| Scott Baker | 3fd18e5 | 2018-04-17 09:18:21 -0700 | [diff] [blame] | 1 | |
| 2 | # Copyright 2017-present Open Networking Foundation |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | # you may not use this file except in compliance with the License. |
| 6 | # You may obtain a copy of the License at |
| 7 | # |
| 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | # |
| 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | # See the License for the specific language governing permissions and |
| 14 | # limitations under the License. |
| 15 | |
| 16 | """ |
| 17 | sync_principal.py |
| 18 | |
| 19 | Synchronize Principals. Principals correspond roughly to Kubernetes ServiceAccounts. |
| 20 | """ |
| 21 | |
| 22 | from synchronizers.new_base.syncstep import SyncStep |
| 23 | from synchronizers.new_base.modelaccessor import Principal |
| 24 | |
| 25 | from xosconfig import Config |
| 26 | from multistructlog import create_logger |
| 27 | |
| 28 | from kubernetes.client.rest import ApiException |
| 29 | from kubernetes import client as kubernetes_client, config as kubernetes_config |
| 30 | |
| 31 | log = create_logger(Config().get('logging')) |
| 32 | |
| 33 | class SyncPrincipal(SyncStep): |
| 34 | |
| 35 | """ |
| 36 | SyncPrincipal |
| 37 | |
| 38 | Implements sync step for syncing Principals. |
| 39 | """ |
| 40 | |
| 41 | provides = [Principal] |
| 42 | observes = Principal |
| 43 | requested_interval = 0 |
| 44 | |
| 45 | def __init__(self, *args, **kwargs): |
| 46 | super(SyncPrincipal, self).__init__(*args, **kwargs) |
| 47 | kubernetes_config.load_incluster_config() |
| 48 | self.v1 = kubernetes_client.CoreV1Api() |
| 49 | |
| 50 | def get_service_account(self, o): |
| 51 | """ Given an XOS Principal object, read the corresponding ServiceAccount from Kubernetes. |
| 52 | return None if no ServiceAccount exists. |
| 53 | """ |
| 54 | try: |
| 55 | service_account = self.v1.read_namespaced_service_account(o.name, o.trust_domain.name) |
| 56 | except ApiException, e: |
| 57 | if e.status == 404: |
| 58 | return None |
| 59 | raise |
| 60 | return service_account |
| 61 | |
| 62 | def fetch_pending(self, deleted): |
| 63 | """ Figure out which Principals are interesting to the K8s synchronizer. |
| 64 | As each Principal exists within a Trust Domain, this reduces to figuring out which Trust Domains are |
| 65 | interesting. |
| 66 | """ |
| 67 | objs = super(SyncPrincipal, self).fetch_pending(deleted) |
| 68 | for obj in objs[:]: |
| 69 | # If the Principal isn't in a TrustDomain, then the K8s synchronizer can't do anything with it |
| 70 | if not obj.trust_domain: |
| 71 | objs.remove(obj) |
| 72 | continue |
| 73 | |
| 74 | # If the Principal's TrustDomain isn't part of the K8s service, then it's someone else's principal |
| 75 | if "KubernetesService" not in obj.trust_domain.owner.leaf_model.class_names: |
| 76 | objs.remove(obj) |
| 77 | return objs |
| 78 | |
| 79 | def sync_record(self, o): |
| 80 | service_account = self.get_service_account(o) |
| 81 | if not service_account: |
| 82 | service_account = kubernetes_client.V1ServiceAccount() |
| 83 | service_account.metadata = kubernetes_client.V1ObjectMeta(name=o.name) |
| 84 | |
| 85 | service_account = self.v1.create_namespaced_service_account(o.trust_domain.name, service_account) |
| 86 | |
| 87 | if (not o.backend_handle): |
| 88 | o.backend_handle = service_account.metadata.self_link |
| 89 | o.save(update_fields=["backend_handle"]) |
| 90 | |
| 91 | def delete_record(self, port): |
| 92 | # TODO(smbaker): Implement delete step |
| 93 | pass |
| 94 | |