hippo-cli 1.0.0

data/lib/hippo/repository.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+require 'digest'
+require 'git'
+require 'hippo/error'
+
+module Hippo
+  class Repository
+    def initialize(options)
+      @options = options
+    end
+
+    def url
+      @options['url']
+    end
+
+    # Return the path where this repository is stored on the local
+    # computer.
+    #
+    # @return [String]
+    def path
+      return @options['path'] if @options['path']
+
+      @path ||= begin
+        digest = Digest::SHA256.hexdigest(url)
+        File.join('', 'tmp', 'hippo-repos', digest)
+      end
+    end
+
+    # Clone this repository into the working directory for this
+    # application.
+    #
+    # @return [Boolean]
+    def clone
+      if File.directory?(path)
+        raise RepositoryAlreadyClonedError, "Repository has already been cloned to #{path}. Maybe you just want to pull?"
+      end
+
+      @git = Git.clone(url, path)
+      true
+    rescue Git::GitExecuteError => e
+      raise RepositoryCloneError, e.message
+    end
+
+    # Has this been cloned?
+    #
+    # @return [Boolean]
+    def cloned?
+      File.directory?(path)
+    end
+
+    # Fetch the latest copy of this repository
+    #
+    # @return [Boolean]
+    def fetch
+      git.fetch
+      true
+    rescue Git::GitExecuteError => e
+      raise RepositoryFetchError, e.message
+    end
+
+    # Checkout the version of the application for the given commit or
+    # branch name in the local copy.
+    #
+    # @param ref [String]
+    # @return [Boolean]
+    def checkout(ref)
+      git.checkout("origin/#{ref}")
+      true
+    rescue Git::GitExecuteError => e
+      if e.message =~ /did not match any file\(s\) known to git/
+        raise RepositoryCheckoutError, "No branch named '#{ref}' found in repository"
+      else
+        raise RepositoryCheckoutError, e.message
+      end
+    end
+
+    # Return the commit reference for the currently checked out branch
+    #
+    # @return [String]
+    def commit
+      git.log(1).first
+    end
+
+    # Get the commit reference for the given branch on the remote
+    # repository by asking it directly.
+    #
+    # @param name [String]
+    # @return [Git::Commit]
+    def commit_for_branch(branch)
+      git.object("origin/#{branch}").log(1).first
+    rescue Git::GitExecuteError => e
+      if e.message =~ /Not a valid object name/
+        raise Error, "'#{branch}' is not a valid branch name in repository"
+      else
+        raise
+      end
+    end
+
+    # Return the template variables for a repository
+    #
+    # @return [Hash]
+    def template_vars
+      {
+        'url' => url,
+        'path' => path
+      }
+    end
+
+    private
+
+    def git
+      @git ||= begin
+        if cloned?
+          Git.open(path)
+        else
+          raise Error, 'Could not create a git instance because there is no repository cloned for it.'
+        end
+      end
+    end
+  end
+end

data/lib/hippo/secret.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+require 'openssl'
+require 'encryptor'
+require 'hippo/util'
+
+module Hippo
+  class Secret
+    include Hippo::Util
+
+    HEADER = [
+      '# This file is encrypted and managed by Hippo.',
+      '# Use `hippo secret [stage] [name]` to make changes to it.',
+      '#',
+      '# Note: this cannot be applied directly to your Kubernetes server because',
+      '# HippoEncryptedSecret is not a valid object. It will be automatically ',
+      '# converted to a Secret when it is applied by Hippo.'
+    ].join("\n")
+
+    def initialize(manager, name)
+      @manager = manager
+      @name = name
+    end
+
+    # Return the path to the stored encrypted secret file
+    #
+    # @return [String]
+    def path
+      File.join(@manager.recipe.root, 'secrets', @manager.stage.name, "#{@name}.yaml")
+    end
+
+    # Does the secret file currently exist on the file system?
+    #
+    # @return [Boolean]
+    def exists?
+      File.file?(path)
+    end
+
+    # Return the secret file as it should be applied to Kubernetes.
+    #
+    # @return [String]
+    def to_secret_yaml
+      decrypted_parts.map do |part, _array|
+        part['kind'] = 'Secret'
+        part['metadata'] ||= {}
+        part['metadata']['namespace'] = @manager.stage.namespace
+
+        part['data'].each do |key, value|
+          part['data'][key] = Base64.encode64(value).gsub("\n", '').strip
+        end
+        part
+      end.map { |p| p.hash.to_yaml } .join("---\n")
+    end
+
+    # Return the secret file as it should be displayed for editting
+    #
+    # @return [String]
+    def to_editable_yaml
+      decrypted_parts.map { |p| p.hash.to_yaml } .join("---\n")
+    end
+
+    # Edit a secret file by opening an editor and allow changes to be made.
+    # When the editor completes, finish by writing the file back to the disk.
+    #
+    # @return [void]
+    def edit
+      return unless exists?
+
+      # Obtain a list of parts and map them to the name of the secret
+      # in the file.
+      original_decrypted_part_data = parse_parts(load_yaml_from_path(path), :decrypt)
+      original_encrypted_part_data = load_yaml_from_path(path).each_with_object({}) do |part, hash|
+        next if part.nil? || part.empty?
+
+        hash[part.dig('metadata', 'name')] = part['data']
+      end
+      original_part_data = original_decrypted_part_data.each_with_object({}) do |part, hash|
+        name = part.dig('metadata', 'name')
+        enc = original_encrypted_part_data[name]
+        next if enc.nil?
+
+        hash[part.dig('metadata', 'name')] = part['data'].each_with_object({}) do |(key, value), hash2|
+          hash2[key] = [value, enc[key]]
+        end
+      end
+
+      # Open the editor and gather what the user provides.
+      saved_contents = open_in_editor("secret-#{@name}", to_editable_yaml)
+
+      # This saved contents should now be validated to ensure it is valid
+      # YAML and, if so, it should be encrypted and then saved into the
+      # secret file as needed.
+      begin
+        yaml_parts = load_yaml_from_data(saved_contents)
+        parts = parse_parts(yaml_parts, :encrypt, original_part_data)
+        write(parts)
+      rescue StandardError => e
+        raise
+        puts "An error occurred parsing your file: #{e.message}"
+        saved_contents = open_in_editor("secret-#{@name}", saved_contents)
+        retry
+      end
+
+      puts "#{@name} secret has been editted"
+    end
+
+    # Create a new templated encrypted secret with the given name
+    #
+    # @return [void]
+    def create
+      template = {
+        'apiVersion' => 'v1',
+        'kind' => 'HippoEncryptedSecret',
+        'metadata' => {
+          'name' => @name
+        },
+        'data' => {
+          'example' => @manager.encrypt('This is an example secret!')
+        }
+      }
+      write([template])
+    end
+
+    private
+
+    def decrypted_parts
+      return unless exists?
+
+      yaml_parts = load_yaml_from_path(path)
+      parse_parts(yaml_parts, :decrypt)
+    end
+
+    def parse_parts(yaml_parts, method, skips = {})
+      yaml_parts.each_with_object([]) do |part, array|
+        next if part.hash.nil? || part.hash.empty?
+
+        part['data'].each do |key, value|
+          skip = skips[part.dig('metadata', 'name')]
+          part['data'][key] = if skip && skip[key] && skip[key][0] == value
+                                skip[key][1]
+                              else
+                                @manager.public_send(method, value.to_s)
+                              end
+        end
+
+        array << part
+      end
+    end
+
+    # Write the array of given parts into a file along with a suitable
+    # explanatory header.
+    #
+    # @return [void]
+    def write(parts)
+      parts = parts.map(&:to_yaml).join("---\n")
+      data_to_write = HEADER + "\n" + parts
+
+      FileUtils.mkdir_p(File.dirname(path))
+      File.open(path, 'w') do |f|
+        f.write(data_to_write)
+      end
+    end
+  end
+end

data/lib/hippo/secret_manager.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'hippo/secret'
+
+module Hippo
+  class SecretManager
+    attr_reader :recipe
+    attr_reader :stage
+    attr_reader :key
+
+    CIPHER = OpenSSL::Cipher.new('aes-256-gcm')
+
+    def initialize(recipe, stage)
+      @recipe = recipe
+      @stage = stage
+    end
+
+    # Generate and publish a new secret key to the Kubernetes API.
+    #
+    # @return [void]
+    def create_key
+      if key_available?
+        raise Hippo::Error, 'A key already exists on Kubernetes. Remove this first.'
+      end
+
+      CIPHER.encrypt
+      secret_key = CIPHER.random_key
+      secret_key64 = Base64.encode64(secret_key).gsub("\n", '').strip
+      object = {
+        'apiVersion' => 'v1',
+        'kind' => 'Secret',
+        'type' => 'hippo.adam.ac/secret-encryption-key',
+        'metadata' => { 'name' => 'hippo-secret-key', 'namespace' => @stage.namespace },
+        'data' => { 'key' => Base64.encode64(secret_key64).gsub("\n", '').strip }
+      }
+      @recipe.kubernetes.apply_with_kubectl(object.to_yaml)
+      @key = secret_key
+    end
+
+    # Download the current key from the Kubernetes API and set it as the
+    # key for this instance
+    #
+    # @return [void]
+    def download_key
+      return if @key
+
+      value = @recipe.kubernetes.get_with_kubectl(@stage, 'secret', 'hippo-secret-key').first
+      return if value.nil?
+      return if value.dig('data', 'key').nil?
+
+      @key = Base64.decode64(Base64.decode64(value['data']['key']))
+    rescue Hippo::Error => e
+      raise unless e.message =~ /not found/
+    end
+
+    def key_available?
+      download_key
+      !@key.nil?
+    end
+
+    def secret(name)
+      Secret.new(self, name)
+    end
+
+    def secrets
+      Dir[File.join('secrets', @stage.name, '**', '*.{yml,yaml}')].map do |path|
+        secret(path.split('/').last.sub(/\.ya?ml\z/, ''))
+      end
+    end
+
+    def encrypt(value)
+      CIPHER.encrypt
+      iv = CIPHER.random_iv
+      salt = SecureRandom.random_bytes(16)
+      encrypted_value = Encryptor.encrypt(value: value.to_s, key: @key, iv: iv, salt: salt)
+      'encrypted:' + Base64.encode64([
+        Base64.encode64(encrypted_value),
+        Base64.encode64(salt),
+        Base64.encode64(iv)
+      ].join('---')).gsub("\n", '')
+    end
+
+    # Decrypt the given value value and return it
+    #
+    # @param value [String]
+    # @return [String]
+    def decrypt(value)
+      value = value.to_s
+      if value =~ /\Aencrypted:(.*)/
+        value = Base64.decode64(Regexp.last_match(1))
+        encrypted_value, salt, iv = value.split('---', 3).map { |s| Base64.decode64(s) }
+        Encryptor.decrypt(value: encrypted_value, key: @key, iv: iv, salt: salt).to_s
+      else
+        value
+      end
+    end
+  end
+end

data/lib/hippo/stage.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Hippo
+  class Stage
+    def initialize(options)
+      @options = options
+    end
+
+    def name
+      @options['name']
+    end
+
+    def branch
+      @options['branch']
+    end
+
+    def namespace
+      @options['namespace']
+    end
+
+    def template_vars
+      {
+        'name' => name,
+        'branch' => branch,
+        'namespace' => namespace,
+        'vars' => @options['vars'] || {}
+      }
+    end
+
+    def kubectl(*command)
+      "kubectl -n #{namespace} #{command.join(' ')}"
+    end
+  end
+end

data/lib/hippo/util.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'hippo/error'
+require 'hippo/yaml_part'
+
+module Hippo
+  module Util
+    def load_yaml_from_path(path)
+      return nil if path.nil?
+      return nil unless File.file?(path)
+
+      data = File.read(path)
+      load_yaml_from_data(data, path)
+    end
+
+    def load_yaml_from_data(data, path = nil)
+      parts = data.split(/^\-\-\-$/)
+      parts.each_with_index.map do |part, index|
+        YAMLPart.new(part, path, index)
+      end
+    end
+
+    def load_yaml_from_directory(path)
+      return [] if path.nil?
+      return [] unless File.directory?(path)
+
+      Dir[File.join(path, '*.{yaml,yml}')].sort.each_with_object([]) do |path, array|
+        yaml = load_yaml_from_path(path)
+        next if yaml.nil?
+
+        array << yaml
+      end.flatten
+    end
+
+    def open_in_editor(name, contents)
+      tmp_root = File.join(ENV['HOME'], '.hippo')
+      FileUtils.mkdir_p(tmp_root)
+      begin
+        tmpfile = Tempfile.new([name, '.yaml'], tmp_root)
+        tmpfile.write(contents)
+        tmpfile.close
+        system("#{ENV['EDITOR']} #{tmpfile.path}")
+        tmpfile.open
+        tmpfile.read
+      ensure
+        tmpfile.unlink
+      end
+    end
+  end
+end

data/lib/hippo/version.rb

@@ -0,0 +1,3 @@
+module Hippo
+  VERSION = '1.0.0'
+end

data/lib/hippo/yaml_part.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Hippo
+  class YAMLPart
+    attr_reader :yaml
+
+    def initialize(yaml, path, index)
+      @yaml = yaml.strip
+      @path = path
+      @index = index
+    end
+
+    def hash
+      @hash ||= YAML.safe_load(@yaml)
+    rescue Psych::SyntaxError => e
+      raise Error, "YAML parsing error in #{@path} (index #{@index}) (#{e.message})"
+    end
+
+    def empty?
+      @yaml.nil? ||
+        @yaml.empty? ||
+        hash.nil? ||
+        hash.empty?
+    end
+
+    def to_yaml
+      hash.to_yaml
+    end
+
+    def dig(*args)
+      hash.dig(*args)
+    end
+
+    def [](name)
+      hash[name]
+    end
+
+    def []=(name, value)
+      hash[name] = value
+    end
+
+    def parse(recipe, stage, commit)
+      parsed_part = recipe.parse(stage, commit, @yaml)
+      self.class.new(parsed_part, @path, @index)
+    end
+  end
+end

data/lib/hippo.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Hippo
+  def self.root
+    File.expand_path('../', __dir__)
+  end
+end

data/template/Hippofile

@@ -0,0 +1,19 @@
+# Welcome to your Hippofile 🦛
+#
+# In here you configure how you wish to build, publish and
+# deploy your application using Docker & Kubernetes.
+
+# Where is the application that you wish to deploy hosted?
+repository:
+  url: git@github.com:username/repo
+
+# You can request multiple builds from the same repository to be built if
+# required. In most cases you'll probably only need one. You can reference
+# these in your Kubernetes objects to specify image details in PodSpecs.
+builds:
+  app:
+    dockerfile: Dockerfile
+    # This is the name of the image where the built-image should be uploaded
+    # to when build. You should not include any tag after the name. The
+    # commit ref that you're building will be automatically added.
+    image-name: myorg/myapp

data/template/config/production/env-vars.yaml

@@ -0,0 +1,7 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: env-vars
+data:
+  RAILS_ENV: production
+  RACK_TRUSTED_PROXIES: 127.0.0.1 ::1 10.217.0.0/16

data/template/deployments/web.yaml

@@ -0,0 +1,29 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: web
+spec:
+  selector:
+    matchLabels:
+      process_type: web
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        process_type: web
+    spec:
+      containers:
+        - name: myapp
+          image: "{{ builds.app.image-name }}:{{ commit.ref }}"
+          imagePullPolicy: Always
+          command:
+            - bundle
+            - exec
+            - puma
+            - -C
+            - config/puma.rb
+          envFrom:
+            - configMapRef:
+                name: env-vars
+          ports:
+            - containerPort: 3000

data/template/deployments/worker.yaml

@@ -0,0 +1,26 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: worker
+spec:
+  selector:
+    matchLabels:
+      app: worker
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: worker
+    spec:
+      containers:
+        - name: myapp
+          image: "{{ builds.app.image-name }}:{{ commit.ref }}"
+          imagePullPolicy: Always
+          command:
+            - bundle
+            - exec
+            - rake
+            - jobs:work
+          envFrom:
+            - configMapRef:
+                name: env-vars

data/template/jobs/install/load-schema.yaml

@@ -0,0 +1,22 @@
+kind: Job
+apiVersion: batch/v1
+metadata:
+  name: load-schema
+spec:
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: myapp
+          image: "{{ builds.app.image-name }}:{{ commit.ref }}"
+          imagePullPolicy: Always
+          command:
+            - bundle
+            - exec
+            - rake
+            - db:schema:load
+          envFrom:
+            - configMapRef:
+                name: env-vars

data/template/jobs/upgrade/db-migration.yaml

@@ -0,0 +1,22 @@
+kind: Job
+apiVersion: batch/v1
+metadata:
+  name: migration
+spec:
+  backoffLimit: 0
+  ttlSecondsAfterFinished: 60
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: myapp
+          image: "{{ builds.app.image-name }}:{{ commit.ref }}"
+          imagePullPolicy: Always
+          command:
+            - bundle
+            - exec
+            - rake
+            - db:migrate
+          envFrom:
+            - configMapRef:
+                name: env-vars

data/template/services/main.ingress.yaml

@@ -0,0 +1,13 @@
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: myapp
+spec:
+  rules:
+    - host: "{{ stage.vars.hostname }}"
+      http:
+        paths:
+          - path: /
+            backend:
+              serviceName: web
+              servicePort: 80

data/template/services/web.svc.yaml

@@ -0,0 +1,11 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: web
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 3000
+  selector:
+    process_type: web

data/template/stages/production.yaml

@@ -0,0 +1,6 @@
+name: production
+branch: master
+namespace: myapp-production
+vars:
+  example: Hello world!
+  hostname: myapp.mydomain.com