outposts: use noop flag in each reconciler instead of raising Disabled and force use of get_referecen_object
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
9b60fcb08b
commit
788fd00390
|
@ -30,11 +30,6 @@ class NeedsUpdate(ReconcileTrigger):
|
||||||
"""Exception to trigger an update to the Kubernetes Object"""
|
"""Exception to trigger an update to the Kubernetes Object"""
|
||||||
|
|
||||||
|
|
||||||
class Disabled(SentryIgnoredException):
|
|
||||||
"""Exception which can be thrown in a reconciler to signal than an
|
|
||||||
object should not be created."""
|
|
||||||
|
|
||||||
|
|
||||||
class KubernetesObjectReconciler(Generic[T]):
|
class KubernetesObjectReconciler(Generic[T]):
|
||||||
"""Base Kubernetes Reconciler, handles the basic logic."""
|
"""Base Kubernetes Reconciler, handles the basic logic."""
|
||||||
|
|
||||||
|
@ -45,6 +40,11 @@ class KubernetesObjectReconciler(Generic[T]):
|
||||||
self.namespace = controller.outpost.config.kubernetes_namespace
|
self.namespace = controller.outpost.config.kubernetes_namespace
|
||||||
self.logger = get_logger().bind(type=self.__class__.__name__)
|
self.logger = get_logger().bind(type=self.__class__.__name__)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def noop(self) -> bool:
|
||||||
|
"""Return true if this object should not be created/updated/deleted in this cluster"""
|
||||||
|
return False
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def name(self) -> str:
|
def name(self) -> str:
|
||||||
"""Get the name of the object this reconciler manages"""
|
"""Get the name of the object this reconciler manages"""
|
||||||
|
@ -59,11 +59,10 @@ class KubernetesObjectReconciler(Generic[T]):
|
||||||
def up(self):
|
def up(self):
|
||||||
"""Create object if it doesn't exist, update if needed or recreate if needed."""
|
"""Create object if it doesn't exist, update if needed or recreate if needed."""
|
||||||
current = None
|
current = None
|
||||||
try:
|
if self.noop:
|
||||||
reference = self.get_reference_object()
|
self.logger.debug("Object is noop")
|
||||||
except Disabled:
|
|
||||||
self.logger.debug("Object not required")
|
|
||||||
return
|
return
|
||||||
|
reference = self.get_reference_object()
|
||||||
try:
|
try:
|
||||||
try:
|
try:
|
||||||
current = self.retrieve()
|
current = self.retrieve()
|
||||||
|
@ -92,11 +91,8 @@ class KubernetesObjectReconciler(Generic[T]):
|
||||||
|
|
||||||
def down(self):
|
def down(self):
|
||||||
"""Delete object if found"""
|
"""Delete object if found"""
|
||||||
# Call self.get_reference_object to check if we even need to do anything
|
if self.noop:
|
||||||
try:
|
self.logger.debug("Object is noop")
|
||||||
self.get_reference_object()
|
|
||||||
except Disabled:
|
|
||||||
self.logger.debug("Object not required")
|
|
||||||
return
|
return
|
||||||
try:
|
try:
|
||||||
current = self.retrieve()
|
current = self.retrieve()
|
||||||
|
|
|
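Review bot: The default `noop` returns `False`, and with `Disabled` removed, every reconciler that used to opt out by raising it now needs its own `noop` override. The ingress reconciler's `if not rules: raise Disabled()` guard is deleted in this commit, and no `noop` override for it is visible on this page. If none exists elsewhere, `up()` will go on to build and apply an ingress whose `rules` list is empty when no provider uses proxying, and `down()` will attempt a retrieve and delete it previously skipped. Consider a `noop` property on the ingress reconciler that performs the same provider check, and extend the docstring here to state the contract, e.g. `"""Return true if this object should not be created/updated/deleted in this cluster. Subclasses must override this as a @property."""`. The bodies of `up()` and `down()` continue outside the hunks shown.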
@ -8,7 +8,7 @@ from structlog.testing import capture_logs
|
||||||
from yaml import dump_all
|
from yaml import dump_all
|
||||||
|
|
||||||
from authentik.outposts.controllers.base import BaseController, ControllerException
|
from authentik.outposts.controllers.base import BaseController, ControllerException
|
||||||
from authentik.outposts.controllers.k8s.base import Disabled, KubernetesObjectReconciler
|
from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
|
||||||
from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
|
from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
|
||||||
from authentik.outposts.controllers.k8s.secret import SecretReconciler
|
from authentik.outposts.controllers.k8s.secret import SecretReconciler
|
||||||
from authentik.outposts.controllers.k8s.service import ServiceReconciler
|
from authentik.outposts.controllers.k8s.service import ServiceReconciler
|
||||||
|
@ -89,10 +89,9 @@ class KubernetesController(BaseController):
|
||||||
documents = []
|
documents = []
|
||||||
for reconcile_key in self.reconcile_order:
|
for reconcile_key in self.reconcile_order:
|
||||||
reconciler = self.reconcilers[reconcile_key](self)
|
reconciler = self.reconcilers[reconcile_key](self)
|
||||||
try:
|
if reconciler.noop:
|
||||||
documents.append(reconciler.get_reference_object().to_dict())
|
|
||||||
except Disabled:
|
|
||||||
continue
|
continue
|
||||||
|
documents.append(reconciler.get_reference_object().to_dict())
|
||||||
|
|
||||||
with StringIO() as _str:
|
with StringIO() as _str:
|
||||||
dump_all(
|
dump_all(
|
||||||
|
|
|
@ -17,7 +17,6 @@ from kubernetes.client.models.networking_v1beta1_ingress_rule import (
|
||||||
|
|
||||||
from authentik.outposts.controllers.base import FIELD_MANAGER
|
from authentik.outposts.controllers.base import FIELD_MANAGER
|
||||||
from authentik.outposts.controllers.k8s.base import (
|
from authentik.outposts.controllers.k8s.base import (
|
||||||
Disabled,
|
|
||||||
KubernetesObjectReconciler,
|
KubernetesObjectReconciler,
|
||||||
NeedsUpdate,
|
NeedsUpdate,
|
||||||
)
|
)
|
||||||
|
@ -137,9 +136,6 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
rules.append(rule)
|
rules.append(rule)
|
||||||
if not rules:
|
|
||||||
self.logger.debug("No providers use proxying, no ingress needed")
|
|
||||||
raise Disabled()
|
|
||||||
tls_config = None
|
tls_config = None
|
||||||
if tls_hosts:
|
if tls_hosts:
|
||||||
tls_config = NetworkingV1beta1IngressTLS(
|
tls_config = NetworkingV1beta1IngressTLS(
|
||||||
|
|
|
@ -7,7 +7,6 @@ from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi
|
||||||
|
|
||||||
from authentik.outposts.controllers.base import FIELD_MANAGER
|
from authentik.outposts.controllers.base import FIELD_MANAGER
|
||||||
from authentik.outposts.controllers.k8s.base import (
|
from authentik.outposts.controllers.k8s.base import (
|
||||||
Disabled,
|
|
||||||
KubernetesObjectReconciler,
|
KubernetesObjectReconciler,
|
||||||
NeedsUpdate,
|
NeedsUpdate,
|
||||||
)
|
)
|
||||||
|
@ -70,6 +69,18 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
|
||||||
self.api_ex = ApiextensionsV1Api(controller.client)
|
self.api_ex = ApiextensionsV1Api(controller.client)
|
||||||
self.api = CustomObjectsApi(controller.client)
|
self.api = CustomObjectsApi(controller.client)
|
||||||
|
|
||||||
|
def noop(self) -> bool:
|
||||||
|
if not ProxyProvider.objects.filter(
|
||||||
|
outpost__in=[self.controller.outpost],
|
||||||
|
forward_auth_mode=True,
|
||||||
|
).exists():
|
||||||
|
self.logger.debug("No providers with forward auth enabled.")
|
||||||
|
return True
|
||||||
|
if not self._crd_exists():
|
||||||
|
self.logger.debug("CRD doesn't exist")
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
def _crd_exists(self) -> bool:
|
def _crd_exists(self) -> bool:
|
||||||
"""Check if the traefik middleware exists"""
|
"""Check if the traefik middleware exists"""
|
||||||
return bool(
|
return bool(
|
||||||
|
@ -87,15 +98,6 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
|
||||||
|
|
||||||
def get_reference_object(self) -> TraefikMiddleware:
|
def get_reference_object(self) -> TraefikMiddleware:
|
||||||
"""Get deployment object for outpost"""
|
"""Get deployment object for outpost"""
|
||||||
if not ProxyProvider.objects.filter(
|
|
||||||
outpost__in=[self.controller.outpost],
|
|
||||||
forward_auth_mode=True,
|
|
||||||
).exists():
|
|
||||||
self.logger.debug("No providers with forward auth enabled.")
|
|
||||||
raise Disabled()
|
|
||||||
if not self._crd_exists():
|
|
||||||
self.logger.debug("CRD doesn't exist")
|
|
||||||
raise Disabled()
|
|
||||||
return TraefikMiddleware(
|
return TraefikMiddleware(
|
||||||
apiVersion=f"{CRD_GROUP}/{CRD_VERSION}",
|
apiVersion=f"{CRD_GROUP}/{CRD_VERSION}",
|
||||||
kind="Middleware",
|
kind="Middleware",
|
||||||
|
|
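Review bot: The `noop` override added to `TraefikMiddlewareReconciler` is a plain method, because no `@property` line appears among the added lines above `def noop(self) -> bool:`. The base class declares `noop` as a property, and `up()`, `down()` and the controller's manifest loop all test it as an attribute (`if self.noop:`, `if reconciler.noop:`). A bound method is always truthy, so as written this reconciler is skipped unconditionally: the forward-auth middleware is never created or updated, `down()` never removes an existing one, and the provider and CRD checks inside `noop` never run. Add `@property` directly above the definition and give it a docstring such as `"""Skip when no provider uses forward auth or the Traefik CRD is missing"""`. A test asserting that `up()` reaches `get_reference_object()` when a forward-auth provider exists would catch this regression.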