qontract-reconcile 0.10.1rc1111__py3-none-any.whl → 0.10.1rc1113__py3-none-any.whl

{qontract_reconcile-0.10.1rc1111.dist-info → qontract_reconcile-0.10.1rc1113.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc1111
+Version: 0.10.1rc1113
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc1111.dist-info → qontract_reconcile-0.10.1rc1113.dist-info}/RECORD

@@ -676,14 +676,13 @@ reconcile/utils/extended_early_exit.py,sha256=QSktrmfw37zSRMNk930tDbQsVeKxaPPPD4
 reconcile/utils/external_resource_spec.py,sha256=bhH_xneFwATdFumTPkiQmcVKYI0gcaWuqV6FpFdf_P0,7006
 reconcile/utils/external_resources.py,sha256=GC4wYuSXwk2ifr3aDEwnEiumaYqWhzgKK-hXp6pXemA,7516
 reconcile/utils/filtering.py,sha256=S4PbMHuFr3ED0P2Q_ea5CAaB7FimI62B-F5YTaKrphA,402
-reconcile/utils/git.py,sha256=JkpbUO10oBTtNHZ1IhjyG6dTOUizc7I5H0vm7NvDVNw,1409
-reconcile/utils/git_secrets.py,sha256=y1rEhwA8DyDpBSAEuhMS7Y2X3mpxT2zQ4zyDFkhLe_g,1936
+reconcile/utils/git.py,sha256=wzVIYAeKlMGW538U1mkJWUI6h_mFRUY4lawh2AR8hw4,2345
 reconcile/utils/github_api.py,sha256=R8OvqyPdnRqvP-Efnv9RvIcbBlb4M0KC4RlbnJMD0Tg,2426
 reconcile/utils/gitlab_api.py,sha256=C1nsHQKKybsmFdaG9vsItBjJm69ym4VWbqbKfAEf7oY,29305
 reconcile/utils/gpg.py,sha256=EKG7_fdMv8BMlV5yUdPiqoTx-KrzmVSEAl2sLkaKwWI,1123
 reconcile/utils/gql.py,sha256=C0thIm_k9MBldfqwHzyqtYZk9sIvMdm9IbbnXLGwjD8,14158
 reconcile/utils/grouping.py,sha256=vr9SFHZ7bqmHYrvYcEZt-Er3-yQYfAAdq5sHLZVmXPY,456
-reconcile/utils/helm.py,sha256=cbvmmdjtfPfHhD5SPqf922P6IKO4Ll9FYiCAIRfQtTk,3830
+reconcile/utils/helm.py,sha256=hr4J_9mBZwbc1FDNfFh4QKAj0h3eLxyTN2Y3UxIRp8U,3893
 reconcile/utils/helpers.py,sha256=k9svgFFZG7H5FvHYY0g5jJyvgvh2UDZxf0Ib221teag,1179
 reconcile/utils/imap_client.py,sha256=h8YDiCSCvroErhpH_-KGYI7Y2WU2Q2oSpuxDFbOkSbY,1989
 reconcile/utils/instrumented_wrappers.py,sha256=eVwMoa6FCrYxLv3RML3WpZF9qKVfCTjMxphgVXG03OM,1073
@@ -819,7 +818,7 @@ reconcile/utils/runtime/sharding.py,sha256=r0ieUtNed7NvknSw6qQrCkKpVXE1shuHGnfFc
 reconcile/utils/saasherder/__init__.py,sha256=3U8plqMAPRE1kjwZ5YnIsYsggTf4_gS7flRUEuXVBAs,343
 reconcile/utils/saasherder/interfaces.py,sha256=C2wrw34OXypshVocAsPrVZsSHptgw4g9u7Haa2wulZQ,9087
 reconcile/utils/saasherder/models.py,sha256=z8ln03zi2a8cu716NcNUDHp8Dv1VcVbhqdWVxCl7x9A,10148
-reconcile/utils/saasherder/saasherder.py,sha256=dG7Qw4lMkU-3YMKZDNnXBdJQV9kdfVe984R_8iwR_eU,85333
+reconcile/utils/saasherder/saasherder.py,sha256=t7dqcXj9FFULROG_gUmdoSNQOLKfhdlquzwxw710yOA,85358
 reconcile/utils/terraform/__init__.py,sha256=zNbiyTWo35AT1sFTElL2j_AA0jJ_yWE_bfFn-nD2xik,250
 reconcile/utils/terraform/config.py,sha256=5UVrd563TMcvi4ooa5JvWVDW1I3bIWg484u79evfV_8,164
 reconcile/utils/terraform/config_client.py,sha256=gRL1rQ0AqvShei_rcGqC3HDYGskOFKE1nPrJyJE9yno,4676
@@ -870,8 +869,8 @@ tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jr
 tools/test/test_saas_promotion_state.py,sha256=dy4kkSSAQ7bC0Xp2CociETGN-2aABEfL6FU5D9Jl00Y,6056
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc1111.dist-info/METADATA,sha256=MRxULyQA4iDeQKW4d2ofSRt-E4W28UKdZFgCRYKINCs,2213
-qontract_reconcile-0.10.1rc1111.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
-qontract_reconcile-0.10.1rc1111.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc1111.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc1111.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc1113.dist-info/METADATA,sha256=LJxCt1WmYLBNl5XvtV_mNedg6BB6ETu4q7Ojm8WUfaE,2213
+qontract_reconcile-0.10.1rc1113.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
+qontract_reconcile-0.10.1rc1113.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc1113.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc1113.dist-info/RECORD,,

reconcile/utils/git.py

@@ -19,11 +19,45 @@ def clone(repo_url, wd, depth=None, verify=True):
         raise GitError(f"git clone failed: {repo_url}")
 
 
-def checkout(commit, wd):
-    cmd = ["git", "checkout", commit]
-    result = subprocess.run(cmd, cwd=wd, capture_output=True, check=False)
+def rev_parse(ref: str, wd: str) -> str:
+    cmd = ["git", "rev-parse", ref]
+    result = subprocess.run(cmd, cwd=wd, capture_output=True, text=True, check=True)
+    return result.stdout.strip()
+
+
+def is_current_ref(ref: str, wd: str) -> bool:
+    return rev_parse("HEAD", wd) == rev_parse(ref, wd)
+
+
+def fetch(
+    ref: str,
+    wd: str,
+    remote: str = "origin",
+    depth: int | None = None,
+    verify: bool = True,
+):
+    cmd = ["git"]
+    if not verify:
+        cmd += ["-c", "http.sslVerify=false"]
+    cmd += ["fetch", remote, ref]
+    if depth:
+        cmd += ["--depth", str(depth)]
+    result = subprocess.run(cmd, cwd=wd, capture_output=True, text=True, check=False)
+    if result.returncode != 0:
+        raise GitError(f"git fetch failed for {ref}: {result.stderr}")
+
+
+def checkout(
+    ref: str,
+    wd: str,
+    verify: bool = True,
+):
+    if not is_current_ref(ref, wd):
+        fetch(ref, wd, depth=1, verify=verify)
+    cmd = ["git", "checkout", ref]
+    result = subprocess.run(cmd, cwd=wd, capture_output=True, text=True, check=False)
     if result.returncode != 0:
-        raise GitError(f"git checkout failed: {commit}")
+        raise GitError(f"git checkout failed for {ref}: {result.stderr}")
 
 
 def is_file_in_git_repo(file_path):

reconcile/utils/helm.py

@@ -108,12 +108,14 @@ def template(
 def template_all(
     url: str,
     path: str,
+    ref: str,
     namespace: str,
     values: Mapping[str, Any],
     ssl_verify: bool = True,
 ) -> Iterable[Mapping[str, Any]]:
     with tempfile.TemporaryDirectory() as wd:
         git.clone(url, wd, depth=1, verify=ssl_verify)
+        git.checkout(ref, wd, verify=ssl_verify)
         return yaml.safe_load_all(
             do_template(values=values, path=f"{wd}{path}", namespace=namespace)
         )

reconcile/utils/saasherder/saasherder.py

@@ -979,6 +979,7 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
             resources = helm.template_all(
                 url=url,
                 path=path,
+                ref=ref,
                 namespace=spec.target.namespace.name,
                 values=consolidated_parameters,
                 ssl_verify=ssl_verify,

reconcile/utils/git_secrets.py

@@ -1,63 +0,0 @@
-import logging
-import os
-import subprocess
-import tempfile
-
-import requests
-from sretoolbox.utils import retry
-
-from reconcile.utils import git
-
-
-@retry()
-def scan_history(repo_url, existing_keys):
-    logging.info(f"scanning {repo_url}")
-    if requests.get(repo_url, timeout=60).status_code == 404:
-        logging.info(f"not found {repo_url}")
-        return []
-
-    with tempfile.TemporaryDirectory() as wd:
-        git.clone(repo_url, wd)
-        subprocess.run(["git", "secrets", "--install"], check=False, cwd=wd)
-        result = subprocess.run(
-            ["git", "secrets", "--scan-history"],
-            capture_output=True,
-            check=False,
-            cwd=wd,
-        )
-        if result.returncode == 0:
-            return []
-        logging.info(f"found suspects in {repo_url}")
-        suspected_files = get_suspected_files(result.stderr.decode("utf-8"))
-        leaked_keys = get_leaked_keys(wd, suspected_files, existing_keys)
-        if leaked_keys:
-            logging.info(f"found suspected leaked keys: {leaked_keys}")
-        return leaked_keys
-
-
-def get_suspected_files(error):
-    suspects = []
-    for e in error.split("\n"):
-        if not e:
-            break
-        if e.startswith("warning"):
-            continue
-        commit_path_split = e.split(" ")[0].split(":")
-        commit, path = commit_path_split[0], commit_path_split[1]
-
-        suspects.append((commit, path))
-    return set(suspects)
-
-
-def get_leaked_keys(repo_wd, suspected_files, existing_keys):
-    all_leaked_keys = []
-    for s in suspected_files:
-        commit, file_relative_path = s[0], s[1]
-        git.checkout(commit, repo_wd)
-        file_path = os.path.join(repo_wd, file_relative_path)
-        with open(file_path, encoding="locale") as f:
-            content = f.read()
-        leaked_keys = [key for key in existing_keys if key in content]
-        all_leaked_keys.extend(leaked_keys)
-
-    return all_leaked_keys