app-sre
diff --git a/‎.tekton/qontract-api-client-master-pull-request.yaml‎
Lines changed: 60 additions & 0 deletions b/‎.tekton/qontract-api-client-master-pull-request.yaml‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎.tekton/qontract-api-client-master-push.yaml‎
Lines changed: 59 additions & 0 deletions b/‎.tekton/qontract-api-client-master-push.yaml‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎.tekton/qontract-utils-master-pull-request.yaml‎
Lines changed: 60 additions & 0 deletions b/‎.tekton/qontract-utils-master-pull-request.yaml‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎.tekton/qontract-utils-master-push.yaml‎
Lines changed: 59 additions & 0 deletions b/‎.tekton/qontract-utils-master-push.yaml‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 0 additions & 5 deletions b/‎Makefile‎
Lines changed: 0 additions & 5 deletions
diff --git a/‎qontract_api/Dockerfile‎
Lines changed: 8 additions & 2 deletions b/‎qontract_api/Dockerfile‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎qontract_api/Makefile‎
Lines changed: 28 additions & 29 deletions b/‎qontract_api/Makefile‎
Lines changed: 28 additions & 29 deletions
@@ -0,0 +1,60 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/app-sre/qontract-reconcile?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "master") || (event == "push" && target_branch.startsWith("gh-readonly-queue/master/"))
+  labels:
+    appstudio.openshift.io/application: qontract-reconcile-master
+    appstudio.openshift.io/component: qontract-api-client-master
+    pipelines.appstudio.openshift.io/type: build
+  name: qontract-api-client-master-on-pull-request
+  namespace: app-sre-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/redhat-user-workloads/app-sre-tenant/qontract-reconcile-master/qontract-api-client-master:on-pr-{{revision}}
+  - name: image-expires-after
+    value: 5d
+  - name: dockerfile
+    value: qontract_api_client/Dockerfile
+  - name: path-context
+    value: .
+  - name: target-stage
+    value: test
+  pipelineRef:
+    params:
+    - name: url
+      value: https://github.com/app-sre/shared-pipelines
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/multi-arch-build-pipeline.yaml
+    resolver: git
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-qontract-api-client-master
+  workspaces:
+  - name: workspace
+    volumeClaimTemplate:
+      metadata:
+        creationTimestamp: null
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+      status: {}
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}
@@ -0,0 +1,59 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/app-sre/qontract-reconcile?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master"
+  labels:
+    appstudio.openshift.io/application: qontract-reconcile-master
+    appstudio.openshift.io/component: qontract-api-client-master
+    pipelines.appstudio.openshift.io/type: build
+  name: qontract-api-client-master-on-push
+  namespace: app-sre-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/redhat-user-workloads/app-sre-tenant/qontract-reconcile-master/qontract-api-client-master:{{revision}}
+  - name: dockerfile
+    value: qontract_api_client/Dockerfile
+  - name: path-context
+    value: .
+  - name: target-stage
+    value: pypi
+  - name: additional_secret
+    value: app-sre-pypi-credentials
+  pipelineRef:
+    params:
+    - name: url
+      value: https://github.com/app-sre/shared-pipelines
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/multi-arch-build-pipeline.yaml
+    resolver: git
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-qontract-api-client-master
+  workspaces:
+  - name: workspace
+    volumeClaimTemplate:
+      metadata:
+        creationTimestamp: null
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+      status: {}
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}
@@ -0,0 +1,60 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/app-sre/qontract-reconcile?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "master") || (event == "push" && target_branch.startsWith("gh-readonly-queue/master/"))
+  labels:
+    appstudio.openshift.io/application: qontract-reconcile-master
+    appstudio.openshift.io/component: qontract-utils-master
+    pipelines.appstudio.openshift.io/type: build
+  name: qontract-utils-master-on-pull-request
+  namespace: app-sre-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/redhat-user-workloads/app-sre-tenant/qontract-reconcile-master/qontract-utils-master:on-pr-{{revision}}
+  - name: image-expires-after
+    value: 5d
+  - name: dockerfile
+    value: qontract_utils/Dockerfile
+  - name: path-context
+    value: .
+  - name: target-stage
+    value: test
+  pipelineRef:
+    params:
+    - name: url
+      value: https://github.com/app-sre/shared-pipelines
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/multi-arch-build-pipeline.yaml
+    resolver: git
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-qontract-utils-master
+  workspaces:
+  - name: workspace
+    volumeClaimTemplate:
+      metadata:
+        creationTimestamp: null
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+      status: {}
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}
@@ -0,0 +1,59 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/app-sre/qontract-reconcile?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master"
+  labels:
+    appstudio.openshift.io/application: qontract-reconcile-master
+    appstudio.openshift.io/component: qontract-utils-master
+    pipelines.appstudio.openshift.io/type: build
+  name: qontract-utils-master-on-push
+  namespace: app-sre-tenant
+spec:
+  params:
+  - name: git-url
+    value: '{{source_url}}'
+  - name: revision
+    value: '{{revision}}'
+  - name: output-image
+    value: quay.io/redhat-user-workloads/app-sre-tenant/qontract-reconcile-master/qontract-utils-master:{{revision}}
+  - name: dockerfile
+    value: qontract_utils/Dockerfile
+  - name: path-context
+    value: .
+  - name: target-stage
+    value: pypi
+  - name: additional_secret
+    value: app-sre-pypi-credentials
+  pipelineRef:
+    params:
+    - name: url
+      value: https://github.com/app-sre/shared-pipelines
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/multi-arch-build-pipeline.yaml
+    resolver: git
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-qontract-utils-master
+  workspaces:
+  - name: workspace
+    volumeClaimTemplate:
+      metadata:
+        creationTimestamp: null
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+      status: {}
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}
@@ -117,8 +117,3 @@ unittest: ## Run unit tests
 .PHONY: generate-client
 generate-client:
 	make -C qontract_api_client generate-client
-
-poc-tests:
-	make -C qontract_api test
-# 	cd qontract_api_client && make test
-	make -C qontract_utils test
@@ -1,6 +1,6 @@
 #
 # Base image with defaults for all stages
-FROM registry.access.redhat.com/ubi9-minimal@sha256:90bd85dcd061d1ad6dbda70a867c41958c04a86462d05c631f8205e8870f28f8 AS base
+FROM registry.access.redhat.com/ubi9-minimal@sha256:ecd4751c45e076b4e1e8d37ac0b1b9c7271930c094d1bcc5e6a4d6954c6b2289 AS base
 
 COPY LICENSE /licenses/
 
@@ -12,6 +12,7 @@ ENV \
     UV_COMPILE_BYTECODE="true" \
     # disable uv cache. it doesn't make sense in a container
     UV_NO_CACHE=true \
+    RUFF_CACHE_DIR=/tmp/.ruff_cache \
     # bypass dynamic versioning (git not available)
     UV_DYNAMIC_VERSIONING_BYPASS="0.1.0" \
     PYTHONUNBUFFERED=1 \
@@ -35,7 +36,7 @@ WORKDIR ${APP_ROOT}/src
 #
 # Builder image
 #
-FROM registry.access.redhat.com/ubi9/python-312-minimal@sha256:64a3083a25d9f7573bb9b1a167e10be0464859a8e81421853d09947e873fe500 AS builder
+FROM registry.access.redhat.com/ubi9/python-312-minimal@sha256:ecacdd63283ed3083ddd33c02ab5112d4dbf1fbf2508317bf4d4f6d7d913d2f1 AS builder
 COPY --from=ghcr.io/astral-sh/uv:0.9.26@sha256:9a23023be68b2ed09750ae636228e903a54a05ea56ed03a934d00fe9fbeded4b /uv /bin/uv
 
 ENV APP_ROOT=/opt/app-root
@@ -65,6 +66,11 @@ RUN cd qontract_api && uv sync --frozen --no-group dev
 FROM base AS test
 COPY --from=ghcr.io/astral-sh/uv:0.9.26@sha256:9a23023be68b2ed09750ae636228e903a54a05ea56ed03a934d00fe9fbeded4b /uv /bin/uv
 
+USER root
+# install dependencies
+RUN microdnf install -y diffutils && microdnf clean all
+USER 1001
+
 COPY --from=builder /opt/app-root /opt/app-root
 RUN cd qontract_api && uv sync --frozen
 RUN make -C qontract_api test
 
@@ -1,22 +1,18 @@
+OPENAPI := openapi.json
+
 .PHONY: help
 help:
 	@echo "qontract-api Makefile"
 	@echo ""
 	@echo "Development:"
-	@echo "  make run-api       Run FastAPI server locally"
-	@echo "  make run-worker    Run Celery worker locally"
-	@echo "  make generate-token SUBJECT=<subject> DAYS=<days>"
-	@echo "                     Generate JWT token (default: DAYS=30)"
-	@echo ""
-	@echo "Docker:"
-	@echo "  make docker-up     Start all services"
-	@echo "  make docker-down   Stop all services"
-	@echo "  make docker-build  Rebuild images"
-	@echo "  make docker-logs   View logs"
+	@echo "  make run-api                                                Run FastAPI server locally"
+	@echo "  make run-worker                                             Run Celery worker locally"
+	@echo "  make generate-token SUBJECT=<subject> EXPIRES_DAYS=<days>   Generate JWT token"
+	@echo "  make generate-openapi-spec                                  Generate OpenAPI spec file"
 	@echo ""
 	@echo "Quality:"
-	@echo "  make test          Run all checks (pytest, mypy, ruff)"
-	@echo "  make format        Format and fix code with ruff"
+	@echo "  make test                                                   Run all checks (pytest, mypy, ruff)"
+	@echo "  make format                                                 Format and fix code with ruff"
 
 .PHONY: run-api
 run-api:
@@ -30,29 +26,32 @@ run-worker:
 generate-token:
 	@if [ -z "$(SUBJECT)" ]; then \
 		echo "Error: SUBJECT is required"; \
-		echo "Usage: make generate-token SUBJECT=admin DAYS=30"; \
+		echo "Usage: make generate-token SUBJECT=admin EXPIRES_DAYS=365"; \
 		exit 1; \
 	fi
-	@uv run python -m qontract_api.scripts.generate_token --subject "$(SUBJECT)" --expires-days $(or $(DAYS),30)
-
-.PHONY: docker-up
-docker-up:
-	cd .. && docker compose up
-
-.PHONY: docker-down
-docker-down:
-	cd .. && docker compose down
-
-.PHONY: docker-build
-docker-build:
-	cd .. && docker compose build
+	@if [ -z "$(EXPIRES_DAYS)" ]; then \
+		echo "Error: SUBJECT is required"; \
+		echo "Usage: make generate-token SUBJECT=admin EXPIRES_DAYS=365"; \
+		exit 1; \
+	fi
+	@uv run python -m qontract_api.scripts.generate_token --subject "$(SUBJECT)" --expires-days "$(EXPIRES_DAYS)"
 
-.PHONY: docker-logs
-docker-logs:
-	cd .. && docker compose logs -f
+.PHONY: generate-openapi-spec
+generate-openapi-spec:
+	@uv run python -m qontract_api.scripts.generate_openapi_spec > $(OPENAPI)
 
 .PHONY: test
 test:
+	@TEMP_DIR=$$(mktemp -d); \
+	trap "rm -rf $$TEMP_DIR" EXIT; \
+	$(MAKE) generate-openapi-spec OPENAPI=$$TEMP_DIR/openapi.json; \
+	if ! diff -q $(OPENAPI) $$TEMP_DIR/openapi.json > /dev/null 2>&1; then \
+		echo "  ✗ openapi.json differs from generated version"; \
+		echo ""; \
+		echo "Run 'make generate-openapi-spec' to update."; \
+		echo ""; \
+		exit 1; \
+	fi
 	uv run ruff check .
 	uv run ruff format --check .
 	uv run mypy .