qontract-reconcile 0.10.2.dev361__py3-none-any.whl → 0.10.2.dev474__py3-none-any.whl

reconcile/change_owners/change_log_tracking.py

@@ -155,7 +155,8 @@ class ChangeLogIntegration(QontractReconcileIntegration[ChangeLogIntegrationPara
             changes = aggregate_resource_changes(
                 bundle_changes=aggregate_file_moves(parse_bundle_changes(diff)),
                 content_store={
-                    c.path: c.dict(by_alias=True) for c in namespaces + jenkins_configs
+                    c.path: c.model_dump(by_alias=True)
+                    for c in namespaces + jenkins_configs
                 },
                 supported_schemas={
                     "/openshift/namespace-1.yml",
@@ -239,4 +240,4 @@ class ChangeLogIntegration(QontractReconcileIntegration[ChangeLogIntegrationPara
             change_log.items, key=lambda i: i.merged_at, reverse=True
         )
         if not dry_run:
-            integration_state.add(BUNDLE_DIFFS_OBJ, change_log.dict(), force=True)
+            integration_state.add(BUNDLE_DIFFS_OBJ, change_log.model_dump(), force=True)

reconcile/change_owners/change_owners.py

@@ -23,6 +23,7 @@ from reconcile.change_owners.changes import (
 )
 from reconcile.change_owners.decision import (
     ChangeDecision,
+    ChangeResponsibles,
     DecisionCommand,
     apply_decisions_to_changes,
     get_approver_decisions_from_mr_comments,
@@ -115,6 +116,77 @@ def manage_conditional_label(
     return set(new_labels)
 
 
+def build_status_message(
+    self_serviceable: bool,
+    authoritative: bool,
+    change_admitted: bool,
+    approver_reachability: set[str],
+    supported_commands: list[str],
+) -> str:
+    """
+    Build a user-friendly status message based on the MR state.
+    """
+    approver_section = _build_approver_contact_section(approver_reachability)
+
+    # Check if changes are not admitted (security gate - takes priority)
+    if not change_admitted:
+        return f"""## ⏸️ Approval Required
+Your changes need `/ok-to-test` approval from a listed approver before review can begin.
+
+{approver_section}"""
+
+    commands_text = (
+        f"**Available commands:** {' '.join(f'`{cmd}`' for cmd in supported_commands)}"
+    )
+
+    code_warning = ""
+    if not authoritative:
+        code_warning = "⚠️ **Code changes outside of data and resources detected** - please review carefully\n\n"
+
+    if self_serviceable:
+        return f"""## ✅ Ready for Review
+Get `/lgtm` approval from the listed approvers below.
+
+{code_warning}{approver_section}
+
+{commands_text}"""
+
+    return f"""## 🔍 AppSRE Review Required
+**What happens next:**
+* AppSRE will review via their [review queue](https://gitlab.cee.redhat.com/service/app-interface-output/-/blob/master/app-interface-review-queue.md)
+* Please don't ping directly unless this is **urgent**
+* See [etiquette guide](https://gitlab.cee.redhat.com/service/app-interface#app-interface-etiquette) for more info
+
+{code_warning}{approver_section}
+
+{commands_text}"""
+
+
+def _build_approver_contact_section(approver_reachability: set[str]) -> str:
+    """Build the approver contact information section."""
+    if not approver_reachability:
+        return ""
+
+    return "**Reach out to approvers:**\n" + "\n".join([
+        f"* {ar}" for ar in approver_reachability
+    ])
+
+
+def _format_change_responsible(cr: ChangeResponsibles) -> str:
+    """
+    Format a ChangeResponsibles object.
+    """
+    usernames = [
+        f"@{a.org_username}"
+        if (a.tag_on_merge_requests or len(cr.approvers) == 1)
+        else a.org_username
+        for a in cr.approvers
+    ]
+
+    usernames_text = " ".join(usernames)
+    return f"<details><summary>{cr.context}</summary>{usernames_text}</details>"
+
+
 def write_coverage_report_to_mr(
     self_serviceable: bool,
     change_decisions: list[ChangeDecision],
@@ -135,14 +207,11 @@ def write_coverage_report_to_mr(
         startswith=change_coverage_report_header,
     )
 
-    # add new report comment
+    # Build change coverage table
     results = []
     approver_reachability = set()
     for d in change_decisions:
-        approvers = [
-            f"{cr.context} - {' '.join([f'@{a.org_username}' if a.tag_on_merge_requests else a.org_username for a in cr.approvers])}"
-            for cr in d.change_responsibles
-        ]
+        approvers = [_format_change_responsible(cr) for cr in d.change_responsibles]
         if d.coverable_by_fragment_decisions:
             approvers.append(
                 "automatically approved if all sub-properties are approved"
@@ -164,41 +233,33 @@ def write_coverage_report_to_mr(
             item["status"] = "hold"
         elif d.is_approved():
             item["status"] = "approved"
-        item["approvers"] = approvers
+        item["approvers"] = "".join(approvers)
         results.append(item)
+
     coverage_report = format_table(
         results, ["file", "change", "status", "approvers"], table_format="github"
     )
 
-    self_serviceability_hint = "All changes require an `/lgtm` from a listed approver "
-    if not self_serviceable:
-        self_serviceability_hint += (
-            "but <b>not all changes are self-serviceable and require AppSRE approval</b>."
-            "The AppSRE Interrupt Catcher (IC) will review your Merge Request (MR) as it comes up in their "
-            "<a href='https://gitlab.cee.redhat.com/service/app-interface-output/-/blob/master/app-interface-review-queue.md'>queue</a>, "
-            "please do not ping them directly unless this is <b>urgent</b>."
-            "\nPlease see https://gitlab.cee.redhat.com/service/app-interface#app-interface-etiquette for more information. Thank you :)"
-        )
-    if not authoritative:
-        self_serviceability_hint += "\n\nchanges outside of data and resources detected - <b>PAY EXTRA ATTENTION WHILE REVIEWING</b>\n\n"
-
-    if not change_admitted:
-        self_serviceability_hint += "\n\nchanges are not admitted. Please request `/good-to-test` from one of the approvers.\n\n"
-
-    approver_reachability_hint = "Reach out to approvers for reviews"
-    if approver_reachability:
-        approver_reachability_hint += " on\n" + "\n".join([
-            f"* {ar}" for ar in approver_reachability or []
-        ])
-    gl.add_comment_to_merge_request(
-        merge_request,
-        f"{change_coverage_report_header}<br/>"
-        f"{self_serviceability_hint}\n"
-        f"{coverage_report}\n\n"
-        f"{approver_reachability_hint}\n\n"
-        + f"Supported commands: {' '.join([f'`{d.value}`' for d in DecisionCommand])} ",
+    # Build user-friendly status message
+    supported_commands = [d.value for d in DecisionCommand]
+    status_message = build_status_message(
+        self_serviceable=self_serviceable,
+        authoritative=authoritative,
+        change_admitted=change_admitted,
+        approver_reachability=approver_reachability,
+        supported_commands=supported_commands,
     )
 
+    # Create the full comment
+    full_comment = f"""{change_coverage_report_header}
+
+{status_message}
+
+## 📋 Change Summary
+{coverage_report}"""
+
+    gl.add_comment_to_merge_request(merge_request, full_comment)
+
 
 def write_coverage_report_to_stdout(change_decisions: list[ChangeDecision]) -> None:
     results = []
@@ -261,22 +322,22 @@ def init_gitlab(gitlab_project_id: str) -> GitLabApi:
 
 
 def is_coverage_admitted(
-    coverage: ChangeTypeContext, mr_author: str, good_to_test_approvers: set[str]
+    coverage: ChangeTypeContext, mr_author: str, ok_to_test_approvers: set[str]
 ) -> bool:
     return any(
-        a.org_username == mr_author or a.org_username in good_to_test_approvers
+        a.org_username == mr_author or a.org_username in ok_to_test_approvers
         for a in coverage.approvers
     )
 
 
 def is_change_admitted(
-    changes: list[BundleFileChange], mr_author: str, good_to_test_approvers: set[str]
+    changes: list[BundleFileChange], mr_author: str, ok_to_test_approvers: set[str]
 ) -> bool:
     # Checks if mr authors are allowed to do the changes in the merge request.
     # If a change type is restrictive and the author is not an approver,
     # this is not admitted.
     # A change might be admitted if a user that has the restrictive change
-    # type is an approver or an approver adds an /good-to-test comment.
+    # type is an approver or an approver adds an /ok-to-test comment.
 
     restrictive_coverages = [
         c
@@ -290,7 +351,7 @@ def is_change_admitted(
     change_types_approved = {
         c.origin
         for c in restrictive_coverages
-        if is_coverage_admitted(c, mr_author, good_to_test_approvers)
+        if is_coverage_admitted(c, mr_author, ok_to_test_approvers)
     }
     return change_types_to_approve == change_types_approved
 
@@ -381,17 +442,22 @@ def run(
             merge_request = gl.get_merge_request(gitlab_merge_request_id)
 
             comments = gl.get_merge_request_comments(merge_request)
-            good_to_test_approvers = {
-                c.username for c in comments if c.body.strip() == "/good-to-test"
+            ok_to_test_approvers = {
+                c.username for c in comments if c.body.strip() == "/ok-to-test"
             }
 
             change_admitted = is_change_admitted(
                 changes,
                 gl.get_merge_request_author_username(merge_request),
-                good_to_test_approvers,
+                ok_to_test_approvers,
             )
             approver_decisions = get_approver_decisions_from_mr_comments(
-                gl.get_merge_request_comments(merge_request, include_description=True)
+                gl.get_merge_request_comments(
+                    merge_request,
+                    include_description=True,
+                    include_approvals=True,
+                    approval_body=DecisionCommand.APPROVED.value,
+                )
             )
             change_decisions = apply_decisions_to_changes(
                 changes,

reconcile/change_owners/decision.py

@@ -20,7 +20,7 @@ class DecisionCommand(Enum):
     CANCEL_APPROVED = "/lgtm cancel"
     HOLD = "/hold"
     CANCEL_HOLD = "/hold cancel"
-    GOOD_TO_TEST = "/good-to-test"
+    OK_TO_TEST = "/ok-to-test"
 
 
 @dataclass

reconcile/change_owners/diff.py

@@ -251,8 +251,6 @@ def deepdiff_path_to_jsonpath(deep_diff_path: str) -> jsonpath_ng.JSONPath:
             case int():
                 return jsonpath_ng.Index(element)
             case str():
-                if "." in element:
-                    return jsonpath_ng.Fields(f"'{element}'")
                 return jsonpath_ng.Fields(element)
 
     path_parts = [build_jsonpath_part(p) for p in parse_path(deep_diff_path)]

reconcile/checkpoint.py

@@ -26,6 +26,7 @@ from jira import Issue
 
 from reconcile.utils.constants import PROJ_ROOT
 from reconcile.utils.jira_client import JiraClient
+from reconcile.utils.secret_reader import SecretReaderBase
 
 DEFAULT_CHECKPOINT_LABELS = ("sre-checkpoint",)
 
@@ -118,8 +119,8 @@ def file_ticket(
 def report_invalid_metadata(
     app: Mapping[str, Any],
     path: str,
-    board: Mapping[str, str | Mapping],
-    settings: Mapping[str, Any],
+    board: Mapping[str, Any],
+    secret_reader: SecretReaderBase,
     parent: str,
     dry_run: bool = False,
 ) -> None:
@@ -150,7 +151,14 @@ def report_invalid_metadata(
             path=path,
         )
     else:
-        jira = JiraClient(board, settings)
+        jira = JiraClient.create(
+            project_name=board["name"],
+            token=secret_reader.read_secret(board["server"]["token"]),
+            email=secret_reader.read_secret(board["server"]["email"])
+            if board["server"]["email"]
+            else None,
+            server_url=board["server"]["server_url"],
+        )
         do_cut = partial(
             file_ticket,  # type: ignore
             jira=jira,

reconcile/cli.py

@@ -50,10 +50,10 @@ from reconcile.utils.unleash import get_feature_toggle_state
 TERRAFORM_VERSION = ["1.6.6"]
 TERRAFORM_VERSION_REGEX = r"^Terraform\sv([\d]+\.[\d]+\.[\d]+)$"
 
-OC_VERSIONS = ["4.16.2", "4.12.46", "4.10.15"]
-OC_VERSION_REGEX = r"^Client\sVersion:\s([\d]+\.[\d]+\.[\d]+)$"
+OC_VERSIONS = ["4.19.0", "4.16.2"]
+OC_VERSION_REGEX = r"^Client\sVersion:\s([\d]+\.[\d]+\.[\d]+)"
 
-HELM_VERSIONS = ["3.11.1"]
+HELM_VERSIONS = ["3.19.2"]
 HELM_VERSION_REGEX = r"^version.BuildInfo{Version:\"v([\d]+\.[\d]+\.[\d]+)\".*$"
 
 
@@ -1028,7 +1028,7 @@ def aws_account_manager(
     "--state-tmpl-resource",
     help="Resource name of the state template-collection template in the app-interface.",
     required=True,
-    default="/terraform-init/terraform-state.yml",
+    default="/terraform-init/terraform-state.yml.j2",
 )
 @click.option(
     "--template-collection-root-path",
@@ -1036,12 +1036,26 @@ def aws_account_manager(
     required=True,
     default="data/templating/collections/terraform-init",
 )
+@click.option(
+    "--cloudformation-template-resource",
+    help="Resource name of the CloudFormation template to create the S3 bucket",
+    required=True,
+    default="/terraform-init/terraform-state-s3-bucket.yaml",
+)
+@click.option(
+    "--cloudformation-import-template-resource",
+    help="Resource name of the CloudFormation template to import existing S3 bucket",
+    required=True,
+    default="/terraform-init/terraform-state-s3-bucket-import.yaml",
+)
 @click.pass_context
 def terraform_init(
     ctx: click.Context,
     account_name: str | None,
     state_tmpl_resource: str,
     template_collection_root_path: str,
+    cloudformation_template_resource: str,
+    cloudformation_import_template_resource: str,
 ) -> None:
     from reconcile.terraform_init.integration import (
         TerraformInitIntegration,
@@ -1054,6 +1068,8 @@ def terraform_init(
                 account_name=account_name,
                 state_tmpl_resource=state_tmpl_resource,
                 template_collection_root_path=template_collection_root_path,
+                cloudformation_template_resource=cloudformation_template_resource,
+                cloudformation_import_template_resource=cloudformation_import_template_resource,
             )
         ),
         ctx=ctx,
@@ -1135,9 +1151,17 @@ def jenkins_webhooks_cleaner(ctx: click.Context) -> None:
     "--jira-board-name", help="The Jira board to act on.", default=None, multiple=True
 )
 @click.option("--board-check-interval", help="Check interval in minutes", default=120)
+@click.option(
+    "--use-cache/--no-use-cache",
+    default=True,
+    help="Use cached results for validation.",
+)
 @click.pass_context
 def jira_permissions_validator(
-    ctx: click.Context, jira_board_name: Iterable[str] | None, board_check_interval: int
+    ctx: click.Context,
+    jira_board_name: Iterable[str] | None,
+    board_check_interval: int,
+    use_cache: bool,
 ) -> None:
     import reconcile.jira_permissions_validator
 
@@ -1146,6 +1170,7 @@ def jira_permissions_validator(
         ctx,
         jira_board_name=jira_board_name,
         board_check_interval_sec=board_check_interval * 60,
+        use_cache=use_cache,
     )
 
 
@@ -1270,14 +1295,14 @@ def aws_ami_cleanup(ctx: click.Context, thread_pool_size: int) -> None:
     run_integration(reconcile.aws_ami_cleanup.integration, ctx, thread_pool_size)
 
 
-@integration.command(short_help="Set up retention period for Cloudwatch logs.")
-@threaded()
+@integration.command(short_help="Set up retention period and tags for Cloudwatch logs.")
 @click.pass_context
-def aws_cloudwatch_log_retention(ctx: click.Context, thread_pool_size: int) -> None:
+def aws_cloudwatch_log_retention(ctx: click.Context) -> None:
     import reconcile.aws_cloudwatch_log_retention.integration
 
     run_integration(
-        reconcile.aws_cloudwatch_log_retention.integration, ctx, thread_pool_size
+        reconcile.aws_cloudwatch_log_retention.integration,
+        ctx,
     )
 
 
@@ -2830,6 +2855,36 @@ def ocm_addons_upgrade_scheduler_org(
     default=bool(os.environ.get("IGNORE_STS_CLUSTERS")),
     help="Ignore STS clusters",
 )
+@click.option(
+    "--job-controller-cluster",
+    help="The cluster holding the job-controller namepsace",
+    required=False,
+    envvar="JOB_CONTROLLER_CLUSTER",
+)
+@click.option(
+    "--job-controller-namespace",
+    help="The namespace used for ROSA jobs",
+    required=False,
+    envvar="JOB_CONTROLLER_NAMESPACE",
+)
+@click.option(
+    "--rosa-job-service-account",
+    help="The service-account used for ROSA jobs",
+    required=False,
+    envvar="ROSA_JOB_SERVICE_ACCOUNT",
+)
+@click.option(
+    "--rosa-job-image",
+    help="The container image to use to run ROSA cli command jobs",
+    required=False,
+    envvar="ROSA_JOB_IMAGE",
+)
+@click.option(
+    "--rosa-role",
+    help="The role to assume in the ROSA cluster account",
+    required=False,
+    envvar="ROSA_ROLE",
+)
 @click.pass_context
 def advanced_upgrade_scheduler(
     ctx: click.Context,
@@ -2837,9 +2892,21 @@ def advanced_upgrade_scheduler(
     org_id: Iterable[str],
     exclude_org_id: Iterable[str],
     ignore_sts_clusters: bool,
+    job_controller_cluster: str | None,
+    job_controller_namespace: str | None,
+    rosa_job_service_account: str | None,
+    rosa_role: str | None,
+    rosa_job_image: str | None,
 ) -> None:
-    from reconcile.aus.advanced_upgrade_service import AdvancedUpgradeServiceIntegration
-    from reconcile.aus.base import AdvancedUpgradeSchedulerBaseIntegrationParams
+    from reconcile.aus.advanced_upgrade_service import (
+        QONTRACT_INTEGRATION,
+        QONTRACT_INTEGRATION_VERSION,
+        AdvancedUpgradeServiceIntegration,
+    )
+    from reconcile.aus.base import (
+        AdvancedUpgradeSchedulerBaseIntegrationParams,
+        RosaRoleUpgradeHandlerParams,
+    )
 
     run_class_integration(
         integration=AdvancedUpgradeServiceIntegration(
@@ -2848,6 +2915,22 @@ def advanced_upgrade_scheduler(
                 ocm_organization_ids=set(org_id),
                 excluded_ocm_organization_ids=set(exclude_org_id),
                 ignore_sts_clusters=ignore_sts_clusters,
+                rosa_role_upgrade_handler_params=RosaRoleUpgradeHandlerParams(
+                    job_controller_cluster=job_controller_cluster,
+                    job_controller_namespace=job_controller_namespace,
+                    rosa_job_service_account=rosa_job_service_account,
+                    rosa_role=rosa_role,
+                    rosa_job_image=rosa_job_image,
+                    integration_name=QONTRACT_INTEGRATION,
+                    integration_version=QONTRACT_INTEGRATION_VERSION,
+                )
+                if all([
+                    job_controller_cluster,
+                    job_controller_namespace,
+                    rosa_job_service_account,
+                    rosa_role,
+                ])
+                else None,
             )
         ),
         ctx=ctx,

reconcile/dashdotdb_dora.py

@@ -4,7 +4,6 @@ from collections import defaultdict
 from collections.abc import Iterable, Mapping
 from dataclasses import dataclass
 from datetime import (
-    UTC,
     datetime,
     timedelta,
 )
@@ -31,6 +30,7 @@ from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
 from reconcile.typed_queries.saas_files import get_saas_files
+from reconcile.utils.datetime_util import ensure_utc, utc_now
 from reconcile.utils.github_api import GithubRepositoryApi
 from reconcile.utils.gitlab_api import GitLabApi
 from reconcile.utils.secret_reader import create_secret_reader
@@ -159,15 +159,8 @@ class Commit:
     date: datetime
 
     def lttc(self, finish_timestamp: datetime) -> int:
-        commit_date_tzaware = self.date
-        finish_timestamp_tzaware = finish_timestamp
-
-        if commit_date_tzaware.tzinfo is None:
-            commit_date_tzaware = commit_date_tzaware.replace(tzinfo=UTC)
-
-        if finish_timestamp_tzaware.tzinfo is None:
-            finish_timestamp_tzaware = finish_timestamp_tzaware.replace(tzinfo=UTC)
-
+        commit_date_tzaware = ensure_utc(self.date)
+        finish_timestamp_tzaware = ensure_utc(finish_timestamp)
         return int((finish_timestamp_tzaware - commit_date_tzaware).total_seconds())
 
 
@@ -277,7 +270,7 @@ class DashdotdbDORA(DashdotdbBase):
         # from the DB for a unique (app_name, env_name) multiple times.
         app_envs = {s.app_env for s in saastargets}
 
-        since_default = datetime.now() - timedelta(days=90)
+        since_default = utc_now() - timedelta(days=90)
         app_env_since_list: list[tuple[AppEnv, datetime]] = threaded.run(
             func=functools.partial(self.get_latest_with_default, since_default),
             iterable=app_envs,
@@ -473,7 +466,7 @@ class DashdotdbDORA(DashdotdbBase):
         ]
 
     def _github_compare_commits(self, rc: RepoChanges, repo: str) -> list[Commit]:
-        if not rc.repo_url:
+        if not rc.repo_url or not rc.ref_from or not rc.ref_to:
             return []
 
         return [

reconcile/dashdotdb_slo.py

@@ -119,4 +119,4 @@ def run(
 
 
 def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:
-    return {doc.name: doc.dict() for doc in get_slo_documents()}
+    return {doc.name: doc.model_dump() for doc in get_slo_documents()}