qontract-reconcile 0.10.2.dev204__py3-none-any.whl → 0.10.2.dev205__py3-none-any.whl

{qontract_reconcile-0.10.2.dev204.dist-info → qontract_reconcile-0.10.2.dev205.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev204
+Version: 0.10.2.dev205
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev204.dist-info → qontract_reconcile-0.10.2.dev205.dist-info}/RECORD

@@ -72,7 +72,7 @@ reconcile/openshift_prometheus_rules.py,sha256=onowXab248zmHH8SbYDTc1W1bl7JiqRFU
 reconcile/openshift_resourcequotas.py,sha256=yUi56PiOn3inMMfq_x_FEHmaW-reGipzoorjdar372g,2415
 reconcile/openshift_resources.py,sha256=I2nO_C37mG3rfyGrd4cGwN3mVseVGuTAHAyhFzLyqF4,1518
 reconcile/openshift_resources_base.py,sha256=3HudPdM7EE0HNWUn1eu0O20Ij25fqGisaDBMVvTk1fk,41768
-reconcile/openshift_rhcs_certs.py,sha256=snLx33sX2cj2TPGRgrEGDV6Ofm17IougnxT0T-5FNoA,9448
+reconcile/openshift_rhcs_certs.py,sha256=lP0GwKMRl8YBzxrwdbBOxrPqIPYNmu2KkZPGzWKyRVU,9859
 reconcile/openshift_rolebindings.py,sha256=9mlJ2FjWUoH-rsjtasreA_hV-K5Z_YR00qR_RR60OZM,6555
 reconcile/openshift_routes.py,sha256=fXvuPSjcjVw1X3j2EQvUAdbOepmIFdKk-M3qP8QzPiw,1075
 reconcile/openshift_saas_deploy.py,sha256=T1dvb9zajisaJNjbnR6-AZHU-itscHtr4oCqLj8KCK0,13037
@@ -227,7 +227,7 @@ reconcile/glitchtip_project_alerts/integration.py,sha256=BgMx-NyV9mTuv7Sotb2OioC
 reconcile/glitchtip_project_dsn/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/glitchtip_project_dsn/integration.py,sha256=2iugub-kHYkHNK33n0v9_TeWonuxCPah_VkoTPvaajE,8077
 reconcile/gql_definitions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/introspection.json,sha256=Go8Ep6qN2COkqnWsqQLfiGDS1TbQFyK_fp5TiM0ghpo,2334795
+reconcile/gql_definitions/introspection.json,sha256=oYlYgYdUjLtUwu9mJA-bh1y6BTTlWgVhL07N-9_9Du0,2335501
 reconcile/gql_definitions/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/acs_instances.py,sha256=L91WW9LbhJbBSrECqShQpFtjoBOsmNIYLRpMbx1io5o,2181
 reconcile/gql_definitions/acs/acs_policies.py,sha256=Ygpfl2-VkYLSlJvHgp_dJBfb66K_Rwfdfpsa18w1v1s,4338
@@ -296,7 +296,7 @@ reconcile/gql_definitions/common/pipeline_providers.py,sha256=9rpsqPuvj82B4ki56x
 reconcile/gql_definitions/common/quay_instances.py,sha256=toBkdYYVTmEafezAHZKgaW-mQ29xEW6jeronzsAlNyI,1786
 reconcile/gql_definitions/common/quay_orgs.py,sha256=NhA8kqvVUDbrsryEvEL5mlIv5R3T4XNhSRXtfL_yptY,1788
 reconcile/gql_definitions/common/reserved_networks.py,sha256=yP9qSQCaSQcva-ZgTnZp09qH27ur5_qK080ToIs04MY,2560
-reconcile/gql_definitions/common/rhcs_provider_settings.py,sha256=x3OmYjMCr9EzfkmLmbdx9zEKzqE9IczE8lcyzf_v9JU,1969
+reconcile/gql_definitions/common/rhcs_provider_settings.py,sha256=88NwWT1kmbysze_w4YT6kiOYU2StDHHP6QRQXnPlpmQ,2057
 reconcile/gql_definitions/common/saas_files.py,sha256=d1L_S5LgCMa4QuAqZGQYTWb5L_nPCOxSEjU4O__OeBU,17728
 reconcile/gql_definitions/common/saas_target_namespaces.py,sha256=4VYP2VbwY8WVwtSFk2-jsUNhSmRD3X4FWKxetOKvmd0,2835
 reconcile/gql_definitions/common/saasherder_settings.py,sha256=nqQLcMwYxLseqq0BEcVvmrpIj2eQq0h8XDSpLN6GGCw,1793
@@ -663,7 +663,7 @@ reconcile/utils/quay_mirror.py,sha256=dpWCNv5lITwIk6Q9RkmqaQKHNk_JPy27UQEribJ7E-
 reconcile/utils/raw_github_api.py,sha256=2WKtE8ABYYB9UGOAh9N_kLkksBWL3320Z2_scteZddI,2805
 reconcile/utils/repo_owners.py,sha256=P0QX6F0oB8wYA08yiyzhYUiBtU57iIK_PsxbzKENbKM,6571
 reconcile/utils/rest_api_base.py,sha256=MT7tp6CQO2S5aKfVOzw_hipWg7wAGoOqkm4qurI1hEU,4342
-reconcile/utils/rhcsv2_certs.py,sha256=nS0NJGI7pzEvVd0F84_KQ9hsxmslz-Db7Y2Pt-1E0x8,2248
+reconcile/utils/rhcsv2_certs.py,sha256=ZnlUlEI2k6UrljGarkm1ey0znMlQtjeZB7VEfCH1A64,2545
 reconcile/utils/ruamel.py,sha256=FzL4_L0FnMOUZmgThrZSMJs5MTdXwiy-E9MZWfk8bh8,397
 reconcile/utils/secret_reader.py,sha256=MaP56KZaAE35EyYbgAitdm6fUSxdzWeGFSOym9qiZkw,10206
 reconcile/utils/semver_helper.py,sha256=-WfPOMSA2v1h7hT3PwVf-Htg7wOsoKlQC1JdmDX2Ars,1268
@@ -815,7 +815,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=UfwwRLS5Ya4_Nh1w5n1dvoYtchQvYE9yj1VANt2IKqI,3925
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev204.dist-info/METADATA,sha256=oPtlkzclWzhdxuM8i4TJB0ykd-vcRwVOk2orPS4I_Zw,24555
-qontract_reconcile-0.10.2.dev204.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev204.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev204.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev205.dist-info/METADATA,sha256=Nk9aLZ_YnzuvFX0u_RJVWxJUztk3TT6ko7ANo6xbEgo,24555
+qontract_reconcile-0.10.2.dev205.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev205.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev205.dist-info/RECORD,,

reconcile/gql_definitions/common/rhcs_provider_settings.py

@@ -22,8 +22,9 @@ DEFINITION = """
 query RhcsProviderSettings {
   settings: app_interface_settings_v1 {
     rhcsProvider {
-      url
+      issuerUrl
       vaultBasePath
+      caCertUrl
     }
   }
 }
@@ -37,8 +38,9 @@ class ConfiguredBaseModel(BaseModel):
 
 
 class RhcsProviderSettingsV1(ConfiguredBaseModel):
-    url: str = Field(..., alias="url")
+    issuer_url: str = Field(..., alias="issuerUrl")
     vault_base_path: str = Field(..., alias="vaultBasePath")
+    ca_cert_url: str = Field(..., alias="caCertUrl")
 
 
 class AppInterfaceSettingsV1(ConfiguredBaseModel):

reconcile/gql_definitions/introspection.json

@@ -26581,7 +26581,7 @@
                     "description": null,
                     "fields": [
                         {
-                            "name": "url",
+                            "name": "issuerUrl",
                             "description": null,
                             "args": [],
                             "type": {
@@ -26611,6 +26611,22 @@
                             },
                             "isDeprecated": false,
                             "deprecationReason": null
+                        },
+                        {
+                            "name": "caCertUrl",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "NON_NULL",
+                                "name": null,
+                                "ofType": {
+                                    "kind": "SCALAR",
+                                    "name": "String",
+                                    "ofType": null
+                                }
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
                         }
                     ],
                     "inputFields": null,

reconcile/openshift_rhcs_certs.py

@@ -6,6 +6,9 @@ from typing import Any
 
 import reconcile.openshift_base as ob
 import reconcile.openshift_resources_base as orb
+from reconcile.gql_definitions.common.rhcs_provider_settings import (
+    RhcsProviderSettingsV1,
+)
 from reconcile.gql_definitions.rhcs.certs import (
     NamespaceOpenshiftResourceRhcsCertV1,
     NamespaceV1,
@@ -13,6 +16,7 @@ from reconcile.gql_definitions.rhcs.certs import (
 from reconcile.gql_definitions.rhcs.certs import (
     query as rhcs_certs_query,
 )
+from reconcile.status import ExitCodes
 from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
@@ -82,7 +86,7 @@ def construct_rhcs_cert_oc_secret(
     body: dict[str, Any] = {
         "apiVersion": "v1",
         "kind": "Secret",
-        "type": "Opaque",
+        "type": "kubernetes.io/tls",
         "metadata": {"name": secret_name, "annotations": annotations},
     }
     for k, v in cert.items():
@@ -120,7 +124,7 @@ def get_vault_cert_secret(
         })
     except SecretNotFound:
         logging.info(
-            f"No existing cert found for cluster='{ns.cluster.name}', namespace='{ns.name}', secret='{cert_resource.secret_name}', threshold='{cert_resource.auto_renew_threshold_days} days'"
+            f"No existing cert found for cluster='{ns.cluster.name}', namespace='{ns.name}', secret='{cert_resource.secret_name}''"
         )
     return vault_cert_secret
 
@@ -131,7 +135,8 @@ def generate_vault_cert_secret(
     cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
     vault: _VaultClient,
     vault_base_path: str,
-    cert_provider_url: str,
+    issuer_url: str,
+    ca_cert_url: str,
 ) -> dict:
     logging.info(
         f"Creating cert with service account credentials for '{cert_resource.service_account_name}'. cluster='{ns.cluster.name}', namespace='{ns.name}', secret='{cert_resource.secret_name}'"
@@ -141,14 +146,13 @@ def generate_vault_cert_secret(
         rhcs_cert = RhcsV2Cert(
             certificate="PLACEHOLDER_CERT",
             private_key="PLACEHOLDER_PRIVATE_KEY",
+            ca_cert="PLACEHOLDER_CA_CERT",
             expiration_timestamp=int(time.time()),
         )
     else:
         try:
             rhcs_cert = generate_cert(
-                cert_provider_url,
-                cert_resource.service_account_name,
-                sa_password,
+                issuer_url, cert_resource.service_account_name, sa_password, ca_cert_url
             )
         except ValueError as e:
             raise Exception(
@@ -159,12 +163,12 @@ def generate_vault_cert_secret(
         )
         vault.write(
             secret={
-                "data": rhcs_cert.dict(),
+                "data": rhcs_cert.dict(by_alias=True),
                 "path": f"{vault_base_path}/{ns.cluster.name}/{ns.name}/{cert_resource.secret_name}",
             },
             decode_base64=False,
         )
-    return rhcs_cert.dict()
+    return rhcs_cert.dict(by_alias=True)
 
 
 def fetch_openshift_resource_for_cert_resource(
@@ -172,15 +176,21 @@ def fetch_openshift_resource_for_cert_resource(
     ns: NamespaceV1,
     cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
     vault: _VaultClient,
-    vault_base_path: str,
-    cert_provider_url: str,
+    rhcs_settings: RhcsProviderSettingsV1,
 ) -> OR:
+    vault_base_path = f"{rhcs_settings.vault_base_path}/{QONTRACT_INTEGRATION}"
     vault_cert_secret = get_vault_cert_secret(ns, cert_resource, vault, vault_base_path)
     if vault_cert_secret is None or cert_expires_within_threshold(
         ns, cert_resource, vault_cert_secret
     ):
         vault_cert_secret = generate_vault_cert_secret(
-            dry_run, ns, cert_resource, vault, vault_base_path, cert_provider_url
+            dry_run,
+            ns,
+            cert_resource,
+            vault,
+            vault_base_path,
+            rhcs_settings.issuer_url,
+            rhcs_settings.ca_cert_url,
         )
 
     if not dry_run:
@@ -220,8 +230,7 @@ def fetch_desired_state(
                         ns,
                         cert_resource,
                         vault,
-                        f"{cert_provider.vault_base_path}/{QONTRACT_INTEGRATION}",
-                        cert_provider.url,
+                        cert_provider,
                     ),
                 )
 
@@ -237,6 +246,11 @@ def run(
     vault_settings = get_app_interface_vault_settings()
     secret_reader = create_secret_reader(use_vault=vault_settings.vault)
     namespaces = get_namespaces_with_rhcs_certs(gql_api.query, cluster_name)
+    if not namespaces:
+        logging.debug(
+            f"No rhcs-cert definitions found in app-interface for {cluster_name}"
+        )
+        sys.exit(ExitCodes.SUCCESS)
     oc_map = init_oc_map_from_namespaces(
         namespaces=namespaces,
         integration=QONTRACT_INTEGRATION,

reconcile/utils/rhcsv2_certs.py

@@ -6,16 +6,20 @@ from cryptography import x509
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.x509.oid import NameOID
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 
 
 class RhcsV2Cert(BaseModel):
-    certificate: str
-    private_key: str
+    certificate: str = Field(alias="tls.crt")
+    private_key: str = Field(alias="tls.key")
+    ca_cert: str = Field(alias="ca.crt")
     expiration_timestamp: int
 
+    class Config:
+        allow_population_by_field_name = True
 
-def generate_cert(url: str, uid: str, pwd: str) -> RhcsV2Cert:
+
+def generate_cert(issuer_url: str, uid: str, pwd: str, ca_url: str) -> RhcsV2Cert:
     private_key = rsa.generate_private_key(65537, 4096)
     csr = (
         x509.CertificateSigningRequestBuilder()
@@ -35,8 +39,9 @@ def generate_cert(url: str, uid: str, pwd: str) -> RhcsV2Cert:
         "renewal": "false",
         "xmlOutput": "false",
     }
-    response = requests.post(url, data=data, verify=False)
+    response = requests.post(issuer_url, data=data)
     response.raise_for_status()
+
     cert_pem = re.search(
         r'outputList\.outputVal="(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----(?:\\n|\r?\n)?)";',
         response.text,
@@ -56,11 +61,16 @@ def generate_cert(url: str, uid: str, pwd: str) -> RhcsV2Cert:
         encryption_algorithm=serialization.NoEncryption(),
     ).decode()
 
+    response = requests.get(ca_url)
+    response.raise_for_status()
+    ca_pem = response.text
+
     return RhcsV2Cert(
         private_key=private_key_pem,
         certificate=cert_pem.group(1)
         .encode()
         .decode("unicode_escape")
         .replace("\\/", "/"),
+        ca_cert=ca_pem,
         expiration_timestamp=int(dt_expiry.timestamp()),
     )