qontract-reconcile 0.10.2.dev414__py3-none-any.whl → 0.10.2.dev456__py3-none-any.whl

reconcile/gql_definitions/vpc_peerings_validator/vpc_peerings_validator_peered_cluster_fragment.py

@@ -34,6 +34,7 @@ class ClusterSpecV1(ConfiguredBaseModel):
 
 class VpcPeeringsValidatorPeeredCluster(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
+    allowed_to_bypass_public_peering_restriction: Optional[bool] = Field(..., alias="allowedToBypassPublicPeeringRestriction")
     network: Optional[ClusterNetworkV1] = Field(..., alias="network")
     spec: Optional[ClusterSpecV1] = Field(..., alias="spec")
     internal: Optional[bool] = Field(..., alias="internal")

reconcile/ocm_machine_pools.py

@@ -7,7 +7,7 @@ from collections.abc import Iterable, Mapping
 from enum import Enum
 from typing import Any, Self
 
-from pydantic import BaseModel, Field, model_validator
+from pydantic import BaseModel, Field, SerializeAsAny, model_validator
 
 from reconcile import queries
 from reconcile.gql_definitions.common.clusters import (
@@ -107,7 +107,7 @@ class AbstractPool(ABC, BaseModel):
     labels: Mapping[str, str] | None = None
     cluster: str
     cluster_type: ClusterType = Field(..., exclude=True)
-    autoscaling: AbstractAutoscaling | None = None
+    autoscaling: SerializeAsAny[AbstractAutoscaling] | None = None
 
     @model_validator(mode="before")
     @classmethod
@@ -170,7 +170,10 @@ class MachinePool(AbstractPool):
         ocm.update_machine_pool(self.cluster, update_dict)
 
     def has_diff(self, pool: ClusterMachinePoolV1) -> bool:
-        if self.taints != pool.taints or self.labels != pool.labels:
+        pool_taints = (
+            [p.model_dump(by_alias=True) for p in pool.taints] if pool.taints else None
+        )
+        if self.taints != pool_taints or self.labels != pool.labels:
             logging.warning(
                 f"updating labels or taints for machine pool {pool.q_id} "
                 f"will only be applied to new Nodes"
@@ -178,7 +181,7 @@ class MachinePool(AbstractPool):
 
         return (
             self.replicas != pool.replicas
-            or self.taints != pool.taints
+            or self.taints != pool_taints
             or self.labels != pool.labels
             or self.instance_type != pool.instance_type
             or self._has_diff_autoscale(pool)
@@ -251,7 +254,10 @@ class NodePool(AbstractPool):
         ocm.update_node_pool(self.cluster, update_dict)
 
     def has_diff(self, pool: ClusterMachinePoolV1) -> bool:
-        if self.taints != pool.taints or self.labels != pool.labels:
+        pool_taints = (
+            [p.model_dump(by_alias=True) for p in pool.taints] if pool.taints else None
+        )
+        if self.taints != pool_taints or self.labels != pool.labels:
             logging.warning(
                 f"updating labels or taints for node pool {pool.q_id} "
                 f"will only be applied to new Nodes"
@@ -259,7 +265,7 @@ class NodePool(AbstractPool):
 
         return (
             self.replicas != pool.replicas
-            or self.taints != pool.taints
+            or self.taints != pool_taints
             or self.labels != pool.labels
             or self.aws_node_pool.instance_type != pool.instance_type
             or self.subnet != pool.subnet

reconcile/openshift_base.py

@@ -29,7 +29,9 @@ from reconcile.utils import (
     metrics,
 )
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
+from reconcile.utils.differ import DiffPair
 from reconcile.utils.oc import (
+    POD_RECYCLE_SUPPORTED_OWNER_KINDS,
     AmbiguousResourceTypeError,
     DeploymentFieldIsImmutableError,
     FieldIsImmutableError,
@@ -62,6 +64,10 @@ AUTH_METHOD_USER_KEY = {
     "oidc": "org_username",
     "rhidp": "org_username",
 }
+RECYCLE_POD_ANNOTATIONS = [
+    "kubectl.kubernetes.io/restartedAt",
+    "openshift.openshift.io/restartedAt",
+]
 
 
 class ValidationError(Exception):
@@ -588,7 +594,7 @@ def apply(
                 oc.resize_pvcs(namespace, owned_pvc_names, desired_storage)
 
     if recycle_pods:
-        oc.recycle_pods(dry_run, namespace, resource_type, resource)
+        oc.recycle_pods(dry_run, namespace, resource)
 
 
 def create(
@@ -832,10 +838,56 @@ def handle_identical_resources(
     return actions
 
 
+def patch_desired_resource_for_recycle_annotations(
+    desired: OR,
+    current: OR,
+) -> OR:
+    """
+    Patch desired resource with recycle annotations to pod template from current resource.
+    This is to avoid full pods recycle when changes are not affecting pod template.
+    Note desired annotations can override current annotations.
+    For example, if desired resource has kubectl.kubernetes.io/restartedAt defined,
+    it will be used instead of current resource annotation.
+
+    Args:
+        desired: desired resource
+        current: current resource
+
+    Returns:
+        patched desired resource
+    """
+    if current.kind not in POD_RECYCLE_SUPPORTED_OWNER_KINDS:
+        return desired
+
+    current_annotations = (
+        current.body.get("spec", {})
+        .get("template", {})
+        .get("metadata", {})
+        .get("annotations")
+        or {}
+    )
+    patch_annotations = {
+        k: value
+        for k in RECYCLE_POD_ANNOTATIONS
+        if (value := current_annotations.get(k))
+    }
+    if patch_annotations:
+        desired_annotations = (
+            desired.body.setdefault("spec", {})
+            .setdefault("template", {})
+            .setdefault("metadata", {})
+            .setdefault("annotations", {})
+        )
+        desired.body["spec"]["template"]["metadata"]["annotations"] = (
+            patch_annotations | desired_annotations
+        )
+    return desired
+
+
 def handle_modified_resources(
     oc_map: ClusterMap,
     ri: ResourceInventory,
-    modified_resources: Mapping[Any, Any],
+    modified_resources: Mapping[str, DiffPair[OR, OR]],
     cluster: str,
     namespace: str,
     resource_type: str,
@@ -1031,6 +1083,12 @@ def _realize_resource_data_3way_diff(
     if options.enable_deletion and options.override_enable_deletion is False:
         options.enable_deletion = False
 
+    for k in data["current"].keys() & data["desired"].keys():
+        patch_desired_resource_for_recycle_annotations(
+            desired=data["desired"][k],
+            current=data["current"][k],
+        )
+
     diff_result = differ.diff_mappings(
         data["current"], data["desired"], equal=three_way_diff_using_hash
     )

reconcile/openshift_namespaces.py

@@ -43,6 +43,7 @@ class DesiredState:
     cluster: str
     namespace: str
     delete: bool
+    cluster_admin: bool
 
 
 class NamespaceDuplicateError(Exception):
@@ -92,6 +93,7 @@ def build_desired_state(
             cluster=namespace.cluster.name,
             namespace=namespace.name,
             delete=namespace.delete or False,
+            cluster_admin=namespace.cluster_admin or False,
         )
         for namespace in namespaces
     ]
@@ -104,7 +106,7 @@ def manage_namespace(
 ) -> None:
     namespace = desired_state.namespace
 
-    oc = oc_map.get(desired_state.cluster)
+    oc = oc_map.get(desired_state.cluster, privileged=desired_state.cluster_admin)
     if isinstance(oc, OCLogMsg):
         logging.log(level=oc.log_level, msg=oc.message)
         return
@@ -116,9 +118,6 @@ def manage_namespace(
 
     action = Action.DELETE if desired_state.delete else Action.CREATE
 
-    if namespace.startswith("openshift-"):
-        raise ValueError(f'cannot {action} a project starting with "openshift-"')
-
     logging.info([str(action), desired_state.cluster, namespace])
     if not dry_run:
         match action:

reconcile/openshift_rhcs_certs.py

@@ -2,7 +2,7 @@ import logging
 import sys
 import time
 from collections.abc import Callable, Iterable, Mapping
-from typing import Any, cast
+from typing import Any
 
 import reconcile.openshift_base as ob
 import reconcile.openshift_resources_base as orb
@@ -10,8 +10,8 @@ from reconcile.gql_definitions.common.rhcs_provider_settings import (
     RhcsProviderSettingsV1,
 )
 from reconcile.gql_definitions.rhcs.certs import (
-    NamespaceOpenshiftResourceRhcsCertV1,
     NamespaceV1,
+    OpenshiftResourceRhcsCert,
 )
 from reconcile.gql_definitions.rhcs.certs import (
     query as rhcs_certs_query,
@@ -32,7 +32,12 @@ from reconcile.utils.openshift_resource import (
     ResourceInventory,
     base64_encode_secret_field_value,
 )
-from reconcile.utils.rhcsv2_certs import RhcsV2Cert, generate_cert
+from reconcile.utils.rhcsv2_certs import (
+    CertificateFormat,
+    RhcsV2CertPem,
+    RhcsV2CertPkcs12,
+    generate_cert,
+)
 from reconcile.utils.runtime.integration import DesiredStateShardConfig
 from reconcile.utils.secret_reader import create_secret_reader
 from reconcile.utils.semver_helper import make_semver
@@ -40,7 +45,6 @@ from reconcile.utils.vault import SecretNotFoundError, VaultClient
 
 QONTRACT_INTEGRATION = "openshift-rhcs-certs"
 QONTRACT_INTEGRATION_VERSION = make_semver(1, 9, 3)
-PROVIDERS = ["rhcs-cert"]
 
 
 def desired_state_shard_config() -> DesiredStateShardConfig:
@@ -67,8 +71,29 @@ class OpenshiftRhcsCertExpiration(GaugeMetric):
         return "qontract_reconcile_rhcs_cert_expiration_timestamp"
 
 
-def _is_rhcs_cert(obj: Any) -> bool:
-    return getattr(obj, "provider", None) == "rhcs-cert"
+def _generate_placeholder_cert(
+    cert_format: CertificateFormat,
+) -> RhcsV2CertPem | RhcsV2CertPkcs12:
+    match cert_format:
+        case CertificateFormat.PKCS12:
+            return RhcsV2CertPkcs12(
+                pkcs12_keystore="PLACEHOLDER_KEYSTORE",
+                pkcs12_truststore="PLACEHOLDER_TRUSTSTORE",
+                expiration_timestamp=int(time.time()),
+            )
+        case CertificateFormat.PEM:
+            return RhcsV2CertPem(
+                certificate="PLACEHOLDER_CERT",
+                private_key="PLACEHOLDER_PRIVATE_KEY",
+                ca_cert="PLACEHOLDER_CA_CERT",
+                expiration_timestamp=int(time.time()),
+            )
+
+
+def get_certificate_format(
+    cert_resource: OpenshiftResourceRhcsCert,
+) -> CertificateFormat:
+    return CertificateFormat(cert_resource.certificate_format or "PEM")
 
 
 def get_namespaces_with_rhcs_certs(
@@ -82,21 +107,28 @@ def get_namespaces_with_rhcs_certs(
             integration_is_enabled(QONTRACT_INTEGRATION, ns.cluster)
             and not bool(ns.delete)
             and (not cluster_name or ns.cluster.name in cluster_name)
-            and any(_is_rhcs_cert(r) for r in ns.openshift_resources or [])
+            and ns.openshift_resources
         ):
             result.append(ns)
     return result
 
 
 def construct_rhcs_cert_oc_secret(
-    secret_name: str, cert: Mapping[str, Any], annotations: Mapping[str, str]
+    secret_name: str,
+    cert: Mapping[str, Any],
+    annotations: Mapping[str, str],
+    certificate_format: CertificateFormat,
 ) -> OR:
     body: dict[str, Any] = {
         "apiVersion": "v1",
         "kind": "Secret",
-        "type": "kubernetes.io/tls",
         "metadata": {"name": secret_name, "annotations": annotations},
     }
+    match certificate_format:
+        case CertificateFormat.PKCS12:
+            body["type"] = "Opaque"
+        case CertificateFormat.PEM:
+            body["type"] = "kubernetes.io/tls"
     for k, v in cert.items():
         v = base64_encode_secret_field_value(v)
         body.setdefault("data", {})[k] = v
@@ -105,7 +137,7 @@ def construct_rhcs_cert_oc_secret(
 
 def cert_expires_within_threshold(
     ns: NamespaceV1,
-    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    cert_resource: OpenshiftResourceRhcsCert,
     vault_cert_secret: Mapping[str, Any],
 ) -> bool:
     auto_renew_threshold_days = cert_resource.auto_renew_threshold_days or 7
@@ -121,7 +153,7 @@ def cert_expires_within_threshold(
 
 def get_vault_cert_secret(
     ns: NamespaceV1,
-    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    cert_resource: OpenshiftResourceRhcsCert,
     vault: VaultClient,
     vault_base_path: str,
 ) -> dict | None:
@@ -140,7 +172,7 @@ def get_vault_cert_secret(
 def generate_vault_cert_secret(
     dry_run: bool,
     ns: NamespaceV1,
-    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    cert_resource: OpenshiftResourceRhcsCert,
     vault: VaultClient,
     vault_base_path: str,
     issuer_url: str,
@@ -150,17 +182,18 @@ def generate_vault_cert_secret(
         f"Creating cert with service account credentials for '{cert_resource.service_account_name}'. cluster='{ns.cluster.name}', namespace='{ns.name}', secret='{cert_resource.secret_name}'"
     )
     sa_password = vault.read(cert_resource.service_account_password.model_dump())
+    cert_format = get_certificate_format(cert_resource)
+
     if dry_run:
-        rhcs_cert = RhcsV2Cert(
-            certificate="PLACEHOLDER_CERT",
-            private_key="PLACEHOLDER_PRIVATE_KEY",
-            ca_cert="PLACEHOLDER_CA_CERT",
-            expiration_timestamp=int(time.time()),
-        )
+        rhcs_cert = _generate_placeholder_cert(cert_format)
     else:
         try:
             rhcs_cert = generate_cert(
-                issuer_url, cert_resource.service_account_name, sa_password, ca_cert_url
+                issuer_url=issuer_url,
+                uid=cert_resource.service_account_name,
+                pwd=sa_password,
+                ca_url=ca_cert_url,
+                cert_format=cert_format,
             )
         except ValueError as e:
             raise Exception(
@@ -171,18 +204,18 @@ def generate_vault_cert_secret(
         )
         vault.write(
             secret={
-                "data": rhcs_cert.model_dump(by_alias=True),
+                "data": rhcs_cert.model_dump(by_alias=True, exclude_none=True),
                 "path": f"{vault_base_path}/{ns.cluster.name}/{ns.name}/{cert_resource.secret_name}",
             },
             decode_base64=False,
         )
-    return rhcs_cert.model_dump(by_alias=True)
+    return rhcs_cert.model_dump(by_alias=True, exclude_none=True)
 
 
 def fetch_openshift_resource_for_cert_resource(
     dry_run: bool,
     ns: NamespaceV1,
-    cert_resource: NamespaceOpenshiftResourceRhcsCertV1,
+    cert_resource: OpenshiftResourceRhcsCert,
     vault: VaultClient,
     rhcs_settings: RhcsProviderSettingsV1,
 ) -> OR:
@@ -218,6 +251,7 @@ def fetch_openshift_resource_for_cert_resource(
         secret_name=cert_resource.secret_name,
         cert=vault_cert_secret,
         annotations=cert_resource.annotations or {},
+        certificate_format=get_certificate_format(cert_resource),
     )
 
 
@@ -231,18 +265,13 @@ def fetch_desired_state(
     cert_provider = get_rhcs_provider_settings(query_func=query_func)
     for ns in namespaces:
         for cert_resource in ns.openshift_resources or []:
-            if _is_rhcs_cert(cert_resource):
-                ri.add_desired_resource(
-                    cluster=ns.cluster.name,
-                    namespace=ns.name,
-                    resource=fetch_openshift_resource_for_cert_resource(
-                        dry_run,
-                        ns,
-                        cast("NamespaceOpenshiftResourceRhcsCertV1", cert_resource),
-                        vault,
-                        cert_provider,
-                    ),
-                )
+            ri.add_desired_resource(
+                cluster=ns.cluster.name,
+                namespace=ns.name,
+                resource=fetch_openshift_resource_for_cert_resource(
+                    dry_run, ns, cert_resource, vault, cert_provider
+                ),
+            )
 
 
 @defer
@@ -295,3 +324,11 @@ def run(
     ob.publish_metrics(ri, QONTRACT_INTEGRATION)
     if ri.has_error_registered():
         sys.exit(1)
+
+
+def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:
+    if not (query_func := kwargs.get("query_func")):
+        query_func = gql.get_api().query
+
+    cluster_name = kwargs.get("cluster_name")
+    return {"namespace": get_namespaces_with_rhcs_certs(query_func, cluster_name)}

reconcile/rhidp/sso_client/base.py

@@ -1,3 +1,4 @@
+import http
 import logging
 from collections.abc import (
     Iterable,
@@ -10,6 +11,7 @@ from urllib.parse import (
 )
 
 import jwt
+from requests import HTTPError
 
 from reconcile.rhidp.common import (
     Cluster,
@@ -256,9 +258,18 @@ def delete_sso_client(
     )
     sso_client = SSOClient(**secret_reader.read_all_secret(secret=secret))
     keycloak_api = keycloak_map.get(sso_client.issuer)
-    keycloak_api.delete_client(
-        registration_client_uri=sso_client.registration_client_uri,
-        registration_access_token=sso_client.registration_access_token,
-    )
+    try:
+        keycloak_api.delete_client(
+            registration_client_uri=sso_client.registration_client_uri,
+            registration_access_token=sso_client.registration_access_token,
+        )
+    except HTTPError as e:
+        if e.response.status_code != http.HTTPStatus.UNAUTHORIZED:
+            logging.error(f"Failed to delete SSO client {sso_client_id}: {e}")
+            raise
+        # something went wrong with the registration token, maybe it expired
+        logging.error(
+            f"Failed to delete SSO client {sso_client_id} due to unauthorized error: {e}. Continuing to delete the vault secret."
+        )
 
     secret_reader.vault_client.delete(path=secret.path)

reconcile/templates/rosa-classic-cluster-creation.sh.j2

@@ -47,7 +47,7 @@ rosa create cluster -y --cluster-name={{ cluster_name }} \
     --service-cidr {{ cluster.network.service }} \
     --pod-cidr {{ cluster.network.pod }} \
     --host-prefix 23 \
-    --replicas {{ cluster.machine_pools | length }} \
+    --replicas 3 \
     --compute-machine-type {{ cluster.machine_pools[0].instance_type }} \
     {% if cluster.spec.disable_user_workload_monitoring -%}
     --disable-workload-monitoring \

reconcile/templates/rosa-hcp-cluster-creation.sh.j2

@@ -47,7 +47,7 @@ rosa create cluster --cluster-name={{ cluster_name }} \
     --service-cidr {{ cluster.network.service }} \
     --pod-cidr {{ cluster.network.pod }} \
     --host-prefix 23 \
-    --replicas {{ cluster.machine_pools | length }} \
+    --replicas 3 \
     --compute-machine-type {{ cluster.machine_pools[0].instance_type }} \
     {% if cluster.spec.private -%}
     --private \

reconcile/terraform_vpc_resources/integration.py

@@ -24,6 +24,7 @@ from reconcile.typed_queries.external_resources import get_settings
 from reconcile.typed_queries.github_orgs import get_github_orgs
 from reconcile.typed_queries.gitlab_instances import get_gitlab_instances
 from reconcile.utils import gql
+from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.runtime.integration import (
     DesiredStateShardConfig,
     PydanticRunParams,
@@ -62,12 +63,14 @@ class TerraformVpcResources(QontractReconcileIntegration[TerraformVpcResourcesPa
     ) -> list[AWSAccountV1]:
         """Return a list of accounts extracted from the provided VPCRequests.
         If account_name is given returns the account object with that name."""
-        accounts = [vpc.account for vpc in data]
-
-        if account_name:
-            accounts = [account for account in accounts if account.name == account_name]
-
-        return accounts
+        return [
+            vpc.account
+            for vpc in data
+            if (
+                integration_is_enabled(self.name, vpc.account)
+                and (not account_name or vpc.account.name == account_name)
+            )
+        ]
 
     def _handle_outputs(
         self, requests: Iterable[VPCRequest], outputs: Mapping[str, Any]
@@ -155,7 +158,7 @@ class TerraformVpcResources(QontractReconcileIntegration[TerraformVpcResourcesPa
         if data:
             accounts = self._filter_accounts(data, account_name)
             if account_name and not accounts:
-                msg = f"The account {account_name} doesn't have any managed vpc. Verify your input"
+                msg = f"The account {account_name} doesn't have any managed vpcs or the {QONTRACT_INTEGRATION} integration is disabled for this account. Verify your input"
                 logging.debug(msg)
                 sys.exit(ExitCodes.SUCCESS)
         else:

reconcile/typed_queries/saas_files.py

@@ -42,6 +42,7 @@ from reconcile.gql_definitions.fragments.saas_target_namespace import (
     SaasTargetNamespace,
 )
 from reconcile.utils import gql
+from reconcile.utils.environ import used_for_security_is_enabled
 from reconcile.utils.exceptions import (
     AppInterfaceSettingsError,
     ParameterError,
@@ -78,10 +79,14 @@ class SaasResourceTemplateTarget(
         self, parent_saas_file_name: str, parent_resource_template_name: str
     ) -> str:
         """Returns a unique identifier for a target."""
-        return hashlib.blake2s(
-            f"{parent_saas_file_name}:{parent_resource_template_name}:{self.name or 'default'}:{self.namespace.cluster.name}:{self.namespace.name}".encode(),
-            digest_size=20,
-        ).hexdigest()
+        data = f"{parent_saas_file_name}:{parent_resource_template_name}:{self.name or 'default'}:{self.namespace.cluster.name}:{self.namespace.name}".encode()
+        if used_for_security_is_enabled():
+            # When USED_FOR_SECURITY is enabled, use blake2s without digest_size and truncate to 20 bytes
+            # This is needed for FIPS compliance where digest_size parameter is not supported
+            return hashlib.blake2s(data).digest()[:20].hex()
+        else:
+            # Default behavior: use blake2s with digest_size=20
+            return hashlib.blake2s(data, digest_size=20).hexdigest()
 
 
 class SaasResourceTemplate(ConfiguredBaseModel, validate_by_alias=True):

reconcile/utils/binary.py

@@ -38,10 +38,7 @@ def binary_version(
     def deco_binary_version(f: Callable) -> Callable:
         @wraps(f)
         def f_binary_version(*args: Any, **kwargs: Any) -> None:
-            regex = re.compile(search_regex)
-
-            cmd = [binary]
-            cmd.extend(version_args)
+            cmd = [binary, *version_args]
             try:
                 result = subprocess.run(cmd, capture_output=True, check=True)
             except subprocess.CalledProcessError as e:
@@ -50,15 +47,13 @@ def binary_version(
                 )
                 raise Exception(msg) from e
 
-            found = False
-            match = None
-            for line in result.stdout.splitlines():
-                match = regex.search(line.decode("utf-8"))
-                if match is not None:
-                    found = True
-                    break
+            match = re.search(
+                search_regex,
+                result.stdout.decode("utf-8"),
+                re.MULTILINE,
+            )
 
-            if not found or not match:
+            if match is None:
                 raise Exception(
                     f"Could not find version for binary '{binary}' via regex "
                     f"for binary version check: "

reconcile/utils/environ.py

@@ -4,6 +4,11 @@ from functools import wraps
 from typing import Any
 
 
+def used_for_security_is_enabled() -> bool:
+    used_for_security_env = os.getenv("USED_FOR_SECURITY", "false")
+    return used_for_security_env.lower() == "true"
+
+
 def environ(variables: Iterable[str] | None = None) -> Callable:
     """Check that environment variables are set before execution."""
     if variables is None:

reconcile/utils/gitlab_api.py

@@ -444,6 +444,8 @@ class GitLabApi:
     def get_merge_request_comments(
         merge_request: ProjectMergeRequest,
         include_description: bool = False,
+        include_approvals: bool = False,
+        approval_body: str = "",
     ) -> list[Comment]:
         comments = []
         if include_description:
@@ -455,6 +457,16 @@ class GitLabApi:
                     created_at=merge_request.created_at,
                 )
             )
+        if include_approvals:
+            comments.extend(
+                Comment(
+                    id=approval["user"]["id"],
+                    username=approval["user"]["username"],
+                    body=approval_body,
+                    created_at=approval["approved_at"],
+                )
+                for approval in merge_request.approvals.get().approved_by
+            )
         comments.extend(
             Comment(
                 id=note.id,

reconcile/utils/glitchtip/client.py

@@ -165,7 +165,7 @@ class GlitchtipClient(ApiBase):
             **self._post(
                 f"/api/0/projects/{organization_slug}/{project_slug}/alerts/",
                 data=alert.model_dump(
-                    by_alias=True, exclude_unset=True, exclude_none=True
+                    mode="json", by_alias=True, exclude_unset=True, exclude_none=True
                 ),
             )
         )
@@ -186,7 +186,7 @@ class GlitchtipClient(ApiBase):
             **self._put(
                 f"/api/0/projects/{organization_slug}/{project_slug}/alerts/{alert.pk}/",
                 data=alert.model_dump(
-                    by_alias=True, exclude_unset=True, exclude_none=True
+                    mode="json", by_alias=True, exclude_unset=True, exclude_none=True
                 ),
             )
         )