Add controller for specializing k8se pods (#7083)

Author: divyagandhisethi

src/WebJobs.Script.WebHost/Controllers/KubernetesPodController.cs

@@ -0,0 +1,50 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Azure.WebJobs.Script.WebHost.Management;
+using Microsoft.Azure.WebJobs.Script.WebHost.Models;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security.Authorization.Policies;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.Azure.WebJobs.Script.WebHost.Controllers
+{
+    public class KubernetesPodController : Controller
+    {
+        private readonly IEnvironment _environment;
+        private readonly IInstanceManager _instanceManager;
+        private readonly ILogger _logger;
+        private readonly StartupContextProvider _startupContextProvider;
+
+        public KubernetesPodController(IEnvironment environment, IInstanceManager instanceManager, ILoggerFactory loggerFactory, StartupContextProvider startupContextProvider)
+        {
+            _environment = environment;
+            _instanceManager = instanceManager;
+            _logger = loggerFactory.CreateLogger<KubernetesPodController>();
+            _startupContextProvider = startupContextProvider;
+        }
+
+        [HttpPost]
+        [Route("admin/pod/assign")]
+        public async Task<IActionResult> Assign([FromBody] EncryptedHostAssignmentContext encryptedAssignmentContext)
+        {
+            _logger.LogDebug($"Starting container assignment for host : {Request?.Host}");
+            var assignmentContext = _startupContextProvider.SetContext(encryptedAssignmentContext);
+
+            string error = await _instanceManager.ValidateContext(assignmentContext);
+            if (error != null)
+            {
+                return StatusCode(StatusCodes.Status400BadRequest, error);
+            }
+
+            var succeeded = _instanceManager.StartAssignment(assignmentContext);
+
+            return succeeded
+                ? Accepted()
+                : StatusCode(StatusCodes.Status409Conflict, "Instance already assigned");
+        }
+    }
+}

src/WebJobs.Script.WebHost/Security/SimpleWebTokenHelper.cs

@@ -86,6 +86,11 @@ public static string Decrypt(byte[] encryptionKey, string value)
 
         public static string Decrypt(string value, IEnvironment environment = null)
         {
+            if ((environment != null) && environment.IsKubernetesManagedHosting())
+            {
+                var encryptionKey = GetPodEncryptionKey(environment);
+                return Decrypt(encryptionKey, value);
+            }
             // Use WebSiteAuthEncryptionKey if available else fallback to ContainerEncryptionKey.
             // Until the container is specialized to a specific site WebSiteAuthEncryptionKey will not be available.
             byte[] key;
@@ -153,6 +158,16 @@ private static bool TryGetEncryptionKey(IEnvironment environment, string keyName
             return true;
         }
 
+        private static byte[] GetPodEncryptionKey(IEnvironment environment)
+        {
+            var podEncryptionKey = environment.GetEnvironmentVariable(EnvironmentSettingNames.PodEncryptionKey);
+            if (string.IsNullOrEmpty(podEncryptionKey))
+            {
+                throw new Exception("Pod encryption key is empty.");
+            }
+            return Convert.FromBase64String(podEncryptionKey);
+        }
+
         public static byte[] ToKeyBytes(this string hexOrBase64)
         {
             // only support 32 bytes (256 bits) key length

src/WebJobs.Script/Environment/EnvironmentSettingNames.cs

@@ -62,6 +62,7 @@ public static class EnvironmentSettingNames
         //Function in Kubernetes
         public const string PodNamespace = "POD_NAMESPACE";
         public const string PodName = "POD_NAME";
+        public const string PodEncryptionKey = "POD_ENCRYPTION_KEY";
 
         /// <summary>
         /// Environment variable dynamically set by the platform when it is safe to

test/WebJobs.Script.Tests.Integration/Management/KubernetesPodControllerTests.cs

@@ -0,0 +1,142 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System.Collections.Generic;
+using System.Net;
+using System.Net.Http;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Azure.WebJobs.Script.WebHost;
+using Microsoft.Azure.WebJobs.Script.WebHost.Controllers;
+using Microsoft.Azure.WebJobs.Script.WebHost.Management;
+using Microsoft.Azure.WebJobs.Script.WebHost.Models;
+using Microsoft.Azure.WebJobs.Script.WebHost.Security;
+using Microsoft.Extensions.Logging;
+using Microsoft.WebJobs.Script.Tests;
+using Moq;
+using Moq.Protected;
+using Newtonsoft.Json;
+using Xunit;
+
+namespace Microsoft.Azure.WebJobs.Script.Tests.Managment
+{
+    [Trait(TestTraits.Category, TestTraits.EndToEnd)]
+    [Trait(TestTraits.Group, TestTraits.ContainerInstanceTests)]
+    public class KubernetesPodControllerTests
+    {
+        private readonly TestOptionsFactory<ScriptApplicationHostOptions> _optionsFactory = new TestOptionsFactory<ScriptApplicationHostOptions>(new ScriptApplicationHostOptions());
+
+        [Fact]
+        public async Task Assignment_Succeeds_With_Encryption_Key()
+        {
+            var environment = new TestEnvironment();
+            environment.SetEnvironmentVariable(EnvironmentSettingNames.AzureWebsitePlaceholderMode, "1");
+
+            var scriptWebEnvironment = new ScriptWebHostEnvironment(environment);
+
+            var loggerFactory = new LoggerFactory();
+            var loggerProvider = new TestLoggerProvider();
+            loggerFactory.AddProvider(loggerProvider);
+
+            var handlerMock = new Mock<HttpMessageHandler>(MockBehavior.Strict);
+
+            handlerMock.Protected().Setup<Task<HttpResponseMessage>>("SendAsync",
+            ItExpr.IsAny<HttpRequestMessage>(),
+            ItExpr.IsAny<CancellationToken>()).ReturnsAsync(new HttpResponseMessage
+            {
+                StatusCode = HttpStatusCode.OK
+            });
+
+            var instanceManager = new InstanceManager(_optionsFactory, new HttpClient(handlerMock.Object), scriptWebEnvironment, environment, loggerFactory.CreateLogger<InstanceManager>(), new TestMetricsLogger(), null);
+            var startupContextProvider = new StartupContextProvider(environment, loggerFactory.CreateLogger<StartupContextProvider>());
+
+            InstanceManager.Reset();
+
+            var podController = new KubernetesPodController(environment, instanceManager, loggerFactory, startupContextProvider);
+
+            const string podEncryptionKey = "/a/vXvWJ3Hzgx4PFxlDUJJhQm5QVyGiu0NNLFm/ZMMg=";
+            var hostAssignmentContext = new HostAssignmentContext
+            {
+                Environment = new Dictionary<string, string>()
+                {
+                    [EnvironmentSettingNames.AzureWebsiteRunFromPackage] = "http://localhost:1234"
+                }
+            };
+            hostAssignmentContext.Secrets = new FunctionAppSecrets();
+            hostAssignmentContext.IsWarmupRequest = false;
+
+            var encryptedHostAssignmentValue = SimpleWebTokenHelper.Encrypt(JsonConvert.SerializeObject(hostAssignmentContext), podEncryptionKey.ToKeyBytes());
+
+            var encryptedHostAssignmentContext = new EncryptedHostAssignmentContext()
+            {
+                EncryptedContext = encryptedHostAssignmentValue
+            };
+
+            environment.SetEnvironmentVariable(EnvironmentSettingNames.PodEncryptionKey, podEncryptionKey);
+            environment.SetEnvironmentVariable(EnvironmentSettingNames.KubernetesServiceHost, "http://localhost:80");
+            environment.SetEnvironmentVariable(EnvironmentSettingNames.PodNamespace, "k8se-apps");
+
+            var result = await podController.Assign(encryptedHostAssignmentContext);
+            Assert.NotNull(startupContextProvider.Context);
+            Assert.IsType<AcceptedResult>(result);
+        }
+
+        [Fact]
+        public async Task Assignment_Fails_Without_Encryption_Key()
+        {
+            var environment = new TestEnvironment();
+            environment.SetEnvironmentVariable(EnvironmentSettingNames.AzureWebsitePlaceholderMode, "1");
+
+            var scriptWebEnvironment = new ScriptWebHostEnvironment(environment);
+
+            var loggerFactory = new LoggerFactory();
+            var loggerProvider = new TestLoggerProvider();
+            loggerFactory.AddProvider(loggerProvider);
+
+            var handlerMock = new Mock<HttpMessageHandler>(MockBehavior.Strict);
+
+            handlerMock.Protected().Setup<Task<HttpResponseMessage>>("SendAsync",
+            ItExpr.IsAny<HttpRequestMessage>(),
+            ItExpr.IsAny<CancellationToken>()).ReturnsAsync(new HttpResponseMessage
+            {
+                StatusCode = HttpStatusCode.OK
+            });
+
+            var instanceManager = new InstanceManager(_optionsFactory, new HttpClient(handlerMock.Object), scriptWebEnvironment, environment, loggerFactory.CreateLogger<InstanceManager>(), new TestMetricsLogger(), null);
+            var startupContextProvider = new StartupContextProvider(environment, loggerFactory.CreateLogger<StartupContextProvider>());
+
+            InstanceManager.Reset();
+
+            const string podEncryptionKey = "/a/vXvWJ3Hzgx4PFxlDUJJhQm5QVyGiu0NNLFm/ZMMg=";
+            var podController = new KubernetesPodController(environment, instanceManager, loggerFactory, startupContextProvider);
+
+            var hostAssignmentContext = new HostAssignmentContext
+            {
+                Environment = new Dictionary<string, string>()
+                {
+                    [EnvironmentSettingNames.AzureWebsiteRunFromPackage] = "http://localhost:1234"
+                }
+            };
+            hostAssignmentContext.Secrets = new FunctionAppSecrets();
+            hostAssignmentContext.IsWarmupRequest = false;
+
+            var encryptedHostAssignmentValue = SimpleWebTokenHelper.Encrypt(JsonConvert.SerializeObject(hostAssignmentContext), podEncryptionKey.ToKeyBytes());
+
+            var encryptedHostAssignmentContext = new EncryptedHostAssignmentContext()
+            {
+                EncryptedContext = encryptedHostAssignmentValue
+            };
+
+            environment.SetEnvironmentVariable(EnvironmentSettingNames.KubernetesServiceHost, "http://localhost:80");
+            environment.SetEnvironmentVariable(EnvironmentSettingNames.PodNamespace, "k8se-apps");
+
+            var ex = await Assert.ThrowsAsync<System.Exception>(async () =>
+            {
+                await (podController.Assign(encryptedHostAssignmentContext));
+            });
+            Assert.Null(startupContextProvider.Context);
+        }
+
+    }
+}