qontract-reconcile 0.10.2.dev394__py3-none-any.whl → 0.10.2.dev427__py3-none-any.whl

reconcile/openshift_namespaces.py

@@ -1,25 +1,27 @@
 import logging
-import sys
+from collections import defaultdict
 from collections.abc import (
     Callable,
     Iterable,
-    Mapping,
     Sequence,
 )
+from dataclasses import dataclass
+from enum import StrEnum
 from typing import Any
 
 from sretoolbox.utils import threaded
 
 import reconcile.openshift_base as ob
 from reconcile.gql_definitions.common.namespaces_minimal import NamespaceV1
-from reconcile.status import ExitCodes
 from reconcile.typed_queries.app_interface_vault_settings import (
     get_app_interface_vault_settings,
 )
 from reconcile.typed_queries.namespaces_minimal import get_namespaces_minimal
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
 from reconcile.utils.defer import defer
-from reconcile.utils.oc_filters import filter_namespaces_by_cluster_and_namespace
+from reconcile.utils.oc_filters import (
+    filter_namespaces_by_cluster_and_namespace,
+)
 from reconcile.utils.oc_map import (
     OCLogMsg,
     OCMap,
@@ -30,113 +32,112 @@ from reconcile.utils.sharding import is_in_shard
 
 QONTRACT_INTEGRATION = "openshift-namespaces"
 
-NS_STATE_PRESENT = "present"
-NS_STATE_ABSENT = "absent"
-
-NS_ACTION_CREATE = "create"
-NS_ACTION_DELETE = "delete"
 
+class Action(StrEnum):
+    CREATE = "create"
+    DELETE = "delete"
 
-DUPLICATES_LOG_MSG = "Found multiple definitions for the namespace {key}"
 
+@dataclass(frozen=True)
+class DesiredState:
+    cluster: str
+    namespace: str
+    delete: bool
 
-def get_desired_state(namespaces: Iterable[NamespaceV1]) -> list[dict[str, str]]:
-    desired_state: list[dict[str, str]] = []
-    for ns in namespaces:
-        state = NS_STATE_PRESENT
-        if ns.delete:
-            state = NS_STATE_ABSENT
 
-        desired_state.append({
-            "cluster": ns.cluster.name,
-            "namespace": ns.name,
-            "desired_state": state,
-        })
+class NamespaceDuplicateError(Exception):
+    pass
 
-    return desired_state
 
+def get_namespaces(
+    cluster_name: Sequence[str] | None,
+    namespace_name: Sequence[str] | None,
+) -> tuple[list[NamespaceV1], list[NamespaceDuplicateError]]:
+    all_namespaces = get_namespaces_minimal()
 
-def get_shard_namespaces(
-    namespaces: Iterable[NamespaceV1],
-) -> tuple[list[NamespaceV1], bool]:
-    # Structure holding duplicates by namespace key
-    duplicates: dict[str, list[NamespaceV1]] = {}
-    # namespace filtered list without duplicates
-    filtered_ns: dict[str, NamespaceV1] = {}
-
-    err = False
-    for ns in namespaces:
-        key = f"{ns.cluster.name}/{ns.name}"
+    namespaces_by_shard_key = defaultdict(list)
 
+    for namespace in all_namespaces:
+        key = f"{namespace.cluster.name}/{namespace.name}"
         if is_in_shard(key):
-            if key not in filtered_ns:
-                filtered_ns[key] = ns
-            else:
-                # Duplicated NS
-                dupe_list_by_key = duplicates.setdefault(key, [])
-                dupe_list_by_key.append(ns)
-
-    for key, dupe_list in duplicates.items():
-        dupe_list.append(filtered_ns[key])
-        delete_flags = (
-            [ns.delete for ns in dupe_list_by_key] if dupe_list_by_key else []
-        )
+            namespaces_by_shard_key[key].append(namespace)
 
-        if len(set(delete_flags)) > 1:
-            # If true only some definitions in list have the delete flag.
-            # this case will generate an error
-            err = True
-            # Remove the namespace found from the filtered list
-            del filtered_ns[key]
-            logging.error(DUPLICATES_LOG_MSG.format(key=key))
+    managed_namespaces = []
+    duplicate_errors = []
+
+    for key, namespaces in namespaces_by_shard_key.items():
+        if len(namespaces) == 1:
+            namespace = namespaces[0]
+            if not namespace.managed_by_external:
+                managed_namespaces.append(namespace)
         else:
-            # If all namespaces have the same delete option
-            # The action will be performaed
-            logging.debug(DUPLICATES_LOG_MSG.format(key=key))
+            msg = f"Found multiple definitions for the namespace {key}"
+            duplicate_errors.append(NamespaceDuplicateError(msg))
+            logging.error(msg)
+
+    namespaces = filter_namespaces_by_cluster_and_namespace(
+        namespaces=managed_namespaces,
+        cluster_names=cluster_name,
+        namespace_names=namespace_name,
+    )
+
+    return namespaces, duplicate_errors
+
 
-    return list(filtered_ns.values()), err
+def build_desired_state(
+    namespaces: Iterable[NamespaceV1],
+) -> list[DesiredState]:
+    return [
+        DesiredState(
+            cluster=namespace.cluster.name,
+            namespace=namespace.name,
+            delete=namespace.delete or False,
+        )
+        for namespace in namespaces
+    ]
 
 
-def manage_namespaces(spec: Mapping[str, str], oc_map: OCMap, dry_run: bool) -> None:
-    cluster = spec["cluster"]
-    namespace = spec["namespace"]
-    desired_state = spec["desired_state"]
+def manage_namespace(
+    desired_state: DesiredState,
+    oc_map: OCMap,
+    dry_run: bool,
+) -> None:
+    namespace = desired_state.namespace
 
-    oc = oc_map.get(cluster)
+    oc = oc_map.get(desired_state.cluster)
     if isinstance(oc, OCLogMsg):
         logging.log(level=oc.log_level, msg=oc.message)
-        return None
+        return
 
-    act = {NS_ACTION_CREATE: oc.new_project, NS_ACTION_DELETE: oc.delete_project}
+    current_delete = not oc.project_exists(namespace)
 
-    exists = oc.project_exists(namespace)
-    action = None
-    if not exists and desired_state == NS_STATE_PRESENT:
-        if namespace.startswith("openshift-"):
-            raise ValueError('cannot request a project starting with "openshift-"')
-        action = NS_ACTION_CREATE
-    elif exists and desired_state == NS_STATE_ABSENT:
-        action = NS_ACTION_DELETE
+    if desired_state.delete == current_delete:
+        return
 
-    if action:
-        logging.info([action, cluster, namespace])
-        if not dry_run:
-            act[action](namespace)
+    action = Action.DELETE if desired_state.delete else Action.CREATE
 
+    if namespace.startswith("openshift-"):
+        raise ValueError(f'cannot {action} a project starting with "openshift-"')
 
-def check_results(
-    desired_state: Iterable[Mapping[str, str]], results: Iterable[Any]
-) -> bool:
-    err = False
+    logging.info([str(action), desired_state.cluster, namespace])
+    if not dry_run:
+        match action:
+            case Action.CREATE:
+                oc.new_project(namespace)
+            case Action.DELETE:
+                oc.delete_project(namespace)
+
+
+def build_runtime_errors(
+    desired_state: Iterable[DesiredState],
+    results: Iterable[Any],
+) -> list[Exception]:
+    exceptions = []
     for s, e in zip(desired_state, results, strict=False):
         if isinstance(e, Exception):
-            err = True
-            msg = (
-                f"cluster: {s['cluster']}, namespace: {s['namespace']}, "
-                f"exception: {e!s}"
-            )
-            logging.error(msg)
-    return err
+            e.add_note(f"cluster: {s.cluster}, namespace: {s.namespace}")
+            exceptions.append(e)
+    return exceptions
 
 
 @defer
@@ -149,15 +150,8 @@ def run(
     namespace_name: Sequence[str] | None = None,
     defer: Callable | None = None,
 ) -> None:
-    all_namespaces = get_namespaces_minimal()
-    shard_namespaces, duplicates = get_shard_namespaces(all_namespaces)
-    namespaces = filter_namespaces_by_cluster_and_namespace(
-        namespaces=shard_namespaces,
-        cluster_names=cluster_name,
-        namespace_names=namespace_name,
-    )
-
-    desired_state = get_desired_state(namespaces)
+    namespaces, duplicate_errors = get_namespaces(cluster_name, namespace_name)
+    desired_state = build_desired_state(namespaces)
 
     vault_settings = get_app_interface_vault_settings()
     secret_reader = create_secret_reader(use_vault=vault_settings.vault)
@@ -171,16 +165,17 @@ def run(
         thread_pool_size=thread_pool_size,
         init_projects=True,
     )
-
     if defer:
         defer(oc_map.cleanup)
 
     ob.publish_cluster_desired_metrics_from_state(
-        desired_state, QONTRACT_INTEGRATION, "Namespace"
+        state=({"cluster": s.cluster} for s in desired_state),
+        integration=QONTRACT_INTEGRATION,
+        kind="Namespace",
     )
 
     results = threaded.run(
-        manage_namespaces,
+        manage_namespace,
         desired_state,
         thread_pool_size,
         return_exceptions=True,
@@ -188,6 +183,7 @@ def run(
         oc_map=oc_map,
     )
 
-    err = check_results(desired_state=desired_state, results=results)
-    if err or duplicates:
-        sys.exit(ExitCodes.ERROR)
+    runtime_errors = build_runtime_errors(desired_state, results)
+    errors = runtime_errors + duplicate_errors
+    if errors:
+        raise ExceptionGroup("Reconcile errors occurred", errors)

reconcile/openshift_resources_base.py

@@ -806,7 +806,11 @@ def fetch_data(
         init_api_resources=init_api_resources,
     )
     state_specs = ob.init_specs_to_fetch(
-        ri, oc_map, namespaces=namespaces, override_managed_types=overrides
+        ri,
+        oc_map,
+        namespaces=namespaces,
+        override_managed_types=overrides,
+        cluster_scope_resource_validation=True,
     )
     threaded.run(fetch_states, state_specs, thread_pool_size, ri=ri, settings=settings)
 
@@ -861,7 +865,7 @@ def canonicalize_namespaces(
             elif providers[0] == "route":
                 override = ["Route"]
             elif providers[0] == "prometheus-rule":
-                override = ["PrometheusRule"]
+                override = ["PrometheusRule.monitoring.coreos.com"]
 
             namespace_info["openshiftResources"] = ors
             canonicalized_namespaces.append(namespace_info)

reconcile/openshift_rhcs_certs.py

@@ -2,7 +2,7 @@ import logging
 import sys
 import time
 from collections.abc import Callable, Iterable, Mapping
-from typing import Any, cast
+from typing import Any
 
 import reconcile.openshift_base as ob
 import reconcile.openshift_resources_base as orb
@@ -10,8 +10,8 @@ from reconcile.gql_definitions.common.rhcs_provider_settings import (
     RhcsProviderSettingsV1,
 )
 from reconcile.gql_definitions.rhcs.certs import (
-    NamespaceOpenshiftResourceRhcsCertV1,
     NamespaceV1,
+    OpenshiftResourceRhcsCert,
 )
 from reconcile.gql_definitions.rhcs.certs import (
     query as rhcs_certs_query,
@@ -40,7 +40,6 @@ from reconcile.utils.vault import SecretNotFoundError, VaultClient
 
 QONTRACT_INTEGRATION = "openshift-rhcs-certs"
 QONTRACT_INTEGRATION_VERSION = make_semver(1, 9, 3)
-PROVIDERS = ["rhcs-cert"]
 
 
 def desired_state_shard_config() -> DesiredStateShardConfig:
@@ -67,22 +66,18 @@ class OpenshiftRhcsCertExpiration(GaugeMetric):
         return "qontract_reconcile_rhcs_cert_expiration_timestamp"
 
 
-def _is_rhcs_cert(obj: Any) -> bool:
-    return getattr(obj, "provider", None) == "rhcs-cert"
-
-
 def get_namespaces_with_rhcs_certs(
     query_func: Callable,
     cluster_name: Iterable[str] | None = None,
 ) -> list[NamespaceV1]:
     result: list[NamespaceV1] = []
     for ns in rhcs_certs_query(query_func=query_func).namespaces or []:
-        ob.aggregate_shared_resources_typed(cast("Any", ns))  # mypy: ignore[arg-type]
+        ob.aggregate_shared_resources_typed(ns)
         if (
             integration_is_enabled(QONTRACT_INTEGRATION, ns.cluster)
             and not bool(ns.delete)
             and (not cluster_name or ns.cluster.name in cluster_name)
-            and any(_is_rhcs_cert(r) for r in ns.openshift_resources or [])
+            and ns.openshift_resources
         ):
             result.append(ns)
     return result
@@ -105,7 +100,7 @@ def construct_rhcs_cert_oc_secret(
 
 def cert_expires_within_threshold(
     ns: NamespaceV1,
-    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    cert_resource: OpenshiftResourceRhcsCert,
     vault_cert_secret: Mapping[str, Any],
 ) -> bool:
     auto_renew_threshold_days = cert_resource.auto_renew_threshold_days or 7
@@ -121,7 +116,7 @@ def cert_expires_within_threshold(
 
 def get_vault_cert_secret(
     ns: NamespaceV1,
-    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    cert_resource: OpenshiftResourceRhcsCert,
     vault: VaultClient,
     vault_base_path: str,
 ) -> dict | None:
@@ -140,7 +135,7 @@ def get_vault_cert_secret(
 def generate_vault_cert_secret(
     dry_run: bool,
     ns: NamespaceV1,
-    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    cert_resource: OpenshiftResourceRhcsCert,
     vault: VaultClient,
     vault_base_path: str,
     issuer_url: str,
@@ -149,7 +144,7 @@ def generate_vault_cert_secret(
     logging.info(
         f"Creating cert with service account credentials for '{cert_resource.service_account_name}'. cluster='{ns.cluster.name}', namespace='{ns.name}', secret='{cert_resource.secret_name}'"
     )
-    sa_password = vault.read(cert_resource.service_account_password.dict())
+    sa_password = vault.read(cert_resource.service_account_password.model_dump())
     if dry_run:
         rhcs_cert = RhcsV2Cert(
             certificate="PLACEHOLDER_CERT",
@@ -171,18 +166,18 @@ def generate_vault_cert_secret(
         )
         vault.write(
             secret={
-                "data": rhcs_cert.dict(by_alias=True),
+                "data": rhcs_cert.model_dump(by_alias=True),
                 "path": f"{vault_base_path}/{ns.cluster.name}/{ns.name}/{cert_resource.secret_name}",
             },
             decode_base64=False,
         )
-    return rhcs_cert.dict(by_alias=True)
+    return rhcs_cert.model_dump(by_alias=True)
 
 
 def fetch_openshift_resource_for_cert_resource(
     dry_run: bool,
     ns: NamespaceV1,
-    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    cert_resource: OpenshiftResourceRhcsCert,
     vault: VaultClient,
     rhcs_settings: RhcsProviderSettingsV1,
 ) -> OR:
@@ -231,18 +226,13 @@ def fetch_desired_state(
     cert_provider = get_rhcs_provider_settings(query_func=query_func)
     for ns in namespaces:
         for cert_resource in ns.openshift_resources or []:
-            if _is_rhcs_cert(cert_resource):
-                ri.add_desired_resource(
-                    cluster=ns.cluster.name,
-                    namespace=ns.name,
-                    resource=fetch_openshift_resource_for_cert_resource(
-                        dry_run,
-                        ns,
-                        cast("NamespaceOpenshiftResourceRhcsCertV1", cert_resource),
-                        vault,
-                        cert_provider,
-                    ),
-                )
+            ri.add_desired_resource(
+                cluster=ns.cluster.name,
+                namespace=ns.name,
+                resource=fetch_openshift_resource_for_cert_resource(
+                    dry_run, ns, cert_resource, vault, cert_provider
+                ),
+            )
 
 
 @defer
@@ -277,7 +267,7 @@ def run(
     state_specs = ob.init_specs_to_fetch(
         ri,
         oc_map,
-        namespaces=[ns.dict(by_alias=True) for ns in namespaces],
+        namespaces=[ns.model_dump(by_alias=True) for ns in namespaces],
         override_managed_types=["Secret"],
     )
     for spec in state_specs:
@@ -295,3 +285,11 @@ def run(
     ob.publish_metrics(ri, QONTRACT_INTEGRATION)
     if ri.has_error_registered():
         sys.exit(1)
+
+
+def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:
+    if not (query_func := kwargs.get("query_func")):
+        query_func = gql.get_api().query
+
+    cluster_name = kwargs.get("cluster_name")
+    return {"namespace": get_namespaces_with_rhcs_certs(query_func, cluster_name)}

reconcile/openshift_rolebindings.py

@@ -33,14 +33,11 @@ QONTRACT_INTEGRATION = "openshift-rolebindings"
 QONTRACT_INTEGRATION_VERSION = make_semver(0, 3, 0)
 
 
-class OCResource(BaseModel):
+class OCResource(BaseModel, arbitrary_types_allowed=True):
     resource: OR
     resource_name: str
     privileged: bool
 
-    class Config:
-        arbitrary_types_allowed = True
-
 
 @dataclass
 class ServiceAccountSpec:
@@ -61,7 +58,7 @@ class ServiceAccountSpec:
         ]
 
 
-class RoleBindingSpec(BaseModel):
+class RoleBindingSpec(BaseModel, validate_by_alias=True, arbitrary_types_allowed=True):
     role_name: str
     role_kind: str
     namespace: NamespaceV1
@@ -70,9 +67,6 @@ class RoleBindingSpec(BaseModel):
     usernames: set[str]
     openshift_service_accounts: list[ServiceAccountSpec]
 
-    class Config:
-        arbitrary_types_allowed = True
-
     def get_users_desired_state(self) -> list[dict[str, str]]:
         return [
             {"cluster": self.cluster.name, "user": username}
@@ -93,7 +87,9 @@ class RoleBindingSpec(BaseModel):
         if not (access.role or access.cluster_role):
             return None
         privileged = access.namespace.cluster_admin or False
-        auth_dict = [auth.dict(by_alias=True) for auth in access.namespace.cluster.auth]
+        auth_dict = [
+            auth.model_dump(by_alias=True) for auth in access.namespace.cluster.auth
+        ]
         usernames = RoleBindingSpec.get_usernames_from_users(
             users,
             ob.determine_user_keys_for_access(
@@ -290,7 +286,7 @@ def is_valid_namespace(namespace: NamespaceV1 | CommonNamespaceV1) -> bool:
     return (
         bool(namespace.managed_roles)
         and is_in_shard(f"{namespace.cluster.name}/{namespace.name}")
-        and not ob.is_namespace_deleted(namespace.dict(by_alias=True))
+        and not ob.is_namespace_deleted(namespace.model_dump(by_alias=True))
     )
 
 
@@ -304,7 +300,7 @@ def run(
     defer: Callable | None = None,
 ) -> None:
     namespaces = [
-        namespace.dict(by_alias=True, exclude={"openshift_resources"})
+        namespace.model_dump(by_alias=True, exclude={"openshift_resources"})
         for namespace in get_namespaces()
         if is_valid_namespace(namespace)
     ]

reconcile/openshift_saas_deploy.py

@@ -150,7 +150,7 @@ def run(
                     + "when using slack notifications"
                 )
             slack = slackapi_from_slack_workspace(
-                saas_file.slack.dict(by_alias=True),
+                saas_file.slack.model_dump(by_alias=True),
                 secret_reader,
                 QONTRACT_INTEGRATION,
                 init_usergroups=False,
@@ -224,7 +224,7 @@ def run(
         default=False,
     )
     ri, oc_map = ob.fetch_current_state(
-        namespaces=[ns.dict(by_alias=True) for ns in saasherder.namespaces],
+        namespaces=[ns.model_dump(by_alias=True) for ns in saasherder.namespaces],
         thread_pool_size=thread_pool_size,
         integration=QONTRACT_INTEGRATION,
         integration_version=QONTRACT_INTEGRATION_VERSION,
@@ -319,14 +319,13 @@ def run(
         openshift_saas_deploy_trigger_upstream_jobs.QONTRACT_INTEGRATION,
         openshift_saas_deploy_trigger_images.QONTRACT_INTEGRATION,
     ]
-    scan = (
+    if (
         not dry_run
         and len(saas_files) == 1
         and trigger_integration
         and trigger_integration in allowed_integration
         and trigger_reason
-    )
-    if scan:
+    ):
         saas_file = saas_files[0]
         owners = saas_file.app.service_owners or []
         emails = " ".join([o.email for o in owners])

reconcile/openshift_saas_deploy_change_tester.py

@@ -34,7 +34,7 @@ class Definition(BaseModel):
 class State(BaseModel):
     saas_file_path: str
     saas_file_name: str
-    saas_file_deploy_resources: DeployResourcesV1 | None
+    saas_file_deploy_resources: DeployResourcesV1 | None = None
     resource_template_name: str
     cluster: str
     namespace: str
@@ -44,10 +44,10 @@ class State(BaseModel):
     parameters: dict[str, Any]
     secret_parameters: dict[str, VaultSecret]
     saas_file_definitions: Definition
-    upstream: SaasResourceTemplateTargetUpstreamV1 | None
-    disable: bool | None
-    delete: bool | None
-    target_path: str | None
+    upstream: SaasResourceTemplateTargetUpstreamV1 | None = None
+    disable: bool | None = None
+    delete: bool | None = None
+    target_path: str | None = None
 
 
 def osd_run_wrapper(
@@ -213,11 +213,13 @@ def run(
     saas_file_list = SaasFileList()
     desired_saas_file_state = collect_state(saas_file_list.saas_files)
     # compare dicts against dicts which is much faster than comparing BaseModel objects
-    comparison_saas_file_state_dicts = [s.dict() for s in comparison_saas_file_state]
+    comparison_saas_file_state_dicts = [
+        s.model_dump() for s in comparison_saas_file_state
+    ]
     saas_file_state_diffs = [
         s
         for s in desired_saas_file_state
-        if s.dict() not in comparison_saas_file_state_dicts
+        if s.model_dump() not in comparison_saas_file_state_dicts
     ]
     if not saas_file_state_diffs:
         return

reconcile/openshift_serviceaccount_tokens.py

@@ -177,7 +177,7 @@ def canonicalize_namespaces(namespaces: Iterable[NamespaceV1]) -> list[Namespace
             key = f"{sat.namespace.cluster.name}/{sat.namespace.name}"
             if key not in canonicalized_namespaces:
                 canonicalized_namespaces[key] = NamespaceV1(
-                    **sat.namespace.dict(by_alias=True),
+                    **sat.namespace.model_dump(by_alias=True),
                     sharedResources=None,
                     openshiftServiceAccountTokens=None,
                 )
@@ -217,7 +217,7 @@ def run(
         get_namespaces_with_serviceaccount_tokens(gql_api.query)
     )
     ri, oc_map = ob.fetch_current_state(
-        namespaces=[ns.dict(by_alias=True) for ns in namespaces],
+        namespaces=[ns.model_dump(by_alias=True) for ns in namespaces],
         thread_pool_size=thread_pool_size,
         integration=QONTRACT_INTEGRATION,
         integration_version=QONTRACT_INTEGRATION_VERSION,

reconcile/openshift_upgrade_watcher.py

@@ -185,7 +185,7 @@ def run(
     if defer:
         defer(oc_map.cleanup)
 
-    cluster_like_objects = [cluster.dict(by_alias=True) for cluster in clusters]
+    cluster_like_objects = [cluster.model_dump(by_alias=True) for cluster in clusters]
     ocm_map = OCMMap(
         clusters=cluster_like_objects,
         integration=QONTRACT_INTEGRATION,

reconcile/oum/labelset.py

@@ -1,4 +1,5 @@
 from collections import defaultdict
+from typing import Annotated
 
 from pydantic import BaseModel
 
@@ -22,9 +23,10 @@ class _GroupMappingLabelset(BaseModel):
     the sre-capabilities.user-mgmt.$provider prefix.
     """
 
-    authz_roles: dict[str, CSV] | None = sre_capability_labels.labelset_groupfield(
-        group_prefix="authz."
-    )
+    authz_roles: Annotated[
+        dict[str, CSV] | None,
+        sre_capability_labels.labelset_groupfield(group_prefix="authz."),
+    ]
 
 
 def build_cluster_config_from_labels(

reconcile/oum/models.py

@@ -56,7 +56,7 @@ class ClusterUserManagementSpec(BaseModel):
     errors: list[ClusterError] = Field(default_factory=list)
 
 
-class ClusterRoleReconcileResult(BaseModel):
+class ClusterRoleReconcileResult(BaseModel, arbitrary_types_allowed=True):
     """
     Holds the result of a cluster role reconciliation.
     """
@@ -64,6 +64,3 @@ class ClusterRoleReconcileResult(BaseModel):
     users_added: int = 0
     users_removed: int = 0
     error: Exception | None = None
-
-    class Config:
-        arbitrary_types_allowed = True

reconcile/prometheus_rules_tester/integration.py

@@ -56,7 +56,7 @@ class Test(BaseModel):
     rule_path: str
     rule: dict
     rule_length: int
-    tests: list[TestContent] | None
+    tests: list[TestContent] | None = None
     result: CommandExecutionResult | None = None
     promtool_version: str
 
@@ -76,7 +76,7 @@ def fetch_rule_and_tests(
     openshift_resource = orb.fetch_openshift_resource(
         resource=rule.resource,
         parent=rule.namespace,
-        settings=vault_settings.dict(by_alias=True),
+        settings=vault_settings.model_dump(by_alias=True),
     )
 
     rule_body = openshift_resource.body
@@ -96,7 +96,7 @@ def fetch_rule_and_tests(
             test_raw_yaml = process_extracurlyjinja2_template(
                 body=test_raw_yaml,
                 vars=variables,
-                settings=vault_settings.dict(by_alias=True),
+                settings=vault_settings.model_dump(by_alias=True),
             )
 
         test_yaml_spec = yaml.safe_load(test_raw_yaml)