Remove clusterrole creation, move ldap to permissionables
1 parent
1d507c7
commit c6b4009
Showing
11 changed files
with
86 additions
and
209 deletions.
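--- a/charts/sessionspaces/templates/clusterrole-argo-workflows.yaml
+++ b/charts/sessionspaces/templates/clusterrole-argo-workflows.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: argo-workflows
+rules:
+- apiGroups: [""]
+resources: ["pods"]
+verbs: ["get", "watch", "patch"]
+- apiGroups: [""]
+resources: ["pods/logs"]
+verbs: ["get", "watch"]
+- apiGroups: [""]
+resources: ["pods/exec"]
+verbs: ["create"]
+- apiGroups: ["argoproj.io"]
+resources: [
+"workflowtaskresults",
+]
+verbs: ["create","patch"]
+- apiGroups: ["argoproj.io"]
+resources: [
+"workflowtasksets",
+"workflowartifactgctasks",
+]
+verbs: ["list", "watch"]
+- apiGroups: ["argoproj.io"]
+resources: [
+"workflowtasksets/status",
+"workflowartifactgctasks/status",
+]
+verbs: ["patch"]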
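Review bot: The rule granting `create` on `pods/exec` (alongside `patch` on `pods`) is the most powerful entry in this ClusterRole, and the file does not record how it is meant to be bound; since a ClusterRole's reach is decided entirely by the binding, a ClusterRoleBinding would give the argo-workflows ServiceAccount exec into every pod in the cluster, whereas a per-session RoleBinding confines it to that namespace. The commit message says the in-code ClusterRole creation was removed, so presumably the RoleBinding is created elsewhere, but nothing here pins that down. A header comment would make the intent reviewable, e.g. `# Bound per session namespace through a RoleBinding; do not bind cluster-wide, as this grants pods/exec.` A `metadata.labels` block identifying the chart and release would also make the object attributable during RBAC audits.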
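--- a/charts/sessionspaces/templates/clusterrole-visit-member.yaml
+++ b/charts/sessionspaces/templates/clusterrole-visit-member.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: visit-member
+rules:
+- apiGroups: ["argoproj.io"]
+resources: [
+"eventsources",
+"sensors",
+"workflows",
+"workfloweventbindings",
+"workflowtemplates",
+"clusterworkflowtemplates",
+"cronworkflows",
+"workflowtaskresults",
+]
+verbs: ["get", "watch", "list"]
+- apiGroups: ["argoproj.io"]
+resources: ["workflows"]
+verbs: ["create"]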
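Review bot: `clusterworkflowtemplates` is a cluster-scoped resource in Argo Workflows, so if this ClusterRole is granted to visit members through a namespaced RoleBinding (the pattern the removal of in-code Role creation suggests), that entry is inert because a RoleBinding cannot grant access to cluster-scoped objects; if it is instead granted through a ClusterRoleBinding, the `create` on `workflows` in the second rule becomes cluster-wide rather than per-visit. Splitting the read-only `clusterworkflowtemplates` access into its own ClusterRole bound cluster-wide, and keeping the namespaced rules here, keeps the per-namespace binding least-privilege. A comment at the top of the file stating which binding kind the rules expect, e.g. `# Namespaced rules: bind via a RoleBinding in each session namespace`, would document the intent for the next reviewer.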
@@ -0,0 +1,27 @@ | ||
use ldap3::{LdapConnAsync, Scope, SearchEntry}; | ||
use tracing::info; | ||
|
||
pub async fn ldap_search(namespace: String) -> Result<String, Box<dyn std::error::Error>> { | ||
let (conn, mut ldap) = LdapConnAsync::new("ldap://ldap.diamond.ac.uk").await?; | ||
ldap3::drive!(conn); | ||
let common_name = namespace.replace("-", "_"); | ||
let filter = format!("(&(objectClass=posixgroup)(cn={common_name}))",); | ||
let (rs, _res) = ldap | ||
.search( | ||
"ou=Group,dc=diamond,dc=ac,dc=uk", | ||
Scope::Subtree, | ||
&filter, | ||
vec!["gidnumber"], | ||
) | ||
.await | ||
.unwrap() | ||
.success() | ||
.unwrap(); | ||
for entry in rs { | ||
if let Some(res) = SearchEntry::construct(entry).attrs.get("gidNumber") { | ||
return Ok(res.concat()); | ||
} | ||
} | ||
info!("gidNumber not found for session {}", common_name); | ||
Err("gidNumber not found".into()) | ||
} |
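Review bot: The two `.unwrap()` calls on the search result (`.await` then `.unwrap()`, and `.success()` then `.unwrap()`) turn any LDAP transport or result-code failure into a panic of the calling task even though the function already returns `Result<String, Box<dyn std::error::Error>>`; replace them with `.await?` and `.success()?` so the error propagates like the connect error on the first line. The filter is built by interpolating `common_name` straight into `format!("(&(objectClass=posixgroup)(cn={common_name}))")`; Kubernetes namespace names are limited to DNS-label characters, but nothing in this function enforces that, so passing the value through the crate's `ldap_escape` helper before interpolation keeps the filter well-formed for any caller. `res.concat()` joins every value of a multi-valued `gidNumber` into one string, so `res.first()` (erroring when empty) is the safer extraction. The connection to `ldap://ldap.diamond.ac.uk` is plaintext with no bind and the `ldap` handle is never unbound, which deserves a doc comment such as `/// Resolves the POSIX gidNumber for a session namespace via an anonymous, unencrypted LDAP query; callers must treat the result as only as trustworthy as the network path to the directory.`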
@@ -1,6 +1,8 @@ | ||
/// gidNumber for sessions | ||
mod ldap; | ||
/// Beamline sessions | ||
mod session; | ||
/// Associations between subjects and sessions | ||
mod subject_session; | ||
|
||
pub use self::{session::Session, subject_session::SubjectSession}; | ||
pub use self::{ldap::ldap_search, session::Session, subject_session::SubjectSession}; |
@@ -1,15 +1,9 @@ | ||
/// The config map for kyverno policy | ||
mod config_maps; | ||
/// The visit-member ServiceAccount and corresponding Role | ||
mod member_sa; | ||
/// The Namespace for a beamline session | ||
mod namespace; | ||
/// The argo-workflows ServiceAccount and corresponding Role | ||
mod workflows_sa; | ||
|
||
pub use self::{ | ||
config_maps::create_configmap, | ||
member_sa::create_visit_member_role, | ||
namespace::{create_namespace, delete_namespace}, | ||
workflows_sa::create_argo_workflows_role, | ||
}; |