qontract-reconcile 0.10.2.dev297__py3-none-any.whl → 0.10.2.dev298__py3-none-any.whl

{qontract_reconcile-0.10.2.dev297.dist-info → qontract_reconcile-0.10.2.dev298.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev297
+Version: 0.10.2.dev298
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev297.dist-info → qontract_reconcile-0.10.2.dev298.dist-info}/RECORD

@@ -66,7 +66,7 @@ reconcile/openshift_prometheus_rules.py,sha256=FVVx1D7KCUnNZh7NwVNbD6t4lXKRSO7ph
 reconcile/openshift_resourcequotas.py,sha256=0CSuCre3T2ON42Ku1UDhTRugfmUNBx8PILpxIQaAzJU,2882
 reconcile/openshift_resources.py,sha256=YnhDxCvsp0muxEmULiqWhoar9EzxohTrnbY-U7oS5Hc,1603
 reconcile/openshift_resources_base.py,sha256=2oOURMtVDsPDG--lPN7c8ar0FPziCm695J2lV3VnVjk,43036
-reconcile/openshift_rhcs_certs.py,sha256=RUIEetvirJ-38VV3_Zen6Chi2vPgPaEdRMNXGR1JhSM,10325
+reconcile/openshift_rhcs_certs.py,sha256=tuEz6Wzw5jrHM7fAOSS5d5pDV5SDY0uhjWrlYtCCSYk,10547
 reconcile/openshift_rolebindings.py,sha256=Mani4fSG6v55cPlAaQ1bmSBza_mFkNtMhdJFjTMGX0o,7250
 reconcile/openshift_routes.py,sha256=xnA34f32xDdkfV2MXIC1QURFJioQUsXT8AZBiY7iSP0,1298
 reconcile/openshift_saas_deploy.py,sha256=0_C9OoLGfzoAJ4M2UyCVC9HeHa5w-jP7l0_RxJMRO4k,13131
@@ -386,7 +386,7 @@ reconcile/gql_definitions/openshift_serviceaccount_tokens/tokens.py,sha256=Ferae
 reconcile/gql_definitions/quay_membership/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/quay_membership/quay_membership.py,sha256=MKBkrE-1YYelaAAxOdpqUwCo45kOVC8q29vXArqK_zM,3075
 reconcile/gql_definitions/rhcs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/rhcs/certs.py,sha256=8ba9GZVY70ppekuxrMjE4wm6WqcMW2IFawjhWvxHrmI,4677
+reconcile/gql_definitions/rhcs/certs.py,sha256=UXTPcX6A7wJzGOgNMymlJi1KTaBDkelwexCTc0KpJU8,6792
 reconcile/gql_definitions/rhidp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/rhidp/organizations.py,sha256=dW9y3ewFu3E-DFrZAi_SEewHYR0MWYeOB52vwnVcq5E,2580
 reconcile/gql_definitions/service_dependencies/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -796,7 +796,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=uQv2QJAmUXP1g2GPIH30WTlvL9soY6m9lefpZEVDM5w,3965
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev297.dist-info/METADATA,sha256=iGF5qMFr_OjJTe4VrXqoImqpXd6uvpYs0wXPJhdp1q0,24916
-qontract_reconcile-0.10.2.dev297.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev297.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev297.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev298.dist-info/METADATA,sha256=gruuhkwrqSh_2pDHyY0JBlIRMju96xZrOUm2bP1qoVA,24916
+qontract_reconcile-0.10.2.dev298.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev298.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev298.dist-info/RECORD,,

reconcile/gql_definitions/rhcs/certs.py

@@ -61,6 +61,24 @@ query RhcsCerts {
         annotations
       }
     }
+    sharedResources {
+      openshiftResources {
+        provider
+        ... on NamespaceOpenshiftResourceRhcsCert_v1 {
+          secret_name
+          service_account_name
+          service_account_password {
+            ... on VaultSecret_v1 {
+              path
+              field
+              version
+            }
+          }
+          auto_renew_threshold_days
+          annotations
+        }
+      }
+    }
     cluster {
       name
       serverUrl
@@ -112,6 +130,32 @@ class NamespaceOpenshiftResourceRhcsCertV1(NamespaceOpenshiftResourceV1):
     annotations: Optional[Json] = Field(..., alias="annotations")
 
 
+class SharedResourcesV1_NamespaceOpenshiftResourceV1(ConfiguredBaseModel):
+    provider: str = Field(..., alias="provider")
+
+
+class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1(ConfiguredBaseModel):
+    ...
+
+
+class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1_VaultSecretV1(SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1):
+    path: str = Field(..., alias="path")
+    field: str = Field(..., alias="field")
+    version: Optional[int] = Field(..., alias="version")
+
+
+class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1(SharedResourcesV1_NamespaceOpenshiftResourceV1):
+    secret_name: str = Field(..., alias="secret_name")
+    service_account_name: str = Field(..., alias="service_account_name")
+    service_account_password: Union[SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1_VaultSecretV1, SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1] = Field(..., alias="service_account_password")
+    auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
+    annotations: Optional[Json] = Field(..., alias="annotations")
+
+
+class SharedResourcesV1(ConfiguredBaseModel):
+    openshift_resources: list[Union[SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1, SharedResourcesV1_NamespaceOpenshiftResourceV1]] = Field(..., alias="openshiftResources")
+
+
 class DisableClusterAutomationsV1(ConfiguredBaseModel):
     integrations: Optional[list[str]] = Field(..., alias="integrations")
 
@@ -132,6 +176,7 @@ class NamespaceV1(ConfiguredBaseModel):
     delete: Optional[bool] = Field(..., alias="delete")
     cluster_admin: Optional[bool] = Field(..., alias="clusterAdmin")
     openshift_resources: Optional[list[Union[NamespaceOpenshiftResourceRhcsCertV1, NamespaceOpenshiftResourceV1]]] = Field(..., alias="openshiftResources")
+    shared_resources: Optional[list[SharedResourcesV1]] = Field(..., alias="sharedResources")
     cluster: ClusterV1 = Field(..., alias="cluster")
 
 

reconcile/openshift_rhcs_certs.py

@@ -2,7 +2,7 @@ import logging
 import sys
 import time
 from collections.abc import Callable, Iterable, Mapping
-from typing import Any
+from typing import Any, cast
 
 import reconcile.openshift_base as ob
 import reconcile.openshift_resources_base as orb
@@ -67,20 +67,25 @@ class OpenshiftRhcsCertExpiration(GaugeMetric):
         return "qontract_reconcile_rhcs_cert_expiration_timestamp"
 
 
+def _is_rhcs_cert(obj: Any) -> bool:
+    return getattr(obj, "provider", None) == "rhcs-cert"
+
+
 def get_namespaces_with_rhcs_certs(
-    query_func: Callable, cluster_name: Iterable[str] | None = None
+    query_func: Callable,
+    cluster_name: Iterable[str] | None = None,
 ) -> list[NamespaceV1]:
-    return [
-        ns
-        for ns in rhcs_certs_query(query_func=query_func).namespaces or []
-        if integration_is_enabled(QONTRACT_INTEGRATION, ns.cluster)
-        and not bool(ns.delete)
-        and (not cluster_name or ns.cluster.name in cluster_name)
-        and any(
-            isinstance(r, NamespaceOpenshiftResourceRhcsCertV1)
-            for r in ns.openshift_resources or []
-        )
-    ]
+    result: list[NamespaceV1] = []
+    for ns in rhcs_certs_query(query_func=query_func).namespaces or []:
+        ob.aggregate_shared_resources_typed(cast("Any", ns))  # mypy: ignore[arg-type]
+        if (
+            integration_is_enabled(QONTRACT_INTEGRATION, ns.cluster)
+            and not bool(ns.delete)
+            and (not cluster_name or ns.cluster.name in cluster_name)
+            and any(_is_rhcs_cert(r) for r in ns.openshift_resources or [])
+        ):
+            result.append(ns)
+    return result
 
 
 def construct_rhcs_cert_oc_secret(
@@ -224,17 +229,16 @@ def fetch_desired_state(
 ) -> None:
     vault = VaultClient()
     cert_provider = get_rhcs_provider_settings(query_func=query_func)
-
     for ns in namespaces:
         for cert_resource in ns.openshift_resources or []:
-            if isinstance(cert_resource, NamespaceOpenshiftResourceRhcsCertV1):
+            if _is_rhcs_cert(cert_resource):
                 ri.add_desired_resource(
                     cluster=ns.cluster.name,
                     namespace=ns.name,
                     resource=fetch_openshift_resource_for_cert_resource(
                         dry_run,
                         ns,
-                        cert_resource,
+                        cast("NamespaceOpenshiftResourceRhcsCertV1", cert_resource),
                         vault,
                         cert_provider,
                     ),