saner logic for DNS updates/reloads

Author: travisghansen

CHANGELOG.md

@@ -1,3 +1,10 @@
+# v0.1.9
+
+Released 2019-11-30
+
+- better logic for restarting DNS services
+- minor cleanups
+
 # v0.1.8
 
 Released 2019-10-22

README.md

@@ -8,6 +8,8 @@ This is generally achieved using the standard Kubernetes API along with the xmlr
 the Kubernetes API is `watch`ed and appropriate updates are sent to pfSense (`config.xml`) via xmlrpc calls along with
 appropriate reload/restart/update/sync actions to apply changes.
 
+Please note, this controller is not designed to run multiple instances simultaneously (ie: do NOT crank up the replicas).
+
 Disclaimer: this is new software bound to have bugs.  Please make a backup before using it as it may eat your
 configuration.  Having said that, all known code paths appear to be solid and working without issue.  If you find a bug,
 please report it! 
@@ -198,4 +200,4 @@ haproxy
  * https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/
  * https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/
  * https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- * https://github.com/MacFJA/PharBuilder
+ * https://github.com/MacFJA/PharBuilder

deploy/deployment.yaml

@@ -1,11 +1,14 @@
 ---
 kind: Deployment
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 metadata:
   name: kubernetes-pfsense-controller
   namespace: kube-system
 spec:
   replicas: 1
+  selector:
+    matchLabels:
+      app: kubernetes-pfsense-controller
   strategy:
     type: Recreate
   template:
@@ -16,7 +19,7 @@ spec:
       serviceAccountName: kubernetes-pfsense-controller
       containers:
         - name: kubernetes-pfsense-controller
-          image: docker.io/travisghansen/kubernetes-pfsense-controller:v0.1.5
+          image: docker.io/travisghansen/kubernetes-pfsense-controller:v0.1.9
           env:
             - name: PFSENSE_URL
               value: "https://192.168.1.1"

deploy/rbac.yaml

@@ -31,6 +31,7 @@ rules:
   - patch
 - apiGroups:
   - extensions
+  - networking.k8s.io
   resources:
   - ingresses
   verbs:

src/KubernetesPfSenseController/Plugin/CommonTrait.php

@@ -109,9 +109,19 @@ private function getWatchCallback($stateKey, $options = [])
             switch ($event['type']) {
                 case 'ADDED':
                 case 'MODIFIED':
+                    $result = KubernetesUtils::findListItem($items, $item['metadata']['name']);
+                    $itemKey = $result['key'];
+                    $oldItem = $result['item'];
+
                     KubernetesUtils::putListItem($items, $item);
                     if ($trigger) {
-                        $this->delayedAction();
+                        $shouldTriggerFromWatchUpdate = true;
+                        if ($itemKey !== null && method_exists($this, 'shouldTriggerFromWatchUpdate')) {
+                            $shouldTriggerFromWatchUpdate = $this->shouldTriggerFromWatchUpdate($oldItem, $item);
+                        }
+                        if ($shouldTriggerFromWatchUpdate) {
+                            $this->delayedAction();
+                        }
                     }
                     break;
                 case 'DELETED':
@@ -137,11 +147,15 @@ private function getWatchCallback($stateKey, $options = [])
      */
     protected function getKubernetesResourceDetails($resource)
     {
+        $apiVersion = KubernetesUtils::getResourceApiVersion($resource);
+        $kind = KubernetesUtils::getResourceKind($resource);
         $name = KubernetesUtils::getResourceName($resource);
         $namespace = KubernetesUtils::getResourceNamespace($resource);
         $selfLink = KubernetesUtils::getResourceSelfLink($resource);
 
         $values = [
+            //'apiVersion' => $apiVersion,
+            //'kind' => $kind,
             'selfLink' => $selfLink,
             'name' => $name,
         ];

src/KubernetesPfSenseController/Plugin/DNSHAProxyIngressProxy.php

@@ -55,6 +55,7 @@ public function init()
         ];
         $options = [
             'trigger' => false,
+            'log' => true
         ];
         $watch = $controller->getKubernetesClient()->createWatch($ingressResourceWatchPath, $params, $this->getWatchCallback('ingresses', $options));
         $this->addWatch($watch);

src/KubernetesPfSenseController/Plugin/DNSIngresses.php

@@ -53,7 +53,7 @@ public function init()
             'fieldSelector' => $ingressFieldSelector,
             'resourceVersion' => $ingresses['metadata']['resourceVersion'],
         ];
-        $watch = $controller->getKubernetesClient()->createWatch($ingressResourceWatchPath, $params, $this->getWatchCallback('resources'));
+        $watch = $controller->getKubernetesClient()->createWatch($ingressResourceWatchPath, $params, $this->getWatchCallback('resources', ['log' => true]));
         $this->addWatch($watch);
         $this->delayedAction();
     }

src/KubernetesPfSenseController/Plugin/DNSResourceTrait.php

@@ -68,6 +68,9 @@ public function doAction()
 
             if ($dnsmasqEnabled) {
                 $dnsmasqConfig = PfSenseConfigBlock::getRootConfigBlock($this->getController()->getRegistryItem('pfSenseClient'), 'dnsmasq');
+                if (!is_array($dnsmasqConfig->data['hosts'])) {
+                    $dnsmasqConfig->data['hosts'] = [];
+                }
                 foreach ($hosts as $host) {
                     Utils::putListItemMultiKey($dnsmasqConfig->data['hosts'], $host, ['host', 'domain']);
                 }
@@ -83,6 +86,9 @@ public function doAction()
 
             if ($unboundEnabled) {
                 $unboundConfig = PfSenseConfigBlock::getRootConfigBlock($this->getController()->getRegistryItem('pfSenseClient'), 'unbound');
+                if (!is_array($unboundConfig->data['hosts'])) {
+                    $unboundConfig->data['hosts'] = [];
+                }
                 foreach ($hosts as $host) {
                     Utils::putListItemMultiKey($unboundConfig->data['hosts'], $host, ['host', 'domain']);
                 }
@@ -119,4 +125,26 @@ public function doAction()
             return false;
         }
     }
+
+    /**
+     * Does a sanity check to prevent over-aggressive updates when watch resources are technically
+     * modified but the things we care about are not
+     *
+     * @param $oldItem
+     * @param $item
+     * @return bool
+     */
+    public function shouldTriggerFromWatchUpdate($oldItem, $item)
+    {
+        $oldResourceHosts = [];
+        $newResourceHosts = [];
+
+        $this->buildResourceHosts($oldResourceHosts, $oldItem);
+        $this->buildResourceHosts($newResourceHosts, $item);
+
+        if (md5(json_encode($oldResourceHosts)) != md5(json_encode($newResourceHosts))) {
+            return false;
+        }
+        return true;
+    }
 }

src/KubernetesPfSenseController/Plugin/KubernetesUtils.php

@@ -67,6 +67,28 @@ public static function getResourceByNamespaceName($resources, $namespace, $name)
         }
     }
 
+    /**
+     * Get apiVersion property from resource
+     *
+     * @param $resource
+     * @return mixed
+     */
+    public static function getResourceApiVersion($resource)
+    {
+        return $resource['apiVersion'];
+    }
+
+    /**
+     * Get kind property from resource
+     *
+     * @param $resource
+     * @return mixed
+     */
+    public static function getResourceKind($resource)
+    {
+        return $resource['kind'];
+    }
+
     /**
      * Get selfLink property from resource
      *