def get_desired_state(internal, use_jump_host, thread_pool_size):
gqlapi = gql.get_api()
all_namespaces = gqlapi.query(QUERY)['namespaces']
namespaces = []
for namespace in all_namespaces:
shard_key = f'{namespace["cluster"]["name"]}/{namespace["name"]}'
if is_in_shard(shard_key):
namespaces.append(namespace)
ri = ResourceInventory()
settings = queries.get_app_interface_settings()
oc_map = OC_Map(namespaces=namespaces,
integration=QONTRACT_INTEGRATION,
settings=settings,
internal=internal,
use_jump_host=use_jump_host,
thread_pool_size=thread_pool_size,
init_projects=True)
ob.init_specs_to_fetch(ri,
oc_map,
namespaces=namespaces,
override_managed_types=['Namespace'])
desired_state = []
for cluster, namespace, _, _ in ri:
if cluster not in oc_map.clusters():
continue
desired_state.append({"cluster": cluster, "namespace": namespace})
return oc_map, desired_state
def run(dry_run,
thread_pool_size=10,
internal=None,
use_jump_host=True,
providers=[],
cluster_name=None,
namespace_name=None,
init_api_resources=False,
defer=None):
gqlapi = gql.get_api()
namespaces = [
namespace_info
for namespace_info in gqlapi.query(NAMESPACES_QUERY)['namespaces']
if is_in_shard(f"{namespace_info['cluster']['name']}/" +
f"{namespace_info['name']}")
]
namespaces = \
filter_namespaces_by_cluster_and_namespace(
namespaces,
cluster_name,
namespace_name
)
namespaces = canonicalize_namespaces(namespaces, providers)
oc_map, ri = \
fetch_data(namespaces, thread_pool_size, internal, use_jump_host,
init_api_resources=init_api_resources)
defer(lambda: oc_map.cleanup())
ob.realize_data(dry_run, oc_map, ri)
if ri.has_error_registered():
sys.exit(1)
return ri
def run(dry_run,
thread_pool_size=10,
internal=None,
use_jump_host=True,
defer=None):
namespaces = [
namespace_info for namespace_info in queries.get_namespaces()
if namespace_info.get('managedRoles')
and is_in_shard(f"{namespace_info['cluster']['name']}/" +
f"{namespace_info['name']}")
]
ri, oc_map = ob.fetch_current_state(
namespaces=namespaces,
thread_pool_size=thread_pool_size,
integration=QONTRACT_INTEGRATION,
integration_version=QONTRACT_INTEGRATION_VERSION,
override_managed_types=['RoleBinding'],
internal=internal,
use_jump_host=use_jump_host)
defer(lambda: oc_map.cleanup())
fetch_desired_state(ri, oc_map)
ob.realize_data(dry_run, oc_map, ri)
if ri.has_error_registered():
sys.exit(1)
def run(dry_run,
thread_pool_size=10,
internal=None,
use_jump_host=True,
defer=None):
try:
gqlapi = gql.get_api()
namespaces = []
for namespace_info in gqlapi.query(NAMESPACES_QUERY)['namespaces']:
if not namespace_info.get('networkPoliciesAllow'):
continue
shard_key = (f"{namespace_info['cluster']['name']}/"
f"{namespace_info['name']}")
if not is_in_shard(shard_key):
continue
namespaces.append(namespace_info)
ri, oc_map = ob.fetch_current_state(
namespaces=namespaces,
thread_pool_size=thread_pool_size,
integration=QONTRACT_INTEGRATION,
integration_version=QONTRACT_INTEGRATION_VERSION,
override_managed_types=['NetworkPolicy'],
internal=internal,
use_jump_host=use_jump_host)
defer(lambda: oc_map.cleanup())
fetch_desired_state(namespaces, ri, oc_map)
ob.realize_data(dry_run, oc_map, ri)
if ri.has_error_registered():
sys.exit(1)
except Exception as e:
msg = 'There was problem running openshift network policies reconcile.'
msg += ' Exception: {}'
msg = msg.format(str(e))
logging.error(msg)
sys.exit(1)
def fetch_desired_state(ri, oc_map):
gqlapi = gql.get_api()
roles = gqlapi.query(ROLES_QUERY)['roles']
users_desired_state = []
for role in roles:
permissions = [{
'cluster': a['namespace']['cluster']['name'],
'namespace': a['namespace']['name'],
'role': a['role']
} for a in role['access'] or []
if None not in [a['namespace'], a['role']]
and a['namespace'].get('managedRoles')]
if not permissions:
continue
users = [user['github_username'] for user in role['users']]
bot_users = [
bot['github_username'] for bot in role['bots']
if bot.get('github_username')
]
users.extend(bot_users)
service_accounts = [
bot['openshift_serviceaccount'] for bot in role['bots']
if bot.get('openshift_serviceaccount')
]
for permission in permissions:
cluster = permission['cluster']
namespace = permission['namespace']
if not is_in_shard(f"{cluster}/{namespace}"):
continue
if oc_map and not oc_map.get(cluster):
continue
for user in users:
# used by openshift-users and github integrations
# this is just to simplify things a bit on the their side
users_desired_state.append({'cluster': cluster, 'user': user})
if ri is None:
continue
oc_resource, resource_name = \
construct_user_oc_resource(permission['role'], user)
try:
ri.add_desired(cluster, permission['namespace'],
'RoleBinding', resource_name, oc_resource)
except ResourceKeyExistsError:
# a user may have a Role assigned to them
# from multiple app-interface roles
pass
for sa in service_accounts:
if ri is None:
continue
namespace, sa_name = sa.split('/')
oc_resource, resource_name = \
construct_sa_oc_resource(
permission['role'], namespace, sa_name)
try:
ri.add_desired(permission['cluster'],
permission['namespace'], 'RoleBinding',
resource_name, oc_resource)
except ResourceKeyExistsError:
# a ServiceAccount may have a Role assigned to it
# from multiple app-interface roles
pass
return users_desired_state