def run(dry_run):
quay_api_store = get_quay_api_store()
current_state = fetch_current_state(quay_api_store)
desired_state = fetch_desired_state()
# calculate diff
diff = current_state.diff(desired_state)
# Ensure all quay org/teams are declared as dependencies:
# any item that appears in `diff['insert']` means that it's not listed
# in a `/dependencies/quay-org-1.yml` datafile.
if len(diff['insert']) > 0:
unknown_teams = [
"- {}/{}".format(
item["params"]["org"],
item["params"]["team"],
) for item in diff['insert']
]
raise RunnerException(("Unknown quay/org/team found:\n"
"{}").format("\n".join(unknown_teams)))
# Run actions
runner_action = RunnerAction(dry_run, quay_api_store)
runner = AggregatedDiffRunner(diff)
runner.register("update-insert", runner_action.add_to_team())
runner.register("update-delete", runner_action.del_from_team())
runner.register("delete", runner_action.del_from_team())
runner.run()
def run(dry_run):
gqlapi = gql.get_api()
apps = gqlapi.query(QUAY_REPOS_QUERY)['apps']
quay_api_store = get_quay_api_store()
error = False
for app in apps:
quay_repo_configs = app.get('quayRepos')
if not quay_repo_configs:
continue
for quay_repo_config in quay_repo_configs:
org_name = quay_repo_config['org']['name']
quay_api = quay_api_store[org_name]['api']
teams = quay_repo_config.get('teams')
if not teams:
continue
repos = quay_repo_config['items']
for repo in repos:
repo_name = repo['name']
for team in teams:
permissions = team['permissions']
role = team['role']
for permission in permissions:
if permission['service'] != 'quay-membership':
logging.warning('wrong service kind, ' +
'should be quay-membership')
continue
if permission['org'] != org_name:
logging.warning('wrong org, ' +
f'should be {org_name}')
continue
team_name = permission['team']
current_role = \
quay_api.get_repo_team_permissions(
repo_name, team_name)
if current_role != role:
logging.info([
'update_role', org_name, repo_name, team_name,
role
])
if not dry_run:
try:
quay_api.set_repo_team_permissions(
repo_name, team_name, role)
except Exception as e:
error = True
logging.error(
'could not set repo permissions: ' +
f'repo name: {repo_name}, ' +
f'team name: {team_name}. ' +
f'details: {str(e)}')
if error:
sys.exit(ExitCodes.ERROR)
def run(dry_run):
quay_api_store = get_quay_api_store()
current_state = fetch_current_state(quay_api_store)
desired_state = fetch_desired_state()
# calculate diff
diff = current_state.diff(desired_state)
logging.debug("State diff: %s", diff)
# Run actions
runner_action = RunnerAction(dry_run, quay_api_store)
runner = AggregatedDiffRunner(diff)
runner.register("insert", runner_action.create_team())
runner.register("update-insert", runner_action.add_to_team())
runner.register("update-delete", runner_action.del_from_team())
runner.register("delete", runner_action.del_from_team())
status = runner.run()
if not status:
sys.exit(ExitCodes.ERROR)
def run(dry_run):
quay_api_store = get_quay_api_store(managed_repos=True)
current_state = fetch_current_state(quay_api_store)
desired_state = fetch_desired_state()
# calculate diff
diff = current_state.diff(desired_state)
# Verify that there are no repeated repo declarations
for items in diff.values():
for repo in items:
assert len(repo['items']) == 1
# Run actions
runner_action = RunnerAction(dry_run, quay_api_store)
runner = AggregatedDiffRunner(diff)
runner.register("update-insert",
runner_action.update_fields(current_state))
runner.register("insert", runner_action.create_repo())
runner.register("delete", runner_action.delete_repo())
runner.run()
def run(dry_run):
quay_api_store = get_quay_api_store()
# consistency checks
for org_key, org_info in quay_api_store.items():
if org_info.get('mirror'):
# ensure there are no circular mirror dependencies
mirror_org_key = org_info['mirror']
mirror_org = quay_api_store[mirror_org_key]
if mirror_org.get('mirror'):
logging.error('%s can\'t have mirrors and be a mirror',
mirror_org_key)
sys.exit(ExitCodes.ERROR)
# ensure no org defines `managedRepos` and `mirror` at the same
if org_info.get('managedRepos'):
logging.error('%s has defined mirror and managedRepos',
org_key)
sys.exit(ExitCodes.ERROR)
# run integration
current_state = fetch_current_state(quay_api_store)
desired_state = fetch_desired_state(quay_api_store)
act(dry_run, quay_api_store, current_state, desired_state)
def __init__(self, dry_run=False):
self.dry_run = dry_run
self.skopeo_cli = Skopeo(dry_run)
self.quay_api_store = get_quay_api_store()
def __init__(self, dry_run, instance):
self.dry_run = dry_run
self.settings = queries.get_app_interface_settings()
cluster_info = instance['hiveCluster']
hive_cluster = instance['hiveCluster']['name']
# Getting the OCM Client for the hive cluster
ocm_map = OCMMap(clusters=[cluster_info],
integration=QONTRACT_INTEGRATION,
settings=self.settings)
self.ocm_cli = ocm_map.get(hive_cluster)
if not self.ocm_cli:
raise OcpReleaseMirrorError(f"Can't create ocm client for "
f"cluster {hive_cluster}")
# Getting the OC Client for the hive cluster
oc_map = OC_Map(clusters=[cluster_info],
integration=QONTRACT_INTEGRATION,
settings=self.settings)
self.oc_cli = oc_map.get(hive_cluster)
if not self.oc_cli:
raise OcpReleaseMirrorError(f"Can't create oc client for "
f"cluster {hive_cluster}")
namespace = instance['ecrResourcesNamespace']
ocp_release_identifier = instance['ocpReleaseEcrIdentifier']
ocp_art_dev_identifier = instance['ocpArtDevEcrIdentifier']
ocp_release_info = self._get_tf_resource_info(namespace,
ocp_release_identifier)
if ocp_release_info is None:
raise OcpReleaseMirrorError(f"Could not find rds "
f"identifier "
f"{ocp_release_identifier} in "
f"namespace {namespace['name']}")
ocp_art_dev_info = self._get_tf_resource_info(namespace,
ocp_art_dev_identifier)
if ocp_art_dev_info is None:
raise OcpReleaseMirrorError(f"Could not find rds identifier"
f" {ocp_art_dev_identifier} in"
f"namespace {namespace['name']}")
# Getting the AWS Client for the accounts
aws_accounts = [
self._get_aws_account_info(account=ocp_release_info['account']),
self._get_aws_account_info(account=ocp_art_dev_info['account'])
]
self.aws_cli = AWSApi(thread_pool_size=1,
accounts=aws_accounts,
settings=self.settings,
init_ecr_auth_tokens=True)
self.aws_cli.map_ecr_resources()
self.ocp_release_ecr_uri = self._get_image_uri(
account=ocp_release_info['account'],
repository=ocp_release_identifier)
if self.ocp_release_ecr_uri is None:
raise OcpReleaseMirrorError(f"Could not find the "
f"ECR repository "
f"{ocp_release_identifier}")
self.ocp_art_dev_ecr_uri = self._get_image_uri(
account=ocp_art_dev_info['account'],
repository=ocp_art_dev_identifier)
if self.ocp_art_dev_ecr_uri is None:
raise OcpReleaseMirrorError(f"Could not find the "
f"ECR repository "
f"{ocp_art_dev_identifier}")
# Process all the quayOrgTargets
quay_api_store = get_quay_api_store()
self.quay_target_orgs = []
for quayTargetOrg in instance['quayTargetOrgs']:
org_name = quayTargetOrg['name']
instance_name = quayTargetOrg['instance']['name']
org_key = OrgKey(instance_name, org_name)
org_info = quay_api_store[org_key]
if not org_info['push_token']:
raise OcpReleaseMirrorError(
f'{org_key} has no push_token defined.')
url = org_info['url']
user = org_info['push_token']['user']
token = org_info['push_token']['token']
self.quay_target_orgs.append({
'url':
url,
'dest_ocp_release':
f"{url}/{org_name}/ocp-release",
'dest_ocp_art_dev':
f"{url}/{org_name}/ocp-v4.0-art-dev",
'auths':
self._build_quay_auths(url, user, token)
})
# Getting all the credentials
quay_creds = self._get_quay_creds()
ocp_release_creds = self._get_ecr_creds(
account=ocp_release_info['account'],
region=ocp_release_info['region'])
ocp_art_dev_creds = self._get_ecr_creds(
account=ocp_art_dev_info['account'],
region=ocp_art_dev_info['region'])
# Creating a single dictionary with all credentials to be used by the
# "oc adm release mirror" command
self.registry_creds = {
'auths': {
**quay_creds['auths'],
**ocp_release_creds['auths'],
**ocp_art_dev_creds['auths'],
}
}
# Append quay_target_orgs auths to registry_creds
for quay_target_org in self.quay_target_orgs:
url = quay_target_org['url']
if url in self.registry_creds['auths'].keys():
OcpReleaseMirrorError('Cannot mirror to the same Quay '
f'instance multiple times: {url}')
self.registry_creds['auths'].update(quay_target_org['auths'])
# Initiate channel groups
self.channel_groups = instance['mirrorChannels']
def run(dry_run):
gqlapi = gql.get_api()
apps = gqlapi.query(QUAY_REPOS_QUERY)["apps"]
quay_api_store = get_quay_api_store()
error = False
for app in apps:
quay_repo_configs = app.get("quayRepos")
if not quay_repo_configs:
continue
for quay_repo_config in quay_repo_configs:
instance_name = quay_repo_config["org"]["instance"]["name"]
org_name = quay_repo_config["org"]["name"]
org_key = (instance_name, org_name)
# processing quayRepos section
logging.debug(["app", app["name"], instance_name, org_name])
quay_api = quay_api_store[org_key]["api"]
teams = quay_repo_config.get("teams")
if not teams:
continue
repos = quay_repo_config["items"]
for repo in repos:
repo_name = repo["name"]
# processing repo section
logging.debug(["repo", repo_name])
for team in teams:
permissions = team["permissions"]
role = team["role"]
for permission in permissions:
if permission["service"] != "quay-membership":
logging.warning("wrong service kind, "
"should be quay-membership")
continue
perm_org_key = (
permission["quayOrg"]["instance"]["name"],
permission["quayOrg"]["name"],
)
if perm_org_key != org_key:
logging.warning(f"wrong org, should be {org_key}")
continue
team_name = permission["team"]
# processing team section
logging.debug(["team", team_name])
try:
current_role = quay_api.get_repo_team_permissions(
repo_name, team_name)
if current_role != role:
logging.info([
"update_role", org_key, repo_name,
team_name, role
])
if not dry_run:
quay_api.set_repo_team_permissions(
repo_name, team_name, role)
except Exception:
error = True
logging.exception(
"could not manage repo permissions: "
f"repo name: {repo_name}, "
f"team name: {team_name}")
if error:
sys.exit(ExitCodes.ERROR)
def run(dry_run):
gqlapi = gql.get_api()
apps = gqlapi.query(QUAY_REPOS_QUERY)['apps']
quay_api_store = get_quay_api_store()
error = False
for app in apps:
quay_repo_configs = app.get('quayRepos')
if not quay_repo_configs:
continue
for quay_repo_config in quay_repo_configs:
instance_name = quay_repo_config['org']['instance']['name']
org_name = quay_repo_config['org']['name']
org_key = (instance_name, org_name)
# processing quayRepos section
logging.debug(['app', app['name'], instance_name, org_name])
quay_api = quay_api_store[org_key]['api']
teams = quay_repo_config.get('teams')
if not teams:
continue
repos = quay_repo_config['items']
for repo in repos:
repo_name = repo['name']
# processing repo section
logging.debug(['repo', repo_name])
for team in teams:
permissions = team['permissions']
role = team['role']
for permission in permissions:
if permission['service'] != 'quay-membership':
logging.warning('wrong service kind, '
'should be quay-membership')
continue
perm_org_key = (
permission['quayOrg']['instance']['name'],
permission['quayOrg']['name'])
if perm_org_key != org_key:
logging.warning(f'wrong org, should be {org_key}')
continue
team_name = permission['team']
# processing team section
logging.debug(['team', team_name])
try:
current_role = \
quay_api.get_repo_team_permissions(
repo_name, team_name)
if current_role != role:
logging.info([
'update_role', org_key, repo_name,
team_name, role
])
if not dry_run:
quay_api.set_repo_team_permissions(
repo_name, team_name, role)
except Exception:
error = True
logging.exception(
'could not manage repo permissions: '
f'repo name: {repo_name}, '
f'team name: {team_name}')
if error:
sys.exit(ExitCodes.ERROR)
