INTEROP-8979: Add per-rule Slack notifications #274
Closed
amp-rh wants to merge 13 commits into
Jira Cloud cannot programmatically create or rotate API tokens, so fully automated rotation is not possible with basic auth. Instead, add tooling for scheduled expiry monitoring with manual rotation:
- check-token-expiry.py: standalone script that reads expires_at from Vault and posts Slack alerts at 30/14/7/3/1 days before expiry
- prow-periodic.yaml: reference Prow periodic job config (daily 08:00 UTC)
- docs/vault-schema.md: Vault KV secret schema with new expires_at field
- docs/rotation-runbook.md: step-by-step manual rotation procedure

Relates: https://issues.redhat.com/browse/INTEROP-8976
Made-with: Cursor
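
The threshold check described in that commit message, as an added example (not the PR's check-token-expiry.py). The exit codes, the function names and the sample secret are assumptions; only the `expires_at` field name and the 30/14/7/3/1 schedule come from the page.

```python
from datetime import datetime, timezone
from typing import Optional, Tuple

ALERT_DAYS = (30, 14, 7, 3, 1)  # schedule stated in the commit message


def days_until_expiry(expires_at: str, now: datetime) -> int:
    """Calendar days (UTC) from now to expires_at; negative once expired."""
    expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    # Compare UTC dates so a once-a-day job sees each day count exactly once.
    utc = timezone.utc
    return (expiry.astimezone(utc).date() - now.astimezone(utc).date()).days


def expiry_alert(secret: dict, now: datetime) -> Tuple[int, Optional[str]]:
    """Return (exit_code, slack_text); slack_text is None on a quiet day.

    Exit codes are assumptions of this sketch: 0 ok, 1 expired, 2 unmonitored.
    Only the date is ever placed in the message, never the token itself.
    """
    raw = secret.get("expires_at")
    if not raw:
        # Fail closed: a token with no recorded expiry must not look healthy.
        return 2, "expires_at is missing; token expiry is not being monitored"
    try:
        remaining = days_until_expiry(str(raw), now)
    except ValueError:
        return 2, f"expires_at is not an ISO 8601 timestamp: {raw!r}"
    if remaining <= 0:
        return 1, f"Jira API token expired or expires today ({raw}); rotate now"
    if remaining in ALERT_DAYS:
        return 0, f"Jira API token expires in {remaining} day(s) ({raw})"
    return 0, None


# Constructed sample secret and clock, standing in for the Vault read.
if __name__ == "__main__":
    now = datetime(2026, 5, 1, 8, 0, tzinfo=timezone.utc)
    print(expiry_alert({"expires_at": "2026-05-08T00:00:00Z"}, now))
```

Exact-day matching depends on the job running every day: a skipped run on day 7 stays silent until day 3.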
Skipping CI for Draft Pull Request.
Add optional slack_channel field to firewatch config rules. When set, firewatch sends a Slack notification after creating a new Jira issue, updating a duplicate, or filing a success story. Absent or empty value skips notification. Supports !default to read from env var.

Changes:
- Rule: add _get_slack_channel with !default/$FIREWATCH_DEFAULT_SLACK_CHANNEL
- SlackClient: add post_webhook static method for webhook-based posting
- Configuration: accept slack_bot_token and slack_webhook_url params
- Report: send Slack after issue creation, duplicate comment, success
- CLI: add --slack-bot-token and --slack-webhook-url to report command

Relates: https://issues.redhat.com/browse/INTEROP-8979
Made-with: Cursor
check-token-expiry.py now uses SlackClient.post_webhook() instead of a local slack_post() function. post_webhook() propagates errors so callers can decide how to handle failures: the token-expiry script surfaces them as exit codes while Report._notify_slack() logs and continues.

Made-with: Cursor
- Add types-requests to mypy pre-commit additional_dependencies
- Fix bare URLs and emphasis-as-heading in rotation-runbook.md and vault-schema.md
- Accept ruff-format changes and add mypy type: ignore on dict lookups

Made-with: Cursor
Findings from staging walkthrough:
- vault kv put destroys 7 undocumented fields (secretsync config, account credentials, staging token); switch to vault kv patch
- Document all 10 actual Vault secret fields, not just 3
- Add staging verification step (stage-redhat.atlassian.net)
- Note that API tokens are account-scoped, not instance-scoped
- Specify vault login -method=oidc for authentication
- Include access_token_msi in rotation patch command

Made-with: Cursor
/test all
ec98beb to 673c3e3
This was referenced Apr 24, 2026
When SLACK_WEBHOOK_URL is set globally (via CLI or env var), webhook notifications now fire for all rules, even if the rule does not define a slack_channel. Previously, _slack_new_issue, _slack_duplicate, and _slack_success all gated on rule.slack_channel, which meant the global webhook was silently skipped when rules lacked that field. Introduces _should_notify_slack() that checks either per-rule slack_channel OR global slack_webhook_url. Fixes the test CI config blocker where the webhook never fired because the FIREWATCH_CONFIG rules did not include slack_channel.
3998e21 to e02af25
…ests
- Document the slack_channel rule field in the configuration guide
- Wire up SLACK_BOT_TOKEN and SLACK_WEBHOOK_URL envvars in Click options (previously had default=None, now use envvar= for automatic env pickup)
- Add unit tests for SlackClient.post_webhook() success and failure paths
e02af25 to eb6bc77
950b817 to 9100627
The rehearsal early-exit path in Report.__init__ skipped all rule matching and Slack notification, so the webhook never fired during CI rehearsals even when SLACK_WEBHOOK_URL was set and failures were detected.

Changes:
- Add _notify_failure_webhooks(): matches failures against rules and fires the webhook before the rehearsal exit, without creating Jira tickets
- Add slack_user attribute to Rule (parsed from rule config), so rules with "slack_user": "user@redhat.com" trigger notifications
- Update _should_notify_slack() to check slack_user in addition to slack_channel and slack_webhook_url

TDD: 6 new tests written first (RED), then code added to pass (GREEN).
Logs webhook_url/failure_rules/failures state on entry, warns when skipping due to missing config, and logs rule match counts per failure. Without this, the method returned silently, making CI debugging impossible.
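
A Slack incoming-webhook URL is itself a credential, so debug logging around it is safest when the value cannot reach CI logs. The following is an added example (not code from this PR) of a logging filter that masks such URLs in any record; the logger name and the sample URL are constructed.

```python
import io
import logging
import re

# Slack incoming-webhook URLs carry their secret in the path after /services/.
_WEBHOOK_RE = re.compile(r"(https://hooks\.slack\.com/services/)[A-Za-z0-9/_-]+")


def redact(text: str) -> str:
    """Mask the secret path of any Slack webhook URL found in text."""
    return _WEBHOOK_RE.sub(r"\1[REDACTED]", text)


class WebhookRedactingFilter(logging.Filter):
    """Rewrite each record so the formatted message never holds the URL."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so URLs passed as %-style args are covered too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def describe_webhook(url) -> str:
    """Log-safe state for debugging: configured or not, never the value."""
    return "set" if url else "unset"


def demo() -> str:
    """Log a constructed URL through the filter and return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(WebhookRedactingFilter())
    log = logging.getLogger("firewatch.example")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    # Constructed placeholder URL, not a real webhook.
    url = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXX"
    log.info("webhook_url=%s failures=%d", url, 2)
    log.info("webhook_url state: %s", describe_webhook(url))
    log.removeHandler(handler)
    return stream.getvalue()
```

Attaching the filter to the handler rather than to one logger covers records from every module that writes through that handler.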
The previous TDD tests called _notify_failure_webhooks directly via Report.__new__(), bypassing __init__. These new tests exercise the full Report(config, job) constructor path for rehearsal jobs, proving the webhook fires before exit(0) when failures exist and SLACK_WEBHOOK_URL is set.
Closing in favor of #277
Summary
- $SLACK_WEBHOOK_URL when Jira issues are created, duplicates detected, or success stories filed
- SlackClient.post_webhook() — no new dependencies

Related PRs
Test plan
- test_post_webhook_success — verifies correct request params
- test_post_webhook_request_error_does_not_raise — errors are logged, not raised
- test_notify_slack_posts_when_env_set — posts when $SLACK_WEBHOOK_URL is set
- test_notify_slack_skips_when_env_not_set — no-op without env var
- test_notify_slack_does_not_raise_on_failure — swallows exceptions
- slack-webhook-test via INTEROP-8979: Wire Slack webhook into firewatch step openshift/release#78332

Relates: https://issues.redhat.com/browse/INTEROP-8979
🤖 Generated with Claude Code