forked from muchlearning/kubernetes-haproxy
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathwatch.py
More file actions
executable file
·292 lines (264 loc) · 10.4 KB
/
watch.py
File metadata and controls
executable file
·292 lines (264 loc) · 10.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
#!/usr/bin/python
import base64
import hashlib
import json
import jinja2
from operator import itemgetter
import os
import os.path
import re
import subprocess
import sys
import time
import urllib2
ETCD2BASE = os.getenv("ETCD2BASE") or "http://127.0.0.1:2379"
generation = None
class FellBehind(Exception):
pass
def etcd_open(path):
return urllib2.urlopen(ETCD2BASE + path)
def pod_ready(pod):
if "podIP" not in pod["status"] or not pod["status"]["podIP"]:
return False
if "containerStatuses" not in pod["status"]:
return False
containerStatuses = pod["status"]["containerStatuses"]
if len(containerStatuses) == 0:
return False
for status in containerStatuses:
if not status["ready"]:
return False
return True
def pod_matches(selector, pod):
if "metadata" in pod and "labels" in pod["metadata"] and pod_ready(pod):
labels = pod["metadata"]["labels"]
for key, value in selector.iteritems():
if key not in labels or labels[key] != value:
return False
return True
return len({}) == 0
def get_pods(config, cache):
namespace = config["namespace"]
if namespace not in cache:
try:
response = etcd_open("/v2/keys/registry/pods/" + namespace + "/")
response_json = response.read()
except urllib2.HTTPError as e:
if e.code == 404:
return ({}, cache)
else:
raise e
finally:
try:
response.close()
except:
pass
node = json.loads(response_json)["node"]
pods = node["nodes"] if "nodes" in node else []
cache[namespace] = [json.loads(pod["value"]) for pod in pods]
pods = {}
for pod in cache[namespace]:
if pod_matches(config["selector"], pod):
pods[pod["metadata"]["name"]] = pod
return (pods, cache)
def load_services(configmap):
services_nodes = configmap["data"]
services = {}
cache = {}
for key, service in services_nodes.iteritems():
service_config = json.loads(service)
set_service(services, key, service_config, cache)
return services
def set_service(services, key, service_config, cache = {}):
service_config["pods"], cache = get_pods(service_config, cache)
services[key] = service_config
services[key]["name"] = key
def load_certs(configmap):
return configmap["data"]
def load_keys(secrets):
return {name: base64.b64decode(b64key) for name, b64key in secrets["data"].iteritems()}
def merge_certs_and_keys(certs, keys):
result = {}
for name, cert in certs.iteritems():
result[name] = {"cert": cert}
for name, key in keys.iteritems():
if name in result:
result[name]["key"] = key
else:
result[name] = {"key": key}
return result
def refresh():
global generation
try:
response = etcd_open("/v2/keys/registry/configmaps/lb/services")
response_json = response.read()
generation = int(response.info().getheader('X-Etcd-Index'))
finally:
try:
response.close()
except:
pass
services = load_services(json.loads(json.loads(response_json)["node"]["value"]))
certs = {}
try:
response = etcd_open("/v2/keys/registry/configmaps/lb/certificates")
response_json = response.read()
certs = load_certs(json.loads(json.loads(response_json)["node"]["value"]))
except urllib2.HTTPError as e:
if e.code != 404:
raise e
finally:
try:
response.close()
except:
pass
keys = {}
try:
response = etcd_open("/v2/keys/registry/secrets/lb/keys")
response_json = response.read()
keys = load_keys(json.loads(json.loads(response_json)["node"]["value"]))
except urllib2.HTTPError as e:
if e.code != 404:
raise e
finally:
try:
response.close()
except:
pass
try:
response = etcd_open("/v2/keys/registry/configmaps/lb/config")
response_json = response.read()
finally:
try:
response.close()
except:
pass
node = json.loads(response_json)["node"]
config = json.loads(node["value"])["data"]
template = config["template"]
return {
"services": services,
"certificates": merge_certs_and_keys(certs, keys),
"template": template
}
pod_re = re.compile("^/registry/pods/([^/]+)/([^/]+)$")
def update(data):
services = data["services"]
certificates = data["certificates"]
global generation
while True:
try:
response = etcd_open("/v2/keys?wait=true&recursive=true&waitIndex=%d" % (generation + 1))
response_json = response.read()
if generation < int(response.info().getheader('X-Etcd-Index')) - 10:
raise FellBehind()
generation = generation + 1
finally:
try:
response.close()
except:
pass
event = json.loads(response_json)
if "node" in event:
node_key = event["node"]["key"]
if node_key == "/registry/configmaps/lb/services":
configmap = json.loads(event["node"]["value"])
data["services"] = load_services(configmap)
return
elif node_key.startswith("/registry/pods/"):
m = pod_re.match(node_key)
if m:
pod = json.loads(event["node"]["value"]) if "value" in event["node"] else {"status": {}}
namespace, podname = m.group(1, 2)
if event["action"] == "delete" or not pod_ready(pod):
changed = False
for service_config in services.itervalues():
if service_config["namespace"] == namespace and podname in service_config["pods"]:
changed = True
del service_config["pods"][podname]
if changed:
return
else:
changed = False
for service_config in services.itervalues():
if service_config["namespace"] == namespace and pod_matches(service_config["selector"], pod):
changed = True
service_config["pods"][podname] = pod
if changed:
return
elif node_key == "/registry/configmaps/lb/config":
config = json.loads(event["node"]["value"])["data"]
data["template"] = config["template"]
return
elif node_key == "/registry/configmaps/lb/certificates":
keys = {k: v["key"] for k, v in data["certificates"].iteritems() if "key" in v}
certs = load_certs(json.loads(event["node"]["value"]))
data["certificates"] = merge_certs_and_keys(certs, keys)
return
elif node_key == "/registry/secrets/lb/keys":
certs = {k: v["cert"] for k, v in data["certificates"].iteritems() if "cert" in v}
keys = load_keys(json.loads(event["node"]["value"]))
data["certificates"] = merge_certs_and_keys(certs, keys)
return
if __name__ == "__main__":
statspass = os.getenv("STATISTICS_PASSWORD")
lasthash = None
certhashes = {}
while True:
backoff = 1
while True:
try:
data = refresh()
break
except Exception as e:
sys.stderr.write("Error: Could not load configuration (%s). Will try again in %d s\n" % (str(e), backoff))
time.sleep(backoff)
if backoff < 32:
backoff *= 2
while True:
serviceslist = data["services"].values()
serviceslist.sort(key=itemgetter("name"))
certificatelist = [name for name, certdata in data["certificates"].iteritems() if "key" in certdata and "cert" in certdata]
config = jinja2.Template(data["template"]).render(stats={"username": "stats", "password": statspass},
services=serviceslist,
certificates=certificatelist,
ssldir=os.path.abspath("ssl"),
env=os.environ)
changed = False
currhash = hashlib.sha512(config).digest()
if currhash != lasthash:
changed = True
sys.stderr.write("Debug: writing new config\n")
with open("haproxy.cfg", "w") as f:
f.write(config)
else:
sys.stderr.write("Debug: config file did not change\n")
lasthash = currhash
for name, certdata in data["certificates"].iteritems():
if "key" in certdata and "cert" in certdata:
sha512 = hashlib.sha512(certdata["key"])
sha512.update(certdata["cert"])
currhash = sha512.digest()
if name not in certhashes or certhashes[name] != currhash:
changed = True
sys.stderr.write("Debug: writing SSL certificate for %s\n" % name)
with open("ssl/%s.pem" % name, 'w') as f:
f.write(certdata["key"])
f.write(certdata["cert"])
certhashes[name] = currhash
if changed:
cmd = ["/usr/sbin/haproxy", "-D", "-p", "/run/haproxy.pid", "-f", os.path.abspath("haproxy.cfg")]
try:
with open("/run/haproxy.pid", "r") as f:
pids = f.read().split()
cmd.append("-sf")
cmd.extend(pids)
except:
pass
sys.stderr.write("Debug: reloading HAProxy\n")
subprocess.call(cmd)
try:
update(data)
except Exception as e:
sys.stderr.write("Warning: Failed to update (%s). Reloading config\n" % (str(e)))
break