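def _init_namespace(instance_id, dry_run=False):
    """Create the per-instance namespace and the operator RBAC inside it.

    Args:
        instance_id: Instance identifier. It is used verbatim as the
            namespace name and as the suffix of every RBAC object created
            here (service account, role, role binding).
        dry_run: When true the Namespace apply is forwarded as a dry run and
            no service account, role or role binding is created.

    If ``kubectl.get`` reports the namespace as already present, nothing
    else is created: the RBAC objects are only set up on first creation.
    """
    logs.debug('Initializing helm-based instance deployment namespace',
               namespace=instance_id)
    if kubectl.get('ns', instance_id, required=False):
        logs.info(f'instance namespace already exists ({instance_id})')
        return

    logs.info(f'creating instance namespace ({instance_id})')
    kubectl.apply(kubectl.get_resource('v1', 'Namespace', instance_id, {}),
                  dry_run=dry_run)

    # Derive every RBAC object name once so account, role and binding cannot
    # drift apart (previously the f-strings were rebuilt at each call site,
    # bypassing the locals that were computed for logging).
    service_account_name = f'ckan-{instance_id}-operator'
    role_name = f'ckan-{instance_id}-operator-role'
    role_binding_name = f'ckan-{instance_id}-operator-rolebinding'

    logs.debug('Creating service account',
               service_account_name=service_account_name)
    if not dry_run:
        kubectl_rbac_driver.update_service_account(
            service_account_name, {}, namespace=instance_id)

    logs.debug('Creating role and binding to the service account',
               role_name=role_name)
    if dry_run:
        return
    # NOTE(review): apiGroups "*" is wider than these resources need (all
    # listed ones live in the core group ""), and get/list on secrets lets
    # the operator account read every Secret in the namespace. Kept as-is
    # to preserve behaviour; narrow it if no caller depends on the wildcard.
    kubectl_rbac_driver.update_role(role_name, {}, [{
        "apiGroups": ["*"],
        "resources":
        ['secrets', 'pods', 'pods/exec', 'pods/portforward'],
        "verbs": ["list", "get", "create"]
    }], namespace=instance_id)
    kubectl_rbac_driver.update_role_binding(
        name=role_binding_name,
        role_name=role_name,
        namespace=instance_id,
        service_account_name=service_account_name,
        labels={})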
def _apply_rbac():
    """Install the RBAC objects the EFS provisioner runs under.

    In the ``default`` namespace this creates the ``efs-provisioner``
    service account, a cluster role plus cluster role binding covering
    persistent volumes, claims, storage classes and events, and a
    namespaced role plus role binding on endpoints (presumably the
    leader-election lock, judging by the name). Every object carries the
    labels returned by ``_get_resource_labels``.
    """
    labels = _get_resource_labels()
    namespace = 'default'
    account = 'efs-provisioner'
    cluster_role = 'efs-provisioner-runner'
    leader_role = 'leader-locking-efs-provisioner'

    rbac.update_service_account(account, labels, namespace)

    cluster_rules = [
        {'apiGroups': [''],
         'resources': ['persistentvolumes'],
         'verbs': ['get', 'list', 'watch', 'create', 'delete']},
        {'apiGroups': [''],
         'resources': ['persistentvolumeclaims'],
         'verbs': ['get', 'list', 'watch', 'update']},
        {'apiGroups': ['storage.k8s.io'],
         'resources': ['storageclasses'],
         'verbs': ['get', 'list', 'watch']},
        {'apiGroups': [''],
         'resources': ['events'],
         'verbs': ['create', 'update', 'patch']},
    ]
    rbac.update_cluster_role(cluster_role, cluster_rules, labels)
    rbac.update_cluster_role_binding(
        'run-efs-provisioner',
        {'kind': 'ServiceAccount', 'name': account, 'namespace': namespace},
        cluster_role, labels)

    # The role and its binding share one name.
    leader_rules = [{
        'apiGroups': [''],
        'resources': ['endpoints'],
        'verbs': ['get', 'list', 'watch', 'create', 'update', 'patch'],
    }]
    rbac.update_role(leader_role, labels, leader_rules, namespace)
    rbac.update_role_binding(leader_role, leader_role, namespace,
                             account, labels)
def _init_namespace(instance_id):
    """Ensure the instance namespace exists and carries the operator RBAC.

    ``instance_id`` is the namespace name; the service account, role and
    role binding are all named after it. When ``kubectl.get`` already finds
    the namespace nothing is created, so the RBAC objects are only applied
    together with a fresh namespace.
    """
    if kubectl.get('ns', instance_id, required=False):
        logs.info(f'instance namespace already exists ({instance_id})')
        return

    logs.info(f'creating instance namespace ({instance_id})')
    kubectl.apply(kubectl.get_resource('v1', 'Namespace', instance_id, {}))

    account = f'ckan-{instance_id}-operator'
    role = f'{account}-role'
    binding = f'{account}-rolebinding'
    # NOTE(review): apiGroups "*" covers more than the core-group resources
    # listed here, and get/list on secrets exposes every Secret in the
    # namespace to this account. Reproduced unchanged.
    rules = [{
        "apiGroups": ["*"],
        "resources": ['secrets', 'pods', 'pods/exec', 'pods/portforward'],
        "verbs": ["list", "get", "create"],
    }]

    kubectl_rbac_driver.update_service_account(
        account, {}, namespace=instance_id)
    kubectl_rbac_driver.update_role(role, {}, rules, namespace=instance_id)
    kubectl_rbac_driver.update_role_binding(
        name=binding,
        role_name=role,
        namespace=instance_id,
        service_account_name=account,
        labels={})
def _update_service_account(user):
    """Create or update the service account that represents ``user``.

    Both the account name and its labels are derived from ``user`` by the
    module's ``_get_user_resource_name`` / ``_get_user_resource_labels``
    helpers; no namespace is passed, so ``rbac.update_service_account``
    uses whatever it defaults to.
    """
    name = _get_user_resource_name(user)
    labels = _get_user_resource_labels(user)
    rbac.update_service_account(service_account_name=name, labels=labels)