github.xiaoq7.com/operator-framework/operator-sdk@v0.8.2/pkg/ansible/runner/runner.go (about)

     1  // Copyright 2018 The Operator-SDK Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package runner
    16  
    17  import (
    18  	"errors"
    19  	"fmt"
    20  	"io/ioutil"
    21  	"net/http"
    22  	"os"
    23  	"os/exec"
    24  	"path/filepath"
    25  	"strconv"
    26  	"strings"
    27  	"time"
    28  
    29  	"github.com/operator-framework/operator-sdk/pkg/ansible/metrics"
    30  	"github.com/operator-framework/operator-sdk/pkg/ansible/paramconv"
    31  	"github.com/operator-framework/operator-sdk/pkg/ansible/runner/eventapi"
    32  	"github.com/operator-framework/operator-sdk/pkg/ansible/runner/internal/inputdir"
    33  
    34  	yaml "gopkg.in/yaml.v2"
    35  	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
    36  	"k8s.io/apimachinery/pkg/runtime/schema"
    37  	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
    38  )
    39  
    40  var log = logf.Log.WithName("runner")
    41  
    42  const (
    43  	// MaxRunnerArtifactsAnnotation - annotation used by a user to specify the max artifacts to keep
    44  	// in the runner directory. This will override the value provided by the watches file for a
    45  	// particular CR. Setting this to zero will cause all artifact directories to be kept.
    46  	// Example usage "ansible.operator-sdk/max-runner-artifacts: 100"
    47  	MaxRunnerArtifactsAnnotation = "ansible.operator-sdk/max-runner-artifacts"
    48  )
    49  
    50  // Runner - a runnable that should take the parameters and name and namespace
    51  // and run the correct code.
    52  type Runner interface {
    53  	Run(string, *unstructured.Unstructured, string) (RunResult, error)
    54  	GetFinalizer() (string, bool)
    55  	GetReconcilePeriod() (time.Duration, bool)
    56  	GetManageStatus() bool
    57  	GetWatchDependentResources() bool
    58  	GetWatchClusterScopedResources() bool
    59  }
    60  
    61  // watch holds data used to create a mapping of GVK to ansible playbook or role.
    62  // The mapping is used to compose an ansible operator.
    63  type watch struct {
    64  	MaxRunnerArtifacts          int        `yaml:"maxRunnerArtifacts"`
    65  	Version                     string     `yaml:"version"`
    66  	Group                       string     `yaml:"group"`
    67  	Kind                        string     `yaml:"kind"`
    68  	Playbook                    string     `yaml:"playbook"`
    69  	Role                        string     `yaml:"role"`
    70  	ReconcilePeriod             string     `yaml:"reconcilePeriod"`
    71  	ManageStatus                bool       `yaml:"manageStatus"`
    72  	WatchDependentResources     bool       `yaml:"watchDependentResources"`
    73  	WatchClusterScopedResources bool       `yaml:"watchClusterScopedResources"`
    74  	Finalizer                   *Finalizer `yaml:"finalizer"`
    75  }
    76  
    77  // Finalizer - Expose finalizer to be used by a user.
    78  type Finalizer struct {
    79  	Name     string                 `yaml:"name"`
    80  	Playbook string                 `yaml:"playbook"`
    81  	Role     string                 `yaml:"role"`
    82  	Vars     map[string]interface{} `yaml:"vars"`
    83  }
    84  
    85  // UnmarshalYaml - implements the yaml.Unmarshaler interface
    86  func (w *watch) UnmarshalYAML(unmarshal func(interface{}) error) error {
    87  	// by default, the operator will manage status and watch dependent resources
    88  	// The operator will not manage cluster scoped resources by default.
    89  	w.ManageStatus = true
    90  	w.WatchDependentResources = true
    91  	w.MaxRunnerArtifacts = 20
    92  	w.WatchClusterScopedResources = false
    93  
    94  	// hide watch data in plain struct to prevent unmarshal from calling
    95  	// UnmarshalYAML again
    96  	type plain watch
    97  
    98  	return unmarshal((*plain)(w))
    99  }
   100  
   101  // NewFromWatches reads the operator's config file at the provided path.
   102  func NewFromWatches(path string) (map[schema.GroupVersionKind]Runner, error) {
   103  	b, err := ioutil.ReadFile(path)
   104  	if err != nil {
   105  		log.Error(err, "Failed to get config file")
   106  		return nil, err
   107  	}
   108  	watches := []watch{}
   109  	err = yaml.Unmarshal(b, &watches)
   110  	if err != nil {
   111  		log.Error(err, "Failed to unmarshal config")
   112  		return nil, err
   113  	}
   114  
   115  	m := map[schema.GroupVersionKind]Runner{}
   116  	for _, w := range watches {
   117  		s := schema.GroupVersionKind{
   118  			Group:   w.Group,
   119  			Version: w.Version,
   120  			Kind:    w.Kind,
   121  		}
   122  		var reconcilePeriod *time.Duration
   123  		if w.ReconcilePeriod != "" {
   124  			d, err := time.ParseDuration(w.ReconcilePeriod)
   125  			if err != nil {
   126  				return nil, fmt.Errorf("unable to parse duration: %v - %v, setting to default", w.ReconcilePeriod, err)
   127  			}
   128  			reconcilePeriod = &d
   129  		}
   130  
   131  		// Check if schema is a duplicate
   132  		if _, ok := m[s]; ok {
   133  			return nil, fmt.Errorf("duplicate GVK: %v", s.String())
   134  		}
   135  		switch {
   136  		case w.Playbook != "":
   137  			r, err := NewForPlaybook(w.Playbook, s, w.Finalizer, reconcilePeriod, w.ManageStatus, w.WatchDependentResources, w.WatchClusterScopedResources, w.MaxRunnerArtifacts)
   138  			if err != nil {
   139  				return nil, err
   140  			}
   141  			m[s] = r
   142  		case w.Role != "":
   143  			r, err := NewForRole(w.Role, s, w.Finalizer, reconcilePeriod, w.ManageStatus, w.WatchDependentResources, w.WatchClusterScopedResources, w.MaxRunnerArtifacts)
   144  			if err != nil {
   145  				return nil, err
   146  			}
   147  			m[s] = r
   148  		default:
   149  			return nil, fmt.Errorf("either playbook or role must be defined for %v", s)
   150  		}
   151  	}
   152  	return m, nil
   153  }
   154  
   155  // NewForPlaybook returns a new Runner based on the path to an ansible playbook.
   156  func NewForPlaybook(path string, gvk schema.GroupVersionKind, finalizer *Finalizer, reconcilePeriod *time.Duration, manageStatus, dependentResources, clusterScopedResources bool, maxArtifacts int) (Runner, error) {
   157  	if !filepath.IsAbs(path) {
   158  		return nil, fmt.Errorf("playbook path must be absolute for %v", gvk)
   159  	}
   160  	if _, err := os.Stat(path); err != nil {
   161  		return nil, fmt.Errorf("playbook: %v was not found for %v", path, gvk)
   162  	}
   163  	r := &runner{
   164  		Path: path,
   165  		GVK:  gvk,
   166  		cmdFunc: func(ident, inputDirPath string, maxArtifacts int) *exec.Cmd {
   167  			return exec.Command("ansible-runner", "-vv", "--rotate-artifacts", fmt.Sprintf("%v", maxArtifacts), "-p", path, "-i", ident, "run", inputDirPath)
   168  		},
   169  		maxRunnerArtifacts:          maxArtifacts,
   170  		reconcilePeriod:             reconcilePeriod,
   171  		manageStatus:                manageStatus,
   172  		watchDependentResources:     dependentResources,
   173  		watchClusterScopedResources: clusterScopedResources,
   174  	}
   175  	err := r.addFinalizer(finalizer)
   176  	if err != nil {
   177  		return nil, err
   178  	}
   179  	return r, nil
   180  }
   181  
   182  // NewForRole returns a new Runner based on the path to an ansible role.
   183  func NewForRole(path string, gvk schema.GroupVersionKind, finalizer *Finalizer, reconcilePeriod *time.Duration, manageStatus, dependentResources, clusterScopedResources bool, maxArtifacts int) (Runner, error) {
   184  	if !filepath.IsAbs(path) {
   185  		return nil, fmt.Errorf("role path must be absolute for %v", gvk)
   186  	}
   187  	if _, err := os.Stat(path); err != nil {
   188  		return nil, fmt.Errorf("role path: %v was not found for %v", path, gvk)
   189  	}
   190  	path = strings.TrimRight(path, "/")
   191  	r := &runner{
   192  		Path: path,
   193  		GVK:  gvk,
   194  		cmdFunc: func(ident, inputDirPath string, maxArtifacts int) *exec.Cmd {
   195  			rolePath, roleName := filepath.Split(path)
   196  			return exec.Command("ansible-runner", "-vv", "--rotate-artifacts", fmt.Sprintf("%v", maxArtifacts), "--role", roleName, "--roles-path", rolePath, "--hosts", "localhost", "-i", ident, "run", inputDirPath)
   197  		},
   198  		maxRunnerArtifacts:          maxArtifacts,
   199  		reconcilePeriod:             reconcilePeriod,
   200  		manageStatus:                manageStatus,
   201  		watchDependentResources:     dependentResources,
   202  		watchClusterScopedResources: clusterScopedResources,
   203  	}
   204  	err := r.addFinalizer(finalizer)
   205  	if err != nil {
   206  		return nil, err
   207  	}
   208  	return r, nil
   209  }
   210  
   211  // runner - implements the Runner interface for a GVK that's being watched.
   212  type runner struct {
   213  	maxRunnerArtifacts          int
   214  	Path                        string                  // path on disk to a playbook or role depending on what cmdFunc expects
   215  	GVK                         schema.GroupVersionKind // GVK being watched that corresponds to the Path
   216  	Finalizer                   *Finalizer
   217  	cmdFunc                     func(ident, inputDirPath string, maxArtifacts int) *exec.Cmd // returns a Cmd that runs ansible-runner
   218  	finalizerCmdFunc            func(ident, inputDirPath string, maxArtifacts int) *exec.Cmd
   219  	reconcilePeriod             *time.Duration
   220  	manageStatus                bool
   221  	watchDependentResources     bool
   222  	watchClusterScopedResources bool
   223  }
   224  
   225  func (r *runner) Run(ident string, u *unstructured.Unstructured, kubeconfig string) (RunResult, error) {
   226  
   227  	timer := metrics.ReconcileTimer(r.GVK.String())
   228  	defer timer.ObserveDuration()
   229  
   230  	if u.GetDeletionTimestamp() != nil && !r.isFinalizerRun(u) {
   231  		return nil, errors.New("resource has been deleted, but no finalizer was matched, skipping reconciliation")
   232  	}
   233  	logger := log.WithValues(
   234  		"job", ident,
   235  		"name", u.GetName(),
   236  		"namespace", u.GetNamespace(),
   237  	)
   238  
   239  	// start the event receiver. We'll check errChan for an error after
   240  	// ansible-runner exits.
   241  	errChan := make(chan error, 1)
   242  	receiver, err := eventapi.New(ident, errChan)
   243  	if err != nil {
   244  		return nil, err
   245  	}
   246  	inputDir := inputdir.InputDir{
   247  		Path:       filepath.Join("/tmp/ansible-operator/runner/", r.GVK.Group, r.GVK.Version, r.GVK.Kind, u.GetNamespace(), u.GetName()),
   248  		Parameters: r.makeParameters(u),
   249  		EnvVars: map[string]string{
   250  			"K8S_AUTH_KUBECONFIG": kubeconfig,
   251  			"KUBECONFIG":          kubeconfig,
   252  		},
   253  		Settings: map[string]string{
   254  			"runner_http_url":  receiver.SocketPath,
   255  			"runner_http_path": receiver.URLPath,
   256  		},
   257  	}
   258  	// If Path is a dir, assume it is a role path. Otherwise assume it's a
   259  	// playbook path
   260  	fi, err := os.Lstat(r.Path)
   261  	if err != nil {
   262  		return nil, err
   263  	}
   264  	if !fi.IsDir() {
   265  		inputDir.PlaybookPath = r.Path
   266  	}
   267  	err = inputDir.Write()
   268  	if err != nil {
   269  		return nil, err
   270  	}
   271  	maxArtifacts := r.maxRunnerArtifacts
   272  	if ma, ok := u.GetAnnotations()[MaxRunnerArtifactsAnnotation]; ok {
   273  		i, err := strconv.Atoi(ma)
   274  		if err != nil {
   275  			log.Info("Invalid max runner artifact annotation", "err", err, "value", ma)
   276  		}
   277  		maxArtifacts = i
   278  	}
   279  
   280  	go func() {
   281  		var dc *exec.Cmd
   282  		if r.isFinalizerRun(u) {
   283  			logger.V(1).Info("Resource is marked for deletion, running finalizer", "Finalizer", r.Finalizer.Name)
   284  			dc = r.finalizerCmdFunc(ident, inputDir.Path, maxArtifacts)
   285  		} else {
   286  			dc = r.cmdFunc(ident, inputDir.Path, maxArtifacts)
   287  		}
   288  		// Append current environment since setting dc.Env to anything other than nil overwrites current env
   289  		dc.Env = append(dc.Env, os.Environ()...)
   290  		dc.Env = append(dc.Env, fmt.Sprintf("K8S_AUTH_KUBECONFIG=%s", kubeconfig), fmt.Sprintf("KUBECONFIG=%s", kubeconfig))
   291  
   292  		output, err := dc.CombinedOutput()
   293  		if err != nil {
   294  			logger.Error(err, string(output))
   295  		} else {
   296  			logger.Info("Ansible-runner exited successfully")
   297  		}
   298  
   299  		receiver.Close()
   300  		err = <-errChan
   301  		// http.Server returns this in the case of being closed cleanly
   302  		if err != nil && err != http.ErrServerClosed {
   303  			logger.Error(err, "Error from event API")
   304  		}
   305  
   306  		// link the current run to the `latest` directory under artifacts
   307  		currentRun := filepath.Join(inputDir.Path, "artifacts", ident)
   308  		latestArtifacts := filepath.Join(inputDir.Path, "artifacts", "latest")
   309  		if _, err = os.Lstat(latestArtifacts); err == nil {
   310  			if err = os.Remove(latestArtifacts); err != nil {
   311  				logger.Error(err, "Error removing the latest artifacts symlink")
   312  			}
   313  		}
   314  		if err = os.Symlink(currentRun, latestArtifacts); err != nil {
   315  			logger.Error(err, "Error symlinking latest artifacts")
   316  		}
   317  
   318  	}()
   319  
   320  	return &runResult{
   321  		events:   receiver.Events,
   322  		inputDir: &inputDir,
   323  		ident:    ident,
   324  	}, nil
   325  }
   326  
   327  // GetReconcilePeriod - new reconcile period.
   328  func (r *runner) GetReconcilePeriod() (time.Duration, bool) {
   329  	if r.reconcilePeriod == nil {
   330  		return time.Duration(0), false
   331  	}
   332  	return *r.reconcilePeriod, true
   333  }
   334  
   335  // GetManageStatus - get the manage status
   336  func (r *runner) GetManageStatus() bool {
   337  	return r.manageStatus
   338  }
   339  
   340  // GetWatchDependentResources - get the watch dependent resources value
   341  func (r *runner) GetWatchDependentResources() bool {
   342  	return r.watchDependentResources
   343  }
   344  
   345  // GetWatchClusterScopedResources - get the watch cluster scoped resources value
   346  func (r *runner) GetWatchClusterScopedResources() bool {
   347  	return r.watchClusterScopedResources
   348  }
   349  
   350  func (r *runner) GetFinalizer() (string, bool) {
   351  	if r.Finalizer != nil {
   352  		return r.Finalizer.Name, true
   353  	}
   354  	return "", false
   355  }
   356  
   357  func (r *runner) isFinalizerRun(u *unstructured.Unstructured) bool {
   358  	finalizersSet := r.Finalizer != nil && u.GetFinalizers() != nil
   359  	// The resource is deleted and our finalizer is present, we need to run the finalizer
   360  	if finalizersSet && u.GetDeletionTimestamp() != nil {
   361  		for _, f := range u.GetFinalizers() {
   362  			if f == r.Finalizer.Name {
   363  				return true
   364  			}
   365  		}
   366  	}
   367  	return false
   368  }
   369  
   370  func (r *runner) addFinalizer(finalizer *Finalizer) error {
   371  	r.Finalizer = finalizer
   372  	switch {
   373  	case finalizer == nil:
   374  		return nil
   375  	case finalizer.Playbook != "":
   376  		if !filepath.IsAbs(finalizer.Playbook) {
   377  			return fmt.Errorf("finalizer playbook path must be absolute for %v", r.GVK)
   378  		}
   379  		r.finalizerCmdFunc = func(ident, inputDirPath string, maxArtifacts int) *exec.Cmd {
   380  			return exec.Command("ansible-runner", "-vv", "--rotate-artifacts", fmt.Sprintf("%v", maxArtifacts), "-p", finalizer.Playbook, "-i", ident, "run", inputDirPath)
   381  		}
   382  	case finalizer.Role != "":
   383  		if !filepath.IsAbs(finalizer.Role) {
   384  			return fmt.Errorf("finalizer role path must be absolute for %v", r.GVK)
   385  		}
   386  		r.finalizerCmdFunc = func(ident, inputDirPath string, maxArtifacts int) *exec.Cmd {
   387  			path := strings.TrimRight(finalizer.Role, "/")
   388  			rolePath, roleName := filepath.Split(path)
   389  			return exec.Command("ansible-runner", "-vv", "--rotate-artifacts", fmt.Sprintf("%v", maxArtifacts), "--role", roleName, "--roles-path", rolePath, "--hosts", "localhost", "-i", ident, "run", inputDirPath)
   390  		}
   391  	case len(finalizer.Vars) != 0:
   392  		r.finalizerCmdFunc = r.cmdFunc
   393  	}
   394  	return nil
   395  }
   396  
   397  // makeParameters - creates the extravars parameters for ansible
   398  // The resulting structure in json is:
   399  // { "meta": {
   400  //      "name": <object_name>,
   401  //      "namespace": <object_namespace>,
   402  //   },
   403  //   <cr_spec_fields_as_snake_case>,
   404  //   ...
   405  //   _<group_as_snake>_<kind>: {
   406  //       <cr_object as is
   407  //   }
   408  // }
   409  func (r *runner) makeParameters(u *unstructured.Unstructured) map[string]interface{} {
   410  	s := u.Object["spec"]
   411  	spec, ok := s.(map[string]interface{})
   412  	if !ok {
   413  		log.Info("Spec was not found for CR", "GroupVersionKind", u.GroupVersionKind(), "Namespace", u.GetNamespace(), "Name", u.GetName())
   414  		spec = map[string]interface{}{}
   415  	}
   416  	parameters := paramconv.MapToSnake(spec)
   417  	parameters["meta"] = map[string]string{"namespace": u.GetNamespace(), "name": u.GetName()}
   418  	objectKey := fmt.Sprintf("_%v_%v", strings.Replace(r.GVK.Group, ".", "_", -1), strings.ToLower(r.GVK.Kind))
   419  	parameters[objectKey] = u.Object
   420  	if r.isFinalizerRun(u) {
   421  		for k, v := range r.Finalizer.Vars {
   422  			parameters[k] = v
   423  		}
   424  	}
   425  	return parameters
   426  }
   427  
   428  // RunResult - result of a ansible run
   429  type RunResult interface {
   430  	// Stdout returns the stdout from ansible-runner if it is available, else an error.
   431  	Stdout() (string, error)
   432  	// Events returns the events from ansible-runner if it is available, else an error.
   433  	Events() <-chan eventapi.JobEvent
   434  }
   435  
   436  // RunResult facilitates access to information about a run of ansible.
   437  type runResult struct {
   438  	// Events is a channel of events from ansible that contain state related
   439  	// to a run of ansible.
   440  	events <-chan eventapi.JobEvent
   441  
   442  	ident    string
   443  	inputDir *inputdir.InputDir
   444  }
   445  
   446  // Stdout returns the stdout from ansible-runner if it is available, else an error.
   447  func (r *runResult) Stdout() (string, error) {
   448  	return r.inputDir.Stdout(r.ident)
   449  }
   450  
   451  // Events returns the events from ansible-runner if it is available, else an error.
   452  func (r *runResult) Events() <-chan eventapi.JobEvent {
   453  	return r.events
   454  }