\)ddZddlmZddlmZddlmZddlmZmZddlm Z ddl m Z ddl mZddl m Zdd lmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZ ddlm Z ddl!m Z"ddl#m$Z$ddl#m%Z%ddl&m'Z'dZ(dZ)dgZ*gdZ+GddejXejZZ.dZ/y)z7Utilities for interacting with the Connect Gateway API.)absolute_import)division)unicode_literals)ListUnion) projects_api)util)client) enable_api)apis)base)api_util)gwkubeconfig_util) overrides)errors)log) properties) platformsz0connectgateway_{project}_{location}_{membership}zihttps://{service_name}/{version}/projects/{project_number}/locations/{location}/{collection}/{membership}gkehub.gateway.get)zgkehub.memberships.getrzserviceusage.services.getc ~eZdZdZddZ ddedededeedffdZdd Z d ed e efd Z d Z ddZ edZy)GetCredentialsCommandzeGetCredentialsCommand is a base class with util functions for Gateway credential generating commands.Ncltjtjj }t j jdt j jd|z|j|t tjjjdj}t!|t#j$|d|j'|||}d}|dk(rn:t)|dr.t)|j*dr|j*j,rd}|j/t#j$|||||||d |j1||||zd z}t j j|y#tj$rd}YwxYw) Nz'Starting to build Gateway kubeconfig...zCurrent project_id: gkehub membershipszgkeconnect-proberendpoint gkeClustergkeMembershipsA new kubeconfig entry "4" has been generated and set as the current context.)container_utilCheckKubectlInstalledhub_base HubCommandProjectrstatusPrint RunIamCheckREQUIRED_CLIENT_PERMISSIONSrVALUESapi_endpoint_overridesPropertyGetNoSuchPropertyErrorCheckGatewayApiEnablementr GetConnectGatewayServiceNameReadClusterMembershiphasattrrrGenerateKubeconfig KubeContext) self membership_id arg_location arg_namespace project_idhub_endpoint_override membership collectionmsgs 9lib/googlecloudsdk/command_lib/container/fleet/gateway.pyRunGetCredentialsz'GetCredentialsCommand.RunGetCredentials9s((*$$,,.JJJ>?JJ+j89Z!<=#(//FFOO   ))*?F ++L-J J((  J' J'' 6    * *#j ))*?N  #     m]   A  AJJSU  ) )#"#s 7FF32F3r5r6force_use_agentr7c  tjjdtjt j j}t j jd}|j|td}tjjr#tj|j}t!j"|5t%j&|j}|j)d|d|d||||} dddt*j,j/ j0} t*j,j3} | j5| d | j7t9| j:j=d | j?d | j@d } tjj| y#1swYxYw) aRunServerSide generates credentials using server-side kubeconfig generation. Args: membership_id: The short name of the membership to generate credentials for. arg_location: The location of the membership to generate credentials for. force_use_agent: Whether to force the use of Connect Agent in generated credentials. arg_namespace: The namespace to use in the kubeconfig context. zFetching Gateway kubeconfig...T)numberNz projects/z /locations/z /memberships/)namer?kubernetes_namespaceoperating_system) overwriterrr)!rr%r&r r!r"r#r$r'REQUIRED_SERVER_PERMISSIONSrOperatingSystem IsWindows gateway_utilWindowsOperatingSystem ReleaseTrackrRegionalGatewayEndpointgateway_client GatewayClientGenerateCredentialskconfig Kubeconfig LoadFromBytes kubeconfigDefaultMergeSetCurrentContextlistcontextskeys SaveToFilecurrent_context) r4r5r6r?r7r8project_numberrDr respnewrSr<s r= RunServerSidez#GetCredentialsCommand.RunServerSideqs"JJ56((*$$,,.J((000=N  Z!<=  **,%<<      * *< 8++D,=,=,?@f  ' '>*+l^=Q^P_`),+ (d 9    * *4?? ;C##++-JSD)  cll&7&7&9!:1!=> #:#=#=">?5 5JJS) 9 8s AG99HcJtj|||}|r|d|zz }|S)N)projectlocationr:z_ns-)KUBECONTEXT_FORMATformat)r4r8rbr: namespacekcs r=r3z!GetCredentialsCommand.KubeContexts7  " "X* # BFY b Ir8 permissionsctj|}tj||}|j}t |j t |stjy)z^Run an IAM check, making sure the caller has the necessary permissions to use the Gateway API.N) project_util ParseProjectrTestIamPermissionsrhsetissubsetmemberships_errorsInsufficientPermissionsError)r4r8rh project_refresultgranted_permissionss r=r'z!GetCredentialsCommand.RunIamChecks]++J7K  , ,[+ FF ,, {  $ $S)<%= >  ; ; == ?rgcZtj|||}tj|SN) hubapi_util MembershipRef GetMembership)r4r8rbr: resource_names r=r0z+GetCredentialsCommand.ReadClusterMemberships'--j(JOM  $ $] 33rgc Dtj|}|||tj||j ||||dd}ddi} i} |j ||||} |j |||} t jj} t j| | | || j| <t j| fi| | j| <t j| |dfi| | j| <| j| | j!| S)N) service_nameversionr\rbr;r:gcp)r:rbr8server auth_providerrr~)rjGetProjectNumber SERVER_FORMATrd GetVersionr3rPrQrTContextrXUserusersClusterclustersrVrZ)r4r{r8rbr;r:rer\kwargs user_kwargscluster_kwargscontextclusterrSs r=r2z(GetCredentialsCommand.GenerateKubeconfigs7"22:>N  &&%OO%)!! '  F KNz8ZKGz8Z@G##++-J#*??'9$J !( W D DJW#*??!$%3$J   ) rgc|jtjjury|jtjjury|jtjjuryy)Nv1alpha1v1beta1v1)rKr ALPHABETAGA)clss r=rz GetCredentialsCommand.GetVersionse T..444    t0055 5    t0033 3  rgru)FN)__name__ __module__ __qualname____doc__r>strboolrr_r3rr'r0r2 classmethodrrgr=rr5sm6x$(, 555 5 39% 5n>C>d3i>4*Xrgrc tj||s. tj||t j d||yy#tj j$rYywxYw)aChecks if the Connect Gateway API is enabled for a given project. Prompts the user to enable the API if the API is not enabled. Defaults to "No". Throws an error if the user declines to enable the API. Args: project_id: The ID of the project on which to check/enable the API. service_name: The name of the service to check/enable the API. Raises: memberships_errors.ServiceNotEnabledError: if the user declines to attempt to enable the API. exceptions.GetServicesPermissionDeniedException: if a 403 or 404 error is returned by the Get request. apitools_exceptions.HttpError: Another miscellaneous error with the listing service. api_exceptions.HttpException: API not enabled error if the user chooses to not enable the API. zConnect Gateway APIN)r IsServiceEnabledr PromptToEnableApiroServiceNotEnabledErrorapitools_exceptions RequestError)r8r{s r=r.r.si(  $ $Z >       3 3#\:  ?  # # 0 0   s,AA&%A&N)0r __future__rrrtypingrr+googlecloudsdk.api_lib.cloudresourcemanagerr googlecloudsdk.api_lib.containerr r 5googlecloudsdk.api_lib.container.fleet.connectgatewayr rMrIgooglecloudsdk.api_lib.servicesr googlecloudsdk.api_lib.utilr googlecloudsdk.callioper *googlecloudsdk.command_lib.container.fleetrrvr"rrPr6googlecloudsdk.command_lib.container.fleet.membershipsrro#googlecloudsdk.command_lib.projectsrjgooglecloudsdk.corerrgooglecloudsdk.core.utilrrcrrFr(r#Commandrr.rrgr=rs>&'DCZV6,(NGS@_GD#*.G{ ~H//~B  rg