@david.fauth It's a bit long. Here is the version that works fine and finds the APOC procedure when run in the browser:
// Inline test fixture standing in for the Kafka payload: two role-binding events for the
// same namespace and cluster. Running both in one batch appears to exercise the revoke path
// at the end of the sub-query (the second event lists no Group or SystemGroup members, so the
// hasAccess edges the first event created for them are candidates for pruning).
WITH [{ name:"RiptideTraining", namespace:"riptide-training", cluster:"kubernetes-ctc-core-nonprod", memberships:[ { name:"henry", type:"User", role:"admin" }, { name:"svcacct-1", type:"ServiceAccount", role:"admin", namespace:"sa-namespace" }, { name : "OSFI_K8S_CSG_ADMIN", role : "admin", type : "Group" },{ name : "system:authenticated", role : "view", type : "SystemGroup" } ] },
{ name:"RiptideTraining", namespace:"riptide-training", cluster:"kubernetes-ctc-core-nonprod", memberships:[ { name:"henry", type:"User", role:"admin" }, { name:"svcacct-1", type:"ServiceAccount", role:"developer", namespace:"sa-namespace" } ] }
] AS events
UNWIND events AS event
// The event is handed to the sub-query as a parameter ({event:event} at the end) and read as
// $event, so the payload never becomes part of the query text.
call apoc.cypher.doIt("
// uuid is evaluated once per event row (the procedure runs once per UNWIND row) and stamped on
// every hasAccess edge written below; the final MATCH/DELETE uses it to separate refreshed
// edges from stale ones.
WITH $event as event, randomUUID() AS uuid
MERGE (namespace:PlatformsContainersNamespace {Name:event.namespace,Cluster:event.cluster})
MERGE (cluster:PlatformsContainersCluster {Name:event.cluster})
// NOTE(review): an undirected MERGE creates the relationship with an unspecified direction when
// none exists. Every pattern in this query is also undirected, so direction is not relied on
// here - confirm no other query matches these edges directionally.
MERGE (namespace)-[:CreatedIn]-(cluster)
// FOREACH over a CASE-built list is the conditional-write idiom: each inner body runs once when
// perm.type matches and zero times otherwise.
FOREACH (perm in event.memberships |
FOREACH ( _ IN case when perm.type = 'User' then [1] else [] end |
MERGE (who:AccountUser {Name:perm.name})
MERGE (who)-[r:hasAccess]-(namespace)
// Both branches stamp the same Runid and Role, so an existing edge is refreshed in place.
ON CREATE set r.Runid = uuid, r.Role = perm.role
ON MATCH set r.Runid = uuid, r.Role = perm.role
)
FOREACH ( _ IN case when perm.type = 'ServiceAccount' then [1] else [] end |
// Service accounts are keyed by name, their own namespace and the cluster, not by name alone.
MERGE (who:PlatformsContainersServiceAccount {Name:perm.name,Namespace:perm.namespace,Cluster:event.cluster})
MERGE (who)-[r:hasAccess]-(namespace)
ON CREATE set r.Runid = uuid, r.Role = perm.role
ON MATCH set r.Runid = uuid, r.Role = perm.role
// The namespace the service account lives in may differ from the one it has access to, so it
// is merged separately here.
MERGE (createnamespace:PlatformsContainersNamespace {Name:perm.namespace,Cluster:event.cluster})
// NOTE(review): createdIn here versus CreatedIn on the namespace-cluster edge above;
// relationship types are case-sensitive, so these are two distinct types - confirm intended.
MERGE (who)-[r2:createdIn]-(createnamespace)
)
FOREACH ( _ IN case when perm.type = 'Group' then [1] else [] end |
MERGE (who:SecurityADGroup {Name:perm.name})
MERGE (who)-[r:hasAccess]-(namespace)
ON CREATE set r.Runid = uuid, r.Role = perm.role
ON MATCH set r.Runid = uuid, r.Role = perm.role
)
FOREACH ( _ IN case when perm.type = 'SystemGroup' then [1] else [] end |
MERGE (who:PlatformsContainersSystemGroup {Name:perm.name,Cluster:event.cluster})
MERGE (who)-[r:hasAccess]-(namespace)
ON CREATE set r.Runid = uuid, r.Role = perm.role
ON MATCH set r.Runid = uuid, r.Role = perm.role
)
)
WITH namespace, uuid
// Revocation: drop every hasAccess edge on this namespace that this run did not stamp, i.e.
// members no longer present in the event. An edge with no Runid at all is kept, because
// null <> uuid evaluates to null and WHERE treats that as false - NOTE(review): confirm no
// other writer creates unstamped hasAccess edges, or they will never be pruned.
MATCH ()-[rd1:hasAccess]-(namespace) WHERE rd1.Runid <> uuid DELETE rd1
",{event:event}) yield value
return value
Here is how that was configured in the neo4j.config file to obtain the data from a Kafka topic rather than hard-coded for the browser testing:
# Kafka sink for the role-bindings topic: the same sub-query as the browser version, collapsed to
# one line because a property value cannot span lines. Each consumed message is bound to $event
# as a parameter ({event:event}), so message content is never spliced into the query text.
# NOTE(review): keep this in sync with the browser version by hand; there is no shared source.
streams.sink.topic.cypher.platforms.kubernetes.rolebindings=call apoc.cypher.doIt(" WITH $event as event, randomUUID() AS uuid MERGE (namespace:PlatformsContainersNamespace {Name:event.namespace,Cluster:event.cluster}) MERGE (cluster:PlatformsContainersCluster {Name:event.cluster}) MERGE (namespace)-[:CreatedIn]-(cluster) FOREACH (perm in event.memberships | FOREACH ( _ IN case when perm.type = 'User' then [1] else [] end | MERGE (who:AccountUser {Name:perm.name}) MERGE (who)-[r:hasAccess]-(namespace) ON CREATE set r.Runid = uuid, r.Role = perm.role ON MATCH set r.Runid = uuid, r.Role = perm.role ) FOREACH ( _ IN case when perm.type = 'ServiceAccount' then [1] else [] end | MERGE (who:PlatformsContainersServiceAccount {Name:perm.name,Namespace:perm.namespace,Cluster:event.cluster}) MERGE (who)-[r:hasAccess]-(namespace) ON CREATE set r.Runid = uuid, r.Role = perm.role ON MATCH set r.Runid = uuid, r.Role = perm.role MERGE (createnamespace:PlatformsContainersNamespace {Name:perm.namespace,Cluster:event.cluster}) MERGE (who)-[r2:createdIn]-(createnamespace) ) FOREACH ( _ IN case when perm.type = 'Group' then [1] else [] end | MERGE (who:SecurityADGroup {Name:perm.name}) MERGE (who)-[r:hasAccess]-(namespace) ON CREATE set r.Runid = uuid, r.Role = perm.role ON MATCH set r.Runid = uuid, r.Role = perm.role ) FOREACH ( _ IN case when perm.type = 'SystemGroup' then [1] else [] end | MERGE (who:PlatformsContainersSystemGroup {Name:perm.name,Cluster:event.cluster}) MERGE (who)-[r:hasAccess]-(namespace) ON CREATE set r.Runid = uuid, r.Role = perm.role ON MATCH set r.Runid = uuid, r.Role = perm.role ) ) WITH namespace, uuid MATCH ()-[rd1:hasAccess]-(namespace) WHERE rd1.Runid <> uuid DELETE rd1 ",{event:event}) yield value return value