qontract-reconcile 0.10.2.dev481__py3-none-any.whl → 0.10.2.dev484__py3-none-any.whl

reconcile/openshift_bindings/openshift_rolebindings.py

@@ -0,0 +1,135 @@
+"""OpenShift RoleBindings integration.
+
+Manages namespace-scoped RoleBindings within OpenShift namespaces.
+"""
+
+import sys
+from collections.abc import Callable
+from typing import TYPE_CHECKING
+
+import reconcile.openshift_base as ob
+from reconcile.openshift_bindings.constants import (
+    OPENSHIFT_ROLEBINDINGS_INTEGRATION_NAME,
+)
+from reconcile.openshift_bindings.models import RoleBindingSpec
+from reconcile.openshift_bindings.utils import (
+    is_valid_namespace,
+)
+from reconcile.typed_queries.app_interface_roles import get_app_interface_roles
+from reconcile.typed_queries.namespaces import get_namespaces
+from reconcile.utils import expiration
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
+from reconcile.utils.defer import defer
+from reconcile.utils.oc import OC_Map
+from reconcile.utils.openshift_resource import ResourceInventory
+from reconcile.utils.runtime.integration import (
+    PydanticRunParams,
+    QontractReconcileIntegration,
+)
+from reconcile.utils.semver_helper import make_semver
+
+if TYPE_CHECKING:
+    from reconcile.gql_definitions.common.app_interface_roles import RoleV1
+
+QONTRACT_INTEGRATION_VERSION = make_semver(0, 3, 0)
+QONTRACT_INTEGRATION_MANAGED_TYPE = "RoleBinding.rbac.authorization.k8s.io"
+
+
+class OpenShiftRoleBindingsIntegrationParams(PydanticRunParams):
+    support_role_ref: bool = False
+    enforced_user_keys: list[str] | None = None
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE
+    internal: bool | None = None
+    use_jump_host: bool = True
+
+
+class OpenShiftRoleBindingsIntegration(
+    QontractReconcileIntegration[OpenShiftRoleBindingsIntegrationParams],
+):
+    """Manages RoleBindings within OpenShift namespaces."""
+
+    @defer
+    def run(self, dry_run: bool, defer: Callable | None = None) -> None:
+        ri, oc_map = self.fetch_current_state()
+        if defer:
+            defer(oc_map.cleanup)
+        self.fetch_desired_state(
+            ri,
+            support_role_ref=self.params.support_role_ref,
+            enforced_user_keys=self.params.enforced_user_keys,
+            allowed_clusters=set(oc_map.clusters()),
+        )
+        ob.publish_metrics(ri, self.name)
+        ob.realize_data(dry_run, oc_map, ri, self.params.thread_pool_size)
+        if ri.has_error_registered():
+            sys.exit(1)
+
+    @property
+    def integration_version(self) -> str:
+        return QONTRACT_INTEGRATION_VERSION
+
+    @property
+    def name(self) -> str:
+        return OPENSHIFT_ROLEBINDINGS_INTEGRATION_NAME
+
+    def fetch_current_state(self) -> tuple[ResourceInventory, OC_Map]:
+        """Fetch current RoleBindings state from namespaces."""
+        namespaces = [
+            namespace.model_dump(by_alias=True, exclude={"openshift_resources"})
+            for namespace in get_namespaces()
+            if is_valid_namespace(namespace)
+        ]
+        return ob.fetch_current_state(
+            namespaces=namespaces,
+            thread_pool_size=self.params.thread_pool_size,
+            integration=self.name,
+            integration_version=self.integration_version,
+            override_managed_types=[QONTRACT_INTEGRATION_MANAGED_TYPE],
+            internal=self.params.internal,
+            use_jump_host=self.params.use_jump_host,
+        )
+
+    def fetch_desired_state(
+        self,
+        ri: ResourceInventory | None,
+        support_role_ref: bool = False,
+        enforced_user_keys: list[str] | None = None,
+        allowed_clusters: set[str] | None = None,
+    ) -> None:
+        if allowed_clusters is not None and not allowed_clusters:
+            return
+        if ri is None:
+            return
+        roles: list[RoleV1] = expiration.filter(get_app_interface_roles())
+        for role in roles:
+            rolebindings: list[RoleBindingSpec] = (
+                RoleBindingSpec.create_rb_specs_from_role(
+                    role, enforced_user_keys, support_role_ref
+                )
+            )
+            if allowed_clusters is not None:
+                rolebindings = [
+                    rolebinding
+                    for rolebinding in rolebindings
+                    if rolebinding.cluster.name in allowed_clusters
+                ]
+            for rolebinding in rolebindings:
+                for oc_resource in rolebinding.get_openshift_resources(
+                    self.name,
+                    self.integration_version,
+                    privileged=rolebinding.privileged,
+                ):
+                    if not ri.get_desired(
+                        rolebinding.cluster.name,
+                        rolebinding.namespace.name,
+                        QONTRACT_INTEGRATION_MANAGED_TYPE,
+                        oc_resource.resource_name,
+                    ):
+                        ri.add_desired(
+                            cluster=rolebinding.cluster.name,
+                            namespace=rolebinding.namespace.name,
+                            resource_type=QONTRACT_INTEGRATION_MANAGED_TYPE,
+                            name=oc_resource.resource_name,
+                            value=oc_resource.resource,
+                            privileged=oc_resource.privileged,
+                        )

reconcile/openshift_bindings/utils.py

@@ -0,0 +1,14 @@
+import reconcile.openshift_base as ob
+from reconcile.gql_definitions.common.app_interface_roles import NamespaceV1
+from reconcile.gql_definitions.common.namespaces import NamespaceV1 as CommonNamespaceV1
+from reconcile.utils.sharding import is_in_shard
+
+
+def is_valid_namespace(
+    namespace: NamespaceV1 | CommonNamespaceV1,
+) -> bool:
+    return (
+        bool(namespace.managed_roles)
+        and is_in_shard(f"{namespace.cluster.name}/{namespace.name}")
+        and not ob.is_namespace_deleted(namespace.model_dump(by_alias=True))
+    )

reconcile/openshift_users.py

@@ -5,23 +5,28 @@ from collections.abc import (
     Iterable,
     Mapping,
 )
-from typing import Any
+from typing import TYPE_CHECKING, Any
 
 from sretoolbox.utils import threaded
 
 from reconcile import (
     openshift_groups,
-    openshift_rolebindings,
 )
+
+if TYPE_CHECKING:
+    from reconcile.gql_definitions.common.app_interface_roles import RoleV1
 from reconcile.gql_definitions.common.clusters_minimal import (
     ClusterAuthOIDCV1,
     ClusterAuthRHIDPV1,
     ClusterV1,
 )
+from reconcile.openshift_bindings.models import RoleBindingSpec
+from reconcile.typed_queries.app_interface_roles import get_app_interface_roles
 from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
 from reconcile.typed_queries.clusters_minimal import get_clusters_minimal
+from reconcile.utils import expiration
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
 from reconcile.utils.oc_map import (
@@ -97,15 +102,55 @@ def fetch_current_state(
     return oc_map, current_state
 
 
+def fetch_rolebindings_desired_state(
+    allowed_clusters: set[str] | None = None,
+    enforced_user_keys: list[str] | None = None,
+) -> list[dict[str, str]]:
+    if allowed_clusters is not None and not allowed_clusters:
+        return []
+    roles: list[RoleV1] = expiration.filter(get_app_interface_roles())
+
+    users_desired_state: list[dict[str, str]] = [
+        user
+        for role in roles
+        for rolebinding in filter_rolebindings(
+            RoleBindingSpec.create_rb_specs_from_role(role, enforced_user_keys),
+            allowed_clusters,
+        )
+        for user in get_users_from_rolebinding_desired_state(rolebinding)
+    ]
+    return users_desired_state
+
+
+def get_users_from_rolebinding_desired_state(
+    role_binding: RoleBindingSpec,
+) -> list[dict[str, str]]:
+    return [
+        {"cluster": role_binding.cluster.name, "user": user}
+        for user in role_binding.usernames
+    ]
+
+
+def filter_rolebindings(
+    rolebindings: list[RoleBindingSpec], allowed_clusters: set[str] | None = None
+) -> list[RoleBindingSpec]:
+    if allowed_clusters is not None:
+        return [
+            rolebinding
+            for rolebinding in rolebindings
+            if rolebinding.cluster.name in allowed_clusters
+        ]
+    return rolebindings
+
+
 def fetch_desired_state(
     oc_map: OCMap | None, enforced_user_keys: Any = None
 ) -> list[Any]:
     desired_state = []
     filtered_clusters = oc_map.clusters() if oc_map else None
-    flat_rolebindings_desired_state = openshift_rolebindings.fetch_desired_state(
-        ri=None,
-        enforced_user_keys=enforced_user_keys,
+    flat_rolebindings_desired_state = fetch_rolebindings_desired_state(
         allowed_clusters=set(filtered_clusters) if filtered_clusters else None,
+        enforced_user_keys=enforced_user_keys,
     )
     desired_state.extend(flat_rolebindings_desired_state)
 

reconcile/typed_queries/app_interface_clusterroles.py

@@ -0,0 +1,10 @@
+from reconcile.gql_definitions.common.app_interface_clusterrole import (
+    RoleV1,
+    query,
+)
+from reconcile.utils import gql
+
+
+def get_app_interface_clusterroles() -> list[RoleV1]:
+    data = query(gql.get_api().query)
+    return list(data.cluster_roles or [])

reconcile/openshift_clusterrolebindings.py

@@ -1,192 +0,0 @@
-import contextlib
-import sys
-from collections.abc import Callable
-
-import reconcile.openshift_base as ob
-from reconcile import queries
-from reconcile.utils import (
-    expiration,
-    gql,
-)
-from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
-from reconcile.utils.defer import defer
-from reconcile.utils.openshift_resource import OpenshiftResource as OR
-from reconcile.utils.openshift_resource import (
-    ResourceInventory,
-    ResourceKeyExistsError,
-)
-from reconcile.utils.semver_helper import make_semver
-
-ROLES_QUERY = """
-{
-  roles: roles_v1 {
-    name
-    users {
-      org_username
-      github_username
-    }
-    bots {
-      openshift_serviceaccount
-    }
-    access {
-      cluster {
-        name
-        auth {
-          service
-        }
-      }
-      clusterRole
-    }
-    expirationDate
-  }
-}
-"""
-
-
-QONTRACT_INTEGRATION = "openshift-clusterrolebindings"
-QONTRACT_INTEGRATION_VERSION = make_semver(0, 1, 0)
-
-
-def construct_user_oc_resource(role: str, user: str) -> tuple[OR, str]:
-    name = f"{role}-{user}"
-    # Note: In OpenShift 4.x this resource is in rbac.authorization.k8s.io/v1
-    body = {
-        "apiVersion": "rbac.authorization.k8s.io/v1",
-        "kind": "ClusterRoleBinding",
-        "metadata": {"name": name},
-        "roleRef": {"name": role, "kind": "ClusterRole"},
-        "subjects": [{"kind": "User", "name": user}],
-    }
-    return (
-        OR(
-            body, QONTRACT_INTEGRATION, QONTRACT_INTEGRATION_VERSION, error_details=name
-        ),
-        name,
-    )
-
-
-def construct_sa_oc_resource(role: str, namespace: str, sa_name: str) -> tuple[OR, str]:
-    name = f"{role}-{namespace}-{sa_name}"
-    # Note: In OpenShift 4.x this resource is in rbac.authorization.k8s.io/v1
-    body = {
-        "apiVersion": "rbac.authorization.k8s.io/v1",
-        "kind": "ClusterRoleBinding",
-        "metadata": {"name": name},
-        "roleRef": {"name": role, "kind": "ClusterRole"},
-        "subjects": [
-            {"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}
-        ],
-    }
-    return (
-        OR(
-            body, QONTRACT_INTEGRATION, QONTRACT_INTEGRATION_VERSION, error_details=name
-        ),
-        name,
-    )
-
-
-def fetch_desired_state(
-    ri: ResourceInventory | None, oc_map: ob.ClusterMap
-) -> list[dict[str, str]]:
-    gqlapi = gql.get_api()
-    roles: list[dict] = expiration.filter(gqlapi.query(ROLES_QUERY)["roles"])
-    users_desired_state = []
-    # set namespace to something indicative
-    namespace_cluster_scope = "cluster"
-    for role in roles:
-        permissions = [
-            {"cluster": a["cluster"], "cluster_role": a["clusterRole"]}
-            for a in role["access"] or []
-            if a["cluster"] and a["clusterRole"]
-        ]
-        if not permissions:
-            continue
-
-        service_accounts = [
-            bot["openshift_serviceaccount"]
-            for bot in role["bots"]
-            if bot.get("openshift_serviceaccount")
-        ]
-
-        for permission in permissions:
-            cluster_info = permission["cluster"]
-            cluster = cluster_info["name"]
-            if not oc_map.get(cluster):
-                continue
-
-            # get username keys based on used IDPs
-            user_keys = ob.determine_user_keys_for_access(cluster, cluster_info["auth"])
-            for user in role["users"]:
-                for username in {user[user_key] for user_key in user_keys}:
-                    # used by openshift-users and github integrations
-                    # this is just to simplify things a bit on the their side
-                    users_desired_state.append({"cluster": cluster, "user": username})
-                    if ri is None:
-                        continue
-                    oc_resource, resource_name = construct_user_oc_resource(
-                        permission["cluster_role"], username
-                    )
-                    with contextlib.suppress(ResourceKeyExistsError):
-                        # a user may have a Role assigned to them
-                        # from multiple app-interface roles
-                        ri.add_desired(
-                            cluster,
-                            namespace_cluster_scope,
-                            "ClusterRoleBinding.rbac.authorization.k8s.io",
-                            resource_name,
-                            oc_resource,
-                        )
-
-            for sa in service_accounts:
-                if ri is None:
-                    continue
-                namespace, sa_name = sa.split("/")
-                oc_resource, resource_name = construct_sa_oc_resource(
-                    permission["cluster_role"], namespace, sa_name
-                )
-
-                with contextlib.suppress(ResourceKeyExistsError):
-                    # a ServiceAccount may have a Role assigned to it
-                    # from multiple app-interface roles
-                    ri.add_desired(
-                        cluster,
-                        namespace_cluster_scope,
-                        "ClusterRoleBinding.rbac.authorization.k8s.io",
-                        resource_name,
-                        oc_resource,
-                    )
-
-    return users_desired_state
-
-
-@defer
-def run(
-    dry_run: bool,
-    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE,
-    internal: bool | None = None,
-    use_jump_host: bool = True,
-    defer: Callable | None = None,
-) -> None:
-    clusters = [
-        cluster_info
-        for cluster_info in queries.get_clusters()
-        if cluster_info.get("managedClusterRoles")
-        and cluster_info.get("automationToken")
-    ]
-    ri, oc_map = ob.fetch_current_state(
-        clusters=clusters,
-        thread_pool_size=thread_pool_size,
-        integration=QONTRACT_INTEGRATION,
-        integration_version=QONTRACT_INTEGRATION_VERSION,
-        override_managed_types=["ClusterRoleBinding.rbac.authorization.k8s.io"],
-        internal=internal,
-        use_jump_host=use_jump_host,
-    )
-    if defer:
-        defer(oc_map.cleanup)
-    fetch_desired_state(ri, oc_map)
-    ob.publish_metrics(ri, QONTRACT_INTEGRATION)
-    ob.realize_data(dry_run, oc_map, ri, thread_pool_size)
-
-    if ri.has_error_registered():
-        sys.exit(1)