feat(identity-mapper): MVP tool to apply user groups compliant with incoming cluster admin policies #1366
davehadley wants to merge 1 commit into
Conversation
…luster admin policies
bd96ad5 to 9fa9190
jobs:
changes:
Should there be a better name for this CI? My understanding is that it is "changes".
Fine for MVP, but this is a lot of memory being used at once to create an identity for every person at Diamond. Maybe some form of pagination / multiple K8s API calls could be implemented?
def lookup_identities_in_ldap(
    ldap: ldap3.Connection,
) -> dict[int, Identity]:
    people_base_dn = _BASE_DN
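Review bot: `lookup_identities_in_ldap` takes only the connection and reads its search base from the module constant `_BASE_DN`, and the result is the whole directory materialised into one `dict[int, Identity]`. Take the base DN as a parameter so the function can be tested against a small OU, and use ldap3's paged search (`Connection.search(..., paged_size=...)`, or `conn.extend.standard.paged_search(...)` which yields entries) so the LDAP side streams instead of holding every person's entry at once.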
The key here is int, but in sync it is a string. Is that on purpose? Wouldn't that always cause a difference in the K8s state, and the user identity to be recreated every 30 minutes?
    kubernetes_data: dict[int, Identity],
) -> None:
    desired_state = {
        str(uid_num): {
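Review bot: `kubernetes_data` is annotated `dict[int, Identity]` while `desired_state` is keyed by `str(uid_num)`, so the two sides can never compare equal and every identity will be diffed as missing on each run. Settle on one key type (`str`, since the patch paths already carry the uid as a string such as "10023") and convert in exactly one place, in the LDAP lookup, so the annotations and the data agree.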
Referencing a different key type from above.
path_parts = operation["path"].strip("/").split("/")
username = path_parts[0]  # The user ID string (e.g., "10023")

if op_type == "add" and len(path_parts) == 1:
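Review bot: `operation["path"].strip("/").split("/")` treats the patch path as plain text, but a JSON Pointer escapes `/` as `~1` and `~` as `~0`, so a group name containing either character is split into the wrong tokens; unescape each token after splitting. `username` is also a misleading name for a value the comment itself describes as a user ID string ("10023"); call it `uid` or `uid_num` so it is not mistaken for a login name later.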
For next review: probably better to use match/case instead of if/elif.
        IdentityCrd.GROUP, IdentityCrd.VERSION, IdentityCrd.PLURAL, body
    )

elif op_type == "remove" and len(path_parts) == 1:
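Review bot: the `if`/`elif` chain only handles `add` and `remove` with a single path component; anything else (`replace`, or a nested path such as `/1001/supplementalGroups/<group>`) falls through and is silently skipped. For a nested `remove` that means a group taken away in LDAP is never taken away in the cluster, which is precisely the revocation this tool exists to enforce. Add a final `else` that logs and raises on unhandled op shapes, and handle the nested group paths explicitly.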
What happens if you try to remove a supplementalGroup? {"op": "remove", "path": "/1001/suplementalGroups/dasc"}. How is this handled, as the length of path_parts is 3 here?
)

def test_lookup_identities_in_kubernetes() -> None:
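Review bot: `test_lookup_identities_in_kubernetes` only covers the read side. Add a reconciliation test that feeds identical LDAP and Kubernetes state and asserts that no operations are produced, and one that removes a single group in LDAP and asserts exactly one patch is issued; those two cases catch both the key-type churn and a silently skipped nested remove.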
Could add a test case of syncing / updating to ensure that things are not being deleted and brought back.
dependencies = [
    "kubernetes==35.0.0",
    "ldap3>=2.9.1",
    "structlog>=25.5.0",
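Review bot: `structlog>=25.5.0` is declared but the module uses the standard `logging` package; drop it, since every unused dependency is extra supply-chain surface in the image. The pin styles are also mixed (`kubernetes==35.0.0` exact, the other two lower-bound only); with `uv sync --locked` the lockfile decides anyway, so pick one convention and apply it to all three.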
I do not see structlog being used, but logging is used throughout.
securityContext:
  runAsUser: "{{`{{ request.object.spec.securityContext.runAsUser }}`}}"
  runAsGroup: "{{`{{ request.object.spec.securityContext.runAsGroup }}`}}"
{{- end }}
\ No newline at end of file
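Review bot: the mutation copies `runAsUser` and `runAsGroup` from `request.object.spec.securityContext`, i.e. from the submitted pod itself, so it only echoes whatever uid/gid the requester chose and does not enforce the LDAP-mapped identity. If the intent is that a user's pods run as that user's own uid/gid, the source must be the Identity CR for that user (for example via a Kyverno `context` API call) and the request's value should be validated against it. Also check the rendered manifest: both values are quoted in the template, while `runAsUser` and `runAsGroup` are int64 fields in `PodSecurityContext`.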
name: noop
spec:
  steps:
    - try:
\ No newline at end of file
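Review bot: a test named `noop` whose `try` list is empty asserts nothing and gives a green run for a broken policy; add at least an `apply` of a sample pod and an `assert` on the mutated `securityContext`, or leave the file out until the policy has a real test.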
targetRevision: HEAD
extraValueFiles:
  - staging-values.yaml
valuesObject: {}
\ No newline at end of file
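Review bot: `targetRevision: HEAD` deploys whatever is at the branch tip, so a staging rollout happens on every merge and a given deployment cannot be reproduced from the Application alone; acceptable for staging, but pin to a tag or SHA before this pattern is copied to a production environment.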
enabled: false
targetRevision: HEAD
extraValueFiles:
  - dev-values.yaml
\ No newline at end of file
WORKDIR /app
RUN uv sync --locked

CMD ["uv", "run", "--no-sync", "identity-mapper"]
\ No newline at end of file
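Review bot: nothing in this hunk switches away from root, so unless the base image sets one, the identity-mapper process runs as uid 0 while holding LDAP credentials and a service account that can create Identity CRs; add a non-root user and a `USER` line before `CMD`. `uv sync --locked` is right for reproducibility, but it installs the dev dependency group by default; use `uv sync --locked --no-dev` for the runtime image.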
No description provided.