def create_role_binding(api: client.RbacAuthorizationV1Api,
                        configmap: Resource, cro_spec: ResourceChunk,
                        ns: str, name_suffix: str, logger: logging.Logger):
    """
    Create the role binding for a run from the operator's template.

    When the resource spec sets `role.bind`, nothing is created and None is
    returned. Otherwise the `chaostoolkit-role-binding.yaml` entry of
    `configmap` is parsed, the binding name, the first subject's name and
    the roleRef name each get `-{name_suffix}` appended, and the binding is
    created in namespace `ns`.

    Returns the manifest that was submitted when the creation succeeds, and
    None when the API answers 409 (the binding is already there). Any other
    API error is raised as `kopf.PermanentError`.
    """
    if cro_spec.get("role", {}).get("bind"):
        # spec.role.bind is set: this function creates nothing in that case.
        return None

    # safe_load only builds plain mappings, sequences and scalars, so the
    # ConfigMap content cannot instantiate arbitrary Python objects.
    manifest = yaml.safe_load(
        configmap.data['chaostoolkit-role-binding.yaml'])

    binding_name = f"{manifest['metadata']['name']}-{name_suffix}"
    manifest["metadata"]["name"] = binding_name

    # The service account subject carries the same per-run suffix.
    subject = manifest["subjects"][0]
    subject["name"] = f"{subject['name']}-{name_suffix}"

    # So does the role the binding points at.
    role_ref = manifest["roleRef"]
    role_ref["name"] = f"{role_ref['name']}-{name_suffix}"

    # set_ns is defined elsewhere in the file; presumably it stamps the
    # target namespace onto the manifest (confirm against its definition).
    set_ns(manifest, ns)

    try:
        api.create_namespaced_role_binding(body=manifest, namespace=ns)
    except ApiException as e:
        if e.status != 409:
            raise kopf.PermanentError(
                f"Failed to bind to role: {str(e)}")
        logger.info(
            f"Role binding '{binding_name}' already exists.")
        return None
    return manifest
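def create_role_binding(api: client.RbacAuthorizationV1Api,
                        configmap: Resource, cro_spec: ResourceChunk,
                        ns: str, name_suffix: str):
    """
    Create the role binding for a run from the operator's template.

    When the resource spec sets `role.bind`, nothing is created and None is
    returned. Otherwise the `chaostoolkit-role-binding.yaml` entry of
    `configmap` is parsed, the binding name, the first subject's name and
    the roleRef name each get `-{name_suffix}` appended, and the subject's
    namespace is set to `ns`. The binding is then created in every
    namespace listed under `clusterRoleBindNamespaces` in the spec, and
    finally in `ns` itself.

    Returns the manifest when the binding in `ns` was created, and None
    when the API answers 409 there (the binding already exists). A 409 in
    one of the extra namespaces is logged and skipped. Any other API error
    is raised as `kopf.PermanentError`, as is a
    `clusterRoleBindNamespaces` value that is not a list of strings.

    NOTE(review): `clusterRoleBindNamespaces` is read straight from the
    resource spec, so whoever may create that resource chooses the
    namespaces in which the operator grants this binding to the run's
    service account. Nothing in this function limits that list; confirm it
    is constrained upstream (access to the custom resource, an admission
    policy, or an operator-side allow-list).
    """
    logger = logging.getLogger('kopf.objects')
    role_bind_name = cro_spec.get("role", {}).get("bind")
    # `or []` also covers an explicit `clusterRoleBindNamespaces: null`,
    # which would otherwise fail on len(None).
    cluster_role_bind_namespaces = cro_spec.get(
        "clusterRoleBindNamespaces") or []

    if role_bind_name:
        # spec.role.bind is set: this function creates nothing in that case.
        return None

    # A bare string would be iterated character by character and each
    # character treated as a namespace name, so reject anything that is
    # not a list of strings before any binding is created.
    if (not isinstance(cluster_role_bind_namespaces, (list, tuple))
            or not all(isinstance(n, str)
                       for n in cluster_role_bind_namespaces)):
        raise kopf.PermanentError(
            "clusterRoleBindNamespaces must be a list of namespace names")

    # safe_load only builds plain mappings, sequences and scalars, so the
    # ConfigMap content cannot instantiate arbitrary Python objects.
    tpl = yaml.safe_load(configmap.data['chaostoolkit-role-binding.yaml'])
    role_binding_name = f"{tpl['metadata']['name']}-{name_suffix}"
    tpl["metadata"]["name"] = role_binding_name

    # change sa subject name and namespace: the subject stays the service
    # account in `ns`, whichever namespace the binding is created in
    subject = tpl["subjects"][0]
    subject["name"] = f"{subject['name']}-{name_suffix}"
    subject["namespace"] = ns

    # change role name
    role_ref = tpl["roleRef"]
    role_ref["name"] = f"{role_ref['name']}-{name_suffix}"

    logger.debug(f"Creating role binding with template:\n{tpl}")

    # The same manifest object is re-stamped for each extra namespace (the
    # original aliased it as `cluster_tpl` without copying); set_ns, which
    # is defined elsewhere in the file, is applied again with `ns` below.
    for namespace in cluster_role_bind_namespaces:
        set_ns(tpl, namespace)
        try:
            api.create_namespaced_role_binding(
                body=tpl, namespace=namespace)
        except ApiException as e:
            if e.status != 409:
                raise kopf.PermanentError(
                    f"Failed to bind to role: {str(e)}") from e
            # Built as one literal: the former backslash continuation put
            # the source indentation into the logged message.
            logger.info(
                f"Role binding '{role_binding_name}' "
                f"already exists in {namespace}.")

    set_ns(tpl, ns)
    try:
        api.create_namespaced_role_binding(body=tpl, namespace=ns)
    except ApiException as e:
        if e.status != 409:
            raise kopf.PermanentError(
                f"Failed to bind to role: {str(e)}") from e
        logger.info(
            f"Role binding '{role_binding_name}' already exists.")
        return None
    return tpl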