Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Refactoring the provider-kubeconfig.py #1326

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[WIP] Refactoring the provider-kubeconfig.py #1326

wants to merge 1 commit into from

Conversation

chiukapoor
Copy link
Contributor

@chiukapoor chiukapoor commented Jul 4, 2024
edited
Loading

Issue

Updates

  • Use python kube-client
  • Modularize delete functionality
  • Add -n, --namespace parameter for namespace
  • Error handling

TODO

  • Test UPDATE functionality
  • Use logger
  • Need refactor the below code blocks once the JSON format is provided by @devdattakulkarni

    kubeplus/provider-kubeconfig.py

    Lines 346 to 391 in d4d61ce

    def _update_rbac(self, permissionfile, sa, namespace, kubeconfig):
    rbac_v1 = client.RbacAuthorizationV1Api()
    role = {}
    role["apiVersion"] = "rbac.authorization.k8s.io/v1"
    role["kind"] = "ClusterRole"
    metadata = {}
    metadata["name"] = sa + "-update"
    role["metadata"] = metadata
    ruleList = []
    ruleGroup = {}
    fp = open(permissionfile, "r")
    data = fp.read()
    perms_data = json.loads(data)
    perms = perms_data["perms"]
    new_resources_set = set()
    for apiGroup, res_actions in perms.items():
    for res in res_actions:
    for resource, verbs in res.items():
    print(apiGroup + " " + resource + " " + str(verbs))
    if resource not in new_resources_set:
    new_resources_set.add(resource.strip())
    ruleGroup = {}
    if apiGroup == "non-apigroup":
    if 'nonResourceURL' in resource:
    parts = resource.split("nonResourceURL::")
    nonRes = parts[0].strip()
    ruleGroup['nonResourceURLs'] = [nonRes]
    ruleGroup['verbs'] = verbs
    else:
    ruleGroup["apiGroups"] = [apiGroup]
    ruleGroup["verbs"] = verbs
    if 'resourceName' in resource:
    parts = resource.split("/resourceName::")
    resNameParent = parts[0].strip()
    resName = parts[1].strip()
    ruleGroup["resources"] = [resNameParent]
    ruleGroup["resourceNames"] = [resName]
    else:
    ruleGroup["resources"] = [resource]
    ruleList.append(ruleGroup)
    role["rules"] = ruleList

    kubeplus/provider-kubeconfig.py

    Lines 421 to 439 in d4d61ce

    # Read configmap to get earlier permissions; delete it and create it with all new permissions:
    cmd = "kubectl get configmap kubeplus-saas-provider-perms -o json -n " + namespace
    out1, err1 = self.run_command(cmd)
    print("Original Perms Out:" + str(out1))
    print("Perms Err:" + str(err1))
    kubeplus_perms = []
    if out1 != '':
    json_op = json.loads(out1)
    perms = json_op['data']['kubeplus-saas-provider-perms.txt']
    print(perms)
    k_perms = perms.split(",")
    for p in k_perms:
    p = p.replace("'","")
    p = p.replace("[","")
    p = p.replace("]","")
    p = p.strip()
    kubeplus_perms.append(p)
    new_resources_set.extend(kubeplus_perms)

@devdattakulkarni
Copy link
Contributor

Looks like CI has failed:
https://github.com/cloud-ark/kubeplus/actions/runs/9838082051/job/27157203380?pr=1326#step:5:1896

@chiukapoor chiukapoor force-pushed the refactor-provider-py branch 2 times, most recently from 8d27eb2 to 553d884 Compare July 8, 2024 11:04
@devdattakulkarni
Copy link
Contributor

https://github.com/cloud-ark/kubeplus/actions/runs/9838401881/job/27158227902?pr=1326#step:5:1901

Need to add kubernetes to requirements.txt.

@chiukapoor chiukapoor force-pushed the refactor-provider-py branch 7 times, most recently from b7faeb2 to aa17328 Compare July 8, 2024 12:56
@chiukapoor
Copy link
Contributor Author

@devdattakulkarni I would like to propose that we move the provider-kubeconfig.py and requirements.txt to a new folder (ex kubeconfig-generator)?

@chiukapoor
Copy link
Contributor Author

Rebased with master

devdattakulkarni
devdattakulkarni reviewed Aug 3, 2024
View reviewed changes
.github/workflows/pr.yaml Outdated
@@ -53,7 +53,7 @@ jobs:
pip3 install -r requirements.txt
apiserver=`kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'`
echo "API_SERVER_URL:$apiserver"
python3 provider-kubeconfig.py -s $apiserver create $KUBEPLUS_NS
python3 provider-kubeconfig.py create -s $apiserver -n $KUBEPLUS_NS
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

About putting Namespace as a parameter under a flag - the problem is it will make Namespace an optional parameter. We want to keep Namespace a required parameter. Keeping it a positional parameter achieves this. So I suggest we keep Namespace as a positional parameter.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to keep namespace as a positional parameter.

@devdattakulkarni
Copy link
Contributor

@chiukapoor I have started testing the changes. Here is a gist with early results.

https://gist.github.com/devdattakulkarni/bb3833c9589ca3139c971da43ac2fa62

I would suggest you try all the flags with all the commands to verify whether all combinations of commands and flags are working correctly.

@chiukapoor
Copy link
Contributor Author

@devdattakulkarni

Test 2: "Namespace does not exist" is working fine for me.

❯ kubectl get namespaces -A
NAME                 STATUS   AGE
default              Active   7m7s
kube-node-lease      Active   7m7s
kube-public          Active   7m7s
kube-system          Active   7m7s
local-path-storage   Active   7m4s
testkubeconfig2      Active   53s
❯ python3 provider-kubeconfig.py create -n testkubeconfig3 -s $apiserver
API Server IP: https://127.0.0.1:36921
Namespace 'testkubeconfig3' created successfully.
Namespace 'testkubeconfig3' labeled successfully.
ServiceAccount 'kubeplus-saas-provider' created successfully.
Secret 'kubeplus-saas-provider' created successfully.
Kubeconfig file 'kubeplus-saas-provider.json' created successfully.
ClusterRole 'kubeplus-saas-provider' replaced successfully.
ClusterRole 'kubeplus-saas-provider' replaced successfully.
Provider kubeconfig created: kubeplus-saas-provider.json

Rest of the issues are resolved in latest commit.

@chiukapoor
Refactoring provider-kubeconfig.py
976738f 
* Use python kube-client
* Modularize delete functionality
* Add check to verify if API server is reachable
* Error handling

Signed-off-by: Chirayu Kapoor <[email protected]>
@chiukapoor
Copy link
Contributor Author

Rebased the PR @devdattakulkarni

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@devdattakulkarni devdattakulkarni Awaiting requested review from devdattakulkarni

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Refactor the provider-kubeconfig.py to use python Kubernetes Client
2 participants
@chiukapoor @devdattakulkarni