qontract-reconcile 0.10.1rc416__py3-none-any.whl → 0.10.1rc418__py3-none-any.whl

{qontract_reconcile-0.10.1rc416.dist-info → qontract_reconcile-0.10.1rc418.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc416
+Version: 0.10.1rc418
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc416.dist-info → qontract_reconcile-0.10.1rc418.dist-info}/RECORD

@@ -1,5 +1,5 @@
 reconcile/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/acs_rbac.py,sha256=OggKBiNGOGQJBsE3jJXwt0NT7zsTebdgDNKllE8cQMs,23537
+reconcile/acs_rbac.py,sha256=Jr9qIR1VjH16xpADZqjkigqsDW7iDnMD9nn7GxU4z0Y,23828
 reconcile/aws_ami_share.py,sha256=yLNSjtepxk4UL5f4Ix9oRp17jy9OXza0MIr71mhuqEA,3665
 reconcile/aws_ecr_image_pull_secrets.py,sha256=TGEc_0nv8oxV2HqA8VdcM4HHP-B1YqmNOOU6FPwVFTY,2328
 reconcile/aws_garbage_collector.py,sha256=ddwU8IKTueAJc0TzymcREr7hcoVui9kOGvdH1B2EcuM,450
@@ -53,7 +53,7 @@ reconcile/ocm_addons.py,sha256=qqAyqRBRbdZQvAcjb-QlSVyRAyQBZk6iVlgnI4jyi7s,3353
 reconcile/ocm_addons_upgrade_tests_trigger.py,sha256=oATZneNJSLkUAcba1sCHJr8qJztbsi1SAeEraoRUWq4,4057
 reconcile/ocm_aws_infrastructure_access.py,sha256=sz2ybcuj76nxpDJYvvLWVjPA6wprjbegbnenIljo9cU,7044
 reconcile/ocm_clusters.py,sha256=0NBZ5_6ikf_yEMpHjznXucXTtCC5tNFwLxIMGUaz7r0,13447
-reconcile/ocm_external_configuration_labels.py,sha256=sgotkG0SdQeTkc3rQgZEgKonG490T2RVw2ypnyJj47U,3269
+reconcile/ocm_external_configuration_labels.py,sha256=imEpDv1RBpCSj8tHDv0R76hmNCFtcUzVNgS1yOVl8vs,3870
 reconcile/ocm_github_idp.py,sha256=IlSpoUlUhYOahqWee6azJiN-N5EZNxNAWh-lrPXTfEc,3946
 reconcile/ocm_groups.py,sha256=_kiMUndKc6as6cbbvXxVnq8V_Lj7X5lxMJVCuRWuUFE,2888
 reconcile/ocm_machine_pools.py,sha256=YGIokK6cWhakPB4pj3h4F6w9Rn12kqsXf4TT4mdj1w8,15218
@@ -90,7 +90,7 @@ reconcile/quay_mirror.py,sha256=l2-RwdJrny3lqoIzc40uQhGAdTO0PYBwFfGC_K1s_I0,1423
 reconcile/quay_mirror_org.py,sha256=E1OdRe-ppxTkNCwu20iVRhEdG1fPDBroLY02NgiMN7c,10381
 reconcile/quay_permissions.py,sha256=_3PCWjNWoU7VHlYgHzUevvL_jJmEMsWfXV_nzjeiyhU,4099
 reconcile/quay_repos.py,sha256=7609RBVQihis96FNOOe-i9tCTYwcTVy4WpKAL6HpnkU,7031
-reconcile/queries.py,sha256=F91Nx33NQU0OB6zj74XyYI7oUlNUzHDw3jTDoJr_Bak,49165
+reconcile/queries.py,sha256=FfDCztWcbrw6kDMIFGwOS7q67tWEQPJuVfyXyBKn_9o,49206
 reconcile/query_validator.py,sha256=oLEZIAsQCzxmmZ7b9dSw-OKuEjpI1dbVu4XfCfjpmi8,1503
 reconcile/requests_sender.py,sha256=914iluuF4UVgG3VyxxtnHOu4yf6YKS2fIy6PViSsFTQ,3875
 reconcile/resource_scraper.py,sha256=vo1N9vLJCYWvXlTwFRIpEuWjx_39ZV9zxJlpoPq4g3U,2330
@@ -636,8 +636,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=dmEcNwZltP1rd_4DbxIYakO
 tools/test/test_qontract_cli.py,sha256=awwTHEc2DWlykuqGIYM0WOBoSL0KRnOraCLk3C7izis,1401
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc416.dist-info/METADATA,sha256=sP59I2h_LN6XLUyHK5C5UqzPQh1WqPsj6zA_thA0Lhk,2347
-qontract_reconcile-0.10.1rc416.dist-info/WHEEL,sha256=Xo9-1PvkuimrydujYJAjF7pCkriuXBpUPEjma1nZyJ0,92
-qontract_reconcile-0.10.1rc416.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc416.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc416.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc418.dist-info/METADATA,sha256=bYR73yjW15cE_wXs6HuU9pT1haQ-xRZBBOnXU4whpII,2347
+qontract_reconcile-0.10.1rc418.dist-info/WHEEL,sha256=Xo9-1PvkuimrydujYJAjF7pCkriuXBpUPEjma1nZyJ0,92
+qontract_reconcile-0.10.1rc418.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc418.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc418.dist-info/RECORD,,

reconcile/acs_rbac.py

@@ -353,6 +353,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
         role: AcsRole,
         acs: AcsApi,
         access_scope_id: str,
+        admin_access_scope_id: str,
         groups: list[Group],
         dry_run: bool,
     ) -> None:
@@ -383,9 +384,11 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
             acs.delete_role(role.name)
         logging.info("Deleted role: %s", role.name)
 
-        if not dry_run:
-            acs.delete_access_scope(access_scope_id)
-        logging.info("Deleted access scope: %s", role.access_scope.name)
+        # do not attempt deletion of system default 'Unrestricted' scope referenced by a custom role
+        if access_scope_id != admin_access_scope_id:
+            if not dry_run:
+                acs.delete_access_scope(access_scope_id)
+            logging.info("Deleted access scope: %s", role.access_scope.name)
 
     def delete_rbac(
         self,
@@ -416,6 +419,7 @@ class AcsRbacIntegration(QontractReconcileIntegration[NoParams]):
                     role=role,
                     acs=acs,
                     access_scope_id=access_scope_id_map[role.access_scope.name],
+                    admin_access_scope_id=access_scope_id_map[DEFAULT_ADMIN_SCOPE_NAME],
                     groups=role_group_mappings[role.name],
                     dry_run=dry_run,
                 )

reconcile/ocm_external_configuration_labels.py

@@ -12,6 +12,13 @@ from reconcile.utils.ocm import OCMMap
 QONTRACT_INTEGRATION = "ocm-external-configuration-labels"
 
 
+def get_allowed_labels_for_cluster(cluster: dict[str, Any]) -> set[str]:
+    allowed_labels = cluster.get("ocm", {}).get(
+        "allowedClusterExternalConfigLabels", []
+    )
+    return set(allowed_labels)
+
+
 def fetch_current_state(clusters):
     settings = queries.get_app_interface_settings()
     ocm_map = OCMMap(
@@ -21,9 +28,12 @@ def fetch_current_state(clusters):
     current_state = []
     for cluster in clusters:
         cluster_name = cluster["name"]
+        allowed_labels = get_allowed_labels_for_cluster(cluster)
         ocm = ocm_map.get(cluster_name)
         labels = ocm.get_external_configuration_labels(cluster_name)
         for key, value in labels.items():
+            if key not in allowed_labels:
+                continue
             item = {"label": {"key": key, "value": value}, "cluster": cluster_name}
             current_state.append(item)
 
@@ -34,8 +44,13 @@ def fetch_desired_state(clusters):
     desired_state = []
     for cluster in clusters:
         cluster_name = cluster["name"]
+        allowed_labels = get_allowed_labels_for_cluster(cluster)
         labels = json.loads(cluster["externalConfiguration"]["labels"])
         for key, value in labels.items():
+            if key not in allowed_labels:
+                raise ValueError(
+                    f"Unsupported external configuration label '{key}' in cluster '{cluster_name}'"
+                )
             item = {"label": {"key": key, "value": value}, "cluster": cluster_name}
             desired_state.append(item)
 

reconcile/queries.py

@@ -697,6 +697,7 @@ CLUSTERS_QUERY = """
         format
         version
       }
+      allowedClusterExternalConfigLabels
       blockedVersions
       inheritVersionData {
         name