qontract-reconcile 0.10.1rc792__py3-none-any.whl → 0.10.1rc796__py3-none-any.whl

{qontract_reconcile-0.10.1rc792.dist-info → qontract_reconcile-0.10.1rc796.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc792
+Version: 0.10.1rc796
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team
@@ -46,7 +46,6 @@ Requires-Dist: kubernetes ~=24.0
 Requires-Dist: websocket-client <0.55.0,>=0.35
 Requires-Dist: sshtunnel >=0.4.0
 Requires-Dist: croniter <1.1.0,>=1.0.15
-Requires-Dist: transity-statuspageio <0.1,>=0.0.3
 Requires-Dist: pydantic ~=1.10.6
 Requires-Dist: MarkupSafe ==2.1.1
 Requires-Dist: filetype ~=1.2.0

{qontract_reconcile-0.10.1rc792.dist-info → qontract_reconcile-0.10.1rc796.dist-info}/RECORD

@@ -10,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=uMjslj9XkN1UFJ3k-CuHlTz4MeyXMk6gK1BkWfg6Kt4,99967
+reconcile/cli.py,sha256=IQEXC-Fg-c-9h3j_9JewMYMqgSLkJKT8ChWAHXmtt3k,100436
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=a5aPLVxyqPSbjdB0Ty-uliOtxwvEbbEljHJKxdK3-Zk,4813
@@ -62,7 +62,7 @@ reconcile/ocm_groups.py,sha256=CluPyvmwE5JOZS2HQSReC1sD8L1ChhnJlAg8lcwdtxc,3395
 reconcile/ocm_machine_pools.py,sha256=oY4oLPm5Y_ajBV8KFg2LuBQvsZl-CxTjSxEyxg4b2OI,16634
 reconcile/ocm_update_recommended_version.py,sha256=IYkfLXIprOW1jguZeELcGP1iBPuj-b53R-FTqKulMl8,4204
 reconcile/ocm_upgrade_scheduler_org_updater.py,sha256=49Ss6sp9_n5F9914gXb-uEap4Vm2t-KPTJRFFViJMIo,4184
-reconcile/openshift_base.py,sha256=AYTXEfQaU91PRpNJKunf0PILL_zAJMq6jySYfGHzcNg,49702
+reconcile/openshift_base.py,sha256=mE_NuKgEFsZDeA3kUo4iMsvIF1wN5yemUHeuE0M9fbY,49735
 reconcile/openshift_cluster_bots.py,sha256=eRPYZqWMKFNxLlSN0QG97V5t1iIESQ0BbGaiaQP5VB0,10940
 reconcile/openshift_clusterrolebindings.py,sha256=QfSy1Ik8eEY5XObc1Q4xyhqyErZenJmbPv_u9wcDNNo,5864
 reconcile/openshift_groups.py,sha256=fqBQ6ITDOArkC_zOjskmMigdCUDq3wntLZ0NcppXaFc,9414
@@ -86,7 +86,7 @@ reconcile/openshift_saas_deploy_trigger_upstream_jobs.py,sha256=etfBGj7GDXTOhNHK
 reconcile/openshift_serviceaccount_tokens.py,sha256=kc8o6tYDpzYTuX7BGIuZjGR1rC4tAB1tfN-ijCS0AgA,6005
 reconcile/openshift_tekton_resources.py,sha256=u17OOKPWp9k8WgPXA9RcrMoANYPocNEf-smD7rKRVgE,16278
 reconcile/openshift_upgrade_watcher.py,sha256=y1DoU--iX5QqDkYGP8YrHv2nH7rbiT9fRwcJ9i3Zp2o,6609
-reconcile/openshift_users.py,sha256=k6Vt-X_1nx0aAodnKvs916g2jLOxA03Mmk7Cf_x6K08,5293
+reconcile/openshift_users.py,sha256=1mhxHvkspSz8dn8zL7PpAG_QZ2rSbYzBuvZ66zWxyL4,5339
 reconcile/openshift_vault_secrets.py,sha256=9rTqV6wzCQx2Oh712E_Xj8wMG7u8Oh-pY8DWjlv4mZw,1660
 reconcile/quay_base.py,sha256=WlrTGlpK2Ma9HxXqTRJ_W-7g6e6RM3RlN1vq1ANMP_I,1889
 reconcile/quay_membership.py,sha256=LKrHwHQDhsBQEP7rUKanks8KTX63qa_93CyHRVwdjfo,6291
@@ -121,7 +121,7 @@ reconcile/vault_replication.py,sha256=79GZ_kCimPoQcxkdhkWTQxPOAa46E0mNhf05s_Mk5s
 reconcile/vpc_peerings_validator.py,sha256=Kv22HJVlTW9l9GB2eXwjPWqdDbr_VuvQBNPttox6s5o,7177
 reconcile/aus/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/aus/advanced_upgrade_service.py,sha256=MPqcWpq1QeYzBsB8rtTlo102h_cR_q83oOYtWAncuAk,22391
-reconcile/aus/aus_label_source.py,sha256=qoP8Fgxuu1tCuhG6ixCWve7Ll-KD6a79E2uLAmC0ifw,4184
+reconcile/aus/aus_label_source.py,sha256=QG3XuKy5tAyJo9ABPHANrDpECxpkzm2LT5C9Xsu42oI,4183
 reconcile/aus/base.py,sha256=n53ZtW5MpBitN745mymFxcq7LT5X8si8U0-l8hH6AEc,49878
 reconcile/aus/cluster_version_data.py,sha256=j4UyEBi5mQuvPq5Lo7a_L_0blxvH790wJV07uAiikFU,7126
 reconcile/aus/healthchecks.py,sha256=S8_KPn_zFiOo_wf5XlVmz-I3tUDYAim3EGSqiSPMvLQ,2707
@@ -168,6 +168,8 @@ reconcile/change_owners/diff.py,sha256=puiyo0dyLxBvbSKUJGIxAsgqs6Omrc_75TEUXk40X
 reconcile/change_owners/implicit_ownership.py,sha256=6BehZvx4IjrphmOt_LLLk9_02Fl5BY5jd00Wuz_PBZk,4234
 reconcile/change_owners/self_service_roles.py,sha256=4_Dr6ZyRInKLKXCRYaCKLQsoH1USsH-NN72LvnwYsaA,9662
 reconcile/change_owners/tester.py,sha256=8XGCIa0SIDkhHBDnN8-XCx4OreOmGRU_6N-1MrBuziY,9005
+reconcile/cluster_auth_rhidp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/cluster_auth_rhidp/integration.py,sha256=KIAiP_XFjsOA2OE8oFJa8lD0T1a7EwOmhct2xbj7tr8,9560
 reconcile/cna/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/cna/client.py,sha256=t9gJDrKf4ApBlgu8c4QUbmzrYoSo1QPsnAGfucva2_U,1562
 reconcile/cna/integration.py,sha256=gSxQAsgErvV2wF4Xnr96kgvX0z0lH_Ez5jH2GFNNSqI,5164
@@ -220,6 +222,8 @@ reconcile/gql_definitions/change_owners/__init__.py,sha256=47DEQpj8HBSa-_TImW-5J
 reconcile/gql_definitions/change_owners/queries/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/change_owners/queries/change_types.py,sha256=9S2YRNnSAvutjzuubZIQQe35yd8V2rGKvWSUI6yl11Q,5017
 reconcile/gql_definitions/change_owners/queries/self_service_roles.py,sha256=gU5qQ_zncXqM41WW_c2NYEZBuXlI9Xwm08D9HF6dP7g,4627
+reconcile/gql_definitions/cluster_auth_rhidp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/cluster_auth_rhidp/clusters.py,sha256=FTSj4nFD4OY6tjqTEuhAYWx3phckAiANbuVTWOHlo4Q,3267
 reconcile/gql_definitions/cna/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/cna/queries/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/cna/queries/cna_provisioners.py,sha256=YJOO6vo_q2a4z4Dgx6IN3zTmUDFgSZftqPNLf_U5yzU,2993
@@ -234,7 +238,7 @@ reconcile/gql_definitions/common/app_interface_state_settings.py,sha256=VXIK0Hmy
 reconcile/gql_definitions/common/app_interface_vault_settings.py,sha256=w8quvdG0cSq71ZyJokPPp7MyMpoDb6-HLQ3o9JHVGRQ,1771
 reconcile/gql_definitions/common/aws_vpcs.py,sha256=Dss9dQ3xagnz3Ltg1e9mtG2PAmQGBbUzKCmmzvuN28s,1892
 reconcile/gql_definitions/common/clusters.py,sha256=eJIbMQltj-Sc7h_QVIeFkbRy1b_QJIkHATfbagxM-yU,21527
-reconcile/gql_definitions/common/clusters_minimal.py,sha256=yZpjS9qWyusCEiWtD8wzf0tak298uQyxiN4lC6KNo4s,4475
+reconcile/gql_definitions/common/clusters_minimal.py,sha256=JYrJV_aStmryiiGKyiXhj47qpF_8KilCqy-d9CofBCo,4635
 reconcile/gql_definitions/common/clusters_with_dms.py,sha256=GJ53P8tgMLh1NfVkaV9_AmaqF9pNUqJZcDkcKzKzUy0,2242
 reconcile/gql_definitions/common/clusters_with_peering.py,sha256=6mv1m8lc9UDzMWXatkTbYHwBaXoHIIC62qXULsfQN5Y,11822
 reconcile/gql_definitions/common/github_orgs.py,sha256=rZ0pDAA2_9hF9N-ykRZIxPtEmczTSjuA_k3nkp0k1W0,2039
@@ -317,7 +321,6 @@ reconcile/gql_definitions/ocm_labels/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeu
 reconcile/gql_definitions/ocm_labels/clusters.py,sha256=MIVR5c8JxEOjsdGNpB737QyHGkjmHCycY6MAYNclPck,2916
 reconcile/gql_definitions/ocm_labels/organizations.py,sha256=mmYB5C5Fp_nPzwBDKdKG4qWiLre2VkZ26U_2O-jRKC4,2001
 reconcile/gql_definitions/ocm_oidc_idp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/ocm_subscription_labels/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/openshift_cluster_bots/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/openshift_cluster_bots/clusters.py,sha256=68meUg2Wgh91gplbPHAIlRWjnGg2RDrwtWd93QK6qRE,3672
 reconcile/gql_definitions/openshift_groups/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -384,8 +387,7 @@ reconcile/ocm/types.py,sha256=ibJYvzfAZyyMFkcF1bP8u3rkXciYJRplt_7Z1pKHFh0,2484
 reconcile/ocm_internal_notifications/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/ocm_internal_notifications/integration.py,sha256=Gw2oB1Oe1Vvbj-fN_undhkQ2y5tCVhUfW5DenKu9ybM,4395
 reconcile/ocm_labels/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/ocm_labels/integration.py,sha256=SqIgCYhlHEeoH2YXJ8kWIxCo9S3fzzAlZGxt9KCnJ1s,14792
-reconcile/ocm_labels/label_sources.py,sha256=z5Rg5uMTfRkTi3QbEQK1P82LLciWrSnp65XBEpZf2-o,1877
+reconcile/ocm_labels/integration.py,sha256=JmqjY_8QI8lgnCgXroiEfj58wkd98fOe5mTiKvkLeOQ,14946
 reconcile/oum/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/oum/base.py,sha256=gw5qDx3VKtIk-VW_g0j5iPdM4qAweqy0YROHJhKHt0M,13596
 reconcile/oum/labelset.py,sha256=MTOMEyBMbge3JOq0mOKWja-kV3cs0ZId9Ozxv7FJ9Kw,2185
@@ -429,7 +431,7 @@ reconcile/skupper_network/models.py,sha256=DNTI7HZv-rqY42GIIxyRuvroHLvdH6rJerjIq
 reconcile/skupper_network/reconciler.py,sha256=XS-1oKBr_1l3dYUAVqUH6gCHg1G5ZuOfY_7fgGVAiFA,9996
 reconcile/skupper_network/site_controller.py,sha256=A3K-62BjJ5HiFVydV0ouGoD1NwrO7XhAH15BHAcS9fk,1550
 reconcile/statuspage/__init__.py,sha256=o9vR6sp3ARDQFZrbCEShelTxjF1XgfLaElK_QVt_248,261
-reconcile/statuspage/atlassian.py,sha256=IxtGHd4GXYlJ2Qt3k-MfylM-SIYS7DYaCpjtQvPAmbY,13758
+reconcile/statuspage/atlassian.py,sha256=1W9wQyO0B0qcw5Zrke8h7Rv9xhpXLyMezM7N-5XE8Dg,13665
 reconcile/statuspage/integration.py,sha256=---tzyl381RddAkIhXb7n3ySjUhuX7FBBI152SYsRfk,3654
 reconcile/statuspage/page.py,sha256=cJH2sDA8jiAmSdaDitQqNjkyDq_UP2w3s7eauCi-yt4,3740
 reconcile/statuspage/state.py,sha256=HD9EOoKm_nEqCMLIwW809En3cq5VhyzKJPUbsh-bae8,1617
@@ -727,6 +729,7 @@ reconcile/utils/ocm/base.py,sha256=KPS1CgiALlq7INdgTDpN7MmtZ6uQMSWcUDjeGHmp5Z4,1
 reconcile/utils/ocm/cluster_groups.py,sha256=F8oqVqN_4QUnGL0K61zZhoYIzJeP57EcmZpwmoV0mr4,1751
 reconcile/utils/ocm/clusters.py,sha256=Nw9m-jgN3GHHCh6w9UOBbMV4rtS24_-Ep09jAWQ-_fE,7653
 reconcile/utils/ocm/identity_providers.py,sha256=dKed09N8iWmn39tI_MpwgVe47x23eLsknGbjMUxtwr4,2175
+reconcile/utils/ocm/label_sources.py,sha256=z5Rg5uMTfRkTi3QbEQK1P82LLciWrSnp65XBEpZf2-o,1877
 reconcile/utils/ocm/labels.py,sha256=pRzTE506hKAgVbBNO51IBlGOuCbJmTYDMsL0pWBEwp8,5945
 reconcile/utils/ocm/ocm.py,sha256=axXuTUpJR-fqhDo6OiDzEygOsR9OCX8ZV1I_Q2vWJQc,36712
 reconcile/utils/ocm/products.py,sha256=835Wr354wrP4hDhBi6dVMy1ru_G3-C-wCJyjki43KuA,25961
@@ -750,7 +753,7 @@ reconcile/utils/runtime/sharding.py,sha256=roCdbnBklhTK_g34zbgQYqzpKPaNQ8J6Xd9XL
 reconcile/utils/saasherder/__init__.py,sha256=J3MBZBFa5YmhqYm08QsjBXz8mFcVOCiOCkyIcw41t7E,343
 reconcile/utils/saasherder/interfaces.py,sha256=XXY35h8VWQ66z3LBPxaoUAMkIW50264DQiecrzyV6oA,9076
 reconcile/utils/saasherder/models.py,sha256=1DKXUmiTS_MejUfSpFCeuBLMTgR4ldv2N1tAz8qHAwc,5547
-reconcile/utils/saasherder/saasherder.py,sha256=OoDilZnlv_nVDzDkOSXpSozFWp6-ZpEcsXTgqAI8e40,86305
+reconcile/utils/saasherder/saasherder.py,sha256=Z6indeXBLzo_1w9Utc8Uj27wSe4J0OwBqykYYAqPpnI,86416
 reconcile/utils/terraform/__init__.py,sha256=zNbiyTWo35AT1sFTElL2j_AA0jJ_yWE_bfFn-nD2xik,250
 reconcile/utils/terraform/config.py,sha256=5UVrd563TMcvi4ooa5JvWVDW1I3bIWg484u79evfV_8,164
 reconcile/utils/terraform/config_client.py,sha256=py-Ree-QUYD6Hvng6bM40VgSuttteehIKNgwOSoJO1o,4706
@@ -767,7 +770,7 @@ tools/app_interface_metrics_exporter.py,sha256=zkwkxdAUAxjdc-pzx2_oJXG25fo0Fnyd5
 tools/app_interface_reporter.py,sha256=upA-J-n-HXHKVDINRuMR7vTt-iJvQORKUVi9D3leQto,17738
 tools/glitchtip_access_reporter.py,sha256=oPBnk_YoDuljU3v0FaChzOwwnk4vap1xEE67QEjzdqs,2948
 tools/glitchtip_access_revalidation.py,sha256=8kbBJk04mkq28kWoRDDkfCGIF3GRg3pJrFAh1sW0dbk,2821
-tools/qontract_cli.py,sha256=ilm3Ezw86rgFKLBgL-FV0xSRLHaFHfG0CKmYZfDe1VU,116022
+tools/qontract_cli.py,sha256=shVGUSDTqa8KO1H6P6YD4fpygQSzZuGxB-5MdhTtzUs,113982
 tools/sd_app_sre_alert_report.py,sha256=e9vAdyenUz2f5c8-z-5WY0wv-SJ9aePKDH2r4IwB6pc,5063
 tools/template_validation.py,sha256=-U-lTGeLaci8yWPEblCJeev2DOlY1jM9QOOh-O1zts8,3376
 tools/cli_commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -785,8 +788,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=w2l4BHB09k1d-BGJ1jBUNCqDv7zkqYrMHojQXg-21kQ,4155
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc792.dist-info/METADATA,sha256=ubnMxzBVaqBUITyyF1R5bgCW_Eckk_tfSLomJ9VWdSg,2364
-qontract_reconcile-0.10.1rc792.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc792.dist-info/entry_points.txt,sha256=rIxI5zWtHNlfpDeq1a7pZXAPoqf7HG32KMTN3MeWK_8,429
-qontract_reconcile-0.10.1rc792.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc792.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc796.dist-info/METADATA,sha256=GQarCBXsn_w6KRkt0BIseHFItIEHlKjlJUE4UqBfGdQ,2314
+qontract_reconcile-0.10.1rc796.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc796.dist-info/entry_points.txt,sha256=rIxI5zWtHNlfpDeq1a7pZXAPoqf7HG32KMTN3MeWK_8,429
+qontract_reconcile-0.10.1rc796.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc796.dist-info/RECORD,,

reconcile/aus/aus_label_source.py

@@ -16,7 +16,7 @@ from reconcile.gql_definitions.advanced_upgrade_service.aus_organization import
     query as aus_organizations_query,
 )
 from reconcile.gql_definitions.fragments.aus_organization import AUSOCMOrganization
-from reconcile.ocm_labels.label_sources import (
+from reconcile.utils.ocm.label_sources import (
     ClusterRef,
     LabelSource,
     LabelState,

reconcile/cli.py

@@ -2918,6 +2918,22 @@ def rhidp_sso_client(
     )
 
 
+@integration.command(
+    short_help="Manages the OCM subscription labels for clusters with RHIDP authentication. Part of RHIDP."
+)
+@click.pass_context
+def cluster_auth_rhidp(ctx):
+    from reconcile.cluster_auth_rhidp.integration import (
+        ClusterAuthRhidpIntegration,
+        ClusterAuthRhidpIntegrationParams,
+    )
+
+    run_class_integration(
+        integration=ClusterAuthRhidpIntegration(ClusterAuthRhidpIntegrationParams()),
+        ctx=ctx.obj,
+    )
+
+
 @integration.command(
     short_help="Automatically provide dedicated Dynatrace tokens to management clusters"
 )

reconcile/cluster_auth_rhidp/integration.py

@@ -0,0 +1,257 @@
+import logging
+from collections.abc import Callable, Iterable
+from typing import Any
+
+from deepdiff import DeepHash
+
+from reconcile.gql_definitions.cluster_auth_rhidp.clusters import (
+    ClusterAuthRHIDPV1,
+    ClusterV1,
+)
+from reconcile.gql_definitions.cluster_auth_rhidp.clusters import query as cluster_query
+from reconcile.gql_definitions.common.ocm_environments import (
+    query as ocm_environment_query,
+)
+from reconcile.gql_definitions.fragments.ocm_environment import OCMEnvironment
+from reconcile.rhidp.common import (
+    AUTH_NAME_LABEL_KEY,
+    ISSUER_LABEL_KEY,
+    RHIDP_NAMESPACE_LABEL_KEY,
+    STATUS_LABEL_KEY,
+    StatusValue,
+)
+from reconcile.utils import gql
+from reconcile.utils.defer import defer
+from reconcile.utils.differ import diff_mappings
+from reconcile.utils.disabled_integrations import integration_is_enabled
+from reconcile.utils.ocm.clusters import discover_clusters_for_organizations
+from reconcile.utils.ocm.label_sources import ClusterRef, LabelState
+from reconcile.utils.ocm.labels import add_label, delete_label, update_label
+from reconcile.utils.ocm_base_client import (
+    OCMAPIClientConfigurationProtocol,
+    OCMBaseClient,
+    init_ocm_base_client,
+)
+from reconcile.utils.runtime.integration import (
+    PydanticRunParams,
+    QontractReconcileIntegration,
+)
+from reconcile.utils.secret_reader import SecretReaderBase
+from reconcile.utils.semver_helper import make_semver
+
+QONTRACT_INTEGRATION = "cluster-auth-rhidp"
+QONTRACT_INTEGRATION_VERSION = make_semver(1, 0, 0)
+
+
+class ClusterAuthRhidpIntegrationParams(PydanticRunParams):
+    pass
+
+
+class ManagedLabelConflictError(Exception):
+    pass
+
+
+OcmApis = dict[str, OCMBaseClient]
+
+
+class ClusterAuthRhidpIntegration(
+    QontractReconcileIntegration[ClusterAuthRhidpIntegrationParams]
+):
+    """Manages the OCM subscription labels for clusters with RHIDP authentication."""
+
+    @property
+    def name(self) -> str:
+        return QONTRACT_INTEGRATION
+
+    def get_early_exit_desired_state(
+        self, query_func: Callable | None = None
+    ) -> dict[str, Any]:
+        """Return the desired state for early exit."""
+        if not query_func:
+            query_func = gql.get_api().query
+
+        desired = {
+            "subs_labels": self.fetch_desired_state(self.get_clusters(query_func)),
+        }
+        # to figure out wheter to run a PR check of to exit early, a hash value
+        # of the desired state is sufficient
+        return {"hash": DeepHash(desired).get(desired)}
+
+    def get_clusters(self, query_func: Callable) -> list[ClusterV1]:
+        data = cluster_query(query_func)
+        return [
+            c
+            for c in data.clusters or []
+            if integration_is_enabled(self.name, c)
+            # ocm is mandatory
+            and c.ocm
+            and c.spec
+            and c.spec.q_id
+        ]
+
+    def get_environments(self, query_func: Callable) -> list[OCMEnvironment]:
+        return ocm_environment_query(query_func).environments
+
+    def fetch_desired_state(self, clusters: Iterable[ClusterV1]) -> LabelState:
+        """Fetches the desired state of subscription labels for the given clusters."""
+        states: LabelState = {}
+
+        for cluster in clusters:
+            assert cluster.ocm and cluster.spec and cluster.spec.q_id  # make mypy happy
+            label = {}
+            if auth := next(
+                (
+                    a
+                    for a in cluster.auth
+                    if isinstance(a, ClusterAuthRHIDPV1) and a.service == "rhidp"
+                ),
+                None,
+            ):
+                label = {
+                    STATUS_LABEL_KEY: auth.status or StatusValue.ENABLED.value,
+                    AUTH_NAME_LABEL_KEY: auth.name,
+                }
+                if auth.issuer:
+                    label[ISSUER_LABEL_KEY] = auth.issuer
+            cluster_ref = ClusterRef(
+                cluster_id=cluster.spec.q_id,
+                org_id=cluster.ocm.org_id,
+                ocm_env=cluster.ocm.environment.name,
+                name=cluster.name,
+                label_container_href=None,
+            )
+            states[cluster_ref] = label
+
+        return states
+
+    def fetch_current_state(
+        self,
+        ocm_apis: OcmApis,
+        clusters: Iterable[ClusterV1],
+        managed_label_prefixes: Iterable[str],
+    ) -> LabelState:
+        """Fetches the current state of subscription labels for the given clusters.
+
+        If a cluster can't be found in OCM, the resulting dict will not contain a
+        state for it, not even an empty one.
+        """
+        cluster_ids = {c.spec.q_id for c in clusters if c.spec and c.spec.q_id}
+        states: LabelState = {}
+        for env_name, ocm_api in ocm_apis.items():
+            for cluster_details in discover_clusters_for_organizations(
+                ocm_api=ocm_api,
+                organization_ids=list({
+                    c.ocm.org_id
+                    for c in clusters
+                    if c.ocm and c.ocm.environment.name == env_name
+                }),
+            ):
+                if cluster_details.ocm_cluster.id not in cluster_ids:
+                    # there might be more clusters in an organization than we care about
+                    continue
+
+                filtered_labels = {
+                    label: value
+                    for label, value in cluster_details.subscription_labels.get_values_dict().items()
+                    if label.startswith(tuple(managed_label_prefixes))
+                }
+                states[
+                    ClusterRef(
+                        cluster_id=cluster_details.ocm_cluster.id,
+                        org_id=cluster_details.organization_id,
+                        ocm_env=env_name,
+                        name=cluster_details.ocm_cluster.name,
+                        label_container_href=f"{cluster_details.ocm_cluster.subscription.href}/labels",
+                    )
+                ] = filtered_labels
+        return states
+
+    def init_ocm_apis(
+        self,
+        environments: Iterable[OCMEnvironment],
+        init_ocm_base_client: Callable[
+            [OCMAPIClientConfigurationProtocol, SecretReaderBase], OCMBaseClient
+        ] = init_ocm_base_client,
+    ) -> OcmApis:
+        """Initialize OCM clients for each OCM environment."""
+        return {
+            env.name: init_ocm_base_client(env, self.secret_reader)
+            for env in environments
+        }
+
+    def reconcile(
+        self,
+        dry_run: bool,
+        ocm_apis: OcmApis,
+        current_state: LabelState,
+        desired_state: LabelState,
+    ) -> None:
+        # we iterate via the current state because it refers to the clusters we can act on
+        for label_owner_ref, current_labels in current_state.items():
+            ocm_api = ocm_apis[label_owner_ref.ocm_env]
+            desired_labels = desired_state.get(label_owner_ref, {})
+            if current_labels == desired_labels:
+                continue
+
+            diff_result = diff_mappings(current_labels, desired_labels)
+
+            for label_to_add, value in diff_result.add.items():
+                logging.info([
+                    "create_label",
+                    *label_owner_ref.identity_labels(),
+                    f"{label_to_add}={value}",
+                ])
+                if not dry_run:
+                    add_label(
+                        ocm_api=ocm_api,
+                        label_container_href=label_owner_ref.required_label_container_href(),
+                        label=label_to_add,
+                        value=value,
+                    )
+            for label_to_rm, value in diff_result.delete.items():
+                logging.info([
+                    "delete_label",
+                    *label_owner_ref.identity_labels(),
+                    f"{label_to_rm}={value}",
+                ])
+                if not dry_run:
+                    delete_label(
+                        ocm_api=ocm_api,
+                        label_container_href=label_owner_ref.required_label_container_href(),
+                        label=label_to_rm,
+                    )
+            for label_to_update, diff_pair in diff_result.change.items():
+                value = diff_pair.desired
+                logging.info([
+                    "update_label",
+                    *label_owner_ref.identity_labels(),
+                    f"{label_to_update}={value}",
+                ])
+                if not dry_run:
+                    update_label(
+                        ocm_api=ocm_api,
+                        label_container_href=label_owner_ref.required_label_container_href(),
+                        label=label_to_update,
+                        value=value,
+                    )
+
+    @defer
+    def run(self, dry_run: bool, defer: Callable | None = None) -> None:
+        """Run the integration."""
+        gql_api = gql.get_api()
+        clusters = self.get_clusters(gql_api.query)
+        environments = self.get_environments(gql_api.query)
+        ocm_apis = self.init_ocm_apis(environments, init_ocm_base_client)
+        if defer:
+            defer(lambda: [ocm_api.close() for ocm_api in ocm_apis.values()])  # type: ignore
+
+        current_state = self.fetch_current_state(
+            ocm_apis, clusters, managed_label_prefixes=[RHIDP_NAMESPACE_LABEL_KEY]
+        )
+        desired_state = self.fetch_desired_state(clusters)
+        self.reconcile(
+            dry_run=dry_run,
+            ocm_apis=ocm_apis,
+            current_state=current_state,
+            desired_state=desired_state,
+        )

reconcile/gql_definitions/cluster_auth_rhidp/clusters.py

@@ -0,0 +1,127 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+from reconcile.gql_definitions.fragments.ocm_environment import OCMEnvironment
+
+
+DEFINITION = """
+fragment OCMEnvironment on OpenShiftClusterManagerEnvironment_v1 {
+    name
+    labels
+    url
+    accessTokenClientId
+    accessTokenUrl
+    accessTokenClientSecret {
+        ... VaultSecret
+    }
+}
+
+fragment VaultSecret on VaultSecret_v1 {
+    path
+    field
+    version
+    format
+}
+
+query ClusterAuthRhidp {
+  clusters: clusters_v1 {
+    name
+    spec {
+      id
+    }
+    ocm {
+      environment {
+        ...OCMEnvironment
+      }
+      orgId
+    }
+    disable {
+      integrations
+    }
+    auth {
+      service
+      ... on ClusterAuthRHIDP_v1 {
+        name
+        status
+        issuer
+      }
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class ClusterSpecV1(ConfiguredBaseModel):
+    q_id: Optional[str] = Field(..., alias="id")
+
+
+class OpenShiftClusterManagerV1(ConfiguredBaseModel):
+    environment: OCMEnvironment = Field(..., alias="environment")
+    org_id: str = Field(..., alias="orgId")
+
+
+class DisableClusterAutomationsV1(ConfiguredBaseModel):
+    integrations: Optional[list[str]] = Field(..., alias="integrations")
+
+
+class ClusterAuthV1(ConfiguredBaseModel):
+    service: str = Field(..., alias="service")
+
+
+class ClusterAuthRHIDPV1(ClusterAuthV1):
+    name: str = Field(..., alias="name")
+    status: Optional[str] = Field(..., alias="status")
+    issuer: Optional[str] = Field(..., alias="issuer")
+
+
+class ClusterV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    spec: Optional[ClusterSpecV1] = Field(..., alias="spec")
+    ocm: Optional[OpenShiftClusterManagerV1] = Field(..., alias="ocm")
+    disable: Optional[DisableClusterAutomationsV1] = Field(..., alias="disable")
+    auth: list[Union[ClusterAuthRHIDPV1, ClusterAuthV1]] = Field(..., alias="auth")
+
+
+class ClusterAuthRhidpQueryData(ConfiguredBaseModel):
+    clusters: Optional[list[ClusterV1]] = Field(..., alias="clusters")
+
+
+def query(query_func: Callable, **kwargs: Any) -> ClusterAuthRhidpQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        ClusterAuthRhidpQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return ClusterAuthRhidpQueryData(**raw_data)

reconcile/gql_definitions/common/clusters_minimal.py

@@ -80,6 +80,9 @@ query ClustersMinimal($name: String) {
       ... on ClusterAuthOIDC_v1 {
         name
       }
+      ... on ClusterAuthRHIDP_v1 {
+        name
+      }
     }
   }
 }
@@ -121,6 +124,10 @@ class ClusterAuthOIDCV1(ClusterAuthV1):
     name: str = Field(..., alias="name")
 
 
+class ClusterAuthRHIDPV1(ClusterAuthV1):
+    name: str = Field(..., alias="name")
+
+
 class ClusterV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     server_url: str = Field(..., alias="serverUrl")
@@ -136,7 +143,7 @@ class ClusterV1(ConfiguredBaseModel):
     cluster_admin_automation_token: Optional[VaultSecret] = Field(..., alias="clusterAdminAutomationToken")
     internal: Optional[bool] = Field(..., alias="internal")
     disable: Optional[DisableClusterAutomationsV1] = Field(..., alias="disable")
-    auth: list[Union[ClusterAuthGithubOrgTeamV1, ClusterAuthGithubOrgV1, ClusterAuthOIDCV1, ClusterAuthV1]] = Field(..., alias="auth")
+    auth: list[Union[ClusterAuthGithubOrgTeamV1, ClusterAuthGithubOrgV1, ClusterAuthOIDCV1, ClusterAuthRHIDPV1, ClusterAuthV1]] = Field(..., alias="auth")
 
 
 class ClustersMinimalQueryData(ConfiguredBaseModel):

reconcile/ocm_labels/integration.py

@@ -27,17 +27,18 @@ from reconcile.gql_definitions.ocm_labels.organizations import OpenShiftClusterM
 from reconcile.gql_definitions.ocm_labels.organizations import (
     query as organization_query,
 )
-from reconcile.ocm_labels.label_sources import (
-    ClusterRef,
-    LabelSource,
-    LabelState,
-    OrgRef,
-)
 from reconcile.utils import gql
+from reconcile.utils.defer import defer
 from reconcile.utils.differ import diff_mappings
 from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.helpers import flatten
 from reconcile.utils.ocm.clusters import discover_clusters_for_organizations
+from reconcile.utils.ocm.label_sources import (
+    ClusterRef,
+    LabelSource,
+    LabelState,
+    OrgRef,
+)
 from reconcile.utils.ocm.labels import (
     add_label,
     build_organization_labels_href,
@@ -138,14 +139,16 @@ class OcmLabelsIntegration(QontractReconcileIntegration[OcmLabelsIntegrationPara
         # of the desired state is sufficient
         return {"hash": DeepHash(desired).get(desired)}
 
-    def run(self, dry_run: bool) -> None:
+    @defer
+    def run(self, dry_run: bool, defer: Callable | None = None) -> None:
         gqlapi = gql.get_api()
-        self.get_early_exit_desired_state()
         clusters = self.get_clusters(gqlapi.query)
         organizations = self.get_organizations(gqlapi.query)
         environments = self.get_environments(gqlapi.query)
 
         self.ocm_apis = self.init_ocm_apis(environments, init_ocm_base_client)
+        if defer:
+            defer(lambda: [ocm_api.close() for ocm_api in self.ocm_apis.values()])  # type: ignore
 
         # organization labels
         orgs_current_state, orgs_desired_state = self.fetch_organization_label_states(

reconcile/openshift_base.py

@@ -1313,6 +1313,7 @@ def determine_user_keys_for_access(
         "github-org": "github_username",
         "github-org-team": "github_username",
         "oidc": "org_username",
+        "rhidp": "org_username",
     }
     user_keys: list[str] = []
 

reconcile/openshift_users.py

@@ -18,6 +18,7 @@ from reconcile import (
 )
 from reconcile.gql_definitions.common.clusters_minimal import (
     ClusterAuthOIDCV1,
+    ClusterAuthRHIDPV1,
     ClusterV1,
 )
 from reconcile.typed_queries.app_interface_vault_settings import (
@@ -51,7 +52,7 @@ def get_cluster_users(
     identity_prefixes = ["github"]
 
     for auth in cluster_info.auth:
-        if isinstance(auth, ClusterAuthOIDCV1):
+        if isinstance(auth, (ClusterAuthOIDCV1, ClusterAuthRHIDPV1)):
             identity_prefixes.append(auth.name)
 
     for u in oc.get_users():

reconcile/statuspage/atlassian.py

@@ -7,7 +7,6 @@ from typing import (
 )
 
 import requests
-import statuspageio  # type: ignore
 from pydantic import BaseModel
 from requests import Response
 from sretoolbox.utils import retry
@@ -49,14 +48,9 @@ class AtlassianAPI(Protocol):
     def delete_component(self, id: str) -> None: ...
 
 
-class LegacyLibAtlassianAPI:
+class AtlassianRESTAPI:
     """
-    This API class wraps the statuspageio python library for basic component operations.
-    This class is named Legacy for a couple reasons:
-    * the underlying library is not maintained anymore
-    * the library has no type annotated
-    * the library does not support pagination which becomes important for this API
-    Therefore this lib will be replaced by a think wrapper based on uplink in an upcoming PR.
+    This API class wraps the statuspageio REST API for basic component operations.
     """
 
     def __init__(self, page_id: str, api_url: str, token: str):
@@ -64,9 +58,6 @@ class LegacyLibAtlassianAPI:
         self.api_url = api_url
         self.token = token
         self.auth_headers = {"Authorization": f"OAuth {self.token}"}
-        self._client = statuspageio.Client(
-            api_key=self.token, page_id=self.page_id, organization_id="unset"
-        )
 
     @retry(max_attempts=10)
     def _do_get(self, url: str, params: dict[str, Any]) -> Response:
@@ -96,14 +87,22 @@ class LegacyLibAtlassianAPI:
         return all_components
 
     def update_component(self, id: str, data: dict[str, Any]) -> None:
-        self._client.components.update(id, **data)
+        url = f"{self.api_url}/v1/pages/{self.page_id}/components/{id}"
+        requests.patch(
+            url, json={"component": data}, headers=self.auth_headers
+        ).raise_for_status()
 
     def create_component(self, data: dict[str, Any]) -> str:
-        result = self._client.components.create(**data)
-        return result["id"]
+        url = f"{self.api_url}/v1/pages/{self.page_id}/components"
+        response = requests.post(
+            url, json={"component": data}, headers=self.auth_headers
+        )
+        response.raise_for_status()
+        return response.json()["id"]
 
     def delete_component(self, id: str) -> None:
-        self._client.components.delete(id)
+        url = f"{self.api_url}/v1/pages/{self.page_id}/components/{id}"
+        requests.delete(url, headers=self.auth_headers).raise_for_status()
 
 
 class AtlassianStatusPageProvider(StatusPageProvider):
@@ -364,7 +363,7 @@ def init_provider_for_page(
     """
     return AtlassianStatusPageProvider(
         page_name=page.name,
-        api=LegacyLibAtlassianAPI(
+        api=AtlassianRESTAPI(
             page_id=page.page_id,
             api_url=page.api_url,
             token=token,

reconcile/utils/saasherder/saasherder.py

@@ -95,6 +95,7 @@ TARGET_CONFIG_HASH = "target_config_hash"
 
 
 UNIQUE_SAAS_FILE_ENV_COMBO_LEN = 56
+REQUEST_TIMEOUT = 60
 
 
 def is_commit_sha(ref: str) -> bool:
@@ -1159,6 +1160,7 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                         username=username,
                         password=password,
                         auth_server=image_auth.auth_server,
+                        timeout=REQUEST_TIMEOUT,
                     )
 
         # basic auth fallback for backwards compatibility
@@ -1168,6 +1170,7 @@ class SaasHerder:  # pylint: disable=too-many-public-methods
                 username=image_auth.username,
                 password=image_auth.password,
                 auth_server=image_auth.auth_server,
+                timeout=REQUEST_TIMEOUT,
             )
         except Exception as e:
             logging.error(

tools/qontract_cli.py

@@ -32,7 +32,6 @@ from rich.console import (
 )
 from rich.table import Table
 from rich.tree import Tree
-from sretoolbox.utils import threaded
 
 import reconcile.aus.base as aus
 import reconcile.openshift_base as ob
@@ -1197,69 +1196,6 @@ def clusters_aws_account_ids(ctx):
     print_output(ctx.obj["options"], results, columns)
 
 
-@get.command()
-@click.pass_context
-def terraform_users_credentials(ctx) -> None:
-    credentials = []
-    state = init_state(integration="account-notifier")
-
-    skip_accounts, appsre_pgp_key, _ = tfu.get_reencrypt_settings()
-
-    if skip_accounts:
-        accounts, working_dirs, _, aws_api = tfu.setup(
-            False,
-            1,
-            skip_accounts,
-            account_name=None,
-            appsre_pgp_key=appsre_pgp_key,
-        )
-
-        tf = Terraform(
-            tfu.QONTRACT_INTEGRATION,
-            tfu.QONTRACT_INTEGRATION_VERSION,
-            tfu.QONTRACT_TF_PREFIX,
-            accounts,
-            working_dirs,
-            10,
-            aws_api,
-            init_users=True,
-        )
-        for account, output in tf.outputs.items():
-            if account in skip_accounts:
-                user_passwords = tf.format_output(output, tf.OUTPUT_TYPE_PASSWORDS)
-                console_urls = tf.format_output(output, tf.OUTPUT_TYPE_CONSOLEURLS)
-                for user_name, enc_password in user_passwords.items():
-                    item = {
-                        "account": account,
-                        "console_url": console_urls[account],
-                        "user_name": user_name,
-                        "encrypted_password": enc_password,
-                    }
-                    credentials.append(item)
-
-    secrets = state.ls()
-
-    def _get_secret(secret_key: str):
-        if secret_key.startswith("/output/"):
-            secret_data = state.get(secret_key[1:])
-            if secret_data["account"] not in skip_accounts:
-                return secret_data
-        return None
-
-    secret_result = threaded.run(
-        _get_secret,
-        secrets,
-        10,
-    )
-
-    for secret in secret_result:
-        if secret and secret["account"] not in skip_accounts:
-            credentials.append(secret)
-
-    columns = ["account", "console_url", "user_name", "encrypted_password"]
-    print_output(ctx.obj["options"], credentials, columns)
-
-
 @root.command()
 @click.argument("account_name")
 @click.pass_context