Skip to content

Add robot account management#5184

Open
esron wants to merge 32 commits intoapp-sre:masterfrom
esron:add-robot-account-management
Open

Add robot account management#5184
esron wants to merge 32 commits intoapp-sre:masterfrom
esron:add-robot-account-management

Conversation

@esron
Copy link
Contributor

@esron esron commented Aug 21, 2025
edited
Loading

JIRA: APPSRE-11883

This adds a new integration that handles robot account management.

I decided to go with this approach because quay-permissions integration already has a complex state management that when mixed with the robot accounts needs of managing teams and repository relationships gets really messy.

This approach also let's robot-accounts be more independent and clear to the user, since it relies on a single file where all relationships are defined.

Also I am getting inspiration from the original script where the robot accounts for quay are defined.

We still need to decide how are we going to migrate existent robot accounts to app-interface and deal with the permissions needed by qontract-reconcile to manage robot-account for private teams and repos.

In the current state, if you dry-run this integration locally it will show some delete actions for already defined robot accounts outside app-interface.

Also we don't heave full read access for robot-account in some of the Quay orgs defined in app-interface.

How to test this?

Create an integration file in app-interface. Here is a snippet, you can copy other integrations file if you get validations errors and edit:

$schema: /app-sre/integration-1.yml

labels: {}

name: quay-robot-accounts

description: Manage Quay Robot Accounts

upstream: https://github.com/app-sre/qontract-reconcile

pr_check:
  disabled: true
  cmd: quay-robot-accounts

# Copy this from other integrations
managed: 
- ...


schemas:
- /access/quay-robot-1.yml
- /app-interface/app-interface-settings-1.yml
- /app-sre/integration-1.yml
- /aws/account-1.yml
- /dependencies/dependency-1.yml
- /dependencies/quay-instance-1.yml
- /dependencies/quay-org-1.yml

Create a new robot-account-1.yml

---
$schema: /access/quay-robot-1.yml

labels: {}

name: app-sre-redhat-services-prod-robot-account
quay_username: appsre_pull # redhat-services-prod+appsre_pull

quay_org:
  $ref: /dependencies/quay/redhat-services-prod.yml

teams:
- devs

Set your local qontract-schemas to the branch on this PR

when you run

qontract-reconcile --log-level INFO --config config.toml --dry-run quay-robot-accounts

You should see a list of actions, the first one should be to create the robot account that we defined on the yaml file above.

Drop a comment if you have any question, issue or need help testing this.

@esron esron changed the title Add robot account management Draft: Add robot account management Aug 21, 2025
@esron esron marked this pull request as draft August 21, 2025 20:53
@esron esron force-pushed the add-robot-account-management branch from a5be134 to cfd474c Compare August 25, 2025 14:18
@esron esron changed the title Draft: Add robot account management Add robot account management Aug 25, 2025
@esron esron marked this pull request as ready for review August 25, 2025 18:20
@esron esron force-pushed the add-robot-account-management branch 2 times, most recently from c55830a to c6f4be4 Compare August 26, 2025 18:14
@esron esron force-pushed the add-robot-account-management branch from c6f4be4 to 8e8f83f Compare October 8, 2025 16:30
@esron
Copy link
Contributor Author

esron commented Oct 8, 2025

/retest

hemslo
hemslo reviewed Oct 9, 2025
View reviewed changes
reconcile/quay_robot_accounts.py
Comment on lines +132 to +135
repositories = {}
repo_permissions = robot_data.get("repositories", [])
for repo_perm in repo_permissions:
repositories[repo_perm["name"]] = repo_perm["role"]
Copy link
Contributor

@hemslo hemslo Oct 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

similar here, why not directly let robot_data returns dict name -> role?

reconcile/quay_robot_accounts.py
actions = []

# Find robots to create
for key, desired in desired_state.items():
Copy link
Contributor

@hemslo hemslo Oct 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can use diff_mappings to diff

Copy link
Member

@chassing chassing Oct 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

^this

reconcile/quay_robot_accounts.py
Comment on lines +255 to +265
# Find robots to delete (robots in current state but not in desired state)
for key, current in current_state.items():
if key not in desired_state:
actions.append(
RobotAccountAction(
action="delete",
robot_name=current.name,
org_name=current.org_name,
instance_name=current.instance_name,
)
)
Copy link
Contributor

@hemslo hemslo Oct 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how about introduce delete: true on robot account so we only delete account marked as delete, no accidentally delete accounts not managed by this integration

chassing
chassing reviewed Oct 9, 2025
View reviewed changes
reconcile/quay_robot_accounts.py
actions = []

# Find robots to create
for key, desired in desired_state.items():
Copy link
Member

@chassing chassing Oct 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

^this

@esron esron force-pushed the add-robot-account-management branch 3 times, most recently from 44d5a34 to 7b13f24 Compare December 18, 2025 19:33
@esron esron mentioned this pull request Jan 7, 2026
Merged
@esron esron force-pushed the add-robot-account-management branch 6 times, most recently from ffe97e7 to 51bbceb Compare January 20, 2026 15:03
esron added 23 commits January 27, 2026 06:06
@esron
Add robot accounts integration file
c6bab81
@esron
Add robot accounts integration tests
c696f28
@esron
Add quay robot accounts to cli
8808c32
@esron
Fix typing for quay_robot_accounts
5421d01
@esron
Fix typting for quay_api tests
20fcbdd
@esron
Fix typing for quay_robot_accounts tests
fd2e204
@esron
Remove test for message checking
8da2f4c
@esron
Use robot short name to get robot account details
b79e278
@esron
make gql-introspection
e3b5d5d
@esron
remove duplicate get response
a54e19b
@esron
Use create autospect
b29b1e3
@esron
Add RobotAccountDetails type
632ea56
@esron
Adapt quay api tests to be session based
1e7f726
@esron
fix quay_mirror account that depend on QuayApiStore
1b0f6df
@esron
Update test_quay_robot_accounts to use QuayApiStore
4409d5d
@esron
Adds robot account methods based on new Api class
50c8d33
@esron
Fix get_quay_api_store return type
a9c77b4
@esron
Fix integration to use QuayApiStore
ea1aae0
@esron
Fix: change logging messages to debug
c35f217
@esron
Fix: remove unwanted expection handling
06a3753
@esron
Fix: removes unecessarie type definitions
e4f0d94
@esron
Fix: use enum on RobotAccountActions
0c21c94
@esron
Fix: use mock_quay_api as a fixture to improve tests
457ed70
@esron esron force-pushed the add-robot-account-management branch from 51bbceb to 457ed70 Compare January 27, 2026 09:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chassing chassing chassing left review comments

@hemslo hemslo hemslo left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@esron @chassing @hemslo