: {self.role_id}, user_id: {self.user_id}, app_id: {self.app_id}, role: {self.role}"
+ return (f"role_id: {self.role_id}, user_id: {self.user_id},"
+ f" app_id: {self.app_id}, role: {self.role}")
diff --git a/areas/apps/templates/add-app-kustomization.yaml.jinja b/areas/apps/templates/add-app-kustomization.yaml.jinja
new file mode 100644
index 0000000000000000000000000000000000000000..60682459c17c04cf3a8c1322d3ca082a9234d9c5
--- /dev/null
+++ b/areas/apps/templates/add-app-kustomization.yaml.jinja
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: add-{{ app }}
+ namespace: flux-system
+spec:
+ interval: 1h0m0s
+ path: ./flux2/cluster/optional/{{ app }}
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: stackspin
+
diff --git a/areas/apps/templates/stackspin-nextcloud-variables.yaml.jinja b/areas/apps/templates/stackspin-nextcloud-variables.yaml.jinja
new file mode 100644
index 0000000000000000000000000000000000000000..824749fd54bd988525f3b8cccdc346079971ec7a
--- /dev/null
+++ b/areas/apps/templates/stackspin-nextcloud-variables.yaml.jinja
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: stackspin-nextcloud-variables
+data:
+ nextcloud_password: "{{ 32 | generate_password | b64encode }}"
+ nextcloud_mariadb_password: "{{ 32 | generate_password | b64encode }}"
+ nextcloud_mariadb_root_password: "{{ 32 | generate_password | b64encode }}"
+ onlyoffice_database_password: "{{ 32 | generate_password | b64encode }}"
+ onlyoffice_jwt_secret: "{{ 32 | generate_password | b64encode }}"
+ onlyoffice_rabbitmq_password: "{{ 32 | generate_password | b64encode }}"
diff --git a/areas/apps/templates/stackspin-oauth-variables.yaml.jinja b/areas/apps/templates/stackspin-oauth-variables.yaml.jinja
new file mode 100644
index 0000000000000000000000000000000000000000..32a0ab0785d45ed113a39706af4b1c4f8601e080
--- /dev/null
+++ b/areas/apps/templates/stackspin-oauth-variables.yaml.jinja
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: stackspin-{{ app }}-oauth-variables
+data:
+ client_id: "{{ app | b64encode }}"
+ client_secret: "{{ 32 | generate_password | b64encode }}"
diff --git a/areas/apps/templates/stackspin-wekan-variables.yaml.jinja b/areas/apps/templates/stackspin-wekan-variables.yaml.jinja
new file mode 100644
index 0000000000000000000000000000000000000000..b5bad3dc2514f3f72d6ad30cf662ac794a6422a6
--- /dev/null
+++ b/areas/apps/templates/stackspin-wekan-variables.yaml.jinja
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: stackspin-wekan-variables
+data:
+ mongodb_password: "{{ 32 | generate_password | b64encode }}"
+ mongodb_root_password: "{{ 32 | generate_password | b64encode }}"
diff --git a/areas/apps/templates/stackspin-wordpress-variables.yaml.jinja b/areas/apps/templates/stackspin-wordpress-variables.yaml.jinja
new file mode 100644
index 0000000000000000000000000000000000000000..b491834d6d0ea9bc7dda576b8846988c6af8f09f
--- /dev/null
+++ b/areas/apps/templates/stackspin-wordpress-variables.yaml.jinja
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: stackspin-wordpress-variables
+data:
+ wordpress_admin_password: "{{ 32 | generate_password | b64encode }}"
+ wordpress_mariadb_password: "{{ 32 | generate_password | b64encode }}"
+ wordpress_mariadb_root_password: "{{ 32 | generate_password | b64encode }}"
diff --git a/areas/apps/templates/stackspin-zulip-variables.yaml.jinja b/areas/apps/templates/stackspin-zulip-variables.yaml.jinja
new file mode 100644
index 0000000000000000000000000000000000000000..80fc8f48207c62ff0f37896671590c74e9b6c797
--- /dev/null
+++ b/areas/apps/templates/stackspin-zulip-variables.yaml.jinja
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: stackspin-zulip-variables
+data:
+ admin_password: "{{ 32 | generate_password | b64encode }}"
+ memcached_password: "{{ 32 | generate_password | b64encode }}"
+ rabbitmq_password: "{{ 32 | generate_password | b64encode }}"
+ rabbitmq_erlang_cookie: "{{ 32 | generate_password | b64encode }}"
+ redis_password: "{{ 32 | generate_password | b64encode }}"
+ postgresql_password: "{{ 32 | generate_password | b64encode }}"
+ zulip_password: "{{ 32 | generate_password | b64encode }}"
diff --git a/cliapp/cliapp/cli.py b/cliapp/cliapp/cli.py
index 75194a1c5e640ed2f7d83ad45f14eb82941325a0..6a689bfd7f512327f89ff8bb354b0c77405819e3 100644
--- a/cliapp/cliapp/cli.py
+++ b/cliapp/cliapp/cli.py
@@ -13,11 +13,11 @@ from flask.cli import AppGroup
from ory_kratos_client.api import v0alpha2_api as kratos_api
from sqlalchemy import func
-from config import *
+from config import HYDRA_ADMIN_URL, KRATOS_ADMIN_URL, KRATOS_PUBLIC_URL
from helpers import KratosUser
from cliapp import cli
from areas.roles import Role
-from areas.apps import AppRole, App
+from areas.apps import AppRole, App, APP_NOT_INSTALLED_STATUS
from database import db
# APIs
@@ -66,7 +66,7 @@ def create_app(slug, name):
if app_obj:
current_app.logger.info(f"App definition: {name} ({slug}) already exists in database")
return
-
+
db.session.add(obj)
db.session.commit()
current_app.logger.info(f"App definition: {name} ({slug}) created")
@@ -92,20 +92,92 @@ def delete_app(slug):
:param slug: str Slug of app to remove
"""
current_app.logger.info(f"Trying to delete app: {slug}")
- obj = App.query.filter_by(slug=slug).first()
+ app_obj = App.query.filter_by(slug=slug).first()
- if not obj:
+ if not app_obj:
current_app.logger.info("Not found")
return
- # Deleting will (probably) fail if there are still roles attached. This is a
- # PoC implementation only. Actually management of apps and roles will be
- # done by the backend application
- db.session.delete(obj)
- db.session.commit()
- current_app.logger.info("Success")
+ deleted = app_obj.delete()
+ current_app.logger.info(f"Success: {deleted}")
return
+@app_cli.command(
+ "uninstall",
+)
+@click.argument("slug")
+def uninstall_app(slug):
+ """Uninstalls the app from the cluster
+ :param slug: str Slug of app to remove
+ """
+ current_app.logger.info(f"Trying to delete app: {slug}")
+ app_obj = App.query.filter_by(slug=slug).first()
+
+ if not app_obj:
+ current_app.logger.info("Not found")
+ return
+
+ uninstalled = app_obj.uninstall()
+ current_app.logger.info(f"Success: {uninstalled}")
+ return
+
+@app_cli.command("status")
+@click.argument("slug")
+def status_app(slug):
+ """Gets the current app status from the Kubernetes cluster
+ :param slug: str Slug of app to remove
+ """
+ current_app.logger.info(f"Getting status for app: {slug}")
+
+ app = App.query.filter_by(slug=slug).first()
+
+ if not app:
+ current_app.logger.error(f"App {slug} does not exist")
+ return
+
+ current_app.logger.info(f"Status: {app.get_status()}")
+
+@app_cli.command("install")
+@click.argument("slug")
+def install_app(slug):
+ """Installs app into Kubernetes cluster
+ :param slug: str Slug of app to install
+ """
+ current_app.logger.info(f"Installing app: {slug}")
+
+ app = App.query.filter_by(slug=slug).first()
+
+ if not app:
+ current_app.logger.error(f"App {slug} does not exist")
+ return
+
+ current_status = app.get_status()
+ if current_status == APP_NOT_INSTALLED_STATUS:
+ app.install()
+ current_app.logger.info(
+ f"App {slug} installing... use `status` to see status")
+ else:
+ current_app.logger.error("App {slug} should have status"
+ f" {APP_NOT_INSTALLED_STATUS} but has status: {current_status}")
+
+@app_cli.command("roles")
+@click.argument("slug")
+def roles_app(slug):
+ """Gets a list of roles for this app
+ :param slug: str Slug of app queried
+ """
+ current_app.logger.info(f"Getting roles for app: {slug}")
+
+ app = App.query.filter_by(slug=slug).first()
+
+ if not app:
+ current_app.logger.error(f"App {slug} does not exist")
+ return
+
+ current_app.logger.info("Roles: ")
+ for role in app.roles:
+ current_app.logger.info(role)
+
cli.cli.add_command(app_cli)
@@ -282,7 +354,7 @@ def setpassword_user(email, password):
# Execute UI sequence to set password, given we have a recovery URL
result = kratos_user.ui_set_password(KRATOS_PUBLIC_URL, url, password)
- except Exception as error:
+ except Exception as error: # pylint: disable=broad-except
current_app.logger.error(f"Error while setting password: {error}")
return False
@@ -321,7 +393,7 @@ def recover_user(email):
url = kratos_user.get_recovery_link()
print(url)
- except Exception as error:
+ except Exception as error: # pylint: disable=broad-except
current_app.logger.error(f"Error while getting reset link: {error}")
diff --git a/docker-compose.yml b/docker-compose.yml
index fdb2f71e9c041b34b973a1e5b4489e5d8ccaf788..e261b4850d680845d2d691f51801d8e79c219460 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -31,11 +31,13 @@ services:
# ENV variables that are deployment-specific
- SECRET_KEY=$FLASK_SECRET_KEY
- HYDRA_CLIENT_SECRET=$HYDRA_CLIENT_SECRET
- # - OAUTHLIB_INSECURE_TRANSPORT=1
+ - KUBECONFIG=/.kube/config
ports:
- "5000:5000"
+ user: "${KUBECTL_UID}:${KUBECTL_GID}"
volumes:
- .:/app
+ - "$KUBECONFIG:/.kube/config"
depends_on:
- kube_port_mysql
entrypoint: ["bash", "-c", "flask run --host $$(hostname -i)"]
diff --git a/helpers/kubernetes.py b/helpers/kubernetes.py
new file mode 100644
index 0000000000000000000000000000000000000000..9d843e291daadb7db964787e4e2ed9f3a5e2ea9e
--- /dev/null
+++ b/helpers/kubernetes.py
@@ -0,0 +1,327 @@
+"""
+List of functions to get data from Flux Kustomizations and Helmreleases
+"""
+import crypt
+import secrets
+import string
+
+import jinja2
+import yaml
+from kubernetes import client, config
+from kubernetes.client import api_client
+from kubernetes.client.exceptions import ApiException
+from kubernetes.utils import create_from_yaml
+from kubernetes.utils.create_from_yaml import FailToCreateError
+
+# Load the kube config once
+config.load_kube_config()
+
+def create_variables_secret(app_slug, variables_filepath):
+ """Checks if a variables secret for app_name already exists, generates it if necessary.
+
+ :param app_slug: The slug of the app, used in the oauth secrets
+ :type app_slug: string
+ :param variables_filepath: The path to an existing jinja2 template
+ :type variables_filepath: string
+ """
+ new_secret_dict = read_template_to_dict(
+ variables_filepath,
+ {"app": app_slug})
+ secret_name, secret_namespace = get_secret_metadata(new_secret_dict)
+ current_secret_data = get_kubernetes_secret_data(
+ secret_name, secret_namespace
+ )
+ if current_secret_data is None:
+ # Create new secret
+ update_secret = False
+ elif current_secret_data.keys() != new_secret_dict["data"].keys():
+ # Update current secret with new keys
+ update_secret = True
+ print(
+ f"Secret {secret_name} in namespace {secret_namespace}"
+ " already exists. Merging..."
+ )
+ # Merge dicts. Values from current_secret_data take precedence
+ new_secret_dict["data"] |= current_secret_data
+ else:
+ # Do Nothing
+ print(
+ f"Secret {secret_name} in namespace {secret_namespace}"
+ " is already in a good state, doing nothing."
+ )
+ return True
+ print(
+ f"Storing secret {secret_name} in namespace"
+ f" {secret_namespace} in cluster."
+ )
+ store_kubernetes_secret(
+ new_secret_dict, secret_namespace, update=update_secret
+ )
+ return True
+
+
+def get_secret_metadata(secret_dict):
+ """Returns secret name and namespace from metadata field in a yaml string."""
+ secret_name = secret_dict["metadata"]["name"]
+ # default namespace is flux-system, but other namespace can be
+ # provided in secret metadata
+ if "namespace" in secret_dict["metadata"]:
+ secret_namespace = secret_dict["metadata"]["namespace"]
+ else:
+ secret_namespace = "flux-system"
+ return secret_name, secret_namespace
+
+
+def get_kubernetes_secret_data(secret_name, namespace):
+ """Returns the contents of a kubernetes secret or None if the secret does not exist."""
+ api_client_instance = api_client.ApiClient()
+ api_instance = client.CoreV1Api(api_client_instance)
+ try:
+ secret = api_instance.read_namespaced_secret(secret_name, namespace).data
+ except ApiException as ex:
+ # 404 is expected when the optional secret does not exist.
+ if ex.status != 404:
+ raise ex
+ return None
+ return secret
+
+
+def store_kubernetes_secret(secret_dict, namespace, update=False):
+ """Stores either a new secret in the cluster, or updates an existing one."""
+ api_client_instance = api_client.ApiClient()
+ if update:
+ verb = "updated"
+ api_response = patch_kubernetes_secret(secret_dict, namespace)
+ else:
+ verb = "created"
+ try:
+ api_response = create_from_yaml(
+ api_client_instance,
+ yaml_objects=[secret_dict],
+ namespace=namespace
+ )
+ except FailToCreateError as ex:
+ print(f"Secret not {verb} because of exception {ex}")
+ return
+ print(f"Secret {verb} with api response: {api_response}")
+
+
+def store_kustomization(kustomization_template_filepath, app_slug):
+ """Add a kustomization that installs app {app_slug} to the cluster"""
+ kustomization_dict = read_template_to_dict(kustomization_template_filepath,
+ {"app": app_slug})
+ custom_objects_api = client.CustomObjectsApi()
+ try:
+ api_response = custom_objects_api.create_namespaced_custom_object(
+ group="kustomize.toolkit.fluxcd.io",
+ version="v1beta2",
+ namespace="flux-system",
+ plural="kustomizations",
+ body=kustomization_dict)
+ except FailToCreateError as ex:
+ print(f"Could not create {app_slug} Kustomization because of exception {ex}")
+ return
+ print(f"Kustomization created with api response: {api_response}")
+
+def delete_kustomization(kustomization_name):
+ """Deletes kustomization for an app_slug. Should also result in the
+ deletion of the app's HelmReleases, PVCs, OAuth2Client, etc. Nothing will
+ remain"""
+ custom_objects_api = client.CustomObjectsApi()
+ body = client.V1DeleteOptions()
+ try:
+ api_response = custom_objects_api.delete_namespaced_custom_object(
+ group="kustomize.toolkit.fluxcd.io",
+ version="v1beta2",
+ namespace="flux-system",
+ plural="kustomizations",
+ name=kustomization_name,
+ body=body)
+ except ApiException as ex:
+ print(f"Could not delete {kustomization_name} Kustomization because of exception {ex}")
+ return False
+ print(f"Kustomization deleted with api response: {api_response}")
+ return api_response
+
+
+def read_template_to_dict(template_filepath, template_globals):
+ """Reads a Jinja2 template that contains yaml and turns it into a dict
+
+ :param template_filepath: The path to an existing Jinja2 template
+ :type template_filepath: string
+ :param template_globals: The variables substituted in the template
+ :type template_globals: dict
+ :return: dict, or None if anything fails
+ """
+ env = jinja2.Environment(
+ extensions=["jinja2_base64_filters.Base64Filters"])
+ env.filters["generate_password"] = generate_password
+ # Check if k8s secret already exists, if not, generate it
+ with open(template_filepath, encoding="UTF-8") as template_file:
+ lines = template_file.read()
+ templated_dict = yaml.safe_load(
+ env.from_string(lines, globals=template_globals).render()
+ )
+ return templated_dict
+ return None
+
+
+def patch_kubernetes_secret(secret_dict, namespace):
+ """Patches secret in the cluster with new data."""
+ api_client_instance = api_client.ApiClient()
+ api_instance = client.CoreV1Api(api_client_instance)
+ name = secret_dict["metadata"]["name"]
+ body = {}
+ body["data"] = secret_dict["data"]
+ return api_instance.patch_namespaced_secret(name, namespace, body)
+
+
+def generate_password(length):
+ """Generates a password of "length" characters."""
+ length = int(length)
+ password = "".join((secrets.choice(string.ascii_letters)
+ for i in range(length)))
+ return password
+
+
+def gen_htpasswd(user, password):
+ """Generate htpasswd entry for user with password."""
+ return f"{user}:{crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512))}"
+
+def get_all_kustomization_names(namespace='flux-system'):
+ """
+ Returns all flux kustomizations in a namespace.
+ :param namespace: namespace that contains kustomizations. Default: `flux-system`
+ :type namespace: str
+ :return: List of names for kustomizations in namespace
+ :rtype: list
+ """
+ kustomizations = get_all_kustomizations(namespace)
+ return_kustomizations = []
+ for kustomization in kustomizations['items']:
+ return_kustomizations.append(kustomization['metadata']['name'])
+ return return_kustomizations
+
+
+def get_all_kustomizations(namespace='flux-system'):
+ """
+ Returns all flux kustomizations in a namespace.
+ :param namespace: namespace that contains kustomizations. Default: `flux-system`
+ :type namespace: str
+ :return: Kustomizations as returned by CustomObjectsApi.list_namespaced_custom_object()
+ :rtype: object
+ """
+ api = client.CustomObjectsApi()
+ api_response = api.list_namespaced_custom_object(
+ group="kustomize.toolkit.fluxcd.io",
+ version="v1beta1",
+ plural="kustomizations",
+ namespace=namespace,
+ )
+ return api_response
+
+
+def get_all_helmrelease_names(namespace='stackspin'):
+ """
+ Returns names of all helmreleases in a namespace.
+ :param namespace: namespace that contains kustomizations. Default: `stackspin`
+ :type namespace: str
+ :return: List of names for helmreleases in namespace
+ :rtype: list
+ """
+ helmreleases = get_all_helmreleases(namespace)
+ return_helmreleases = []
+ for helmrelease in helmreleases['items']:
+ return_helmreleases.append(helmrelease['metadata']['name'])
+ return return_helmreleases
+
+def get_all_helmreleases(namespace='stackspin'):
+ """
+ Returns all helmreleases in a namespace.
+ :param namespace: namespace that contains kustomizations. Default: `stackspin`
+ :type namespace: str
+ :return: Helmreleases as returned by CustomObjectsApi.list_namespaced_custom_object()
+ :rtype: object
+ """
+ api = client.CustomObjectsApi()
+ api_response = api.list_namespaced_custom_object(
+ group="helm.toolkit.fluxcd.io",
+ version="v2beta1",
+ plural="helmreleases",
+ namespace=namespace,
+ )
+ return api_response
+
+
+def get_kustomization(name, namespace='flux-system'):
+ """Returns all info of a Flux kustomization with name 'name'"""
+ api = client.CustomObjectsApi()
+ try:
+ resource = api.get_namespaced_custom_object(
+ group="kustomize.toolkit.fluxcd.io",
+ version="v1beta1",
+ name=name,
+ namespace=namespace,
+ plural="kustomizations",
+ )
+ except client.exceptions.ApiException as error:
+ if error.status == 404:
+ return None
+ # Raise all non-404 errors
+ raise error
+ return resource
+
+
+def get_helmrelease(name, namespace='stackspin-apps'):
+ """Returns all info of a Flux helmrelease with name 'name'"""
+ api = client.CustomObjectsApi()
+ try:
+ resource = api.get_namespaced_custom_object(
+ group="helm.toolkit.fluxcd.io",
+ version="v2beta1",
+ name=name,
+ namespace=namespace,
+ plural="helmreleases",
+ )
+ except client.exceptions.ApiException as error:
+ if error.status == 404:
+ return None
+ # Raise all non-404 errors
+ raise error
+
+ return resource
+
+def list_helmreleases(namespace='stackspin-apps', label_selector=""):
+ """
+ Lists all helmreleases in a certain namespace (stackspin-apps by default)
+
+ Optionally takes a label selector to limit the list.
+ """
+ api_instance = client.CustomObjectsApi()
+
+ try:
+ api_response = api_instance.list_namespaced_custom_object(
+ group="helm.toolkit.fluxcd.io",
+ version="v2beta1",
+ namespace=namespace,
+ plural="helmreleases",
+ label_selector=label_selector)
+ except ApiException as error:
+ if error.status == 404:
+ return None
+ # Raise all non-404 errors
+ raise error
+ return api_response
+
+
+def get_readiness(app_status):
+ """
+ Parses an app status's 'conditions' to find a type field called 'Ready' and
+ returns its status. Works for Kustomizations as well as Helmreleases.
+ """
+ for condition in app_status['conditions']:
+ if condition['type'] == 'Ready':
+ return condition['status']
+ # If this point is reached, no condition "Ready" exists, so the application
+ # is not ready.
+ return False
diff --git a/requirements.txt b/requirements.txt
index a98cfdc41529a42ab73ba6a453ef6deb66846be8..eae5bd291b0e1fc6c0733dd3fc9ca23eb52145d1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -15,6 +15,8 @@ install==1.3.5
itsdangerous==2.1.1
jsonschema==4.4.0
Jinja2==3.0.3
+jinja2-base64-filters==0.1.4
+kubernetes==24.2.0
MarkupSafe==2.1.1
mypy-extensions==0.4.3
oauthlib==3.2.0