qontract-reconcile 0.10.1rc1164__py3-none-any.whl → 0.10.1rc1166__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {qontract_reconcile-0.10.1rc1164.dist-info → qontract_reconcile-0.10.1rc1166.dist-info}/METADATA +1 -1
- {qontract_reconcile-0.10.1rc1164.dist-info → qontract_reconcile-0.10.1rc1166.dist-info}/RECORD +9 -9
- reconcile/gitlab_fork_compliance.py +8 -3
- reconcile/queries.py +15 -14
- reconcile/terraform_resources.py +4 -2
- reconcile/utils/terrascript_aws_client.py +24 -40
- {qontract_reconcile-0.10.1rc1164.dist-info → qontract_reconcile-0.10.1rc1166.dist-info}/WHEEL +0 -0
- {qontract_reconcile-0.10.1rc1164.dist-info → qontract_reconcile-0.10.1rc1166.dist-info}/entry_points.txt +0 -0
- {qontract_reconcile-0.10.1rc1164.dist-info → qontract_reconcile-0.10.1rc1166.dist-info}/top_level.txt +0 -0
{qontract_reconcile-0.10.1rc1164.dist-info → qontract_reconcile-0.10.1rc1166.dist-info}/METADATA
RENAMED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: qontract-reconcile
|
|
3
|
-
Version: 0.10.
|
|
3
|
+
Version: 0.10.1rc1166
|
|
4
4
|
Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
|
|
5
5
|
Home-page: https://github.com/app-sre/qontract-reconcile
|
|
6
6
|
Author: Red Hat App-SRE Team
|
{qontract_reconcile-0.10.1rc1164.dist-info → qontract_reconcile-0.10.1rc1166.dist-info}/RECORD
RENAMED
|
@@ -29,7 +29,7 @@ reconcile/github_repo_invites.py,sha256=3GOBGZq1DKMIuyYsDxHqXDnMTWlJfeu248-m3ajf
|
|
|
29
29
|
reconcile/github_repo_permissions_validator.py,sha256=dcbXdUx6imjNchjp3pg9-z1i7lFEGOr_28GvsiwO5Xw,1734
|
|
30
30
|
reconcile/github_users.py,sha256=nfTq78QRONIfDVj-5O3bD6psllJjzWFnog-EJ1WqFPU,3672
|
|
31
31
|
reconcile/github_validator.py,sha256=cVTVxJIGR4a1Jz8wrdXEAb_CMpXUzvykVmUURX4cook,917
|
|
32
|
-
reconcile/gitlab_fork_compliance.py,sha256=
|
|
32
|
+
reconcile/gitlab_fork_compliance.py,sha256=c7UfqSAsW04c1bWJmXXaQDwtUcG4Kb6nCJAyRU2uAuw,4449
|
|
33
33
|
reconcile/gitlab_housekeeping.py,sha256=D0DOqC-xuMBMct04_MI8Lq32OAi_QMvvGLOz_E-77Dw,22482
|
|
34
34
|
reconcile/gitlab_labeler.py,sha256=4xJHmVX155fclrHqkR926sL1GH6RTN5XfZ8PnqNXbRA,4534
|
|
35
35
|
reconcile/gitlab_members.py,sha256=PrJE9OhDRdGG_gHM_77nQojLb4B18jtUu8DxgLsRS88,8417
|
|
@@ -94,7 +94,7 @@ reconcile/quay_mirror.py,sha256=mFp4Z5Nwl-DcFbbsJBOB8f9ldohFT-V67o868d5ux1s,1536
|
|
|
94
94
|
reconcile/quay_mirror_org.py,sha256=utrJpJaKCs7U6WX6DODdfCeB0EmX-lUC8Y5fkmpgFSs,10764
|
|
95
95
|
reconcile/quay_permissions.py,sha256=9KOutS1w4RFQqkvMSy54VtsKNx56-phzP6yI_rEW-B8,4244
|
|
96
96
|
reconcile/quay_repos.py,sha256=cuEYG0HUe0ut5yvLdEwOF5-CmccpXQHRb_wDazvDrvQ,6895
|
|
97
|
-
reconcile/queries.py,sha256=
|
|
97
|
+
reconcile/queries.py,sha256=04Xkm1wVg803ukZ_28Ud6AeiLJGVihl4f_UVoERv9uU,51509
|
|
98
98
|
reconcile/query_validator.py,sha256=MSh5pKLBksws4AqfuvT8nrIGucIbqX-IOzYyPYTLO7k,1491
|
|
99
99
|
reconcile/requests_sender.py,sha256=914iluuF4UVgG3VyxxtnHOu4yf6YKS2fIy6PViSsFTQ,3875
|
|
100
100
|
reconcile/resource_scraper.py,sha256=znXCHrU7YwPfKuxGBiUrV7T1tYtn4vlz9qmZlfy6Flg,2307
|
|
@@ -113,7 +113,7 @@ reconcile/terraform_cloudflare_dns.py,sha256=-aLEe2QnH5cJPu7HWqs-R9NmQ1NlFbcVUm0
|
|
|
113
113
|
reconcile/terraform_cloudflare_resources.py,sha256=pq8Ieo5NmB-dYQ9X2F0s6iEoINMzhiqGw2yQK4ovok4,14980
|
|
114
114
|
reconcile/terraform_cloudflare_users.py,sha256=iyTG5sj20Jg4J4qWJ144KVptfIHGOSfH8wQKxu0imq0,13942
|
|
115
115
|
reconcile/terraform_repo.py,sha256=TKqlodhQGoAtQ6nDm04TNlpx4wpgJ_n4atoUK5Rfd7o,16444
|
|
116
|
-
reconcile/terraform_resources.py,sha256=
|
|
116
|
+
reconcile/terraform_resources.py,sha256=jpBtp6vezq79jQ7rWdk49_mW-PIUFVzFK54ilVSEZFM,19564
|
|
117
117
|
reconcile/terraform_tgw_attachments.py,sha256=09svJG9pAiwWp4aY0xRoQRV90T4ZNwHG3r8flI-ZS_s,18810
|
|
118
118
|
reconcile/terraform_users.py,sha256=HqSm3ev3b8dZ9J6F_phDZB-FQsnlsdeKp9RPoY1cU94,10188
|
|
119
119
|
reconcile/terraform_vpc_peerings.py,sha256=VLSfuO7FvHN5McopRiKoKJDHCmIhYtlJEHv_hxV5kcM,27669
|
|
@@ -727,7 +727,7 @@ reconcile/utils/state.py,sha256=W0_awkLAPX18hNOF_60o73tkPxDUylqbzYNHfl_sDsk,1638
|
|
|
727
727
|
reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
|
|
728
728
|
reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
|
|
729
729
|
reconcile/utils/terraform_client.py,sha256=LjX2U2E0Dglt2S_KA5jWQ_dVC8sPn4FEAh0xW_d6JTk,35953
|
|
730
|
-
reconcile/utils/terrascript_aws_client.py,sha256=
|
|
730
|
+
reconcile/utils/terrascript_aws_client.py,sha256=9-3mmZtiIrpu_uZrPPtSWgf-elbAG6jeureCUzkWQO4,283459
|
|
731
731
|
reconcile/utils/three_way_diff_strategy.py,sha256=oQcHXd9LVhirJfoaOBoHUYuZVGfyL2voKr6KVI34zZE,4833
|
|
732
732
|
reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
|
|
733
733
|
reconcile/utils/vault.py,sha256=pi0PuyopvCq1gW0cldvy1-Ff6bqLUlCKC2MW0sifvSE,15043
|
|
@@ -880,8 +880,8 @@ tools/test/test_qontract_cli.py,sha256=iuzKbQ6ahinvjoQmQLBrG4shey0z-1rB6qCgS8T6d
|
|
|
880
880
|
tools/test/test_saas_promotion_state.py,sha256=dy4kkSSAQ7bC0Xp2CociETGN-2aABEfL6FU5D9Jl00Y,6056
|
|
881
881
|
tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
|
|
882
882
|
tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
|
|
883
|
-
qontract_reconcile-0.10.
|
|
884
|
-
qontract_reconcile-0.10.
|
|
885
|
-
qontract_reconcile-0.10.
|
|
886
|
-
qontract_reconcile-0.10.
|
|
887
|
-
qontract_reconcile-0.10.
|
|
883
|
+
qontract_reconcile-0.10.1rc1166.dist-info/METADATA,sha256=ru93sln6IVHsJ8rmuUw2C1jLSzNMey-obelfXbhXBvU,2213
|
|
884
|
+
qontract_reconcile-0.10.1rc1166.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
|
|
885
|
+
qontract_reconcile-0.10.1rc1166.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
|
|
886
|
+
qontract_reconcile-0.10.1rc1166.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
|
|
887
|
+
qontract_reconcile-0.10.1rc1166.dist-info/RECORD,,
|
|
@@ -5,8 +5,12 @@ from gitlab import GitlabGetError
|
|
|
5
5
|
from gitlab.const import MAINTAINER_ACCESS
|
|
6
6
|
|
|
7
7
|
from reconcile import queries
|
|
8
|
+
from reconcile.typed_queries.app_interface_vault_settings import (
|
|
9
|
+
get_app_interface_vault_settings,
|
|
10
|
+
)
|
|
8
11
|
from reconcile.utils.gitlab_api import GitLabApi
|
|
9
12
|
from reconcile.utils.mr.labels import BLOCKED_BOT_ACCESS
|
|
13
|
+
from reconcile.utils.secret_reader import create_secret_reader
|
|
10
14
|
|
|
11
15
|
LOG = logging.getLogger(__name__)
|
|
12
16
|
|
|
@@ -38,10 +42,11 @@ class GitlabForkCompliance:
|
|
|
38
42
|
self.maintainers_group = maintainers_group
|
|
39
43
|
|
|
40
44
|
self.instance = queries.get_gitlab_instance()
|
|
41
|
-
|
|
45
|
+
vault_settings = get_app_interface_vault_settings()
|
|
46
|
+
self.secret_reader = create_secret_reader(use_vault=vault_settings.vault)
|
|
42
47
|
|
|
43
48
|
self.gl_cli = GitLabApi(
|
|
44
|
-
self.instance, project_id=project_id,
|
|
49
|
+
self.instance, project_id=project_id, secret_reader=self.secret_reader
|
|
45
50
|
)
|
|
46
51
|
self.mr = self.gl_cli.get_merge_request(mr_id)
|
|
47
52
|
|
|
@@ -94,7 +99,7 @@ class GitlabForkCompliance:
|
|
|
94
99
|
self.src = GitLabApi(
|
|
95
100
|
self.instance,
|
|
96
101
|
project_id=self.mr.source_project_id,
|
|
97
|
-
|
|
102
|
+
secret_reader=self.secret_reader,
|
|
98
103
|
)
|
|
99
104
|
except GitlabGetError:
|
|
100
105
|
self.handle_error("access denied for user {bot}", MSG_ACCESS)
|
reconcile/queries.py
CHANGED
|
@@ -102,12 +102,11 @@ APP_INTERFACE_SETTINGS_QUERY = """
|
|
|
102
102
|
readTimeout
|
|
103
103
|
connectTimeout
|
|
104
104
|
}
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
name
|
|
105
|
+
terraformResourcesProviderExclusionsByProvisioner {
|
|
106
|
+
provisioner {
|
|
107
|
+
name
|
|
109
108
|
}
|
|
110
|
-
|
|
109
|
+
excludedProviders
|
|
111
110
|
}
|
|
112
111
|
}
|
|
113
112
|
}
|
|
@@ -2765,13 +2764,12 @@ def get_jenkins_configs():
|
|
|
2765
2764
|
|
|
2766
2765
|
TF_RESOURCES_PROVIDER_EXCLUSIONS_BY_PROVISIONER = """
|
|
2767
2766
|
{
|
|
2768
|
-
|
|
2769
|
-
|
|
2770
|
-
|
|
2771
|
-
|
|
2772
|
-
name
|
|
2767
|
+
tf_provider_exclusions_by_provisioner: app_interface_settings_v1 {
|
|
2768
|
+
terraformResourcesProviderExclusionsByProvisioner {
|
|
2769
|
+
provisioner {
|
|
2770
|
+
name
|
|
2773
2771
|
}
|
|
2774
|
-
|
|
2772
|
+
excludedProviders
|
|
2775
2773
|
}
|
|
2776
2774
|
}
|
|
2777
2775
|
}
|
|
@@ -2783,10 +2781,13 @@ def get_tf_resources_provider_exclusions_by_provisioner() -> (
|
|
|
2783
2781
|
):
|
|
2784
2782
|
gqlapi = gql.get_api()
|
|
2785
2783
|
settings = gqlapi.query(TF_RESOURCES_PROVIDER_EXCLUSIONS_BY_PROVISIONER)[
|
|
2786
|
-
"
|
|
2784
|
+
"tf_provider_exclusions_by_provisioner"
|
|
2787
2785
|
]
|
|
2788
|
-
if
|
|
2789
|
-
|
|
2786
|
+
if (
|
|
2787
|
+
len(settings) == 1
|
|
2788
|
+
and "terraformResourcesProviderExclusionsByProvisioner" in settings[0]
|
|
2789
|
+
):
|
|
2790
|
+
return settings[0]["terraformResourcesProviderExclusionsByProvisioner"]
|
|
2790
2791
|
return None
|
|
2791
2792
|
|
|
2792
2793
|
|
reconcile/terraform_resources.py
CHANGED
|
@@ -266,11 +266,13 @@ def setup(
|
|
|
266
266
|
ocm_map = None
|
|
267
267
|
tf_namespaces_dicts = [ns.dict(by_alias=True) for ns in tf_namespaces]
|
|
268
268
|
|
|
269
|
-
|
|
269
|
+
provider_exclusions_by_provisioner = (
|
|
270
|
+
settings.get("terraformResourcesProviderExclusionsByProvisioner") or []
|
|
271
|
+
)
|
|
270
272
|
ts.init_populate_specs(
|
|
271
273
|
tf_namespaces_dicts,
|
|
272
274
|
account_names,
|
|
273
|
-
|
|
275
|
+
provider_exclusions_by_provisioner=provider_exclusions_by_provisioner,
|
|
274
276
|
)
|
|
275
277
|
tf.populate_terraform_output_secrets(
|
|
276
278
|
resource_specs=ts.resource_spec_inventory, init_rds_replica_source=True
|
|
@@ -9,7 +9,7 @@ import string
|
|
|
9
9
|
import tempfile
|
|
10
10
|
from collections import Counter
|
|
11
11
|
from collections.abc import Iterable, Mapping, MutableMapping
|
|
12
|
-
from dataclasses import dataclass
|
|
12
|
+
from dataclasses import dataclass
|
|
13
13
|
from ipaddress import (
|
|
14
14
|
ip_address,
|
|
15
15
|
ip_network,
|
|
@@ -379,12 +379,6 @@ class ElasticSearchLogGroupInfo:
|
|
|
379
379
|
log_group_identifier: str
|
|
380
380
|
|
|
381
381
|
|
|
382
|
-
@dataclass
|
|
383
|
-
class Exclusion:
|
|
384
|
-
all: bool = False
|
|
385
|
-
provisioners: set[str] = field(default_factory=set)
|
|
386
|
-
|
|
387
|
-
|
|
388
382
|
class ProviderExcludedError(Exception):
|
|
389
383
|
def __init__(self, spec: ExternalResourceSpec) -> None:
|
|
390
384
|
super().__init__(
|
|
@@ -1549,49 +1543,38 @@ class TerrascriptClient: # pylint: disable=too-many-public-methods
|
|
|
1549
1543
|
for spec in specs:
|
|
1550
1544
|
self.populate_tf_resources(spec, ocm_map=ocm_map)
|
|
1551
1545
|
|
|
1552
|
-
def
|
|
1546
|
+
def _get_provisioner_provider_exclusions(
|
|
1553
1547
|
self,
|
|
1554
1548
|
spec: ExternalResourceSpec,
|
|
1555
|
-
|
|
1556
|
-
) ->
|
|
1557
|
-
|
|
1558
|
-
|
|
1559
|
-
|
|
1560
|
-
return e.all or spec.provisioner_name in e.provisioners
|
|
1549
|
+
provider_exclusions_by_provisioner_name: Mapping[str, Iterable[str]],
|
|
1550
|
+
) -> list[str]:
|
|
1551
|
+
return list(
|
|
1552
|
+
provider_exclusions_by_provisioner_name.get(spec.provisioner["name"], [])
|
|
1553
|
+
)
|
|
1561
1554
|
|
|
1562
1555
|
def _filter_specs_managed_by_erv2(
|
|
1563
1556
|
self,
|
|
1564
1557
|
specs: Iterable[ExternalResourceSpec],
|
|
1565
|
-
|
|
1558
|
+
provider_exclusions_by_provisioner_name: Mapping[str, Iterable[str]],
|
|
1566
1559
|
) -> list[ExternalResourceSpec]:
|
|
1567
|
-
filtered_specs = [
|
|
1568
|
-
|
|
1569
|
-
|
|
1560
|
+
filtered_specs: list[ExternalResourceSpec] = []
|
|
1561
|
+
for spec in specs:
|
|
1562
|
+
if spec.resource.get("managed_by_erv2"):
|
|
1563
|
+
continue
|
|
1570
1564
|
|
|
1571
|
-
|
|
1572
|
-
|
|
1565
|
+
if spec.provider in self._get_provisioner_provider_exclusions(
|
|
1566
|
+
spec, provider_exclusions_by_provisioner_name
|
|
1567
|
+
):
|
|
1573
1568
|
raise ProviderExcludedError(spec)
|
|
1574
1569
|
|
|
1570
|
+
filtered_specs.append(spec)
|
|
1575
1571
|
return filtered_specs
|
|
1576
1572
|
|
|
1577
|
-
def _get_provider_exclusions_query_dict(
|
|
1578
|
-
self, provider_exclusions: Iterable[Mapping[str, Any]]
|
|
1579
|
-
) -> dict[str, Exclusion]:
|
|
1580
|
-
return {
|
|
1581
|
-
item["provider"]: Exclusion(
|
|
1582
|
-
all=item.get("excludeAllProvisioners") or False,
|
|
1583
|
-
provisioners={
|
|
1584
|
-
p["name"] for p in (item.get("excludeProvisioners") or [])
|
|
1585
|
-
},
|
|
1586
|
-
)
|
|
1587
|
-
for item in provider_exclusions
|
|
1588
|
-
}
|
|
1589
|
-
|
|
1590
1573
|
def init_populate_specs(
|
|
1591
1574
|
self,
|
|
1592
1575
|
namespaces: Iterable[Mapping[str, Any]],
|
|
1593
1576
|
account_names: Iterable[str] | None,
|
|
1594
|
-
|
|
1577
|
+
provider_exclusions_by_provisioner: Iterable[Mapping[str, Any]] | None = None,
|
|
1595
1578
|
) -> None:
|
|
1596
1579
|
"""
|
|
1597
1580
|
Initiates resource specs from the definitions in app-interface
|
|
@@ -1603,14 +1586,15 @@ class TerrascriptClient: # pylint: disable=too-many-public-methods
|
|
|
1603
1586
|
self.resource_spec_inventory: ExternalResourceSpecInventory = {}
|
|
1604
1587
|
|
|
1605
1588
|
# Ensure provider exclusions are fetched
|
|
1606
|
-
if
|
|
1607
|
-
|
|
1589
|
+
if provider_exclusions_by_provisioner is None:
|
|
1590
|
+
provider_exclusions_by_provisioner = (
|
|
1608
1591
|
queries.get_tf_resources_provider_exclusions_by_provisioner() or []
|
|
1609
1592
|
)
|
|
1610
1593
|
|
|
1611
|
-
|
|
1612
|
-
|
|
1613
|
-
|
|
1594
|
+
provider_exclusions_by_provisioner_name = {
|
|
1595
|
+
p["provisioner"]["name"]: p["excludedProviders"]
|
|
1596
|
+
for p in provider_exclusions_by_provisioner or []
|
|
1597
|
+
}
|
|
1614
1598
|
|
|
1615
1599
|
for namespace_info in namespaces:
|
|
1616
1600
|
all_specs = get_external_resource_specs(
|
|
@@ -1618,7 +1602,7 @@ class TerrascriptClient: # pylint: disable=too-many-public-methods
|
|
|
1618
1602
|
provision_provider=PROVIDER_AWS,
|
|
1619
1603
|
)
|
|
1620
1604
|
specs = self._filter_specs_managed_by_erv2(
|
|
1621
|
-
all_specs,
|
|
1605
|
+
all_specs, provider_exclusions_by_provisioner_name
|
|
1622
1606
|
)
|
|
1623
1607
|
name_counter = Counter(spec.output_resource_name for spec in specs)
|
|
1624
1608
|
duplicates = [name for name, count in name_counter.items() if count > 1]
|
{qontract_reconcile-0.10.1rc1164.dist-info → qontract_reconcile-0.10.1rc1166.dist-info}/WHEEL
RENAMED
|
File without changes
|
|
File without changes
|
|
File without changes
|