Diffstat (limited to 'roles/lib_openshift/src')
-rw-r--r--roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py1
-rw-r--r--roles/lib_openshift/src/ansible/oc_clusterrole.py29
-rw-r--r--roles/lib_openshift/src/ansible/oc_obj.py2
-rw-r--r--roles/lib_openshift/src/class/oc_adm_ca_server_cert.py8
-rw-r--r--roles/lib_openshift/src/class/oc_adm_manage_node.py2
-rw-r--r--roles/lib_openshift/src/class/oc_adm_registry.py2
-rw-r--r--roles/lib_openshift/src/class/oc_adm_router.py2
-rw-r--r--roles/lib_openshift/src/class/oc_clusterrole.py163
-rw-r--r--roles/lib_openshift/src/class/oc_configmap.py4
-rw-r--r--roles/lib_openshift/src/class/oc_label.py4
-rw-r--r--roles/lib_openshift/src/class/oc_obj.py43
-rw-r--r--roles/lib_openshift/src/class/oc_process.py12
-rw-r--r--roles/lib_openshift/src/class/oc_volume.py2
-rw-r--r--roles/lib_openshift/src/doc/ca_server_cert6
-rw-r--r--roles/lib_openshift/src/doc/clusterrole66
-rwxr-xr-xroles/lib_openshift/src/generate.py9
-rw-r--r--roles/lib_openshift/src/lib/base.py38
-rw-r--r--roles/lib_openshift/src/lib/clusterrole.py68
-rw-r--r--roles/lib_openshift/src/lib/rule.py144
-rw-r--r--roles/lib_openshift/src/sources.yml12
-rwxr-xr-xroles/lib_openshift/src/test/integration/oc_clusterrole.yml106
-rwxr-xr-xroles/lib_openshift/src/test/integration/oc_obj.yml207
-rwxr-xr-xroles/lib_openshift/src/test/unit/test_oc_clusterrole.py115
23 files changed, 996 insertions, 49 deletions
diff --git a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
index c80c2eb44..10f1c9b4b 100644
--- a/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/ansible/oc_adm_ca_server_cert.py
@@ -20,6 +20,7 @@ def main():
signer_key=dict(default='/etc/origin/master/ca.key', type='str'),
signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'),
hostnames=dict(default=[], type='list'),
+ expire_days=dict(default=None, type='int'),
),
supports_check_mode=True,
)
diff --git a/roles/lib_openshift/src/ansible/oc_clusterrole.py b/roles/lib_openshift/src/ansible/oc_clusterrole.py
new file mode 100644
index 000000000..7e4319d2c
--- /dev/null
+++ b/roles/lib_openshift/src/ansible/oc_clusterrole.py
@@ -0,0 +1,29 @@
+# pylint: skip-file
+# flake8: noqa
+
+def main():
+ '''
+ ansible oc module for clusterrole
+ '''
+
+ module = AnsibleModule(
+ argument_spec=dict(
+ kubeconfig=dict(default='/etc/origin/master/admin.kubeconfig', type='str'),
+ state=dict(default='present', type='str',
+ choices=['present', 'absent', 'list']),
+ debug=dict(default=False, type='bool'),
+ name=dict(default=None, type='str'),
+ rules=dict(default=None, type='list'),
+ ),
+ supports_check_mode=True,
+ )
+
+ results = OCClusterRole.run_ansible(module.params, module.check_mode)
+
+ if 'failed' in results:
+ module.fail_json(**results)
+
+ module.exit_json(**results)
+
+if __name__ == '__main__':
+ main()
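Review bot: `name` is declared optional (`default=None`) although the present and absent paths depend on it: `OCClusterRole.__init__` passes it to `ClusterRole.builder`, which formats it into `metadata.name`, so a missing name would become the literal string `None`. A cluster-wide RBAC object should not be created or deleted under a defaulted name; consider adding `required_if=[['state', 'present', ['name']], ['state', 'absent', ['name']]]` to the `AnsibleModule` call. The `main` docstring could also mention that `kubeconfig` defaults to the master's admin kubeconfig.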
diff --git a/roles/lib_openshift/src/ansible/oc_obj.py b/roles/lib_openshift/src/ansible/oc_obj.py
index 701740e4f..6ab53d044 100644
--- a/roles/lib_openshift/src/ansible/oc_obj.py
+++ b/roles/lib_openshift/src/ansible/oc_obj.py
@@ -23,7 +23,7 @@ def main():
force=dict(default=False, type='bool'),
selector=dict(default=None, type='str'),
),
- mutually_exclusive=[["content", "files"]],
+ mutually_exclusive=[["content", "files"], ["selector", "name"]],
supports_check_mode=True,
)
diff --git a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
index 18c69f2fa..cf99a6584 100644
--- a/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/src/class/oc_adm_ca_server_cert.py
@@ -77,7 +77,10 @@ class CAServerCert(OpenShiftCLI):
x509output, _ = proc.communicate()
if proc.returncode == 0:
regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE)
- match = regex.search(x509output) # E501
+ match = regex.search(x509output.decode()) # E501
+ if not match:
+ return False
+
for entry in re.split(r", *", match.group(1)):
if entry.startswith('DNS') or entry.startswith('IP Address'):
cert_names.append(entry.split(':')[1])
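Review bot: `entry.split(':')[1]` keeps only the text between the first and second colon, so an IPv6 subject alternative name such as `IP Address:2001:DB8:0:0:0:0:0:1` is recorded as `2001`. If `cert_names` is later compared against the requested hostnames (that part is outside the hunk), a certificate with IPv6 SANs would never be seen as matching; `entry.split(':', 1)[1]` keeps the full value. The bare `.decode()` also assumes the openssl output is valid UTF-8.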
@@ -102,6 +105,7 @@ class CAServerCert(OpenShiftCLI):
'signer_cert': {'value': params['signer_cert'], 'include': True},
'signer_key': {'value': params['signer_key'], 'include': True},
'signer_serial': {'value': params['signer_serial'], 'include': True},
+ 'expire_days': {'value': params['expire_days'], 'include': True},
'backup': {'value': params['backup'], 'include': False},
})
@@ -123,7 +127,7 @@ class CAServerCert(OpenShiftCLI):
api_rval = server_cert.create()
if api_rval['returncode'] != 0:
- return {'Failed': True, 'msg': api_rval}
+ return {'failed': True, 'msg': api_rval}
return {'changed': True, 'results': api_rval, 'state': state}
diff --git a/roles/lib_openshift/src/class/oc_adm_manage_node.py b/roles/lib_openshift/src/class/oc_adm_manage_node.py
index c07320477..6d9f24baa 100644
--- a/roles/lib_openshift/src/class/oc_adm_manage_node.py
+++ b/roles/lib_openshift/src/class/oc_adm_manage_node.py
@@ -44,7 +44,7 @@ class ManageNode(OpenShiftCLI):
if selector:
_sel = selector
- results = self._get('node', rname=_node, selector=_sel)
+ results = self._get('node', name=_node, selector=_sel)
if results['returncode'] != 0:
return results
diff --git a/roles/lib_openshift/src/class/oc_adm_registry.py b/roles/lib_openshift/src/class/oc_adm_registry.py
index 25519c9c9..720b44cdc 100644
--- a/roles/lib_openshift/src/class/oc_adm_registry.py
+++ b/roles/lib_openshift/src/class/oc_adm_registry.py
@@ -105,7 +105,7 @@ class Registry(OpenShiftCLI):
rval = 0
for part in self.registry_parts:
- result = self._get(part['kind'], rname=part['name'])
+ result = self._get(part['kind'], name=part['name'])
if result['returncode'] == 0 and part['kind'] == 'dc':
self.deploymentconfig = DeploymentConfig(result['results'][0])
elif result['returncode'] == 0 and part['kind'] == 'svc':
diff --git a/roles/lib_openshift/src/class/oc_adm_router.py b/roles/lib_openshift/src/class/oc_adm_router.py
index 356d06fdf..1a0b94b80 100644
--- a/roles/lib_openshift/src/class/oc_adm_router.py
+++ b/roles/lib_openshift/src/class/oc_adm_router.py
@@ -136,7 +136,7 @@ class Router(OpenShiftCLI):
self.secret = None
self.rolebinding = None
for part in self.router_parts:
- result = self._get(part['kind'], rname=part['name'])
+ result = self._get(part['kind'], name=part['name'])
if result['returncode'] == 0 and part['kind'] == 'dc':
self.deploymentconfig = DeploymentConfig(result['results'][0])
elif result['returncode'] == 0 and part['kind'] == 'svc':
diff --git a/roles/lib_openshift/src/class/oc_clusterrole.py b/roles/lib_openshift/src/class/oc_clusterrole.py
new file mode 100644
index 000000000..1d3d977db
--- /dev/null
+++ b/roles/lib_openshift/src/class/oc_clusterrole.py
@@ -0,0 +1,163 @@
+# pylint: skip-file
+# flake8: noqa
+
+
+# pylint: disable=too-many-instance-attributes
+class OCClusterRole(OpenShiftCLI):
+ ''' Class to manage clusterrole objects'''
+ kind = 'clusterrole'
+
+ def __init__(self,
+ name,
+ rules=None,
+ kubeconfig=None,
+ verbose=False):
+ ''' Constructor for OCClusterRole '''
+ super(OCClusterRole, self).__init__(None, kubeconfig=kubeconfig, verbose=verbose)
+ self.verbose = verbose
+ self.name = name
+ self._clusterrole = None
+ self._inc_clusterrole = ClusterRole.builder(name, rules)
+
+ @property
+ def clusterrole(self):
+ ''' property for clusterrole'''
+ if not self._clusterrole:
+ self.get()
+ return self._clusterrole
+
+ @clusterrole.setter
+ def clusterrole(self, data):
+ ''' setter function for clusterrole property'''
+ self._clusterrole = data
+
+ @property
+ def inc_clusterrole(self):
+ ''' property for inc_clusterrole'''
+ return self._inc_clusterrole
+
+ @inc_clusterrole.setter
+ def inc_clusterrole(self, data):
+ ''' setter function for inc_clusterrole property'''
+ self._inc_clusterrole = data
+
+ def exists(self):
+ ''' return whether a clusterrole exists '''
+ if self.clusterrole:
+ return True
+
+ return False
+
+ def get(self):
+ '''return a clusterrole '''
+ result = self._get(self.kind, self.name)
+
+ if result['returncode'] == 0:
+ self.clusterrole = ClusterRole(content=result['results'][0])
+ result['results'] = self.clusterrole.yaml_dict
+
+ elif 'clusterrole "{}" not found'.format(self.name) in result['stderr']:
+ result['returncode'] = 0
+
+ return result
+
+ def delete(self):
+ '''delete the object'''
+ return self._delete(self.kind, self.name)
+
+ def create(self):
+ '''create a clusterrole from the proposed incoming clusterrole'''
+ return self._create_from_content(self.name, self.inc_clusterrole.yaml_dict)
+
+ def update(self):
+ '''update a project'''
+ return self._replace_content(self.kind, self.name, self.inc_clusterrole.yaml_dict)
+
+ def needs_update(self):
+ ''' verify an update is needed'''
+ return not self.clusterrole.compare(self.inc_clusterrole, self.verbose)
+
+ # pylint: disable=too-many-return-statements,too-many-branches
+ @staticmethod
+ def run_ansible(params, check_mode):
+ '''run the idempotent ansible code'''
+
+ oc_clusterrole = OCClusterRole(params['name'],
+ params['rules'],
+ params['kubeconfig'],
+ params['debug'])
+
+ state = params['state']
+
+ api_rval = oc_clusterrole.get()
+
+ #####
+ # Get
+ #####
+ if state == 'list':
+ return {'changed': False, 'results': api_rval, 'state': state}
+
+ ########
+ # Delete
+ ########
+ if state == 'absent':
+ if oc_clusterrole.exists():
+
+ if check_mode:
+ return {'changed': True, 'msg': 'CHECK_MODE: Would have performed a delete.'}
+
+ api_rval = oc_clusterrole.delete()
+
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
+ return {'changed': True, 'results': api_rval, 'state': state}
+
+ return {'changed': False, 'state': state}
+
+ if state == 'present':
+ ########
+ # Create
+ ########
+ if not oc_clusterrole.exists():
+
+ if check_mode:
+ return {'changed': True, 'msg': 'CHECK_MODE: Would have performed a create.'}
+
+ # Create it here
+ api_rval = oc_clusterrole.create()
+
+ # return the created object
+ api_rval = oc_clusterrole.get()
+
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
+ return {'changed': True, 'results': api_rval, 'state': state}
+
+ ########
+ # Update
+ ########
+ if oc_clusterrole.needs_update():
+
+ if check_mode:
+ return {'changed': True, 'msg': 'CHECK_MODE: Would have performed an update.'}
+
+ api_rval = oc_clusterrole.update()
+
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
+ # return the created object
+ api_rval = oc_clusterrole.get()
+
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
+ return {'changed': True, 'results': api_rval, 'state': state}
+
+ return {'changed': False, 'results': api_rval, 'state': state}
+
+ return {'failed': True,
+ 'changed': False,
+ 'msg': 'Unknown state passed. [%s]' % state}
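Review bot: In the create branch of `run_ansible` the return value of `oc_clusterrole.create()` is overwritten by the following `get()` without being checked, and `get()` resets `returncode` to 0 when the role is not found. A failed create can therefore come back as `{'changed': True, ...}`, leaving the playbook believing an RBAC role is in place when it is not. Check it before the re-read, as the update branch already does: `if api_rval['returncode'] != 0: return {'failed': True, 'msg': api_rval}`. Separately, the `update` docstring says 'update a project' and should say clusterrole.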
diff --git a/roles/lib_openshift/src/class/oc_configmap.py b/roles/lib_openshift/src/class/oc_configmap.py
index 87de3e1df..de77d1102 100644
--- a/roles/lib_openshift/src/class/oc_configmap.py
+++ b/roles/lib_openshift/src/class/oc_configmap.py
@@ -127,6 +127,10 @@ class OCConfigMap(OpenShiftCLI):
if state == 'list':
return {'changed': False, 'results': api_rval, 'state': state}
+ if not params['name']:
+ return {'failed': True,
+ 'msg': 'Please specify a name when state is absent|present.'}
+
########
# Delete
########
diff --git a/roles/lib_openshift/src/class/oc_label.py b/roles/lib_openshift/src/class/oc_label.py
index bd312c170..0a6895177 100644
--- a/roles/lib_openshift/src/class/oc_label.py
+++ b/roles/lib_openshift/src/class/oc_label.py
@@ -134,9 +134,9 @@ class OCLabel(OpenShiftCLI):
label_list = []
if self.name:
- result = self._get(resource=self.kind, rname=self.name, selector=self.selector)
+ result = self._get(resource=self.kind, name=self.name, selector=self.selector)
- if 'labels' in result['results'][0]['metadata']:
+ if result['results'][0] and 'labels' in result['results'][0]['metadata']:
label_list.append(result['results'][0]['metadata']['labels'])
else:
label_list.append({})
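Review bot: The added `result['results'][0] and` guard covers a falsy first element but still indexes `[0]` unconditionally and ignores `result['returncode']`, so a failed or empty lookup would presumably raise `IndexError` (the shape `_get` returns on failure is not visible here). Consider `if result['results'] and result['results'][0] and 'labels' in result['results'][0]['metadata']:`. The enclosing method begins and ends outside the hunk.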
diff --git a/roles/lib_openshift/src/class/oc_obj.py b/roles/lib_openshift/src/class/oc_obj.py
index 51d3ce996..667b98eac 100644
--- a/roles/lib_openshift/src/class/oc_obj.py
+++ b/roles/lib_openshift/src/class/oc_obj.py
@@ -10,7 +10,7 @@ class OCObject(OpenShiftCLI):
def __init__(self,
kind,
namespace,
- rname=None,
+ name=None,
selector=None,
kubeconfig='/etc/origin/master/admin.kubeconfig',
verbose=False,
@@ -19,21 +19,21 @@ class OCObject(OpenShiftCLI):
super(OCObject, self).__init__(namespace, kubeconfig=kubeconfig, verbose=verbose,
all_namespaces=all_namespaces)
self.kind = kind
- self.name = rname
+ self.name = name
self.selector = selector
def get(self):
'''return a kind by name '''
- results = self._get(self.kind, rname=self.name, selector=self.selector)
- if results['returncode'] != 0 and 'stderr' in results and \
- '\"%s\" not found' % self.name in results['stderr']:
+ results = self._get(self.kind, name=self.name, selector=self.selector)
+ if (results['returncode'] != 0 and 'stderr' in results and
+ '\"{}\" not found'.format(self.name) in results['stderr']):
results['returncode'] = 0
return results
def delete(self):
- '''return all pods '''
- return self._delete(self.kind, self.name)
+ '''delete the object'''
+ return self._delete(self.kind, name=self.name, selector=self.selector)
def create(self, files=None, content=None):
'''
@@ -109,24 +109,33 @@ class OCObject(OpenShiftCLI):
# Get
#####
if state == 'list':
- return {'changed': False, 'results': api_rval, 'state': 'list'}
-
- if not params['name']:
- return {'failed': True, 'msg': 'Please specify a name when state is absent|present.'} # noqa: E501
+ return {'changed': False, 'results': api_rval, 'state': state}
########
# Delete
########
if state == 'absent':
- if not Utils.exists(api_rval['results'], params['name']):
- return {'changed': False, 'state': 'absent'}
+ # if we were passed a name, verify its not in our results
+ if params['name'] is not None and not Utils.exists(api_rval['results'], params['name']):
+ return {'changed': False, 'state': state}
+
+ # verify results are empty for the selector
+ if params['selector'] is not None and len(api_rval['results']) == 0:
+ return {'changed': False, 'state': state}
if check_mode:
return {'changed': True, 'msg': 'CHECK_MODE: Would have performed a delete'}
api_rval = ocobj.delete()
- return {'changed': True, 'results': api_rval, 'state': 'absent'}
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
+ return {'changed': True, 'results': api_rval, 'state': state}
+
+ # create/update: Must define a name beyond this point
+ if not params['name']:
+ return {'failed': True, 'msg': 'Please specify a name when state is present.'}
if state == 'present':
########
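Review bot: With `name` no longer required before the delete branch, a call with `state: absent` and neither `name` nor `selector` skips both early returns: check mode reports `changed: True`, while a real run reaches `ocobj.delete()`, where `_delete` raises `OpenShiftCLIError` (see the base.py hunk), and nothing in the visible lines catches it. Fail cleanly before the check-mode branch, e.g. `if params['name'] is None and params['selector'] is None: return {'failed': True, 'msg': 'Please specify a name or selector when state is absent.'}`. Since a selector delete can remove many objects at once, the check-mode message could also report how many results matched. `run_ansible` starts and ends outside this hunk.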
@@ -152,7 +161,7 @@ class OCObject(OpenShiftCLI):
if params['files'] and params['delete_after']:
Utils.cleanup(params['files'])
- return {'changed': True, 'results': api_rval, 'state': "present"}
+ return {'changed': True, 'results': api_rval, 'state': state}
########
# Update
@@ -167,7 +176,7 @@ class OCObject(OpenShiftCLI):
if params['files'] and params['delete_after']:
Utils.cleanup(params['files'])
- return {'changed': False, 'results': api_rval['results'][0], 'state': "present"}
+ return {'changed': False, 'results': api_rval['results'][0], 'state': state}
if check_mode:
return {'changed': True, 'msg': 'CHECK_MODE: Would have performed an update.'}
@@ -186,4 +195,4 @@ class OCObject(OpenShiftCLI):
if api_rval['returncode'] != 0:
return {'failed': True, 'msg': api_rval}
- return {'changed': True, 'results': api_rval, 'state': "present"}
+ return {'changed': True, 'results': api_rval, 'state': state}
diff --git a/roles/lib_openshift/src/class/oc_process.py b/roles/lib_openshift/src/class/oc_process.py
index 9d29938aa..eba9a43cd 100644
--- a/roles/lib_openshift/src/class/oc_process.py
+++ b/roles/lib_openshift/src/class/oc_process.py
@@ -136,7 +136,7 @@ class OCProcess(OpenShiftCLI):
if api_rval['returncode'] != 0:
return {"failed": True, "msg" : api_rval}
- return {"changed" : False, "results": api_rval, "state": "list"}
+ return {"changed" : False, "results": api_rval, "state": state}
elif state == 'present':
if check_mode and params['create']:
@@ -158,9 +158,9 @@ class OCProcess(OpenShiftCLI):
return {"failed": True, "msg": api_rval}
if params['create']:
- return {"changed": True, "results": api_rval, "state": "present"}
+ return {"changed": True, "results": api_rval, "state": state}
- return {"changed": False, "results": api_rval, "state": "present"}
+ return {"changed": False, "results": api_rval, "state": state}
# verify results
update = False
@@ -175,11 +175,11 @@ class OCProcess(OpenShiftCLI):
update = True
if not update:
- return {"changed": update, "results": api_rval, "state": "present"}
+ return {"changed": update, "results": api_rval, "state": state}
for cmd in rval:
if cmd['returncode'] != 0:
- return {"failed": True, "changed": update, "results": rval, "state": "present"}
+ return {"failed": True, "changed": update, "msg": rval, "state": state}
- return {"changed": update, "results": rval, "state": "present"}
+ return {"changed": update, "results": rval, "state": state}
diff --git a/roles/lib_openshift/src/class/oc_volume.py b/roles/lib_openshift/src/class/oc_volume.py
index 5211a1afd..45b58a516 100644
--- a/roles/lib_openshift/src/class/oc_volume.py
+++ b/roles/lib_openshift/src/class/oc_volume.py
@@ -157,7 +157,7 @@ class OCVolume(OpenShiftCLI):
if not oc_volume.exists():
if check_mode:
- exit_json(changed=False, msg='Would have performed a create.')
+ return {'changed': True, 'msg': 'CHECK_MODE: Would have performed a create.'}
# Create it here
api_rval = oc_volume.put()
diff --git a/roles/lib_openshift/src/doc/ca_server_cert b/roles/lib_openshift/src/doc/ca_server_cert
index ff9229281..7f2be4ada 100644
--- a/roles/lib_openshift/src/doc/ca_server_cert
+++ b/roles/lib_openshift/src/doc/ca_server_cert
@@ -79,6 +79,12 @@ options:
required: false
default: True
aliases: []
+ expire_days:
+ description
+ - Validity of the certificate in days
+ required: false
+ default: None
+ aliases: []
author:
- "Kenny Woodson <kwoodson@redhat.com>"
extends_documentation_fragment: []
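Review bot: The added option is missing the colon after `description`, so the `expire_days` entry is not valid YAML and the module documentation will presumably fail to parse. It should read `description:` like the other options. The validity that applies when `expire_days` is left unset would be worth stating here too, since certificate lifetime is a security-relevant setting.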
diff --git a/roles/lib_openshift/src/doc/clusterrole b/roles/lib_openshift/src/doc/clusterrole
new file mode 100644
index 000000000..3d14a2dfb
--- /dev/null
+++ b/roles/lib_openshift/src/doc/clusterrole
@@ -0,0 +1,66 @@
+# flake8: noqa
+# pylint: skip-file
+
+DOCUMENTATION = '''
+---
+module: oc_clusterrole
+short_description: Modify, and idempotently manage openshift clusterroles
+description:
+ - Manage openshift clusterroles
+options:
+ state:
+ description:
+ - Supported states, present, absent, list
+ - present - will ensure object is created or updated to the value specified
+ - list - will return a clusterrole
+ - absent - will remove a clusterrole
+ required: False
+ default: present
+ choices: ["present", 'absent', 'list']
+ aliases: []
+ kubeconfig:
+ description:
+ - The path for the kubeconfig file to use for authentication
+ required: false
+ default: /etc/origin/master/admin.kubeconfig
+ aliases: []
+ debug:
+ description:
+ - Turn on debug output.
+ required: false
+ default: False
+ aliases: []
+ name:
+ description:
+ - Name of the object that is being queried.
+ required: false
+ default: None
+ aliases: []
+ rules:
+ description:
+ - A list of dictionaries that have the rule parameters.
+ - e.g. rules=[{'apiGroups': [""], 'attributeRestrictions': None, 'verbs': ['get'], 'resources': []}]
+ required: false
+ default: None
+ aliases: []
+author:
+- "Kenny Woodson <kwoodson@redhat.com>"
+extends_documentation_fragment: []
+'''
+
+EXAMPLES = '''
+- name: query a list of env vars on dc
+ oc_clusterrole:
+ name: myclusterrole
+ state: list
+
+- name: Set the following variables.
+ oc_clusterrole:
+ name: myclusterrole
+ rules:
+ apiGroups:
+ - ""
+ attributeRestrictions: null
+ verbs: []
+ resources: []
+'''
diff --git a/roles/lib_openshift/src/generate.py b/roles/lib_openshift/src/generate.py
index 3f23455b5..2570f51dd 100755
--- a/roles/lib_openshift/src/generate.py
+++ b/roles/lib_openshift/src/generate.py
@@ -5,12 +5,16 @@
import argparse
import os
+import re
import yaml
import six
OPENSHIFT_ANSIBLE_PATH = os.path.dirname(os.path.realpath(__file__))
OPENSHIFT_ANSIBLE_SOURCES_PATH = os.path.join(OPENSHIFT_ANSIBLE_PATH, 'sources.yml') # noqa: E501
LIBRARY = os.path.join(OPENSHIFT_ANSIBLE_PATH, '..', 'library/')
+SKIP_COVERAGE_PATTERN = [re.compile('class Yedit.*$'),
+ re.compile('class Utils.*$')]
+PRAGMA_STRING = ' # pragma: no cover'
class GenerateAnsibleException(Exception):
@@ -72,6 +76,11 @@ def generate(parts):
if idx in [0, 1] and 'flake8: noqa' in line or 'pylint: skip-file' in line: # noqa: E501
continue
+ for skip in SKIP_COVERAGE_PATTERN:
+ if re.match(skip, line):
+ line = line.strip()
+ line += PRAGMA_STRING + os.linesep
+
data.write(line)
fragment_banner(fpart, "footer", data)
diff --git a/roles/lib_openshift/src/lib/base.py b/roles/lib_openshift/src/lib/base.py
index 132c586c9..1868b1420 100644
--- a/roles/lib_openshift/src/lib/base.py
+++ b/roles/lib_openshift/src/lib/base.py
@@ -95,11 +95,15 @@ class OpenShiftCLI(object):
'''call oc create on a filename'''
return self.openshift_cmd(['create', '-f', fname])
- def _delete(self, resource, rname, selector=None):
+ def _delete(self, resource, name=None, selector=None):
'''call oc delete on a resource'''
- cmd = ['delete', resource, rname]
- if selector:
- cmd.append('--selector=%s' % selector)
+ cmd = ['delete', resource]
+ if selector is not None:
+ cmd.append('--selector={}'.format(selector))
+ elif name is not None:
+ cmd.append(name)
+ else:
+ raise OpenShiftCLIError('Either name or selector is required when calling delete.')
return self.openshift_cmd(cmd)
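Review bot: Switching the test from `if selector:` to `if selector is not None:` in `_delete` means an empty-string selector is now sent as `--selector=` and the `name` argument is dropped, since the selector branch wins. How `oc` interprets an empty selector is not visible here, so for a destructive command it is safer to reject it explicitly, e.g. `if selector is not None and not selector.strip(): raise OpenShiftCLIError('selector must not be empty')`. The same precedence and empty-string behaviour applies to the `_get` hunk below. A short comment stating that selector takes precedence over name would help callers that pass both.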
@@ -117,7 +121,7 @@ class OpenShiftCLI(object):
else:
cmd.append(template_name)
if params:
- param_str = ["%s=%s" % (key, value) for key, value in params.items()]
+ param_str = ["{}={}".format(key, value) for key, value in params.items()]
cmd.append('-v')
cmd.extend(param_str)
@@ -134,13 +138,13 @@ class OpenShiftCLI(object):
return self.openshift_cmd(['create', '-f', fname])
- def _get(self, resource, rname=None, selector=None):
+ def _get(self, resource, name=None, selector=None):
'''return a resource by name '''
cmd = ['get', resource]
- if selector:
- cmd.append('--selector=%s' % selector)
- elif rname:
- cmd.append(rname)
+ if selector is not None:
+ cmd.append('--selector={}'.format(selector))
+ elif name is not None:
+ cmd.append(name)
cmd.extend(['-o', 'json'])
@@ -160,9 +164,9 @@ class OpenShiftCLI(object):
if node:
cmd.extend(node)
else:
- cmd.append('--selector=%s' % selector)
+ cmd.append('--selector={}'.format(selector))
- cmd.append('--schedulable=%s' % schedulable)
+ cmd.append('--schedulable={}'.format(schedulable))
return self.openshift_cmd(cmd, oadm=True, output=True, output_type='raw') # noqa: E501
@@ -177,10 +181,10 @@ class OpenShiftCLI(object):
if node:
cmd.extend(node)
else:
- cmd.append('--selector=%s' % selector)
+ cmd.append('--selector={}'.format(selector))
if pod_selector:
- cmd.append('--pod-selector=%s' % pod_selector)
+ cmd.append('--pod-selector={}'.format(pod_selector))
cmd.extend(['--list-pods', '-o', 'json'])
@@ -193,16 +197,16 @@ class OpenShiftCLI(object):
if node:
cmd.extend(node)
else:
- cmd.append('--selector=%s' % selector)
+ cmd.append('--selector={}'.format(selector))
if dry_run:
cmd.append('--dry-run')
if pod_selector:
- cmd.append('--pod-selector=%s' % pod_selector)
+ cmd.append('--pod-selector={}'.format(pod_selector))
if grace_period:
- cmd.append('--grace-period=%s' % int(grace_period))
+ cmd.append('--grace-period={}'.format(int(grace_period)))
if force:
cmd.append('--force')
diff --git a/roles/lib_openshift/src/lib/clusterrole.py b/roles/lib_openshift/src/lib/clusterrole.py
new file mode 100644
index 000000000..93ffababf
--- /dev/null
+++ b/roles/lib_openshift/src/lib/clusterrole.py
@@ -0,0 +1,68 @@
+# pylint: skip-file
+# flake8: noqa
+
+
+# pylint: disable=too-many-public-methods
+class ClusterRole(Yedit):
+ ''' Class to model an openshift ClusterRole'''
+ rules_path = "rules"
+
+ def __init__(self, name=None, content=None):
+ ''' Constructor for clusterrole '''
+ if content is None:
+ content = ClusterRole.builder(name).yaml_dict
+
+ super(ClusterRole, self).__init__(content=content)
+
+ self.__rules = Rule.parse_rules(self.get(ClusterRole.rules_path)) or []
+
+ @property
+ def rules(self):
+ return self.__rules
+
+ @rules.setter
+ def rules(self, data):
+ self.__rules = data
+ self.put(ClusterRole.rules_path, self.__rules)
+
+ def rule_exists(self, inc_rule):
+ '''attempt to find the inc_rule in the rules list'''
+ for rule in self.rules:
+ if rule == inc_rule:
+ return True
+
+ return False
+
+ def compare(self, other, verbose=False):
+ '''compare function for clusterrole'''
+ for rule in other.rules:
+ if rule not in self.rules:
+ if verbose:
+ print('Rule in other not found in self. [{}]'.format(rule))
+ return False
+
+ for rule in self.rules:
+ if rule not in other.rules:
+ if verbose:
+ print('Rule in self not found in other. [{}]'.format(rule))
+ return False
+
+ return True
+
+ @staticmethod
+ def builder(name='default_clusterrole', rules=None):
+ '''return a clusterrole with name and/or rules'''
+ if rules is None:
+ rules = [{'apiGroups': [""],
+ 'attributeRestrictions': None,
+ 'verbs': [],
+ 'resources': []}]
+ content = {
+ 'apiVersion': 'v1',
+ 'kind': 'ClusterRole',
+ 'metadata': {'name': '{}'.format(name)},
+ 'rules': rules,
+ }
+
+ return ClusterRole(content=content)
+
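Review bot: The `or []` fallback in `__init__` sits outside the call, so it only covers an empty return from `Rule.parse_rules`; if `self.get(ClusterRole.rules_path)` yields `None` (presumably the case for a role without a `rules` key, though `Yedit.get` is not shown), `parse_rules` will try to iterate `None` and raise. Move the default inside: `self.__rules = Rule.parse_rules(self.get(ClusterRole.rules_path) or [])`. `compare` also relies on `Rule.__eq__`, which compares the lists positionally, so the same verbs in a different order are reported as a difference.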
diff --git a/roles/lib_openshift/src/lib/rule.py b/roles/lib_openshift/src/lib/rule.py
new file mode 100644
index 000000000..4590dcf90
--- /dev/null
+++ b/roles/lib_openshift/src/lib/rule.py
@@ -0,0 +1,144 @@
+# pylint: skip-file
+# flake8: noqa
+
+
+class Rule(object):
+ '''class to represent a clusterrole rule
+
+ Example Rule Object's yaml:
+ - apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - persistentvolumes
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+ '''
+ def __init__(self,
+ api_groups=None,
+ attr_restrictions=None,
+ resources=None,
+ verbs=None):
+ self.__api_groups = api_groups if api_groups is not None else [""]
+ self.__verbs = verbs if verbs is not None else []
+ self.__resources = resources if resources is not None else []
+ self.__attribute_restrictions = attr_restrictions if attr_restrictions is not None else None
+
+ @property
+ def verbs(self):
+ '''property for verbs'''
+ if self.__verbs is None:
+ return []
+
+ return self.__verbs
+
+ @verbs.setter
+ def verbs(self, data):
+ '''setter for verbs'''
+ self.__verbs = data
+
+ @property
+ def api_groups(self):
+ '''property for api_groups'''
+ if self.__api_groups is None:
+ return []
+ return self.__api_groups
+
+ @api_groups.setter
+ def api_groups(self, data):
+ '''setter for api_groups'''
+ self.__api_groups = data
+
+ @property
+ def resources(self):
+ '''property for resources'''
+ if self.__resources is None:
+ return []
+
+ return self.__resources
+
+ @resources.setter
+ def resources(self, data):
+ '''setter for resources'''
+ self.__resources = data
+
+ @property
+ def attribute_restrictions(self):
+ '''property for attribute_restrictions'''
+ return self.__attribute_restrictions
+
+ @attribute_restrictions.setter
+ def attribute_restrictions(self, data):
+ '''setter for attribute_restrictions'''
+ self.__attribute_restrictions = data
+
+ def add_verb(self, inc_verb):
+ '''add a verb to the verbs array'''
+ self.verbs.append(inc_verb)
+
+ def add_api_group(self, inc_apigroup):
+ '''add an api_group to the api_groups array'''
+ self.api_groups.append(inc_apigroup)
+
+ def add_resource(self, inc_resource):
+ '''add an resource to the resources array'''
+ self.resources.append(inc_resource)
+
+ def remove_verb(self, inc_verb):
+ '''add a verb to the verbs array'''
+ try:
+ self.verbs.remove(inc_verb)
+ return True
+ except ValueError:
+ pass
+
+ return False
+
+ def remove_api_group(self, inc_api_group):
+ '''add a verb to the verbs array'''
+ try:
+ self.api_groups.remove(inc_api_group)
+ return True
+ except ValueError:
+ pass
+
+ return False
+
+ def remove_resource(self, inc_resource):
+ '''add a verb to the verbs array'''
+ try:
+ self.resources.remove(inc_resource)
+ return True
+ except ValueError:
+ pass
+
+ return False
+
+ def __eq__(self, other):
+ '''return whether rules are equal'''
+ return (self.attribute_restrictions == other.attribute_restrictions and
+ self.api_groups == other.api_groups and
+ self.resources == other.resources and
+ self.verbs == other.verbs)
+
+
+ @staticmethod
+ def parse_rules(inc_rules):
+ '''create rules from an array'''
+
+ results = []
+ for rule in inc_rules:
+ results.append(Rule(rule['apiGroups'],
+ rule['attributeRestrictions'],
+ rule['resources'],
+ rule['verbs']))
+
+ return results
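Review bot: `parse_rules` indexes `rule['apiGroups']`, `rule['attributeRestrictions']`, `rule['resources']` and `rule['verbs']` directly, so a rule that omits any of these keys raises `KeyError` instead of falling back to the constructor defaults. Using `rule.get('apiGroups')`, `rule.get('attributeRestrictions')` and so on lets `__init__` apply its `None` handling. `__eq__` is defined without `__ne__`, so on Python 2 `!=` between rules would not use it. The three `remove_*` docstrings still read 'add a verb to the verbs array' and should describe removal.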
diff --git a/roles/lib_openshift/src/sources.yml b/roles/lib_openshift/src/sources.yml
index 135e2b752..9fa2a6c0e 100644
--- a/roles/lib_openshift/src/sources.yml
+++ b/roles/lib_openshift/src/sources.yml
@@ -89,6 +89,18 @@ oc_configmap.py:
- class/oc_configmap.py
- ansible/oc_configmap.py
+oc_clusterrole.py:
+- doc/generated
+- doc/license
+- lib/import.py
+- doc/clusterrole
+- ../../lib_utils/src/class/yedit.py
+- lib/base.py
+- lib/rule.py
+- lib/clusterrole.py
+- class/oc_clusterrole.py
+- ansible/oc_clusterrole.py
+
oc_edit.py:
- doc/generated
- doc/license
diff --git a/roles/lib_openshift/src/test/integration/oc_clusterrole.yml b/roles/lib_openshift/src/test/integration/oc_clusterrole.yml
new file mode 100755
index 000000000..91b143f55
--- /dev/null
+++ b/roles/lib_openshift/src/test/integration/oc_clusterrole.yml
@@ -0,0 +1,106 @@
+#!/usr/bin/ansible-playbook --module-path=../../../library/
+## ./oc_configmap.yml -M ../../../library -e "cli_master_test=$OPENSHIFT_MASTER
+---
+- hosts: "{{ cli_master_test }}"
+ gather_facts: no
+ user: root
+
+ post_tasks:
+ - name: create a test project
+ oc_project:
+ name: test
+ description: for tests only
+
+ ###### create test ###########
+ - name: create a clusterrole
+ oc_clusterrole:
+ state: present
+ name: operations
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ attributeRestrictions: null
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+ - name: fetch the created clusterrole
+ oc_clusterrole:
+ name: operations
+ state: list
+ register: croleout
+
+ - debug: var=croleout
+
+ - name: assert clusterrole exists
+ assert:
+ that:
+ - croleout.results.results.metadata.name == 'operations'
+ - croleout.results.results.rules[0].resources[0] == 'persistentvolumes'
+ ###### end create test ###########
+
+ ###### update test ###########
+ - name: update a clusterrole
+ oc_clusterrole:
+ state: present
+ name: operations
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ - serviceaccounts
+ - services
+ attributeRestrictions: null
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+ - name: fetch the created clusterrole
+ oc_clusterrole:
+ name: operations
+ state: list
+ register: croleout
+
+ - debug: var=croleout
+
+ - name: assert clusterrole is updated
+ assert:
+ that:
+ - croleout.results.results.metadata.name == 'operations'
+ - "'persistentvolumes' in croleout.results.results.rules[0].resources"
+ - "'serviceaccounts' in croleout.results.results.rules[0].resources"
+ - "'services' in croleout.results.results.rules[0].resources"
+ ###### end create test ###########
+
+ ###### delete test ###########
+ - name: delete a clusterrole
+ oc_clusterrole:
+ state: absent
+ name: operations
+
+ - name: fetch the clusterrole
+ oc_clusterrole:
+ name: operations
+ state: list
+ register: croleout
+
+ - debug: var=croleout
+
+ - name: assert operations does not exist
+ assert:
+ that: "'\"operations\" not found' in croleout.results.stderr"
diff --git a/roles/lib_openshift/src/test/integration/oc_obj.yml b/roles/lib_openshift/src/test/integration/oc_obj.yml
new file mode 100755
index 000000000..c22a2f6a9
--- /dev/null
+++ b/roles/lib_openshift/src/test/integration/oc_obj.yml
@@ -0,0 +1,207 @@
+#!/usr/bin/ansible-playbook --module-path=../../../library/
+# ./oc_obj.yml -e "cli_master_test=$OPENSHIFT_MASTER
+---
+- hosts: "{{ cli_master_test }}"
+ gather_facts: no
+ user: root
+ tasks:
+ - name: create test project
+ oc_project:
+ name: test
+ description: all things test
+ node_selector: ""
+
+ # Create Check #
+ - name: create a dc
+ oc_obj:
+ state: present
+ name: mysql
+ namespace: test
+ kind: dc
+ content:
+ path: /tmp/dcout
+ data:
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ labels:
+ name: mysql
+ name: mysql
+ spec:
+ replicas: 1
+ selector: {}
+ strategy:
+ resources: {}
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ name: mysql
+ spec:
+ containers:
+ - env:
+ - name: MYSQL_USER
+ value: mysql
+ - name: MYSQL_PASSWORD
+ value: mysql
+ - name: MYSQL_DATABASE
+ value: mysql
+ - name: MYSQL_ROOT_PASSWORD
+ value: mysql
+ image: openshift/mysql-55-centos7:latest
+ imagePullPolicy: Always
+ name: mysql
+ ports:
+ - containerPort: 3306
+ name: tcp-3306
+ protocol: TCP
+ resources: {}
+ securityContext:
+ capabilities: {}
+ privileged: false
+ terminationMessagePath: /dev/termination-log
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext: {}
+ terminationGracePeriodSeconds: 31
+ triggers:
+ - type: ConfigChange
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - mysql
+ from:
+ kind: ImageStreamTag
+ name: mysql:latest
+ type: ImageChange
+
+ - name: fetch created dc
+ oc_obj:
+ name: mysql
+ kind: dc
+ state: list
+ namespace: test
+ register: dcout
+
+ - debug: var=dcout
+
+ - assert:
+ that:
+ - dcout.results.returncode == 0
+ - dcout.results.results[0].metadata.name == 'mysql'
+ # End Create Check #
+
+
+ # Delete Check #
+ - name: delete created dc
+ oc_obj:
+ name: mysql
+ kind: dc
+ state: absent
+ namespace: test
+ register: dcout
+
+ - name: fetch delete dc
+ oc_obj:
+ name: mysql
+ kind: dc
+ state: list
+ namespace: test
+ register: dcout
+
+ - debug: var=dcout
+
+ - assert:
+ that:
+ - dcout.results.returncode == 0
+ - "'\"mysql\" not found' in dcout.results.stderr"
+ # End Delete Check #
+
+ # Delete selector Check #
+ - name: create a dc
+ oc_obj:
+ state: present
+ name: mysql
+ namespace: test
+ kind: dc
+ content:
+ path: /tmp/dcout
+ data:
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ labels:
+ name: mysql
+ name: mysql
+ spec:
+ replicas: 1
+ selector: {}
+ strategy:
+ resources: {}
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ name: mysql
+ spec:
+ containers:
+ - env:
+ - name: MYSQL_USER
+ value: mysql
+ - name: MYSQL_PASSWORD
+ value: mysql
+ - name: MYSQL_DATABASE
+ value: mysql
+ - name: MYSQL_ROOT_PASSWORD
+ value: mysql
+ image: openshift/mysql-55-centos7:latest
+ imagePullPolicy: Always
+ name: mysql
+ ports:
+ - containerPort: 3306
+ name: tcp-3306
+ protocol: TCP
+ resources: {}
+ securityContext:
+ capabilities: {}
+ privileged: false
+ terminationMessagePath: /dev/termination-log
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ securityContext: {}
+ terminationGracePeriodSeconds: 31
+ triggers:
+ - type: ConfigChange
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - mysql
+ from:
+ kind: ImageStreamTag
+ name: mysql:latest
+ type: ImageChange
+
+ - name: delete using selector
+ oc_obj:
+ namespace: test
+ selector: name=mysql
+ kind: dc
+ state: absent
+ register: dcout
+
+ - debug: var=dcout
+
+ - name: get the dc
+ oc_obj:
+ namespace: test
+ selector: name=mysql
+ kind: dc
+ state: list
+ register: dcout
+
+ - debug: var=dcout
+
+ - assert:
+ that:
+ - dcout.results.returncode == 0
+ - dcout.results.results[0]["items"]|length == 0
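Review bot: Both `create a dc` tasks pass `content.path: /tmp/dcout`, a fixed name in a world-writable directory, while the play runs as `user: root` on the master. How `oc_obj` creates that file is not visible in this hunk, but a predictable path written by root is worth avoiding even in a test, and the rendered DeploymentConfig carries the fixture's database passwords. I would add a `tempfile: state=directory` task registered as `dc_tmp` before the first create and use `path: "{{ dc_tmp.path }}/dcout"` in both places. The play also never removes the `test` project or the written file, so a closing cleanup task (for example `oc_project` with `state: absent`, assuming the module supports it) would keep reruns from starting on leftover state.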
diff --git a/roles/lib_openshift/src/test/unit/test_oc_clusterrole.py b/roles/lib_openshift/src/test/unit/test_oc_clusterrole.py
new file mode 100755
index 000000000..189f16bda
--- /dev/null
+++ b/roles/lib_openshift/src/test/unit/test_oc_clusterrole.py
@@ -0,0 +1,115 @@
+'''
+ Unit tests for oc clusterrole
+'''
+
+import copy
+import os
+import sys
+import unittest
+import mock
+
+# Removing invalid variable names for tests so that I can
+# keep them brief
+# pylint: disable=invalid-name,no-name-in-module
+# Disable import-error b/c our libraries aren't loaded in jenkins
+# pylint: disable=import-error,wrong-import-position
+# place class in our python path
+module_path = os.path.join('/'.join(os.path.realpath(__file__).split('/')[:-4]), 'library') # noqa: E501
+sys.path.insert(0, module_path)
+from oc_clusterrole import OCClusterRole # noqa: E402
+
+
+class OCClusterRoleTest(unittest.TestCase):
+ '''
+ Test class for OCClusterRole
+ '''
+
+ # run_ansible input parameters
+ params = {
+ 'state': 'present',
+ 'name': 'operations',
+ 'rules': [
+ {'apiGroups': [''],
+ 'attributeRestrictions': None,
+ 'verbs': ['create', 'delete', 'deletecollection',
+ 'get', 'list', 'patch', 'update', 'watch'],
+ 'resources': ['persistentvolumes']}
+ ],
+ 'kubeconfig': '/etc/origin/master/admin.kubeconfig',
+ 'debug': False,
+ }
+
+ @mock.patch('oc_clusterrole.locate_oc_binary')
+ @mock.patch('oc_clusterrole.Utils.create_tmpfile_copy')
+ @mock.patch('oc_clusterrole.Utils._write')
+ @mock.patch('oc_clusterrole.OCClusterRole._run')
+ def test_adding_a_clusterrole(self, mock_cmd, mock_write, mock_tmpfile_copy, mock_loc_binary):
+ ''' Testing adding a project '''
+
+ params = copy.deepcopy(OCClusterRoleTest.params)
+
+ clusterrole = '''{
+ "apiVersion": "v1",
+ "kind": "ClusterRole",
+ "metadata": {
+ "creationTimestamp": "2017-03-27T14:19:09Z",
+ "name": "operations",
+ "resourceVersion": "23",
+ "selfLink": "/oapi/v1/clusterrolesoperations",
+ "uid": "57d358fe-12f8-11e7-874a-0ec502977670"
+ },
+ "rules": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "attributeRestrictions": null,
+ "resources": [
+ "persistentvolumes"
+ ],
+ "verbs": [
+ "create",
+ "delete",
+ "deletecollection",
+ "get",
+ "list",
+ "patch",
+ "update",
+ "watch"
+ ]
+ }
+ ]
+ }'''
+
+ # Return values of our mocked function call. These get returned once per call.
+ mock_cmd.side_effect = [
+ (1, '', 'Error from server: clusterrole "operations" not found'),
+ (1, '', 'Error from server: namespaces "operations" not found'),
+ (0, '', ''), # created
+ (0, clusterrole, ''), # fetch it
+ ]
+
+ mock_tmpfile_copy.side_effect = [
+ '/tmp/mocked_kubeconfig',
+ ]
+
+ mock_loc_binary.side_effect = [
+ 'oc',
+ ]
+
+ # Act
+ results = OCClusterRole.run_ansible(params, False)
+
+ # Assert
+ self.assertTrue(results['changed'])
+ self.assertEqual(results['results']['returncode'], 0)
+ self.assertEqual(results['results']['results']['metadata']['name'], 'operations')
+ self.assertEqual(results['state'], 'present')
+
+ # Making sure our mock was called as we expected
+ mock_cmd.assert_has_calls([
+ mock.call(['oc', 'get', 'clusterrole', 'operations', '-o', 'json'], None),
+ mock.call(['oc', 'get', 'clusterrole', 'operations', '-o', 'json'], None),
+ mock.call(['oc', 'create', '-f', mock.ANY], None),
+ mock.call(['oc', 'get', 'clusterrole', 'operations', '-o', 'json'], None),
+ ])
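Review bot: `test_adding_a_clusterrole` patches `Utils._write` but never inspects `mock_write`, and the create call is matched with `mock.ANY`, so nothing checks that the rules handed to `oc create -f` are the ones in `params`. For an RBAC module that is the part most worth pinning, since a rule set that came out broader than requested would still pass. Asserting on `mock_write.call_args` that the written content contains `persistentvolumes` and the eight verbs would close the gap; the argument layout of `_write` is not shown here, so confirm it first. The docstring `''' Testing adding a project '''` should read `''' Testing adding a clusterrole '''`, and the second `side_effect` entry mentions `namespaces "operations" not found`, which looks copied from the project test.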