X-Git-Url: https://osm.etsi.org/gitweb/?p=osm%2FN2VC.git;a=blobdiff_plain;f=n2vc%2Flibjuju.py;h=a79d00d8c8a46b56da6b1242a02a27612512f8c5;hp=5a3ddbbb237fd1ea1436a775358d13ec204305e1;hb=refs%2Fchanges%2F47%2F10047%2F13;hpb=1c83f2e4d061ad37ba898e114cb42e70fdee5145 diff --git a/n2vc/libjuju.py b/n2vc/libjuju.py index 5a3ddbb..a79d00d 100644 --- a/n2vc/libjuju.py +++ b/n2vc/libjuju.py @@ -14,8 +14,7 @@ import asyncio import logging -from juju.controller import Controller -from juju.client import client + import time from juju.errors import JujuAPIError @@ -29,6 +28,10 @@ from juju.client._definitions import ( Cloud, CloudCredential, ) +from juju.controller import Controller +from juju.client import client +from juju import tag + from n2vc.juju_watcher import JujuModelWatcher from n2vc.provisioner import AsyncSSHProvisioner from n2vc.n2vc_conn import N2VCConnector @@ -46,6 +49,8 @@ from n2vc.utils import DB_DATA from osm_common.dbbase import DbException from kubernetes.client.configuration import Configuration +RBAC_LABEL_KEY_NAME = "rbac-id" + class Libjuju: def __init__( @@ -654,7 +659,8 @@ class Libjuju: try: # Get application application = self._get_application( - model, application_name=application_name, + model, + application_name=application_name, ) if application is None: raise JujuApplicationNotFound("Cannot execute action") @@ -744,7 +750,8 @@ class Libjuju: try: # Get application application = self._get_application( - model, application_name=application_name, + model, + application_name=application_name, ) # Return list of actions @@ -776,7 +783,10 @@ class Libjuju: return metrics async def add_relation( - self, model_name: str, endpoint_1: str, endpoint_2: str, + self, + model_name: str, + endpoint_1: str, + endpoint_2: str, ): """Add relation @@ -811,7 +821,9 @@ class Libjuju: await self.disconnect_controller(controller) async def consume( - self, offer_url: str, model_name: str, + self, + offer_url: str, + model_name: str, ): """ Adds a remote offer to the model. Relations can be created later using "juju relate". @@ -958,7 +970,8 @@ class Libjuju: try: model = await self.get_model(controller, model_name) application = self._get_application( - model, application_name=application_name, + model, + application_name=application_name, ) await application.set_config(config) finally: @@ -999,7 +1012,8 @@ class Libjuju: if not juju_info: try: self.db.create( - DB_DATA.api_endpoints.table, DB_DATA.api_endpoints.filter, + DB_DATA.api_endpoints.table, + DB_DATA.api_endpoints.filter, ) except DbException as e: # Racing condition: check if another N2VC worker has created it @@ -1071,6 +1085,9 @@ class Libjuju: async def add_k8s( self, name: str, + rbac_id: str, + token: str, + client_cert_data: str, configuration: Configuration, storage_class: str, credential_name: str = None, @@ -1094,17 +1111,17 @@ class Libjuju: raise Exception("configuration must be provided") endpoint = configuration.host - credential = self.get_k8s_cloud_credential(configuration) - ca_certificates = ( - [credential.attrs["ClientCertificateData"]] - if "ClientCertificateData" in credential.attrs - else [] + credential = self.get_k8s_cloud_credential( + configuration, + client_cert_data, + token, ) + credential.attrs[RBAC_LABEL_KEY_NAME] = rbac_id cloud = client.Cloud( type_="kubernetes", auth_types=[credential.auth_type], endpoint=endpoint, - ca_certificates=ca_certificates, + ca_certificates=[client_cert_data], config={ "operator-storage": storage_class, "workload-storage": storage_class, @@ -1116,30 +1133,21 @@ class Libjuju: ) def get_k8s_cloud_credential( - self, configuration: Configuration, + self, + configuration: Configuration, + client_cert_data: str, + token: str = None, ) -> client.CloudCredential: attrs = {} - ca_cert = configuration.ssl_ca_cert or configuration.cert_file - key = configuration.key_file - api_key = configuration.api_key - token = None + # TODO: Test with AKS + key = None # open(configuration.key_file, "r").read() username = configuration.username password = configuration.password - if "authorization" in api_key: - authorization = api_key["authorization"] - if "Bearer " in authorization: - bearer_list = authorization.split(" ") - if len(bearer_list) == 2: - [_, token] = bearer_list - else: - raise JujuInvalidK8sConfiguration("unknown format of api_key") - else: - token = authorization - if ca_cert: - attrs["ClientCertificateData"] = open(ca_cert, "r").read() + if client_cert_data: + attrs["ClientCertificateData"] = client_cert_data if key: - attrs["ClientKeyData"] = open(key, "r").read() + attrs["ClientKeyData"] = key if token: if username or password: raise JujuInvalidK8sConfiguration("Cannot set both token and user/pass") @@ -1148,6 +1156,8 @@ class Libjuju: auth_type = None if key: auth_type = "oauth2" + if client_cert_data: + auth_type = "oauth2withcert" if not token: raise JujuInvalidK8sConfiguration( "missing token for auth type {}".format(auth_type) @@ -1159,11 +1169,11 @@ class Libjuju: ) attrs["username"] = username attrs["password"] = password - if ca_cert: + if client_cert_data: auth_type = "userpasswithcert" else: auth_type = "userpass" - elif ca_cert and token: + elif client_cert_data and token: auth_type = "certificate" else: raise JujuInvalidK8sConfiguration("authentication method not supported") @@ -1218,3 +1228,13 @@ class Libjuju: unit = u break return unit + + async def get_cloud_credentials(self, cloud_name: str, credential_name: str): + controller = await self.get_controller() + try: + facade = client.CloudFacade.from_connection(controller.connection()) + cloud_cred_tag = tag.credential(cloud_name, self.username, credential_name) + params = [client.Entity(cloud_cred_tag)] + return (await facade.Credential(params)).results + finally: + await self.disconnect_controller(controller)