qontract-reconcile 0.10.2.dev203__py3-none-any.whl → 0.10.2.dev205__py3-none-any.whl

{qontract_reconcile-0.10.2.dev203.dist-info → qontract_reconcile-0.10.2.dev205.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev203
+Version: 0.10.2.dev205
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev203.dist-info → qontract_reconcile-0.10.2.dev205.dist-info}/RECORD

@@ -9,7 +9,7 @@ reconcile/aws_iam_password_reset.py,sha256=O0JX2N5kNRKs3u2xzu4NNrI6p0ag5JWy3MTsv
 reconcile/aws_support_cases_sos.py,sha256=PDhilxQ4TBxVnxUPIUdTbKEaNUI0wzPiEsB91oHT2fY,3384
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=O1wFp52EyF538c6txaWBs8eMtUIy19gyHZ6VzJ6QXS8,3512
 reconcile/checkpoint.py,sha256=_JhMxrye5BgkRMxWYuf7Upli6XayPINKSsuo3ynHTRc,5010
-reconcile/cli.py,sha256=-WTtuEtxDuHdZ-GIGtklu4p6r8YdR7QfRqdK6rHl2gY,108163
+reconcile/cli.py,sha256=e11ElvZwncpUcx3AwxajGLUfrLuAWm_4fOy_jPMm_oM,108741
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=al7m8EgnnYx90rY1REryW3byN_ItfJfAzEeLtjbCfi0,4921
 reconcile/cluster_deployment_mapper.py,sha256=5gumAaRCcFXsabUJ1dnuUy9WrP_FEEM5JnOnE8ch9sE,2326
 reconcile/dashdotdb_base.py,sha256=83ZWIf5JJk3P_D69y2TmXRcQr6ELJGlv10OM0h7fJVs,4767
@@ -72,6 +72,7 @@ reconcile/openshift_prometheus_rules.py,sha256=onowXab248zmHH8SbYDTc1W1bl7JiqRFU
 reconcile/openshift_resourcequotas.py,sha256=yUi56PiOn3inMMfq_x_FEHmaW-reGipzoorjdar372g,2415
 reconcile/openshift_resources.py,sha256=I2nO_C37mG3rfyGrd4cGwN3mVseVGuTAHAyhFzLyqF4,1518
 reconcile/openshift_resources_base.py,sha256=3HudPdM7EE0HNWUn1eu0O20Ij25fqGisaDBMVvTk1fk,41768
+reconcile/openshift_rhcs_certs.py,sha256=lP0GwKMRl8YBzxrwdbBOxrPqIPYNmu2KkZPGzWKyRVU,9859
 reconcile/openshift_rolebindings.py,sha256=9mlJ2FjWUoH-rsjtasreA_hV-K5Z_YR00qR_RR60OZM,6555
 reconcile/openshift_routes.py,sha256=fXvuPSjcjVw1X3j2EQvUAdbOepmIFdKk-M3qP8QzPiw,1075
 reconcile/openshift_saas_deploy.py,sha256=T1dvb9zajisaJNjbnR6-AZHU-itscHtr4oCqLj8KCK0,13037
@@ -226,7 +227,7 @@ reconcile/glitchtip_project_alerts/integration.py,sha256=BgMx-NyV9mTuv7Sotb2OioC
 reconcile/glitchtip_project_dsn/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/glitchtip_project_dsn/integration.py,sha256=2iugub-kHYkHNK33n0v9_TeWonuxCPah_VkoTPvaajE,8077
 reconcile/gql_definitions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/introspection.json,sha256=JiCvliRsiUfBN70aVfZ4JcW6qKXRtgHGiVmoWd7B_GI,2327754
+reconcile/gql_definitions/introspection.json,sha256=oYlYgYdUjLtUwu9mJA-bh1y6BTTlWgVhL07N-9_9Du0,2335501
 reconcile/gql_definitions/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/acs_instances.py,sha256=L91WW9LbhJbBSrECqShQpFtjoBOsmNIYLRpMbx1io5o,2181
 reconcile/gql_definitions/acs/acs_policies.py,sha256=Ygpfl2-VkYLSlJvHgp_dJBfb66K_Rwfdfpsa18w1v1s,4338
@@ -295,6 +296,7 @@ reconcile/gql_definitions/common/pipeline_providers.py,sha256=9rpsqPuvj82B4ki56x
 reconcile/gql_definitions/common/quay_instances.py,sha256=toBkdYYVTmEafezAHZKgaW-mQ29xEW6jeronzsAlNyI,1786
 reconcile/gql_definitions/common/quay_orgs.py,sha256=NhA8kqvVUDbrsryEvEL5mlIv5R3T4XNhSRXtfL_yptY,1788
 reconcile/gql_definitions/common/reserved_networks.py,sha256=yP9qSQCaSQcva-ZgTnZp09qH27ur5_qK080ToIs04MY,2560
+reconcile/gql_definitions/common/rhcs_provider_settings.py,sha256=88NwWT1kmbysze_w4YT6kiOYU2StDHHP6QRQXnPlpmQ,2057
 reconcile/gql_definitions/common/saas_files.py,sha256=d1L_S5LgCMa4QuAqZGQYTWb5L_nPCOxSEjU4O__OeBU,17728
 reconcile/gql_definitions/common/saas_target_namespaces.py,sha256=4VYP2VbwY8WVwtSFk2-jsUNhSmRD3X4FWKxetOKvmd0,2835
 reconcile/gql_definitions/common/saasherder_settings.py,sha256=nqQLcMwYxLseqq0BEcVvmrpIj2eQq0h8XDSpLN6GGCw,1793
@@ -401,6 +403,8 @@ reconcile/gql_definitions/openshift_serviceaccount_tokens/__init__.py,sha256=47D
 reconcile/gql_definitions/openshift_serviceaccount_tokens/tokens.py,sha256=FeraeQThHl2UbhTuCPDwm3ltczF_jfZn5E3Squ8-znw,3313
 reconcile/gql_definitions/quay_membership/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/quay_membership/quay_membership.py,sha256=MKBkrE-1YYelaAAxOdpqUwCo45kOVC8q29vXArqK_zM,3075
+reconcile/gql_definitions/rhcs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/rhcs/certs.py,sha256=8ba9GZVY70ppekuxrMjE4wm6WqcMW2IFawjhWvxHrmI,4677
 reconcile/gql_definitions/rhidp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/rhidp/organizations.py,sha256=dW9y3ewFu3E-DFrZAi_SEewHYR0MWYeOB52vwnVcq5E,2580
 reconcile/gql_definitions/service_dependencies/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -571,6 +575,7 @@ reconcile/typed_queries/pagerduty_instances.py,sha256=zxCNxMak4iikryePaRi71lTADV
 reconcile/typed_queries/quay.py,sha256=3IMy9jjHF2f9t47EXZOQVA3p0nFkWFhaFhxhvib-71o,644
 reconcile/typed_queries/repos.py,sha256=8A93dKDt6igT4ClqMjt7YUTsoP4qh1Wnm0W3xsMgj48,824
 reconcile/typed_queries/reserved_networks.py,sha256=XY9y3amtIQT0n06O0Toubqr_UmylJ2ELAv9-BJCK890,345
+reconcile/typed_queries/rhcs_provider_settings.py,sha256=fxD84CPCiH25_qc02p48LOIJHv39Wlc1VwOhs9ZVsKk,743
 reconcile/typed_queries/saas_files.py,sha256=SOE36sWPBcuaRmEaNxXCQZMQdJiUZX8_A92o42XwHQA,14141
 reconcile/typed_queries/slack.py,sha256=r30lspctHloyygPn8_DVybxPwUWwiBpvBRRXiTVcQYk,251
 reconcile/typed_queries/slo_documents.py,sha256=YMdox_-lBRqrdxamPhdnUlRTY_Ro35ptsupq7OaynUQ,362
@@ -658,6 +663,7 @@ reconcile/utils/quay_mirror.py,sha256=dpWCNv5lITwIk6Q9RkmqaQKHNk_JPy27UQEribJ7E-
 reconcile/utils/raw_github_api.py,sha256=2WKtE8ABYYB9UGOAh9N_kLkksBWL3320Z2_scteZddI,2805
 reconcile/utils/repo_owners.py,sha256=P0QX6F0oB8wYA08yiyzhYUiBtU57iIK_PsxbzKENbKM,6571
 reconcile/utils/rest_api_base.py,sha256=MT7tp6CQO2S5aKfVOzw_hipWg7wAGoOqkm4qurI1hEU,4342
+reconcile/utils/rhcsv2_certs.py,sha256=ZnlUlEI2k6UrljGarkm1ey0znMlQtjeZB7VEfCH1A64,2545
 reconcile/utils/ruamel.py,sha256=FzL4_L0FnMOUZmgThrZSMJs5MTdXwiy-E9MZWfk8bh8,397
 reconcile/utils/secret_reader.py,sha256=MaP56KZaAE35EyYbgAitdm6fUSxdzWeGFSOym9qiZkw,10206
 reconcile/utils/semver_helper.py,sha256=-WfPOMSA2v1h7hT3PwVf-Htg7wOsoKlQC1JdmDX2Ars,1268
@@ -809,7 +815,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=UfwwRLS5Ya4_Nh1w5n1dvoYtchQvYE9yj1VANt2IKqI,3925
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev203.dist-info/METADATA,sha256=jLhZJ7x1qlr15Wil2EAOm2Aq2kAZBKMRm6RgIQhGAoM,24555
-qontract_reconcile-0.10.2.dev203.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev203.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev203.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev205.dist-info/METADATA,sha256=Nk9aLZ_YnzuvFX0u_RJVWxJUztk3TT6ko7ANo6xbEgo,24555
+qontract_reconcile-0.10.2.dev205.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev205.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev205.dist-info/RECORD,,

reconcile/cli.py

@@ -1739,6 +1739,27 @@ def openshift_vault_secrets(
     )
 
 
+@integration.command(short_help="Manages OpenShift Secrets for RHCS certificates")
+@threaded()
+@binary(["oc", "ssh"])
+@binary_version("oc", ["version", "--client"], OC_VERSION_REGEX, OC_VERSIONS)
+@internal()
+@use_jump_host()
+@cluster_name
+@click.pass_context
+def openshift_rhcs_certs(ctx, thread_pool_size, internal, use_jump_host, cluster_name):
+    import reconcile.openshift_rhcs_certs
+
+    run_integration(
+        reconcile.openshift_rhcs_certs,
+        ctx.obj,
+        thread_pool_size,
+        internal,
+        use_jump_host,
+        cluster_name=cluster_name,
+    )
+
+
 @integration.command(short_help="Manages OpenShift Routes.")
 @threaded()
 @binary(["oc", "ssh"])

reconcile/gql_definitions/common/rhcs_provider_settings.py

@@ -0,0 +1,70 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+
+DEFINITION = """
+query RhcsProviderSettings {
+  settings: app_interface_settings_v1 {
+    rhcsProvider {
+      issuerUrl
+      vaultBasePath
+      caCertUrl
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class RhcsProviderSettingsV1(ConfiguredBaseModel):
+    issuer_url: str = Field(..., alias="issuerUrl")
+    vault_base_path: str = Field(..., alias="vaultBasePath")
+    ca_cert_url: str = Field(..., alias="caCertUrl")
+
+
+class AppInterfaceSettingsV1(ConfiguredBaseModel):
+    rhcs_provider: Optional[RhcsProviderSettingsV1] = Field(..., alias="rhcsProvider")
+
+
+class RhcsProviderSettingsQueryData(ConfiguredBaseModel):
+    settings: Optional[list[AppInterfaceSettingsV1]] = Field(..., alias="settings")
+
+
+def query(query_func: Callable, **kwargs: Any) -> RhcsProviderSettingsQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        RhcsProviderSettingsQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return RhcsProviderSettingsQueryData(**raw_data)

reconcile/gql_definitions/introspection.json

@@ -4362,6 +4362,18 @@
                             },
                             "isDeprecated": false,
                             "deprecationReason": null
+                        },
+                        {
+                            "name": "rhcsProvider",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "OBJECT",
+                                "name": "RhcsProviderSettings_v1",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
                         }
                     ],
                     "inputFields": null,
@@ -24806,6 +24818,11 @@
                             "name": "NamespaceOpenshiftResourceResourceTemplate_v1",
                             "ofType": null
                         },
+                        {
+                            "kind": "OBJECT",
+                            "name": "NamespaceOpenshiftResourceRhcsCert_v1",
+                            "ofType": null
+                        },
                         {
                             "kind": "OBJECT",
                             "name": "NamespaceOpenshiftResourceRoute_v1",
@@ -26558,6 +26575,65 @@
                     "enumValues": null,
                     "possibleTypes": null
                 },
+                {
+                    "kind": "OBJECT",
+                    "name": "RhcsProviderSettings_v1",
+                    "description": null,
+                    "fields": [
+                        {
+                            "name": "issuerUrl",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "NON_NULL",
+                                "name": null,
+                                "ofType": {
+                                    "kind": "SCALAR",
+                                    "name": "String",
+                                    "ofType": null
+                                }
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
+                        {
+                            "name": "vaultBasePath",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "NON_NULL",
+                                "name": null,
+                                "ofType": {
+                                    "kind": "SCALAR",
+                                    "name": "String",
+                                    "ofType": null
+                                }
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
+                        {
+                            "name": "caCertUrl",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "NON_NULL",
+                                "name": null,
+                                "ofType": {
+                                    "kind": "SCALAR",
+                                    "name": "String",
+                                    "ofType": null
+                                }
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        }
+                    ],
+                    "inputFields": null,
+                    "interfaces": [],
+                    "enumValues": null,
+                    "possibleTypes": null
+                },
                 {
                     "kind": "OBJECT",
                     "name": "AppInterfaceEmail_v1",
@@ -40971,6 +41047,111 @@
                     "enumValues": null,
                     "possibleTypes": null
                 },
+                {
+                    "kind": "OBJECT",
+                    "name": "NamespaceOpenshiftResourceRhcsCert_v1",
+                    "description": null,
+                    "fields": [
+                        {
+                            "name": "provider",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "NON_NULL",
+                                "name": null,
+                                "ofType": {
+                                    "kind": "SCALAR",
+                                    "name": "String",
+                                    "ofType": null
+                                }
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
+                        {
+                            "name": "secret_name",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "NON_NULL",
+                                "name": null,
+                                "ofType": {
+                                    "kind": "SCALAR",
+                                    "name": "String",
+                                    "ofType": null
+                                }
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
+                        {
+                            "name": "service_account_name",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "NON_NULL",
+                                "name": null,
+                                "ofType": {
+                                    "kind": "SCALAR",
+                                    "name": "String",
+                                    "ofType": null
+                                }
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
+                        {
+                            "name": "service_account_password",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "NON_NULL",
+                                "name": null,
+                                "ofType": {
+                                    "kind": "OBJECT",
+                                    "name": "VaultSecret_v1",
+                                    "ofType": null
+                                }
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
+                        {
+                            "name": "auto_renew_threshold_days",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "Int",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
+                        {
+                            "name": "annotations",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "JSON",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        }
+                    ],
+                    "inputFields": null,
+                    "interfaces": [
+                        {
+                            "kind": "INTERFACE",
+                            "name": "NamespaceOpenshiftResource_v1",
+                            "ofType": null
+                        }
+                    ],
+                    "enumValues": null,
+                    "possibleTypes": null
+                },
                 {
                     "kind": "OBJECT",
                     "name": "NamespaceOpenshiftResourceRoute_v1",

reconcile/gql_definitions/rhcs/certs.py

@@ -0,0 +1,158 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+from reconcile.gql_definitions.fragments.jumphost_common_fields import CommonJumphostFields
+from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
+
+
+DEFINITION = """
+fragment CommonJumphostFields on ClusterJumpHost_v1 {
+  hostname
+  knownHosts
+  user
+  port
+  remotePort
+  identity {
+    ... VaultSecret
+  }
+}
+
+fragment VaultSecret on VaultSecret_v1 {
+    path
+    field
+    version
+    format
+}
+
+query RhcsCerts {
+  namespaces: namespaces_v1 {
+    name
+    delete
+    clusterAdmin
+    openshiftResources {
+      provider
+      ... on NamespaceOpenshiftResourceRhcsCert_v1 {
+        secret_name
+        service_account_name
+        service_account_password {
+          ... on VaultSecret_v1 {
+            path
+            field
+            version
+          }
+        }
+        auto_renew_threshold_days
+        annotations
+      }
+    }
+    cluster {
+      name
+      serverUrl
+      insecureSkipTLSVerify
+      jumpHost {
+        ... CommonJumphostFields
+      }
+      automationToken {
+        ... VaultSecret
+      }
+      clusterAdminAutomationToken {
+        ... VaultSecret
+      }
+      internal
+      disable {
+        integrations
+      }
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class NamespaceOpenshiftResourceV1(ConfiguredBaseModel):
+    provider: str = Field(..., alias="provider")
+
+
+class VaultSecretV1(ConfiguredBaseModel):
+    ...
+
+
+class VaultSecretV1_VaultSecretV1(VaultSecretV1):
+    path: str = Field(..., alias="path")
+    field: str = Field(..., alias="field")
+    version: Optional[int] = Field(..., alias="version")
+
+
+class NamespaceOpenshiftResourceRhcsCertV1(NamespaceOpenshiftResourceV1):
+    secret_name: str = Field(..., alias="secret_name")
+    service_account_name: str = Field(..., alias="service_account_name")
+    service_account_password: Union[VaultSecretV1_VaultSecretV1, VaultSecretV1] = Field(..., alias="service_account_password")
+    auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
+    annotations: Optional[Json] = Field(..., alias="annotations")
+
+
+class DisableClusterAutomationsV1(ConfiguredBaseModel):
+    integrations: Optional[list[str]] = Field(..., alias="integrations")
+
+
+class ClusterV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    server_url: str = Field(..., alias="serverUrl")
+    insecure_skip_tls_verify: Optional[bool] = Field(..., alias="insecureSkipTLSVerify")
+    jump_host: Optional[CommonJumphostFields] = Field(..., alias="jumpHost")
+    automation_token: Optional[VaultSecret] = Field(..., alias="automationToken")
+    cluster_admin_automation_token: Optional[VaultSecret] = Field(..., alias="clusterAdminAutomationToken")
+    internal: Optional[bool] = Field(..., alias="internal")
+    disable: Optional[DisableClusterAutomationsV1] = Field(..., alias="disable")
+
+
+class NamespaceV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    delete: Optional[bool] = Field(..., alias="delete")
+    cluster_admin: Optional[bool] = Field(..., alias="clusterAdmin")
+    openshift_resources: Optional[list[Union[NamespaceOpenshiftResourceRhcsCertV1, NamespaceOpenshiftResourceV1]]] = Field(..., alias="openshiftResources")
+    cluster: ClusterV1 = Field(..., alias="cluster")
+
+
+class RhcsCertsQueryData(ConfiguredBaseModel):
+    namespaces: Optional[list[NamespaceV1]] = Field(..., alias="namespaces")
+
+
+def query(query_func: Callable, **kwargs: Any) -> RhcsCertsQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        RhcsCertsQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return RhcsCertsQueryData(**raw_data)

reconcile/openshift_rhcs_certs.py

@@ -0,0 +1,283 @@
+import logging
+import sys
+import time
+from collections.abc import Callable, Iterable, Mapping
+from typing import Any
+
+import reconcile.openshift_base as ob
+import reconcile.openshift_resources_base as orb
+from reconcile.gql_definitions.common.rhcs_provider_settings import (
+    RhcsProviderSettingsV1,
+)
+from reconcile.gql_definitions.rhcs.certs import (
+    NamespaceOpenshiftResourceRhcsCertV1,
+    NamespaceV1,
+)
+from reconcile.gql_definitions.rhcs.certs import (
+    query as rhcs_certs_query,
+)
+from reconcile.status import ExitCodes
+from reconcile.typed_queries.app_interface_vault_settings import (
+    get_app_interface_vault_settings,
+)
+from reconcile.typed_queries.rhcs_provider_settings import get_rhcs_provider_settings
+from reconcile.utils import gql, metrics
+from reconcile.utils.disabled_integrations import integration_is_enabled
+from reconcile.utils.metrics import GaugeMetric, normalize_integration_name
+from reconcile.utils.oc_map import init_oc_map_from_namespaces
+from reconcile.utils.openshift_resource import OpenshiftResource as OR
+from reconcile.utils.openshift_resource import (
+    ResourceInventory,
+    base64_encode_secret_field_value,
+)
+from reconcile.utils.rhcsv2_certs import RhcsV2Cert, generate_cert
+from reconcile.utils.runtime.integration import DesiredStateShardConfig
+from reconcile.utils.secret_reader import create_secret_reader
+from reconcile.utils.semver_helper import make_semver
+from reconcile.utils.vault import SecretNotFound, _VaultClient
+
+QONTRACT_INTEGRATION = "openshift-rhcs-certs"
+QONTRACT_INTEGRATION_VERSION = make_semver(1, 9, 3)
+PROVIDERS = ["rhcs-cert"]
+
+
+def desired_state_shard_config() -> DesiredStateShardConfig:
+    return DesiredStateShardConfig(
+        shard_arg_name="cluster_name",
+        shard_path_selectors={
+            "state.*.shard",
+        },
+        sharded_run_review=lambda proposal: len(proposal.proposed_shards) <= 2,
+    )
+
+
+class OpenshiftRhcsCertExpiration(GaugeMetric):
+    """Expiration timestamp of RHCS certificate stored in Vault."""
+
+    integration: str = normalize_integration_name(QONTRACT_INTEGRATION)
+    cert_name: str
+    cluster: str
+    namespace: str
+
+    @classmethod
+    def name(cls) -> str:
+        return "qontract_reconcile_rhcs_cert_expiration_timestamp"
+
+
+def get_namespaces_with_rhcs_certs(
+    query_func: Callable, cluster_name: Iterable[str] | None = None
+) -> list[NamespaceV1]:
+    return [
+        ns
+        for ns in rhcs_certs_query(query_func=query_func).namespaces or []
+        if integration_is_enabled(QONTRACT_INTEGRATION, ns.cluster)
+        and not bool(ns.delete)
+        and (not cluster_name or ns.cluster.name in cluster_name)
+        and any(
+            isinstance(r, NamespaceOpenshiftResourceRhcsCertV1)
+            for r in ns.openshift_resources or []
+        )
+    ]
+
+
+def construct_rhcs_cert_oc_secret(
+    secret_name: str, cert: Mapping[str, Any], annotations: Mapping[str, str]
+) -> OR:
+    body: dict[str, Any] = {
+        "apiVersion": "v1",
+        "kind": "Secret",
+        "type": "kubernetes.io/tls",
+        "metadata": {"name": secret_name, "annotations": annotations},
+    }
+    for k, v in cert.items():
+        v = base64_encode_secret_field_value(v)
+        body.setdefault("data", {})[k] = v
+    return OR(body, QONTRACT_INTEGRATION, QONTRACT_INTEGRATION_VERSION)
+
+
+def cert_expires_within_threshold(
+    ns: NamespaceV1,
+    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    vault_cert_secret: Mapping[str, Any],
+) -> bool:
+    auto_renew_threshold_days = cert_resource.auto_renew_threshold_days or 7
+    expires_in = int(vault_cert_secret["expiration_timestamp"]) - time.time()
+    threshold_in_seconds = 60 * 60 * 24 * auto_renew_threshold_days
+    if expires_in < threshold_in_seconds:
+        logging.info(
+            f"Existing cert expires within threshold: cluster='{ns.cluster.name}', namespace='{ns.name}', secret='{cert_resource.secret_name}', threshold='{auto_renew_threshold_days} days'"
+        )
+        return True
+    return False
+
+
+def get_vault_cert_secret(
+    ns: NamespaceV1,
+    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    vault: _VaultClient,
+    vault_base_path: str,
+) -> dict | None:
+    vault_cert_secret = None
+    try:
+        vault_cert_secret = vault.read_all({
+            "path": f"{vault_base_path}/{ns.cluster.name}/{ns.name}/{cert_resource.secret_name}"
+        })
+    except SecretNotFound:
+        logging.info(
+            f"No existing cert found for cluster='{ns.cluster.name}', namespace='{ns.name}', secret='{cert_resource.secret_name}''"
+        )
+    return vault_cert_secret
+
+
+def generate_vault_cert_secret(
+    dry_run: bool,
+    ns: NamespaceV1,
+    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    vault: _VaultClient,
+    vault_base_path: str,
+    issuer_url: str,
+    ca_cert_url: str,
+) -> dict:
+    logging.info(
+        f"Creating cert with service account credentials for '{cert_resource.service_account_name}'. cluster='{ns.cluster.name}', namespace='{ns.name}', secret='{cert_resource.secret_name}'"
+    )
+    sa_password = vault.read(cert_resource.service_account_password.dict())
+    if dry_run:
+        rhcs_cert = RhcsV2Cert(
+            certificate="PLACEHOLDER_CERT",
+            private_key="PLACEHOLDER_PRIVATE_KEY",
+            ca_cert="PLACEHOLDER_CA_CERT",
+            expiration_timestamp=int(time.time()),
+        )
+    else:
+        try:
+            rhcs_cert = generate_cert(
+                issuer_url, cert_resource.service_account_name, sa_password, ca_cert_url
+            )
+        except ValueError as e:
+            raise Exception(
+                f"Certificate generation failed using service account '{cert_resource.service_account_name}': {e}"
+            ) from None
+        logging.info(
+            f"Writing cert details to Vault at {vault_base_path}/{ns.cluster.name}/{ns.name}/{cert_resource.secret_name}"
+        )
+        vault.write(
+            secret={
+                "data": rhcs_cert.dict(by_alias=True),
+                "path": f"{vault_base_path}/{ns.cluster.name}/{ns.name}/{cert_resource.secret_name}",
+            },
+            decode_base64=False,
+        )
+    return rhcs_cert.dict(by_alias=True)
+
+
+def fetch_openshift_resource_for_cert_resource(
+    dry_run: bool,
+    ns: NamespaceV1,
+    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    vault: _VaultClient,
+    rhcs_settings: RhcsProviderSettingsV1,
+) -> OR:
+    vault_base_path = f"{rhcs_settings.vault_base_path}/{QONTRACT_INTEGRATION}"
+    vault_cert_secret = get_vault_cert_secret(ns, cert_resource, vault, vault_base_path)
+    if vault_cert_secret is None or cert_expires_within_threshold(
+        ns, cert_resource, vault_cert_secret
+    ):
+        vault_cert_secret = generate_vault_cert_secret(
+            dry_run,
+            ns,
+            cert_resource,
+            vault,
+            vault_base_path,
+            rhcs_settings.issuer_url,
+            rhcs_settings.ca_cert_url,
+        )
+
+    if not dry_run:
+        metrics.set_gauge(
+            OpenshiftRhcsCertExpiration(
+                cert_name=cert_resource.secret_name,
+                namespace=ns.name,
+                cluster=ns.cluster.name,
+            ),
+            int(vault_cert_secret["expiration_timestamp"]),
+        )
+
+    return construct_rhcs_cert_oc_secret(
+        secret_name=cert_resource.secret_name,
+        cert=vault_cert_secret,
+        annotations=cert_resource.annotations or {},
+    )
+
+
+def fetch_desired_state(
+    dry_run: bool,
+    namespaces: list[NamespaceV1],
+    ri: ResourceInventory,
+    query_func: Callable,
+) -> None:
+    vault = _VaultClient()
+    cert_provider = get_rhcs_provider_settings(query_func=query_func)
+
+    for ns in namespaces:
+        for cert_resource in ns.openshift_resources or []:
+            if isinstance(cert_resource, NamespaceOpenshiftResourceRhcsCertV1):
+                ri.add_desired_resource(
+                    cluster=ns.cluster.name,
+                    namespace=ns.name,
+                    resource=fetch_openshift_resource_for_cert_resource(
+                        dry_run,
+                        ns,
+                        cert_resource,
+                        vault,
+                        cert_provider,
+                    ),
+                )
+
+
+def run(
+    dry_run: bool,
+    thread_pool_size: int = 10,
+    internal: bool | None = None,
+    use_jump_host: bool = True,
+    cluster_name: Iterable[str] | None = None,
+) -> None:
+    gql_api = gql.get_api()
+    vault_settings = get_app_interface_vault_settings()
+    secret_reader = create_secret_reader(use_vault=vault_settings.vault)
+    namespaces = get_namespaces_with_rhcs_certs(gql_api.query, cluster_name)
+    if not namespaces:
+        logging.debug(
+            f"No rhcs-cert definitions found in app-interface for {cluster_name}"
+        )
+        sys.exit(ExitCodes.SUCCESS)
+    oc_map = init_oc_map_from_namespaces(
+        namespaces=namespaces,
+        integration=QONTRACT_INTEGRATION,
+        secret_reader=secret_reader,
+        internal=internal,
+        use_jump_host=use_jump_host,
+        thread_pool_size=thread_pool_size,
+    )
+    ri = ResourceInventory()
+    state_specs = ob.init_specs_to_fetch(
+        ri,
+        oc_map,
+        namespaces=[ns.dict(by_alias=True) for ns in namespaces],
+        override_managed_types=["Secret"],
+    )
+    for spec in state_specs:
+        if isinstance(spec, ob.CurrentStateSpec):
+            orb.fetch_current_state(
+                spec.oc,
+                ri,
+                spec.cluster,
+                spec.namespace,
+                spec.kind,
+                spec.resource_names,
+            )
+    fetch_desired_state(dry_run, namespaces, ri, gql_api.query)
+    ob.realize_data(dry_run, oc_map, ri, thread_pool_size)
+    ob.publish_metrics(ri, QONTRACT_INTEGRATION)
+    if ri.has_error_registered():
+        sys.exit(1)

reconcile/typed_queries/rhcs_provider_settings.py

@@ -0,0 +1,21 @@
+from collections.abc import Callable
+
+from reconcile.gql_definitions.common.rhcs_provider_settings import (
+    RhcsProviderSettingsV1,
+    query,
+)
+from reconcile.utils import gql
+from reconcile.utils.exceptions import AppInterfaceSettingsError
+
+
+def get_rhcs_provider_settings(
+    query_func: Callable | None = None,
+) -> RhcsProviderSettingsV1:
+    """Returns App Interface Settings and raises err if none are found"""
+    if not query_func:
+        query_func = gql.get_api().query
+    data = query(query_func)
+    if data.settings and len(data.settings) == 1:
+        if data.settings[0].rhcs_provider:
+            return data.settings[0].rhcs_provider
+    raise AppInterfaceSettingsError("RHCS provider settings not uniquely defined.")

reconcile/utils/rhcsv2_certs.py

@@ -0,0 +1,76 @@
+import re
+from datetime import UTC, datetime
+
+import requests
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.x509.oid import NameOID
+from pydantic import BaseModel, Field
+
+
+class RhcsV2Cert(BaseModel):
+    certificate: str = Field(alias="tls.crt")
+    private_key: str = Field(alias="tls.key")
+    ca_cert: str = Field(alias="ca.crt")
+    expiration_timestamp: int
+
+    class Config:
+        allow_population_by_field_name = True
+
+
+def generate_cert(issuer_url: str, uid: str, pwd: str, ca_url: str) -> RhcsV2Cert:
+    private_key = rsa.generate_private_key(65537, 4096)
+    csr = (
+        x509.CertificateSigningRequestBuilder()
+        .subject_name(
+            x509.Name([
+                x509.NameAttribute(NameOID.USER_ID, uid),
+            ])
+        )
+        .sign(private_key, hashes.SHA256())
+    )
+    data = {
+        "uid": uid,
+        "pwd": pwd,
+        "cert_request_type": "pkcs10",
+        "cert_request": csr.public_bytes(serialization.Encoding.PEM).decode(),
+        "profileId": "caDirAppUserCert",
+        "renewal": "false",
+        "xmlOutput": "false",
+    }
+    response = requests.post(issuer_url, data=data)
+    response.raise_for_status()
+
+    cert_pem = re.search(
+        r'outputList\.outputVal="(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----(?:\\n|\r?\n)?)";',
+        response.text,
+        re.DOTALL,
+    )
+    if not cert_pem:
+        raise ValueError("Could not extract certificate PEM from response")
+    cert_expiry = re.search(r"Not\s+After:\s+(.*?UTC)(?:\\n|\r?\n)?", response.text)
+    if not cert_expiry:
+        raise ValueError("Could not extract expiration date from response")
+    # Weekday, Month Day, Year HH:MM:SS PM/AM Timezone
+    dt_expiry = datetime.strptime(cert_expiry.group(1), "%A, %B %d, %Y %I:%M:%S %p %Z")
+    dt_expiry = dt_expiry.replace(tzinfo=UTC)
+    private_key_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption(),
+    ).decode()
+
+    response = requests.get(ca_url)
+    response.raise_for_status()
+    ca_pem = response.text
+
+    return RhcsV2Cert(
+        private_key=private_key_pem,
+        certificate=cert_pem.group(1)
+        .encode()
+        .decode("unicode_escape")
+        .replace("\\/", "/"),
+        ca_cert=ca_pem,
+        expiration_timestamp=int(dt_expiry.timestamp()),
+    )