Exemple #1
def startup(logger, settings: kopf.OperatorSettings, **kwargs):
    """Configure the operator at startup and seed the protected mapping if absent.

    The watch reconnect backoff is always set to one second. The rest runs
    only when the environment variable named by ``USE_PROTECTED_MAPPING``
    equals the string ``"true"``: the Kubernetes client is logged in, and if
    no protected mapping exists yet, the values of the current config map are
    written into one.

    Both the role mappings and the protected mapping are written to the
    operator log at info level, so anyone with access to those logs can read
    them.
    """
    # Reconnect to the API watch stream after 1s.
    settings.watching.reconnect_backoff = 1

    protection_enabled = os.getenv(USE_PROTECTED_MAPPING) == "true"
    if not protection_enabled:
        return

    kopf.login_via_client(logger=logger, **kwargs)
    pm = get_protected_mapping()
    if pm is None:
        # No protected copy yet: snapshot the current config map into it.
        current_config_map = get_config_map()
        mappings = AuthMappingList(data=current_config_map.data)
        logger.info(mappings)
        write_protected_mapping(logger, mappings.get_values())
    # pm is not re-read after the write above, so a first run logs "None".
    logger.info("Startup: {0}".format(pm))
Exemple #2
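def login_fn(**kwargs):
    """Return kopf connection info, routed via ``KUBE_PROXY`` when it is set.

    Without ``KUBE_PROXY`` the result of ``kopf.login_via_client`` is returned
    unchanged. With it, the in-cluster configuration is loaded, the
    ``authorization`` API key is split into scheme and token, and a
    ``kopf.ConnectionInfo`` is built whose ``server`` is the proxy address.

    The value of ``KUBE_PROXY`` therefore decides where the bearer token is
    sent. Treat that variable as trusted deployment configuration and use an
    ``https://`` address, otherwise the token crosses the network in clear
    text.

    :param kwargs: keyword arguments supplied by kopf, passed through to
        ``kopf.login_via_client``.
    :return: the connection info for kopf to use.
    """
    proxy = os.environ.get('KUBE_PROXY')
    # The stock login runs first in either case, exactly as before.
    connect_info = kopf.login_via_client(**kwargs)
    if not proxy:
        return connect_info

    print('config proxy')
    kubernetes.config.load_incluster_config()
    # NOTE(review): depending on the kubernetes client version, a fresh
    # Configuration() may not carry the values loaded just above. Confirm the
    # token below is not None, or requests go out unauthenticated.
    config = kubernetes.client.Configuration()
    config.proxy = proxy
    header: Optional[str] = config.get_api_key_with_prefix('authorization')
    parts: Sequence[str] = header.split(' ', 1) if header else []
    if not parts:
        scheme, token = None, None
    elif len(parts) == 1:
        scheme, token = None, parts[0]
    else:
        scheme, token = parts[0], parts[1]

    return kopf.ConnectionInfo(
        server=config.proxy,
        # TLS verification stays on. No ca_path, client certificate or basic
        # auth is passed, so the proxy certificate presumably has to chain to
        # a CA the runtime already trusts (confirm for your deployment).
        insecure=False,
        # Use the scheme parsed from the header. The previous hard-coded
        # 'Bear' is not a valid HTTP authentication scheme.
        scheme=scheme or 'Bearer',
        token=token,
        priority=PRIORITY_OF_CLIENT,
    )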
Exemple #3
def callback_login(**kwargs):
    """Prepare cluster state with in-cluster credentials, then log kopf in.

    Loads the in-cluster configuration, creates a ``CoreV1Api`` client, and
    passes it to ``register_admin_key`` and ``scan_cluster_namespaces`` in
    that order. Each step is followed by an info log line. The log messages
    are fixed strings, so no key or token material is written to the log
    here.

    :param kwargs: keyword arguments supplied by kopf; must contain ``logger``.
    :return: whatever ``kopf.login_via_client`` returns for these arguments.
    """
    config.load_incluster_config()
    core_api = client.CoreV1Api()

    register_admin_key(core_api)
    # Fetch the logger only now, so a missing 'logger' key still raises after
    # the admin key has been registered, as it did before.
    log = kwargs['logger']
    log.info('Registered admin token.')

    scan_cluster_namespaces(core_api)
    log.info('Registered active namespaces.')

    connection_info = kopf.login_via_client(**kwargs)
    return connection_info
Exemple #4
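def callback_login(**kwargs: Dict) -> kopf.ConnectionInfo:
    """
    Execute the login routine, authenticating the client if needed.

    When the ``AUTH`` environment flag is true, the connection info is built
    by hand from the pod's mounted service-account files: the API server
    address comes from ``KUBERNETES_PORT`` (``tcp`` replaced by ``https``),
    TLS is verified against the mounted cluster CA, and the service-account
    token is sent as a Bearer credential. Otherwise the login is delegated to
    ``kopf.login_via_client``.

    The token is read once per call. NOTE(review): if the mounted token is
    rotated, the value captured here goes stale until this handler runs
    again. Confirm that matches the cluster's token lifetime.

    :kwargs (Dict) A dictionary containing optional parameters (for compatibility).
    """
    if utils.envvar_bool('AUTH'):
        # Raises AttributeError if KUBERNETES_PORT is unset, as before.
        server = os.environ.get('KUBERNETES_PORT').replace('tcp', 'https')
        # Read the token in a context manager so the file handle is closed
        # right away instead of being left open until garbage collection.
        with open("/var/run/secrets/kubernetes.io/serviceaccount/token", "r") as token_file:
            token = token_file.read()
        return kopf.ConnectionInfo(
            server=server,
            ca_path='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt',
            scheme='Bearer',
            token=token
        )
    # Black magic here, don't ask why the second does not work
    # Or look it out yourself, but be aware that you might encounter elves and dragons along the way...
    return kopf.login_via_client(**kwargs)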
def login_fn(**kwargs):
    """Delegate operator login to kopf's kubernetes-client based handler.

    :param kwargs: keyword arguments supplied by kopf, forwarded unchanged.
    :return: whatever ``kopf.login_via_client`` returns for these arguments.
    """
    connection_info = kopf.login_via_client(**kwargs)
    return connection_info