hippo-cli 1.0.1 → 1.1.0

data/lib/hippo/deployment_monitor.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module Hippo
+  class DeploymentMonitor
+    def initialize(stage, deployment_id, sleep: 4, count: 15)
+      @stage = stage
+      @deployment_id = deployment_id
+      @sleep = sleep
+      @count = count
+    end
+
+    def on_wait(&block)
+      @on_wait = block
+    end
+
+    def on_failure(&block)
+      @on_failure = block
+    end
+
+    def on_success(&block)
+      @on_success = block
+    end
+
+    def wait
+      count = 0
+      loop do
+        sleep @sleep
+        poll = Poll.new(@stage, @deployment_id)
+        if poll.pending.empty?
+          @on_success&.call(poll)
+          return true
+        else
+          if count >= @count
+            @on_failure&.call(poll)
+            return false
+          else
+            count += 1
+            @on_wait&.call(poll)
+          end
+        end
+      end
+    end
+
+    private
+
+    class Poll
+      def initialize(stage, deployment_id)
+        @stage = stage
+        @deployment_id = deployment_id
+
+        @replica_sets = @stage.get(
+          'rs',
+          '--selector',
+          'hippo.adam.ac/deployID=' + @deployment_id
+        )
+
+        @pending = @replica_sets.reject do |deploy|
+          deploy['status']['availableReplicas'] == deploy['status']['replicas']
+        end
+      end
+
+      attr_reader :pending
+      attr_reader :replica_sets
+
+      def pending_names
+        make_names(@pending)
+      end
+
+      def names
+        make_names(@replica_sets)
+      end
+
+      private
+
+      def make_names(array)
+        array.map do |d|
+          d.name.split('-').first
+        end
+      end
+    end
+  end
+end

data/lib/hippo/error.rb

@@ -3,16 +3,4 @@
 module Hippo
   class Error < StandardError
   end
-
-  class RepositoryAlreadyClonedError < Error
-  end
-
-  class RepositoryCloneError < Error
-  end
-
-  class RepositoryFetchError < Error
-  end
-
-  class RepositoryCheckoutError < Error
-  end
 end

data/lib/hippo/image.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require 'git'
+require 'net/http'
+
+module Hippo
+  class Image
+    def initialize(name, options)
+      @name = name
+      @options = options
+    end
+
+    attr_reader :name
+
+    def url
+      @options['url']
+    end
+
+    def repository
+      @options['repository']
+    end
+
+    def template_vars
+      {
+        'url' => url,
+        'repository' => repository
+      }
+    end
+
+    def commit_ref_for_branch(branch)
+      remote_refs.dig('branches', branch, :sha)
+    end
+
+    def image_path_for_branch(branch)
+      "#{url}:#{commit_ref_for_branch(branch)}"
+    end
+
+    def remote_refs
+      @remote_refs ||= begin
+        Git.ls_remote(repository)
+      end
+    end
+
+    def exists_for_commit?(commit)
+      credentials = Hippo.config.dig('docker', 'credentials', registry_host)
+
+      http = Net::HTTP.new(registry_host, 443)
+      http.use_ssl = true
+      request = Net::HTTP::Head.new("/v2/#{registry_image_name}/manifests/#{commit}")
+      if credentials
+        request.basic_auth(credentials['username'], credentials['password'])
+      end
+      response = http.request(request)
+      case response
+      when Net::HTTPOK
+        true
+      when Net::HTTPUnauthorized
+        raise Error, "Could not authenticate to #{registry_host} to verify image existence"
+      when Net::HTTPNotFound
+        false
+      else
+        raise Error, "Got #{response.code} status when verifying imag existence with #{registry_host}"
+      end
+    end
+
+    def registry_host
+      url.split('/').first
+    end
+
+    def registry_image_name
+      url.split('/', 2).last
+    end
+  end
+end

data/lib/hippo/manifest.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require 'hippo/util'
+require 'hippo/stage'
+require 'hippo/image'
+
+module Hippo
+  class Manifest
+    # Load a new manifest from a given Hippofile.
+    #
+    # @param path [String]
+    # @return [Hippo::Manifest]
+    class << self
+      def load_from_file(path)
+        unless File.file?(path)
+          raise Error, "Hippofile file not found at #{path}"
+        end
+
+        root = File.dirname(path)
+        new(Util.load_yaml_from_file(path).first, root)
+      end
+    end
+
+    attr_reader :root
+
+    def initialize(options, root)
+      @options = options
+      @root = File.expand_path(root)
+    end
+
+    def name
+      @options['name'] || 'app'
+    end
+
+    def console
+      @options['console']
+    end
+
+    def template_vars
+      {
+        'name' => name,
+        'images' => images.each_with_object({}) { |(name, image), hash| hash[name.to_s] = image.template_vars }
+      }
+    end
+
+    def images
+      return {} unless @options['images'].is_a?(Hash)
+
+      @images ||= begin
+        @options['images'].each_with_object({}) do |(key, value), hash|
+          hash[key] = Image.new(key, value)
+        end
+      end
+    end
+
+    # Load all stages that are available in the manifest
+    #
+    # @return [Hash<Symbol, Hippo::Stage>]
+    def stages
+      objects('stages').each_with_object({}) do |(_, objects), hash|
+        objects.each do |obj|
+          stage = Stage.new(self, obj)
+          hash[stage.name] = stage
+        end
+      end
+    end
+
+    # Load all YAML objects at a given path and return them.
+    #
+    # @param path [String]
+    # @param decorator [Proc] an optional parser to run across the raw YAML file
+    # @return [Array<Hash>]
+    def objects(path, decorator: nil)
+      files = Dir[File.join(@root, path, '*.{yaml,yml}')]
+      files.each_with_object({}) do |path, objects|
+        file = Util.load_yaml_from_file(path, decorator: decorator)
+        objects[path.sub(%r{\A#{@root}/}, '')] = file
+      end
+    end
+  end
+end

data/lib/hippo/object_definition.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+module Hippo
+  class ObjectDefinition
+    def initialize(object, stage, clean: false)
+      @object = object
+      @stage = stage
+
+      unless clean
+        insert_namespace!
+        insert_default_labels!
+      end
+    end
+
+    def [](name)
+      @object[name]
+    end
+
+    def dig(*args)
+      @object.dig(*args)
+    end
+
+    def name
+      metadata['name']
+    end
+
+    def metadata
+      @object['metadata'] ||= {}
+    end
+
+    def kind
+      @object['kind']
+    end
+
+    def yaml
+      @object.to_yaml
+    end
+
+    def insert_namespace!
+      metadata['namespace'] = @stage.namespace
+    end
+
+    def insert_default_labels!
+      metadata['labels'] ||= {}
+      metadata['labels']['app.kubernetes.io/name'] = @stage.manifest.name
+      metadata['labels']['app.kubernetes.io/instance'] = @stage.name
+      metadata['labels']['app.kubernetes.io/managed-by'] = 'hippo'
+    end
+
+    def insert_deployment_id!(deployment_id)
+      metadata['labels'] ||= {}
+      metadata['labels']['hippo.adam.ac/deployID'] = deployment_id
+
+      # For deployments, insert the ID on the template too for deployments.
+      if kind == 'Deployment' && pod_metadata = @object.dig('spec', 'template', 'metadata')
+        pod_metadata['labels'] ||= {}
+        pod_metadata['labels']['hippo.adam.ac/deployID'] = deployment_id
+      end
+    end
+  end
+end

data/lib/hippo/secret.rb

@@ -1,165 +1,112 @@
 # frozen_string_literal: true
 
-require 'securerandom'
-require 'openssl'
-require 'encryptor'
-require 'hippo/util'
-
 module Hippo
   class Secret
-    include Hippo::Util
-
     HEADER = [
       '# This file is encrypted and managed by Hippo.',
-      '# Use `hippo secret [stage] [name]` to make changes to it.',
+      '# Use `hippo [stage] secrets:edit [name]` to make changes to it.',
       '#',
       '# Note: this cannot be applied directly to your Kubernetes server because',
       '# HippoEncryptedSecret is not a valid object. It will be automatically ',
       '# converted to a Secret when it is applied by Hippo.'
     ].join("\n")
 
+    EDIT_HEADER = [
+      '# This file has been unencrypted for you to edit it.',
+      '# Make your changes and close your edit to re-encrypt and save the file.',
+      '# You can change the apiVersion or add any additional metadata.',
+      '#',
+      '# You should not change the kind of document, it should be HippoEncryptedSecret.'
+    ].join("\n")
+
     def initialize(manager, name)
       @manager = manager
       @name = name
     end
 
-    # Return the path to the stored encrypted secret file
+    # Return the path where this secret is stored
     #
     # @return [String]
     def path
-      File.join(@manager.recipe.root, 'secrets', @manager.stage.name, "#{@name}.yaml")
+      File.join(@manager.root, "#{@name}.yaml")
     end
 
-    # Does the secret file currently exist on the file system?
+    # Does this secret exist yet?
     #
     # @return [Boolean]
     def exists?
       File.file?(path)
     end
 
-    # Return the secret file as it should be applied to Kubernetes.
+    # Create a new empty secret file on the file system
     #
-    # @return [String]
-    def to_secret_yaml
-      decrypted_parts.map do |part, _array|
-        part['kind'] = 'Secret'
-        part['metadata'] ||= {}
-        part['metadata']['namespace'] = @manager.stage.namespace
-
-        part['data'].each do |key, value|
-          part['data'][key] = Base64.encode64(value).gsub("\n", '').strip
-        end
-        part
-      end.map { |p| p.hash.to_yaml } .join("---\n")
+    # @return [void]
+    def create
+      return if exists?
+
+      od = ObjectDefinition.new(
+        {
+          'kind' => 'HippoEncryptedSecret',
+          'apiVersion' => 'v1',
+          'metadata' => {
+            'name' => @name
+          },
+          'data' => {
+            'example-value' => @manager.encrypt('This is an example encrypted value!')
+          }
+        },
+        @manager.stage,
+        clean: true
+      )
+      File.open(path, 'w') { |f| f.write(HEADER + "\n" + od.yaml) }
     end
 
-    # Return the secret file as it should be displayed for editting
+    # Read the value from the file and decrypt all values that are present
     #
     # @return [String]
-    def to_editable_yaml
-      decrypted_parts.map { |p| p.hash.to_yaml } .join("---\n")
-    end
-
-    # Edit a secret file by opening an editor and allow changes to be made.
-    # When the editor completes, finish by writing the file back to the disk.
-    #
-    # @return [void]
-    def edit
+    def editable_yaml
       return unless exists?
 
-      # Obtain a list of parts and map them to the name of the secret
-      # in the file.
-      original_decrypted_part_data = parse_parts(load_yaml_from_path(path), :decrypt)
-      original_encrypted_part_data = load_yaml_from_path(path).each_with_object({}) do |part, hash|
-        next if part.nil? || part.empty?
-
-        hash[part.dig('metadata', 'name')] = part['data']
-      end
-      original_part_data = original_decrypted_part_data.each_with_object({}) do |part, hash|
-        name = part.dig('metadata', 'name')
-        enc = original_encrypted_part_data[name]
-        next if enc.nil?
-
-        hash[part.dig('metadata', 'name')] = part['data'].each_with_object({}) do |(key, value), hash2|
-          hash2[key] = [value, enc[key]]
+      objects = Util.load_yaml_from_file(path)
+      objects.each do |hash|
+        hash['data'].each do |key, value|
+          hash['data'][key] = @manager.decrypt(value)
         end
       end
 
-      # Open the editor and gather what the user provides.
-      saved_contents = open_in_editor("secret-#{@name}", to_editable_yaml)
-
-      # This saved contents should now be validated to ensure it is valid
-      # YAML and, if so, it should be encrypted and then saved into the
-      # secret file as needed.
-      begin
-        yaml_parts = load_yaml_from_data(saved_contents)
-        parts = parse_parts(yaml_parts, :encrypt, original_part_data)
-        write(parts)
-      rescue StandardError => e
-        raise
-        puts "An error occurred parsing your file: #{e.message}"
-        saved_contents = open_in_editor("secret-#{@name}", saved_contents)
-        retry
-      end
-
-      puts "#{@name} secret has been editted"
+      objects.map(&:to_yaml).join("\n---\n")
     end
 
-    # Create a new templated encrypted secret with the given name
+    # Edit this secret
     #
     # @return [void]
-    def create
-      template = {
-        'apiVersion' => 'v1',
-        'kind' => 'HippoEncryptedSecret',
-        'metadata' => {
-          'name' => @name
-        },
-        'data' => {
-          'example' => @manager.encrypt('This is an example secret!')
-        }
-      }
-      write([template])
-    end
-
-    private
-
-    def decrypted_parts
-      return unless exists?
-
-      yaml_parts = load_yaml_from_path(path)
-      parse_parts(yaml_parts, :decrypt)
-    end
-
-    def parse_parts(yaml_parts, method, skips = {})
-      yaml_parts.each_with_object([]) do |part, array|
-        next if part.hash.nil? || part.hash.empty?
-
-        part['data'].each do |key, value|
-          skip = skips[part.dig('metadata', 'name')]
-          part['data'][key] = if skip && skip[key] && skip[key][0] == value
-                                skip[key][1]
-                              else
-                                @manager.public_send(method, value.to_s)
-                              end
+    def edit
+      contents = Util.open_in_editor("secret-#{@name}", EDIT_HEADER + "\n" + editable_yaml)
+      yamls = Util.load_yaml_from_data(contents)
+      ods = Util.create_object_definitions({ 'secret' => yamls }, @manager.stage, required_kinds: ['HippoEncryptedSecret'], clean: true)
+      ods.each do |od|
+        od['data'].each do |key, value|
+          od['data'][key] = @manager.encrypt(value)
         end
-
-        array << part
       end
+      File.open(path, 'w') { |f| f.write(HEADER + "\n" + ods.map(&:yaml).join("\n---\n")) }
+    rescue StandardError => e
+      puts "Failed to edit secret (#{e.message})"
+      retry
     end
 
-    # Write the array of given parts into a file along with a suitable
-    # explanatory header.
+    # Return this secret as it can be exported to kubernetes
     #
-    # @return [void]
-    def write(parts)
-      parts = parts.map(&:to_yaml).join("---\n")
-      data_to_write = HEADER + "\n" + parts
-
-      FileUtils.mkdir_p(File.dirname(path))
-      File.open(path, 'w') do |f|
-        f.write(data_to_write)
+    # @return [Array<ObjectDefinition>]
+    def applyable_yaml
+      objects = Util.load_yaml_from_file(path)
+      objects = objects.each do |hash|
+        hash['kind'] = 'Secret'
+        hash['data'].each do |key, value|
+          hash['data'][key] = Base64.encode64(@manager.decrypt(value)).gsub("\n", '')
+        end
       end
+      Util.create_object_definitions({ 'secret' => objects }, @manager.stage)
     end
   end
 end