qontract-reconcile 0.10.1rc972__py3-none-any.whl → 0.10.1rc974__py3-none-any.whl

{qontract_reconcile-0.10.1rc972.dist-info → qontract_reconcile-0.10.1rc974.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc972
+Version: 0.10.1rc974
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc972.dist-info → qontract_reconcile-0.10.1rc974.dist-info}/RECORD

@@ -83,7 +83,7 @@ reconcile/openshift_saas_deploy_trigger_configs.py,sha256=eUejMGWuaQabZTLuvPLLvR
 reconcile/openshift_saas_deploy_trigger_images.py,sha256=iUsiBGJf-CyFw7tSLWo59rXmSvsVnN6TTaAObbsVpNg,936
 reconcile/openshift_saas_deploy_trigger_moving_commits.py,sha256=fpanSH-EGH15C9me--0VSpcpaw9BY4RTb8_mPtsSZGc,942
 reconcile/openshift_saas_deploy_trigger_upstream_jobs.py,sha256=0CjfeVQE0QrRrOVuTxkXvBUdKNtYLYuX4mZRB48PQ9g,940
-reconcile/openshift_serviceaccount_tokens.py,sha256=9zNSMEHwcaGWy4H-OLkk0zLw80CYTBnLVEZKB_xq6Ew,7331
+reconcile/openshift_serviceaccount_tokens.py,sha256=ha3I7gk5C0Y-gD5_h-jvSheM2JamCx4KuihHpsaipUU,8840
 reconcile/openshift_tekton_resources.py,sha256=jKH5nw84aeYkgikxjQnjSOSF3m2kk3lp2BaPd3FfTew,16220
 reconcile/openshift_upgrade_watcher.py,sha256=9IB321hlRZZhzdaR9G3zoWAhVv0-KzNiEqx73p3-wmk,6539
 reconcile/openshift_users.py,sha256=63mar-swgidz8f10TCPJcofbMN9FETq-HuVFpi8dUL4,5293
@@ -316,7 +316,7 @@ reconcile/gql_definitions/glitchtip/glitchtip_project.py,sha256=AojrkCDGbVjY0TOk
 reconcile/gql_definitions/glitchtip_project_alerts/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/glitchtip_project_alerts/glitchtip_project.py,sha256=Pv6RcuIzpNmGc43eEq64nnKG0Dr7H0wjy5Xg1_oRltM,5197
 reconcile/gql_definitions/integrations/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/integrations/integrations.py,sha256=LfpgVbCCCk20ohwP5pDea5fwxMFGrcgE6J_WHBuGqek,11595
+reconcile/gql_definitions/integrations/integrations.py,sha256=HosEgRUlAkxLNoj2cnq3mrTdWDn9UvbNmtz6OcweIYk,11668
 reconcile/gql_definitions/jenkins_configs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/jenkins_configs/jenkins_configs.py,sha256=0nMkH0G-AjQwu53fqHykth6X6jjbHdW2hBp5n7N-r24,2766
 reconcile/gql_definitions/jenkins_configs/jenkins_instances.py,sha256=b3gYVzQavxeLe4jSM5ZxrO77Vvs7kOljVOXEkTO943U,2165
@@ -530,7 +530,7 @@ reconcile/test/test_openshift_resources_base.py,sha256=LtlR9x3o7KkSEw0JN0fZhinFe
 reconcile/test/test_openshift_saas_deploy.py,sha256=3QXMrN9dXIiR0JktVDNQ7yJSexMTjZLb1tbRrB3-7uU,5991
 reconcile/test/test_openshift_saas_deploy_change_tester.py,sha256=1yVe54Hx9YdVjn6qdnKge5Sa_s732c-8uZqCnuT1gGI,12871
 reconcile/test/test_openshift_saas_deploy_trigger_cleaner.py,sha256=UQx1iJ21rsMa2whG-rtUIuTXbUzc0Ngr7jRLKXZCCCI,2838
-reconcile/test/test_openshift_serviceaccount_tokens.py,sha256=btaI8Au5XdZXXHtQfFPA8bGSTrXReC8ywJKUjaIQc-A,7341
+reconcile/test/test_openshift_serviceaccount_tokens.py,sha256=tpCJMJw2nkaJQjTPCajd_0CZ1yivdV2qWJFCytPuyDo,8923
 reconcile/test/test_openshift_tekton_resources.py,sha256=RtRWsdm51S13OSkENC9nY_rOH0QELSCaO5tjF0XqIDI,11222
 reconcile/test/test_openshift_upgrade_watcher.py,sha256=0GDQ_YFHIX8DbkbDYSuLv9uZeeg4NwP1vlOqvSaZvN4,7183
 reconcile/test/test_prometheus_rules_tester.py,sha256=cgVkPM3KcAw69bOkJ6iR2Lfog_WgblyoqVRtXv4ly7o,5685
@@ -820,7 +820,7 @@ tools/app_interface_metrics_exporter.py,sha256=zkwkxdAUAxjdc-pzx2_oJXG25fo0Fnyd5
 tools/app_interface_reporter.py,sha256=uy9eRHf6EdvD8ZY2WYdroGXm18DOdnqVZyxaWN3Bm_0,17724
 tools/glitchtip_access_reporter.py,sha256=oPBnk_YoDuljU3v0FaChzOwwnk4vap1xEE67QEjzdqs,2948
 tools/glitchtip_access_revalidation.py,sha256=8kbBJk04mkq28kWoRDDkfCGIF3GRg3pJrFAh1sW0dbk,2821
-tools/qontract_cli.py,sha256=XPna9b9Khpj81uJJBL6KIHhIPYoDKeMi5jBuNTNGGrM,124486
+tools/qontract_cli.py,sha256=S5oiRXYf_k47ovhoB4RIF7ysgqzaBp3CooTqBKg21mg,126061
 tools/sd_app_sre_alert_report.py,sha256=e9vAdyenUz2f5c8-z-5WY0wv-SJ9aePKDH2r4IwB6pc,5063
 tools/template_validation.py,sha256=qpKYaTgk0GOPGa2Ct5_5sKdwIHtCAKIBGzsMPuJU5fw,3371
 tools/cli_commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -851,8 +851,8 @@ tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jr
 tools/test/test_saas_promotion_state.py,sha256=dy4kkSSAQ7bC0Xp2CociETGN-2aABEfL6FU5D9Jl00Y,6056
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc972.dist-info/METADATA,sha256=xWOaHmFbbnZOTavYlu2Vm9acmJ3tUubkXEJ37diSsT8,2262
-qontract_reconcile-0.10.1rc972.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc972.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc972.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc972.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc974.dist-info/METADATA,sha256=94eluuqiBo17X4lkF_9R7aWCwxh250QExPnHgaFnazU,2262
+qontract_reconcile-0.10.1rc974.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc974.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc974.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc974.dist-info/RECORD,,

reconcile/gql_definitions/integrations/integrations.py

@@ -72,6 +72,7 @@ query Integrations {
         }
         cluster {
           name
+          labels
           serverUrl
           insecureSkipTLSVerify
           jumpHost {
@@ -210,6 +211,7 @@ class EnvironmentV1(ConfiguredBaseModel):
 
 class ClusterV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
+    labels: Optional[Json] = Field(..., alias="labels")
     server_url: str = Field(..., alias="serverUrl")
     insecure_skip_tls_verify: Optional[bool] = Field(..., alias="insecureSkipTLSVerify")
     jump_host: Optional[CommonJumphostFields] = Field(..., alias="jumpHost")

reconcile/openshift_serviceaccount_tokens.py

@@ -1,4 +1,5 @@
 import logging
+import random
 import sys
 from collections.abc import Callable, Iterable
 
@@ -35,6 +36,31 @@ def construct_sa_token_oc_resource(name: str, sa_token: str) -> OR:
     )
 
 
+def service_account_token_request(name: str) -> OR:
+    """Create a service account token secret for a given service account."""
+    body = {
+        "apiVersion": "v1",
+        "kind": "Secret",
+        "type": "kubernetes.io/service-account-token",
+        "metadata": {
+            # service-account-name-<random-number>
+            "name": f"{name}-token-{random.randrange(99999):05d}",
+            "annotations": {
+                "kubernetes.io/service-account.name": name,
+            },
+        },
+    }
+    return OR(
+        body,
+        # We are marking this token secret as "unmanaged" because we just want to create it
+        # and not manage it in the future.
+        # Openshift will delete this token secret automatically if the service account is deleted.
+        f"{QONTRACT_INTEGRATION}-unmanaged",
+        QONTRACT_INTEGRATION_VERSION,
+        error_details=name,
+    )
+
+
 def get_tokens_for_service_account(
     service_account: str, tokens: list[dict]
 ) -> list[dict]:
@@ -79,6 +105,21 @@ def fetch_desired_state(
                 sa_tokens = get_tokens_for_service_account(
                     sat.service_account_name, namespace_secrets
                 )
+                if not sa_tokens:
+                    # OpenShfit 4.16+ does not automatically create service account tokens anymore so we need to create them manually.
+                    logging.info(
+                        f"[{sat.namespace.cluster.name}/{sat.namespace.name}] Creating token for service account: {sat.service_account_name}"
+                    )
+                    # Be aware: The secret won't be created by OpenShift as long as the service account doesn't exist.
+                    ri.add_desired_resource(
+                        cluster=sat.namespace.cluster.name,
+                        namespace=sat.namespace.name,
+                        resource=service_account_token_request(
+                            sat.service_account_name
+                        ),
+                    )
+                    continue
+
                 sa_tokens.sort(key=lambda t: t["metadata"]["name"])
                 # take the first token found
                 sa_token = sa_tokens[0]["data"]["token"]
@@ -87,11 +128,6 @@ def fetch_desired_state(
                     f"[{sat.namespace.cluster.name}/{sat.namespace.name}] Token not found for service account: {sat.service_account_name}"
                 )
                 raise
-            except IndexError:
-                logging.error(
-                    f"[{sat.namespace.cluster.name}/{sat.namespace.name}] 0 Secret found for service account: {sat.service_account_name}"
-                )
-                raise
 
             oc_resource = construct_sa_token_oc_resource(
                 name=(

reconcile/test/test_openshift_serviceaccount_tokens.py

@@ -7,11 +7,13 @@ from pytest_mock import MockerFixture
 
 from reconcile.gql_definitions.openshift_serviceaccount_tokens.tokens import NamespaceV1
 from reconcile.openshift_serviceaccount_tokens import (
+    QONTRACT_INTEGRATION,
     canonicalize_namespaces,
     construct_sa_token_oc_resource,
     fetch_desired_state,
     get_namespaces_with_serviceaccount_tokens,
     get_tokens_for_service_account,
+    service_account_token_request,
     write_outputs_to_vault,
 )
 from reconcile.test.fixtures import Fixtures
@@ -50,7 +52,19 @@ def namespaces(query_func: Callable) -> list[NamespaceV1]:
 def ri(namespaces: list[NamespaceV1]) -> ResourceInventory:
     _ri = ResourceInventory()
     _ri.initialize_resource_type(
-        cluster="cluster", namespace="namespace", resource_type="Secret"
+        cluster="cluster",
+        namespace="namespace",
+        resource_type="Secret",
+    )
+    _ri.initialize_resource_type(
+        cluster="another-cluster",
+        namespace="platform-changelog-stage",
+        resource_type="Secret",
+    )
+    _ri.initialize_resource_type(
+        cluster="another-cluster",
+        namespace="with-openshift-serviceaccount-tokens",
+        resource_type="Secret",
     )
     for ns in namespaces:
         _ri.initialize_resource_type(
@@ -226,3 +240,41 @@ def test_openshift_serviceaccount_tokens__fetch_desired_state(
             "desired"
         ]
     )
+
+
+def test_openshift_serviceaccount_tokens__fetch_desired_state_create_token(
+    mocker: MockerFixture, namespaces: list[NamespaceV1], ri: ResourceInventory
+) -> None:
+    oc_map = mocker.create_autospec(OC_Map)
+    oc = mocker.create_autospec(OCCli)
+    oc_map.get.return_value = oc
+    oc.get_items.return_value = []
+
+    fetch_desired_state(
+        namespaces=[namespaces[0]],
+        ri=ri,
+        oc_map=oc_map,
+    )
+
+    assert (
+        len(
+            ri._clusters["cluster"]["with-openshift-serviceaccount-tokens"]["Secret"][
+                "desired"
+            ].keys()
+        )
+        == 1
+    )
+    r = list(
+        ri._clusters["cluster"]["with-openshift-serviceaccount-tokens"]["Secret"][
+            "desired"
+        ].values()
+    )[0]
+    assert r.body["type"] == "kubernetes.io/service-account-token"
+
+
+def test_openshift_serviceaccount_tokens__service_account_token_request() -> None:
+    resource = service_account_token_request("grafana")
+    assert resource.name.startswith("grafana-")
+    assert resource.body["type"] == "kubernetes.io/service-account-token"
+    assert resource.kind == "Secret"
+    assert resource.integration != QONTRACT_INTEGRATION

tools/qontract_cli.py

@@ -71,6 +71,7 @@ from reconcile.gql_definitions.common.app_interface_vault_settings import (
     AppInterfaceSettingsV1,
 )
 from reconcile.gql_definitions.fragments.aus_organization import AUSOCMOrganization
+from reconcile.gql_definitions.integrations import integrations as integrations_gql
 from reconcile.gql_definitions.maintenance import maintenances as maintenances_gql
 from reconcile.jenkins_job_builder import init_jjb
 from reconcile.slack_base import slackapi_from_queries
@@ -2728,6 +2729,49 @@ def systems_and_tools(ctx):
     print_output(ctx.obj["options"], inventory.data, inventory.columns)
 
 
+@get.command(short_help="get integration logs")
+@click.argument("integration_name")
+@click.option(
+    "--environment_name", default="production", help="environment to get logs from"
+)
+@click.pass_context
+def logs(ctx, integration_name: str, environment_name: str):
+    integrations = [
+        i
+        for i in integrations_gql.query(query_func=gql.get_api().query).integrations
+        or []
+        if i.name == integration_name
+    ]
+    if not integrations:
+        print("integration not found")
+        return
+    integration = integrations[0]
+    vault_settings = get_app_interface_vault_settings()
+    secret_reader = create_secret_reader(use_vault=vault_settings.vault)
+    managed = integration.managed
+    if not managed:
+        print("integration is not managed")
+        return
+    namespaces = [
+        m.namespace
+        for m in managed
+        if m.namespace.cluster.labels
+        and m.namespace.cluster.labels.get("environment") == environment_name
+    ]
+    if not namespaces:
+        print(f"no managed {environment_name} namespace found")
+        return
+    namespace = namespaces[0]
+    cluster = namespaces[0].cluster
+    if not cluster.automation_token:
+        print("cluster automation token not found")
+        return
+    token = secret_reader.read_secret(cluster.automation_token)
+
+    command = f"oc --server {cluster.server_url} --token {token} --namespace {namespace.name} logs -c int -l app=qontract-reconcile-{integration.name}"
+    print(command)
+
+
 @get.command
 @click.pass_context
 def jenkins_jobs(ctx):