qontract-reconcile 0.10.2.dev27__py3-none-any.whl → 0.10.2.dev29__py3-none-any.whl

{qontract_reconcile-0.10.2.dev27.dist-info → qontract_reconcile-0.10.2.dev29.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev27
+Version: 0.10.2.dev29
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev27.dist-info → qontract_reconcile-0.10.2.dev29.dist-info}/RECORD

@@ -10,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=q96mwr2KeEQ5bpNniGlgIMZTxiuLSodcYfX-t
 reconcile/aws_support_cases_sos.py,sha256=hl_9L53yQYRQxKs3IWrd69Cc60XK067g_bJRM9B0udo,2975
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=O1wFp52EyF538c6txaWBs8eMtUIy19gyHZ6VzJ6QXS8,3512
 reconcile/checkpoint.py,sha256=_JhMxrye5BgkRMxWYuf7Upli6XayPINKSsuo3ynHTRc,5010
-reconcile/cli.py,sha256=BCfKBc5BRq-9Y5WYe8sUoz9ufOsB1WwMvylx6mBf6CQ,107806
+reconcile/cli.py,sha256=vHCmBcriMEqwVDj_7wujQFbrYa4b6yiiFTYCByWkbwg,107407
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=MvGKBqH9PdHWdMjhLuptze-dk0Tifhp3-0SZdI-7Fmo,4862
 reconcile/cluster_deployment_mapper.py,sha256=5gumAaRCcFXsabUJ1dnuUy9WrP_FEEM5JnOnE8ch9sE,2326
 reconcile/dashdotdb_base.py,sha256=83ZWIf5JJk3P_D69y2TmXRcQr6ELJGlv10OM0h7fJVs,4767
@@ -46,7 +46,7 @@ reconcile/jenkins_roles.py,sha256=HadmoNhgOoKMFZJmCe_Gdg0_a9k_1MuOXidtr801nUU,45
 reconcile/jenkins_webhooks.py,sha256=dzMT1ywXjeAo5sHj-ittW06Ed3beAUPjnc_oCAtD-Rg,2150
 reconcile/jenkins_webhooks_cleaner.py,sha256=JsN_NVPfZJwv1JtSzZXDIHUqGiefL-DRffFnDGau9aY,1539
 reconcile/jenkins_worker_fleets.py,sha256=L2wEXpd4xuEHrXGss4iH788nG8UlLSYduZe1EY2IVw4,5377
-reconcile/jira_permissions_validator.py,sha256=uuwzizb16jTWGctDB0cG0t9l3trDxZuK2SJA-9w7tfA,14872
+reconcile/jira_permissions_validator.py,sha256=DCKUyaqwUcIN4BuNtdREQW44K9yFxa1RUuA8a-dzXFE,13336
 reconcile/jira_watcher.py,sha256=L_UL2MKm2SoIGNsCLThm28pnqCkoFc154JWsD6bURug,3593
 reconcile/ldap_users.py,sha256=7hdO5CAPl-VNBvDRmKHg13LoblHXXPt7YEKNGomAoGg,3158
 reconcile/mr_client_gateway.py,sha256=WhjMd-sIXDFCV8-rt8CEjurJ5OYB1pOD0K3o0tZRXQg,1885
@@ -225,6 +225,9 @@ reconcile/gql_definitions/advanced_upgrade_service/aus_clusters.py,sha256=RpOrRY
 reconcile/gql_definitions/advanced_upgrade_service/aus_organization.py,sha256=zU-WJ9CASV1Ok-1jUro6K426v3ug5YNR1XoXmV7SwQ8,3364
 reconcile/gql_definitions/app_interface_metrics_exporter/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/app_interface_metrics_exporter/onboarding_status.py,sha256=uVEEqU6YYmKsNTo6EWlFnoVmqha2rvBDx-wiD64VmG0,1679
+reconcile/gql_definitions/app_sre_tekton_access_revalidation/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/app_sre_tekton_access_revalidation/roles.py,sha256=8Y4NsS5T7tumDWxY5MuoV50MK2i-DsLYSpCRjb7KaLE,2353
+reconcile/gql_definitions/app_sre_tekton_access_revalidation/users.py,sha256=XdVxBxiyTR6Cy939EHNw__0k7iWrZWlhrgS5DakST0I,2504
 reconcile/gql_definitions/aws_account_manager/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/aws_account_manager/aws_accounts.py,sha256=JdqtE3gMpeodymPJST-aFVkYP_MO--_CcwjF070R5Cs,4883
 reconcile/gql_definitions/aws_ami_cleanup/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -272,7 +275,7 @@ reconcile/gql_definitions/common/ocm_env_telemeter.py,sha256=jW0Q9WazDQVOxh4u0LM
 reconcile/gql_definitions/common/ocm_environments.py,sha256=6-_4Bf6-wBWykNBxVAFYnDkgM8sSoATKdabakDR9ENs,2018
 reconcile/gql_definitions/common/pagerduty_instances.py,sha256=CqHMNyI0O1knfzLJoDMmsa5cbVEppng6ae4OMYsvJFQ,2059
 reconcile/gql_definitions/common/pgp_reencryption_settings.py,sha256=NPLmO6J-zSu5B9QiYbDezLHY3TuOO9ihRBV-Zr84R9w,2259
-reconcile/gql_definitions/common/pipeline_providers.py,sha256=JJgmmghqLIwjKOdcWYHPnf4PDgAq4GF7046i0ozrqgI,9127
+reconcile/gql_definitions/common/pipeline_providers.py,sha256=9rpsqPuvj82B4ki56xHlBde0yvGFOdXMH0RDQkBRVx8,9394
 reconcile/gql_definitions/common/quay_instances.py,sha256=toBkdYYVTmEafezAHZKgaW-mQ29xEW6jeronzsAlNyI,1786
 reconcile/gql_definitions/common/quay_orgs.py,sha256=NhA8kqvVUDbrsryEvEL5mlIv5R3T4XNhSRXtfL_yptY,1788
 reconcile/gql_definitions/common/reserved_networks.py,sha256=yP9qSQCaSQcva-ZgTnZp09qH27ur5_qK080ToIs04MY,2560
@@ -681,15 +684,17 @@ reconcile/utils/merge_request_manager/parser.py,sha256=5pGoz8Q6EuYXlUc1z-D0FahdR
 reconcile/utils/mr/README.md,sha256=i9sCLkDFhSxAUtpa_I1_TxhR5vPOLcowuwn2VEWO41w,5794
 reconcile/utils/mr/__init__.py,sha256=hcfHDIIIsJT4C0BnzDnyeZEfZdamrqHzMLcBzIT1ibI,2578
 reconcile/utils/mr/app_interface_reporter.py,sha256=6Kpg93V9FvcOke9Jimkva359MQ-ZyBIkUpf8QIA6-to,1793
+reconcile/utils/mr/app_sre_tekton_access_report.py,sha256=zSO_-d_5KA-wcb0uAx4WWIj_LjIKqozHS-I2leTOzRU,1508
 reconcile/utils/mr/aws_access.py,sha256=9MMpYD24j2lLr_hLeMSh_OsJ07waalrlNpz-JlOsKAM,2575
 reconcile/utils/mr/base.py,sha256=O8BWr6dibeQ22FDE9y56r6DK3UnC-5IhRXT7IWGrnxk,8069
 reconcile/utils/mr/clusters_updates.py,sha256=pcusPAwRUkvyk_-bixsRNTzSvpTLypJ1kflq5UEVgcM,2271
-reconcile/utils/mr/glitchtip_access_reporter.py,sha256=i5vo9jjBifX5wIcLwEMH5_VFVg-NY-pBKe0HysSw4CQ,5031
+reconcile/utils/mr/glitchtip_access_reporter.py,sha256=cTkOtzdgeKPaqro0VS2hDuAClQiN4nZATh-mplQC-AI,1369
 reconcile/utils/mr/labels.py,sha256=9QRTRjZAtq45zELd9SwavaraczMjwjn5no3RK1YxFTg,825
 reconcile/utils/mr/notificator.py,sha256=f8IcGQ1_iBsXJFnhPsWQ7UE3NfigaOrXcVieJPplYrY,2955
 reconcile/utils/mr/ocm_update_recommended_version.py,sha256=p_aVP0TGrlKk9WBwgQnYWqUDsED_Hg6G5Bqj0UvtRwA,1536
 reconcile/utils/mr/ocm_upgrade_scheduler_org_updates.py,sha256=5EncHGr4QRnZgHedRfCwMYZ9CaijYzHGj7-M6lhtQRo,3004
 reconcile/utils/mr/promote_qontract.py,sha256=wgvX2CBlcZaihKJSXJ0zcEK8NGaEP2_DUQDz0STzGes,7158
+reconcile/utils/mr/update_access_report_base.py,sha256=0vhF-eZTIjl7keBAOb2bO7LrlRAiticuUGh5EmI5MWc,4357
 reconcile/utils/mr/user_maintenance.py,sha256=ZlR1Id_r2BUXsoerJW-0Ioh5bcbwlnQxBBhSs-ri9Dk,5099
 reconcile/utils/ocm/__init__.py,sha256=Y-bp8GomMpyCo0tFW6kJ78-ZG1UIupYRtBzbMWU0kwM,798
 reconcile/utils/ocm/addons.py,sha256=_LDdJ-gapM3s5exKlIUt-MlXZTAUoHezbYBU0QmvfWQ,7335
@@ -737,9 +742,11 @@ reconcile/utils/unleash/server.py,sha256=907gDh9Ee8UxLqusnfpzE-7LUnttB38D4xhVJ0v
 tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tools/app_interface_metrics_exporter.py,sha256=f1qwTmQfEcs98uBVRyBa0k7GQXdiSwd7w1hDVjhdGcQ,2303
 tools/app_interface_reporter.py,sha256=gR2EgHmgSIxzK5xxDW1SduFU6OkPaf2LlAQjhV3NYIg,17623
-tools/glitchtip_access_reporter.py,sha256=oPBnk_YoDuljU3v0FaChzOwwnk4vap1xEE67QEjzdqs,2948
+tools/app_sre_tekton_access_reporter.py,sha256=o9prLUgQpwO3msRWc2as1xT1y9OB3znkpgvLr0Ys8_M,3146
+tools/app_sre_tekton_access_revalidation.py,sha256=66nHEaY-bIqxIhpcmwN8AvQZu6ZXenfkg4Fut0pVZRM,2726
+tools/glitchtip_access_reporter.py,sha256=o01A6b88t3Wie6tj_tJWWVo2J01LxQ_a9giGm4UzEaU,2901
 tools/glitchtip_access_revalidation.py,sha256=8kbBJk04mkq28kWoRDDkfCGIF3GRg3pJrFAh1sW0dbk,2821
-tools/qontract_cli.py,sha256=T637u3EVpodta2SSIjMa-3doLqXci1AEDt3Bspng4mE,145561
+tools/qontract_cli.py,sha256=76jUbYqgF_ViudSg4rAJCBCLrrQV5aR0nMSlZwH3MWU,147170
 tools/sd_app_sre_alert_report.py,sha256=jQpJdXVID68bSNtJNOGDh0-ei1CfEUS4Itr4MAaBNFA,5062
 tools/template_validation.py,sha256=qpKYaTgk0GOPGa2Ct5_5sKdwIHtCAKIBGzsMPuJU5fw,3371
 tools/cli_commands/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -766,7 +773,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=UfwwRLS5Ya4_Nh1w5n1dvoYtchQvYE9yj1VANt2IKqI,3925
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev27.dist-info/METADATA,sha256=Nr3x_-2IN6jO8C6UVvoDJmObBt8_Y6OZ54Ok0UsHikA,24665
-qontract_reconcile-0.10.2.dev27.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev27.dist-info/entry_points.txt,sha256=JniHZPadNOILPyfSl0LF2YSp3Db7K2_W2CN7i9f3Gos,540
-qontract_reconcile-0.10.2.dev27.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev29.dist-info/METADATA,sha256=a6JAveCgr6HyV2-o-zIa88NmQXGd8ljE9r-SChKfa6o,24665
+qontract_reconcile-0.10.2.dev29.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev29.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev29.dist-info/RECORD,,

{qontract_reconcile-0.10.2.dev27.dist-info → qontract_reconcile-0.10.2.dev29.dist-info}/entry_points.txt

@@ -1,6 +1,8 @@
 [console_scripts]
 app-interface-metrics-exporter = tools.app_interface_metrics_exporter:main
 app-interface-reporter = tools.app_interface_reporter:main
+app-sre-tekton-access-reporter = tools.app_sre_tekton_access_reporter:main
+app-sre-tekton-access-revalidation = tools.app_sre_tekton_access_revalidation:main
 glitchtip-access-reporter = tools.glitchtip_access_reporter:main
 glitchtip-access-revalidation = tools.glitchtip_access_revalidation:main
 qontract-cli = tools.qontract_cli:root

reconcile/cli.py

@@ -1162,28 +1162,15 @@ def jenkins_webhooks_cleaner(ctx):
     "--jira-board-name", help="The Jira board to act on.", default=None, multiple=True
 )
 @click.option("--board-check-interval", help="Check interval in minutes", default=120)
-@enable_extended_early_exit
-@extended_early_exit_cache_ttl_seconds
-@log_cached_log_output
 @click.pass_context
-def jira_permissions_validator(
-    ctx,
-    jira_board_name,
-    board_check_interval,
-    enable_extended_early_exit,
-    extended_early_exit_cache_ttl_seconds,
-    log_cached_log_output,
-):
+def jira_permissions_validator(ctx, jira_board_name, board_check_interval):
     import reconcile.jira_permissions_validator
 
     run_integration(
         reconcile.jira_permissions_validator,
         ctx.obj,
         jira_board_name=jira_board_name,
-        board_check_interval=board_check_interval,
-        enable_extended_early_exit=enable_extended_early_exit,
-        extended_early_exit_cache_ttl_seconds=extended_early_exit_cache_ttl_seconds,
-        log_cached_log_output=log_cached_log_output,
+        board_check_interval_sec=board_check_interval * 60,
     )
 
 

reconcile/gql_definitions/app_sre_tekton_access_revalidation/roles.py

@@ -0,0 +1,86 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+
+DEFINITION = """
+query AppSRETektonAccessRevalidationRoles {
+  roles: roles_v1 {
+    path
+    access {
+      role
+      namespace {
+        path
+      }
+    }
+    users {
+      org_username
+      path
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class NamespaceV1(ConfiguredBaseModel):
+    path: str = Field(..., alias="path")
+
+
+class AccessV1(ConfiguredBaseModel):
+    role: Optional[str] = Field(..., alias="role")
+    namespace: Optional[NamespaceV1] = Field(..., alias="namespace")
+
+
+class UserV1(ConfiguredBaseModel):
+    org_username: str = Field(..., alias="org_username")
+    path: str = Field(..., alias="path")
+
+
+class RoleV1(ConfiguredBaseModel):
+    path: str = Field(..., alias="path")
+    access: Optional[list[AccessV1]] = Field(..., alias="access")
+    users: list[UserV1] = Field(..., alias="users")
+
+
+class AppSRETektonAccessRevalidationRolesQueryData(ConfiguredBaseModel):
+    roles: Optional[list[RoleV1]] = Field(..., alias="roles")
+
+
+def query(query_func: Callable, **kwargs: Any) -> AppSRETektonAccessRevalidationRolesQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        AppSRETektonAccessRevalidationRolesQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return AppSRETektonAccessRevalidationRolesQueryData(**raw_data)

reconcile/gql_definitions/app_sre_tekton_access_revalidation/users.py

@@ -0,0 +1,92 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+
+DEFINITION = """
+query AppSRETektonAccessRevalidationUsers {
+  users: users_v1 {
+    name
+    org_username
+    roles {
+      access {
+        role
+        namespace {
+          name
+          cluster {
+            name
+          }
+        }
+      }
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class ClusterV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+
+
+class NamespaceV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    cluster: ClusterV1 = Field(..., alias="cluster")
+
+
+class AccessV1(ConfiguredBaseModel):
+    role: Optional[str] = Field(..., alias="role")
+    namespace: Optional[NamespaceV1] = Field(..., alias="namespace")
+
+
+class RoleV1(ConfiguredBaseModel):
+    access: Optional[list[AccessV1]] = Field(..., alias="access")
+
+
+class UserV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    org_username: str = Field(..., alias="org_username")
+    roles: Optional[list[RoleV1]] = Field(..., alias="roles")
+
+
+class AppSRETektonAccessRevalidationUsersQueryData(ConfiguredBaseModel):
+    users: Optional[list[UserV1]] = Field(..., alias="users")
+
+
+def query(query_func: Callable, **kwargs: Any) -> AppSRETektonAccessRevalidationUsersQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        AppSRETektonAccessRevalidationUsersQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return AppSRETektonAccessRevalidationUsersQueryData(**raw_data)

reconcile/gql_definitions/common/pipeline_providers.py

@@ -95,7 +95,12 @@ query PipelineProviders {
       }
       namespace {
         name
+        path
         clusterAdmin
+        app {
+          name
+          path
+        }
         cluster {
           name
           serverUrl
@@ -193,6 +198,11 @@ class PipelinesProviderTektonProviderDefaultsV1(ConfiguredBaseModel):
     deploy_resources: Optional[DeployResourcesV1] = Field(..., alias="deployResources")
 
 
+class AppV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    path: str = Field(..., alias="path")
+
+
 class DisableClusterAutomationsV1(ConfiguredBaseModel):
     integrations: Optional[list[str]] = Field(..., alias="integrations")
 
@@ -210,7 +220,9 @@ class ClusterV1(ConfiguredBaseModel):
 
 class NamespaceV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
+    path: str = Field(..., alias="path")
     cluster_admin: Optional[bool] = Field(..., alias="clusterAdmin")
+    app: AppV1 = Field(..., alias="app")
     cluster: ClusterV1 = Field(..., alias="cluster")
 
 

reconcile/jira_permissions_validator.py

@@ -1,4 +1,5 @@
 import logging
+import random
 import sys
 import time
 from collections.abc import Callable, Iterable
@@ -23,16 +24,11 @@ from reconcile.typed_queries.jiralert_settings import get_jiralert_settings
 from reconcile.utils import gql, metrics
 from reconcile.utils.defer import defer
 from reconcile.utils.disabled_integrations import integration_is_enabled
-from reconcile.utils.extended_early_exit import (
-    ExtendedEarlyExitRunnerResult,
-    extended_early_exit_run,
-)
 from reconcile.utils.jira_client import JiraClient, JiraWatcherSettings
 from reconcile.utils.runtime.integration import DesiredStateShardConfig
 from reconcile.utils.secret_reader import SecretReaderBase, create_secret_reader
 from reconcile.utils.semver_helper import make_semver
 from reconcile.utils.state import State, init_state
-from reconcile.utils.unleash import get_feature_toggle_state
 
 QONTRACT_INTEGRATION = "jira-permissions-validator"
 QONTRACT_INTEGRATION_VERSION = make_semver(1, 2, 0)
@@ -70,7 +66,7 @@ class ValidationError(IntFlag):
 
 class RunnerParams(TypedDict):
     boards: list[JiraBoardV1]
-    board_check_interval: int
+    board_check_interval_sec: int
     dry_run: bool
 
 
@@ -206,7 +202,7 @@ def validate_boards(
     jira_boards: Iterable[JiraBoardV1],
     default_issue_type: str,
     default_reopen_state: str,
-    board_check_interval: int,
+    board_check_interval_sec: int,
     dry_run: bool,
     state: State,
     jira_client_class: type[JiraClient] = JiraClient,
@@ -214,8 +210,8 @@ def validate_boards(
     error = False
     jira_clients: dict[str, JiraClient] = {}
     for board in jira_boards:
-        last_successful_run = state.get(board.name, 0)
-        if not dry_run and time.time() <= last_successful_run + board_check_interval:
+        next_run_time = state.get(board.name, 0)
+        if not dry_run and time.time() <= next_run_time:
             logging.debug(f"[{board.name}] Skipping board")
             continue
 
@@ -243,8 +239,13 @@ def validate_boards(
                     # no errors
                     logging.debug(f"[{board.name}] is valid")
                     if not dry_run:
-                        # remember time of the last successful run
-                        state[board.name] = time.time()
+                        # set the run time for the next check
+                        state[board.name] = (
+                            time.time()
+                            + board_check_interval_sec
+                            # add some randomness to avoid all boards checking at the same time
+                            + random.randint(0, 3600)
+                        )
                 case ValidationError.PERMISSION_ERROR:
                     # we don't have all the permissions, but we can create jira tickets
                     metrics_container.set_gauge(
@@ -290,57 +291,15 @@ def export_boards(boards: list[JiraBoardV1]) -> list[dict]:
     return [board.dict() for board in boards]
 
 
+@defer
 def run(
     dry_run: bool,
     jira_board_name: list[str] | None = None,
-    board_check_interval: int = 3600,
-    enable_extended_early_exit: bool = False,
-    extended_early_exit_cache_ttl_seconds: int = 3600,
-    log_cached_log_output: bool = False,
+    board_check_interval_sec: int = 3600,
+    defer: Callable | None = None,
 ) -> None:
     gql_api = gql.get_api()
     boards = get_jira_boards(query_func=gql_api.query, jira_board_names=jira_board_name)
-    runner_params: RunnerParams = {
-        "boards": boards,
-        "dry_run": dry_run,
-        "board_check_interval": board_check_interval,
-    }
-    if enable_extended_early_exit and get_feature_toggle_state(
-        "jira-permissions-validator-extended-early-exit",
-        default=True,
-    ):
-        vault_settings = get_app_interface_vault_settings()
-        secret_reader = create_secret_reader(use_vault=vault_settings.vault)
-
-        cache_source = CacheSource(
-            boards=export_boards(boards),
-        )
-        extended_early_exit_run(
-            integration=QONTRACT_INTEGRATION,
-            integration_version=QONTRACT_INTEGRATION_VERSION,
-            # don't use `dry_run` in the cache key because this is a read-only integration
-            dry_run=False,
-            cache_source=cache_source,
-            shard="_".join(set(jira_board_name)) if jira_board_name else "",
-            ttl_seconds=extended_early_exit_cache_ttl_seconds,
-            logger=logging.getLogger(),
-            runner=runner,
-            runner_params=runner_params,
-            secret_reader=secret_reader,
-            log_cached_log_output=log_cached_log_output,
-        )
-    else:
-        runner(**runner_params)
-
-
-@defer
-def runner(
-    boards: list[JiraBoardV1],
-    dry_run: bool,
-    board_check_interval: int,
-    defer: Callable | None = None,
-) -> ExtendedEarlyExitRunnerResult:
-    gql_api = gql.get_api()
     settings = get_jira_settings(gql_api=gql_api)
     jiralert_settings = get_jiralert_settings(query_func=gql_api.query)
     vault_settings = get_app_interface_vault_settings()
@@ -357,7 +316,7 @@ def runner(
             jira_boards=boards,
             default_issue_type=jiralert_settings.default_issue_type,
             default_reopen_state=jiralert_settings.default_reopen_state,
-            board_check_interval=board_check_interval,
+            board_check_interval_sec=board_check_interval_sec,
             dry_run=dry_run,
             state=state,
         )
@@ -365,8 +324,6 @@ def runner(
     if error:
         sys.exit(ExitCodes.ERROR)
 
-    return ExtendedEarlyExitRunnerResult(payload=export_boards(boards), applied_count=0)
-
 
 def early_exit_desired_state(
     *args: Any, jira_board_name: list[str] | None = None, **kwargs: Any

reconcile/utils/mr/app_sre_tekton_access_report.py

@@ -0,0 +1,45 @@
+from pydantic import BaseModel
+
+from reconcile.utils.mr.update_access_report_base import UpdateAccessReportBase
+
+
+class UpdateAppSRETektonAccessReport(UpdateAccessReportBase):
+    name = "app_sre_tekton_access_report_mr"
+    short_description = "AppSRE Tekton Access Report"
+    template = """
+| Username | Name | Apps with pipeline namespace access |
+| -------- | ---- | ----------------------------------- |
+{% for user in users|sort -%}
+| {{ user.org_username }} | {{ user.name }} |{% for app in user.apps %} {{app}}{% if not loop.last%},{% endif %}{% endfor %} |
+{% endfor %}
+""".strip()
+
+
+# User model
+class AppSRETektonAccessReportUserModel(BaseModel):
+    org_username: str
+    name: str
+    apps: set[str]
+
+    def __lt__(self, other: object) -> bool:
+        if not isinstance(other, AppSRETektonAccessReportUserModel):
+            raise NotImplementedError(
+                "Cannot compare to non AppSRETektonAccessReportUser objects."
+            )
+        return self.org_username < other.org_username
+
+
+# Mutable User class
+class AppSRETektonAccessReportUser:
+    def __init__(self, name: str, org_username: str, apps: set):
+        self._org_username = org_username
+        self._name = name
+        self._apps = apps
+
+    def add_app(self, app: str) -> None:
+        self._apps.add(app)
+
+    def generate_model(self) -> AppSRETektonAccessReportUserModel:
+        return AppSRETektonAccessReportUserModel(
+            name=self._name, org_username=self._org_username, apps=self._apps
+        )

reconcile/utils/mr/glitchtip_access_reporter.py

@@ -1,17 +1,12 @@
-import logging
-from collections.abc import Sequence
-from datetime import UTC, date
-from datetime import datetime as dt
-from pathlib import Path
-
-from jinja2 import Template
 from pydantic import BaseModel
 
-from reconcile.utils.gitlab_api import GitLabApi
-from reconcile.utils.mr.base import MergeRequestBase
-from reconcile.utils.mr.labels import AUTO_MERGE
+from reconcile.utils.mr.update_access_report_base import UpdateAccessReportBase
+
 
-CURRENT_USERS_TABLE_TEMPLATE = """
+class UpdateGlitchtipAccessReport(UpdateAccessReportBase):
+    name = "glitchtip_access_report_mr"
+    short_description = "glitchtip access report"
+    template = """
 | Username | Name | Organizations and Access Levels |
 | -------- | ---- | ------------------------------- |
 {% for user in users|sort -%}
@@ -43,92 +38,3 @@ class GlitchtipAccessReportUser(BaseModel):
                 "Cannot compare to non GlitchtipAccessReportUser objects."
             )
         return self.username < other.username
-
-
-class UpdateGlitchtipAccessReport(MergeRequestBase):
-    name = "glitchtip_access_report_mr"
-
-    def __init__(
-        self,
-        users: Sequence[GlitchtipAccessReportUser],
-        glitchtip_access_revalidation_workbook: Path,
-        dry_run: bool = True,
-    ):
-        super().__init__()
-        self.labels = [AUTO_MERGE]
-        self._users = users
-        self._glitchtip_access_revalidation_workbook = str(
-            glitchtip_access_revalidation_workbook
-        )
-        self._isodate = dt.now(tz=UTC).isoformat()
-        self._dry_run = dry_run
-
-    @property
-    def title(self) -> str:
-        return f"[{self.name}] reports for {self._isodate}"
-
-    @property
-    def description(self) -> str:
-        return f"glitchtip access report for {self._isodate}"
-
-    def _render_current_users_table(self) -> str:
-        template = Template(CURRENT_USERS_TABLE_TEMPLATE, keep_trailing_newline=True)
-        return template.render(users=self._users)
-
-    def _render_tracking_table_row(self, old_number_of_users: int) -> str:
-        # | Date Reviewed | Number of Current Users | +/- Red Hat Users |
-        return f"| {date.today()} | {len(self._users)} | {len(self._users) - old_number_of_users} |\n"
-
-    def _update_workbook(self, workbook_md: str) -> str:
-        new_workbook_md = ""
-        number_of_skipped_lines = 0
-        skip = False
-        for line in workbook_md.splitlines():
-            if "<!-- current users table: start -->" in line:
-                # do not copy the old current users table
-                skip = True
-                # insert the new table including the marker
-                new_workbook_md += line + "\n"
-                new_workbook_md += self._render_current_users_table()
-            elif "<!-- current users table: end -->" in line:
-                skip = False
-                # insert the marker
-                new_workbook_md += line + "\n"
-            elif "<!-- tracking table: next row -->" in line:
-                # insert the new row including the marker
-                new_workbook_md += self._render_tracking_table_row(
-                    old_number_of_users=number_of_skipped_lines - 2
-                    if number_of_skipped_lines > 0
-                    else 0
-                )
-                new_workbook_md += line + "\n"
-            elif not skip:
-                new_workbook_md += line + "\n"
-            else:
-                # count the number of skipped current users table lines
-                # this number minus the table header is the old number of users
-                number_of_skipped_lines += 1
-
-        return new_workbook_md
-
-    def process(self, gitlab_cli: GitLabApi) -> None:
-        workbook_md = gitlab_cli.project.files.get(
-            file_path=self._glitchtip_access_revalidation_workbook, ref=self.branch
-        )
-        workbook_md = self._update_workbook(workbook_md.decode().decode("utf-8"))
-
-        if not self._dry_run:
-            logging.info(
-                f"updating glitchtip access report: {self._glitchtip_access_revalidation_workbook}"
-            )
-            gitlab_cli.update_file(
-                branch_name=self.branch,
-                file_path=self._glitchtip_access_revalidation_workbook,
-                commit_message="update glitchtip access report",
-                content=workbook_md,
-            )
-        else:
-            logging.info(
-                f"dry-run: not updating glitchtip access report: {self._glitchtip_access_revalidation_workbook}"
-            )
-            logging.info(workbook_md)

reconcile/utils/mr/update_access_report_base.py

@@ -0,0 +1,122 @@
+import logging
+from abc import abstractmethod
+from collections.abc import Sequence
+from datetime import UTC, date
+from datetime import datetime as dt
+from pathlib import Path
+from typing import TypeVar
+
+from jinja2 import Template
+from pydantic import BaseModel
+
+from reconcile.utils.gitlab_api import GitLabApi
+from reconcile.utils.mr.base import MergeRequestBase
+from reconcile.utils.mr.labels import AUTO_MERGE
+
+AccessReportUser = TypeVar("AccessReportUser", bound=BaseModel)
+
+
+class UpdateAccessReportBase(MergeRequestBase):
+    def __init__(
+        self,
+        users: Sequence[AccessReportUser],
+        workbook_path: Path,
+        dry_run: bool = True,
+    ):
+        super().__init__()
+        self.labels = [AUTO_MERGE]
+        self._users = users
+        self._workbook_file_name = str(workbook_path)
+        self._isodate = dt.now(tz=UTC).isoformat()
+        self._dry_run = dry_run
+
+    @property
+    @abstractmethod
+    def short_description(self) -> str:
+        """
+        Short Description of the Merge Request (without dates). It will be used to
+        build the Merge Request description as seen in the UI.
+
+        :return: Merge Request description as seen in the Gitlab Web UI without date.
+        :rtype: str
+        """
+
+    @property
+    @abstractmethod
+    def template(self) -> str:
+        """
+        Jinja2 template to generate the report main table.
+
+        :return: report jinja2 template.
+        :rtype: str
+        """
+
+    @property
+    def title(self) -> str:
+        return f"[{self.name}] reports for {self._isodate}"
+
+    @property
+    def description(self) -> str:
+        return f"{self.short_description} for {self._isodate}"
+
+    def _render_current_users_table(self) -> str:
+        template = Template(self.template, keep_trailing_newline=True)
+        return template.render(users=self._users)
+
+    def _render_tracking_table_row(self, old_number_of_users: int) -> str:
+        # | Date Reviewed | Number of Current Users | +/- Red Hat Users |
+        return f"| {date.today()} | {len(self._users)} | {len(self._users) - old_number_of_users} |\n"
+
+    def _update_workbook(self, workbook_md: str) -> str:
+        new_workbook_md = ""
+        number_of_skipped_lines = 0
+        skip = False
+        for line in workbook_md.splitlines():
+            if "<!-- current users table: start -->" in line:
+                # do not copy the old current users table
+                skip = True
+                # insert the new table including the marker
+                new_workbook_md += line + "\n"
+                new_workbook_md += self._render_current_users_table()
+            elif "<!-- current users table: end -->" in line:
+                skip = False
+                # insert the marker
+                new_workbook_md += line + "\n"
+            elif "<!-- tracking table: next row -->" in line:
+                # insert the new row including the marker
+                new_workbook_md += self._render_tracking_table_row(
+                    old_number_of_users=number_of_skipped_lines - 2
+                    if number_of_skipped_lines > 0
+                    else 0
+                )
+                new_workbook_md += line + "\n"
+            elif not skip:
+                new_workbook_md += line + "\n"
+            else:
+                # count the number of skipped current users table lines
+                # this number minus the table header is the old number of users
+                number_of_skipped_lines += 1
+
+        return new_workbook_md
+
+    def process(self, gitlab_cli: GitLabApi) -> None:
+        workbook_md = gitlab_cli.project.files.get(
+            file_path=self._workbook_file_name, ref=self.branch
+        )
+        workbook_md = self._update_workbook(workbook_md.decode().decode("utf-8"))
+
+        if not self._dry_run:
+            logging.info(
+                f"updating {self.short_description}: {self._workbook_file_name}"
+            )
+            gitlab_cli.update_file(
+                branch_name=self.branch,
+                file_path=self._workbook_file_name,
+                commit_message=f"update {self.short_description}",
+                content=workbook_md,
+            )
+        else:
+            logging.info(
+                f"dry-run: not updating {self.short_description}: {self._workbook_file_name}"
+            )
+            logging.info(workbook_md)

tools/app_sre_tekton_access_reporter.py

@@ -0,0 +1,99 @@
+import logging
+from collections import defaultdict
+from pathlib import Path
+
+import click
+
+from reconcile import mr_client_gateway
+from reconcile.cli import (
+    config_file,
+    dry_run,
+    gitlab_project_id,
+    log_level,
+)
+from reconcile.gql_definitions.app_sre_tekton_access_revalidation.users import (
+    query as users_query,
+)
+from reconcile.typed_queries.tekton_pipeline_providers import (
+    get_tekton_pipeline_providers,
+)
+from reconcile.utils import gql
+from reconcile.utils.mr.app_sre_tekton_access_report import (
+    AppSRETektonAccessReportUser,
+    UpdateAppSRETektonAccessReport,
+)
+from reconcile.utils.runtime.environment import init_env
+
+
+@click.command()
+@config_file
+@dry_run
+@log_level
+@gitlab_project_id
+@click.option(
+    "--workbook-path",
+    help="path to AppSRE Tekton access revalidation workbook markdown file",
+    default="docs/app-sre/tekton/access-revalidation-workbook.md",
+)
+def main(
+    configfile: str,
+    dry_run: bool,
+    log_level: str,
+    gitlab_project_id: int,
+    workbook_path: str,
+) -> None:
+    """Update AppSRE Tekton access report.
+
+    This script updates the AppSRE Tekton access report (markdown file) with the latest
+    access information.
+    """
+
+    init_env(log_level=log_level, config_file=configfile)
+
+    # pipeline providers namespaces dict, containing the all the pipelines namespaces
+    # the (cluster_name, namespace_name) tuple to app_name correspondence.
+    pp_namespaces_apps = {
+        (p.namespace.cluster.name, p.namespace.name): p.namespace.app.name
+        for p in get_tekton_pipeline_providers()
+    }
+
+    report_users: dict[str, AppSRETektonAccessReportUser] = {}
+    users = users_query(query_func=gql.get_api().query).users or []
+    for u in users:
+        namespace_roles = defaultdict(set)
+        for r in u.roles or []:
+            if r.access is None:
+                continue
+
+            for a in r.access:
+                if a.namespace is None:
+                    continue
+
+                namespace_tuple = (a.namespace.cluster.name, a.namespace.name)
+                namespace_roles[namespace_tuple].add(a.role)
+
+        for namespace_tuple, roles in namespace_roles.items():
+            if pp_app := pp_namespaces_apps.get(namespace_tuple):
+                if "tekton-trigger-access" in roles or "view" in roles:
+                    if ru := report_users.get(u.org_username):
+                        ru.add_app(pp_app)
+                    else:
+                        report_users[u.org_username] = AppSRETektonAccessReportUser(
+                            name=u.name, org_username=u.org_username, apps={pp_app}
+                        )
+
+    mr = UpdateAppSRETektonAccessReport(
+        users=[u.generate_model() for u in report_users.values()],
+        workbook_path=Path(workbook_path),
+        dry_run=dry_run,
+    )
+    with mr_client_gateway.init(
+        gitlab_project_id=gitlab_project_id, sqs_or_gitlab="gitlab"
+    ) as mr_cli:
+        result = mr.submit(cli=mr_cli)
+        if result:
+            logging.info(["created_mr", result.web_url])
+
+
+if __name__ == "__main__":
+    main()  # pylint: disable=no-value-for-parameter

tools/app_sre_tekton_access_revalidation.py

@@ -0,0 +1,90 @@
+import logging
+from pathlib import Path
+
+import click
+
+from reconcile import mr_client_gateway
+from reconcile.cli import (
+    config_file,
+    dry_run,
+    gitlab_project_id,
+    log_level,
+)
+from reconcile.typed_queries.tekton_pipeline_providers import (
+    get_tekton_pipeline_providers,
+)
+from reconcile.utils.mr.labels import AUTO_MERGE
+from reconcile.utils.mr.notificator import (
+    CreateAppInterfaceNotificator,
+    Notification,
+)
+from reconcile.utils.runtime.environment import init_env
+
+EMAIL_BODY = """Hello app-interface service owner,
+
+Access to all Tekton pipelines namespaces must be revalidated regularly. This ensures
+that the access is still valid and is needed to safeguard against unauthorized access.
+
+Please review, within one week, that all your app-interface roles that grant access to
+those namespaces are assigned to the appropriate users. In order to help you identifying
+those roles and users, please take a look into the app-interface documentation:
+https://gitlab.cee.redhat.com/service/app-interface/-/blob/master/docs/app-sre/tekton/access-revalidation.md
+
+If you have questions about this, please post a question in the #sd-app-sre Slack channel.
+
+Thank you,
+
+The AppSRE team
+"""
+
+
+@click.command()
+@config_file
+@dry_run
+@log_level
+@gitlab_project_id
+@click.option(
+    "--email-dir",
+    help="app-interface dir to store new AppSRE Tekton revalidation emails",
+    default="data/app-interface/emails/app-sre-tekton",
+)
+def main(
+    configfile: str,
+    dry_run: bool,
+    log_level: str,
+    gitlab_project_id: int,
+    email_dir: str,
+) -> None:
+    """Revalidate Glitchtip access.
+
+    This script sends an email (via MR) to all app-interface service owners (apps)
+    that have a pipelines provider associated to the application. The email asks the
+    service owners to revalidate the access to the pipelines providers namespaces.
+    """
+    init_env(log_level=log_level, config_file=configfile)
+
+    apps = {p.namespace.app.path for p in get_tekton_pipeline_providers()}
+    notification = Notification(
+        notification_type="Action Required",
+        short_description="AppSRE Tekton Access Revalidation",
+        description=EMAIL_BODY,
+        services=list(apps),
+        recipients=[],
+    )
+    mr = CreateAppInterfaceNotificator(
+        notification,
+        labels=[AUTO_MERGE],
+        email_base_path=Path(email_dir),
+        dry_run=dry_run,
+    )
+
+    with mr_client_gateway.init(
+        gitlab_project_id=gitlab_project_id, sqs_or_gitlab="gitlab"
+    ) as mr_cli:
+        result = mr.submit(cli=mr_cli)
+        if result:
+            logging.info(["created_mr", result.web_url])
+
+
+if __name__ == "__main__":
+    main()  # pylint: disable=no-value-for-parameter

tools/glitchtip_access_reporter.py

@@ -77,9 +77,7 @@ def main(
 
     mr = UpdateGlitchtipAccessReport(
         users=list(users.values()),
-        glitchtip_access_revalidation_workbook=Path(
-            glitchtip_access_revalidation_workbook_path
-        ),
+        workbook_path=Path(glitchtip_access_revalidation_workbook_path),
         dry_run=dry_run,
     )
     with mr_client_gateway.init(

tools/qontract_cli.py

@@ -75,6 +75,9 @@ from reconcile.cli import (
 from reconcile.gql_definitions.advanced_upgrade_service.aus_clusters import (
     query as aus_clusters_query,
 )
+from reconcile.gql_definitions.app_sre_tekton_access_revalidation.roles import (
+    query as app_sre_tekton_access_revalidation_roles_query,
+)
 from reconcile.gql_definitions.common.app_interface_vault_settings import (
     AppInterfaceSettingsV1,
 )
@@ -96,6 +99,9 @@ from reconcile.typed_queries.clusters import get_clusters
 from reconcile.typed_queries.saas_files import get_saas_files
 from reconcile.typed_queries.slo_documents import get_slo_documents
 from reconcile.typed_queries.status_board import get_status_board
+from reconcile.typed_queries.tekton_pipeline_providers import (
+    get_tekton_pipeline_providers,
+)
 from reconcile.utils import (
     amtool,
     config,
@@ -4460,5 +4466,49 @@ You can view the source of this Markdown to extract the JSON data.
         print_output(ctx.obj["options"], results, columns)
 
 
+@get.command(help="Get all app tekton pipelines providers roles and users")
+@click.argument("app-name")
+@click.pass_context
+def tekton_roles_and_users(ctx, app_name):
+    pp_namespaces = {
+        p.namespace.path
+        for p in get_tekton_pipeline_providers()
+        if p.namespace.app.name == app_name
+    }
+
+    roles = (
+        app_sre_tekton_access_revalidation_roles_query(
+            query_func=gql.get_api().query
+        ).roles
+        or []
+    )
+    columns = ["namespace_path", "role_path", "users"]
+    results = []
+    for r in roles:
+        if r.access is None:
+            continue
+
+        seen = False  # to avoid printing a namespace more than once
+        for a in r.access:
+            if a.namespace is None:
+                continue
+            if a.namespace.path in pp_namespaces:
+                if not seen:
+                    seen = True
+
+                    if ctx.obj["options"]["output"] == "table":
+                        users = ", ".join([u.org_username for u in r.users])
+                    else:
+                        users = [u.path for u in r.users]
+
+                    results.append({
+                        "namespace_path": a.namespace.path,
+                        "role_path": r.path,
+                        "users": users,
+                    })
+
+    print_output(ctx.obj["options"], results, columns)
+
+
 if __name__ == "__main__":
     root()  # pylint: disable=no-value-for-parameter