Use existing certificates if available and update status command

2025-02-10 11:44:28 +05:30 · 2025-02-10 11:44:28 +05:30 · e491545354
commit e491545354
parent 9bc8ce4866
2 changed files with 42 additions and 30 deletions
--- a/stack_orchestrator/deploy/k8s/cluster_info.py
+++ b/stack_orchestrator/deploy/k8s/cluster_info.py
@ -114,7 +114,7 @@ class ClusterInfo:
                        nodeports.append(service)
        return nodeports

-    def get_ingress(self, use_tls=False, certificate=None, cluster_issuer="letsencrypt-prod"):
+    def get_ingress(self, use_tls=False, certificate_by_host={}, cluster_issuer="letsencrypt-prod"):
        # No ingress for a deployment that has no http-proxy defined, for now
        http_proxy_info_list = self.spec.get_http_proxy()
        if not http_proxy_info_list:
@ -127,6 +127,7 @@ class ClusterInfo:
                print(f"http-proxy: {http_proxy_info}")
            # TODO: good enough parsing for webapp deployment for now
            host_name = http_proxy_info["host-name"]
+            certificate = certificate_by_host[host_name] if host_name in certificate_by_host else None

            if use_tls:
                tls.append(client.V1IngressTLS(
--- a/stack_orchestrator/deploy/k8s/deploy_k8s.py
+++ b/stack_orchestrator/deploy/k8s/deploy_k8s.py
@ -227,16 +227,18 @@ class K8sDeployer(Deployer):
        self._create_volume_data()
        self._create_deployment()

-        http_proxy_info = self.cluster_info.spec.get_http_proxy()
+        http_proxy_info_list = self.cluster_info.spec.get_http_proxy()
        # Note: at present we don't support tls for kind (and enabling tls causes errors)
-        use_tls = http_proxy_info and not self.is_kind()
-        # TODO Handle for multiple http_proxy_info
-        certificate = self._find_certificate_for_host_name(http_proxy_info[0]["host-name"]) if use_tls else None
-        if opts.o.debug:
-            if certificate:
-                print(f"Using existing certificate: {certificate}")
+        use_tls = http_proxy_info_list and not self.is_kind()
+        certificate_by_host = {}
+        if use_tls:
+            for http_proxy_info in http_proxy_info_list:
+                certificate = self._find_certificate_for_host_name(http_proxy_info["host-name"])
+                if opts.o.debug and certificate:
+                    print(f"Using existing certificate: {certificate}")
+                certificate_by_host[http_proxy_info["host-name"]] = certificate

-        ingress: client.V1Ingress = self.cluster_info.get_ingress(use_tls=use_tls, certificate=certificate)
+        ingress: client.V1Ingress = self.cluster_info.get_ingress(use_tls=use_tls, certificates_by_host_name=certificate_by_host)
        if ingress:
            if opts.o.debug:
                print(f"Sending this ingress: {ingress}")
@ -368,7 +370,6 @@ class K8sDeployer(Deployer):
            # Destroy the kind cluster
            destroy_cluster(self.kind_cluster_name)

-    # TODO: Update for multiple host-names
    def status(self):
        self.connect_api()
        # Call whatever API we need to get the running container list
@ -383,36 +384,46 @@ class K8sDeployer(Deployer):
        if not pods:
            return

-        hostname = "?"
-        ip = "?"
-        tls = "?"
+        tls_by_host = {}
        try:
            ingress = self.networking_api.read_namespaced_ingress(namespace=self.k8s_namespace,
                                                                  name=self.cluster_info.get_ingress().metadata.name)

-            cert = self.custom_obj_api.get_namespaced_custom_object(
-                group="cert-manager.io",
-                version="v1",
-                namespace=self.k8s_namespace,
-                plural="certificates",
-                name=ingress.spec.tls[0].secret_name
-            )
-
-            hostname = ingress.spec.rules[0].host
            ip = ingress.status.load_balancer.ingress[0].ip
-            tls = "notBefore: %s; notAfter: %s; names: %s" % (
-                cert["status"]["notBefore"], cert["status"]["notAfter"], ingress.spec.tls[0].hosts
-            )
+            for rule in ingress.spec.rules:
+                hostname = rule.host
+                tls_spec = next((tls for tls in ingress.spec.tls if hostname in tls.hosts), None)
+                if tls_spec:
+                    cert = self.custom_obj_api.get_namespaced_custom_object(
+                        group="cert-manager.io",
+                        version="v1",
+                        namespace=self.k8s_namespace,
+                        plural="certificates",
+                        name=tls_spec.secret_name
+                    )
+                    tls = "notBefore: %s; notAfter: %s; names: %s" % (
+                        cert["status"]["notBefore"], cert["status"]["notAfter"], tls_spec.hosts
+                    )
+                    tls_by_host[hostname] = tls
+                else:
+                    tls_by_host[hostname] = None
        except:  # noqa: E722
            pass

        print("Ingress:")
-        print("\tHostname:", hostname)
-        print("\tIP:", ip)
-        print("\tTLS:", tls)
-        print("")
-        print("Pods:")
+        if len(tls_by_host) == 0:
+            print("\tHostname:", "?")
+            print("\tIP:", "?")
+            print("\tTLS:", "?")
+            print("")

+        for hostname, tls in tls_by_host.items():
+            print("\tHostname:", hostname)
+            print("\tIP:", ip)
+            print("\tTLS:", tls)
+            print("")
+
+        print("Pods:")
        for p in pods:
            if p.metadata.deletion_timestamp:
                print(f"\t{p.metadata.namespace}/{p.metadata.name}: Terminating ({p.metadata.deletion_timestamp})")