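def set_kubeconfig_certificate_authority_data(ca_data, cluster_name=None, _kc_model=None):
    """
    Sets the certificate authority data for one or more clusters in the kubeconfig.
    :param ca_data: The certificate authority data (PEM format), as text or bytes. The chain
        will be encoded into base64 before being set in the kubeconfig.
    :param cluster_name: The cluster name to affect. If not specified, the ca data will be set
        for the current context.
    :param _kc_model: Internally used to cache kubeconfig info.
    :return: n/a
    """
    kc = _get_kubeconfig_model(_kc_model=_kc_model)

    if not cluster_name:
        cluster_name = get_kubeconfig_current_cluster_name(_kc_model=kc)

    # Encode before touching the kubeconfig, so unusable input fails here and
    # not after the existing certificate authority settings have been cleared.
    # base64.b64encode() only accepts bytes-like input on Python 3, and PEM is
    # usually handed around as text, so text is converted first.
    if not isinstance(ca_data, (bytes, bytearray, memoryview)):
        ca_data = ca_data.encode('utf-8')
    # Decode to text so the value is the same kind of string as the other
    # command arguments.
    b64_data = base64.b64encode(ca_data).decode('ascii')

    # The kubeconfig cluster entry may have an existing certificate-authority file or have
    # insecure-skip-tls-verify set to true. Having ca-data set alongside either of these is
    # an invalid state for the kubeconfig, so the existing entries are cleared first
    # (per the original note, by toggling insecure-skip-tls-verify).
    # NOTE(review): the helper is not visible here - confirm it leaves
    # insecure-skip-tls-verify disabled, so that a failure of the set command below
    # cannot leave the cluster entry with TLS verification turned off.
    remove_kubeconfig_certifcate_authority(cluster_name=cluster_name, _kc_model=kc)

    # Now we can poke in the value that we need
    oc.invoke('config',
              # https://github.com/kubernetes/kubectl/issues/501#issuecomment-406890261
              cmd_args=['set',
                        'clusters.{}.certificate-authority-data'.format(cluster_name),
                        b64_data
                        ],
              no_namespace=True)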
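def main():
    """
    Mirror every image build found under the configured tag into quay.io.

    The destination organisation and the tag are read through env_set() from
    PIPELINE_MANIFEST_MIRROR_ORG and PIPELINE_MANIFEST_MIRROR_TAG. Each image is
    attempted up to max_retries times, sleeping 10 * attempt seconds between tries.
    :return: n/a
    """
    org = env_set('PIPELINE_MANIFEST_MIRROR_ORG', 'acm-d')
    mirror_tag = env_set('PIPELINE_MANIFEST_MIRROR_TAG', 'multicluster-engine-1.0-rhel-8-container-candidate')
    max_retries = 5
    error_prefix = "[Non-zero return code from invoke action]"

    # NOTE(review): presumably list_tags() returns bytes holding single-quoted,
    # JSON-like text - confirm. Swapping quote characters corrupts any value
    # that itself contains a quote.
    results = list_tags(mirror_tag)
    results = results.decode('utf8').replace("'", '"')
    images = json.loads(results)

    for index, image_data in enumerate(images):
        nvr = image_data['nvr']
        image_done = False
        retries = 0
        while not image_done:
            # Label used in the failure message. It starts as the nvr so that a
            # failure before the pull specs are known neither hits an unbound
            # name nor reports the previous image's spec.
            nicespec = nvr
            try:
                if retries == 0:
                    retry_phrase = ""
                else:
                    retry_phrase = "(retry {} of {})".format(retries, max_retries)
                results2 = brew_build_info(nvr).decode('utf8').replace("'", '"')
                build = json.loads(results2)
                pull_specs = build['extra']['image']['index']['pull']
                pullspec = pull_specs[0]
                # The destination repository name is taken from build metadata.
                nicespec = pull_specs[1].replace(
                    'registry-proxy.engineering.redhat.com/rh-osbs/multicluster-engine-', ''
                )
                print('Initiating mirror of {} to {}, image {} of {} {}'.format(pullspec, nicespec, index+1, len(images), retry_phrase))
                oc.invoke(
                    'image',
                    cmd_args=[
                        'mirror',
                        '--keep-manifest-list=true',
                        '--filter-by-os=.*',
                        '{0}'.format(pullspec),
                        'quay.io/{0}/{1}'.format(org, nicespec)
                    ]
                )
                image_done = True
            except oc.OpenShiftPythonException as error:
                print('Unable to mirror image {}'.format(nicespec))
                try:
                    # Try to pluck out just the exact thing that went wrong.
                    # str.strip() takes a set of characters, not a prefix, so
                    # the marker is removed explicitly.
                    error_text = str(error)
                    if error_text.startswith(error_prefix):
                        error_text = error_text[len(error_prefix):]
                    error_info = json.loads(error_text.strip())
                    print('{}'.format(error_info['actions'][0]['err']))
                except Exception:
                    # If things go really awry, just print out the whole thing
                    print('error: {}'.format(str(error)))
                retries += 1
                if retries < max_retries:
                    delay = 10 * retries
                    print("Sleeping for {} seconds before retrying...".format(delay))
                    time.sleep(delay)
                else:
                    # NOTE(review): an image that exhausts its retries is only
                    # reported on stdout and main() still finishes normally, so
                    # a caller cannot tell a partial mirror from a complete one.
                    print('Maximum retries reached for image; continuing')
                    image_done = True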
def set_kubeconfig_insecure_skip_tls_verify(active, cluster_name=None, _kc_model=None):
    """
    Turns insecure-skip-tls-verify on or off for one cluster entry in the kubeconfig.

    While the setting is on, the server's certificate is not checked for validity
    on connections to that cluster.
    :param active: If True, enable insecure-skip-tls-verify for the cluster
    :param cluster_name: The cluster name to modify. If not specified, the current
        context's cluster will be modified.
    :param _kc_model: Internally used to cache kubeconfig info.
    """
    target_cluster = cluster_name or get_kubeconfig_current_cluster_name(_kc_model=_kc_model)

    # The flag value is the lower-cased string form of `active`
    # (True -> "true", False -> "false").
    flag_value = str(active).lower()
    skip_verify_flag = '--insecure-skip-tls-verify={}'.format(flag_value)

    set_cluster_args = ['set-cluster', target_cluster, skip_verify_flag]
    oc.invoke('config', cmd_args=set_cluster_args, no_namespace=True)
def get_kubeconfig():
    """
    Reads the current kubeconfig through `config view` and parses the JSON output.

    The view is requested with --raw, which makes the command include raw byte data
    and sensitive data, so the returned dict should be handled as secret material
    and kept out of logs.
    :return: Returns the current kubeconfig as a python dict
    """
    view_args = ['view', '-o=json', '--raw']
    view_result = oc.invoke('config', cmd_args=view_args, no_namespace=True)
    kubeconfig_json = view_result.out().strip()
    return json.loads(kubeconfig_json)