lenra-io · jonas-martinez · Feb 13, 2024 · Feb 13, 2024 · Feb 13, 2024 · Feb 13, 2024
diff --git a/.vscode/postman/lenra_server.postman_collection.json b/.vscode/postman/lenra_server.postman_collection.json
diff --git a/.vscode/postman/local.postman_environment.json b/.vscode/postman/local.postman_environment.json
@@ -0,0 +1,39 @@
+{
+	"id": "697ac5e7-6171-4875-a90d-276e7bc0d3ee",
+	"name": "Local",
+	"values": [
+		{
+			"key": "lenra_endpoint",
+			"value": "http://localhost:4000",
+			"type": "default",
+			"enabled": true
+		},
+		{
+			"key": "hydra_endpoint",
+			"value": "http://localhost:4444",
+			"type": "default",
+			"enabled": true
+		},
+		{
+			"key": "hydra_redirect_url",
+			"value": "https://oauthdebugger.com/debug",
+			"type": "default",
+			"enabled": true
+		},
+		{
+			"key": "hydra_client_scope",
+			"value": "profile store manage:account manage:apps",
+			"type": "default",
+			"enabled": true
+		},
+		{
+			"key": "lenra_client_id",
+			"value": "",
+			"type": "default",
+			"enabled": true
+		}
+	],
+	"_postman_variable_scope": "environment",
+	"_postman_exported_at": "2024-02-06T12:00:49.888Z",
+	"_postman_exported_using": "Postman/10.22.13-240205-0449"
+}
diff --git a/.vscode/postman/staging.postman_environment.json b/.vscode/postman/staging.postman_environment.json
@@ -0,0 +1,39 @@
+{
+	"id": "1461dd99-7ff3-4a84-a3d3-2b2f57fa466d",
+	"name": "Staging",
+	"values": [
+		{
+			"key": "lenra_endpoint",
+			"value": "https://api.staging.lenra.io",
+			"type": "default",
+			"enabled": true
+		},
+		{
+			"key": "hydra_endpoint",
+			"value": "https://auth.staging.lenra.io",
+			"type": "default",
+			"enabled": true
+		},
+		{
+			"key": "hydra_redirect_url",
+			"value": "https://oauthdebugger.com/debug",
+			"type": "default",
+			"enabled": true
+		},
+		{
+			"key": "hydra_client_scope",
+			"value": "profile store manage:account manage:apps",
+			"type": "default",
+			"enabled": true
+		},
+		{
+			"key": "lenra_client_id",
+			"value": "4f162a6c-dfdd-4c75-8305-097e30a19e6f",
+			"type": "default",
+			"enabled": true
+		}
+	],
+	"_postman_variable_scope": "environment",
+	"_postman_exported_at": "2024-02-06T11:58:57.655Z",
+	"_postman_exported_using": "Postman/10.22.13-240205-0449"
+}
diff --git a/apps/lenra/lib/lenra/errors/business_error.ex b/apps/lenra/lib/lenra/errors/business_error.ex
@@ -33,6 +33,10 @@ defmodule Lenra.Errors.BusinessError do
        "Currently not capable to handle this type of pipeline. (`pipeline_runner` can be: [GitLab, Kubernetes])"},
       {:subscription_required, "You need a subscirption", 402},
       {:stripe_error, "Stripe error"},
-      {:subscription_already_exist, "You already have a subscription for this app", 403}
+      {:subscription_already_exist, "You already have a subscription for this app", 403},
+      {:env_secret_already_exist, "You already have a secret with this key", 403},
+      {:env_secret_not_found, "The secret your tried to update didn't exist", 404},
+      {:api_return_unexpected_response, "A dependency API used in this call return an unexpected response", 500},
+      {:kubernetes_unexpected_response, "Kubernetes return an unexpected response", 500}
     ]
 end
diff --git a/apps/lenra/lib/lenra/kubernetes/api_services.ex b/apps/lenra/lib/lenra/kubernetes/api_services.ex
@@ -8,7 +8,8 @@
  alias Lenra.Apps.Build
   alias Lenra.Apps.Deployment
   alias Lenra.Kubernetes.StatusDynSup
   alias Lenra.Repo
+  alias Ecto
   require Logger
 
   @doc """
@@ -44,44 +45,19 @@
 
     build_name = "build-#{service_name}-#{build_number}"
 
-    base64_repository = Base.encode64(app_repository)
-    base64_repository_branch = Base.encode64(app_repository_branch || "")
-
-    base64_callback_url = Base.encode64("#{runner_callback_url}/runner/builds/#{build_id}?secret=#{runner_secret}")
-
-    base64_image_name = Base.encode64(Apps.image_name(service_name, build_number))
-
-    secret_body =
-      Jason.encode!(%{
-        apiVersion: "v1",
-        kind: "Secret",
-        type: "Opaque",
-        metadata: %{
-          name: build_name,
-          namespace: kubernetes_build_namespace
-        },
-        data: %{
-          APP_REPOSITORY: base64_repository,
-          REPOSITORY_BRANCH: base64_repository_branch,
-          CALLBACK_URL: base64_callback_url,
-          IMAGE_NAME: base64_image_name
-        }
-      })
-
     secret_response =
-      Finch.build(:post, secrets_url, headers, secret_body)
-      |> Finch.request(PipelineHttp)
-      |> response(:secret)
+      create_k8s_secret(build_name, kubernetes_build_namespace, %{
+        APP_REPOSITORY: app_repository,
+        REPOSITORY_BRANCH: app_repository_branch || "",
+        CALLBACK_URL: "#{runner_callback_url}/runner/builds/#{build_id}?secret=#{runner_secret}",
+        IMAGE_NAME: Apps.image_name(service_name, build_number)
+      })
 
     case secret_response do
-      {:ok, _} ->
+      {:ok} ->
         :ok
 
       :secret_exist ->
-        Finch.build(:delete, secrets_url <> "/#{build_name}", headers)
-        |> Finch.request(PipelineHttp)
-        |> response(:secret)
-
         if retry < 1 do
           create_pipeline(
             service_name,
@@ -203,6 +179,11 @@
     {:ok, Jason.decode!(body)}
   end
 
+  defp response({:ok, %Finch.Response{status: status_code, body: body}}, :secret)
+       when status_code in [404] do
+    {:error, :secret_not_found, Jason.decode!(body)}
+  end
+
   defp response({:ok, %Finch.Response{status: status_code, body: body}}, :build)
        when status_code in [200, 201, 202] do
     %{"metadata" => %{"name" => name}} = Jason.decode!(body)
@@ -213,20 +194,224 @@
     raise "Kubernetes API could not be reached. It should not happen. #{reason}"
   end
 
-  defp response(
-         {:ok,
-          %Finch.Response{
-            status: status_code
-          }},
-         _atom
-       )
+  defp response({:ok, %Finch.Response{status: status_code}}, _atom)
        when status_code in [409] do
-    :secret_exist
+    {:error, :secret_exist}
   end
 
   defp response({:ok, %Finch.Response{status: status_code, body: body}}, _atom) do
     Logger.critical("#{__MODULE__} kubernetes return status code #{status_code} with message #{inspect(body)}")
 
     {:error, :kubernetes_error}
   end
+
+  defp get_k8s_secret(secret_name, namespace) do
+    kubernetes_api_url = Application.fetch_env!(:lenra, :kubernetes_api_url)
+    kubernetes_api_token = Application.fetch_env!(:lenra, :kubernetes_api_token)
+
+    secrets_url = "#{kubernetes_api_url}/api/v1/namespaces/#{namespace}/secrets/#{secret_name}"
+
+    headers = [
+      {"Authorization", "Bearer #{kubernetes_api_token}"},
+      {"content-type", "application/json"}
+    ]
+
+    secret_response =
+      Finch.build(:get, secrets_url, headers)
+      |> Finch.request(PipelineHttp)
+      |> response(:secret)
+
+    case secret_response do
+      {:ok, body} ->
+        %{"data" => secret_data} = body
+        {:ok, Enum.into(Enum.map(secret_data, fn {key, value} -> {key, Base.decode64!(value)} end), %{})}
+
+      {:error, error, _reason} ->
+        {:error, error}
+    end
+  end
+
+  defp create_k8s_secret(secret_name, namespace, data) do
+    kubernetes_api_url = Application.fetch_env!(:lenra, :kubernetes_api_url)
+    kubernetes_api_token = Application.fetch_env!(:lenra, :kubernetes_api_token)
+
+    secrets_url = "#{kubernetes_api_url}/api/v1/namespaces/#{namespace}/secrets"
+
+    headers = [
+      {"Authorization", "Bearer #{kubernetes_api_token}"},
+      {"content-type", "application/json"}
+    ]
+
+    secret_body =
+      Jason.encode!(%{
+        apiVersion: "v1",
+        kind: "Secret",
+        type: "Opaque",
+        metadata: %{
+          name: secret_name,
+          namespace: namespace
+        },
+        data: Enum.into(Enum.map(data, fn {key, value} -> {key, Base.encode64(value)} end), %{})
+      })
+
+    secret_response =
+      Finch.build(:post, secrets_url, headers, secret_body)
+      |> Finch.request(PipelineHttp)
+      |> response(:secret)
+
+    case secret_response do
+      {:ok, _} -> {:ok, data}
+      {:error, error} -> {:error, error}
+    end
+  end
+
+  defp update_k8s_secret(secret_name, namespace, secrets) do
+    kubernetes_api_url = Application.fetch_env!(:lenra, :kubernetes_api_url)
+    kubernetes_api_token = Application.fetch_env!(:lenra, :kubernetes_api_token)
+
+    secrets_url = "#{kubernetes_api_url}/api/v1/namespaces/#{namespace}/secrets/#{secret_name}"
+
+    headers = [
+      {"Authorization", "Bearer #{kubernetes_api_token}"},
+      {"content-type", "application/json"}
+    ]
+
+    secret_body =
+      Jason.encode!(%{
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: %{
+          name: secret_name
+        },
+        data: Enum.into(Enum.map(secrets, fn {key, value} -> {key, Base.encode64(value)} end), %{})
+      })
+
+    secret_response =
+      Finch.build(:put, secrets_url, headers, secret_body)
+      |> Finch.request(PipelineHttp)
+      |> response(:secret)
+
+    case secret_response do
+      {:ok, _secret} -> {:ok}
+      _other -> {:secret_not_found}
+    end
+  end
+
+  defp delete_k8s_secret(secret_name, namespace) do
+    kubernetes_api_url = Application.fetch_env!(:lenra, :kubernetes_api_url)
+    kubernetes_api_token = Application.fetch_env!(:lenra, :kubernetes_api_token)
+
+    secrets_url = "#{kubernetes_api_url}/api/v1/namespaces/#{namespace}/secrets/#{secret_name}"
+
+    headers = [
+      {"Authorization", "Bearer #{kubernetes_api_token}"},
+      {"content-type", "application/json"}
+    ]
+
+    secret_response =
+      Finch.build(:delete, secrets_url, headers)
+      |> Finch.request(PipelineHttp)
+      |> response(:secret)
+
+    case secret_response do
+      {:ok, _secret} -> {:ok}
+      _error -> {:secret_not_found}
+    end
+  end
+
+  def get_environment_secrets(service_name, env_id) do
+    secret_name = "#{service_name}-secret-#{env_id}"
+    kubernetes_apps_namespace = Application.fetch_env!(:lenra, :kubernetes_apps_namespace)
+
+    case get_k8s_secret(secret_name, kubernetes_apps_namespace) do
+      {:ok, secrets} -> {:ok, Enum.map(secrets, fn {key, _value} -> key end)}
+      {:error, :secret_not_found} -> {:error, :secret_not_found}
+      {:error, error} -> {:error, error}
+    end
+  end
+
+  def create_environment_secrets(service_name, env_id, secrets) do
+    secret_name = "#{service_name}-secret-#{env_id}"
+    kubernetes_apps_namespace = Application.fetch_env!(:lenra, :kubernetes_apps_namespace)
+
+    case create_k8s_secret(secret_name, kubernetes_apps_namespace, secrets) do
+      {:ok, secrets} ->
+        {:ok, partial_env} = Apps.fetch_env(env_id)
+        env = partial_env |> Repo.preload(deployment: [:build]) |> Repo.preload([:application])
+        build_number = env.deployment.build.build_number
+
+        Lenra.OpenfaasServices.update_secrets(
+          env.application,
+          service_name,
+          build_number,
+          [secret_name]
+        )
+
+        {:ok, Enum.map(secrets, fn {key, _value} -> key end)}
+
+      {:error, :secret_exist} ->
+        {:error, :secret_exist}
+
+      _other ->
+        {:error, :unexpected_response}
+    end
+  end
+
+  def update_environment_secrets(service_name, env_id, secrets) do
+    secret_name = "#{service_name}-secret-#{env_id}"
+    kubernetes_apps_namespace = Application.fetch_env!(:lenra, :kubernetes_apps_namespace)
+
+    case get_k8s_secret(secret_name, kubernetes_apps_namespace) do
+      {:ok, current_secrets} ->
+        case update_k8s_secret(secret_name, kubernetes_apps_namespace, Map.merge(current_secrets, secrets)) do
+          {:ok} -> {:ok, Enum.map(secrets, fn {key, _value} -> key end)}
+          {:secret_not_found} -> {:error, :secret_not_found}
+          _other -> {:error, :unexpected_response}
+        end
+
+      error ->
+        error
+    end
+  end
+
+  def delete_environment_secrets(service_name, env_id, key) do
+    secret_name = "#{service_name}-secret-#{env_id}"
+    kubernetes_apps_namespace = Application.fetch_env!(:lenra, :kubernetes_apps_namespace)
+
+    case get_k8s_secret(secret_name, kubernetes_apps_namespace) do
+      {:ok, current_secrets} ->
+        case length(Map.keys(current_secrets)) do
+          len when len <= 1 ->
+            {:ok, partial_env} = Apps.fetch_env(env_id)
+
+            case partial_env
+                 |> Repo.preload(deployment: [:build])
+                 |> Repo.preload([:application]) do
+              %{application: app, deployment: %{build: build}} when not is_nil(build) ->
+                Lenra.OpenfaasServices.update_secrets(app, service_name, build.build_number, [])
+                # TODO: Return all other secrets
+                {:ok, []}
+
+              _other ->
+                {:error, :build_not_exist}
+            end
+
+            case delete_k8s_secret(secret_name, kubernetes_apps_namespace) do
+              {:ok, _secret} -> {:ok, []}
+              {:secret_not_found} -> {:error, :secret_not_found}
+              _other -> {:error, :unexpected_response}
+            end
+
+          _other ->
+            case update_k8s_secret(secret_name, kubernetes_apps_namespace, Map.drop(current_secrets, [key])) do
+              {:ok, secrets} -> {:ok, Enum.map(secrets, fn {key, _value} -> key end)}
+              {:secret_not_found} -> {:error, :secret_not_found}
+              _other -> {:error, :unexpected_response}
+            end
+        end
+
+      error ->
+        error
+    end
+  end
 end