def _init_namespace(instance_id, dry_run=False):
    """Prepare the per-instance namespace and its operator RBAC objects.

    Creates the Namespace named ``instance_id`` if it is missing, then a
    ServiceAccount, a Role and a RoleBinding that ties them together, all
    named after the instance.

    Args:
        instance_id: Instance identifier; used verbatim as the namespace name
            and as the suffix of every RBAC object created here.
        dry_run: When True the Namespace apply is passed ``dry_run=True`` and
            the RBAC objects are only logged, never created.
    """
    sa_name = f'ckan-{instance_id}-operator'
    role_name = f'ckan-{instance_id}-operator-role'
    binding_name = f'ckan-{instance_id}-operator-rolebinding'

    logs.debug('Initializing helm-based instance deployment namespace', namespace=instance_id)
    namespace_exists = kubectl.get('ns', instance_id, required=False)
    if namespace_exists:
        logs.info(f'instance namespace already exists ({instance_id})')
    else:
        logs.info(f'creating instance namespace ({instance_id})')
        namespace_resource = kubectl.get_resource('v1', 'Namespace', instance_id, {})
        kubectl.apply(namespace_resource, dry_run=dry_run)

    logs.debug('Creating service account', service_account_name=sa_name)
    if not dry_run:
        kubectl_rbac_driver.update_service_account(sa_name, {}, namespace=instance_id)

    logs.debug('Creating role and binding to the service account', role_name=role_name)
    if not dry_run:
        # NOTE(review): apiGroups ['*'] is wider than these resources need -- secrets,
        # pods and the pods/exec / pods/portforward subresources all live in the core
        # API group ('') -- and 'create' on pods/exec lets the holder run commands in
        # any pod of the namespace. Treat this as a privileged role; confirm the scope
        # is intended before reusing it elsewhere.
        operator_rules = [{
            "apiGroups": ["*"],
            "resources": ['secrets', 'pods', 'pods/exec', 'pods/portforward'],
            "verbs": ["list", "get", "create"],
        }]
        kubectl_rbac_driver.update_role(role_name, {}, operator_rules, namespace=instance_id)
        kubectl_rbac_driver.update_role_binding(
            name=binding_name,
            role_name=role_name,
            namespace=instance_id,
            service_account_name=sa_name,
            labels={},
        )
def _apply_rbac():
    """Create or update the RBAC objects the efs-provisioner runs under.

    Everything is bound to the ``efs-provisioner`` ServiceAccount in the
    ``default`` namespace: a ClusterRole (PersistentVolumes are cluster-scoped,
    so a namespaced Role cannot cover them) and a namespaced Role for the
    leader-locking Endpoints object.
    """
    labels = _get_resource_labels()
    namespace = 'default'
    sa_name = 'efs-provisioner'
    cluster_role_name = 'efs-provisioner-runner'
    leader_lock_name = 'leader-locking-efs-provisioner'

    rbac.update_service_account(sa_name, labels, namespace)

    # Cluster-wide grants. PV create/delete is the provisioner's job, hence the
    # broad scope; PVCs and StorageClasses are mostly read, Events are written.
    cluster_rules = [
        {'apiGroups': [''], 'resources': ['persistentvolumes'],
         'verbs': ['get', 'list', 'watch', 'create', 'delete']},
        {'apiGroups': [''], 'resources': ['persistentvolumeclaims'],
         'verbs': ['get', 'list', 'watch', 'update']},
        {'apiGroups': ['storage.k8s.io'], 'resources': ['storageclasses'],
         'verbs': ['get', 'list', 'watch']},
        {'apiGroups': [''], 'resources': ['events'],
         'verbs': ['create', 'update', 'patch']},
    ]
    rbac.update_cluster_role(cluster_role_name, cluster_rules, labels)
    subject = {'kind': 'ServiceAccount', 'name': sa_name, 'namespace': namespace}
    rbac.update_cluster_role_binding('run-efs-provisioner', subject, cluster_role_name, labels)

    # Namespaced grants -- presumably the leader-election lock is kept in an
    # Endpoints object (the name suggests so; verify against the provisioner).
    leader_rules = [{
        'apiGroups': [''],
        'resources': ['endpoints'],
        'verbs': ['get', 'list', 'watch', 'create', 'update', 'patch'],
    }]
    rbac.update_role(leader_lock_name, labels, leader_rules, namespace)
    rbac.update_role_binding(leader_lock_name, leader_lock_name, namespace, sa_name, labels)
def _init_namespace(instance_id):
    """Ensure the instance namespace exists and install its operator RBAC.

    Creates the Namespace named ``instance_id`` when absent, then a
    ServiceAccount, a Role and a RoleBinding joining them, all named after
    the instance.

    Args:
        instance_id: Instance identifier; used verbatim as the namespace name
            and as the suffix of every RBAC object created here.
    """
    sa_name = f'ckan-{instance_id}-operator'
    role_name = f'ckan-{instance_id}-operator-role'
    binding_name = f'ckan-{instance_id}-operator-rolebinding'

    if not kubectl.get('ns', instance_id, required=False):
        logs.info(f'creating instance namespace ({instance_id})')
        kubectl.apply(kubectl.get_resource('v1', 'Namespace', instance_id, {}))
    else:
        logs.info(f'instance namespace already exists ({instance_id})')

    kubectl_rbac_driver.update_service_account(sa_name, {}, namespace=instance_id)

    # NOTE(review): apiGroups ['*'] is wider than these resources need -- secrets,
    # pods and the pods/exec / pods/portforward subresources all live in the core
    # API group ('') -- and 'create' on pods/exec lets the holder run commands in
    # any pod of the namespace. Treat this as a privileged role; confirm the scope
    # is intended before reusing it elsewhere.
    operator_rules = [{
        "apiGroups": ["*"],
        "resources": ['secrets', 'pods', 'pods/exec', 'pods/portforward'],
        "verbs": ["list", "get", "create"],
    }]
    kubectl_rbac_driver.update_role(role_name, {}, operator_rules, namespace=instance_id)
    kubectl_rbac_driver.update_role_binding(
        name=binding_name,
        role_name=role_name,
        namespace=instance_id,
        service_account_name=sa_name,
        labels={},
    )
def _update_service_account(user):
    """Create or update the ServiceAccount that represents *user*.

    The account name and labels come from the user resource helpers so they
    stay consistent with the user's other resources.

    Args:
        user: The user record the helpers derive the name and labels from.
    """
    name = _get_user_resource_name(user)
    labels = _get_user_resource_labels(user)
    rbac.update_service_account(service_account_name=name, labels=labels)