qontract-reconcile 0.10.1rc551__py3-none-any.whl → 0.10.1rc552__py3-none-any.whl

{qontract_reconcile-0.10.1rc551.dist-info → qontract_reconcile-0.10.1rc552.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc551
+Version: 0.10.1rc552
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc551.dist-info → qontract_reconcile-0.10.1rc552.dist-info}/RECORD

@@ -70,7 +70,7 @@ reconcile/openshift_namespaces.py,sha256=DboMc6t0vXD54lL9ZP9P9fQnCRo2g_0z5FWubtW
 reconcile/openshift_network_policies.py,sha256=_qqv7yj17OM1J8KJPsFmzFZ85gzESJeBocC672z4_WU,4231
 reconcile/openshift_resourcequotas.py,sha256=yUi56PiOn3inMMfq_x_FEHmaW-reGipzoorjdar372g,2415
 reconcile/openshift_resources.py,sha256=kwsY5cko7udEKNlhL2oKiKv_5wzEw9wmmwROE016ng8,1400
-reconcile/openshift_resources_base.py,sha256=rlzHO9mIQ2RGtlma-KHjtzkWirge6nZy-NP6cXlXeo0,45952
+reconcile/openshift_resources_base.py,sha256=DpB7DD8SqVrlqaZ6Vvv6WdA92DLRUhKNksum82ZZo_8,46630
 reconcile/openshift_rolebindings.py,sha256=0sEKajdqVuBSzlagyPbLxtNXQdI2vyabmbIRifs0des,6629
 reconcile/openshift_routes.py,sha256=fXvuPSjcjVw1X3j2EQvUAdbOepmIFdKk-M3qP8QzPiw,1075
 reconcile/openshift_saas_deploy.py,sha256=NFiNrk7055vunzzJmI7cVBubFj6JPDlEpJqDwpG_t9g,12706
@@ -587,7 +587,7 @@ reconcile/utils/state.py,sha256=SAa6QLHu9lr0yqLCBy2AypNx1IPCJWlrRBrvlzAKsOU,1450
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/template.py,sha256=wTvRU4AnAV_o042tD4Mwls2dwWMuk7MKnde3MaCjaYg,331
 reconcile/utils/terraform_client.py,sha256=_jBriLBwU005bDxWlq7CRByOkVCfiH47oBzB0ArNAY8,31901
-reconcile/utils/terrascript_aws_client.py,sha256=j3DzUROG_oP2Q-YnG3Lc4DazTyQV7MRAVZIkU53FhBk,266379
+reconcile/utils/terrascript_aws_client.py,sha256=zrm3naWWuWyJ1qOXlHBQWWi7rg-YUOt84nh1un_PVBE,266588
 reconcile/utils/three_way_diff_strategy.py,sha256=nyqeQsLCoPI6e16k2CF3b9KNgQLU-rPf5RtfdUfVMwE,4468
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/unleash.py,sha256=1D56CsZfE3ShDtN3IErE1T2eeIwNmxhK-yYbCotJ99E,3601
@@ -674,8 +674,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=se-YG_YVCWRFrnCPvBVHDBT_59CkbIoEni-4SJa8_MU,2755
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc551.dist-info/METADATA,sha256=Mm2i-Eoh8kVXcJ4HCQOGg2RgVlMNzx8tLUXhYHkNXXU,2349
-qontract_reconcile-0.10.1rc551.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc551.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc551.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc551.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc552.dist-info/METADATA,sha256=_2z1g2jyE05bW9_2lkZsPw_OHN6ta7gTD4eZni-wgvw,2349
+qontract_reconcile-0.10.1rc552.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc552.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc552.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc552.dist-info/RECORD,,

reconcile/openshift_resources_base.py

@@ -288,27 +288,42 @@ class UnknownTemplateTypeError(Exception):
 
 
 @retry()
-def lookup_secret(path, key, version=None, tvars=None, settings=None):
+def lookup_secret(
+    path, key, version=None, tvars=None, settings=None, secret_reader=None
+):
     if tvars is not None:
-        path = process_jinja2_template(body=path, vars=tvars, settings=settings)
-        key = process_jinja2_template(body=key, vars=tvars, settings=settings)
+        path = process_jinja2_template(
+            body=path, vars=tvars, settings=settings, secret_reader=secret_reader
+        )
+        key = process_jinja2_template(
+            body=key, vars=tvars, settings=settings, secret_reader=secret_reader
+        )
         if version and not isinstance(version, int):
             version = process_jinja2_template(
-                body=version, vars=tvars, settings=settings
+                body=version, vars=tvars, settings=settings, secret_reader=secret_reader
             )
     secret = {"path": path, "field": key, "version": version}
     try:
-        secret_reader = SecretReader(settings)
+        if not secret_reader:
+            secret_reader = SecretReader(settings)
         return secret_reader.read(secret)
     except Exception as e:
         raise FetchSecretError(e)
 
 
-def lookup_github_file_content(repo, path, ref, tvars=None, settings=None):
+def lookup_github_file_content(
+    repo, path, ref, tvars=None, settings=None, secret_reader=None
+):
     if tvars is not None:
-        repo = process_jinja2_template(body=repo, vars=tvars, settings=settings)
-        path = process_jinja2_template(body=path, vars=tvars, settings=settings)
-        ref = process_jinja2_template(body=ref, vars=tvars, settings=settings)
+        repo = process_jinja2_template(
+            body=repo, vars=tvars, settings=settings, secret_reader=secret_reader
+        )
+        path = process_jinja2_template(
+            body=path, vars=tvars, settings=settings, secret_reader=secret_reader
+        )
+        ref = process_jinja2_template(
+            body=ref, vars=tvars, settings=settings, secret_reader=secret_reader
+        )
 
     gh = init_github()
     c = gh.get_repo(repo).get_contents(path, ref).decoded_content
@@ -435,15 +450,27 @@ def compile_jinja2_template(body, extra_curly: bool = False):
     return jinja_env.from_string(body)
 
 
-def process_jinja2_template(body, vars=None, extra_curly: bool = False, settings=None):
+def process_jinja2_template(
+    body, vars=None, extra_curly: bool = False, settings=None, secret_reader=None
+):
     if vars is None:
         vars = {}
     vars.update({
         "vault": lambda p, k, v=None: lookup_secret(
-            path=p, key=k, version=v, tvars=vars, settings=settings
+            path=p,
+            key=k,
+            version=v,
+            tvars=vars,
+            settings=settings,
+            secret_reader=secret_reader,
         ),
         "github": lambda u, p, r, v=None: lookup_github_file_content(
-            repo=u, path=p, ref=r, tvars=vars, settings=settings
+            repo=u,
+            path=p,
+            ref=r,
+            tvars=vars,
+            settings=settings,
+            secret_reader=secret_reader,
         ),
         "urlescape": lambda u, s="/", e=None: urlescape(string=u, safe=s, encoding=e),
         "urlunescape": lambda u, e=None: urlunescape(string=u, encoding=e),
@@ -459,10 +486,18 @@ def process_jinja2_template(body, vars=None, extra_curly: bool = False, settings
     return r
 
 
-def process_extracurlyjinja2_template(body, vars=None, env=None, settings=None):
+def process_extracurlyjinja2_template(
+    body, vars=None, env=None, settings=None, secret_reader=None
+):
     if vars is None:
         vars = {}
-    return process_jinja2_template(body, vars=vars, extra_curly=True, settings=settings)
+    return process_jinja2_template(
+        body,
+        vars=vars,
+        extra_curly=True,
+        settings=settings,
+        secret_reader=secret_reader,
+    )
 
 
 def check_alertmanager_config(data, path, alertmanager_config_key, decode_base64=False):

reconcile/utils/terrascript_aws_client.py

@@ -181,7 +181,7 @@ from reconcile.utils.password_validator import (
     PasswordPolicy,
     PasswordValidator,
 )
-from reconcile.utils.secret_reader import SecretReader
+from reconcile.utils.secret_reader import SecretReader, SecretReaderBase
 from reconcile.utils.terraform import safe_resource_id
 
 GH_BASE_URL = os.environ.get("GITHUB_API", "https://api.github.com")
@@ -368,13 +368,16 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
         accounts: Iterable[dict[str, Any]],
         settings: Optional[Mapping[str, Any]] = None,
         prefetch_resources_by_schemas: Optional[list[str]] = None,
+        secret_reader: Optional[SecretReaderBase] = None,
     ) -> None:
         self.integration = integration
         self.integration_prefix = integration_prefix
-        self.settings = settings
         self.thread_pool_size = thread_pool_size
         filtered_accounts = self.filter_disabled_accounts(accounts)
-        self.secret_reader = SecretReader(settings=settings)
+        if secret_reader:
+            self.secret_reader = secret_reader
+        else:
+            self.secret_reader = SecretReader(settings=settings)
         self.configs: dict[str, dict] = {}
         self.populate_configs(filtered_accounts)
         self.versions = {a["name"]: a["providerVersion"] for a in filtered_accounts}
@@ -601,7 +604,7 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             with self.gitlab_lock:
                 if not self.gitlab:
                     instance = queries.get_gitlab_instance()
-                    self.gitlab = GitLabApi(instance, settings=self.settings)
+                    self.gitlab = GitLabApi(instance, secret_reader=self.secret_reader)
         return self.gitlab
 
     def init_jenkins(self, instance: dict) -> JenkinsApi:
@@ -612,7 +615,7 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
                 if not self.jenkins_map.get(instance_name):
                     self.jenkins_map[instance_name] = (
                         JenkinsApi.init_jenkins_from_secret(
-                            SecretReader(self.settings), instance["token"]
+                            self.secret_reader, instance["token"]
                         )
                     )
         return self.jenkins_map[instance_name]
@@ -4745,7 +4748,9 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
         )
         account["assume_region"] = cluster["spec"]["region"]
         service_name = f"{namespace_info['name']}/{openshift_service}"
-        with AWSApi(1, [account], settings=self.settings, init_users=False) as awsapi:
+        with AWSApi(
+            1, [account], secret_reader=self.secret_reader, init_users=False
+        ) as awsapi:
             ips = awsapi.get_alb_network_interface_ips(account, service_name)
         if not ips:
             raise ValueError(
@@ -5176,7 +5181,9 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
 
         # Get the most recent AMI id
         aws_account = self.accounts[account]
-        with AWSApi(1, [aws_account], settings=self.settings, init_users=False) as aws:
+        with AWSApi(
+            1, [aws_account], secret_reader=self.secret_reader, init_users=False
+        ) as aws:
             return aws.get_image_id(account, region, tags)
 
     def _use_previous_image_id(self, filters: Iterable[Mapping[str, Any]]) -> bool:
@@ -5259,7 +5266,7 @@ class TerrascriptClient:  # pylint: disable=too-many-public-methods
             for c in cloudinit_configs:
                 raw = self.get_raw_values(c["content"])
                 content = orb.process_extracurlyjinja2_template(
-                    body=raw["content"], vars=vars, settings=self.settings
+                    body=raw["content"], vars=vars, secret_reader=self.secret_reader
                 )
                 # https://www.terraform.io/docs/language/expressions/strings.html#escape-sequences
                 content = content.replace("${", "$${")