Allow direct communication with Openshift Quota API

The Openshift allocator will now only make the minimal
`resourcequota` object for each namespace, with no
support for scopes.

Most of the integration code and test cases have been
adapted from `openshift-acct-mgt`. Notable exclusions
were any code pertaining to the `quota.json`[1] and
`limits.json`[2].

[1] https://github.com/CCI-MOC/openshift-acct-mgt/blob/master/k8s/base/quotas.json
[2] https://github.com/CCI-MOC/openshift-acct-mgt/blob/master/k8s/base/limits.json

Author: QuanMPhm

src/coldfront_plugin_cloud/attributes.py

@@ -18,8 +18,8 @@ class CloudAllocationAttribute:
     is_changeable: bool = True
 
 
-RESOURCE_API_URL = 'OpenShift API Endpoint URL'
 RESOURCE_AUTH_URL = 'Identity Endpoint URL'
+RESOURCE_API_URL = 'OpenShift API Endpoint URL'
 RESOURCE_IDENTITY_NAME = 'OpenShift Identity Provider Name'
 RESOURCE_ROLE = 'Role for User in Project'
 
@@ -33,8 +33,8 @@ class CloudAllocationAttribute:
 RESOURCE_EULA_URL = "EULA URL"
 
 RESOURCE_ATTRIBUTES = [
-    CloudResourceAttribute(name=RESOURCE_API_URL),
     CloudResourceAttribute(name=RESOURCE_AUTH_URL),
+    CloudResourceAttribute(name=RESOURCE_API_URL),
     CloudResourceAttribute(name=RESOURCE_IDENTITY_NAME),
     CloudResourceAttribute(name=RESOURCE_FEDERATION_PROTOCOL),
     CloudResourceAttribute(name=RESOURCE_IDP),

src/coldfront_plugin_cloud/openshift.py

@@ -36,12 +36,12 @@ def clean_openshift_metadata(obj):
     return obj
 
 QUOTA_KEY_MAPPING = {
-    attributes.QUOTA_LIMITS_CPU: lambda x: {":limits.cpu": f"{x * 1000}m"},
-    attributes.QUOTA_LIMITS_MEMORY: lambda x: {":limits.memory": f"{x}Mi"},
-    attributes.QUOTA_LIMITS_EPHEMERAL_STORAGE_GB: lambda x: {":limits.ephemeral-storage": f"{x}Gi"},
-    attributes.QUOTA_REQUESTS_STORAGE: lambda x: {":requests.storage": f"{x}Gi"},
-    attributes.QUOTA_REQUESTS_GPU: lambda x: {":requests.nvidia.com/gpu": f"{x}"},
-    attributes.QUOTA_PVC: lambda x: {":persistentvolumeclaims": f"{x}"},
+    attributes.QUOTA_LIMITS_CPU: lambda x: {"limits.cpu": f"{x * 1000}m"},
+    attributes.QUOTA_LIMITS_MEMORY: lambda x: {"limits.memory": f"{x}Mi"},
+    attributes.QUOTA_LIMITS_EPHEMERAL_STORAGE_GB: lambda x: {"limits.ephemeral-storage": f"{x}Gi"},
+    attributes.QUOTA_REQUESTS_STORAGE: lambda x: {"requests.storage": f"{x}Gi"},
+    attributes.QUOTA_REQUESTS_GPU: lambda x: {"requests.nvidia.com/gpu": f"{x}"},
+    attributes.QUOTA_PVC: lambda x: {"persistentvolumeclaims": f"{x}"},
 }
 
 
@@ -146,20 +146,64 @@ def create_project(self, suggested_project_name):
         project_name = project_id
         self._create_project(project_name, project_id)
         return self.Project(project_name, project_id)
+    
+    def delete_moc_quotas(self, project_id):
+        """deletes all resourcequotas from an openshift project"""
+        resourcequotas = self._openshift_get_resourcequotas(project_id)
+        for resourcequota in resourcequotas:
+            self._openshift_delete_resourcequota(project_id, resourcequota["metadata"]["name"])
+
+        logger.info(f"All quotas for {project_id} successfully deleted")
 
     def set_quota(self, project_id):
-        url = f"{self.auth_url}/projects/{project_id}/quota"
-        payload = dict()
+        """Sets the quota for a project, creating a minimal resourcequota
+        object in the project namespace with no extra scopes"""
+
+        quota_spec = {}
         for key, func in QUOTA_KEY_MAPPING.items():
             if (x := self.allocation.get_attribute(key)) is not None:
-                payload.update(func(x))
-        r = self.session.put(url, data=json.dumps({'Quota': payload}))
-        self.check_response(r)
+                quota_spec.update(func(x))
+
+        quota_def = {
+            "metadata": {"name": f"{project_id}-project"},
+            "spec": {"hard": quota_spec},
+        }
+
+        self.delete_moc_quotas(project_id)
+        self._openshift_create_resourcequota(project_id, quota_def)
+
+        logger.info(f"Quota for {project_id} successfully created")
+
+    def _get_moc_quota_from_resourcequotas(self, project_id):
+        """This returns a dictionary suitable for merging in with the
+        specification from Adjutant/ColdFront"""
+        resourcequotas = self._openshift_get_resourcequotas(project_id)
+        moc_quota = {}
+        for rq in resourcequotas:
+            name, spec = rq["metadata"]["name"], rq["spec"]
+            logger.info(f"processing resourcequota: {project_id}:{name}")
+            scope_list = spec.get("scopes", [""])
+            for quota_name, quota_value in spec.get("hard", {}).items():
+                for scope_item in scope_list:
+                    moc_quota_name = f"{scope_item}:{quota_name}"
+                    moc_quota.setdefault(moc_quota_name, quota_value)
+        return moc_quota
 
     def get_quota(self, project_id):
-        url = f"{self.auth_url}/projects/{project_id}/quota"
-        r = self.session.get(url)
-        return self.check_response(r)
+        quota_from_project = self._get_moc_quota_from_resourcequotas(project_id)
+
+        quota = {}
+        for quota_name, quota_value in quota_from_project.items():
+            if quota_value:
+                quota[quota_name] = quota_value
+
+        quota_object = {
+            "Version": "0.9",
+            "Kind": "MocQuota",
+            "ProjectName": project_id,
+            "Quota": quota,
+        }
+        return quota_object
 
     def create_project_defaults(self, project_id):
         pass
@@ -297,3 +341,48 @@ def _openshift_useridentitymapping_exists(self, user_name, id_user):
             for identity in user.get("identities", [])
         )
 
+    def _openshift_get_project(self, project_name):
+        api = self.get_resource_api(API_PROJECT, "Project")
+        return clean_openshift_metadata(api.get(name=project_name).to_dict())
+
+    def _openshift_get_resourcequotas(self, project_id):
+        """Returns a list of all of the resourcequota objects"""
+        # Raise a NotFound error if the project doesn't exist
+        self._openshift_get_project(project_id)
+        api = self.get_resource_api(API_CORE, "ResourceQuota")
+        res = clean_openshift_metadata(api.get(namespace=project_id).to_dict())
+
+        return res["items"]
+    
+    def _wait_for_quota_to_settle(self, project_id, resource_quota):
+        """Wait for quota on resourcequotas to settle.
+
+        When creating a new resourcequota that sets a quota on resourcequota objects, we need to
+        wait for OpenShift to calculate the quota usage before we attempt to create any new
+        resourcequota objects.
+        """
+
+        if "resourcequotas" in resource_quota["spec"]["hard"]:
+            logger.info("waiting for resourcequota quota")
+
+            api = self.get_resource_api(API_CORE, "ResourceQuota")
+            while True:
+                resp = clean_openshift_metadata(
+                    api.get(
+                        namespace=project_id, name=resource_quota["metadata"]["name"]
+                    ).to_dict()
+                )
+                if "resourcequotas" in resp["status"].get("used", {}):
+                    break
+                time.sleep(0.1)
+    
+    def _openshift_create_resourcequota(self, project_id, quota_def):
+        api = self.get_resource_api(API_CORE, "ResourceQuota")
+        res = api.create(namespace=project_id, body=quota_def).to_dict()
+        self._wait_for_quota_to_settle(project_id, res)
+    
+    def _openshift_delete_resourcequota(self, project_id, resourcequota_name):
+        """In an openshift namespace {project_id) delete a specified resourcequota"""
+        api = self.get_resource_api(API_CORE, "ResourceQuota")
+        return api.delete(namespace=project_id, name=resourcequota_name).to_dict()
+    

src/coldfront_plugin_cloud/tests/unit/openshift/test_quota.py

@@ -0,0 +1,101 @@
+from unittest import mock
+
+from coldfront_plugin_cloud.tests import base
+from coldfront_plugin_cloud.openshift import OpenShiftResourceAllocator
+
+
+class TestOpenshiftQuota(base.TestBase):
+    def setUp(self) -> None:
+        mock_resource = mock.Mock()
+        mock_allocation = mock.Mock()
+        self.allocator = OpenShiftResourceAllocator(mock_resource, mock_allocation)
+        self.allocator.id_provider = "fake_idp"
+        self.allocator.k8_client = mock.Mock()
+
+    @mock.patch("coldfront_plugin_cloud.openshift.OpenShiftResourceAllocator._openshift_get_project", mock.Mock())
+    def test_get_resourcequotas(self):
+        fake_quota = mock.Mock(spec=["to_dict"])
+        fake_quota.to_dict.return_value = {"items": []}
+        self.allocator.k8_client.resources.get.return_value.get.return_value = fake_quota
+        res = self.allocator._openshift_get_resourcequotas("fake-project")
+        self.allocator.k8_client.resources.get.return_value.get.assert_called()
+        assert res == []
+
+
+    def test_delete_quota(self):
+        fake_quota = mock.Mock(spec=["to_dict"])
+        fake_quota.to_dict.return_value = {}
+        self.allocator.k8_client.resources.get.return_value.delete.return_value = fake_quota
+        res = self.allocator._openshift_delete_resourcequota("test-project", "test-quota")
+        self.allocator.k8_client.resources.get.return_value.delete.assert_called()
+        assert res == {}
+
+
+    @mock.patch("coldfront_plugin_cloud.openshift.OpenShiftResourceAllocator._openshift_get_resourcequotas")
+    def test_delete_moc_quota(self, fake_get_resourcequotas):
+        fake_get_resourcequotas.return_value = [{"metadata": {"name": "fake-quota"}}]
+        self.allocator.delete_moc_quotas("test-project")
+        self.allocator.k8_client.resources.get.return_value.delete.assert_any_call(
+            namespace="test-project", name="fake-quota"
+        )
+
+
+    @mock.patch("coldfront_plugin_cloud.openshift.OpenShiftResourceAllocator._wait_for_quota_to_settle")
+    def test_create_shift_quotas(self, fake_wait_quota):
+        quotadefs = {
+            "metadata": {"name": "fake-project-project"},
+            "spec": {"hard": {"configmaps": "1", "cpu": "1", "resourcequotas": "1"}},
+        }
+
+        self.allocator.k8_client.resources.get.return_value.create.return_value = mock.Mock()
+
+        self.allocator._openshift_create_resourcequota("fake-project", quotadefs)
+
+        self.allocator.k8_client.resources.get.return_value.create.assert_called_with(
+            namespace="fake-project",
+            body={
+                "metadata": {"name": "fake-project-project"},
+                "spec": {"hard": {"configmaps": "1", "cpu": "1", "resourcequotas": "1"}},
+            },
+        )
+
+        fake_wait_quota.assert_called()
+
+
+    def test_wait_for_quota_to_settle(self):
+        fake_quota = mock.Mock(spec=["to_dict"])
+        fake_quota.to_dict.return_value = {
+            "metadata": {"name": "fake-quota"},
+            "spec": {"hard": {"resourcequotas": "1"}},
+            "status": {"used": {"resourcequotas": "1"}},
+        }
+        self.allocator.k8_client.resources.get.return_value.get.return_value = fake_quota
+
+        self.allocator._wait_for_quota_to_settle("fake-project", fake_quota.to_dict())
+
+        self.allocator.k8_client.resources.get.return_value.get.assert_called_with(
+            namespace="fake-project",
+            name="fake-quota",
+        )
+
+    @mock.patch("coldfront_plugin_cloud.openshift.OpenShiftResourceAllocator._get_moc_quota_from_resourcequotas")
+    def test_get_moc_quota(self, fake_get_quota):
+        fake_get_quota.return_value = {
+            ":services": {"value": "2"},
+            ":configmaps": {"value": None},
+            ":cpu": {"value": "1000"},
+        }
+        res = self.allocator.get_quota("fake-project")
+        assert res == {
+            "Version": "0.9",
+            "Kind": "MocQuota",
+            "ProjectName": "fake-project",
+            "Quota": {
+                ":services": {"value": "2"},
+                ":configmaps": {"value": None},
+                ":cpu": {"value": "1000"},
+            },
+        }
+
+
+