def run(dry_run): quay_api_store = get_quay_api_store() current_state = fetch_current_state(quay_api_store) desired_state = fetch_desired_state() # calculate diff diff = current_state.diff(desired_state) # Ensure all quay org/teams are declared as dependencies: # any item that appears in `diff['insert']` means that it's not listed # in a `/dependencies/quay-org-1.yml` datafile. if len(diff['insert']) > 0: unknown_teams = [ "- {}/{}".format( item["params"]["org"], item["params"]["team"], ) for item in diff['insert'] ] raise RunnerException(("Unknown quay/org/team found:\n" "{}").format("\n".join(unknown_teams))) # Run actions runner_action = RunnerAction(dry_run, quay_api_store) runner = AggregatedDiffRunner(diff) runner.register("update-insert", runner_action.add_to_team()) runner.register("update-delete", runner_action.del_from_team()) runner.register("delete", runner_action.del_from_team()) runner.run()
def run(dry_run): gqlapi = gql.get_api() apps = gqlapi.query(QUAY_REPOS_QUERY)['apps'] quay_api_store = get_quay_api_store() error = False for app in apps: quay_repo_configs = app.get('quayRepos') if not quay_repo_configs: continue for quay_repo_config in quay_repo_configs: org_name = quay_repo_config['org']['name'] quay_api = quay_api_store[org_name]['api'] teams = quay_repo_config.get('teams') if not teams: continue repos = quay_repo_config['items'] for repo in repos: repo_name = repo['name'] for team in teams: permissions = team['permissions'] role = team['role'] for permission in permissions: if permission['service'] != 'quay-membership': logging.warning('wrong service kind, ' + 'should be quay-membership') continue if permission['org'] != org_name: logging.warning('wrong org, ' + f'should be {org_name}') continue team_name = permission['team'] current_role = \ quay_api.get_repo_team_permissions( repo_name, team_name) if current_role != role: logging.info([ 'update_role', org_name, repo_name, team_name, role ]) if not dry_run: try: quay_api.set_repo_team_permissions( repo_name, team_name, role) except Exception as e: error = True logging.error( 'could not set repo permissions: ' + f'repo name: {repo_name}, ' + f'team name: {team_name}. ' + f'details: {str(e)}') if error: sys.exit(ExitCodes.ERROR)
def run(dry_run): quay_api_store = get_quay_api_store() current_state = fetch_current_state(quay_api_store) desired_state = fetch_desired_state() # calculate diff diff = current_state.diff(desired_state) logging.debug("State diff: %s", diff) # Run actions runner_action = RunnerAction(dry_run, quay_api_store) runner = AggregatedDiffRunner(diff) runner.register("insert", runner_action.create_team()) runner.register("update-insert", runner_action.add_to_team()) runner.register("update-delete", runner_action.del_from_team()) runner.register("delete", runner_action.del_from_team()) status = runner.run() if not status: sys.exit(ExitCodes.ERROR)
def run(dry_run): quay_api_store = get_quay_api_store(managed_repos=True) current_state = fetch_current_state(quay_api_store) desired_state = fetch_desired_state() # calculate diff diff = current_state.diff(desired_state) # Verify that there are no repeated repo declarations for items in diff.values(): for repo in items: assert len(repo['items']) == 1 # Run actions runner_action = RunnerAction(dry_run, quay_api_store) runner = AggregatedDiffRunner(diff) runner.register("update-insert", runner_action.update_fields(current_state)) runner.register("insert", runner_action.create_repo()) runner.register("delete", runner_action.delete_repo()) runner.run()
def run(dry_run): quay_api_store = get_quay_api_store() # consistency checks for org_key, org_info in quay_api_store.items(): if org_info.get('mirror'): # ensure there are no circular mirror dependencies mirror_org_key = org_info['mirror'] mirror_org = quay_api_store[mirror_org_key] if mirror_org.get('mirror'): logging.error('%s can\'t have mirrors and be a mirror', mirror_org_key) sys.exit(ExitCodes.ERROR) # ensure no org defines `managedRepos` and `mirror` at the same if org_info.get('managedRepos'): logging.error('%s has defined mirror and managedRepos', org_key) sys.exit(ExitCodes.ERROR) # run integration current_state = fetch_current_state(quay_api_store) desired_state = fetch_desired_state(quay_api_store) act(dry_run, quay_api_store, current_state, desired_state)
def __init__(self, dry_run=False): self.dry_run = dry_run self.skopeo_cli = Skopeo(dry_run) self.quay_api_store = get_quay_api_store()
def __init__(self, dry_run, instance): self.dry_run = dry_run self.settings = queries.get_app_interface_settings() cluster_info = instance['hiveCluster'] hive_cluster = instance['hiveCluster']['name'] # Getting the OCM Client for the hive cluster ocm_map = OCMMap(clusters=[cluster_info], integration=QONTRACT_INTEGRATION, settings=self.settings) self.ocm_cli = ocm_map.get(hive_cluster) if not self.ocm_cli: raise OcpReleaseMirrorError(f"Can't create ocm client for " f"cluster {hive_cluster}") # Getting the OC Client for the hive cluster oc_map = OC_Map(clusters=[cluster_info], integration=QONTRACT_INTEGRATION, settings=self.settings) self.oc_cli = oc_map.get(hive_cluster) if not self.oc_cli: raise OcpReleaseMirrorError(f"Can't create oc client for " f"cluster {hive_cluster}") namespace = instance['ecrResourcesNamespace'] ocp_release_identifier = instance['ocpReleaseEcrIdentifier'] ocp_art_dev_identifier = instance['ocpArtDevEcrIdentifier'] ocp_release_info = self._get_tf_resource_info(namespace, ocp_release_identifier) if ocp_release_info is None: raise OcpReleaseMirrorError(f"Could not find rds " f"identifier " f"{ocp_release_identifier} in " f"namespace {namespace['name']}") ocp_art_dev_info = self._get_tf_resource_info(namespace, ocp_art_dev_identifier) if ocp_art_dev_info is None: raise OcpReleaseMirrorError(f"Could not find rds identifier" f" {ocp_art_dev_identifier} in" f"namespace {namespace['name']}") # Getting the AWS Client for the accounts aws_accounts = [ self._get_aws_account_info(account=ocp_release_info['account']), self._get_aws_account_info(account=ocp_art_dev_info['account']) ] self.aws_cli = AWSApi(thread_pool_size=1, accounts=aws_accounts, settings=self.settings, init_ecr_auth_tokens=True) self.aws_cli.map_ecr_resources() self.ocp_release_ecr_uri = self._get_image_uri( account=ocp_release_info['account'], repository=ocp_release_identifier) if self.ocp_release_ecr_uri is None: raise OcpReleaseMirrorError(f"Could not find the " f"ECR repository " f"{ocp_release_identifier}") self.ocp_art_dev_ecr_uri = self._get_image_uri( account=ocp_art_dev_info['account'], repository=ocp_art_dev_identifier) if self.ocp_art_dev_ecr_uri is None: raise OcpReleaseMirrorError(f"Could not find the " f"ECR repository " f"{ocp_art_dev_identifier}") # Process all the quayOrgTargets quay_api_store = get_quay_api_store() self.quay_target_orgs = [] for quayTargetOrg in instance['quayTargetOrgs']: org_name = quayTargetOrg['name'] instance_name = quayTargetOrg['instance']['name'] org_key = OrgKey(instance_name, org_name) org_info = quay_api_store[org_key] if not org_info['push_token']: raise OcpReleaseMirrorError( f'{org_key} has no push_token defined.') url = org_info['url'] user = org_info['push_token']['user'] token = org_info['push_token']['token'] self.quay_target_orgs.append({ 'url': url, 'dest_ocp_release': f"{url}/{org_name}/ocp-release", 'dest_ocp_art_dev': f"{url}/{org_name}/ocp-v4.0-art-dev", 'auths': self._build_quay_auths(url, user, token) }) # Getting all the credentials quay_creds = self._get_quay_creds() ocp_release_creds = self._get_ecr_creds( account=ocp_release_info['account'], region=ocp_release_info['region']) ocp_art_dev_creds = self._get_ecr_creds( account=ocp_art_dev_info['account'], region=ocp_art_dev_info['region']) # Creating a single dictionary with all credentials to be used by the # "oc adm release mirror" command self.registry_creds = { 'auths': { **quay_creds['auths'], **ocp_release_creds['auths'], **ocp_art_dev_creds['auths'], } } # Append quay_target_orgs auths to registry_creds for quay_target_org in self.quay_target_orgs: url = quay_target_org['url'] if url in self.registry_creds['auths'].keys(): OcpReleaseMirrorError('Cannot mirror to the same Quay ' f'instance multiple times: {url}') self.registry_creds['auths'].update(quay_target_org['auths']) # Initiate channel groups self.channel_groups = instance['mirrorChannels']
def run(dry_run): gqlapi = gql.get_api() apps = gqlapi.query(QUAY_REPOS_QUERY)["apps"] quay_api_store = get_quay_api_store() error = False for app in apps: quay_repo_configs = app.get("quayRepos") if not quay_repo_configs: continue for quay_repo_config in quay_repo_configs: instance_name = quay_repo_config["org"]["instance"]["name"] org_name = quay_repo_config["org"]["name"] org_key = (instance_name, org_name) # processing quayRepos section logging.debug(["app", app["name"], instance_name, org_name]) quay_api = quay_api_store[org_key]["api"] teams = quay_repo_config.get("teams") if not teams: continue repos = quay_repo_config["items"] for repo in repos: repo_name = repo["name"] # processing repo section logging.debug(["repo", repo_name]) for team in teams: permissions = team["permissions"] role = team["role"] for permission in permissions: if permission["service"] != "quay-membership": logging.warning("wrong service kind, " "should be quay-membership") continue perm_org_key = ( permission["quayOrg"]["instance"]["name"], permission["quayOrg"]["name"], ) if perm_org_key != org_key: logging.warning(f"wrong org, should be {org_key}") continue team_name = permission["team"] # processing team section logging.debug(["team", team_name]) try: current_role = quay_api.get_repo_team_permissions( repo_name, team_name) if current_role != role: logging.info([ "update_role", org_key, repo_name, team_name, role ]) if not dry_run: quay_api.set_repo_team_permissions( repo_name, team_name, role) except Exception: error = True logging.exception( "could not manage repo permissions: " f"repo name: {repo_name}, " f"team name: {team_name}") if error: sys.exit(ExitCodes.ERROR)
def run(dry_run): gqlapi = gql.get_api() apps = gqlapi.query(QUAY_REPOS_QUERY)['apps'] quay_api_store = get_quay_api_store() error = False for app in apps: quay_repo_configs = app.get('quayRepos') if not quay_repo_configs: continue for quay_repo_config in quay_repo_configs: instance_name = quay_repo_config['org']['instance']['name'] org_name = quay_repo_config['org']['name'] org_key = (instance_name, org_name) # processing quayRepos section logging.debug(['app', app['name'], instance_name, org_name]) quay_api = quay_api_store[org_key]['api'] teams = quay_repo_config.get('teams') if not teams: continue repos = quay_repo_config['items'] for repo in repos: repo_name = repo['name'] # processing repo section logging.debug(['repo', repo_name]) for team in teams: permissions = team['permissions'] role = team['role'] for permission in permissions: if permission['service'] != 'quay-membership': logging.warning('wrong service kind, ' 'should be quay-membership') continue perm_org_key = ( permission['quayOrg']['instance']['name'], permission['quayOrg']['name']) if perm_org_key != org_key: logging.warning(f'wrong org, should be {org_key}') continue team_name = permission['team'] # processing team section logging.debug(['team', team_name]) try: current_role = \ quay_api.get_repo_team_permissions( repo_name, team_name) if current_role != role: logging.info([ 'update_role', org_key, repo_name, team_name, role ]) if not dry_run: quay_api.set_repo_team_permissions( repo_name, team_name, role) except Exception: error = True logging.exception( 'could not manage repo permissions: ' f'repo name: {repo_name}, ' f'team name: {team_name}') if error: sys.exit(ExitCodes.ERROR)