qontract-reconcile 0.10.2.dev159__py3-none-any.whl → 0.10.2.dev161__py3-none-any.whl

{qontract_reconcile-0.10.2.dev159.dist-info → qontract_reconcile-0.10.2.dev161.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev159
+Version: 0.10.2.dev161
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev159.dist-info → qontract_reconcile-0.10.2.dev161.dist-info}/RECORD

@@ -10,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=O0JX2N5kNRKs3u2xzu4NNrI6p0ag5JWy3MTsv
 reconcile/aws_support_cases_sos.py,sha256=PDhilxQ4TBxVnxUPIUdTbKEaNUI0wzPiEsB91oHT2fY,3384
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=O1wFp52EyF538c6txaWBs8eMtUIy19gyHZ6VzJ6QXS8,3512
 reconcile/checkpoint.py,sha256=_JhMxrye5BgkRMxWYuf7Upli6XayPINKSsuo3ynHTRc,5010
-reconcile/cli.py,sha256=hwqPcZVmazrhzq1esPBk5jNHSzpfr7o9EmuuMqiPxfg,108430
+reconcile/cli.py,sha256=xyVnxNyq3IPISWwFlB9j4HAFjowXYv3EdsEGIMFhTy0,108438
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=al7m8EgnnYx90rY1REryW3byN_ItfJfAzEeLtjbCfi0,4921
 reconcile/cluster_deployment_mapper.py,sha256=5gumAaRCcFXsabUJ1dnuUy9WrP_FEEM5JnOnE8ch9sE,2326
 reconcile/dashdotdb_base.py,sha256=83ZWIf5JJk3P_D69y2TmXRcQr6ELJGlv10OM0h7fJVs,4767
@@ -22,7 +22,7 @@ reconcile/database_access_manager.py,sha256=Z3aAmw2LsmMIIor-bOGzziVZdVNC82Gmw8oH
 reconcile/deadmanssnitch.py,sha256=n-5W-djUgwzpmdDM4eQIZpkkDmHY0vndt-42LJXI4Y8,7491
 reconcile/email_sender.py,sha256=38Wvl6WHqCwlqLx4oxVJOIeDmoJsyitD3g1F4jTkAj8,4246
 reconcile/gabi_authorized_users.py,sha256=Jwvo97nzUX3NIl2VHKuZlT0-I40qk2VnACbafe91T2o,4854
-reconcile/gcr_mirror.py,sha256=cdTd0CZU0qUsXJqe5k4dgpMQlyk__nyeGH0f_Cky3C0,8957
+reconcile/gcp_image_mirror.py,sha256=M5pimd0j13BBWCa8vX0fftWO0pHBfQCATIIpOGggDSA,10332
 reconcile/github_org.py,sha256=Wc5cZamatuWsW2ZJT2ib5ps8l3iY3RXHwNUxVJerqz0,14173
 reconcile/github_owners.py,sha256=viE1KJ-zaTxuZ5yItg2C263J0brn-Q-3hR_DkYDMbhY,3122
 reconcile/github_repo_invites.py,sha256=U9UCzNVwrZ7MqODtFah8ogH0NNY-XjBin7G9gqHtCUY,2690
@@ -152,7 +152,7 @@ reconcile/aws_account_manager/utils.py,sha256=iYPPOtbZ7FiKkz9v5f1YXRIHw5YFOtSavU
 reconcile/aws_ami_cleanup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/aws_ami_cleanup/integration.py,sha256=KG7g9NpbKmoaveDD3oi9SinqUE29NaM-4lGo-6YuHlM,9302
 reconcile/aws_cloudwatch_log_retention/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/aws_cloudwatch_log_retention/integration.py,sha256=qVggTjGwP_6xTCXo2o3brSPtjwArNhZiGPy8YiBrCMM,7779
+reconcile/aws_cloudwatch_log_retention/integration.py,sha256=QY5EtCpcMN0TgOQInIDW65wT1YksMBFkK8aNK5cg-XA,8107
 reconcile/aws_saml_idp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/aws_saml_idp/integration.py,sha256=Z2JtUx2YIbkn0KVrVa2CoAErPB8vTykOOkWD_ZPoB94,6511
 reconcile/aws_saml_roles/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -227,7 +227,7 @@ reconcile/glitchtip_project_alerts/integration.py,sha256=BgMx-NyV9mTuv7Sotb2OioC
 reconcile/glitchtip_project_dsn/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/glitchtip_project_dsn/integration.py,sha256=2iugub-kHYkHNK33n0v9_TeWonuxCPah_VkoTPvaajE,8077
 reconcile/gql_definitions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/introspection.json,sha256=myUuHC_BLY3xZ0nDjnaQsvYFNM5eTiE3bWgNgM3e5iI,2290863
+reconcile/gql_definitions/introspection.json,sha256=wNGZv8V6ivviCcwPLw34nzTR5fgwKRyE68Z93HbmBBs,2296576
 reconcile/gql_definitions/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/acs_instances.py,sha256=L91WW9LbhJbBSrECqShQpFtjoBOsmNIYLRpMbx1io5o,2181
 reconcile/gql_definitions/acs/acs_policies.py,sha256=bN5i4mks10Z23KJSj7jqp966Osq2dps4d-sPH9gjxEA,7008
@@ -246,6 +246,8 @@ reconcile/gql_definitions/aws_account_manager/__init__.py,sha256=47DEQpj8HBSa-_T
 reconcile/gql_definitions/aws_account_manager/aws_accounts.py,sha256=vF51KrY2gwX0J9vESiaRMPQqdAMEtz9f_tBq52bInp0,5148
 reconcile/gql_definitions/aws_ami_cleanup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/aws_ami_cleanup/aws_accounts.py,sha256=jIgOa888MYLLvVsn1ir3nbkhWLG5T6dBg7oDnp1q8BI,4108
+reconcile/gql_definitions/aws_cloudwatch_log_retention/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/aws_cloudwatch_log_retention/aws_accounts.py,sha256=Am6y5LZIBncH9u7vwU48WRksnwGljpoS-xbP7MJA8-4,4976
 reconcile/gql_definitions/aws_saml_idp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/aws_saml_idp/aws_accounts.py,sha256=pR9Qm6P9Roe4OJaDXvfm8AcfkSSAtriQdlwLwW7UdUU,2666
 reconcile/gql_definitions/aws_saml_roles/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -333,6 +335,7 @@ reconcile/gql_definitions/fragments/aws_infra_management_account.py,sha256=uAmAL
 reconcile/gql_definitions/fragments/aws_vpc.py,sha256=T2egTwi2Rb0IRBBmsyag8xKpu_m6GbIAy80fhZNZwk8,1434
 reconcile/gql_definitions/fragments/aws_vpc_request.py,sha256=o0qUsPrFXs8GAbtgMXQmIJxc1mw5skSIzCcidE857g8,2460
 reconcile/gql_definitions/fragments/aws_vpc_request_subnet.py,sha256=qaTFT8cGzEslw51nUeb45Nfnv6kFxUm4CWrRR3xfBvA,760
+reconcile/gql_definitions/fragments/container_image_mirror.py,sha256=qyfQlnKUCzFEPgUJ9VGmDYFmiGHR7VZ_YJNd4KeoolM,968
 reconcile/gql_definitions/fragments/deplopy_resources.py,sha256=0u3xYqL5NpMf149BJLfPhHqAOWu06aLULdNk_2Mulxg,1089
 reconcile/gql_definitions/fragments/disable.py,sha256=Ojw98OSxcovrtmw_aAyhaVHhIa1MSUbBfKX4i2IpI74,715
 reconcile/gql_definitions/fragments/email_service.py,sha256=0wKpICsg4pcMfr2lszvnqbuPX7wVYoJ5cYFU2uQkHbY,803
@@ -353,6 +356,9 @@ reconcile/gql_definitions/fragments/terraform_state.py,sha256=S5QuTR9YlvUObiU7he
 reconcile/gql_definitions/fragments/upgrade_policy.py,sha256=cVza8zfra1E3yBsHiS-hKbys17fvv572GFnKshJjluE,1246
 reconcile/gql_definitions/fragments/user.py,sha256=TZyFEs1fBg5PkvWdyCxFDZ_3aRhcQzusfhObXFiOU_0,1025
 reconcile/gql_definitions/fragments/vault_secret.py,sha256=8xoQJNx1jKw_1yradq1iLEYWzuOHra1bEHHU7WHKxqo,833
+reconcile/gql_definitions/gcp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/gcp/gcp_docker_repos.py,sha256=HvNaJxQYNPBTDmk26cOUY5_C5oBfau4bdfuI-L1Vcps,3338
+reconcile/gql_definitions/gcp/gcp_projects.py,sha256=7LslYFSN2r8vYhYdi4s-zOkIrqpqyt4ayxbPNMie9M4,2108
 reconcile/gql_definitions/gitlab_members/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/gitlab_members/gitlab_instances.py,sha256=oYPvfiOsPTGHXQeSfxXvBuvJFrwp0VtE2F0lVKFQMoU,2206
 reconcile/gql_definitions/gitlab_members/permissions.py,sha256=Qzj3Fpv7xj8v9eygeP312nHRNg8er8XMRBveynPIyQM,3302
@@ -575,6 +581,7 @@ reconcile/typed_queries/vault.py,sha256=lkRsmobykorof3fcrIPLz-NgvAiSOWSOZc_jXBln
 reconcile/typed_queries/app_interface_metrics_exporter/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/typed_queries/app_interface_metrics_exporter/onboarding_status.py,sha256=X-N1WJGOL6OR9940P0_K4-YJzkL5Vg4favhYrBxXD9A,327
 reconcile/typed_queries/app_interface_metrics_exporter/terraform_repo.py,sha256=r-nJ5CucAOE_cwxnbVp5lmAAfHBG8t1h2tVmhviVYls,290
+reconcile/typed_queries/aws_cloudwatch_log_retention/aws_accounts.py,sha256=WiQ84vEZp-oYvD4CVZaFDYcMBn-pkO3slwsHIQxvHks,296
 reconcile/typed_queries/cost_report/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/typed_queries/cost_report/app_names.py,sha256=HMEMIqAbMyVQfoQ5YXTXE4xDt7FaXBRz0QIHnsIZC1c,478
 reconcile/typed_queries/cost_report/cost_namespaces.py,sha256=1GUjWXQj7U2djVHBPYcd8Cy2-enKXf0-GaplLi8JZw4,1178
@@ -797,7 +804,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=UfwwRLS5Ya4_Nh1w5n1dvoYtchQvYE9yj1VANt2IKqI,3925
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev159.dist-info/METADATA,sha256=xiCIKDXtULyvmvHhV2FclCguppmcLFNhWWsIwmKbsyU,24627
-qontract_reconcile-0.10.2.dev159.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev159.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev159.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev161.dist-info/METADATA,sha256=8F0IJKYcSCyZq47ZOd2Bn6zFBeo2I83momD5TwvCTSg,24627
+qontract_reconcile-0.10.2.dev161.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev161.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev161.dist-info/RECORD,,

reconcile/aws_cloudwatch_log_retention/integration.py

@@ -5,13 +5,22 @@ from collections import defaultdict
 from collections.abc import Iterable
 from datetime import UTC, datetime, timedelta
 from enum import Enum
-from typing import TYPE_CHECKING
+from typing import (
+    TYPE_CHECKING,
+)
 
 from botocore.exceptions import ClientError
 from pydantic import BaseModel
 
 from reconcile import queries
-from reconcile.queries import get_aws_accounts
+from reconcile.gql_definitions.aws_cloudwatch_log_retention.aws_accounts import (
+    AWSAccountCleanupOptionCloudWatchV1,
+    AWSAccountV1,
+)
+from reconcile.typed_queries.aws_cloudwatch_log_retention.aws_accounts import (
+    get_aws_accounts,
+)
+from reconcile.utils import gql
 from reconcile.utils.aws_api import AWSApi
 
 if TYPE_CHECKING:
@@ -39,31 +48,33 @@ DEFAULT_AWS_CLOUDWATCH_CLEANUP_OPTION = AWSCloudwatchCleanupOption(
 
 
 def get_desired_cleanup_options_by_region(
-    account: dict,
+    account: AWSAccountV1,
 ) -> dict[str, list[AWSCloudwatchCleanupOption]]:
-    default_region = account["resourcesDefaultRegion"]
+    default_region = account.resources_default_region
     result = defaultdict(list)
-    if cleanup := account.get("cleanup"):
-        for cleanup_option in cleanup:
-            if cleanup_option["provider"] == "cloudwatch":
-                region = cleanup_option.get("region") or default_region
-                result[region].append(
-                    AWSCloudwatchCleanupOption(
-                        regex=re.compile(cleanup_option["regex"]),
-                        retention_in_days=cleanup_option["retention_in_days"],
-                        delete_empty_log_group=bool(
-                            cleanup_option["delete_empty_log_group"]
-                        ),
-                    )
+    for cleanup_option in account.cleanup or []:
+        if isinstance(cleanup_option, AWSAccountCleanupOptionCloudWatchV1):
+            region = cleanup_option.region or default_region
+            result[region].append(
+                AWSCloudwatchCleanupOption(
+                    regex=re.compile(cleanup_option.regex),
+                    retention_in_days=cleanup_option.retention_in_days,
+                    delete_empty_log_group=bool(cleanup_option.delete_empty_log_group),
                 )
+            )
     if not result:
         result[default_region].append(DEFAULT_AWS_CLOUDWATCH_CLEANUP_OPTION)
     return result
 
 
-def create_awsapi_client(accounts: list, thread_pool_size: int) -> AWSApi:
+def create_awsapi_client(accounts: list[AWSAccountV1], thread_pool_size: int) -> AWSApi:
     settings = queries.get_secret_reader_settings()
-    return AWSApi(thread_pool_size, accounts, settings=settings, init_users=False)
+    return AWSApi(
+        thread_pool_size,
+        [account.dict(by_alias=True) for account in accounts],
+        settings=settings,
+        init_users=False,
+    )
 
 
 def is_empty(log_group: LogGroupTypeDef) -> bool:
@@ -192,10 +203,10 @@ def _find_desired_cleanup_option(
 
 def _reconcile_log_groups(
     dry_run: bool,
-    aws_account: dict,
+    aws_account: AWSAccountV1,
     awsapi: AWSApi,
 ) -> None:
-    account_name = aws_account["name"]
+    account_name = aws_account.name
     desired_cleanup_options_by_region = get_desired_cleanup_options_by_region(
         aws_account
     )
@@ -230,12 +241,15 @@ def _reconcile_log_groups(
             )
 
 
-def get_active_aws_accounts() -> list[dict]:
+def get_active_aws_accounts() -> list[AWSAccountV1]:
     return [
-        a
-        for a in get_aws_accounts(cleanup=True)
-        if "aws-cloudwatch-log-retention"
-        not in (a.get("disable") or {}).get("integrations", [])
+        account
+        for account in get_aws_accounts(gql.get_api())
+        if not (
+            account.disable
+            and account.disable.integrations
+            and "aws-cloudwatch-log-retention" in account.disable.integrations
+        )
     ]
 
 

reconcile/cli.py

@@ -1849,15 +1849,13 @@ def quay_membership(ctx):
     run_integration(reconcile.quay_membership, ctx.obj)
 
 
-@integration.command(
-    short_help="Mirrors external images into Google Container Registry."
-)
+@integration.command(short_help="Mirrors external images into GCP Artifact Registry.")
 @click.pass_context
 @binary(["skopeo"])
-def gcr_mirror(ctx):
-    import reconcile.gcr_mirror
+def gcp_image_mirror(ctx):
+    import reconcile.gcp_image_mirror
 
-    run_integration(reconcile.gcr_mirror, ctx.obj)
+    run_integration(reconcile.gcp_image_mirror, ctx.obj)
 
 
 @integration.command(short_help="Mirrors external images into Quay.")

reconcile/gcp_image_mirror.py

@@ -0,0 +1,276 @@
+import base64
+import logging
+import os
+import re
+import tempfile
+import time
+from typing import Any, Self
+
+import requests
+from pydantic import BaseModel
+from sretoolbox.container import (
+    Image,
+    Skopeo,
+)
+from sretoolbox.container.image import ImageComparisonError
+from sretoolbox.container.skopeo import SkopeoCmdError
+
+import reconcile.gql_definitions.gcp.gcp_docker_repos as gql_gcp_repos
+import reconcile.gql_definitions.gcp.gcp_projects as gql_gcp_projects
+from reconcile import queries
+from reconcile.gql_definitions.fragments.container_image_mirror import (
+    ContainerImageMirror,
+)
+from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
+from reconcile.utils import gql
+from reconcile.utils.secret_reader import SecretReader
+
+QONTRACT_INTEGRATION = "gcp-image-mirror"
+REQUEST_TIMEOUT = 60
+GCR_SECRET_PREFIX = "gcr_"
+AR_SECRET_PREFIX = "ar_"
+
+
+class ImageSyncItem(BaseModel):
+    mirror: ContainerImageMirror
+    destination_url: str
+    org_name: str
+
+
+class SyncTask(BaseModel):
+    mirror_creds: str | None = None
+    source_url: str
+    dest_url: str
+    org_name: str
+
+
+class QuayMirror:
+    def __init__(self, dry_run: bool = False) -> None:
+        self.dry_run = dry_run
+        self.gqlapi = gql.get_api()
+        settings = queries.get_app_interface_settings()
+        self.secret_reader = SecretReader(settings=settings)
+        self.skopeo_cli = Skopeo(dry_run)
+        self.push_creds = self._get_push_creds()
+        self.session = requests.Session()
+
+    def __enter__(self) -> Self:
+        return self
+
+    def __exit__(self, exc_type: Any, exc_value: Any, traceback: Any) -> None:
+        self.session.close()
+
+    def run(self) -> None:
+        gql_result = gql_gcp_repos.query(query_func=self.gqlapi.query)
+        processed_repos = self.process_repos_to_sync(gql_result)
+        sync_tasks = self.process_sync_tasks(processed_repos)
+
+        for task in sync_tasks:
+            try:
+                dest_creds = self.push_creds[f"{GCR_SECRET_PREFIX}{task.org_name}"]
+                if "pkg.dev" in task.dest_url:
+                    dest_creds = self.push_creds[f"{AR_SECRET_PREFIX}{task.org_name}"]
+
+                self.skopeo_cli.copy(
+                    src_image=task.source_url,
+                    src_creds=task.mirror_creds,
+                    dst_image=task.dest_url,
+                    dest_creds=dest_creds,
+                )
+            except SkopeoCmdError as details:
+                logging.error("[%s]", details)
+
+    # processes the GQL repos to come up with a list of items that need to be synced
+    def process_repos_to_sync(
+        self, repos: gql_gcp_repos.GcpDockerReposQueryData
+    ) -> list[ImageSyncItem]:
+        summary = list[ImageSyncItem]()
+        if repos.apps:
+            for app in repos.apps:
+                if app.gcr_repos:
+                    for gcr_project in app.gcr_repos:
+                        for gcr_repo in gcr_project.items:
+                            if gcr_repo.mirror:
+                                project_name = gcr_project.project.name
+                                summary.append(
+                                    ImageSyncItem(
+                                        mirror=gcr_repo.mirror,
+                                        destination_url=f"gcr.io/{project_name}/{gcr_repo.name}",
+                                        org_name=project_name,
+                                    )
+                                )
+                if app.artifact_registry_mirrors:
+                    for ar_project in app.artifact_registry_mirrors:
+                        for ar_repo in ar_project.items:
+                            summary.append(
+                                ImageSyncItem(
+                                    mirror=ar_repo.mirror,
+                                    destination_url=ar_repo.image_url,
+                                    org_name=ar_project.project.name,
+                                )
+                            )
+
+        return summary
+
+    @staticmethod
+    def sync_tag(
+        tags: list[str] | None, tags_exclude: list[str] | None, candidate: str
+    ) -> bool:
+        if tags is not None:
+            # When tags is defined, we don't look at tags_exclude
+            return any(re.match(tag, candidate) for tag in tags)
+
+        if tags_exclude is not None:
+            return any(re.match(tag, candidate) for tag in tags_exclude)
+            for tag_exclude in tags_exclude:
+                if re.match(tag_exclude, candidate):
+                    return False
+            return True
+
+        # Both tags and tags_exclude are None, so
+        # tag must be synced
+        return True
+
+    # second layer of processing that matches up pull/push creds with each repo and determines what tags need to be synced
+    def process_sync_tasks(self, repos_to_sync: list[ImageSyncItem]) -> list[SyncTask]:
+        eight_hours = 28800  # 60 * 60 * 8
+        is_deep_sync = self._is_deep_sync(interval=eight_hours)
+
+        sync_tasks = list[SyncTask]()
+        for item in repos_to_sync:
+            image = Image(
+                f"{item.destination_url}",
+                session=self.session,
+                timeout=REQUEST_TIMEOUT,
+            )
+
+            mirror_url = item.mirror.url
+
+            username = None
+            password = None
+            mirror_creds = None
+            pull_credentials = item.mirror.pull_credentials
+            if pull_credentials:
+                raw_data = self.secret_reader.read_all(pull_credentials.dict())
+                username = raw_data["user"]
+                password = raw_data["token"]
+                mirror_creds = f"{username}:{password}"
+
+            image_mirror = Image(
+                mirror_url,
+                username=username,
+                password=password,
+                session=self.session,
+                timeout=REQUEST_TIMEOUT,
+            )
+
+            for tag in image_mirror:
+                if not self.sync_tag(
+                    tags=item.mirror.tags,
+                    tags_exclude=item.mirror.tags_exclude,
+                    candidate=tag,
+                ):
+                    continue
+
+                # the Image class allows you to fetch Image information at a specific tag with a get operator
+                upstream = image_mirror[tag]
+                downstream = image[tag]
+                if tag not in image:
+                    logging.debug(
+                        f"Image {image.image}: {downstream} and mirror {upstream} are out of sync"
+                    )
+                    sync_tasks.append(
+                        SyncTask(
+                            source_url=str(upstream),
+                            mirror_creds=mirror_creds,
+                            dest_url=str(downstream),
+                            org_name=item.org_name,
+                        )
+                    )
+                    continue
+
+                # Deep (slow) check only in non dry-run mode
+                if self.dry_run:
+                    logging.debug(
+                        f"Image {image.image}: {downstream} and mirror {upstream} are in sync"
+                    )
+                    continue
+
+                # Deep (slow) check only from time to time
+                if not is_deep_sync:
+                    logging.debug(
+                        f"Image {image.image}: {downstream} and mirror {upstream} are in sync"
+                    )
+                    continue
+
+                try:
+                    if downstream == upstream:
+                        logging.debug(
+                            f"Image {image.image}: {downstream} and mirror {upstream} are in sync",
+                        )
+                        continue
+                except ImageComparisonError as details:
+                    logging.error("[%s]", details)
+                    continue
+
+                logging.debug(
+                    f"Image {image.image}: {downstream} and mirror {upstream} are out of sync"
+                )
+                sync_tasks.append(
+                    SyncTask(
+                        source_url=str(upstream),
+                        mirror_creds=mirror_creds,
+                        dest_url=str(downstream),
+                        org_name=item.org_name,
+                    )
+                )
+
+        return sync_tasks
+
+    def _is_deep_sync(self, interval: int) -> bool:
+        control_file_name = "qontract-reconcile-gcp-image-mirror.timestamp"
+        control_file_path = os.path.join(tempfile.gettempdir(), control_file_name)
+        try:
+            with open(control_file_path, encoding="locale") as file_obj:
+                last_deep_sync = float(file_obj.read())
+        except FileNotFoundError:
+            self._record_timestamp(control_file_path)
+            return True
+
+        next_deep_sync = last_deep_sync + interval
+        if time.time() >= next_deep_sync:
+            self._record_timestamp(control_file_path)
+            return True
+
+        return False
+
+    def _decode_push_secret(self, secret: VaultSecret) -> str:
+        raw_data = self.secret_reader.read_all(secret.dict())
+        token = base64.b64decode(raw_data["token"]).decode()
+        return f"{raw_data['user']}:{token}"
+
+    @staticmethod
+    def _record_timestamp(path: str) -> None:
+        with open(path, "w", encoding="locale") as file_object:
+            file_object.write(str(time.time()))
+
+    def _get_push_creds(self) -> dict[str, str]:
+        result = gql_gcp_projects.query(query_func=self.gqlapi.query)
+
+        creds = dict[str, str]()
+        if result.gcp_projects:
+            for project_data in result.gcp_projects:
+                # support old pull secret for backwards compatibility (although they are both using artifact registry on the backend)
+                if project_data.gcr_push_credentials:
+                    creds[f"{GCR_SECRET_PREFIX}{project_data.name}"] = (
+                        self._decode_push_secret(project_data.gcr_push_credentials)
+                    )
+                creds[f"{AR_SECRET_PREFIX}{project_data.name}"] = (
+                    self._decode_push_secret(project_data.artifact_push_credentials)
+                )
+        return creds
+
+
+def run(dry_run: bool) -> None:
+    with QuayMirror(dry_run) as gcp_image_mirror:
+        gcp_image_mirror.run()

reconcile/gql_definitions/aws_cloudwatch_log_retention/aws_accounts.py

@@ -0,0 +1,158 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+
+DEFINITION = """
+query AWSAccountsCloudwatchLogRetentionCleanup {
+  accounts: awsaccounts_v1
+  {
+    path
+    name
+    uid
+    terraformUsername
+    consoleUrl
+    resourcesDefaultRegion
+    supportedDeploymentRegions
+    providerVersion
+    accountOwners {
+      name
+      email
+    }
+    automationToken {
+      path
+      field
+      version
+      format
+    }
+    garbageCollection
+    enableDeletion
+    deletionApprovals {
+      type
+      name
+      expiration
+    }
+    disable {
+      integrations
+    }
+    deleteKeys
+    premiumSupport
+    ecrs {
+      region
+    }
+    partition
+    cleanup {
+      provider
+      ... on AWSAccountCleanupOptionCloudWatch_v1 {
+        regex
+        retention_in_days
+        delete_empty_log_group
+        region
+      }
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class OwnerV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    email: str = Field(..., alias="email")
+
+
+class VaultSecretV1(ConfiguredBaseModel):
+    path: str = Field(..., alias="path")
+    field: str = Field(..., alias="field")
+    version: Optional[int] = Field(..., alias="version")
+    q_format: Optional[str] = Field(..., alias="format")
+
+
+class DeletionApprovalV1(ConfiguredBaseModel):
+    q_type: str = Field(..., alias="type")
+    name: str = Field(..., alias="name")
+    expiration: str = Field(..., alias="expiration")
+
+
+class DisableClusterAutomationsV1(ConfiguredBaseModel):
+    integrations: Optional[list[str]] = Field(..., alias="integrations")
+
+
+class AWSECRV1(ConfiguredBaseModel):
+    region: str = Field(..., alias="region")
+
+
+class AWSAccountCleanupOptionV1(ConfiguredBaseModel):
+    provider: str = Field(..., alias="provider")
+
+
+class AWSAccountCleanupOptionCloudWatchV1(AWSAccountCleanupOptionV1):
+    regex: str = Field(..., alias="regex")
+    retention_in_days: int = Field(..., alias="retention_in_days")
+    delete_empty_log_group: Optional[bool] = Field(..., alias="delete_empty_log_group")
+    region: Optional[str] = Field(..., alias="region")
+
+
+class AWSAccountV1(ConfiguredBaseModel):
+    path: str = Field(..., alias="path")
+    name: str = Field(..., alias="name")
+    uid: str = Field(..., alias="uid")
+    terraform_username: Optional[str] = Field(..., alias="terraformUsername")
+    console_url: str = Field(..., alias="consoleUrl")
+    resources_default_region: str = Field(..., alias="resourcesDefaultRegion")
+    supported_deployment_regions: Optional[list[str]] = Field(..., alias="supportedDeploymentRegions")
+    provider_version: str = Field(..., alias="providerVersion")
+    account_owners: list[OwnerV1] = Field(..., alias="accountOwners")
+    automation_token: VaultSecretV1 = Field(..., alias="automationToken")
+    garbage_collection: Optional[bool] = Field(..., alias="garbageCollection")
+    enable_deletion: Optional[bool] = Field(..., alias="enableDeletion")
+    deletion_approvals: Optional[list[DeletionApprovalV1]] = Field(..., alias="deletionApprovals")
+    disable: Optional[DisableClusterAutomationsV1] = Field(..., alias="disable")
+    delete_keys: Optional[list[str]] = Field(..., alias="deleteKeys")
+    premium_support: bool = Field(..., alias="premiumSupport")
+    ecrs: Optional[list[AWSECRV1]] = Field(..., alias="ecrs")
+    partition: Optional[str] = Field(..., alias="partition")
+    cleanup: Optional[list[Union[AWSAccountCleanupOptionCloudWatchV1, AWSAccountCleanupOptionV1]]] = Field(..., alias="cleanup")
+
+
+class AWSAccountsCloudwatchLogRetentionCleanupQueryData(ConfiguredBaseModel):
+    accounts: Optional[list[AWSAccountV1]] = Field(..., alias="accounts")
+
+
+def query(query_func: Callable, **kwargs: Any) -> AWSAccountsCloudwatchLogRetentionCleanupQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        AWSAccountsCloudwatchLogRetentionCleanupQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return AWSAccountsCloudwatchLogRetentionCleanupQueryData(**raw_data)