cleanup: remove kubewatch.py and associated python deps

Kubewatch was a hold over from pre golang watt code. By
removing it we can remove quite a few python deps that
have caused noise for us in the past with cve scanners.

Signed-off-by: Lance Austin <[email protected]>

DEPENDENCIES.md

@@ -168,36 +168,25 @@ libraries:
     Werkzeug            3.0.1      3-clause BSD license
     blinker             1.7.0      MIT license
     build               1.0.3      MIT license
-    cachetools          5.3.2      MIT license
     certifi             2023.7.22  Mozilla Public License 2.0
     charset-normalizer  3.3.2      MIT license
     click               8.1.7      3-clause BSD license
     dpath               2.1.6      MIT license
     durationpy          0.5        MIT license
     expiringdict        1.2.2      Apache License 2.0
-    google-auth         2.23.4     Apache License 2.0
     gunicorn            21.2.0     MIT license
     idna                3.4        3-clause BSD license
     itsdangerous        2.1.2      3-clause BSD license
     jsonpatch           1.33       3-clause BSD license
     jsonpointer         2.4        3-clause BSD license
-    kubernetes          28.1.0     Apache License 2.0
-    oauthlib            3.2.2      3-clause BSD license
     orjson              3.9.10     Apache License 2.0, MIT license
     packaging           23.1       2-clause BSD license, Apache License 2.0
     pip-tools           7.3.0      3-clause BSD license
     prometheus-client   0.18.0     Apache License 2.0
-    pyasn1              0.5.0      2-clause BSD license
-    pyasn1-modules      0.3.0      2-clause BSD license
     pyparsing           3.0.9      MIT license
     pyproject_hooks     1.0.0      MIT license
-    python-dateutil     2.8.2      3-clause BSD license, Apache License 2.0
     python-json-logger  2.0.7      2-clause BSD license
     requests            2.31.0     Apache License 2.0
-    requests-oauthlib   1.3.1      ISC license
-    rsa                 4.9        Apache License 2.0
     semantic-version    2.10.0     2-clause BSD license
-    six                 1.16.0     MIT license
     typing_extensions   4.8.0      Python Software Foundation license
     urllib3             1.26.18    MIT license
-    websocket-client    1.6.4      Apache License 2.0

build-aux/Dockerfile

@@ -48,8 +48,7 @@ ENV KUBECONFIG=/buildroot/kubeconfig.yaml
 # XXX: this will go away
 RUN mkdir -p /ambassador/sidecars && \
     ln -s /buildroot/ambassador/python/post_update.py /ambassador/post_update.py && \
-    ln -s /buildroot/ambassador/python/watch_hook.py /ambassador/watch_hook.py && \
-    ln -s /buildroot/ambassador/python/kubewatch.py /ambassador/kubewatch.py
+    ln -s /buildroot/ambassador/python/watch_hook.py /ambassador/watch_hook.py
 
 RUN adduser dw --disabled-password
 # SUDO_USERS HOSTS=(AS_USER) TAGS COMMANDS
@@ -106,8 +105,7 @@ RUN bash post-compile.sh
 # XXX: this will go away
 RUN mkdir -p /ambassador/sidecars && \
     ln -s /buildroot/ambassador/python/post_update.py /ambassador/post_update.py && \
-    ln -s /buildroot/ambassador/python/watch_hook.py /ambassador/watch_hook.py && \
-    ln -s /buildroot/ambassador/python/kubewatch.py /ambassador/kubewatch.py
+    ln -s /buildroot/ambassador/python/watch_hook.py /ambassador/watch_hook.py
 
 # These will be extracted into the optimized image later
 ADD manifests/emissary/emissary-crds.yaml.in manifests/emissary/emissary-crds.yaml

charts/emissary-ingress/ci.in/tests/manifests/ci-default-values.yaml

@@ -1,6 +1,5 @@
 #env:
 #  AMBASSADOR_SINGLE_NAMESPACE: true
-#  AMBASSADOR_NO_KUBEWATCH: no_kubewatch
 
 deploymentStrategy:
   type: Recreate

pkg/environment/helper.go

@@ -3,10 +3,9 @@ package environment
 import (
 	"context"
 	"os"
-	"os/exec"
-	"strings"
 
 	"github.com/datawire/dlib/dlog"
+	"github.com/emissary-ingress/emissary/v3/cmd/entrypoint"
 )
 
 const (
@@ -17,36 +16,7 @@ const (
 
 // EnvironmentSetupEntrypoint replicates the entrypoint.sh environment bootstrapping if the docker entrypoint was changed
 func EnvironmentSetupEntrypoint(ctx context.Context) {
-	if os.Getenv(ambassadorClusterIdEnvVar) != "" {
-		return
-	}
-	ambassadorRoot := "/ambassador"
-	ambassadorConfigBaseDir := ambassadorRoot
-	if os.Getenv(ambassadorRootEnvVar) != "" {
-		ambassadorRoot = os.Getenv(ambassadorRootEnvVar)
-	}
-	if os.Getenv(ambassadorConfigBaseDirEnvVar) != "" {
-		ambassadorConfigBaseDir = os.Getenv(ambassadorConfigBaseDirEnvVar)
-	}
-
-	// build kubewatch.py command
-	cmd := exec.Command("python3", ambassadorRoot+"/kubewatch.py", "--debug")
-
-	// inherit all existing environment variables & inject python's own
-	cmd.Env = os.Environ()
-	if os.Getenv("PYTHON_EGG_CACHE") == "" {
-		cmd.Env = append(cmd.Env, "PYTHON_EGG_CACHE="+ambassadorConfigBaseDir+"/.cache")
-	}
-	cmd.Env = append(cmd.Env, "PYTHONUNBUFFERED=true")
-
-	// execute and read output
-	out, err := cmd.Output()
-	if err != nil {
-		dlog.Printf(ctx, "%s failed with %s\n%s\n", cmd.String(), err, string(out))
-		return
-	}
-
-	// set the AMBASSADOR_CLUSTER_ID
-	os.Setenv(ambassadorClusterIdEnvVar, strings.TrimSpace(string(out)))
+	clusterID := entrypoint.GetClusterID(ctx)
+	os.Setenv(ambassadorClusterIdEnvVar, clusterID)
 	dlog.Printf(ctx, "%s=%s", ambassadorClusterIdEnvVar, os.Getenv(ambassadorClusterIdEnvVar))
 }

python/README.md

@@ -14,20 +14,19 @@ Ambassador config => IR => Envoy config
 
 Ambassador comprises several different components:
 
-| Component                 | Type   | Function.                                                                                                 |
-| :------------------------ | :----  | :------------------------                                                                                 |
-| `diagd`                   | Python | Increasingly-misnamed core of the system; manages changing configurations and provides the diagnostics UI |
-| `entrypoint/ambex`        | Go     | Envoy `go-control-plane` implementation; supplies Envoy with current configuration                        |
-| `entrypoint/watcher`      | Go     | Service/secret discovery; interface to Kubernetes and Consul                                              |
-| `envoy`                   | C++    | The actual proxy process                                                                                  |
-| `kubewatch.py`            | Python | Used only to determine the cluster's installation ID; needs to be subsumed by `watt`                      |
+| Component            | Type   | Function.                                                                                                 |
+| :------------------- | :----- | :-------------------------------------------------------------------------------------------------------- |
+| `diagd`              | Python | Increasingly-misnamed core of the system; manages changing configurations and provides the diagnostics UI |
+| `entrypoint/ambex`   | Go     | Envoy `go-control-plane` implementation; supplies Envoy with current configuration                        |
+| `entrypoint/watcher` | Go     | Service/secret discovery; interface to Kubernetes and Consul                                              |
+| `envoy`              | C++    | The actual proxy process                                                                                  |
 
 `entrypoint`, `diagd`, and `envoy` are all long-running daemons.  If any of them exit, the pod as a whole will exit.
 
 Ambassador uses several TCP ports while running. All but one of them are in the range 8000-8499, and any future assignments for Ambassador ports should come from this range.
 
 | Port | Process                               | Function                                                                                                           |
-| :--- |:--------------------------------------|:-------------------------------------------------------------------------------------------------------------------|
+| :--- | :------------------------------------ | :----------------------------------------------------------------------------------------------------------------- |
 | 8001 | `envoy`                               | Internal stats, logging, etc.; not exposed outside pod                                                             |
 | 8002 | `entrypoint/watcher`                  | Internal `watt` snapshot access; not exposed outside pod                                                           |
 | 8003 | `entrypoint/ambex`                    | Internal `ambex` snapshot access; not exposed outside pod                                                          |

python/ambassador/fetch/fetcher.py

@@ -30,31 +30,6 @@
 
 AnyDict = Dict[str, Any]
 
-# XXX ALL OF THE BELOW COMMENT IS PROBABLY OUT OF DATE. (Flynn, 2019-10-29)
-#
-# Some thoughts:
-# - loading a bunch of Ambassador resources is different from loading a bunch of K8s
-#   services, because we should assume that if we're being a fed a bunch of Ambassador
-#   resources, we'll get a full set. The whole 'secret loader' thing needs to have the
-#   concept of a TLSSecret resource that can be force-fed to us, or that can be fetched
-#   through the loader if needed.
-# - If you're running a debug-loop Ambassador, you should just have a flat (or
-#   recursive, I don't care) directory full of Ambassador YAML, including TLSSecrets
-#   and Endpoints and whatnot, as needed. All of it will get read by
-#   load_from_filesystem and end up in the elements array.
-# - If you're running expecting to be fed by kubewatch, at present kubewatch will
-#   send over K8s Service records, and anything annotated in there will end up in
-#   elements. This may include TLSSecrets or Endpoints. Any TLSSecret mentioned that
-#   isn't already in elements will need to be fetched.
-# - Ambassador resources do not have namespaces. They have the ambassador_id. That's
-#   it. The ambassador_id is completely orthogonal to the namespace. No element with
-#   the wrong ambassador_id will end up in elements. It would be nice if they were
-#   never sent by kubewatch, but, well, y'know.
-# - TLSSecret resources are not TLSContexts. TLSSecrets only have a name, a private
-#   half, and a public half. They do _not_ have other TLSContext information.
-# - Endpoint resources probably have just a name, a service name, and an endpoint
-#   address.
-
 k8sLabelMatcher = re.compile(r"([\w\-_./]+)=\"(.+)\"")
 
 

python/ambassador/utils.py

@@ -1165,27 +1165,6 @@ def load_secret(
         return self.secret_info_from_k8s(resource, secret_name, namespace, source, serialization)
 
 
-class KubewatchSecretHandler(SecretHandler):
-    # XXX NO LONGER USED
-    def load_secret(
-        self, resource: "IRResource", secret_name: str, namespace: str
-    ) -> Optional[SecretInfo]:
-        self.logger.debug(
-            "FSSecretHandler (%s %s): load secret %s in namespace %s"
-            % (resource.kind, resource.name, secret_name, namespace)
-        )
-
-        source = "%s/secrets/%s/%s" % (self.source_root, namespace, secret_name)
-        serialization = load_url_contents(self.logger, source)
-
-        if not serialization:
-            self.logger.error(
-                "%s %s: SCC.url_reader could not load %s" % (resource.kind, resource.name, source)
-            )
-
-        return self.secret_info_from_k8s(resource, secret_name, namespace, source, serialization)
-
-
 # TODO(gsagula): This duplicates code from ircluster.py.
 class ParsedService:
     def __init__(