qontract-reconcile 0.10.1rc1201__py3-none-any.whl → 0.10.2.dev1__py3-none-any.whl

reconcile/test/test_openshift_cluster_bots.py

@@ -1,240 +0,0 @@
-import base64
-from collections.abc import Callable
-from subprocess import CalledProcessError
-from typing import Any
-from unittest.mock import MagicMock
-from urllib.error import URLError
-
-import pytest
-from pytest_mock import MockerFixture
-
-import reconcile.openshift_cluster_bots as ocb
-from reconcile.gql_definitions.openshift_cluster_bots.clusters import (
-    ClusterV1,
-    VaultSecret,
-)
-
-
-def vault_secret(path: str, field: str) -> VaultSecret:
-    return VaultSecret(path=path, field=field, version=None, format=None)
-
-
-def vault_secret_dict(path: str, field: str) -> dict[str, str | None]:
-    return vault_secret(path=path, field=field).dict(by_alias=True)
-
-
-@pytest.fixture
-def secret() -> VaultSecret:
-    return vault_secret(path="app-sre/bot", field="token")
-
-
-@pytest.fixture
-def admin_secret() -> VaultSecret:
-    return vault_secret(path="app-sre/admin-bot", field="token")
-
-
-@pytest.fixture
-def cluster(
-    gql_class_factory: Callable[..., ClusterV1],
-) -> Callable[..., ClusterV1]:
-    def builder(
-        server_url: str = "",
-        secret: dict | None = None,
-        admin: bool | None = None,
-        admin_secret: dict | None = None,
-        ocm: bool = True,
-    ) -> ClusterV1:
-        ocm_data = {
-            "name": "ocm-production",
-            "environment": {
-                "name": "ocm-production",
-                "url": "https://api.openshift.com",
-                "accessTokenClientId": "ocm-client-id",
-                "accessTokenUrl": "https://sso.com/openid/token",
-                "accessTokenClientSecret": vault_secret_dict(
-                    path="ocm/creds", field="client_secret"
-                ),
-            },
-            "orgId": "ocm-org-id",
-            "accessTokenClientId": "ocm-client-id",
-            "accessTokenUrl": "https://sso.com/openid/token",
-            "accessTokenClientSecret": vault_secret_dict(
-                path="ocm/creds", field="client_secret"
-            ),
-        }
-        return gql_class_factory(
-            ClusterV1,
-            {
-                "name": "cluster",
-                "serverUrl": server_url,
-                "ocm": ocm_data if ocm else None,
-                "automationToken": secret,
-                "clusterAdmin": admin,
-                "clusterAdminAutomationToken": admin_secret,
-                "disable": None,
-            },
-        )
-
-    return builder
-
-
-def test_cluster_misses_bot_tokens(
-    cluster: Callable, secret: VaultSecret, admin_secret: VaultSecret
-) -> None:
-    assert ocb.cluster_misses_bot_tokens(cluster())
-    assert not ocb.cluster_misses_bot_tokens(cluster(secret=secret))
-    assert ocb.cluster_misses_bot_tokens(cluster(secret=secret, admin=True))
-    assert not ocb.cluster_misses_bot_tokens(
-        cluster(secret=secret, admin=True, admin_secret=admin_secret)
-    )
-
-
-def test_cluster_is_reachable(mocker: MockerFixture, cluster: Callable) -> None:
-    assert not ocb.cluster_is_reachable(cluster(server_url=""))
-    urlopen_mock = mocker.patch(
-        "reconcile.openshift_cluster_bots.urllib.request.urlopen", autospec=True
-    )
-    c = cluster(server_url="https://my.api")
-    urlopen_mock.return_value.getcode.return_value = 200
-    assert ocb.cluster_is_reachable(c)
-
-    urlopen_mock.return_value.getcode.return_value = 404
-    assert not ocb.cluster_is_reachable(c)
-
-    urlopen_mock.return_value = None
-    assert not ocb.cluster_is_reachable(c)
-
-    urlopen_mock.side_effect = URLError(reason="something")
-    assert not ocb.cluster_is_reachable(c)
-
-
-def test_oc(mocker: MockerFixture) -> None:
-    run_mock = mocker.patch(
-        "reconcile.openshift_cluster_bots.subprocess.run", autospec=True
-    )
-    ret_mock = run_mock.return_value
-
-    args: list = ["kc", "ns", ["cmd", "attr"]]
-    run_args: list = [
-        "oc",
-        "--kubeconfig",
-        "kc",
-        "-n",
-        "ns",
-        "-o",
-        "json",
-        "cmd",
-        "attr",
-    ]
-    run_kwargs = {"input": None, "check": True, "capture_output": True}
-    ret_mock.stdout = None
-    assert ocb.oc(*args) is None
-    run_mock.assert_called_once_with(run_args, **run_kwargs)
-
-    ret_mock.stdout = b"{}"
-    assert ocb.oc(*args) == {}
-
-    ret_mock.stdout = b""
-    assert ocb.oc(*args) is None
-
-    run_mock.side_effect = CalledProcessError(returncode=4, cmd="oc")
-    with pytest.raises(CalledProcessError):
-        ocb.oc(*args)
-
-
-def test_retrieve_token(mocker: MockerFixture) -> None:
-    oc_mock = mocker.patch("reconcile.openshift_cluster_bots.oc", autospec=True)
-    # avoid waiting during retries
-    mocker.patch("sretoolbox.utils.retry.time.sleep")
-
-    oc_mock.return_value = {}
-    with pytest.raises(ocb.TokenNotReadyException):
-        ocb.retrieve_token("kc", "ns", "sa")
-    assert oc_mock.call_count == 3
-
-    oc_mock.return_value = {"data": {"token": base64.b64encode(b"Got It!")}}
-    assert ocb.retrieve_token("kc", "ns", "sa") == "Got It!"
-
-
-@pytest.fixture
-def integ_params() -> dict[str, Any]:
-    return {
-        "gitlab_project_id": "000",
-        "vault_creds_path": "/vault/path",
-        "dedicated_admin_ns": "dedicated-admin-ns",
-        "dedicated_admin_sa": "dedicated-admin-sa",
-        "cluster_admin_ns": "cluster-admin-ns",
-        "cluster_admin_sa": "cluster-admin-sa",
-        "dry_run": False,
-    }
-
-
-class Mocks:
-    def __init__(self, oc: MagicMock, vault: MagicMock, submit_mr: MagicMock) -> None:
-        self.oc = oc
-        self.vault = vault
-        self.submit_mr = submit_mr
-
-
-def _setup_mocks(mocker: MockerFixture, filtered_clusters: list[ClusterV1]) -> Mocks:
-    mocker.patch("reconcile.openshift_cluster_bots.gql")
-    mocker.patch("reconcile.openshift_cluster_bots.clusters_gql")
-    filter_clusters = mocker.patch(
-        "reconcile.openshift_cluster_bots.filter_clusters", autospec=True
-    )
-    filter_clusters.return_value = filtered_clusters
-    # avoid waiting during retries
-    mocker.patch("sretoolbox.utils.retry.time.sleep")
-    ocm_map = mocker.patch("reconcile.openshift_cluster_bots.OCMMap", autospec=True)
-    get_ocm_map = mocker.patch(
-        "reconcile.openshift_cluster_bots.get_ocm_map", autospec=True
-    )
-    get_ocm_map.return_value = ocm_map
-    mocker.patch("reconcile.openshift_cluster_bots.tempfile", autospec=True)
-    oc = mocker.patch("reconcile.openshift_cluster_bots.oc", autospec=True)
-    vault = mocker.patch("reconcile.openshift_cluster_bots.VaultClient")
-    submit_mr = mocker.patch(
-        "reconcile.openshift_cluster_bots.submit_mr", autospec=True
-    )
-    return Mocks(oc, vault, submit_mr)
-
-
-def test_run_nothing_to_do(mocker: MockerFixture, integ_params: dict[str, Any]) -> None:
-    _setup_mocks(mocker, filtered_clusters=[])
-    with pytest.raises(SystemExit):
-        ocb.run(**integ_params)
-
-
-def test_run_dry_run(
-    mocker: MockerFixture, integ_params: dict[str, Any], cluster: Callable
-) -> None:
-    integ_params["dry_run"] = True
-    mocks = _setup_mocks(mocker, filtered_clusters=[cluster(server_url="https://api")])
-    ocb.run(**integ_params)
-    mocks.oc.assert_not_called()
-    mocks.vault.assert_not_called()
-    mocks.submit_mr.assert_not_called()
-
-
-def test_run_no_cluster_admin(
-    mocker: MockerFixture, integ_params: dict[str, Any], cluster: Callable
-) -> None:
-    mocks = _setup_mocks(mocker, filtered_clusters=[cluster(server_url="https://api")])
-    mocks.oc.return_value = {"data": {"token": base64.b64encode(b"mytoken")}}
-    ocb.run(**integ_params)
-    assert mocks.oc.call_count == 3
-    mocks.vault.assert_called_once()
-    mocks.submit_mr.assert_called_once()
-
-
-def test_run_cluster_admin(
-    mocker: MockerFixture, integ_params: dict[str, Any], cluster: Callable
-) -> None:
-    mocks = _setup_mocks(
-        mocker, filtered_clusters=[cluster(server_url="https://api", admin=True)]
-    )
-    mocks.oc.return_value = {"data": {"token": base64.b64encode(b"mytoken")}}
-    ocb.run(**integ_params)
-    assert mocks.oc.call_count == 8
-    mocks.vault.assert_called_once()
-    mocks.submit_mr.assert_called_once()

reconcile/test/test_openshift_namespace_labels.py

@@ -1,344 +0,0 @@
-from dataclasses import dataclass
-from unittest import TestCase
-from unittest.mock import (
-    Mock,
-    call,
-    create_autospec,
-    patch,
-)
-
-from reconcile import openshift_namespace_labels
-from reconcile.gql_definitions.common.app_interface_vault_settings import (
-    AppInterfaceSettingsV1,
-)
-from reconcile.gql_definitions.common.namespaces import NamespaceV1
-from reconcile.openshift_namespace_labels import state_key
-from reconcile.test.fixtures import Fixtures
-from reconcile.utils.oc_map import OCMap
-from reconcile.utils.secret_reader import SecretReaderBase
-
-fxt = Fixtures("openshift_namespace_labels")
-
-
-def load_namespace(name: str) -> NamespaceV1:
-    content = fxt.get_anymarkup(name)
-    return NamespaceV1(**content)
-
-
-@dataclass
-class NS:
-    """
-    Simple utility class holding test information about current,
-    desired and managed labels for a single cluster/namespace. It allows to
-    simplify the test data creation.
-    Some methods are there to convert this data into GQL, State or OC outputs.
-    """
-
-    cluster: str
-    name: str
-    current: dict[str, str] | None
-    managed: list[str] | None
-    desired: dict[str, str]
-    exists: bool = True
-
-    def data(self):
-        """Get typed namespace data"""
-        namespace = load_namespace(f"{self.name}.yml")
-        namespace.name = self.name
-        namespace.cluster.name = self.cluster
-        if self.desired is not None:
-            namespace.labels = self.desired
-        return namespace
-
-    def oc_get_all(self):
-        """Get this namespace as an output of oc get namespace"""
-        if not self.exists:
-            return None
-        d = {"metadata": {"name": self.name}}
-        if self.current:
-            d["metadata"]["labels"] = self.current
-        return d
-
-    def state_key(self):
-        """Get the managed state key for this namespace"""
-        return state_key(self.cluster, self.name)
-
-
-# Some shortcuts
-c1, c2 = "cluster1", "cluster2"
-k1v1, k2v2, k3v3, k1v2 = {"k1": "v1"}, {"k2": "v2"}, {"k3": "v3"}, {"k1": "v2"}
-k1v1_k2v2, k2v3_k3v3 = {"k1": "v1", "k2": "v2"}, {"k2": "v3", "k3": "v3"}
-k1, k2, k1_k2, k2_k3 = ["k1"], ["k2"], ["k1", "k2"], ["k2", "k3"]
-k1_k2_k3 = ["k1", "k2", "k3"]
-
-
-def run_integration(
-    dry_run=False,
-    thread_pool_size=1,
-    internal=None,
-    use_jump_host=True,
-    raise_errors=True,
-):
-    """Calls the integration with sensible overridable defaults"""
-    openshift_namespace_labels.run(
-        dry_run=dry_run,
-        thread_pool_size=thread_pool_size,
-        internal=internal,
-        use_jump_host=use_jump_host,
-        raise_errors=raise_errors,
-    )
-
-
-class TestOpenshiftNamespaceLabels(TestCase):
-    """
-    This test case class runs the full openshift-namespace-labels integration
-    in several cases. For this we mock OC, State and GQL queries, patching them
-    with functions that use the individual tests data from self.test_ns.
-    This allows to code teh mock logic only once.
-    """
-
-    def _get_namespaces(self):
-        """Mock get_namespaces() by returning our test data"""
-        return [ns.data() for ns in self.test_ns]
-
-    def _oc_map_clusters(self):
-        """Mock OCMap.clusters() by listing clusters in our test data"""
-        return list({ns.cluster for ns in self.test_ns if ns.exists})
-
-    def _oc_map_get(self, cluster):
-        """Mock OCMap.get() by getting namespaces from our test data"""
-        oc = self.oc_clients.setdefault(cluster, Mock(name=f"oc_{cluster}"))
-        ns = [
-            ns.oc_get_all()
-            for ns in self.test_ns
-            if ns.exists and ns.cluster == cluster
-        ]
-        oc.get_all.return_value = {"items": ns}
-        return oc
-
-    def _state_ls(self):
-        """Mock State.ls() by getting state keys from our test data"""
-        return [f"/{ns.state_key()}" for ns in self.test_ns if ns.managed is not None]
-
-    def _ns_from_key(self, key):
-        """Get a namespace from test data, matching the provided state key"""
-        for ns in self.test_ns:
-            if key == ns.state_key():
-                return ns
-        return None
-
-    def _state_get(self, key, default):
-        """Mock State.get() by getting managed state from our test data"""
-        ns = self._ns_from_key(key)
-        if ns is not None:
-            return ns.managed
-        return default
-
-    # We could avoid implementing this method.
-    # We just ensure it is called with correct parameters
-    def _state_add(self, key, value=None, force=False):
-        """Mock State.add() by updating our test data"""
-        ns = self._ns_from_key(key)
-        self.assertIsNotNone(ns)
-        ns.managed = value
-
-    def setUp(self):
-        """Setup GQL, State and Openshift mocks, using self.test_ns data"""
-        self.test_ns = []
-        self.oc_clients = {}
-
-        module = "reconcile.openshift_namespace_labels"
-
-        self.queries_patcher = patch("reconcile.queries")
-        self.queries = self.queries_patcher.start()
-
-        self.namespaces_patcher = patch(f"{module}.get_namespaces")
-        self.namespaces = self.namespaces_patcher.start()
-        self.namespaces.side_effect = self._get_namespaces
-
-        vault_settings = AppInterfaceSettingsV1(vault=False)
-        self.get_vault_settings_patcher = patch(
-            f"{module}.get_app_interface_vault_settings"
-        )
-        self.get_vault_settings = self.get_vault_settings_patcher.start()
-        self.get_vault_settings.side_effect = [vault_settings]
-
-        self.create_secret_reader_patcher = patch(f"{module}.create_secret_reader")
-        self.create_secret_reader = self.create_secret_reader_patcher.start()
-        self.create_secret_reader.side_effect = [create_autospec(spec=SecretReaderBase)]
-
-        self.oc_map = create_autospec(spec=OCMap)
-        self.oc_map.clusters.side_effect = self._oc_map_clusters
-        self.oc_map.get.side_effect = self._oc_map_get
-        self.init_oc_map_patcher = patch(f"{module}.init_oc_map_from_namespaces")
-        self.init_oc_map = self.init_oc_map_patcher.start()
-        self.init_oc_map.side_effect = [self.oc_map]
-        self.state_patcher = patch(f"{module}.init_state")
-        self.state = self.state_patcher.start().return_value
-        self.state.ls.side_effect = self._state_ls
-        self.state.get.side_effect = self._state_get
-        self.state.add.side_effect = self._state_add
-
-    def tearDown(self) -> None:
-        """cleanup patches created in self.setUp"""
-        self.init_oc_map_patcher.stop()
-        self.queries_patcher.stop()
-        self.state_patcher.stop()
-        self.create_secret_reader_patcher.stop()
-        self.namespaces_patcher.stop()
-
-    def test_no_change(self):
-        """No label change: nothing should be done"""
-        self.test_ns = [
-            NS(c1, "namespace", k1v1, k1, k1v1),
-        ]
-        run_integration()
-        self.state.add.assert_not_called()
-        for oc in self.oc_clients.values():
-            oc.label.assert_not_called()
-
-    def test_update(self):
-        """single label value change"""
-        self.test_ns = [
-            NS(c1, "namespace", k1v1, k1, k1v2),
-        ]
-        run_integration()
-        # no change in the managed key store: we have the same keys than before
-        self.state.add.assert_not_called()
-        oc = self.oc_clients[c1]
-        oc.label.assert_called_once_with(
-            None, "Namespace", "namespace", k1v2, overwrite=True
-        )
-
-    def test_add(self):
-        """addition of a label"""
-        self.test_ns = [
-            NS(c1, "namespace", k1v1, k1, k1v1_k2v2),
-        ]
-        run_integration()
-        self.state.add.assert_called_once_with(
-            state_key(c1, "namespace"), k1_k2, force=True
-        )
-        oc = self.oc_clients[c1]
-        oc.label.assert_called_once_with(
-            None, "Namespace", "namespace", k2v2, overwrite=True
-        )
-
-    def test_add_from_none(self):
-        """addition of a label from none on the current namespace"""
-        self.test_ns = [
-            NS(c1, "namespace", {}, None, k1v1),
-        ]
-        run_integration()
-        self.state.add.assert_called_once_with(
-            state_key(c1, "namespace"), k1, force=True
-        )
-        oc = self.oc_clients[c1]
-        oc.label.assert_called_once_with(
-            None, "Namespace", "namespace", k1v1, overwrite=True
-        )
-
-    def test_remove_step1(self):
-        """removal of a label step 1: remove label"""
-        self.test_ns = [
-            NS(c1, "namespace", k1v1_k2v2, k1_k2, k1v1),
-        ]
-        run_integration()
-        self.state.add.assert_not_called()
-        oc = self.oc_clients[c1]
-        oc.label.assert_called_once_with(
-            None, "Namespace", "namespace", {"k2": None}, overwrite=True
-        )
-
-    def test_remove_step2(self):
-        """removal of a label step 2: remove key from managed state"""
-        self.test_ns = [
-            NS(c1, "namespace", k1v1, k1_k2, k1v1),
-        ]
-        run_integration()
-        self.state.add.assert_called_once_with(
-            state_key(c1, "namespace"), k1, force=True
-        )
-        oc = self.oc_clients[c1]
-        oc.label.assert_not_called()
-
-    def test_remove_add_modify_step1(self):
-        """Remove, add and modify labels all at once, step 1 (removals are in
-        two steps)"""
-        self.test_ns = [
-            NS(c1, "namespace", k1v1_k2v2, k1_k2, k2v3_k3v3),
-        ]
-        run_integration()
-        self.state.add.assert_called_once_with(
-            state_key(c1, "namespace"), k1_k2_k3, force=True
-        )
-        oc = self.oc_clients[c1]
-        labels = {"k1": None, "k2": "v3", "k3": "v3"}
-        oc.label.assert_called_once_with(
-            None, "Namespace", "namespace", labels, overwrite=True
-        )
-
-    def test_remove_add_modify_step2(self):
-        """Remove, add and modify labels all at once, step 2 (removals are in
-        two steps)"""
-        self.test_ns = [
-            NS(c1, "namespace", k2v3_k3v3, k1_k2_k3, k2v3_k3v3),
-        ]
-        run_integration()
-        self.state.add.assert_called_once_with(
-            state_key(c1, "namespace"), k2_k3, force=True
-        )
-        oc = self.oc_clients[c1]
-        oc.label.assert_not_called()
-
-    def test_namespace_not_exists(self):
-        """namespace does not exist (yet)"""
-        self.test_ns = [
-            NS(c1, "namespace", None, None, k1v1, exists=False),
-        ]
-        run_integration()
-        self.state.add.assert_not_called()
-        self.assertNotIn(c1, self.oc_clients.keys())
-
-    def test_duplicate_namespace(self):
-        """Namespace declared several times in a single cluster: ignored"""
-        self.test_ns = [
-            NS(c1, "namespace", k1v1, k1, k1v1),
-            NS(c1, "namespace", k1v1, k1, k2v2),
-            NS(c1, "namespace", k1v1, k1, k1v2),
-        ]
-        run_integration()
-        self.state.add.assert_not_called()
-        for oc in self.oc_clients.values():
-            oc.label.assert_not_called()
-
-    def test_multi_cluster(self):
-        """Namespace declared in several clusters. All get updated"""
-        self.test_ns = [
-            NS(c1, "namespace", k1v1, k1, k1v1_k2v2),
-            NS(c2, "namespace", k1v1, k1, k1v1_k2v2),
-        ]
-        run_integration()
-        self.assertEqual(self.state.add.call_count, 2)
-        calls = [
-            call(state_key(c1, "namespace"), k1_k2, force=True),
-            call(state_key(c2, "namespace"), k1_k2, force=True),
-        ]
-        self.state.add.assert_has_calls(calls)
-
-        self.assertIn(c1, self.oc_clients)
-        self.assertIn(c2, self.oc_clients)
-        for oc in self.oc_clients.values():
-            oc.label.assert_called_once_with(
-                None, "Namespace", "namespace", k2v2, overwrite=True
-            )
-
-    def test_dry_run(self):
-        """Ensures nothing is done in dry_run mode"""
-        self.test_ns = [
-            NS(c1, "namespace", k1v1_k2v2, k1_k2, k2v3_k3v3),
-        ]
-        run_integration(dry_run=True)
-        self.state.add.assert_not_called()
-        oc = self.oc_clients[c1]
-        oc.label.assert_not_called()