qontract-reconcile 0.10.2.dev109__py3-none-any.whl → 0.10.2.dev111__py3-none-any.whl

{qontract_reconcile-0.10.2.dev109.dist-info → qontract_reconcile-0.10.2.dev111.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev109
+Version: 0.10.2.dev111
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev109.dist-info → qontract_reconcile-0.10.2.dev111.dist-info}/RECORD

@@ -10,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=q96mwr2KeEQ5bpNniGlgIMZTxiuLSodcYfX-t
 reconcile/aws_support_cases_sos.py,sha256=hl_9L53yQYRQxKs3IWrd69Cc60XK067g_bJRM9B0udo,2975
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=O1wFp52EyF538c6txaWBs8eMtUIy19gyHZ6VzJ6QXS8,3512
 reconcile/checkpoint.py,sha256=_JhMxrye5BgkRMxWYuf7Upli6XayPINKSsuo3ynHTRc,5010
-reconcile/cli.py,sha256=MRdXMNRMBk0e4kv-ctHyYtDD5kAKnT8j6_wiTlWkrQo,107736
+reconcile/cli.py,sha256=hwqPcZVmazrhzq1esPBk5jNHSzpfr7o9EmuuMqiPxfg,108430
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=MvGKBqH9PdHWdMjhLuptze-dk0Tifhp3-0SZdI-7Fmo,4862
 reconcile/cluster_deployment_mapper.py,sha256=5gumAaRCcFXsabUJ1dnuUy9WrP_FEEM5JnOnE8ch9sE,2326
 reconcile/dashdotdb_base.py,sha256=83ZWIf5JJk3P_D69y2TmXRcQr6ELJGlv10OM0h7fJVs,4767
@@ -139,6 +139,9 @@ reconcile/aus/version_gates/handler.py,sha256=S_isQPYHbG4DERiUEvQBZ6ngiFX3uMmATA
 reconcile/aus/version_gates/ingress_gate_handler.py,sha256=ZCtyggBzzcb0prtdbMpJsVkj5leYN-vS7srM9vbq9xo,1096
 reconcile/aus/version_gates/ocp_gate_handler.py,sha256=RW1ppDaCZXVegV9AzzqYXxDUu_Z_7d43Z5h2Pk_piKc,716
 reconcile/aus/version_gates/sts_version_gate_handler.py,sha256=swwwz0YyvrEBf_InqrRRBCt2QzHYNvvq8jz9aYwElh4,3663
+reconcile/automated_actions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/automated_actions/config/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/automated_actions/config/integration.py,sha256=cf1VxolcjlGP-xO7IIH5A00Qr4znNJTT7a_sU18ABig,10755
 reconcile/aws_account_manager/README.md,sha256=_XFM3GZNHUzv--e_navqJuaUWpjC6QrHfulreHynFf0,262
 reconcile/aws_account_manager/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/aws_account_manager/integration.py,sha256=WOE_mi45pvJW4TNKh4mCGSViJiElH--T4Wg0CLMYxpY,14988
@@ -224,7 +227,7 @@ reconcile/glitchtip_project_alerts/integration.py,sha256=BgMx-NyV9mTuv7Sotb2OioC
 reconcile/glitchtip_project_dsn/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/glitchtip_project_dsn/integration.py,sha256=2iugub-kHYkHNK33n0v9_TeWonuxCPah_VkoTPvaajE,8077
 reconcile/gql_definitions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/introspection.json,sha256=rgLJjGZJ-r-f_d74-1HNqf2X1EwNUjtB8gwbuMSfZEI,2249822
+reconcile/gql_definitions/introspection.json,sha256=Qzf2HgsfNMLNW7EBIpdB4MX-6DjIdXOHtjVzdiBmczQ,2280010
 reconcile/gql_definitions/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/acs_instances.py,sha256=L91WW9LbhJbBSrECqShQpFtjoBOsmNIYLRpMbx1io5o,2181
 reconcile/gql_definitions/acs/acs_policies.py,sha256=bN5i4mks10Z23KJSj7jqp966Osq2dps4d-sPH9gjxEA,7008
@@ -237,6 +240,8 @@ reconcile/gql_definitions/app_interface_metrics_exporter/onboarding_status.py,sh
 reconcile/gql_definitions/app_sre_tekton_access_revalidation/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/app_sre_tekton_access_revalidation/roles.py,sha256=8Y4NsS5T7tumDWxY5MuoV50MK2i-DsLYSpCRjb7KaLE,2353
 reconcile/gql_definitions/app_sre_tekton_access_revalidation/users.py,sha256=XdVxBxiyTR6Cy939EHNw__0k7iWrZWlhrgS5DakST0I,2504
+reconcile/gql_definitions/automated_actions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/automated_actions/instance.py,sha256=D50v0exLeK5hvjQKvxQ5V-6DnYZo_L6cX_Gaf3PGREs,5491
 reconcile/gql_definitions/aws_account_manager/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/aws_account_manager/aws_accounts.py,sha256=JdqtE3gMpeodymPJST-aFVkYP_MO--_CcwjF070R5Cs,4883
 reconcile/gql_definitions/aws_ami_cleanup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -630,7 +635,7 @@ reconcile/utils/parse_dhms_duration.py,sha256=TONpLnec5gHeF7k815YNJpQyDjXhkxZIcv
 reconcile/utils/password_validator.py,sha256=XwuWg-8CPlcuG7dl_oQ1G1h2gSVSnfMym_VkuprpWVg,2183
 reconcile/utils/prometheus.py,sha256=Ad0rwLbxRuuYjHwkwJloHEdK0bvy42h-p-HIT1DhDhs,3832
 reconcile/utils/promotion_state.py,sha256=McSgGj3oog83ThJCrMR2v8q6Xb_Pxij-HEe_RbDu8cg,3946
-reconcile/utils/promtool.py,sha256=qOWgRY9-HgfTAcQz8NnLfnZn2WtCAvRAr85YQRXvMSA,2831
+reconcile/utils/promtool.py,sha256=xmPBWEApkk0L2qZBAvTxakNXxfTz-tVLPFxGnpsxXnM,2831
 reconcile/utils/quay_api.py,sha256=uE_jxcdy3ViHtYFAfwDQuFDaO7Pr6AAPoVnmORbyHio,7822
 reconcile/utils/raw_github_api.py,sha256=2WKtE8ABYYB9UGOAh9N_kLkksBWL3320Z2_scteZddI,2805
 reconcile/utils/repo_owners.py,sha256=BHrAXxKyvn4qWJwFPWYGTtfgnLmYnWtYFEJGFeD__FE,6573
@@ -786,7 +791,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=UfwwRLS5Ya4_Nh1w5n1dvoYtchQvYE9yj1VANt2IKqI,3925
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev109.dist-info/METADATA,sha256=keuME2MAvfe3rMs380B66x0Hz4lTocctk1VCA_xcnFA,24566
-qontract_reconcile-0.10.2.dev109.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev109.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev109.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev111.dist-info/METADATA,sha256=Md2jyCPz6LwUfZ7bX6OjsZyLcD2I_z7JpH5SAKt_Zl0,24566
+qontract_reconcile-0.10.2.dev111.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev111.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev111.dist-info/RECORD,,

reconcile/automated_actions/config/integration.py

@@ -0,0 +1,300 @@
+import logging
+from collections.abc import (
+    Callable,
+    Generator,
+    Iterable,
+)
+from typing import Any
+
+import yaml
+from kubernetes.client import (  # type: ignore[attr-defined]
+    ApiClient,
+    V1ConfigMap,
+    V1ObjectMeta,
+)
+from pydantic import BaseModel
+
+import reconcile.openshift_base as ob
+from reconcile.gql_definitions.automated_actions.instance import (
+    AutomatedActionArgumentOpenshiftV1,
+    AutomatedActionArgumentV1,
+    AutomatedActionsInstanceV1,
+    PermissionAutomatedActionsV1,
+)
+from reconcile.gql_definitions.automated_actions.instance import query as instance_query
+from reconcile.utils import expiration, gql
+from reconcile.utils.defer import defer
+from reconcile.utils.disabled_integrations import integration_is_enabled
+from reconcile.utils.oc import OCCli
+from reconcile.utils.oc_map import init_oc_map_from_namespaces
+from reconcile.utils.openshift_resource import OpenshiftResource, ResourceInventory
+from reconcile.utils.runtime.integration import (
+    PydanticRunParams,
+    QontractReconcileIntegration,
+)
+from reconcile.utils.semver_helper import make_semver
+
+QONTRACT_INTEGRATION = "automated-actions-config"
+QONTRACT_INTEGRATION_VERSION = make_semver(0, 1, 0)
+
+
+class AutomatedActionsConfigIntegrationParams(PydanticRunParams):
+    thread_pool_size: int
+    use_jump_host: bool
+    internal: bool | None = None
+    configmap_name: str = "automated-actions-policy"
+
+
+class AutomatedActionsUser(BaseModel):
+    username: str
+    roles: set[str]
+
+
+class AutomatedActionsPolicy(BaseModel):
+    sub: str
+    obj: str
+    params: dict[str, str] = {}
+
+
+AutomatedActionRoles = dict[str, list[AutomatedActionsPolicy]]
+
+
+class AutomatedActionsConfigIntegration(
+    QontractReconcileIntegration[AutomatedActionsConfigIntegrationParams]
+):
+    """Manage LDAP groups based on App-Interface roles."""
+
+    @property
+    def name(self) -> str:
+        return QONTRACT_INTEGRATION
+
+    def get_early_exit_desired_state(
+        self, query_func: Callable | None = None
+    ) -> dict[str, Any]:
+        """Return the desired state for early exit."""
+        if not query_func:
+            query_func = gql.get_api().query
+        return {
+            "automated_actions_instances": [
+                c.dict() for c in self.get_automated_actions_instances(query_func)
+            ]
+        }
+
+    def get_automated_actions_instances(
+        self, query_func: Callable
+    ) -> Generator[AutomatedActionsInstanceV1, None, None]:
+        """Return all automated actions."""
+        data = instance_query(query_func, variables={})
+        for instance in data.automated_actions_instances_v1 or []:
+            if instance.deployment.delete:
+                continue
+            instance.permissions = list(
+                self.filter_permissions(instance.permissions or [])
+            )
+            yield instance
+
+    def is_enabled(self, argument: AutomatedActionArgumentV1) -> bool:
+        """Check if the integration is enabled for the given argument namespace."""
+        if isinstance(argument, AutomatedActionArgumentOpenshiftV1):
+            return (
+                integration_is_enabled("automated-actions", argument.namespace.cluster)
+                and not argument.namespace.delete
+            )
+        return True
+
+    def filter_permissions(
+        self, permissions: Iterable[PermissionAutomatedActionsV1]
+    ) -> Generator[PermissionAutomatedActionsV1, None, None]:
+        """Filter out expired roles and arguments (cluster.namespace) with disabled integrations."""
+        for permission in permissions:
+            # automated actions disabled for the cluster?
+            permission.arguments = [
+                arg for arg in permission.arguments or [] if self.is_enabled(arg)
+            ]
+            # remove expired roles
+            permission.roles = expiration.filter(permission.roles)
+            if not permission.roles:
+                continue
+            yield permission
+
+    def compile_users(
+        self, permissions: Iterable[PermissionAutomatedActionsV1]
+    ) -> list[AutomatedActionsUser]:
+        """Compile all automated actions roles."""
+        users: dict[str, AutomatedActionsUser] = {}
+        for permission in permissions:
+            for role in permission.roles or []:
+                for user in (role.users or []) + (role.bots or []):
+                    if not user.org_username:
+                        continue
+                    aa_user = users.setdefault(
+                        user.org_username,
+                        AutomatedActionsUser(username=user.org_username, roles=[]),
+                    )
+                    aa_user.roles.add(role.name)
+
+        return list(users.values())
+
+    def compile_roles(
+        self, permissions: Iterable[PermissionAutomatedActionsV1]
+    ) -> AutomatedActionRoles:
+        """Compile all automated actions policies."""
+        roles: AutomatedActionRoles = {}
+
+        for permission in permissions or []:
+            obj = permission.action.operation_id
+
+            parameters: list[dict[str, str]] = [] if permission.arguments else [{}]
+            for arg in permission.arguments or []:
+                match arg:
+                    case AutomatedActionArgumentOpenshiftV1():
+                        parameters.append({
+                            # all parameter values are regexes in the OPA policy
+                            # therefore, cluster and namespace must be fixed to the current strings
+                            "cluster": f"^{arg.namespace.cluster.name}$",
+                            "namespace": f"^{arg.namespace.name}$",
+                            "kind": arg.kind_pattern,
+                            "name": arg.name_pattern,
+                        })
+                    case _:
+                        raise NotImplementedError(
+                            f"Unsupported argument type: {arg.q_type}"
+                        )
+            for role in permission.roles or []:
+                aa_role = roles.setdefault(role.name, [])
+                aa_role.extend(
+                    AutomatedActionsPolicy(sub=role.name, obj=obj, params=params)
+                    for params in parameters
+                )
+        return roles
+
+    def build_policy_file(
+        self,
+        users: Iterable[AutomatedActionsUser],
+        roles: AutomatedActionRoles,
+    ) -> str:
+        """Build the automated actions casbin policy file."""
+        return yaml.dump(
+            {
+                "users": {user.username: sorted(user.roles) for user in users},
+                "roles": {
+                    role: [policy.dict() for policy in policies]
+                    for role, policies in roles.items()
+                },
+            },
+            sort_keys=True,
+        )
+
+    def build_desired_configmap(
+        self,
+        ri: ResourceInventory,
+        instance: AutomatedActionsInstanceV1,
+        name: str,
+        data: str,
+    ) -> None:
+        """Build the automated actions configmap."""
+        osr = OpenshiftResource(
+            body=ApiClient().sanitize_for_serialization(
+                V1ConfigMap(
+                    api_version="v1",
+                    kind="ConfigMap",
+                    metadata=V1ObjectMeta(name=name),
+                    data={"roles.yml": data},
+                )
+            ),
+            integration=QONTRACT_INTEGRATION,
+            integration_version=QONTRACT_INTEGRATION_VERSION,
+        ).annotate()
+        ri.initialize_resource_type(
+            cluster=instance.deployment.cluster.name,
+            namespace=instance.deployment.name,
+            resource_type=osr.kind,
+        )
+        ri.add_desired_resource(
+            cluster=instance.deployment.cluster.name,
+            namespace=instance.deployment.name,
+            resource=osr,
+        )
+
+    def fetch_current_configmap(
+        self,
+        ri: ResourceInventory,
+        instance: AutomatedActionsInstanceV1,
+        oc: OCCli,
+        name: str,
+    ) -> None:
+        """Fetch the current automated actions configmap."""
+        item = oc.get(
+            namespace=instance.deployment.name,
+            kind="ConfigMap",
+            name=name,
+            allow_not_found=True,
+        )
+        if not item:
+            return
+        osr = OpenshiftResource(
+            body=item,
+            integration=QONTRACT_INTEGRATION,
+            integration_version=QONTRACT_INTEGRATION_VERSION,
+        )
+        ri.add_current(
+            cluster=instance.deployment.cluster.name,
+            namespace=instance.deployment.name,
+            resource_type=osr.kind,
+            name=osr.name,
+            value=osr,
+        )
+
+    @defer
+    def run(self, dry_run: bool, defer: Callable | None = None) -> None:
+        """Run the integration."""
+        gql_api = gql.get_api()
+        instances = list(self.get_automated_actions_instances(gql_api.query))
+        if not instances:
+            logging.debug("No instances found.")
+            return
+
+        oc_map = init_oc_map_from_namespaces(
+            namespaces=[instance.deployment for instance in instances],
+            secret_reader=self.secret_reader,
+            integration=QONTRACT_INTEGRATION,
+            use_jump_host=self.params.use_jump_host,
+            thread_pool_size=self.params.thread_pool_size,
+            internal=self.params.internal,
+        )
+        if defer:
+            defer(oc_map.cleanup)
+        ri = ResourceInventory()
+
+        for instance in instances:
+            users = self.compile_users(instance.permissions or [])
+            policies = self.compile_roles(instance.permissions or [])
+            if not users and not policies:
+                logging.info(
+                    f"{instance.deployment.cluster.name}/{instance.deployment.name}: No enabled automated actions found. Skipping this instance!"
+                )
+                continue
+
+            self.build_desired_configmap(
+                ri=ri,
+                instance=instance,
+                name=self.params.configmap_name,
+                data=self.build_policy_file(users, policies),
+            )
+
+            oc = oc_map.get_cluster(instance.deployment.cluster.name)
+            if not oc.project_exists(instance.deployment.name):
+                logging.info(
+                    f"{instance.deployment.cluster.name}/{instance.deployment.name}: Namespace does not exist (yet). Skipping this instance!"
+                )
+                continue
+
+            self.fetch_current_configmap(
+                ri=ri,
+                instance=instance,
+                oc=oc,
+                name=self.params.configmap_name,
+            )
+
+        ob.publish_metrics(ri, QONTRACT_INTEGRATION)
+        ob.realize_data(dry_run, oc_map, ri, self.params.thread_pool_size)

reconcile/cli.py

@@ -3815,6 +3815,29 @@ def external_resources_secrets_sync(
     )
 
 
+@integration.command(short_help="Deploy the Automated Actions Config")
+@threaded()
+@internal()
+@use_jump_host()
+@click.pass_context
+def automated_actions_config(ctx, thread_pool_size, internal, use_jump_host):
+    from reconcile.automated_actions.config.integration import (
+        AutomatedActionsConfigIntegration,
+        AutomatedActionsConfigIntegrationParams,
+    )
+
+    run_class_integration(
+        integration=AutomatedActionsConfigIntegration(
+            AutomatedActionsConfigIntegrationParams(
+                thread_pool_size=thread_pool_size,
+                use_jump_host=use_jump_host,
+                internal=internal,
+            )
+        ),
+        ctx=ctx.obj,
+    )
+
+
 def get_integration_cli_meta() -> dict[str, IntegrationMeta]:
     """
     returns all integrations known to cli.py via click introspection

reconcile/gql_definitions/automated_actions/instance.py

@@ -0,0 +1,204 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+from reconcile.gql_definitions.fragments.oc_connection_cluster import OcConnectionCluster
+
+
+DEFINITION = """
+fragment CommonJumphostFields on ClusterJumpHost_v1 {
+  hostname
+  knownHosts
+  user
+  port
+  remotePort
+  identity {
+    ... VaultSecret
+  }
+}
+
+fragment OcConnectionCluster on Cluster_v1 {
+  name
+  serverUrl
+  internal
+  insecureSkipTLSVerify
+  jumpHost {
+    ...CommonJumphostFields
+  }
+  automationToken {
+    ...VaultSecret
+  }
+  clusterAdminAutomationToken {
+    ...VaultSecret
+  }
+  disable {
+    integrations
+  }
+}
+
+fragment VaultSecret on VaultSecret_v1 {
+    path
+    field
+    version
+    format
+}
+
+query AutomatedActionsInstances {
+  automated_actions_instances_v1 {
+    name
+    deployment {
+      name
+      clusterAdmin
+      delete
+      cluster {
+        ...OcConnectionCluster
+      }
+    }
+    permissions {
+      roles {
+        name
+        users {
+          org_username
+        }
+        bots {
+          org_username
+        }
+        expirationDate
+      }
+
+      action {
+        operationId
+        retries
+        maxOps
+      }
+
+      arguments {
+        type
+        ... on AutomatedActionArgumentOpenshift_v1 {
+          namespace {
+            name
+            delete
+            cluster {
+              name
+              disable {
+                integrations
+              }
+            }
+          }
+          kind_pattern
+          name_pattern
+        }
+      }
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class NamespaceV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    cluster_admin: Optional[bool] = Field(..., alias="clusterAdmin")
+    delete: Optional[bool] = Field(..., alias="delete")
+    cluster: OcConnectionCluster = Field(..., alias="cluster")
+
+
+class UserV1(ConfiguredBaseModel):
+    org_username: str = Field(..., alias="org_username")
+
+
+class BotV1(ConfiguredBaseModel):
+    org_username: Optional[str] = Field(..., alias="org_username")
+
+
+class RoleV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    users: list[UserV1] = Field(..., alias="users")
+    bots: list[BotV1] = Field(..., alias="bots")
+    expiration_date: Optional[str] = Field(..., alias="expirationDate")
+
+
+class AutomatedActionV1(ConfiguredBaseModel):
+    operation_id: str = Field(..., alias="operationId")
+    retries: int = Field(..., alias="retries")
+    max_ops: int = Field(..., alias="maxOps")
+
+
+class AutomatedActionArgumentV1(ConfiguredBaseModel):
+    q_type: str = Field(..., alias="type")
+
+
+class DisableClusterAutomationsV1(ConfiguredBaseModel):
+    integrations: Optional[list[str]] = Field(..., alias="integrations")
+
+
+class AutomatedActionArgumentOpenshiftV1_NamespaceV1_ClusterV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    disable: Optional[DisableClusterAutomationsV1] = Field(..., alias="disable")
+
+
+class AutomatedActionArgumentOpenshiftV1_NamespaceV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    delete: Optional[bool] = Field(..., alias="delete")
+    cluster: AutomatedActionArgumentOpenshiftV1_NamespaceV1_ClusterV1 = Field(..., alias="cluster")
+
+
+class AutomatedActionArgumentOpenshiftV1(AutomatedActionArgumentV1):
+    namespace: AutomatedActionArgumentOpenshiftV1_NamespaceV1 = Field(..., alias="namespace")
+    kind_pattern: str = Field(..., alias="kind_pattern")
+    name_pattern: str = Field(..., alias="name_pattern")
+
+
+class PermissionAutomatedActionsV1(ConfiguredBaseModel):
+    roles: Optional[list[RoleV1]] = Field(..., alias="roles")
+    action: AutomatedActionV1 = Field(..., alias="action")
+    arguments: Optional[list[Union[AutomatedActionArgumentOpenshiftV1, AutomatedActionArgumentV1]]] = Field(..., alias="arguments")
+
+
+class AutomatedActionsInstanceV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    deployment: NamespaceV1 = Field(..., alias="deployment")
+    permissions: Optional[list[PermissionAutomatedActionsV1]] = Field(..., alias="permissions")
+
+
+class AutomatedActionsInstancesQueryData(ConfiguredBaseModel):
+    automated_actions_instances_v1: Optional[list[AutomatedActionsInstanceV1]] = Field(..., alias="automated_actions_instances_v1")
+
+
+def query(query_func: Callable, **kwargs: Any) -> AutomatedActionsInstancesQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        AutomatedActionsInstancesQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return AutomatedActionsInstancesQueryData(**raw_data)