
Commit cfbe35f

authored
Merge pull request #11 from willisren/resync-policies
Add script to resync custom role and rolebindings after being imported
2 parents 4da2408 + c5da539 commit cfbe35f

2 files changed

Lines changed: 72 additions & 1 deletion


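--- a/061-cluster-access-policies-resync.sh
+++ b/061-cluster-access-policies-resync.sh
@@ -0,0 +1,71 @@
+#! /bin/bash
+
+source utils/common.sh
+
+register_last_words "Resync rolebindings on clusters and namespaces"
+
+TMC_NAMESPACE="vmware-system-tmc"
+
+DATA_DIR="data"
+SRC_DIR="$DATA_DIR/policies/iam"
+TEMP_DIR="$PWD/$SRC_DIR/$(date +%s)"
+TEMPKUBECONFIG="$TEMP_DIR/kubeconfig"
+
+# Create temp directory
+mkdir -p "$TEMP_DIR"
+
+export KUBECONFIG=$TEMPKUBECONFIG
+
+log "************************************************************************"
+log "* Resync Rolebindings on Clusters and Namespaces ..."
+log "************************************************************************"
+
+if [[ -z "$ONBOARDED_CLUSTER_INDEX_FILE" ]]; then
+log error "ONBOARDED_CLUSTER_INDEX_FILE is not set"
+exit 1
+elif [[ ! -f "$ONBOARDED_CLUSTER_INDEX_FILE" ]]; then
+log error "$ONBOARDED_CLUSTER_INDEX_FILE doesn't exist"
+exit 1
+fi
+
+while IFS="." read -r mgmt prvn cls; do
+log info "Connecting to the cluster $mgmt/$prvn/$cls..."
+if ! tanzu tmc cluster kubeconfig get $cls -m $mgmt -p $prvn > ${TEMPKUBECONFIG} 2>/dev/null; then
+log error "Failed to get kubeconfig for cluster $mgmt/$prvn/$cls"
+exit 1
+fi
+
+# Verify cluster connection
+if ! kubectl cluster-info >/dev/null 2>&1; then
+log error "Failed to connect to cluster $mgmt/$prvn/$cls"
+exit 1
+fi
+
+log info "Delete stale custom cluster roles for $mgmt/$prvn/$cls ..."
+kubectl get customrole --no-headers -o custom-columns=":metadata.name" | while read -r role; do
+kubectl delete clusterrole $role
+done
+
+org_id=$(kubectl -n $TMC_NAMESPACE get cm stack-config -o jsonpath='{.data.org_id}' 2>/dev/null)
+if [[ -z "$org_id" ]]; then
+log error "Failed to get org_id for the cluster $mgmt/$prvn/$cls"
+exit 1
+fi
+
+log info "Delete stale cluster rolebindings on $mgmt/$prvn/$cls ..."
+kubectl get clusterrolebinding --no-headers -o custom-columns=":metadata.name" -A | while read -r binding; do
+if [[ $binding =~ org-.*-rbac.authorization.k8s.io ]] && [[ ! $binding =~ $org_id ]]; then
+kubectl delete clusterrolebinding $binding
+fi
+done
+
+log info "Delete stale rolebindings for $mgmt/$prvn/$cls ..."
+kubectl get rolebinding --no-headers -o custom-columns=":metadata.name,:metadata.namespace" | while read -r binding namespace; do
+if [[ $binding =~ org-.*-rbac.authorization.k8s.io ]] && [[ ! $binding =~ $org_id ]]; then
+kubectl delete rolebinding $binding -n $namespace
+fi
+done
+
+log info "Restart policy sync extension to resync access policies ..."
+kubectl rollout restart deployment policy-sync-extension -n $TMC_NAMESPACE
+done < $ONBOARDED_CLUSTER_INDEX_FILE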
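Review bot: The kubeconfig fetched at line 33 is written to a predictable path under the repository's own data/ tree (`TEMP_DIR="$PWD/$SRC_DIR/$(date +%s)"`, lines 11–15) with whatever the caller's umask allows, and nothing in the hunk deletes it when the loop ends, so credentials for every onboarded cluster stay on disk next to exportable data; `register_last_words` may register an exit hook, but it lives in utils/common.sh outside this hunk, so that cannot be confirmed here. Prefer `TEMP_DIR=$(mktemp -d)` together with `trap 'rm -rf -- "${TEMP_DIR:?}"' EXIT`, or at minimum create the directory under `umask 077` and remove it after the loop. Separately, `$cls -m $mgmt -p $prvn > ${TEMPKUBECONFIG}` (line 33), `$role` (46), `$binding` (58, 65), `$namespace` (65) and `$ONBOARDED_CLUSTER_INDEX_FILE` (71) are all unquoted, so a name containing whitespace or glob characters would be split into extra arguments to `kubectl delete`; double-quote each expansion. The filters on lines 57 and 64 also use an unanchored `=~` with unescaped dots, so `[[ ! $binding =~ $org_id ]]` matches `$org_id` anywhere in the name rather than as a whole token; if org ids can be prefixes of one another, anchor the pattern (e.g. `^org-${org_id}-`) before deleting.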

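--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ This is a repo to store the scripts in the [Migrate TMC SaaS to SM](https://docs
 | [059-admin-settings-import.sh](./059-admin-settings-import.sh) | Import settings to TMC SM | Ready | |
 | [060-admin-access-import.sh](./060-admin-access-import.sh) | Import access to TMC SM | Ready | |
 | [061-base-access-policies-import.sh](./061-base-access-policies-import.sh) | Import access policies on organization/clustegroups/workspaces | READY | The customer should manually edit the access policies with correct user and usergroup identities in the idP of TMC SM after imported. |
-| [061-cluster-access-policies-import.sh](./061-cluster-access-policies-import.sh) | Import access policies on clusters/namespaces | READY | The customer should manually edit the access policies with correct user and usergroup identities in the idP of TMC SM after imported. |
+| [061-cluster-access-policies-resync.sh](./061-cluster-access-policies-resync.sh) | Clean up stale rolebindings and resync them on clusters/namespaces | READY | |
 | [062-base-policy-templates-import.sh](./062-base-policy-templates-import.sh) | Import policy templates | READY | |
 | [063-base-policy-assignments-import.sh](./063-base-policy-assignments-import.sh) | Import policy assignments on organization/clustergroups/workspaces | READY | |
 | [063-cluster-policy-assignments-import.sh](./063-cluster-policy-assignments-import.sh) | Import policy assignments on clusters | READY | |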
