qontract-reconcile 0.10.2.dev427__py3-none-any.whl → 0.10.2.dev465__py3-none-any.whl

reconcile/openshift_rhcs_certs.py

@@ -32,7 +32,12 @@ from reconcile.utils.openshift_resource import (
     ResourceInventory,
     base64_encode_secret_field_value,
 )
-from reconcile.utils.rhcsv2_certs import RhcsV2Cert, generate_cert
+from reconcile.utils.rhcsv2_certs import (
+    CertificateFormat,
+    RhcsV2CertPem,
+    RhcsV2CertPkcs12,
+    generate_cert,
+)
 from reconcile.utils.runtime.integration import DesiredStateShardConfig
 from reconcile.utils.secret_reader import create_secret_reader
 from reconcile.utils.semver_helper import make_semver
@@ -66,6 +71,31 @@ class OpenshiftRhcsCertExpiration(GaugeMetric):
         return "qontract_reconcile_rhcs_cert_expiration_timestamp"
 
 
+def _generate_placeholder_cert(
+    cert_format: CertificateFormat,
+) -> RhcsV2CertPem | RhcsV2CertPkcs12:
+    match cert_format:
+        case CertificateFormat.PKCS12:
+            return RhcsV2CertPkcs12(
+                pkcs12_keystore="PLACEHOLDER_KEYSTORE",
+                pkcs12_truststore="PLACEHOLDER_TRUSTSTORE",
+                expiration_timestamp=int(time.time()),
+            )
+        case CertificateFormat.PEM:
+            return RhcsV2CertPem(
+                certificate="PLACEHOLDER_CERT",
+                private_key="PLACEHOLDER_PRIVATE_KEY",
+                ca_cert="PLACEHOLDER_CA_CERT",
+                expiration_timestamp=int(time.time()),
+            )
+
+
+def get_certificate_format(
+    cert_resource: OpenshiftResourceRhcsCert,
+) -> CertificateFormat:
+    return CertificateFormat(cert_resource.certificate_format or "PEM")
+
+
 def get_namespaces_with_rhcs_certs(
     query_func: Callable,
     cluster_name: Iterable[str] | None = None,
@@ -84,14 +114,21 @@ def get_namespaces_with_rhcs_certs(
 
 
 def construct_rhcs_cert_oc_secret(
-    secret_name: str, cert: Mapping[str, Any], annotations: Mapping[str, str]
+    secret_name: str,
+    cert: Mapping[str, Any],
+    annotations: Mapping[str, str],
+    certificate_format: CertificateFormat,
 ) -> OR:
     body: dict[str, Any] = {
         "apiVersion": "v1",
         "kind": "Secret",
-        "type": "kubernetes.io/tls",
         "metadata": {"name": secret_name, "annotations": annotations},
     }
+    match certificate_format:
+        case CertificateFormat.PKCS12:
+            body["type"] = "Opaque"
+        case CertificateFormat.PEM:
+            body["type"] = "kubernetes.io/tls"
     for k, v in cert.items():
         v = base64_encode_secret_field_value(v)
         body.setdefault("data", {})[k] = v
@@ -145,17 +182,18 @@ def generate_vault_cert_secret(
         f"Creating cert with service account credentials for '{cert_resource.service_account_name}'. cluster='{ns.cluster.name}', namespace='{ns.name}', secret='{cert_resource.secret_name}'"
     )
     sa_password = vault.read(cert_resource.service_account_password.model_dump())
+    cert_format = get_certificate_format(cert_resource)
+
     if dry_run:
-        rhcs_cert = RhcsV2Cert(
-            certificate="PLACEHOLDER_CERT",
-            private_key="PLACEHOLDER_PRIVATE_KEY",
-            ca_cert="PLACEHOLDER_CA_CERT",
-            expiration_timestamp=int(time.time()),
-        )
+        rhcs_cert = _generate_placeholder_cert(cert_format)
     else:
         try:
             rhcs_cert = generate_cert(
-                issuer_url, cert_resource.service_account_name, sa_password, ca_cert_url
+                issuer_url=issuer_url,
+                uid=cert_resource.service_account_name,
+                pwd=sa_password,
+                ca_url=ca_cert_url,
+                cert_format=cert_format,
             )
         except ValueError as e:
             raise Exception(
@@ -166,12 +204,12 @@ def generate_vault_cert_secret(
         )
         vault.write(
             secret={
-                "data": rhcs_cert.model_dump(by_alias=True),
+                "data": rhcs_cert.model_dump(by_alias=True, exclude_none=True),
                 "path": f"{vault_base_path}/{ns.cluster.name}/{ns.name}/{cert_resource.secret_name}",
             },
             decode_base64=False,
         )
-    return rhcs_cert.model_dump(by_alias=True)
+    return rhcs_cert.model_dump(by_alias=True, exclude_none=True)
 
 
 def fetch_openshift_resource_for_cert_resource(
@@ -213,6 +251,7 @@ def fetch_openshift_resource_for_cert_resource(
         secret_name=cert_resource.secret_name,
         cert=vault_cert_secret,
         annotations=cert_resource.annotations or {},
+        certificate_format=get_certificate_format(cert_resource),
     )
 
 

reconcile/templates/rosa-classic-cluster-creation.sh.j2

@@ -47,7 +47,7 @@ rosa create cluster -y --cluster-name={{ cluster_name }} \
     --service-cidr {{ cluster.network.service }} \
     --pod-cidr {{ cluster.network.pod }} \
     --host-prefix 23 \
-    --replicas {{ cluster.machine_pools | length }} \
+    --replicas 3 \
     --compute-machine-type {{ cluster.machine_pools[0].instance_type }} \
     {% if cluster.spec.disable_user_workload_monitoring -%}
     --disable-workload-monitoring \

reconcile/templates/rosa-hcp-cluster-creation.sh.j2

@@ -47,7 +47,7 @@ rosa create cluster --cluster-name={{ cluster_name }} \
     --service-cidr {{ cluster.network.service }} \
     --pod-cidr {{ cluster.network.pod }} \
     --host-prefix 23 \
-    --replicas {{ cluster.machine_pools | length }} \
+    --replicas 3 \
     --compute-machine-type {{ cluster.machine_pools[0].instance_type }} \
     {% if cluster.spec.private -%}
     --private \

reconcile/terraform_vpc_resources/integration.py

@@ -24,6 +24,7 @@ from reconcile.typed_queries.external_resources import get_settings
 from reconcile.typed_queries.github_orgs import get_github_orgs
 from reconcile.typed_queries.gitlab_instances import get_gitlab_instances
 from reconcile.utils import gql
+from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.runtime.integration import (
     DesiredStateShardConfig,
     PydanticRunParams,
@@ -62,12 +63,14 @@ class TerraformVpcResources(QontractReconcileIntegration[TerraformVpcResourcesPa
     ) -> list[AWSAccountV1]:
         """Return a list of accounts extracted from the provided VPCRequests.
         If account_name is given returns the account object with that name."""
-        accounts = [vpc.account for vpc in data]
-
-        if account_name:
-            accounts = [account for account in accounts if account.name == account_name]
-
-        return accounts
+        return [
+            vpc.account
+            for vpc in data
+            if (
+                integration_is_enabled(self.name, vpc.account)
+                and (not account_name or vpc.account.name == account_name)
+            )
+        ]
 
     def _handle_outputs(
         self, requests: Iterable[VPCRequest], outputs: Mapping[str, Any]
@@ -155,7 +158,7 @@ class TerraformVpcResources(QontractReconcileIntegration[TerraformVpcResourcesPa
         if data:
             accounts = self._filter_accounts(data, account_name)
             if account_name and not accounts:
-                msg = f"The account {account_name} doesn't have any managed vpc. Verify your input"
+                msg = f"The account {account_name} doesn't have any managed vpcs or the {QONTRACT_INTEGRATION} integration is disabled for this account. Verify your input"
                 logging.debug(msg)
                 sys.exit(ExitCodes.SUCCESS)
         else:

reconcile/typed_queries/saas_files.py

@@ -42,6 +42,7 @@ from reconcile.gql_definitions.fragments.saas_target_namespace import (
     SaasTargetNamespace,
 )
 from reconcile.utils import gql
+from reconcile.utils.environ import used_for_security_is_enabled
 from reconcile.utils.exceptions import (
     AppInterfaceSettingsError,
     ParameterError,
@@ -78,10 +79,14 @@ class SaasResourceTemplateTarget(
         self, parent_saas_file_name: str, parent_resource_template_name: str
     ) -> str:
         """Returns a unique identifier for a target."""
-        return hashlib.blake2s(
-            f"{parent_saas_file_name}:{parent_resource_template_name}:{self.name or 'default'}:{self.namespace.cluster.name}:{self.namespace.name}".encode(),
-            digest_size=20,
-        ).hexdigest()
+        data = f"{parent_saas_file_name}:{parent_resource_template_name}:{self.name or 'default'}:{self.namespace.cluster.name}:{self.namespace.name}".encode()
+        if used_for_security_is_enabled():
+            # When USED_FOR_SECURITY is enabled, use blake2s without digest_size and truncate to 20 bytes
+            # This is needed for FIPS compliance where digest_size parameter is not supported
+            return hashlib.sha256(data).digest()[:20].hex()
+        else:
+            # Default behavior: use blake2s with digest_size=20
+            return hashlib.blake2s(data, digest_size=20).hexdigest()
 
 
 class SaasResourceTemplate(ConfiguredBaseModel, validate_by_alias=True):

reconcile/utils/environ.py

@@ -4,6 +4,11 @@ from functools import wraps
 from typing import Any
 
 
+def used_for_security_is_enabled() -> bool:
+    used_for_security_env = os.getenv("USED_FOR_SECURITY", "false")
+    return used_for_security_env.lower() == "true"
+
+
 def environ(variables: Iterable[str] | None = None) -> Callable:
     """Check that environment variables are set before execution."""
     if variables is None:

reconcile/utils/external_resource_spec.py

@@ -157,6 +157,8 @@ class ExternalResourceSpec:
             tags["cost-center"] = cost_center
         if service_phase := self.namespace["environment"].get("servicePhase"):
             tags["service-phase"] = service_phase
+        if cost_center := self.namespace["environment"].get("costCenter"):
+            tags["cost-center"] = cost_center
 
         resource_tags_str = self.resource.get("tags")
         if resource_tags_str:

reconcile/utils/gitlab_api.py

@@ -444,6 +444,8 @@ class GitLabApi:
     def get_merge_request_comments(
         merge_request: ProjectMergeRequest,
         include_description: bool = False,
+        include_approvals: bool = False,
+        approval_body: str = "",
     ) -> list[Comment]:
         comments = []
         if include_description:
@@ -455,6 +457,16 @@ class GitLabApi:
                     created_at=merge_request.created_at,
                 )
             )
+        if include_approvals:
+            comments.extend(
+                Comment(
+                    id=approval["user"]["id"],
+                    username=approval["user"]["username"],
+                    body=approval_body,
+                    created_at=approval["approved_at"],
+                )
+                for approval in merge_request.approvals.get().approved_by
+            )
         comments.extend(
             Comment(
                 id=note.id,

reconcile/utils/jjb_client.py

@@ -33,6 +33,10 @@ from reconcile.utils.vcs import GITHUB_BASE_URL
 JJB_INI = "[jenkins]\nurl = https://JENKINS_URL"
 
 
+class MissingJobUrlError(Exception):
+    pass
+
+
 class JJB:
     """Wrapper around Jenkins Jobs"""
 
@@ -335,7 +339,7 @@ class JJB:
                 job_name = job["name"]
                 try:
                     repos.add(self.get_repo_url(job))
-                except KeyError:
+                except MissingJobUrlError:
                     logging.debug(f"missing github url: {job_name}")
         return repos
 
@@ -355,7 +359,19 @@ class JJB:
 
     @staticmethod
     def get_repo_url(job: Mapping[str, Any]) -> str:
-        repo_url_raw = job["properties"][0]["github"]["url"]
+        repo_url_raw = job.get("properties", [{}])[0].get("github", {}).get("url")
+
+        # we may be in a Github Branch Source type of job
+        if not repo_url_raw:
+            gh_org = job.get("scm", [{}])[0].get("github", {}).get("repo-owner")
+            gh_repo = job.get("scm", [{}])[0].get("github", {}).get("repo")
+            if gh_org and gh_repo:
+                repo_url_raw = f"https://github.com/{gh_org}/{gh_repo}/"
+            else:
+                raise MissingJobUrlError(
+                    f"Cannot find job url for {job['display-name']}"
+                )
+
         return repo_url_raw.strip("/").replace(".git", "")
 
     @staticmethod
@@ -404,7 +420,7 @@ class JJB:
                 try:
                     if self.get_repo_url(job).lower() == repo_url.rstrip("/").lower():
                         return job
-                except KeyError:
+                except MissingJobUrlError:
                     # something wrong here. ignore this job
                     pass
         raise ValueError(f"job with {job_type=} and {repo_url=} not found")

reconcile/utils/oc.py

@@ -651,9 +651,15 @@ class OCCli:
             raise e
         return True
 
+    def _use_oc_project(self, namespace: str) -> bool:
+        # Note, that openshift-* namespaces cannot be created via new-project
+        return self.is_kind_supported(PROJECT_KIND) and not namespace.startswith(
+            "openshift-"
+        )
+
     @OCDecorators.process_reconcile_time
     def new_project(self, namespace: str) -> OCProcessReconcileTimeDecoratorMsg:
-        if self.is_kind_supported(PROJECT_KIND):
+        if self._use_oc_project(namespace=namespace):
             cmd = ["new-project", namespace]
         else:
             cmd = ["create", "namespace", namespace]
@@ -669,7 +675,7 @@ class OCCli:
 
     @OCDecorators.process_reconcile_time
     def delete_project(self, namespace: str) -> OCProcessReconcileTimeDecoratorMsg:
-        if self.is_kind_supported(PROJECT_KIND):
+        if self._use_oc_project(namespace=namespace):
             cmd = ["delete", "project", namespace]
         else:
             cmd = ["delete", "namespace", namespace]

reconcile/utils/rhcsv2_certs.py

@@ -1,21 +1,35 @@
+import base64
 import re
 from datetime import UTC
+from enum import StrEnum
 
 import requests
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives.serialization import pkcs12
 from cryptography.x509.oid import NameOID
 from pydantic import BaseModel, Field
 
 
-class RhcsV2Cert(BaseModel, validate_by_name=True, validate_by_alias=True):
+class CertificateFormat(StrEnum):
+    PEM = "PEM"
+    PKCS12 = "PKCS12"
+
+
+class RhcsV2CertPem(BaseModel, validate_by_name=True, validate_by_alias=True):
     certificate: str = Field(alias="tls.crt")
     private_key: str = Field(alias="tls.key")
     ca_cert: str = Field(alias="ca.crt")
     expiration_timestamp: int
 
 
+class RhcsV2CertPkcs12(BaseModel, validate_by_name=True, validate_by_alias=True):
+    pkcs12_keystore: str = Field(alias="keystore.pkcs12.b64")
+    pkcs12_truststore: str = Field(alias="truststore.pkcs12.b64")
+    expiration_timestamp: int
+
+
 def extract_cert(text: str) -> re.Match:
     # The CA webform returns an HTML page with inline JS that builds an array of “outputList”
     # objects. Each object looks roughly like:
@@ -67,7 +81,66 @@ def get_cert_expiry_timestamp(js_escaped_pem: str) -> int:
     return int(dt_expiry.timestamp())
 
 
-def generate_cert(issuer_url: str, uid: str, pwd: str, ca_url: str) -> RhcsV2Cert:
+def _format_pem(
+    private_key: rsa.RSAPrivateKey,
+    cert_pem: str,
+    ca_pem: str,
+    cert_expiry_timestamp: int,
+) -> RhcsV2CertPem:
+    """Generate RhcsV2Cert with PEM components."""
+    private_key_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption(),
+    ).decode()
+    return RhcsV2CertPem(
+        private_key=private_key_pem,
+        certificate=cert_pem.encode().decode("unicode_escape").replace("\\/", "/"),
+        ca_cert=ca_pem,
+        expiration_timestamp=cert_expiry_timestamp,
+    )
+
+
+def _format_pkcs12(
+    private_key: rsa.RSAPrivateKey,
+    cert_pem: str,
+    ca_pem: str,
+    uid: str,
+    pwd: str,
+    cert_expiry_timestamp: int,
+) -> RhcsV2CertPkcs12:
+    """Generate PKCS#12 keystore and truststore components, returns base64-encoded strings."""
+    clean_cert_pem = cert_pem.encode().decode("unicode_escape").replace("\\/", "/")
+    cert_obj = x509.load_pem_x509_certificate(clean_cert_pem.encode())
+    ca_obj = x509.load_pem_x509_certificate(ca_pem.encode())
+    keystore_p12 = pkcs12.serialize_key_and_certificates(
+        name=uid.encode("utf-8"),
+        key=private_key,
+        cert=cert_obj,
+        cas=[ca_obj],
+        encryption_algorithm=serialization.BestAvailableEncryption(pwd.encode("utf-8")),
+    )
+    truststore_p12 = pkcs12.serialize_key_and_certificates(
+        name=b"ca-trust",
+        key=None,
+        cert=None,
+        cas=[ca_obj],
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+    return RhcsV2CertPkcs12(
+        pkcs12_keystore=base64.b64encode(keystore_p12).decode("utf-8"),
+        pkcs12_truststore=base64.b64encode(truststore_p12).decode("utf-8"),
+        expiration_timestamp=cert_expiry_timestamp,
+    )
+
+
+def generate_cert(
+    issuer_url: str,
+    uid: str,
+    pwd: str,
+    ca_url: str,
+    cert_format: CertificateFormat = CertificateFormat.PEM,
+) -> RhcsV2CertPem | RhcsV2CertPkcs12:
     private_key = rsa.generate_private_key(65537, 4096)
     csr = (
         x509.CertificateSigningRequestBuilder()
@@ -78,6 +151,7 @@ def generate_cert(issuer_url: str, uid: str, pwd: str, ca_url: str) -> RhcsV2Cer
         )
         .sign(private_key, hashes.SHA256())
     )
+
     data = {
         "uid": uid,
         "pwd": pwd,
@@ -87,27 +161,19 @@ def generate_cert(issuer_url: str, uid: str, pwd: str, ca_url: str) -> RhcsV2Cer
         "renewal": "false",
         "xmlOutput": "false",
     }
-    response = requests.post(issuer_url, data=data)
+    response = requests.post(issuer_url, data=data, timeout=30)
     response.raise_for_status()
+    cert_pem = extract_cert(response.text).group(1)
+    cert_expiry_timestamp = get_cert_expiry_timestamp(cert_pem)
 
-    cert_pem = extract_cert(response.text)
-    cert_expiry_timestamp = get_cert_expiry_timestamp(cert_pem.group(1))
-    private_key_pem = private_key.private_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PrivateFormat.TraditionalOpenSSL,
-        encryption_algorithm=serialization.NoEncryption(),
-    ).decode()
-
-    response = requests.get(ca_url)
+    response = requests.get(ca_url, timeout=30)
     response.raise_for_status()
     ca_pem = response.text
 
-    return RhcsV2Cert(
-        private_key=private_key_pem,
-        certificate=cert_pem.group(1)
-        .encode()
-        .decode("unicode_escape")
-        .replace("\\/", "/"),
-        ca_cert=ca_pem,
-        expiration_timestamp=cert_expiry_timestamp,
-    )
+    match cert_format:
+        case CertificateFormat.PKCS12:
+            return _format_pkcs12(
+                private_key, cert_pem, ca_pem, uid, pwd, cert_expiry_timestamp
+            )
+        case CertificateFormat.PEM:
+            return _format_pem(private_key, cert_pem, ca_pem, cert_expiry_timestamp)