Add null cloud provider (#364)

Co-authored-by: Matt Pryor <[email protected]>
Co-authored-by: John Garbutt <[email protected]>

Author: 3 people

api/azimuth/apps/app.py

@@ -7,8 +7,6 @@
 
 import httpx
 
-import yaml
-
 from easykube import (
     Configuration,
     ApiError,
@@ -65,9 +63,14 @@ class Provider(base.Provider):
     """
     Base class for Cluster API providers.
     """
-    def __init__(self):
+    def __init__(
+        self,
+        # The label to use to find the default kubeconfig secret
+        default_kubeconfig_secret_label: str = "apps.azimuth-cloud.io/default-kubeconfig"
+    ):
         # Get the easykube configuration from the environment
         self._ekconfig = Configuration.from_environment()
+        self._default_kubeconfig_secret_label = default_kubeconfig_secret_label
 
     def session(self, cloud_session: cloud_base.ScopedSession) -> 'Session':
         """
@@ -78,16 +81,22 @@ def session(self, cloud_session: cloud_base.ScopedSession) -> 'Session':
         namespace = get_namespace(client, cloud_session.tenancy())
         # Set the target namespace as the default namespace for the client
         client.default_namespace = namespace
-        return Session(client, cloud_session)
+        return Session(client, cloud_session, self._default_kubeconfig_secret_label)
 
 
 class Session(base.Session):
     """
     Base class for a scoped session.
     """
-    def __init__(self, client: SyncClient, cloud_session: cloud_base.ScopedSession):
+    def __init__(
+        self,
+        client: SyncClient,
+        cloud_session: cloud_base.ScopedSession,
+        default_kubeconfig_secret_label: str
+    ):
         self._client = client
         self._cloud_session = cloud_session
+        self._default_kubeconfig_secret_label = default_kubeconfig_secret_label
 
     def _log(self, message, *args, level = logging.INFO, **kwargs):
         logger.log(
@@ -234,6 +243,23 @@ def find_app(self, id: str) -> dto.App:
         app = self._client.api(APPS_API_VERSION).resource("apps").fetch(id)
         return self._from_api_app(app)
 
+    def _find_default_kubeconfig_secret(self) -> t.Optional[t.Dict[str, t.Any]]:
+        """
+        Attempts to locate a default kubeconfig secret in the namespace.
+        """
+        # Find the first secret with the expected label
+        secret = self._client.api("v1").resource("secrets").first(
+            labels = { self._default_kubeconfig_secret_label: PRESENT }
+        )
+        if secret:
+            # Use the first key in the secret (we expect it to be the only key)
+            try:
+                return secret.metadata.name, next(iter(secret.get("data", {}).keys()))
+            except StopIteration:
+                # Fall through to the exception
+                pass
+        raise errors.BadInputError("Unable to determine Kubernetes cluster for app.")
+
     @convert_exceptions
     def create_app(
         self,
@@ -247,12 +273,15 @@ def create_app(
         """
         Create a new app in the tenancy.
         """
-        # For now, we require a Kubernetes cluster
-        if not kubernetes_cluster:
-            raise errors.BadInputError("No Kubernetes cluster specified.")
         # This driver requires the Zenith identity realm to be specified
         if not zenith_identity_realm_name:
             raise errors.BadInputError("No Zenith identity realm specified.")
+        # Decide which kubeconfig to use
+        if kubernetes_cluster:
+            kubeconfig_secret_name = f"{kubernetes_cluster.id}-kubeconfig"
+            kubeconfig_secret_key = "value"
+        else:
+            kubeconfig_secret_name, kubeconfig_secret_key = self._find_default_kubeconfig_secret()
         # NOTE(mkjpryor)
         # We know that the target namespace exists because it has a cluster in
         return self._from_api_app(
@@ -266,9 +295,11 @@ def create_app(
                             "app.kubernetes.io/managed-by": "azimuth",
                         },
                         # If the app belongs to a cluster, store that in an annotation
-                        "annotations": {
-                            "azimuth.stackhpc.com/cluster": kubernetes_cluster.id,
-                        },
+                        "annotations": (
+                            { "azimuth.stackhpc.com/cluster": kubernetes_cluster.id }
+                            if kubernetes_cluster
+                            else {}
+                        ),
                     },
                     "spec": {
                         "template": {
@@ -277,9 +308,8 @@ def create_app(
                             "version": template.versions[0].name,
                         },
                         "kubeconfigSecret": {
-                            # Use the kubeconfig for the cluster
-                            "name": f"{kubernetes_cluster.id}-kubeconfig",
-                            "key": "value",
+                            "name": kubeconfig_secret_name,
+                            "key": kubeconfig_secret_key,
                         },
                         "zenithIdentityRealmName": zenith_identity_realm_name,
                         "values": values,

api/azimuth/provider/base.py

@@ -127,6 +127,13 @@ def tenancies(self) -> Iterable[dto.Tenancy]:
         # Convert the tenancies from the auth DTO to the provider DTO
         return [dto.Tenancy(t.id, t.name) for t in self.auth_session.tenancies()]
 
+    def _requires_credential(self) -> bool:
+        """
+        Indicates whether the provider requires a credential.
+        """
+        # By default, we always require a credential
+        return True
+
     def _scoped_session(
         self,
         auth_user: auth_dto.User,
@@ -154,13 +161,21 @@ def scoped_session(self, tenancy: Union[dto.Tenancy, str]) -> 'ScopedSession':
                 raise errors.ObjectNotFoundError(
                     "Could not find tenancy with ID {}.".format(tenancy)
                 )
-        # Get the credential from the auth session for this provider
-        credential = self.auth_session.credential(tenancy.id, self.provider_name)
-        # If the auth session is unable to supply a credential for the provider, bail
-        if not credential:
-            msg = f"no credentials available for {self.provider_name} provider"
-            raise errors.InvalidOperationError(msg)
-        return self._scoped_session(self.auth_user, tenancy, credential.data)
+        # If the provider requires a credential, try to find one
+        if self._requires_credential():
+            # Get the credential from the auth session for this provider
+            credential = self.auth_session.credential(tenancy.id, self.provider_name)
+            # If a credential is available, extract the data
+            # If the auth session is unable to supply a credential, bail
+            if credential:
+                credential_data = credential.data
+            else:
+                msg = f"no credentials available for {self.provider_name} provider"
+                raise errors.InvalidOperationError(msg)
+        else:
+            # If the provider does not require a credential, just pass empty data
+            credential_data = ""
+        return self._scoped_session(self.auth_user, tenancy, credential_data)
 
     def close(self):
         """

api/azimuth/provider/null.py

@@ -0,0 +1,35 @@
+from . import base, dto
+
+
+class Provider(base.Provider):
+    """
+    Null provider implementation that doesn't implement anything.
+    """
+    provider_name = "null"
+
+    def _from_auth_session(self, auth_session, auth_user):
+        return UnscopedSession(auth_session, auth_user)
+
+
+class UnscopedSession(base.UnscopedSession):
+    """
+    Unscoped session implementation for the null provider.
+    """
+    provider_name = "null"
+
+    def _requires_credential(self):
+        # The null provider does not require a credential
+        return False
+
+    def _scoped_session(self, auth_user, tenancy, credential_data):
+        return ScopedSession(auth_user, tenancy)
+
+
+class ScopedSession(base.ScopedSession):
+    """
+    Scoped session implementation for the null provider.
+    """
+    provider_name = "null"
+
+    def capabilities(self):
+        return dto.Capabilities(supports_volumes = False)

api/azimuth/serializers.py

@@ -1053,7 +1053,10 @@ class CreateKubernetesAppSerializer(serializers.Serializer):
         "^[a-z0-9-]+$",
         write_only = True,
         # The apps driver decides whether the cluster is required or not
-        required = False
+        # So the field is not required and empty strings and null are allowed
+        required = False,
+        allow_blank = True,
+        allow_null = True
     )
     values = serializers.JSONField(write_only = True)
 

api/azimuth/settings.py

@@ -120,15 +120,18 @@ class AppsProviderSetting(ObjectFactorySetting):
     Custom setting for the Kubernetes app provider.
     """
     def _get_default(self, instance):
-        # For now, apps are only available if a Kubernetes provider is configured
+        # If a Cluster API provider is configured, use the helmrelease provider
+        # If not, use the app provider with the default settings
         if instance.CLUSTER_API_PROVIDER:
-            # By default, we use the HelmRelease provider (for now)
             return {
                 "FACTORY": "azimuth.apps.helmrelease.Provider",
                 "PARAMS": {},
             }
         else:
-            return None
+            return {
+                "FACTORY": "azimuth.apps.app.Provider",
+                "PARAMS": {},
+            }
 
 
 class AppsSettings(SettingsObject):

chart/files/api/settings/04-cloud-provider.yaml

@@ -17,6 +17,9 @@ AZIMUTH:
       {{- with .Values.provider.openstack.internalNetDNSNameservers }}
       INTERNAL_NET_DNS_NAMESERVERS: {{ toYaml . | nindent 8 }}
       {{- end }}
+    {{- else if (eq .Values.provider.type "null")}}
+    FACTORY: azimuth.provider.null.Provider
+    PARAMS: {}
     {{- else }}
     {{- fail (printf "Unrecognised cloud provider '%s'" .Values.provider.type) }}
     {{- end }}

chart/files/api/settings/12-apps-provider.yaml

@@ -1,8 +1,18 @@
+{{- if .Values.appsProvider.enabled }}
+{{- if eq .Values.appsProvider.type "app" }}
 AZIMUTH:
-  {{- if .Values.appsProvider.enabled }}
   APPS_PROVIDER:
-    FACTORY: azimuth.apps.{{ .Values.appsProvider.type }}.Provider
+    FACTORY: azimuth.apps.app.Provider
     PARAMS: {}
-  {{- else }}
-  APPS_PROVIDER: null
-  {{- end }}
+{{- else if eq .Values.appsProvider.type "helmrelease" }}
+AZIMUTH:
+  APPS_PROVIDER:
+    FACTORY: azimuth.apps.helmrelease.Provider
+    PARAMS: {}
+{{- else if ne .Values.appsProvider.type "default" }}
+{{- fail (printf "Unrecognised apps provider '%s'" .Values.appsProvider.type) }}
+{{- end }}
+{{- else }}
+AZIMUTH:
+  APPS_PROVIDER: ~
+{{- end }}

chart/values.yaml

@@ -250,7 +250,9 @@ authentication:
 
 # The cloud provider to use
 provider:
-  # The type of provider to use (currently only openstack is supported)
+  # The type of provider to use - openstack and null are supported
+  # The null provider does not support any cloud functionality, but does support deploying
+  # apps on a pre-configured Kubernetes cluster
   type: openstack
   # Parameters for the openstack provider
   openstack:
@@ -406,10 +408,13 @@ scheduling:
 
 # Settings for the Kubernetes apps provider
 appsProvider:
-  # Indicates whether the apps provider should be enabled
+  # Indicates if the apps provider should be enabled
   enabled: true
-  # The type of provider to use, one of "helmrelease" or "app"
-  type: helmrelease
+  # The apps provider to use - valid options are default, helmrelease and app
+  #   If default is specified then the helmrelease provider is used if Cluster
+  #   API is available (for backwards compatibility), and the app provider is
+  #   used when Cluster API is not available
+  type: default
 
 # Properties for applying themes
 theme:

ui/Dockerfile

@@ -29,8 +29,6 @@ RUN gpg2 --keyserver hkp://keyserver.ubuntu.com:80 --keyserver-options timeout=1
 
 FROM ubuntu:jammy
 
-ARG NGINX_VERSION
-
 # Copy the GPG key from the intermediate container
 COPY --from=nginx-gpg-key /usr/share/keyrings/nginx-archive-keyring.gpg /usr/share/keyrings/
 
@@ -45,6 +43,7 @@ COPY --from=nginx-gpg-key /usr/share/keyrings/nginx-archive-keyring.gpg /usr/sha
 #   3. Use a subdirectory of /var/run for the pid file that is writable by the nginx user
 #      When running with a RO filesystem we will mount a writable directory over it,
 #      but we don't want to make all of /var/run writable
+RUN echo "Target NGINX version: ${NGINX_VERSION}"
 RUN apt-get update && \
     apt-get install --no-install-recommends --no-install-suggests -y ca-certificates && \
     echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/ubuntu/ jammy nginx" \

ui/src/application.js

@@ -140,7 +140,7 @@ const ConnectedTenancyResourcePage = connect(
 
     // Ensure that we initialise the resources we need to decide if platforms are supported
     // Platforms are supported if:
-    //   The tenancy has access to at least one cluster type or Kubernetes template
+    //   The tenancy has access to at least one platform type (i.e. CaaS, Kubernetes, Kubernetes app)
     //   OR
     //   There is at least one platform deployed in the tenancy
     useResourceInitialised(
@@ -159,23 +159,35 @@ const ConnectedTenancyResourcePage = connect(
         currentTenancy.kubernetesClusters,
         boundTenancyActions.kubernetesCluster.fetchList
     );
+    useResourceInitialised(
+        currentTenancy.kubernetesAppTemplates,
+        boundTenancyActions.kubernetesAppTemplate.fetchList
+    );
+    useResourceInitialised(
+        currentTenancy.kubernetesApps,
+        boundTenancyActions.kubernetesApp.fetchList
+    );
 
     // Decide whether we have enough information yet to decide if platforms are supported
     let supportsPlatforms;
     if(
         Object.keys(currentTenancy.clusterTypes.data || {}).length > 0 ||
         Object.keys(currentTenancy.kubernetesClusterTemplates.data || {}).length > 0 ||
+        Object.keys(currentTenancy.kubernetesAppTemplates.data || {}).length > 0 ||
         Object.keys(currentTenancy.clusters.data || {}).length > 0 ||
-        Object.keys(currentTenancy.kubernetesClusters.data || {}).length > 0
+        Object.keys(currentTenancy.kubernetesClusters.data || {}).length > 0 ||
+        Object.keys(currentTenancy.kubernetesApps.data || {}).length > 0
     ) {
         // If one of the resources has some data, platforms are supported
         supportsPlatforms = true;
     }
     else if(
         currentTenancy.clusterTypes.initialised &&
         currentTenancy.kubernetesClusterTemplates.initialised &&
+        currentTenancy.kubernetesAppTemplates.initialised &&
         currentTenancy.clusters.initialised &&
-        currentTenancy.kubernetesClusters.initialised
+        currentTenancy.kubernetesClusters.initialised &&
+        currentTenancy.kubernetesApps.initialised
     ) {
         // If none of the resources has any data but they are all initialised, platforms
         // are not supported
@@ -184,8 +196,10 @@ const ConnectedTenancyResourcePage = connect(
     else if(
         currentTenancy.clusterTypes.fetching ||
         currentTenancy.kubernetesClusterTemplates.fetching ||
+        currentTenancy.kubernetesAppTemplates.fetching ||
         currentTenancy.clusters.fetching ||
-        currentTenancy.kubernetesClusters.fetching
+        currentTenancy.kubernetesClusters.fetching ||
+        currentTenancy.kubernetesApps.fetching
     ) {
         // If one of the resources is still fetching, we can't decide yet
         return (
@@ -204,8 +218,10 @@ const ConnectedTenancyResourcePage = connect(
             [
                 currentTenancy.clusterTypes.fetchError,
                 currentTenancy.kubernetesClusterTemplates.fetchError,
+                currentTenancy.kubernetesAppTemplates.fetchError,
                 currentTenancy.clusters.fetchError,
-                currentTenancy.kubernetesClusters.fetchError
+                currentTenancy.kubernetesClusters.fetchError,
+                currentTenancy.kubernetesApps.fetchError
             ].filter(e => !!e)
         );
         if( fetchErrors.length == 0 ) {