def create_role(api: client.RbacAuthorizationV1Api, configmap: Resource,
                cro_spec: ResourceChunk, ns: str, name_suffix: str,
                psp: client.PolicyV1beta1PodSecurityPolicy = None):
    """
    Create the namespaced RBAC Role from the operator's ConfigMap template.

    The Role body is read from the `chaostoolkit-role.yaml` entry of
    `configmap`, renamed to `<template name>-<name_suffix>` and passed through
    `set_ns` with `ns`. When `psp` is given, one extra rule loaded from
    `chaostoolkit-role-psp-rule.yaml` is appended to the Role's rules.

    Returns the Role body (a dict) when the API call succeeds. Returns None
    when `cro_spec` already names a role (nothing is created) or when the API
    answers 409 because the Role exists.

    Raises kopf.PermanentError for any other ApiException.
    """
    logger = logging.getLogger('kopf.objects')

    role_name = cro_spec.get("role", {}).get("name")
    if role_name:
        # The spec names a role itself, so nothing is created here.
        # NOTE(review): presumably that role is expected to exist already and
        # its rules are not checked by this function; confirm with callers.
        return None

    # The granted permissions are whatever the ConfigMap entry contains: the
    # template is sent to the API with only name/namespace (and the optional
    # PSP rule) changed, so write access to that ConfigMap decides what this
    # Role may do.
    tpl = yaml.safe_load(configmap.data['chaostoolkit-role.yaml'])
    metadata = tpl["metadata"]
    role_name = metadata["name"]
    role_name = f"{role_name}-{name_suffix}"
    metadata["name"] = role_name
    set_ns(tpl, ns)

    # when a PSP is defined, we add a rule to use that PSP
    if psp:
        logger.info(
            f"Adding pod security policy {psp.metadata.name} use to role")
        psp_rule = yaml.safe_load(
            configmap.data['chaostoolkit-role-psp-rule.yaml'])
        # presumably binds the rule to this PSP by name; see set_rule_psp_name
        set_rule_psp_name(psp_rule, psp.metadata.name)
        tpl["rules"].append(psp_rule)

    # The full Role body, rules included, ends up in the debug log.
    logger.debug(f"Creating role with template:\n{tpl}")
    try:
        api.create_namespaced_role(body=tpl, namespace=ns)
    except ApiException as e:
        if e.status != 409:
            raise kopf.PermanentError(
                f"Failed to create role: {str(e)}")
        # 409 Conflict: a Role with this name is already present. It is left
        # untouched; its rules are not compared with, or updated from, the
        # template built above.
        logger.info(f"Role '{role_name}' already exists.")
        return None
    else:
        return tpl
def create_role(api: client.RbacAuthorizationV1Api, configmap: Resource,
                cro_spec: ResourceChunk, ns: str, name_suffix: str,
                logger: logging.Logger):
    """
    Create the namespaced RBAC Role from the operator's ConfigMap template.

    The Role body is read from the `chaostoolkit-role.yaml` entry of
    `configmap`, renamed to `<template name>-<name_suffix>` and passed through
    `set_ns` with `ns` before being submitted. Messages go to the `logger`
    supplied by the caller.

    Returns the Role body (a dict) when the API call succeeds. Returns None
    when `cro_spec` already names a role (nothing is created) or when the API
    answers 409 because the Role exists.

    Raises kopf.PermanentError for any other ApiException.
    """
    role_name = cro_spec.get("role", {}).get("name")
    if role_name:
        # The spec names a role itself, so nothing is created here.
        # NOTE(review): presumably that role is expected to exist already and
        # its rules are not checked by this function; confirm with callers.
        return None

    # The granted permissions are whatever the ConfigMap entry contains: the
    # template is sent to the API with only name/namespace changed, so write
    # access to that ConfigMap decides what this Role may do.
    tpl = yaml.safe_load(configmap.data['chaostoolkit-role.yaml'])
    metadata = tpl["metadata"]
    role_name = metadata["name"]
    role_name = f"{role_name}-{name_suffix}"
    metadata["name"] = role_name
    set_ns(tpl, ns)

    try:
        api.create_namespaced_role(body=tpl, namespace=ns)
    except ApiException as e:
        if e.status != 409:
            raise kopf.PermanentError(
                f"Failed to create role: {str(e)}")
        # 409 Conflict: a Role with this name is already present. It is left
        # untouched; its rules are not compared with, or updated from, the
        # template built above.
        logger.info(f"Role '{role_name}' already exists.")
        return None
    else:
        return tpl