-
Notifications
You must be signed in to change notification settings - Fork 0
/
app.rb
executable file
·210 lines (164 loc) · 5.39 KB
/
app.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
#!/usr/bin/env ruby
# PUT zones/:zone_identifier/dns_records/:identifier
require 'http'
require 'json'
def debug? = ENV['DEBUG_OUTPUT'] =~ /[Yy]/
def debug(msg)
if debug?
puts "[DEBUG]: #{msg}"
end
end
def info(msg)
puts "[INFO]: #{msg}"
end
def warning(msg)
puts "[WARNING]: #{msg}"
end
def error(msg)
puts "[ERROR]: #{msg}"
end
def get_nodes
# In k8s, the ca cert is mounted here:
# /run/secrets/kubernetes.io/serviceaccount/ca.crt
# In dev, ca cert verification can be disabled
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
#ctx.ca_file = '/run/secrets/kubernetes.io/serviceaccount/ca.crt'
resp = HTTP
.auth("Bearer #{k8s_token}")
.headers(accept: 'application/json')
.headers('content-type': 'application/json')
.get("https://kubernetes.default.svc/api/v1/nodes", ssl_context: ctx)
.body
# This object is very large, so comment out for now
# debug("Retrieved nodes: #{resp}")
JSON.parse(resp)
end
def get_node_ips
# Get list of all nodes from the k8s API, then filter out only the ones that are part of the main pool,
# and extract the ExternalIP of each node
get_nodes()['items']
.select { |item| item['metadata']['labels']['ameelio.org/pool'] == 'main' }
.map { |item|
item['status']['addresses']
.select { |a| a['type'] == 'ExternalIP' }
.map { |a| a['address'] }
}
.flatten
end
def get_a_records
resp = HTTP
.auth("Bearer #{cf_token}")
.headers(accept: 'application/json')
.headers('content-type': 'application/json')
.get("https://api.cloudflare.com/client/v4/zones/#{zone_id}/dns_records?name=#{full_hostname}&type=A")
.body
js = JSON.parse(resp)
if js["success"] == false
error("Cloudflare API call failed. Cloudflare returned:")
error(JSON.pretty_unparse(js))
if js["errors"][0]["code"] == 10000
error("Cloudflare Authentication failed. Double check the CF_TOKEN value")
exit 1
end
end
js
end
def relevant_a_records
get_a_records['result']
.select { |a_record| a_record['name'] =~ /^#{hostname}/i }
.map { |a_record| a_record['content'] }
end
def create_a_record(ip:)
# POST zones/:zone_identifier/dns_records
info "Creating A record for IP #{ip}"
result = HTTP
.auth("Bearer #{cf_token}")
.headers(accept: 'application/json')
.headers('content-type': 'application/json')
.post("https://api.cloudflare.com/client/v4/zones/#{zone_id}/dns_records", json: {
type: "A",
name: hostname,
content: ip,
ttl: 360,
proxied: false
})
.body
info("Creation result: #{result}")
result
end
def remove_a_record(ip:)
info "Removing A record for IP #{ip}"
debug "Retrieving ID for A record for IP #{ip}"
# First get the record's ID
# TODO: Limit search to cvh-staging.ameelio.org
resp = HTTP
.auth("Bearer #{cf_token}")
.headers(accept: 'application/json')
.headers('content-type': 'application/json')
.get("https://api.cloudflare.com/client/v4/zones/#{zone_id}/dns_records?type=A&match=all&content=#{ip}&name=#{full_hostname}")
.body
debug "Parsing ID for A record for IP #{ip}"
record = JSON.parse(resp)['result']
.select { |a_record| a_record['content'] == ip }
.first
id = record['id']
debug "Parsed ID for A record for IP #{ip}. ID is '#{id}'"
# DELETE zones/:zone_identifier/dns_records/:identifier
result = HTTP
.auth("Bearer #{cf_token}")
.headers(accept: 'application/json')
.headers('content-type': 'application/json')
.delete("https://api.cloudflare.com/client/v4/zones/#{zone_id}/dns_records/#{id}")
.body
info("Removal result: #{result}")
end
def read_k8s_token = File.read('/var/run/secrets/kubernetes.io/serviceaccount/token')
def k8s_token
$k8s_token ||= read_k8s_token
$k8s_token
end
def cf_token = ENV['CF_TOKEN']
def hostname = ENV['HOSTNAME']
def domain = ENV['DOMAIN']
def full_hostname = "#{hostname}.#{domain}"
def zone_id = ENV['ZONE_ID']
def cf_auth_email = ENV['CF_AUTH_EMAIL']
def cf_auth_key = ENV['CF_AUTH_KEY']
def main(args)
info("Starting Cloudflare updater cycle")
info("- Start time: #{`date`}")
info("- Hostname: #{hostname}")
info("- Domain: #{domain}")
info("- Full Hostname: #{full_hostname}")
info("- Zone ID: #{zone_id}")
# Get the IP addresses for all the nodes in our cluster
node_ips = get_node_ips
info("Successfully Retrieved node_ips: #{node_ips}")
# Get all A records from Cloudflare
cf_a_records = relevant_a_records
info("Successfully retrieved relevant A records from Cloudflare: #{cf_a_records}")
a_record_creation_errors = []
node_ips.each do |node_ip|
# If there's not an A record for this IP already, add it
unless cf_a_records.include?(node_ip)
res = create_a_record(ip: node_ip)
# Check that res hash contains "success":true
unless res["success"] == true
err_msg = "Failed to create A record for IP #{node_ip}. Cloudflare returned: #{res}"
error(err_msg)
a_record_creation_errors.push(err_msg)
end
end
end
if a_record_creation_errors.any?
error("Errors occurred during Cloudflare update cycle. Exiting with failure status.")
exit 1
end
cf_a_records.each do |a_record|
# If there's not a node corresponding to this IP, remove it
remove_a_record(ip: a_record) unless node_ips.include?(a_record)
end
info("Finished Cloudflare updater cycle")
end
main ARGV