qontract-reconcile 0.10.2.dev297__py3-none-any.whl → 0.10.2.dev299__py3-none-any.whl

{qontract_reconcile-0.10.2.dev297.dist-info → qontract_reconcile-0.10.2.dev299.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev297
+Version: 0.10.2.dev299
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev297.dist-info → qontract_reconcile-0.10.2.dev299.dist-info}/RECORD

@@ -66,7 +66,7 @@ reconcile/openshift_prometheus_rules.py,sha256=FVVx1D7KCUnNZh7NwVNbD6t4lXKRSO7ph
 reconcile/openshift_resourcequotas.py,sha256=0CSuCre3T2ON42Ku1UDhTRugfmUNBx8PILpxIQaAzJU,2882
 reconcile/openshift_resources.py,sha256=YnhDxCvsp0muxEmULiqWhoar9EzxohTrnbY-U7oS5Hc,1603
 reconcile/openshift_resources_base.py,sha256=2oOURMtVDsPDG--lPN7c8ar0FPziCm695J2lV3VnVjk,43036
-reconcile/openshift_rhcs_certs.py,sha256=RUIEetvirJ-38VV3_Zen6Chi2vPgPaEdRMNXGR1JhSM,10325
+reconcile/openshift_rhcs_certs.py,sha256=tuEz6Wzw5jrHM7fAOSS5d5pDV5SDY0uhjWrlYtCCSYk,10547
 reconcile/openshift_rolebindings.py,sha256=Mani4fSG6v55cPlAaQ1bmSBza_mFkNtMhdJFjTMGX0o,7250
 reconcile/openshift_routes.py,sha256=xnA34f32xDdkfV2MXIC1QURFJioQUsXT8AZBiY7iSP0,1298
 reconcile/openshift_saas_deploy.py,sha256=0_C9OoLGfzoAJ4M2UyCVC9HeHa5w-jP7l0_RxJMRO4k,13131
@@ -213,7 +213,7 @@ reconcile/glitchtip_project_alerts/integration.py,sha256=d3PMy-mQSbSZdIGAVaZCA2U
 reconcile/glitchtip_project_dsn/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/glitchtip_project_dsn/integration.py,sha256=3GgcqUM6hWhLpo9Yx5Xr9vrdexF-WNevVCNL9bJ0Upc,8162
 reconcile/gql_definitions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/introspection.json,sha256=Aak1w7K7K1fhgZoZNN2gQ2TV3Jwh0X2GhqfpqRLwWp4,2359202
+reconcile/gql_definitions/introspection.json,sha256=jJN4kUVnrBkb39pHZ0lwt_0ZuIyrhjyzsL17pQuGwXo,2358826
 reconcile/gql_definitions/acs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/acs/acs_instances.py,sha256=L91WW9LbhJbBSrECqShQpFtjoBOsmNIYLRpMbx1io5o,2181
 reconcile/gql_definitions/acs/acs_policies.py,sha256=Ygpfl2-VkYLSlJvHgp_dJBfb66K_Rwfdfpsa18w1v1s,4338
@@ -386,7 +386,7 @@ reconcile/gql_definitions/openshift_serviceaccount_tokens/tokens.py,sha256=Ferae
 reconcile/gql_definitions/quay_membership/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/quay_membership/quay_membership.py,sha256=MKBkrE-1YYelaAAxOdpqUwCo45kOVC8q29vXArqK_zM,3075
 reconcile/gql_definitions/rhcs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/gql_definitions/rhcs/certs.py,sha256=8ba9GZVY70ppekuxrMjE4wm6WqcMW2IFawjhWvxHrmI,4677
+reconcile/gql_definitions/rhcs/certs.py,sha256=UXTPcX6A7wJzGOgNMymlJi1KTaBDkelwexCTc0KpJU8,6792
 reconcile/gql_definitions/rhidp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/rhidp/organizations.py,sha256=dW9y3ewFu3E-DFrZAi_SEewHYR0MWYeOB52vwnVcq5E,2580
 reconcile/gql_definitions/service_dependencies/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -426,7 +426,7 @@ reconcile/gql_definitions/terraform_repo/__init__.py,sha256=47DEQpj8HBSa-_TImW-5
 reconcile/gql_definitions/terraform_repo/terraform_repo.py,sha256=9cDKdP9ziBh9J_mw2Gi6GUOP4mFxMABY_D62qSeMtJI,3881
 reconcile/gql_definitions/terraform_resources/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/terraform_resources/database_access_manager.py,sha256=yv0_YC-LmhaKD_gyGG3le1w5BtypBjlsO894-Zgdg4U,4813
-reconcile/gql_definitions/terraform_resources/terraform_resources_namespaces.py,sha256=EKqXL8Bx6NXqsVI4nfyQpKq8B_uHQl0L7QWnerBQTy0,44668
+reconcile/gql_definitions/terraform_resources/terraform_resources_namespaces.py,sha256=j1xemQQIjR4O80Ni4RbJhDOWzk9iYcGinO79jZ3kZow,44688
 reconcile/gql_definitions/terraform_tgw_attachments/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/terraform_tgw_attachments/aws_accounts.py,sha256=r6RacQX243Rrtm_6wobSLJZlObehqzkV-seyCVCqiv8,2596
 reconcile/gql_definitions/unleash_feature_toggles/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -658,7 +658,7 @@ reconcile/utils/sqs_gateway.py,sha256=XNIf3PY4UCPNufP2Ul0UJj3fKlt5larBba-VTT-41F
 reconcile/utils/state.py,sha256=vCHYIfrWLfPyIWEHSaADWlc4OqhwcOiqM3Egqvw-lfo,16372
 reconcile/utils/structs.py,sha256=LcbLEg8WxfRqM6nW7NhcWN0YeqF7SQzxOgntmLs1SgY,352
 reconcile/utils/terraform_client.py,sha256=GoLbfs4d4YItNCeV3NZnrth4sD8ziNYgY2IszruRDpg,37303
-reconcile/utils/terrascript_aws_client.py,sha256=jVzh5PmphbCAN7Pog_PFYHoHj7lmQGb6Q4FwT_c8pF8,295634
+reconcile/utils/terrascript_aws_client.py,sha256=o5-K61gEbQN48IRfdHVDfgt0sW-sYN9WYho4ZZ7j7io,295917
 reconcile/utils/three_way_diff_strategy.py,sha256=oQcHXd9LVhirJfoaOBoHUYuZVGfyL2voKr6KVI34zZE,4833
 reconcile/utils/throughput.py,sha256=iP4UWAe2LVhDo69mPPmgo9nQ7RxHD6_GS8MZe-aSiuM,344
 reconcile/utils/vault.py,sha256=6V15LByFghp-U3k0N4lum6V7qt2EAlRfcAxjy5e-FAU,15146
@@ -796,7 +796,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=uQv2QJAmUXP1g2GPIH30WTlvL9soY6m9lefpZEVDM5w,3965
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=zEDbGr18ZeHNQwW8pUsr2JRjuXIPz--WAGJxZo9sv_Y,894
-qontract_reconcile-0.10.2.dev297.dist-info/METADATA,sha256=iGF5qMFr_OjJTe4VrXqoImqpXd6uvpYs0wXPJhdp1q0,24916
-qontract_reconcile-0.10.2.dev297.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-qontract_reconcile-0.10.2.dev297.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev297.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev299.dist-info/METADATA,sha256=54Nao8mXsCO6eAMPlZPwsMC2JeDlPEBuT1Xgnk40mJk,24916
+qontract_reconcile-0.10.2.dev299.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+qontract_reconcile-0.10.2.dev299.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev299.dist-info/RECORD,,

reconcile/gql_definitions/introspection.json

@@ -47157,13 +47157,9 @@
                             "description": null,
                             "args": [],
                             "type": {
-                                "kind": "NON_NULL",
-                                "name": null,
-                                "ofType": {
-                                    "kind": "SCALAR",
-                                    "name": "String",
-                                    "ofType": null
-                                }
+                                "kind": "SCALAR",
+                                "name": "String",
+                                "ofType": null
                             },
                             "isDeprecated": false,
                             "deprecationReason": null
@@ -47173,13 +47169,9 @@
                             "description": null,
                             "args": [],
                             "type": {
-                                "kind": "NON_NULL",
-                                "name": null,
-                                "ofType": {
-                                    "kind": "SCALAR",
-                                    "name": "String",
-                                    "ofType": null
-                                }
+                                "kind": "SCALAR",
+                                "name": "String",
+                                "ofType": null
                             },
                             "isDeprecated": false,
                             "deprecationReason": null

reconcile/gql_definitions/rhcs/certs.py

@@ -61,6 +61,24 @@ query RhcsCerts {
         annotations
       }
     }
+    sharedResources {
+      openshiftResources {
+        provider
+        ... on NamespaceOpenshiftResourceRhcsCert_v1 {
+          secret_name
+          service_account_name
+          service_account_password {
+            ... on VaultSecret_v1 {
+              path
+              field
+              version
+            }
+          }
+          auto_renew_threshold_days
+          annotations
+        }
+      }
+    }
     cluster {
       name
       serverUrl
@@ -112,6 +130,32 @@ class NamespaceOpenshiftResourceRhcsCertV1(NamespaceOpenshiftResourceV1):
     annotations: Optional[Json] = Field(..., alias="annotations")
 
 
+class SharedResourcesV1_NamespaceOpenshiftResourceV1(ConfiguredBaseModel):
+    provider: str = Field(..., alias="provider")
+
+
+class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1(ConfiguredBaseModel):
+    ...
+
+
+class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1_VaultSecretV1(SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1):
+    path: str = Field(..., alias="path")
+    field: str = Field(..., alias="field")
+    version: Optional[int] = Field(..., alias="version")
+
+
+class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1(SharedResourcesV1_NamespaceOpenshiftResourceV1):
+    secret_name: str = Field(..., alias="secret_name")
+    service_account_name: str = Field(..., alias="service_account_name")
+    service_account_password: Union[SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1_VaultSecretV1, SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1] = Field(..., alias="service_account_password")
+    auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
+    annotations: Optional[Json] = Field(..., alias="annotations")
+
+
+class SharedResourcesV1(ConfiguredBaseModel):
+    openshift_resources: list[Union[SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1, SharedResourcesV1_NamespaceOpenshiftResourceV1]] = Field(..., alias="openshiftResources")
+
+
 class DisableClusterAutomationsV1(ConfiguredBaseModel):
     integrations: Optional[list[str]] = Field(..., alias="integrations")
 
@@ -132,6 +176,7 @@ class NamespaceV1(ConfiguredBaseModel):
     delete: Optional[bool] = Field(..., alias="delete")
     cluster_admin: Optional[bool] = Field(..., alias="clusterAdmin")
     openshift_resources: Optional[list[Union[NamespaceOpenshiftResourceRhcsCertV1, NamespaceOpenshiftResourceV1]]] = Field(..., alias="openshiftResources")
+    shared_resources: Optional[list[SharedResourcesV1]] = Field(..., alias="sharedResources")
     cluster: ClusterV1 = Field(..., alias="cluster")
 
 

reconcile/gql_definitions/terraform_resources/terraform_resources_namespaces.py

@@ -817,8 +817,8 @@ class NamespaceTerraformResourceS3CloudFrontPublicKeyV1(NamespaceTerraformResour
 
 class NamespaceTerraformResourceALBMutualAuthenticationV1(ConfiguredBaseModel):
     mode: str = Field(..., alias="mode")
-    ca_cert_bundle_s3_bucket_name: str = Field(..., alias="ca_cert_bundle_s3_bucket_name")
-    ca_cert_bundle_s3_bucket_key: str = Field(..., alias="ca_cert_bundle_s3_bucket_key")
+    ca_cert_bundle_s3_bucket_name: Optional[str] = Field(..., alias="ca_cert_bundle_s3_bucket_name")
+    ca_cert_bundle_s3_bucket_key: Optional[str] = Field(..., alias="ca_cert_bundle_s3_bucket_key")
 
 
 class NamespaceTerraformResourceALBTargetHealthcheckV1(ConfiguredBaseModel):

reconcile/openshift_rhcs_certs.py

@@ -2,7 +2,7 @@ import logging
 import sys
 import time
 from collections.abc import Callable, Iterable, Mapping
-from typing import Any
+from typing import Any, cast
 
 import reconcile.openshift_base as ob
 import reconcile.openshift_resources_base as orb
@@ -67,20 +67,25 @@ class OpenshiftRhcsCertExpiration(GaugeMetric):
         return "qontract_reconcile_rhcs_cert_expiration_timestamp"
 
 
+def _is_rhcs_cert(obj: Any) -> bool:
+    return getattr(obj, "provider", None) == "rhcs-cert"
+
+
 def get_namespaces_with_rhcs_certs(
-    query_func: Callable, cluster_name: Iterable[str] | None = None
+    query_func: Callable,
+    cluster_name: Iterable[str] | None = None,
 ) -> list[NamespaceV1]:
-    return [
-        ns
-        for ns in rhcs_certs_query(query_func=query_func).namespaces or []
-        if integration_is_enabled(QONTRACT_INTEGRATION, ns.cluster)
-        and not bool(ns.delete)
-        and (not cluster_name or ns.cluster.name in cluster_name)
-        and any(
-            isinstance(r, NamespaceOpenshiftResourceRhcsCertV1)
-            for r in ns.openshift_resources or []
-        )
-    ]
+    result: list[NamespaceV1] = []
+    for ns in rhcs_certs_query(query_func=query_func).namespaces or []:
+        ob.aggregate_shared_resources_typed(cast("Any", ns))  # mypy: ignore[arg-type]
+        if (
+            integration_is_enabled(QONTRACT_INTEGRATION, ns.cluster)
+            and not bool(ns.delete)
+            and (not cluster_name or ns.cluster.name in cluster_name)
+            and any(_is_rhcs_cert(r) for r in ns.openshift_resources or [])
+        ):
+            result.append(ns)
+    return result
 
 
 def construct_rhcs_cert_oc_secret(
@@ -224,17 +229,16 @@ def fetch_desired_state(
 ) -> None:
     vault = VaultClient()
     cert_provider = get_rhcs_provider_settings(query_func=query_func)
-
     for ns in namespaces:
         for cert_resource in ns.openshift_resources or []:
-            if isinstance(cert_resource, NamespaceOpenshiftResourceRhcsCertV1):
+            if _is_rhcs_cert(cert_resource):
                 ri.add_desired_resource(
                     cluster=ns.cluster.name,
                     namespace=ns.name,
                     resource=fetch_openshift_resource_for_cert_resource(
                         dry_run,
                         ns,
-                        cert_resource,
+                        cast("NamespaceOpenshiftResourceRhcsCertV1", cert_resource),
                         vault,
                         cert_provider,
                     ),

reconcile/utils/terrascript_aws_client.py

@@ -5563,22 +5563,27 @@ class TerrascriptClient:
 
         # mutual authentication section
         if mutual_authentication := resource.get("mutual_authentication"):
-            trust_store_values = {
-                "ca_certificates_bundle_s3_bucket": mutual_authentication[
-                    "ca_cert_bundle_s3_bucket_name"
-                ],
-                "ca_certificates_bundle_s3_key": mutual_authentication[
-                    "ca_cert_bundle_s3_bucket_key"
-                ],
-            }
-            trust_store = aws_lb_trust_store(
-                f"{identifier}-trust-store", **trust_store_values
-            )
-            tf_resources.append(trust_store)
-            values["mutual_authentication"] = {
-                "mode": mutual_authentication["mode"],
-                "trust_store_arn": f"${{{trust_store.arn}}}",
-            }
+            if mutual_authentication["mode"] in {"off", "passthrough"}:
+                values["mutual_authentication"] = {
+                    "mode": mutual_authentication["mode"],
+                }
+            else:
+                trust_store_values = {
+                    "ca_certificates_bundle_s3_bucket": mutual_authentication[
+                        "ca_cert_bundle_s3_bucket_name"
+                    ],
+                    "ca_certificates_bundle_s3_key": mutual_authentication[
+                        "ca_cert_bundle_s3_bucket_key"
+                    ],
+                }
+                trust_store = aws_lb_trust_store(
+                    f"{identifier}-trust-store", **trust_store_values
+                )
+                tf_resources.append(trust_store)
+                values["mutual_authentication"] = {
+                    "mode": mutual_authentication["mode"],
+                    "trust_store_arn": f"${{{trust_store.arn}}}",
+                }
 
         forward_identifier = f"{identifier}-forward"
         forward_lbl_tf_resource = aws_lb_listener(forward_identifier, **values)