コード例 #1
0
def get_desired_state(internal, use_jump_host, thread_pool_size):
    gqlapi = gql.get_api()
    all_namespaces = gqlapi.query(QUERY)['namespaces']

    namespaces = []
    for namespace in all_namespaces:
        shard_key = f'{namespace["cluster"]["name"]}/{namespace["name"]}'
        if is_in_shard(shard_key):
            namespaces.append(namespace)

    ri = ResourceInventory()
    settings = queries.get_app_interface_settings()
    oc_map = OC_Map(namespaces=namespaces,
                    integration=QONTRACT_INTEGRATION,
                    settings=settings,
                    internal=internal,
                    use_jump_host=use_jump_host,
                    thread_pool_size=thread_pool_size,
                    init_projects=True)
    ob.init_specs_to_fetch(ri,
                           oc_map,
                           namespaces=namespaces,
                           override_managed_types=['Namespace'])

    desired_state = []
    for cluster, namespace, _, _ in ri:
        if cluster not in oc_map.clusters():
            continue
        desired_state.append({"cluster": cluster, "namespace": namespace})

    return oc_map, desired_state
コード例 #2
0
def run(dry_run,
        thread_pool_size=10,
        internal=None,
        use_jump_host=True,
        providers=[],
        cluster_name=None,
        namespace_name=None,
        init_api_resources=False,
        defer=None):
    gqlapi = gql.get_api()
    namespaces = [
        namespace_info
        for namespace_info in gqlapi.query(NAMESPACES_QUERY)['namespaces']
        if is_in_shard(f"{namespace_info['cluster']['name']}/" +
                       f"{namespace_info['name']}")
    ]
    namespaces = \
        filter_namespaces_by_cluster_and_namespace(
            namespaces,
            cluster_name,
            namespace_name
        )
    namespaces = canonicalize_namespaces(namespaces, providers)
    oc_map, ri = \
        fetch_data(namespaces, thread_pool_size, internal, use_jump_host,
                   init_api_resources=init_api_resources)
    defer(lambda: oc_map.cleanup())

    ob.realize_data(dry_run, oc_map, ri)

    if ri.has_error_registered():
        sys.exit(1)

    return ri
コード例 #3
0
def run(dry_run,
        thread_pool_size=10,
        internal=None,
        use_jump_host=True,
        defer=None):
    namespaces = [
        namespace_info for namespace_info in queries.get_namespaces()
        if namespace_info.get('managedRoles')
        and is_in_shard(f"{namespace_info['cluster']['name']}/" +
                        f"{namespace_info['name']}")
    ]
    ri, oc_map = ob.fetch_current_state(
        namespaces=namespaces,
        thread_pool_size=thread_pool_size,
        integration=QONTRACT_INTEGRATION,
        integration_version=QONTRACT_INTEGRATION_VERSION,
        override_managed_types=['RoleBinding'],
        internal=internal,
        use_jump_host=use_jump_host)
    defer(lambda: oc_map.cleanup())
    fetch_desired_state(ri, oc_map)
    ob.realize_data(dry_run, oc_map, ri)

    if ri.has_error_registered():
        sys.exit(1)
コード例 #4
0
def run(dry_run,
        thread_pool_size=10,
        internal=None,
        use_jump_host=True,
        defer=None):

    try:
        gqlapi = gql.get_api()

        namespaces = []
        for namespace_info in gqlapi.query(NAMESPACES_QUERY)['namespaces']:
            if not namespace_info.get('networkPoliciesAllow'):
                continue

            shard_key = (f"{namespace_info['cluster']['name']}/"
                         f"{namespace_info['name']}")

            if not is_in_shard(shard_key):
                continue

            namespaces.append(namespace_info)

        ri, oc_map = ob.fetch_current_state(
            namespaces=namespaces,
            thread_pool_size=thread_pool_size,
            integration=QONTRACT_INTEGRATION,
            integration_version=QONTRACT_INTEGRATION_VERSION,
            override_managed_types=['NetworkPolicy'],
            internal=internal,
            use_jump_host=use_jump_host)
        defer(lambda: oc_map.cleanup())
        fetch_desired_state(namespaces, ri, oc_map)
        ob.realize_data(dry_run, oc_map, ri)

        if ri.has_error_registered():
            sys.exit(1)

    except Exception as e:
        msg = 'There was problem running openshift network policies reconcile.'
        msg += ' Exception: {}'
        msg = msg.format(str(e))
        logging.error(msg)
        sys.exit(1)
コード例 #5
0
def fetch_desired_state(ri, oc_map):
    gqlapi = gql.get_api()
    roles = gqlapi.query(ROLES_QUERY)['roles']
    users_desired_state = []
    for role in roles:
        permissions = [{
            'cluster': a['namespace']['cluster']['name'],
            'namespace': a['namespace']['name'],
            'role': a['role']
        } for a in role['access'] or []
                       if None not in [a['namespace'], a['role']]
                       and a['namespace'].get('managedRoles')]
        if not permissions:
            continue

        users = [user['github_username'] for user in role['users']]
        bot_users = [
            bot['github_username'] for bot in role['bots']
            if bot.get('github_username')
        ]
        users.extend(bot_users)
        service_accounts = [
            bot['openshift_serviceaccount'] for bot in role['bots']
            if bot.get('openshift_serviceaccount')
        ]

        for permission in permissions:
            cluster = permission['cluster']
            namespace = permission['namespace']
            if not is_in_shard(f"{cluster}/{namespace}"):
                continue
            if oc_map and not oc_map.get(cluster):
                continue
            for user in users:
                # used by openshift-users and github integrations
                # this is just to simplify things a bit on the their side
                users_desired_state.append({'cluster': cluster, 'user': user})
                if ri is None:
                    continue
                oc_resource, resource_name = \
                    construct_user_oc_resource(permission['role'], user)
                try:
                    ri.add_desired(cluster, permission['namespace'],
                                   'RoleBinding', resource_name, oc_resource)
                except ResourceKeyExistsError:
                    # a user may have a Role assigned to them
                    # from multiple app-interface roles
                    pass
            for sa in service_accounts:
                if ri is None:
                    continue
                namespace, sa_name = sa.split('/')
                oc_resource, resource_name = \
                    construct_sa_oc_resource(
                        permission['role'], namespace, sa_name)
                try:
                    ri.add_desired(permission['cluster'],
                                   permission['namespace'], 'RoleBinding',
                                   resource_name, oc_resource)
                except ResourceKeyExistsError:
                    # a ServiceAccount may have a Role assigned to it
                    # from multiple app-interface roles
                    pass

    return users_desired_state