qontract-reconcile 0.10.2.dev481__py3-none-any.whl → 0.10.2.dev484__py3-none-any.whl

{qontract_reconcile-0.10.2.dev481.dist-info → qontract_reconcile-0.10.2.dev484.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: qontract-reconcile
-Version: 0.10.2.dev481
+Version: 0.10.2.dev484
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Project-URL: homepage, https://github.com/app-sre/qontract-reconcile
 Project-URL: repository, https://github.com/app-sre/qontract-reconcile

{qontract_reconcile-0.10.2.dev481.dist-info → qontract_reconcile-0.10.2.dev484.dist-info}/RECORD

@@ -8,7 +8,7 @@ reconcile/aws_iam_password_reset.py,sha256=5oajSspJVAvpGd445hKsxtEGYb75dM4l1_PJT
 reconcile/aws_support_cases_sos.py,sha256=G9g0oM6ohvuJ5N592ePjiPeaDug4_vapAy58RyG-S3Y,3478
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=O1wFp52EyF538c6txaWBs8eMtUIy19gyHZ6VzJ6QXS8,3512
 reconcile/checkpoint.py,sha256=Q5Ru36ZEwWw95ZkUXBf4VfvCmqDS9TcAF7QVroOf9Vk,5375
-reconcile/cli.py,sha256=EqwFVBlDDABGD0j35I4nnw2NSis1d3NqKrOi262B7v4,115258
+reconcile/cli.py,sha256=ZHOM3LPTUyKJy-N7p9OSyrJsb8pWGCsUFthBvJgjUkE,115887
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=_OKz7K7HHw0-gzxeEma8PcUCtd70pRBy7JMoaAm8IVU,4940
 reconcile/cluster_deployment_mapper.py,sha256=aKroYLY6-nNxWi2jxDu7VRMuNZ3YgSI0J6ek7Fet2AQ,2241
 reconcile/dashdotdb_base.py,sha256=83ZWIf5JJk3P_D69y2TmXRcQr6ELJGlv10OM0h7fJVs,4767
@@ -56,7 +56,6 @@ reconcile/ocm_update_recommended_version.py,sha256=Vi3Y2sX-OQxx1mv_xiPQXnmrpsZzG
 reconcile/ocm_upgrade_scheduler_org_updater.py,sha256=j4qthqx8qREB6mSbV9NT-Giq1Tu5y2EhPgIObkvmjyU,4371
 reconcile/openshift_base.py,sha256=ERc8BELzWr8PF8SQtBbcYkzvudLe676ecEmS09MYZz0,57929
 reconcile/openshift_cluster_bots.py,sha256=QBflmFjXaIY7bxNlI2qSI5sER3Jks-_FAhrPHschI4g,10939
-reconcile/openshift_clusterrolebindings.py,sha256=jwSaYQvUUY7noQGc148Dkqm6woYxvOEd1sume7k_sUk,6212
 reconcile/openshift_groups.py,sha256=XpIyhgnWY1XUQio1wi6sHoDtoMYdk-lpHp0-1d1RC7o,9471
 reconcile/openshift_limitranges.py,sha256=-MVmUWMMLUbX50GuZ-XClm4RIH8uIKNqAAMYD1IIs0I,4017
 reconcile/openshift_namespace_labels.py,sha256=zjQNini7qgb-x_0QRBfD1zVBeX_5Pgk8ixDkBA4v488,16241
@@ -67,7 +66,6 @@ reconcile/openshift_resourcequotas.py,sha256=0CSuCre3T2ON42Ku1UDhTRugfmUNBx8PILp
 reconcile/openshift_resources.py,sha256=YnhDxCvsp0muxEmULiqWhoar9EzxohTrnbY-U7oS5Hc,1603
 reconcile/openshift_resources_base.py,sha256=wOdQMLqaiQleQTsC8MH9nwpBKFffLcOuZthpOcc1heE,43096
 reconcile/openshift_rhcs_certs.py,sha256=UjBFX344n4eFXZmoEUCVeGECBowWTpbjNyPGrEzAmkA,11544
-reconcile/openshift_rolebindings.py,sha256=G4n7wWTGZ34OsRgen0L3EpdPXuFEdZ_1E-b3ROvSb4I,10824
 reconcile/openshift_routes.py,sha256=xnA34f32xDdkfV2MXIC1QURFJioQUsXT8AZBiY7iSP0,1298
 reconcile/openshift_saas_deploy.py,sha256=YQRIjnb-V6x1a0fUv2w3hqjMj5tyqRirzkG8DzknYdc,13159
 reconcile/openshift_saas_deploy_change_tester.py,sha256=6wU7rFCaTRU1Wj8Izi6ExLvQstwqDbr9n9YfyPcb6zQ,8854
@@ -80,7 +78,7 @@ reconcile/openshift_saas_deploy_trigger_upstream_jobs.py,sha256=TBMQXyMktbCV1uI5
 reconcile/openshift_serviceaccount_tokens.py,sha256=y8pW6j_0ELTDrahZ0Fr-6St5ww1iJWCrPdAW3O-8rRA,9034
 reconcile/openshift_tekton_resources.py,sha256=5mUWEQqU9RpMLQZxHOb6IkbbZzx4iJnaVubGi2xVJLs,16368
 reconcile/openshift_upgrade_watcher.py,sha256=93l8X1-RHNtL89GzPg1XWivWart49l_hpAVFChvT6Wg,6643
-reconcile/openshift_users.py,sha256=lxHYrOhKntLnRy5mVZfh_8XWvwZaUgzrDNqkoon905U,5508
+reconcile/openshift_users.py,sha256=aQfScWJlvMcXc0ApeQMZiDYdmh8zPSAwG6v6XrEDYhw,7015
 reconcile/openshift_vault_secrets.py,sha256=Ax-_EBWWU1VRHYyKaUkGJkIjHGwWM3bZgjXL5CkPW8k,1883
 reconcile/quay_base.py,sha256=4gNca076ICJ2fDoTwCgcA3L-DqmVmBgHWLCubTk78uc,2832
 reconcile/quay_membership.py,sha256=tSS1j34RzoMXZJHmeuW3yVyM2E9onSha9SMJO3RcUMo,7694
@@ -253,6 +251,7 @@ reconcile/gql_definitions/cluster_auth_rhidp/clusters.py,sha256=f6h8AWhovxTwlqZC
 reconcile/gql_definitions/common/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/common/alerting_services_settings.py,sha256=gjdxA7DoIPvFSCo-4m4xY5msxagNLcjlwNapt0RptSw,1792
 reconcile/gql_definitions/common/app_code_component_repos.py,sha256=EB_Ri23uTZdL47hoBXIr3RNvD1WSLF81EddAwoAAH-w,2029
+reconcile/gql_definitions/common/app_interface_clusterrole.py,sha256=aLTUToIYoGggMT5B2MTH12IG9E3Gs2gI6xg2voMnHK0,2868
 reconcile/gql_definitions/common/app_interface_custom_messages.py,sha256=_EyRjSdfOj76gGyFWATNSrDmLWk1htVqPqtY5EubPaY,1995
 reconcile/gql_definitions/common/app_interface_dms_settings.py,sha256=1XU0IctKM8K5XaGz7XIvAQpfV7eCRmloL6DK7KAYjvw,2563
 reconcile/gql_definitions/common/app_interface_repo_settings.py,sha256=1kDNoj0SuqNxc_Xjr1oFAA5KQe8EuJOCGlu8yLArkdU,1749
@@ -448,6 +447,12 @@ reconcile/ocm_internal_notifications/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeu
 reconcile/ocm_internal_notifications/integration.py,sha256=MX0nXFNMS5mUAPVYAxK8MfXJ-pYanvOgyK3M5iALCZ0,4480
 reconcile/ocm_labels/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/ocm_labels/integration.py,sha256=3iAfeT_lycgKGZCrycIc6b9aofBRmcVlJivORAzy-mE,15298
+reconcile/openshift_bindings/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/openshift_bindings/constants.py,sha256=ox61yleIBG68wx-oqPiS4ZRj3RaoafGpeOh0g5rxtBI,303
+reconcile/openshift_bindings/models.py,sha256=rHnjN5gbmcrL7gqLZpTr1-9un6GaDnvm3IXnInGMRps,8872
+reconcile/openshift_bindings/openshift_clusterrolebindings.py,sha256=QhkU6x05uQEQrn8odW3zn3aY9MDUNzl6UHfJpuRCG3o,4827
+reconcile/openshift_bindings/openshift_rolebindings.py,sha256=7C4bUCPBG3QxQvuL4C33wCfrDjEHLpEQ243QFUeOUw0,5152
+reconcile/openshift_bindings/utils.py,sha256=4o4XwGAOOzBFw7MpowfrqfUKA7H0IU0_D9hQgIMJdg0,542
 reconcile/oum/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/oum/base.py,sha256=WCFdHOHXLPrJcvxVqw6HjaJthT7olC5BQqqXlD4DM6c,13552
 reconcile/oum/labelset.py,sha256=oZ_nV2ca8GU8iZptPdIqgCKgzQ2Wq89H8OiTGRIkWhw,2202
@@ -523,6 +528,7 @@ reconcile/terraform_vpc_resources/merge_request.py,sha256=MFRG7JQojmCTgr-9rLXVot
 reconcile/terraform_vpc_resources/merge_request_manager.py,sha256=0_FT_DKE39DU2NJ2dWQVy6mCdIo4T7n2tSdklUyH6S0,4124
 reconcile/typed_queries/__init__.py,sha256=rRk4CyslLsBr4vAh1pIPgt6s3P4R1M9NSEPLnyQgBpk,61
 reconcile/typed_queries/alerting_services_settings.py,sha256=YKQd60O_2C_H103nLrYgcUInndM2vFypqW_NO706L2E,833
+reconcile/typed_queries/app_interface_clusterroles.py,sha256=0pR9uebFTnfEukvumQyz2oomSLP9Z5ILoVVSNTEpULk,266
 reconcile/typed_queries/app_interface_custom_messages.py,sha256=bgSAJEzqee8aiPVCj_bIIqb4VTkrF0-vti1dos7ebEg,684
 reconcile/typed_queries/app_interface_deadmanssnitch_settings.py,sha256=znhfiAawUTYSWabZiKDKeexR_-48z9FZ44sxD-MwA14,638
 reconcile/typed_queries/app_interface_repo_url.py,sha256=9fhgWihjWNYOmK65irBWw9jdm7YPJNUWqZC1Ez__PFc,578
@@ -803,7 +809,7 @@ tools/saas_promotion_state/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 tools/saas_promotion_state/saas_promotion_state.py,sha256=uQv2QJAmUXP1g2GPIH30WTlvL9soY6m9lefpZEVDM5w,3965
 tools/sre_checkpoints/__init__.py,sha256=CDaDaywJnmRCLyl_NCcvxi-Zc0hTi_3OdwKiFOyS39I,145
 tools/sre_checkpoints/util.py,sha256=KcYVfa3UmJHVP_ocgrKe8NkrO5IDB9aWEDydSokPcRk,975
-qontract_reconcile-0.10.2.dev481.dist-info/METADATA,sha256=M9TKHf5Kbti2-70-Mj0QGQlVCAihy0yea_mC5JyNgrg,24901
-qontract_reconcile-0.10.2.dev481.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-qontract_reconcile-0.10.2.dev481.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
-qontract_reconcile-0.10.2.dev481.dist-info/RECORD,,
+qontract_reconcile-0.10.2.dev484.dist-info/METADATA,sha256=BlX3qhbod6w_uXAw5N_cu67mBLoQxpBI9AhsXBvluv4,24901
+qontract_reconcile-0.10.2.dev484.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+qontract_reconcile-0.10.2.dev484.dist-info/entry_points.txt,sha256=5i9l54La3vQrDLAdwDKQWC0iG4sV9RRfOb1BpvzOWLc,698
+qontract_reconcile-0.10.2.dev484.dist-info/RECORD,,

reconcile/cli.py

@@ -776,16 +776,25 @@ def github_validator(ctx: click.Context) -> None:
 @use_jump_host()
 @click.pass_context
 def openshift_clusterrolebindings(
-    ctx: click.Context, thread_pool_size: int, internal: bool, use_jump_host: bool
+    ctx: click.Context,
+    thread_pool_size: int,
+    internal: bool,
+    use_jump_host: bool,
 ) -> None:
-    import reconcile.openshift_clusterrolebindings
+    from reconcile.openshift_bindings.openshift_clusterrolebindings import (
+        OpenShiftClusterRoleBindingsIntegration,
+        OpenShiftClusterRoleBindingsIntegrationParams,
+    )
 
-    run_integration(
-        reconcile.openshift_clusterrolebindings,
-        ctx,
-        thread_pool_size,
-        internal,
-        use_jump_host,
+    run_class_integration(
+        integration=OpenShiftClusterRoleBindingsIntegration(
+            OpenShiftClusterRoleBindingsIntegrationParams(
+                thread_pool_size=thread_pool_size,
+                internal=internal,
+                use_jump_host=use_jump_host,
+            )
+        ),
+        ctx=ctx,
     )
 
 
@@ -808,15 +817,21 @@ def openshift_rolebindings(
     use_jump_host: bool,
     support_role_ref: bool,
 ) -> None:
-    import reconcile.openshift_rolebindings
+    from reconcile.openshift_bindings.openshift_rolebindings import (
+        OpenShiftRoleBindingsIntegration,
+        OpenShiftRoleBindingsIntegrationParams,
+    )
 
-    run_integration(
-        reconcile.openshift_rolebindings,
-        ctx,
-        thread_pool_size,
-        internal,
-        use_jump_host,
-        support_role_ref,
+    run_class_integration(
+        integration=OpenShiftRoleBindingsIntegration(
+            OpenShiftRoleBindingsIntegrationParams(
+                thread_pool_size=thread_pool_size,
+                internal=internal,
+                use_jump_host=use_jump_host,
+                support_role_ref=support_role_ref,
+            )
+        ),
+        ctx=ctx,
     )
 
 

reconcile/gql_definitions/common/app_interface_clusterrole.py

@@ -0,0 +1,104 @@
+"""
+Generated by qenerate plugin=pydantic_v2. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    ConfigDict,
+    Field,
+    Json,
+)
+
+
+DEFINITION = """
+query AppInterfaceClusterRoles {
+    clusterRoles: roles_v1 {
+    name
+    users {
+      org_username
+      github_username
+    }
+    bots {
+      openshift_serviceaccount
+    }
+    access {
+      cluster {
+        name
+        auth {
+          service
+        }
+      }
+      clusterRole
+    }
+    expirationDate
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid'
+    )
+
+
+class UserV1(ConfiguredBaseModel):
+    org_username: str = Field(..., alias="org_username")
+    github_username: str = Field(..., alias="github_username")
+
+
+class BotV1(ConfiguredBaseModel):
+    openshift_serviceaccount: Optional[str] = Field(..., alias="openshift_serviceaccount")
+
+
+class ClusterAuthV1(ConfiguredBaseModel):
+    service: str = Field(..., alias="service")
+
+
+class ClusterV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    auth: list[ClusterAuthV1] = Field(..., alias="auth")
+
+
+class AccessV1(ConfiguredBaseModel):
+    cluster: Optional[ClusterV1] = Field(..., alias="cluster")
+    cluster_role: Optional[str] = Field(..., alias="clusterRole")
+
+
+class RoleV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    users: list[UserV1] = Field(..., alias="users")
+    bots: list[BotV1] = Field(..., alias="bots")
+    access: Optional[list[AccessV1]] = Field(..., alias="access")
+    expiration_date: Optional[str] = Field(..., alias="expirationDate")
+
+
+class AppInterfaceClusterRolesQueryData(ConfiguredBaseModel):
+    cluster_roles: Optional[list[RoleV1]] = Field(..., alias="clusterRoles")
+
+
+def query(query_func: Callable, **kwargs: Any) -> AppInterfaceClusterRolesQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        AppInterfaceClusterRolesQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return AppInterfaceClusterRolesQueryData(**raw_data)

reconcile/openshift_bindings/constants.py

@@ -0,0 +1,7 @@
+OPENSHIFT_ROLEBINDINGS_INTEGRATION_NAME = "openshift-rolebindings"
+OPENSHIFT_CLUSTERROLEBINDINGS_INTEGRATION_NAME = "openshift-clusterrolebindings"
+
+ROLE_BINDING_RESOURCE_KIND = "RoleBinding"
+CLUSTER_ROLE_BINDING_RESOURCE_KIND = "ClusterRoleBinding"
+ROLE_KIND = "Role"
+CLUSTER_ROLE_KIND = "ClusterRole"

reconcile/openshift_bindings/models.py

@@ -0,0 +1,264 @@
+"""Shared data models for openshift-rolebindings and openshift-clusterrolebindings integrations."""
+
+from collections.abc import Sequence
+from typing import Any, Self
+
+from pydantic import BaseModel
+
+import reconcile.openshift_base as ob
+from reconcile.gql_definitions.common.app_interface_clusterrole import (
+    BotV1 as ClusterBotV1,
+)
+from reconcile.gql_definitions.common.app_interface_clusterrole import (
+    ClusterV1 as ClusterRoleClusterV1,
+)
+from reconcile.gql_definitions.common.app_interface_clusterrole import (
+    RoleV1 as ClusterRoleV1,
+)
+from reconcile.gql_definitions.common.app_interface_clusterrole import (
+    UserV1 as ClusterUserV1,
+)
+from reconcile.gql_definitions.common.app_interface_roles import (
+    AccessV1,
+    NamespaceV1,
+    RoleV1,
+    UserV1,
+)
+from reconcile.gql_definitions.common.app_interface_roles import (
+    BotV1 as RoleBotV1,
+)
+from reconcile.gql_definitions.common.app_interface_roles import (
+    ClusterV1 as RoleClusterV1,
+)
+from reconcile.openshift_bindings.constants import (
+    CLUSTER_ROLE_BINDING_RESOURCE_KIND,
+    CLUSTER_ROLE_KIND,
+    ROLE_BINDING_RESOURCE_KIND,
+    ROLE_KIND,
+)
+from reconcile.openshift_bindings.utils import is_valid_namespace
+from reconcile.utils.openshift_resource import OpenshiftResource as OR
+
+
+def get_usernames_from_users(
+    users: Sequence[UserV1 | ClusterUserV1] | None,
+    user_keys: list[str] | None = None,
+) -> set[str]:
+    return {
+        name
+        for user in users or []
+        for user_key in user_keys or []
+        if (name := getattr(user, user_key, None))
+    }
+
+
+class OCResource(BaseModel, arbitrary_types_allowed=True):
+    """Represents an OpenShift resource with metadata."""
+
+    resource: OR
+    resource_name: str
+    privileged: bool = False
+
+
+class OCResourceData(BaseModel):
+    body: dict[str, Any]
+    name: str
+
+
+class ServiceAccountSpec(BaseModel):
+    """Service account specification with namespace and name."""
+
+    sa_namespace_name: str
+    sa_name: str
+
+    @classmethod
+    def from_bots(cls, bots: Sequence[RoleBotV1 | ClusterBotV1] | None) -> list[Self]:
+        """Create ServiceAccountSpec list from bot configurations."""
+        return [
+            cls(
+                sa_namespace_name=full_service_account[0],
+                sa_name=full_service_account[1],
+            )
+            for bot in bots or []
+            if bot.openshift_serviceaccount
+            and (full_service_account := bot.openshift_serviceaccount.split("/"))
+            and len(full_service_account) == 2
+        ]
+
+
+class BindingSpec(BaseModel, arbitrary_types_allowed=True):
+    """Base specification for role bindings (cluster or namespace scoped)."""
+
+    role_name: str
+    role_kind: str  # "Role" or "ClusterRole"
+    cluster: RoleClusterV1 | ClusterRoleClusterV1
+    resource_kind: str
+    usernames: set[str]
+    openshift_service_accounts: list[ServiceAccountSpec]
+
+    def get_oc_resources(self) -> list[OCResourceData]:
+        user_oc_resources = [
+            self.construct_user_oc_resource(username) for username in self.usernames
+        ]
+        sa_oc_resources = [
+            self.construct_sa_oc_resource(sa.sa_namespace_name, sa.sa_name)
+            for sa in self.openshift_service_accounts
+        ]
+        return user_oc_resources + sa_oc_resources
+
+    def construct_user_oc_resource(self, username: str) -> OCResourceData:
+        name = f"{self.role_name}-{username}"
+        body: dict[str, Any] = {
+            "apiVersion": "rbac.authorization.k8s.io/v1",
+            "kind": self.resource_kind,
+            "metadata": {"name": name},
+            "roleRef": {"kind": self.role_kind, "name": self.role_name},
+            "subjects": [{"kind": "User", "name": username}],
+        }
+        return OCResourceData(body=body, name=name)
+
+    def construct_sa_oc_resource(
+        self, sa_namespace_name: str, sa_name: str
+    ) -> OCResourceData:
+        name = f"{self.role_name}-{sa_namespace_name}-{sa_name}"
+        body: dict[str, Any] = {
+            "apiVersion": "rbac.authorization.k8s.io/v1",
+            "kind": self.resource_kind,
+            "metadata": {"name": name},
+            "roleRef": {"kind": self.role_kind, "name": self.role_name},
+            "subjects": [
+                {
+                    "kind": "ServiceAccount",
+                    "name": sa_name,
+                    "namespace": sa_namespace_name,
+                }
+            ],
+        }
+        return OCResourceData(body=body, name=name)
+
+    def get_openshift_resources(
+        self,
+        integration_name: str,
+        integration_version: str,
+        privileged: bool = False,
+    ) -> list[OCResource]:
+        oc_resources = [
+            OCResource(
+                resource=OR(
+                    oc_resource_data.body,
+                    integration_name,
+                    integration_version,
+                    error_details=oc_resource_data.name,
+                ),
+                resource_name=oc_resource_data.name,
+                privileged=privileged,
+            )
+            for oc_resource_data in self.get_oc_resources()
+        ]
+        return oc_resources
+
+
+class RoleBindingSpec(BindingSpec):
+    """Namespace-scoped RoleBinding specification."""
+
+    namespace: NamespaceV1
+    privileged: bool = False
+
+    @classmethod
+    def create_role_binding_spec(
+        cls,
+        access: AccessV1,
+        users: list[UserV1] | None = None,
+        enforced_user_keys: list[str] | None = None,
+        bots: list[RoleBotV1] | None = None,
+        support_role_ref: bool = False,
+    ) -> Self | None:
+        """Create a RoleBindingSpec from access configuration."""
+        if not access.namespace:
+            return None
+        if not (access.role or access.cluster_role):
+            return None
+        privileged = access.namespace.cluster_admin or False
+        auth_dict = [
+            auth.model_dump(by_alias=True) for auth in access.namespace.cluster.auth
+        ]
+        usernames = get_usernames_from_users(
+            users,
+            ob.determine_user_keys_for_access(
+                access.namespace.cluster.name,
+                auth_dict,
+                enforced_user_keys,
+            ),
+        )
+        service_accounts = ServiceAccountSpec.from_bots(bots) if bots else []
+        role_kind = ROLE_KIND if access.role and support_role_ref else CLUSTER_ROLE_KIND
+        return cls(
+            role_name=access.role or access.cluster_role,
+            role_kind=role_kind,
+            namespace=access.namespace,
+            cluster=access.namespace.cluster,
+            privileged=privileged,
+            usernames=usernames,
+            openshift_service_accounts=service_accounts,
+            resource_kind=ROLE_BINDING_RESOURCE_KIND,
+        )
+
+    @classmethod
+    def create_rb_specs_from_role(
+        cls,
+        role: RoleV1,
+        enforced_user_keys: list[str] | None = None,
+        support_role_ref: bool = False,
+    ) -> list[Self]:
+        """Create list of RoleBindingSpec from a role configuration."""
+        rolebinding_spec_list = [
+            role_binding_spec
+            for access in role.access or []
+            if (
+                access.namespace
+                and is_valid_namespace(access.namespace)
+                and (
+                    role_binding_spec := cls.create_role_binding_spec(
+                        access,
+                        role.users,
+                        enforced_user_keys,
+                        role.bots,
+                        support_role_ref,
+                    )
+                )
+            )
+        ]
+        return rolebinding_spec_list
+
+
+class ClusterRoleBindingSpec(BindingSpec):
+    """Cluster-scoped ClusterRoleBinding specification."""
+
+    @classmethod
+    def create_cluster_role_binding_specs(
+        cls, cluster_role: ClusterRoleV1
+    ) -> list[Self]:
+        cluster_role_binding_specs = [
+            cls(
+                cluster=access.cluster,
+                usernames=get_usernames_from_users(
+                    users=cluster_role.users,
+                    user_keys=cls.get_user_keys(access.cluster),
+                ),
+                openshift_service_accounts=ServiceAccountSpec.from_bots(
+                    cluster_role.bots
+                ),
+                role_name=access.cluster_role,
+                role_kind=CLUSTER_ROLE_KIND,
+                resource_kind=CLUSTER_ROLE_BINDING_RESOURCE_KIND,
+            )
+            for access in cluster_role.access or []
+            if access.cluster and access.cluster_role
+        ]
+        return cluster_role_binding_specs
+
+    @classmethod
+    def get_user_keys(cls, cluster: ClusterRoleClusterV1) -> list[str] | None:
+        auth_dict = [auth.model_dump(by_alias=True) for auth in cluster.auth]
+        user_keys = ob.determine_user_keys_for_access(cluster.name, auth_dict)
+        return user_keys

reconcile/openshift_bindings/openshift_clusterrolebindings.py

@@ -0,0 +1,129 @@
+"""OpenShift ClusterRoleBindings integration.
+
+Manages cluster-scoped ClusterRoleBindings across OpenShift clusters.
+"""
+
+import sys
+from collections.abc import Callable
+from typing import TYPE_CHECKING
+
+import reconcile.openshift_base as ob
+from reconcile.openshift_bindings.constants import (
+    OPENSHIFT_CLUSTERROLEBINDINGS_INTEGRATION_NAME,
+)
+from reconcile.openshift_bindings.models import ClusterRoleBindingSpec
+from reconcile.typed_queries.app_interface_clusterroles import (
+    get_app_interface_clusterroles,
+)
+from reconcile.typed_queries.clusters import get_clusters
+from reconcile.utils import expiration
+from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
+from reconcile.utils.defer import defer
+from reconcile.utils.oc import OC_Map
+from reconcile.utils.openshift_resource import ResourceInventory
+from reconcile.utils.runtime.integration import (
+    PydanticRunParams,
+    QontractReconcileIntegration,
+)
+from reconcile.utils.semver_helper import make_semver
+
+if TYPE_CHECKING:
+    from reconcile.gql_definitions.common.app_interface_clusterrole import RoleV1
+
+QONTRACT_INTEGRATION_VERSION = make_semver(0, 1, 0)
+QONTRACT_INTEGRATION_MANAGED_TYPE = "ClusterRoleBinding.rbac.authorization.k8s.io"
+NAMESPACE_CLUSTER_SCOPE = "cluster"
+
+
+class OpenShiftClusterRoleBindingsIntegrationParams(PydanticRunParams):
+    thread_pool_size: int = DEFAULT_THREAD_POOL_SIZE
+    internal: bool | None = None
+    use_jump_host: bool = True
+
+
+class OpenShiftClusterRoleBindingsIntegration(
+    QontractReconcileIntegration[OpenShiftClusterRoleBindingsIntegrationParams],
+):
+    """Manages ClusterRoleBindings across OpenShift clusters."""
+
+    @defer
+    def run(self, dry_run: bool, defer: Callable | None = None) -> None:
+        ri, oc_map = self.fetch_current_state()
+        if defer:
+            defer(oc_map.cleanup)
+        self.fetch_desired_state(
+            ri,
+            allowed_clusters=set(oc_map.clusters()),
+        )
+        ob.publish_metrics(ri, self.name)
+        ob.realize_data(dry_run, oc_map, ri, self.params.thread_pool_size)
+        if ri.has_error_registered():
+            sys.exit(1)
+
+    @property
+    def name(self) -> str:
+        return OPENSHIFT_CLUSTERROLEBINDINGS_INTEGRATION_NAME
+
+    @property
+    def integration_version(self) -> str:
+        return QONTRACT_INTEGRATION_VERSION
+
+    def fetch_current_state(self) -> tuple[ResourceInventory, OC_Map]:
+        clusters = [
+            cluster.model_dump(by_alias=True)
+            for cluster in get_clusters()
+            if cluster.managed_cluster_roles and cluster.automation_token is not None
+        ]
+        return ob.fetch_current_state(
+            clusters=clusters,
+            thread_pool_size=self.params.thread_pool_size,
+            integration=self.name,
+            integration_version=self.integration_version,
+            override_managed_types=[QONTRACT_INTEGRATION_MANAGED_TYPE],
+            internal=self.params.internal,
+            use_jump_host=self.params.use_jump_host,
+        )
+
+    def fetch_desired_state(
+        self,
+        ri: ResourceInventory | None,
+        allowed_clusters: set[str] | None = None,
+    ) -> None:
+        if allowed_clusters is not None and not allowed_clusters:
+            return
+        if ri is None:
+            return
+        cluster_roles: list[RoleV1] = expiration.filter(
+            get_app_interface_clusterroles()
+        )
+        cluster_role_binding_specs = [
+            cluster_role_binding_spec
+            for cluster_role in cluster_roles
+            for cluster_role_binding_spec in ClusterRoleBindingSpec.create_cluster_role_binding_specs(
+                cluster_role
+            )
+        ]
+        if allowed_clusters:
+            cluster_role_binding_specs = [
+                cluster_role_binding_spec
+                for cluster_role_binding_spec in cluster_role_binding_specs
+                if cluster_role_binding_spec.cluster.name in allowed_clusters
+            ]
+        for cluster_role_binding_spec in cluster_role_binding_specs:
+            for oc_resource in cluster_role_binding_spec.get_openshift_resources(
+                self.name,
+                self.integration_version,
+            ):
+                if not ri.get_desired(
+                    cluster_role_binding_spec.cluster.name,
+                    NAMESPACE_CLUSTER_SCOPE,
+                    QONTRACT_INTEGRATION_MANAGED_TYPE,
+                    oc_resource.resource_name,
+                ):
+                    ri.add_desired(
+                        cluster=cluster_role_binding_spec.cluster.name,
+                        namespace=NAMESPACE_CLUSTER_SCOPE,
+                        resource_type=QONTRACT_INTEGRATION_MANAGED_TYPE,
+                        name=oc_resource.resource_name,
+                        value=oc_resource.resource,
+                    )