qontract-reconcile 0.10.2.dev299__py3-none-any.whl → 0.10.2.dev430__py3-none-any.whl

reconcile/openshift_rolebindings.py

@@ -1,58 +1,209 @@
-import contextlib
 import sys
-from collections.abc import Callable, Mapping, Sequence
-from typing import Any
+from collections.abc import Callable
+from dataclasses import dataclass
+from typing import Any, Self
+
+from pydantic.main import BaseModel
 
 import reconcile.openshift_base as ob
-from reconcile import queries
+from reconcile.gql_definitions.common.app_interface_roles import (
+    AccessV1,
+    BotV1,
+    ClusterV1,
+    NamespaceV1,
+    RoleV1,
+    UserV1,
+)
+from reconcile.gql_definitions.common.namespaces import NamespaceV1 as CommonNamespaceV1
+from reconcile.typed_queries.app_interface_roles import get_app_interface_roles
+from reconcile.typed_queries.namespaces import get_namespaces
 from reconcile.utils import (
     expiration,
-    gql,
 )
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.openshift_resource import OpenshiftResource as OR
 from reconcile.utils.openshift_resource import (
     ResourceInventory,
-    ResourceKeyExistsError,
 )
 from reconcile.utils.semver_helper import make_semver
 from reconcile.utils.sharding import is_in_shard
 
-ROLES_QUERY = """
-{
-  roles: roles_v1 {
-    name
-    users {
-      org_username
-      github_username
-    }
-    bots {
-      openshift_serviceaccount
-    }
-    access {
-      namespace {
-        name
-        clusterAdmin
-        managedRoles
-        delete
-        cluster {
-          name
-          auth {
-            service
-          }
+QONTRACT_INTEGRATION = "openshift-rolebindings"
+QONTRACT_INTEGRATION_VERSION = make_semver(0, 3, 0)
+
+
+class OCResource(BaseModel, arbitrary_types_allowed=True):
+    resource: OR
+    resource_name: str
+    privileged: bool
+
+
+@dataclass
+class ServiceAccountSpec:
+    sa_namespace_name: str
+    sa_name: str
+
+    @classmethod
+    def create_sa_spec(cls, bots: list[BotV1] | None) -> list[Self]:
+        return [
+            cls(
+                sa_namespace_name=full_service_account[0],
+                sa_name=full_service_account[1],
+            )
+            for bot in bots or []
+            if bot.openshift_serviceaccount
+            and (full_service_account := bot.openshift_serviceaccount.split("/"))
+            and len(full_service_account) == 2
+        ]
+
+
+class RoleBindingSpec(BaseModel, validate_by_alias=True, arbitrary_types_allowed=True):
+    role_name: str
+    role_kind: str
+    namespace: NamespaceV1
+    cluster: ClusterV1
+    privileged: bool
+    usernames: set[str]
+    openshift_service_accounts: list[ServiceAccountSpec]
+
+    def get_users_desired_state(self) -> list[dict[str, str]]:
+        return [
+            {"cluster": self.cluster.name, "user": username}
+            for username in self.usernames
+        ]
+
+    @classmethod
+    def create_role_binding_spec(
+        cls,
+        access: AccessV1,
+        users: list[UserV1] | None = None,
+        enforced_user_keys: list[str] | None = None,
+        bots: list[BotV1] | None = None,
+        support_role_ref: bool = False,
+    ) -> Self | None:
+        if not access.namespace:
+            return None
+        if not (access.role or access.cluster_role):
+            return None
+        privileged = access.namespace.cluster_admin or False
+        auth_dict = [
+            auth.model_dump(by_alias=True) for auth in access.namespace.cluster.auth
+        ]
+        usernames = RoleBindingSpec.get_usernames_from_users(
+            users,
+            ob.determine_user_keys_for_access(
+                access.namespace.cluster.name,
+                auth_dict,
+                enforced_user_keys,
+            ),
+        )
+        service_accounts = ServiceAccountSpec.create_sa_spec(bots) if bots else []
+        role_kind = "Role" if access.role and support_role_ref else "ClusterRole"
+        return cls(
+            role_name=access.role or access.cluster_role,
+            role_kind=role_kind,
+            namespace=access.namespace,
+            cluster=access.namespace.cluster,
+            privileged=privileged,
+            usernames=usernames,
+            openshift_service_accounts=service_accounts,
+        )
+
+    @classmethod
+    def create_rb_specs_from_role(
+        cls,
+        role: RoleV1,
+        enforced_user_keys: list[str] | None = None,
+        support_role_ref: bool = False,
+    ) -> list[Self]:
+        rolebinding_spec_list = [
+            role_binding_spec
+            for access in role.access or []
+            if (
+                access.namespace
+                and is_valid_namespace(access.namespace)
+                and (
+                    role_binding_spec := cls.create_role_binding_spec(
+                        access,
+                        role.users,
+                        enforced_user_keys,
+                        role.bots,
+                        support_role_ref,
+                    )
+                )
+            )
+        ]
+        return rolebinding_spec_list
+
+    @staticmethod
+    def get_usernames_from_users(
+        users: list[UserV1] | None = None, user_keys: list[str] | None = None
+    ) -> set[str]:
+        return {
+            name
+            for user in users or []
+            for user_key in user_keys or []
+            if (name := getattr(user, user_key, None))
         }
-      }
-      role
-    }
-    expirationDate
-  }
-}
-"""
 
+    def construct_user_oc_resource(self, user: str) -> OCResource:
+        name = f"{self.role_name}-{user}"
+        body: dict[str, Any] = {
+            "apiVersion": "rbac.authorization.k8s.io/v1",
+            "kind": "RoleBinding",
+            "metadata": {"name": name},
+            "roleRef": {"kind": self.role_kind, "name": self.role_name},
+            "subjects": [{"kind": "User", "name": user}],
+        }
+        return OCResource(
+            resource=OR(
+                body,
+                QONTRACT_INTEGRATION,
+                QONTRACT_INTEGRATION_VERSION,
+                error_details=name,
+            ),
+            resource_name=name,
+            privileged=self.privileged,
+        )
 
-QONTRACT_INTEGRATION = "openshift-rolebindings"
-QONTRACT_INTEGRATION_VERSION = make_semver(0, 3, 0)
+    def get_oc_resources(self) -> list[OCResource]:
+        user_oc_resources = [
+            self.construct_user_oc_resource(username) for username in self.usernames
+        ]
+        sa_oc_resources = [
+            self.construct_sa_oc_resource(sa.sa_namespace_name, sa.sa_name)
+            for sa in self.openshift_service_accounts
+        ]
+        return user_oc_resources + sa_oc_resources
+
+    def construct_sa_oc_resource(
+        self, sa_namespace_name: str, sa_name: str
+    ) -> OCResource:
+        name = f"{self.role_name}-{sa_namespace_name}-{sa_name}"
+        body: dict[str, Any] = {
+            "apiVersion": "rbac.authorization.k8s.io/v1",
+            "kind": "RoleBinding",
+            "metadata": {"name": name},
+            "roleRef": {"kind": self.role_kind, "name": self.role_name},
+            "subjects": [
+                {
+                    "kind": "ServiceAccount",
+                    "name": sa_name,
+                    "namespace": sa_namespace_name,
+                }
+            ],
+        }
+        return OCResource(
+            resource=OR(
+                body,
+                QONTRACT_INTEGRATION,
+                QONTRACT_INTEGRATION_VERSION,
+                error_details=name,
+            ),
+            resource_name=name,
+            privileged=self.privileged,
+        )
 
 
 def construct_user_oc_resource(role: str, user: str) -> tuple[OR, str]:
@@ -93,116 +244,65 @@ def construct_sa_oc_resource(role: str, namespace: str, sa_name: str) -> tuple[O
 
 def fetch_desired_state(
     ri: ResourceInventory | None,
-    oc_map: ob.ClusterMap | None,
+    support_role_ref: bool = False,
     enforced_user_keys: list[str] | None = None,
+    allowed_clusters: set[str] | None = None,
 ) -> list[dict[str, str]]:
-    gqlapi = gql.get_api()
-    roles_query_result = gqlapi.query(ROLES_QUERY)
-    if not roles_query_result:
+    if allowed_clusters is not None and not allowed_clusters:
         return []
-    roles: Sequence[Mapping[str, Any]] = expiration.filter(roles_query_result["roles"])
-    users_desired_state = []
+    roles: list[RoleV1] = expiration.filter(get_app_interface_roles())
+    users_desired_state: list[dict[str, str]] = []
     for role in roles:
-        permissions = [
-            {
-                "cluster": a["namespace"]["cluster"],
-                "namespace": a["namespace"],
-                "role": a["role"],
-            }
-            for a in role["access"] or []
-            if a["namespace"]
-            and a["role"]
-            and a["namespace"].get("managedRoles")
-            and not ob.is_namespace_deleted(a["namespace"])
-        ]
-        if not permissions:
-            continue
-
-        service_accounts = [
-            bot["openshift_serviceaccount"]
-            for bot in role["bots"]
-            if bot.get("openshift_serviceaccount")
-        ]
-
-        for permission in permissions:
-            cluster_info = permission["cluster"]
-            cluster = cluster_info["name"]
-            namespace_info = permission["namespace"]
-            perm_namespace_name = namespace_info["name"]
-            privileged = namespace_info.get("clusterAdmin") or False
-            if not is_in_shard(f"{cluster}/{perm_namespace_name}"):
-                continue
-            if oc_map and not oc_map.get(cluster):
+        rolebindings: list[RoleBindingSpec] = RoleBindingSpec.create_rb_specs_from_role(
+            role, enforced_user_keys, support_role_ref
+        )
+        if allowed_clusters is not None:
+            rolebindings = [
+                rolebinding
+                for rolebinding in rolebindings
+                if rolebinding.cluster.name in allowed_clusters
+            ]
+        for rolebinding in rolebindings:
+            users_desired_state.extend(rolebinding.get_users_desired_state())
+            if ri is None:
                 continue
-
-            # get username keys based on used IDPs
-            user_keys = ob.determine_user_keys_for_access(
-                cluster,
-                cluster_info.get("auth") or [],
-                enforced_user_keys=enforced_user_keys,
-            )
-            # create user rolebindings for user * user_keys
-            for user in role.get("users") or []:
-                for username in {user.get(key) for key in user_keys}:
-                    if not username:
-                        continue
-                    # used by openshift-users and github integrations
-                    # this is just to simplify things a bit on the their side
-                    users_desired_state.append({"cluster": cluster, "user": username})
-                    if ri is None:
-                        continue
-                    oc_resource, resource_name = construct_user_oc_resource(
-                        permission["role"], username
-                    )
-                    with contextlib.suppress(ResourceKeyExistsError):
-                        # a user may have a Role assigned to them
-                        # from multiple app-interface roles
-                        ri.add_desired(
-                            cluster,
-                            perm_namespace_name,
-                            "RoleBinding.rbac.authorization.k8s.io",
-                            resource_name,
-                            oc_resource,
-                            privileged=privileged,
-                        )
-
-            for sa in service_accounts:
-                if ri is None:
-                    continue
-                sa_namespace_name, sa_name = sa.split("/")
-                oc_resource, resource_name = construct_sa_oc_resource(
-                    permission["role"], sa_namespace_name, sa_name
-                )
-                with contextlib.suppress(ResourceKeyExistsError):
-                    # a ServiceAccount may have a Role assigned to it
-                    # from multiple app-interface roles
-                    ri.add_desired(
-                        cluster,
-                        perm_namespace_name,
-                        "RoleBinding.rbac.authorization.k8s.io",
-                        resource_name,
-                        oc_resource,
-                        privileged=privileged,
+            for oc_resource in rolebinding.get_oc_resources():
+                if not ri.get_desired(
+                    rolebinding.cluster.name,
+                    rolebinding.namespace.name,
+                    "RoleBinding.rbac.authorization.k8s.io",
+                    oc_resource.resource_name,
+                ):
+                    ri.add_desired_resource(
+                        cluster=rolebinding.cluster.name,
+                        namespace=rolebinding.namespace.name,
+                        resource=oc_resource.resource,
+                        privileged=oc_resource.privileged,
                     )
     return users_desired_state
 
 
+def is_valid_namespace(namespace: NamespaceV1 | CommonNamespaceV1) -> bool:
+    return (
+        bool(namespace.managed_roles)
+        and is_in_shard(f"{namespace.cluster.name}/{namespace.name}")
+        and not ob.is_namespace_deleted(namespace.model_dump(by_alias=True))
+    )
+
+
 @defer
 def run(
     dry_run: bool,
     thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
     internal: bool | None = None,
     use_jump_host: bool = True,
+    support_role_ref: bool = False,
     defer: Callable | None = None,
 ) -> None:
     namespaces = [
-        namespace_info
-        for namespace_info in queries.get_namespaces()
-        if namespace_info.get("managedRoles")
-        and is_in_shard(
-            f"{namespace_info['cluster']['name']}/" + f"{namespace_info['name']}"
-        )
-        and not ob.is_namespace_deleted(namespace_info)
+        namespace.model_dump(by_alias=True, exclude={"openshift_resources"})
+        for namespace in get_namespaces()
+        if is_valid_namespace(namespace)
     ]
     ri, oc_map = ob.fetch_current_state(
         namespaces=namespaces,
@@ -215,7 +315,7 @@ def run(
     )
     if defer:
         defer(oc_map.cleanup)
-    fetch_desired_state(ri, oc_map)
+    fetch_desired_state(ri, support_role_ref, allowed_clusters=set(oc_map.clusters()))
     ob.publish_metrics(ri, QONTRACT_INTEGRATION)
     ob.realize_data(dry_run, oc_map, ri, thread_pool_size)
 

reconcile/openshift_saas_deploy.py

@@ -1,4 +1,3 @@
-import json
 import logging
 import os
 import sys
@@ -28,6 +27,7 @@ from reconcile.typed_queries.saas_files import (
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.gitlab_api import GitLabApi
+from reconcile.utils.json import json_dumps
 from reconcile.utils.openshift_resource import ResourceInventory
 from reconcile.utils.saasherder import SaasHerder
 from reconcile.utils.secret_reader import create_secret_reader
@@ -150,7 +150,7 @@ def run(
                     + "when using slack notifications"
                 )
             slack = slackapi_from_slack_workspace(
-                saas_file.slack.dict(by_alias=True),
+                saas_file.slack.model_dump(by_alias=True),
                 secret_reader,
                 QONTRACT_INTEGRATION,
                 init_usergroups=False,
@@ -224,7 +224,7 @@ def run(
         default=False,
     )
     ri, oc_map = ob.fetch_current_state(
-        namespaces=[ns.dict(by_alias=True) for ns in saasherder.namespaces],
+        namespaces=[ns.model_dump(by_alias=True) for ns in saasherder.namespaces],
         thread_pool_size=thread_pool_size,
         integration=QONTRACT_INTEGRATION,
         integration_version=QONTRACT_INTEGRATION_VERSION,
@@ -319,14 +319,13 @@ def run(
         openshift_saas_deploy_trigger_upstream_jobs.QONTRACT_INTEGRATION,
         openshift_saas_deploy_trigger_images.QONTRACT_INTEGRATION,
     ]
-    scan = (
+    if (
         not dry_run
         and len(saas_files) == 1
         and trigger_integration
         and trigger_integration in allowed_integration
         and trigger_reason
-    )
-    if scan:
+    ):
         saas_file = saas_files[0]
         owners = saas_file.app.service_owners or []
         emails = " ".join([o.email for o in owners])
@@ -346,4 +345,4 @@ def run(
         if image_auth.auth_server:
             json_file = os.path.join(io_dir, "dockerconfigjson")
             with open(json_file, "w", encoding="locale") as f:
-                f.write(json.dumps(image_auth.get_docker_config_json(), indent=2))
+                f.write(json_dumps(image_auth.get_docker_config_json(), indent=2))

reconcile/openshift_saas_deploy_change_tester.py

@@ -34,7 +34,7 @@ class Definition(BaseModel):
 class State(BaseModel):
     saas_file_path: str
     saas_file_name: str
-    saas_file_deploy_resources: DeployResourcesV1 | None
+    saas_file_deploy_resources: DeployResourcesV1 | None = None
     resource_template_name: str
     cluster: str
     namespace: str
@@ -44,10 +44,10 @@ class State(BaseModel):
     parameters: dict[str, Any]
     secret_parameters: dict[str, VaultSecret]
     saas_file_definitions: Definition
-    upstream: SaasResourceTemplateTargetUpstreamV1 | None
-    disable: bool | None
-    delete: bool | None
-    target_path: str | None
+    upstream: SaasResourceTemplateTargetUpstreamV1 | None = None
+    disable: bool | None = None
+    delete: bool | None = None
+    target_path: str | None = None
 
 
 def osd_run_wrapper(
@@ -213,11 +213,13 @@ def run(
     saas_file_list = SaasFileList()
     desired_saas_file_state = collect_state(saas_file_list.saas_files)
     # compare dicts against dicts which is much faster than comparing BaseModel objects
-    comparison_saas_file_state_dicts = [s.dict() for s in comparison_saas_file_state]
+    comparison_saas_file_state_dicts = [
+        s.model_dump() for s in comparison_saas_file_state
+    ]
     saas_file_state_diffs = [
         s
         for s in desired_saas_file_state
-        if s.dict() not in comparison_saas_file_state_dicts
+        if s.model_dump() not in comparison_saas_file_state_dicts
     ]
     if not saas_file_state_diffs:
         return

reconcile/openshift_saas_deploy_trigger_cleaner.py

@@ -1,14 +1,11 @@
 import logging
 from collections.abc import Callable
 from datetime import (
-    UTC,
     datetime,
     timedelta,
 )
 from typing import Any
 
-from dateutil import parser
-
 from reconcile.gql_definitions.fragments.pipeline_provider_retention import (
     PipelineProviderRetention,
 )
@@ -19,6 +16,7 @@ from reconcile.typed_queries.tekton_pipeline_providers import (
     get_tekton_pipeline_providers,
 )
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
+from reconcile.utils.datetime_util import from_utc_iso_format, utc_now
 from reconcile.utils.defer import defer
 from reconcile.utils.oc_map import (
     OCLogMsg,
@@ -35,7 +33,7 @@ def within_retention_days(
     resource: dict[str, Any], days: int, now_date: datetime
 ) -> bool:
     metadata = resource["metadata"]
-    creation_date = parser.parse(metadata["creationTimestamp"])
+    creation_date = from_utc_iso_format(metadata["creationTimestamp"])
     interval = now_date.timestamp() - creation_date.timestamp()
 
     return interval < timedelta(days=days).total_seconds()
@@ -69,7 +67,7 @@ def run(
     use_jump_host: bool = True,
     defer: Callable | None = None,
 ) -> None:
-    now_date = datetime.now(UTC)
+    now_date = utc_now()
     vault_settings = get_app_interface_vault_settings()
     secret_reader = create_secret_reader(use_vault=vault_settings.vault)
     pipeline_providers = get_tekton_pipeline_providers()

reconcile/openshift_serviceaccount_tokens.py

@@ -87,13 +87,14 @@ def fetch_desired_state(
         if not namespace.openshift_service_account_tokens:
             continue
 
-        if not (oc := oc_map.get(namespace.cluster.name)):
+        oc = oc_map.get(namespace.cluster.name)
+        if isinstance(oc, ob.OCLogMsg):
             logging.log(level=oc.log_level, msg=oc.message)
             continue
 
         for sat in namespace.openshift_service_account_tokens:
             oc = oc_map.get(sat.namespace.cluster.name)
-            if not oc:
+            if isinstance(oc, ob.OCLogMsg):
                 if oc.log_level >= logging.ERROR:
                     ri.register_error()
                 logging.log(level=oc.log_level, msg=oc.message)
@@ -156,11 +157,11 @@ def write_outputs_to_vault(
                     f"{vault_path}/{integration_name}/{cluster}/{namespace}/{name}"
                 )
                 secret = {"path": secret_path, "data": body_data}
-                vault_client.write(secret)  # type: ignore
+                vault_client.write(secret)
                 # write secret to shared-resources location
                 secret_path = f"{vault_path}/{integration_name}/shared-resources/{name}"
                 secret = {"path": secret_path, "data": body_data}
-                vault_client.write(secret)  # type: ignore
+                vault_client.write(secret)
 
 
 def canonicalize_namespaces(namespaces: Iterable[NamespaceV1]) -> list[NamespaceV1]:
@@ -176,7 +177,7 @@ def canonicalize_namespaces(namespaces: Iterable[NamespaceV1]) -> list[Namespace
             key = f"{sat.namespace.cluster.name}/{sat.namespace.name}"
             if key not in canonicalized_namespaces:
                 canonicalized_namespaces[key] = NamespaceV1(
-                    **sat.namespace.dict(by_alias=True),
+                    **sat.namespace.model_dump(by_alias=True),
                     sharedResources=None,
                     openshiftServiceAccountTokens=None,
                 )
@@ -216,7 +217,7 @@ def run(
         get_namespaces_with_serviceaccount_tokens(gql_api.query)
     )
     ri, oc_map = ob.fetch_current_state(
-        namespaces=[ns.dict(by_alias=True) for ns in namespaces],
+        namespaces=[ns.model_dump(by_alias=True) for ns in namespaces],
         thread_pool_size=thread_pool_size,
         integration=QONTRACT_INTEGRATION,
         integration_version=QONTRACT_INTEGRATION_VERSION,
@@ -230,7 +231,7 @@ def run(
     ob.publish_metrics(ri, QONTRACT_INTEGRATION)
     ob.realize_data(dry_run, oc_map, ri, thread_pool_size)
     if not dry_run and vault_output_path:
-        write_outputs_to_vault(VaultClient(), vault_output_path, ri)
+        write_outputs_to_vault(VaultClient.get_instance(), vault_output_path, ri)
 
     if ri.has_error_registered():
         sys.exit(1)

reconcile/openshift_tekton_resources.py

@@ -456,7 +456,7 @@ def run(
 
     LOG.debug("Adding desired resources to inventory")
     for desired_resource in desired_resources:
-        ri.add_desired(**desired_resource)
+        ri.add_desired(**desired_resource)  # type: ignore
 
     LOG.debug("Publishing metrics")
     ob.publish_metrics(ri, QONTRACT_INTEGRATION)

reconcile/openshift_upgrade_watcher.py

@@ -3,7 +3,6 @@ from collections.abc import (
     Callable,
     Iterable,
 )
-from datetime import datetime
 
 from reconcile import queries
 from reconcile.gql_definitions.common.clusters import ClusterV1
@@ -13,6 +12,7 @@ from reconcile.typed_queries.app_interface_vault_settings import (
 )
 from reconcile.typed_queries.clusters import get_clusters
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
+from reconcile.utils.datetime_util import from_utc_iso_format, utc_now
 from reconcile.utils.defer import defer
 from reconcile.utils.oc_map import (
     OCLogMsg,
@@ -101,7 +101,7 @@ def notify_upgrades_start(
     state: State,
     slack: SlackApi | None,
 ) -> None:
-    now = datetime.utcnow()
+    now = utc_now()
     for cluster in clusters:
         if cluster.spec and not cluster.spec.hypershift:
             upgrade_at, version = _get_start_osd(oc_map, cluster.name)
@@ -113,7 +113,7 @@ def notify_upgrades_start(
             continue
 
         if upgrade_at and version:
-            upgrade_at_obj = datetime.strptime(upgrade_at, "%Y-%m-%dT%H:%M:%SZ")
+            upgrade_at_obj = from_utc_iso_format(upgrade_at)
             state_key = f"{cluster.name}-{upgrade_at}1"
             # if this is the first iteration in which 'now' had passed
             # the upgrade at date time, we send a notification
@@ -185,7 +185,7 @@ def run(
     if defer:
         defer(oc_map.cleanup)
 
-    cluster_like_objects = [cluster.dict(by_alias=True) for cluster in clusters]
+    cluster_like_objects = [cluster.model_dump(by_alias=True) for cluster in clusters]
     ocm_map = OCMMap(
         clusters=cluster_like_objects,
         integration=QONTRACT_INTEGRATION,

reconcile/openshift_users.py

@@ -101,14 +101,16 @@ def fetch_desired_state(
     oc_map: OCMap | None, enforced_user_keys: Any = None
 ) -> list[Any]:
     desired_state = []
-
+    filtered_clusters = oc_map.clusters() if oc_map else None
     flat_rolebindings_desired_state = openshift_rolebindings.fetch_desired_state(
-        ri=None, oc_map=oc_map, enforced_user_keys=enforced_user_keys
+        ri=None,
+        enforced_user_keys=enforced_user_keys,
+        allowed_clusters=set(filtered_clusters) if filtered_clusters else None,
     )
     desired_state.extend(flat_rolebindings_desired_state)
 
     groups_desired_state = openshift_groups.fetch_desired_state(
-        clusters=oc_map.clusters() if oc_map else [],
+        clusters=filtered_clusters or [],
         enforced_user_keys=enforced_user_keys,
     )
     flat_groups_desired_state = [