PyPI - qontract-reconcile - Versions diffs - 0.10.2.dev503__py3-none-any.whl → 0.10.2.dev505__py3-none-any.whl - Mend

qontract-reconcile 0.10.2.dev503py3-none-any.whl → 0.10.2.dev505py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

reconcile/utils/saasherder/saasherder.py CHANGED Viewed

@@ -70,6 +70,7 @@ from reconcile.utils.saasherder.interfaces import (
 from reconcile.utils.saasherder.models import (
     Channel,
     ImageAuth,
+    ImagePatternsBlockRule,
     Namespace,
     Promotion,
     SLOKey,
@@ -130,7 +131,8 @@ class SaasHerder:
         validate: bool = False,
         include_trigger_trace: bool = False,
         all_saas_files: Iterable[SaasFile] | None = None,
-    ):
+        image_patterns_block_rules: list[ImagePatternsBlockRule] | None = None,
+    ) -> None:
         self.error_registered = False
         self.saas_files = saas_files
         self.repo_urls = self._collect_repo_urls()
@@ -156,6 +158,9 @@ class SaasHerder:
         self.images: set[str] = set()
         self.blocked_versions = self._collect_blocked_versions()
         self.hotfix_versions = self._collect_hotfix_versions()
+        self.image_patterns_block_rules: list[ImagePatternsBlockRule] = (
+            image_patterns_block_rules or []
+        )
         # each namespace is in fact a target,
         # so we can use it to calculate.
@@ -1187,6 +1192,73 @@ class SaasHerder:
             )
         return None
+    def _is_block_rule_violated(
+        self,
+        block_rule: ImagePatternsBlockRule,
+        env_labels: dict[str, str] | None,
+        images: set[str],
+        spec: TargetSpec,
+    ) -> bool:
+        """Check if a block rule is violated for the given environment and images.
+        Args:
+            block_rule: Block rule with environmentLabelSelector and imagePatterns
+            env_labels: Environment labels dictionary
+            images: Set of image URLs to check
+            spec: TargetSpec for error reporting
+        Returns:
+            True if rule is violated, False otherwise
+        """
+        if not env_labels:
+            return False
+        # Check if environment labels match the selector
+        env_selector = block_rule.environment_label_selector or {}
+        if not all(env_labels.get(key) == value for key, value in env_selector.items()):
+            return False
+        # Check if any images match blocked patterns
+        blocked_images = [
+            image
+            for image in images
+            if any(image.startswith(pattern) for pattern in block_rule.image_patterns)
+        ]
+        if blocked_images:
+            logging.error(
+                f"{spec.error_prefix} Target contains blocked image patterns "
+                f"({', '.join(block_rule.image_patterns)}) for environment matching "
+                f"selector {env_selector}: {', '.join(blocked_images)}. "
+                f"These images are not allowed in this environment."
+            )
+            return True
+        return False
+    def _check_blocked_image_patterns(
+        self,
+        spec: TargetSpec,
+        images_set: set[str],
+    ) -> bool:
+        """Check if images violate any block rules for the given spec.
+        Args:
+            spec: TargetSpec with target and environment information
+            images_set: Set of image URLs to check
+        Returns:
+            True if any violations are found, False otherwise
+        """
+        if not self.image_patterns_block_rules or not images_set:
+            return False  # no rules configured or no images, no violations
+        env_labels = spec.target.namespace.environment.labels
+        return any(
+            self._is_block_rule_violated(block_rule, env_labels, images_set, spec)
+            for block_rule in self.image_patterns_block_rules
+        )
     def _check_images(
         self,
         spec: TargetSpec,
@@ -1199,6 +1271,12 @@ class SaasHerder:
         self.images.update(images_set)
         if not images_set:
             return False  # no errors
+        # Check blocked image patterns
+        if self._check_blocked_image_patterns(spec, images_set):
+            return True  # violations found
+        # imagePatterns validation
         images = threaded.run(
             self._get_image,
             images_set,

tools/cli_commands/systems_and_tools.py CHANGED Viewed

@@ -85,12 +85,6 @@ from reconcile.gql_definitions.statuspage.statuspages import (
 from reconcile.gql_definitions.statuspage.statuspages import (
     StatusPageV1,
 )
-from reconcile.gql_definitions.terraform_cloudflare_resources.terraform_cloudflare_accounts import (
-    DEFINITION as CLOUDFLARE_ACCOUNTS_DEFINITION,
-)
-from reconcile.gql_definitions.terraform_cloudflare_resources.terraform_cloudflare_accounts import (
-    CloudflareAccountV1,
-)
 from reconcile.gql_definitions.terraform_tgw_attachments.aws_accounts import (
     DEFINITION as AWS_ACCOUNTS_DEFINITION,
 )
@@ -110,7 +104,6 @@ from reconcile.gql_definitions.vault_instances.vault_instances import (
     VaultInstanceV1,
 )
 from reconcile.statuspage.integration import get_status_pages
-from reconcile.typed_queries.cloudflare import get_cloudflare_accounts
 from reconcile.typed_queries.clusters import get_clusters
 from reconcile.typed_queries.dynatrace import get_dynatrace_environments
 from reconcile.typed_queries.gitlab_instances import (
@@ -180,8 +173,6 @@ class SystemTool(BaseModel):
                 return cls.init_from_unleash_instance(model, enumeration)
             case VaultInstanceV1():
                 return cls.init_from_vault_instance(model, enumeration)
-            case CloudflareAccountV1():
-                return cls.init_from_cloudflare_account(model, enumeration)
             case AppCodeComponentsV1():
                 return cls.init_from_code_component(model, enumeration)
             case _:
@@ -368,19 +359,6 @@ class SystemTool(BaseModel):
             enumeration=enumeration,
         )
-    @classmethod
-    def init_from_cloudflare_account(
-        cls, a: CloudflareAccountV1, enumeration: Any
-    ) -> Self:
-        return cls(
-            system_type="cloudflare",
-            system_id=a.name,
-            name=a.name,
-            url="https://dash.cloudflare.com/",
-            description=a.description,
-            enumeration=enumeration,
-        )
     @classmethod
     def init_from_code_component(cls, c: AppCodeComponentsV1, enumeration: Any) -> Self:
         return cls(
@@ -469,7 +447,6 @@ def get_systems_and_tools_inventory() -> SystemToolInventory:
     inventory.update(get_status_pages(), STATUS_PAGES_DEFINITION)
     inventory.update(get_unleash_instances(), UNLEASH_INSTANCES_DEFINITION)
     inventory.update(get_vault_instances(), VAULT_INSTANCES_DEFINITION)
-    inventory.update(get_cloudflare_accounts(), CLOUDFLARE_ACCOUNTS_DEFINITION)
     inventory.update(
         [
             c

reconcile/gql_definitions/terraform_cloudflare_dns/__init__.py DELETED Viewed

File without changes

reconcile/gql_definitions/terraform_cloudflare_dns/app_interface_cloudflare_dns_settings.py DELETED Viewed

@@ -1,62 +0,0 @@
-"""
-Generated by qenerate plugin=pydantic_v2. DO NOT MODIFY MANUALLY!
-"""
-from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
-from datetime import datetime  # noqa: F401 # pylint: disable=W0611
-from enum import Enum  # noqa: F401 # pylint: disable=W0611
-from typing import (  # noqa: F401 # pylint: disable=W0611
-    Any,
-    Optional,
-    Union,
-)
-from pydantic import (  # noqa: F401 # pylint: disable=W0611
-    BaseModel,
-    ConfigDict,
-    Field,
-    Json,
-)
-DEFINITION = """
-query AppInterfaceSettingCloudflareDNS {
-  settings: app_interface_settings_v1 {
-    cloudflareDNSZoneMaxRecords
-    vault
-  }
-}
-"""
-class ConfiguredBaseModel(BaseModel):
-    model_config = ConfigDict(
-        extra='forbid'
-    )
-class AppInterfaceSettingsV1(ConfiguredBaseModel):
-    cloudflare_dns_zone_max_records: Optional[int] = Field(..., alias="cloudflareDNSZoneMaxRecords")
-    vault: bool = Field(..., alias="vault")
-class AppInterfaceSettingCloudflareDNSQueryData(ConfiguredBaseModel):
-    settings: Optional[list[AppInterfaceSettingsV1]] = Field(..., alias="settings")
-def query(query_func: Callable, **kwargs: Any) -> AppInterfaceSettingCloudflareDNSQueryData:
-    """
-    This is a convenience function which queries and parses the data into
-    concrete types. It should be compatible with most GQL clients.
-    You do not have to use it to consume the generated data classes.
-    Alternatively, you can also mime and alternate the behavior
-    of this function in the caller.
-    Parameters:
-        query_func (Callable): Function which queries your GQL Server
-        kwargs: optional arguments that will be passed to the query function
-    Returns:
-        AppInterfaceSettingCloudflareDNSQueryData: queried data parsed into generated classes
-    """
-    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
-    return AppInterfaceSettingCloudflareDNSQueryData(**raw_data)

reconcile/gql_definitions/terraform_cloudflare_dns/terraform_cloudflare_zones.py DELETED Viewed

@@ -1,193 +0,0 @@
-"""
-Generated by qenerate plugin=pydantic_v2. DO NOT MODIFY MANUALLY!
-"""
-from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
-from datetime import datetime  # noqa: F401 # pylint: disable=W0611
-from enum import Enum  # noqa: F401 # pylint: disable=W0611
-from typing import (  # noqa: F401 # pylint: disable=W0611
-    Any,
-    Optional,
-    Union,
-)
-from pydantic import (  # noqa: F401 # pylint: disable=W0611
-    BaseModel,
-    ConfigDict,
-    Field,
-    Json,
-)
-from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
-DEFINITION = """
-fragment VaultSecret on VaultSecret_v1 {
-  path
-  field
-  version
-  format
-}
-query CloudflareDnsZone {
-  zones: cloudflare_dns_zone_v1 {
-    identifier
-    zone
-    account {
-      name
-      type
-      description
-      providerVersion
-      enforceTwofactor
-      apiCredentials {
-        ...VaultSecret
-      }
-      terraformStateAccount {
-        name
-        consoleUrl
-        terraformUsername
-        automationToken {
-          ...VaultSecret
-        }
-        terraformState {
-          provider
-          bucket
-          region
-          integrations {
-            integration
-            key
-          }
-        }
-      }
-      deletionApprovals {
-        expiration
-        name
-        type
-      }
-    }
-    records {
-      identifier
-      name
-      type
-      ttl
-      value
-      priority
-      proxied
-      data {
-        algorithm
-        protocol
-        public_key
-        digest_type
-        digest
-        key_tag
-        flags
-        tag
-        value
-      }
-    }
-    type
-    plan
-    max_records
-    delete
-  }
-}
-"""
-class ConfiguredBaseModel(BaseModel):
-    model_config = ConfigDict(
-        extra='forbid'
-    )
-class AWSTerraformStateIntegrationsV1(ConfiguredBaseModel):
-    integration: str = Field(..., alias="integration")
-    key: str = Field(..., alias="key")
-class TerraformStateAWSV1(ConfiguredBaseModel):
-    provider: str = Field(..., alias="provider")
-    bucket: str = Field(..., alias="bucket")
-    region: str = Field(..., alias="region")
-    integrations: list[AWSTerraformStateIntegrationsV1] = Field(..., alias="integrations")
-class AWSAccountV1(ConfiguredBaseModel):
-    name: str = Field(..., alias="name")
-    console_url: str = Field(..., alias="consoleUrl")
-    terraform_username: Optional[str] = Field(..., alias="terraformUsername")
-    automation_token: VaultSecret = Field(..., alias="automationToken")
-    terraform_state: Optional[TerraformStateAWSV1] = Field(..., alias="terraformState")
-class DeletionApprovalV1(ConfiguredBaseModel):
-    expiration: str = Field(..., alias="expiration")
-    name: str = Field(..., alias="name")
-    q_type: str = Field(..., alias="type")
-class CloudflareAccountV1(ConfiguredBaseModel):
-    name: str = Field(..., alias="name")
-    q_type: Optional[str] = Field(..., alias="type")
-    description: Optional[str] = Field(..., alias="description")
-    provider_version: str = Field(..., alias="providerVersion")
-    enforce_twofactor: Optional[bool] = Field(..., alias="enforceTwofactor")
-    api_credentials: VaultSecret = Field(..., alias="apiCredentials")
-    terraform_state_account: AWSAccountV1 = Field(..., alias="terraformStateAccount")
-    deletion_approvals: Optional[list[DeletionApprovalV1]] = Field(..., alias="deletionApprovals")
-class CloudflareDnsRecordDataSettingsV1(ConfiguredBaseModel):
-    algorithm: Optional[int] = Field(..., alias="algorithm")
-    protocol: Optional[int] = Field(..., alias="protocol")
-    public_key: Optional[str] = Field(..., alias="public_key")
-    digest_type: Optional[int] = Field(..., alias="digest_type")
-    digest: Optional[str] = Field(..., alias="digest")
-    key_tag: Optional[int] = Field(..., alias="key_tag")
-    flags: Optional[int] = Field(..., alias="flags")
-    tag: Optional[str] = Field(..., alias="tag")
-    value: Optional[str] = Field(..., alias="value")
-class CloudflareDnsRecordV1(ConfiguredBaseModel):
-    identifier: str = Field(..., alias="identifier")
-    name: str = Field(..., alias="name")
-    q_type: str = Field(..., alias="type")
-    ttl: int = Field(..., alias="ttl")
-    value: Optional[str] = Field(..., alias="value")
-    priority: Optional[int] = Field(..., alias="priority")
-    proxied: Optional[bool] = Field(..., alias="proxied")
-    data: Optional[CloudflareDnsRecordDataSettingsV1] = Field(..., alias="data")
-class CloudflareDnsZoneV1(ConfiguredBaseModel):
-    identifier: str = Field(..., alias="identifier")
-    zone: str = Field(..., alias="zone")
-    account: CloudflareAccountV1 = Field(..., alias="account")
-    records: Optional[list[CloudflareDnsRecordV1]] = Field(..., alias="records")
-    q_type: Optional[str] = Field(..., alias="type")
-    plan: Optional[str] = Field(..., alias="plan")
-    max_records: Optional[int] = Field(..., alias="max_records")
-    delete: Optional[bool] = Field(..., alias="delete")
-class CloudflareDnsZoneQueryData(ConfiguredBaseModel):
-    zones: Optional[list[CloudflareDnsZoneV1]] = Field(..., alias="zones")
-def query(query_func: Callable, **kwargs: Any) -> CloudflareDnsZoneQueryData:
-    """
-    This is a convenience function which queries and parses the data into
-    concrete types. It should be compatible with most GQL clients.
-    You do not have to use it to consume the generated data classes.
-    Alternatively, you can also mime and alternate the behavior
-    of this function in the caller.
-    Parameters:
-        query_func (Callable): Function which queries your GQL Server
-        kwargs: optional arguments that will be passed to the query function
-    Returns:
-        CloudflareDnsZoneQueryData: queried data parsed into generated classes
-    """
-    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
-    return CloudflareDnsZoneQueryData(**raw_data)

reconcile/gql_definitions/terraform_cloudflare_resources/__init__.py DELETED Viewed

File without changes

reconcile/gql_definitions/terraform_cloudflare_resources/terraform_cloudflare_accounts.py DELETED Viewed

@@ -1,127 +0,0 @@
-"""
-Generated by qenerate plugin=pydantic_v2. DO NOT MODIFY MANUALLY!
-"""
-from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
-from datetime import datetime  # noqa: F401 # pylint: disable=W0611
-from enum import Enum  # noqa: F401 # pylint: disable=W0611
-from typing import (  # noqa: F401 # pylint: disable=W0611
-    Any,
-    Optional,
-    Union,
-)
-from pydantic import (  # noqa: F401 # pylint: disable=W0611
-    BaseModel,
-    ConfigDict,
-    Field,
-    Json,
-)
-from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
-DEFINITION = """
-fragment VaultSecret on VaultSecret_v1 {
-  path
-  field
-  version
-  format
-}
-query TerraformCloudflareAccounts {
-  accounts: cloudflare_accounts_v1 {
-    name
-    description
-    providerVersion
-    apiCredentials {
-      ...VaultSecret
-    }
-    terraformStateAccount {
-      name
-      automationToken {
-        ...VaultSecret
-      }
-      terraformState {
-        provider
-        bucket
-        region
-        integrations {
-          integration
-          key
-        }
-      }
-    }
-    deletionApprovals {
-      expiration
-      name
-      type
-    }
-    enforceTwofactor
-    type
-  }
-}
-"""
-class ConfiguredBaseModel(BaseModel):
-    model_config = ConfigDict(
-        extra='forbid'
-    )
-class AWSTerraformStateIntegrationsV1(ConfiguredBaseModel):
-    integration: str = Field(..., alias="integration")
-    key: str = Field(..., alias="key")
-class TerraformStateAWSV1(ConfiguredBaseModel):
-    provider: str = Field(..., alias="provider")
-    bucket: str = Field(..., alias="bucket")
-    region: str = Field(..., alias="region")
-    integrations: list[AWSTerraformStateIntegrationsV1] = Field(..., alias="integrations")
-class AWSAccountV1(ConfiguredBaseModel):
-    name: str = Field(..., alias="name")
-    automation_token: VaultSecret = Field(..., alias="automationToken")
-    terraform_state: Optional[TerraformStateAWSV1] = Field(..., alias="terraformState")
-class DeletionApprovalV1(ConfiguredBaseModel):
-    expiration: str = Field(..., alias="expiration")
-    name: str = Field(..., alias="name")
-    q_type: str = Field(..., alias="type")
-class CloudflareAccountV1(ConfiguredBaseModel):
-    name: str = Field(..., alias="name")
-    description: Optional[str] = Field(..., alias="description")
-    provider_version: str = Field(..., alias="providerVersion")
-    api_credentials: VaultSecret = Field(..., alias="apiCredentials")
-    terraform_state_account: AWSAccountV1 = Field(..., alias="terraformStateAccount")
-    deletion_approvals: Optional[list[DeletionApprovalV1]] = Field(..., alias="deletionApprovals")
-    enforce_twofactor: Optional[bool] = Field(..., alias="enforceTwofactor")
-    q_type: Optional[str] = Field(..., alias="type")
-class TerraformCloudflareAccountsQueryData(ConfiguredBaseModel):
-    accounts: Optional[list[CloudflareAccountV1]] = Field(..., alias="accounts")
-def query(query_func: Callable, **kwargs: Any) -> TerraformCloudflareAccountsQueryData:
-    """
-    This is a convenience function which queries and parses the data into
-    concrete types. It should be compatible with most GQL clients.
-    You do not have to use it to consume the generated data classes.
-    Alternatively, you can also mime and alternate the behavior
-    of this function in the caller.
-    Parameters:
-        query_func (Callable): Function which queries your GQL Server
-        kwargs: optional arguments that will be passed to the query function
-    Returns:
-        TerraformCloudflareAccountsQueryData: queried data parsed into generated classes
-    """
-    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
-    return TerraformCloudflareAccountsQueryData(**raw_data)

qontract-reconcile 0.10.2.dev503__py3-none-any.whl → 0.10.2.dev505__py3-none-any.whl

qontract-reconcile 0.10.2.dev503py3-none-any.whl → 0.10.2.dev505py3-none-any.whl