qontract-reconcile 0.10.1rc601__py3-none-any.whl → 0.10.1rc603__py3-none-any.whl

{qontract_reconcile-0.10.1rc601.dist-info → qontract_reconcile-0.10.1rc603.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc601
+Version: 0.10.1rc603
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team
@@ -11,7 +11,7 @@ Classifier: Programming Language :: Python
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Requires-Python: >=3.11
-Requires-Dist: sretoolbox ~=2.5.1
+Requires-Dist: sretoolbox ~=2.5.2
 Requires-Dist: Click <9.0,>=7.0
 Requires-Dist: gql ==3.1.0
 Requires-Dist: toml <0.11.0,>=0.10.0

{qontract_reconcile-0.10.1rc601.dist-info → qontract_reconcile-0.10.1rc603.dist-info}/RECORD

@@ -451,7 +451,7 @@ reconcile/test/test_quay_repos.py,sha256=TdkcRF_a8PLp01Kti9eZZN-vGup2yPBT4Iba3k0
 reconcile/test/test_queries.py,sha256=SpH3RmNpBjEr_ne3VjAMCgKK8RE1z1zo7bypkT5uoO4,1946
 reconcile/test/test_repo_owners.py,sha256=uRYMLbMmh-9usF0TerabZTZV-Z1CS4I6ybT-LQqCLe8,1423
 reconcile/test/test_requests_sender.py,sha256=7fd9C2kEFS0-CYtlsif66N1kO9c44pzuBPAJKR9igqU,5385
-reconcile/test/test_saasherder.py,sha256=hCRwkmMSws8o-SCiaa68hdD2lDXzl21EZ_6v0CCG7vA,47064
+reconcile/test/test_saasherder.py,sha256=1_GyiXxxNqKSKE7PrtFJL7tUFg77d1oQPZzNBZW-DLQ,47042
 reconcile/test/test_saasherder_allowed_secret_paths.py,sha256=5NHQwNJO66at6HiyMZ5sVRTQDwxdvlOQo0KmkBWCw5Q,4853
 reconcile/test/test_secret_reader.py,sha256=kz7nzcPjvA08cytnvcA_PMA98AEyqJWsESkYeRn5xCk,4994
 reconcile/test/test_slack_base.py,sha256=gpbWOLNxMMX6fyAbs1JakhLTnwfedb3f7WpUae4tQZE,5060
@@ -675,8 +675,8 @@ reconcile/utils/runtime/runner.py,sha256=72cc-I6yXyPov8UCLHpyERRy1eiMLpGite2roO0
 reconcile/utils/runtime/sharding.py,sha256=roCdbnBklhTK_g34zbgQYqzpKPaNQ8J6Xd9XLO9-t6Q,16258
 reconcile/utils/saasherder/__init__.py,sha256=J3MBZBFa5YmhqYm08QsjBXz8mFcVOCiOCkyIcw41t7E,343
 reconcile/utils/saasherder/interfaces.py,sha256=XXY35h8VWQ66z3LBPxaoUAMkIW50264DQiecrzyV6oA,9076
-reconcile/utils/saasherder/models.py,sha256=PBv8DuAb6KUw_ayn5Ufiya20cCAelBv6Iv--x7hbpa4,5449
-reconcile/utils/saasherder/saasherder.py,sha256=72b0u-cIHg62R2uQCqlGcQfW5TbCxWDKf0dfmgVMUbY,85733
+reconcile/utils/saasherder/models.py,sha256=1DKXUmiTS_MejUfSpFCeuBLMTgR4ldv2N1tAz8qHAwc,5547
+reconcile/utils/saasherder/saasherder.py,sha256=h3qihKpL-UDUqi8V-i1mhfofXmydeGuHhG_Y9pVKJjk,86162
 reconcile/utils/terraform/__init__.py,sha256=zNbiyTWo35AT1sFTElL2j_AA0jJ_yWE_bfFn-nD2xik,250
 reconcile/utils/terraform/config.py,sha256=5UVrd563TMcvi4ooa5JvWVDW1I3bIWg484u79evfV_8,164
 reconcile/utils/terraform/config_client.py,sha256=py-Ree-QUYD6Hvng6bM40VgSuttteehIKNgwOSoJO1o,4706
@@ -704,8 +704,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=OvalpVRfY4pNmpMaWHHYqBjV68b1eGQjX8SCyTAXb1w,3501
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc601.dist-info/METADATA,sha256=xTaPAHRbNj68qwYjL7rWiII4D89lyuJWpmOg4fiBP_g,2349
-qontract_reconcile-0.10.1rc601.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-qontract_reconcile-0.10.1rc601.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
-qontract_reconcile-0.10.1rc601.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc601.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc603.dist-info/METADATA,sha256=KHZWVtIXDu8ZCJNsPliWFbsu58gjPsYV5hJQUzzyiL8,2349
+qontract_reconcile-0.10.1rc603.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+qontract_reconcile-0.10.1rc603.dist-info/entry_points.txt,sha256=rTjAv28I_CHLM8ID3OPqMI_suoQ9s7tFbim4aYjn9kk,376
+qontract_reconcile-0.10.1rc603.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc603.dist-info/RECORD,,

reconcile/test/test_saasherder.py

@@ -651,19 +651,17 @@ class TestGetContainerImagesDiffSaasFile(TestCase):
         self.get_commit_sha_patcher = patch.object(
             SaasHerder, "_get_commit_sha", autospec=True
         )
-        self.check_image_patcher = patch.object(
-            SaasHerder, "_check_image", autospec=True
-        )
+        self.get_image_patcher = patch.object(SaasHerder, "_get_image", autospec=True)
         self.initiate_gh = self.initiate_gh_patcher.start()
         self.get_commit_sha = self.get_commit_sha_patcher.start()
-        self.check_image = self.check_image_patcher.start()
+        self.get_image = self.get_image_patcher.start()
         self.maxDiff = None
 
     def tearDown(self) -> None:
         for p in (
             self.initiate_gh_patcher,
             self.get_commit_sha_patcher,
-            self.check_image_patcher,
+            self.get_image_patcher,
         ):
             p.stop()
 
@@ -680,7 +678,7 @@ class TestGetContainerImagesDiffSaasFile(TestCase):
         saasherder.state = MagicMock()
         saasherder.state.get.return_value = "asha"
         self.get_commit_sha.return_value = "abcd4242"
-        self.check_image.return_value = None
+        self.get_image.return_value = MagicMock()
         expected = [
             TriggerSpecContainerImage(
                 saas_file_name=self.saas_file.name,
@@ -717,7 +715,7 @@ class TestGetContainerImagesDiffSaasFile(TestCase):
         saasherder.state = MagicMock()
         saasherder.state.get.return_value = "asha"
         self.get_commit_sha.return_value = "abcd4242"
-        self.check_image.return_value = None
+        self.get_image.return_value = MagicMock()
         expected = [
             TriggerSpecContainerImage(
                 saas_file_name=self.saas_file.name,

reconcile/utils/saasherder/models.py

@@ -192,19 +192,21 @@ class ImageAuth:
     username: Optional[str] = None
     password: Optional[str] = None
     auth_server: Optional[str] = None
+    docker_config: Optional[dict[str, dict[str, dict[str, str]]]] = None
 
     def getDockerConfigJson(self) -> dict:
-        return {
-            "auths": {
-                self.auth_server: {
-                    "username": self.username,
-                    "password": self.password,
-                    "auth": base64.b64encode(
-                        f"{self.username}:{self.password}".encode()
-                    ).decode(),
+        if self.docker_config:
+            return self.docker_config
+        else:
+            return {
+                "auths": {
+                    self.auth_server: {
+                        "auth": base64.b64encode(
+                            f"{self.username}:{self.password}".encode()
+                        ).decode(),
+                    }
                 }
             }
-        }
 
 
 @dataclass

reconcile/utils/saasherder/saasherder.py

@@ -898,19 +898,20 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
         return False
 
     def _process_template(
-        self,
-        saas_file_name: str,
-        resource_template_name: str,
-        image_auth: ImageAuth,
-        url: str,
-        path: str,
-        provider: str,
-        hash_length: int,
-        target: SaasResourceTemplateTarget,
-        parameters: dict[str, str],
-        github: Github,
-        target_config_hash: str,
+        self, spec: TargetSpec
     ) -> tuple[list[Any], str, Optional[Promotion]]:
+        saas_file_name = spec.saas_file_name
+        resource_template_name = spec.resource_template_name
+        image_auth = spec.image_auth
+        url = spec.url
+        path = spec.path
+        provider = spec.provider
+        hash_length = spec.hash_length
+        target = spec.target
+        parameters = spec.parameters
+        github = spec.github
+        target_config_hash = spec.target_config_hash
+
         if provider == "openshift-template":
             environment_parameters = self._collect_parameters(
                 target.namespace.environment
@@ -997,25 +998,26 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                         + f"{str(e)}"
                     )
                     raise
-                try:
-                    image_uri = f"{registry_image}:{image_tag}"
-                    img = Image(
-                        url=image_uri,
-                        username=image_auth.username,
-                        password=image_auth.password,
-                        auth_server=image_auth.auth_server,
-                    )
-                    if need_repo_digest:
-                        consolidated_parameters["REPO_DIGEST"] = img.url_digest
-                    if need_image_digest:
-                        consolidated_parameters["IMAGE_DIGEST"] = img.digest
-                except (rqexc.ConnectionError, rqexc.HTTPError) as e:
-                    logging.error(
-                        f"[{saas_file_name}/{resource_template_name}] "
-                        + f"{html_url}: error generating REPO_DIGEST for "
-                        + f"{image_uri}: {str(e)}"
+
+                image_uri = f"{registry_image}:{image_tag}"
+                error_prefix = (
+                    f"[{saas_file_name}/{resource_template_name}] {html_url}:"
+                )
+                img = self._get_image(
+                    image=image_uri,
+                    image_patterns=spec.image_patterns,
+                    image_auth=image_auth,
+                    error_prefix=error_prefix,
+                )
+                if not img:
+                    raise Exception(
+                        f"[{error_prefix}: error generating REPO_DIGEST for {image_uri}"
                     )
-                    raise
+
+                if need_repo_digest:
+                    consolidated_parameters["REPO_DIGEST"] = img.url_digest
+                if need_image_digest:
+                    consolidated_parameters["IMAGE_DIGEST"] = img.digest
 
             oc = OCLocal("cluster", None, None, local=True)
             try:
@@ -1125,38 +1127,53 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
         return images
 
     @staticmethod
-    def _check_image(
+    def _get_image(
         image: str,
         image_patterns: Iterable[str],
         image_auth: ImageAuth,
         error_prefix: str,
-    ) -> bool:
-        error = False
+    ) -> Optional[Image]:
         if not image_patterns:
-            error = True
             logging.error(
                 f"{error_prefix} imagePatterns is empty (does not contain {image})"
             )
+            return None
         if image_patterns and not any(image.startswith(p) for p in image_patterns):
-            error = True
             logging.error(f"{error_prefix} Image is not in imagePatterns: {image}")
+            return None
+
+        # .dockerconfigjson
+        if image_auth.docker_config:
+            # we rely on the secret in vault being ordered
+            # https://peps.python.org/pep-0468/
+            for registry, auth in image_auth.docker_config["auths"].items():
+                if not image.startswith(registry):
+                    continue
+                username, password = (
+                    base64.b64decode(auth["auth"]).decode("utf-8").split(":")
+                )
+                with suppress(Exception):
+                    return Image(
+                        image,
+                        username=username,
+                        password=password,
+                        auth_server=image_auth.auth_server,
+                    )
+
+        # basic auth fallback for backwards compatibility
         try:
-            valid = Image(
+            return Image(
                 image,
                 username=image_auth.username,
                 password=image_auth.password,
                 auth_server=image_auth.auth_server,
             )
-            if not valid:
-                error = True
-                logging.error(f"{error_prefix} Image does not exist: {image}")
         except Exception as e:
-            error = True
             logging.error(
                 f"{error_prefix} Image is invalid: {image}. " + f"details: {str(e)}"
             )
 
-        return error
+        return None
 
     def _check_images(
         self,
@@ -1175,15 +1192,15 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
         self.images.update(images)
         if not images:
             return False  # no errors
-        errors = threaded.run(
-            self._check_image,
+        images = threaded.run(
+            self._get_image,
             images,
             self.available_thread_pool_size,
             image_patterns=image_patterns,
             image_auth=image_auth,
             error_prefix=error_prefix,
         )
-        return any(errors)
+        return None in images
 
     def _initiate_github(
         self, saas_file: SaasFile, base_url: Optional[str] = None
@@ -1216,20 +1233,24 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
             return ImageAuth()
 
         creds = self.secret_reader.read_all_secret(saas_file.authentication.image)
-        required_keys = ["user", "token"]
-        ok = all(k in creds.keys() for k in required_keys)
+        required_docker_config_keys = [".dockerconfigjson"]
+        required_keys_basic_auth = ["user", "token"]
+        ok = all(k in creds.keys() for k in required_keys_basic_auth) or all(
+            k in creds.keys() for k in required_docker_config_keys
+        )
         if not ok:
             logging.warning(
                 "the specified image authentication secret "
                 + f"found in path {saas_file.authentication.image.path} "
-                + f"does not contain all required keys: {required_keys}"
+                + f"does not contain all required keys: {required_docker_config_keys} or {required_keys_basic_auth}"
             )
             return ImageAuth()
 
         return ImageAuth(
-            username=creds["user"],
-            password=creds["token"],
+            username=creds.get("user"),
+            password=creds.get("token"),
             auth_server=creds.get("url"),
+            docker_config=json.loads(creds.get(".dockerconfigjson") or "{}"),
         )
 
     def populate_desired_state(self, ri: ResourceInventory) -> None:
@@ -1326,19 +1347,7 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
             return None
 
         try:
-            resources, html_url, promotion = self._process_template(
-                saas_file_name=spec.saas_file_name,
-                resource_template_name=spec.resource_template_name,
-                image_auth=spec.image_auth,
-                url=spec.url,
-                path=spec.path,
-                provider=spec.provider,
-                hash_length=spec.hash_length,
-                target=spec.target,
-                parameters=spec.parameters,
-                github=spec.github,
-                target_config_hash=spec.target_config_hash,
-            )
+            resources, html_url, promotion = self._process_template(spec)
         except Exception as e:
             # error log message send in _process_template. We log here debug to have a
             # safeguard in case something breaks there unexpectedly. We cannot just
@@ -1670,10 +1679,10 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                     image_uri = f"{image_registry}:{desired_image_tag}"
                     image_auth = self._initiate_image_auth(saas_file)
                     error_prefix = f"[{saas_file.name}/{rt.name}] {target.ref}:"
-                    error = self._check_image(
+                    image = self._get_image(
                         image_uri, saas_file.image_patterns, image_auth, error_prefix
                     )
-                    if error:
+                    if not image:
                         continue
 
                     trigger_spec = TriggerSpecContainerImage(