Commit 17fdafef authored by Michael Völske's avatar Michael Völske

add provisional k8s-auth setup script

parent 8113a5ab
......@@ -8,6 +8,7 @@ from log import *
GROUP_ID_WEBISSTUD = 117
GROUP_ID_THIRDPARTY = 170
GROUP_ID_AUTH_K8S_USER = 352
try:
## Using Python3
#!/bin/sh
# Set up k8s access per gitlab groups
"true" '''\'
# try running as python3, if that fails fall back to (any) python
command -v python3 > /dev/null
if [ $? -eq 0 ]; then
exec env python3 "$0" "$@"
fi
command -v python > /dev/null
if [ $? -eq 0 ]; then
exec env python "$0" "$@"
else
echo -e "\033[91m[ERROR] Install Python and try again!" 1>&2
exit 1
fi
'''
from __future__ import print_function
import os
import shutil
import sys
import tempfile
import loader
import gitlab
from log import *
from lib import get_selection_from_list, confirm_prompt
from webis_gitlab import get_api_instance, GROUP_ID_AUTH_K8S_USER
template = """
apiVersion: v1
kind: Namespace
metadata:
name: {username}
labels:
source: webiscmd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: {username}
name: {username}
labels:
source: webiscmd
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {username}-binding
namespace: {username}
labels:
source: webiscmd
subjects:
- kind: User
name: oidc:{email}
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: {username}
apiGroup: rbac.authorization.k8s.io"""
gl = get_api_instance()
group = gl.groups.get(GROUP_ID_AUTH_K8S_USER)
users = (dict(username=u.attributes['username'],email=gl.users.get(u.attributes['id']).attributes['email']) for u in group.members.list(all=True))
tmp = tempfile.mkdtemp()
roles_file = os.path.join(tmp, 'roles.yaml')
with open(roles_file, 'w') as f:
f.write("\n---\n".join(template.format(**u) for u in users))
lInfo("Deleting existing k8s-auth/user resources")
for obj in ['rolebinding', 'role']:
os.system('kubectl delete %s -l source==webiscmd -A' % obj)
lInfo("Creating up-to-date k8s-auth/user resources from gitlab group membership")
os.system('kubectl replace -f ' + roles_file)
shutil.rmtree(tmp)
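Review bot: The exit status of both `os.system` calls is discarded, so a failed `kubectl delete` or `kubectl replace` is silently ignored, the script still logs as if the resources were refreshed, and the temporary directory is removed regardless; `subprocess.run([...], check=True)` surfaces the failure as `CalledProcessError` instead. `kubectl replace` also requires the object to already exist, and the loop just before deletes every labelled Role and RoleBinding, so the replace step is expected to fail with NotFound for those objects unless the intent is something I am missing — `kubectl apply` is the verb that creates or updates. Because the roles file contains every member's e-mail address, the `shutil.rmtree` should sit in a `finally` so an exception between `mkdtemp` and the end does not leave it on disk. The rewrite below needs `import subprocess` next to the existing imports; the template, API lookup and the user generator stay as they are.
```python
# … unchanged: template, gl / group / users setup …
tmp = tempfile.mkdtemp()
try:
    roles_file = os.path.join(tmp, 'roles.yaml')
    with open(roles_file, 'w') as f:
        f.write("\n---\n".join(template.format(**u) for u in users))
    lInfo("Deleting existing k8s-auth/user resources")
    for obj in ['rolebinding', 'role']:
        # check=True: a failed delete must not be followed by a silent apply
        subprocess.run(['kubectl', 'delete', obj, '-l', 'source==webiscmd', '-A'], check=True)
    lInfo("Creating up-to-date k8s-auth/user resources from gitlab group membership")
    # apply creates the objects the delete loop just removed; replace would need them to exist
    subprocess.run(['kubectl', 'apply', '-f', roles_file], check=True)
finally:
    # the file holds member e-mail addresses; remove it even when kubectl fails
    shutil.rmtree(tmp)
```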