qontract-reconcile 0.10.2.dev414__py3-none-any.whl → 0.10.2.dev456__py3-none-any.whl

reconcile/cli.py

@@ -50,10 +50,10 @@ from reconcile.utils.unleash import get_feature_toggle_state
 TERRAFORM_VERSION = ["1.6.6"]
 TERRAFORM_VERSION_REGEX = r"^Terraform\sv([\d]+\.[\d]+\.[\d]+)$"
 
-OC_VERSIONS = ["4.16.2", "4.12.46", "4.10.15"]
-OC_VERSION_REGEX = r"^Client\sVersion:\s([\d]+\.[\d]+\.[\d]+)$"
+OC_VERSIONS = ["4.19.0", "4.16.2"]
+OC_VERSION_REGEX = r"^Client\sVersion:\s([\d]+\.[\d]+\.[\d]+)"
 
-HELM_VERSIONS = ["3.11.1"]
+HELM_VERSIONS = ["3.19.2"]
 HELM_VERSION_REGEX = r"^version.BuildInfo{Version:\"v([\d]+\.[\d]+\.[\d]+)\".*$"
 
 
@@ -2855,6 +2855,36 @@ def ocm_addons_upgrade_scheduler_org(
     default=bool(os.environ.get("IGNORE_STS_CLUSTERS")),
     help="Ignore STS clusters",
 )
+@click.option(
+    "--job-controller-cluster",
+    help="The cluster holding the job-controller namepsace",
+    required=False,
+    envvar="JOB_CONTROLLER_CLUSTER",
+)
+@click.option(
+    "--job-controller-namespace",
+    help="The namespace used for ROSA jobs",
+    required=False,
+    envvar="JOB_CONTROLLER_NAMESPACE",
+)
+@click.option(
+    "--rosa-job-service-account",
+    help="The service-account used for ROSA jobs",
+    required=False,
+    envvar="ROSA_JOB_SERVICE_ACCOUNT",
+)
+@click.option(
+    "--rosa-job-image",
+    help="The container image to use to run ROSA cli command jobs",
+    required=False,
+    envvar="ROSA_JOB_IMAGE",
+)
+@click.option(
+    "--rosa-role",
+    help="The role to assume in the ROSA cluster account",
+    required=False,
+    envvar="ROSA_ROLE",
+)
 @click.pass_context
 def advanced_upgrade_scheduler(
     ctx: click.Context,
@@ -2862,9 +2892,21 @@ def advanced_upgrade_scheduler(
     org_id: Iterable[str],
     exclude_org_id: Iterable[str],
     ignore_sts_clusters: bool,
+    job_controller_cluster: str | None,
+    job_controller_namespace: str | None,
+    rosa_job_service_account: str | None,
+    rosa_role: str | None,
+    rosa_job_image: str | None,
 ) -> None:
-    from reconcile.aus.advanced_upgrade_service import AdvancedUpgradeServiceIntegration
-    from reconcile.aus.base import AdvancedUpgradeSchedulerBaseIntegrationParams
+    from reconcile.aus.advanced_upgrade_service import (
+        QONTRACT_INTEGRATION,
+        QONTRACT_INTEGRATION_VERSION,
+        AdvancedUpgradeServiceIntegration,
+    )
+    from reconcile.aus.base import (
+        AdvancedUpgradeSchedulerBaseIntegrationParams,
+        RosaRoleUpgradeHandlerParams,
+    )
 
     run_class_integration(
         integration=AdvancedUpgradeServiceIntegration(
@@ -2873,6 +2915,22 @@ def advanced_upgrade_scheduler(
                 ocm_organization_ids=set(org_id),
                 excluded_ocm_organization_ids=set(exclude_org_id),
                 ignore_sts_clusters=ignore_sts_clusters,
+                rosa_role_upgrade_handler_params=RosaRoleUpgradeHandlerParams(
+                    job_controller_cluster=job_controller_cluster,
+                    job_controller_namespace=job_controller_namespace,
+                    rosa_job_service_account=rosa_job_service_account,
+                    rosa_role=rosa_role,
+                    rosa_job_image=rosa_job_image,
+                    integration_name=QONTRACT_INTEGRATION,
+                    integration_version=QONTRACT_INTEGRATION_VERSION,
+                )
+                if all([
+                    job_controller_cluster,
+                    job_controller_namespace,
+                    rosa_job_service_account,
+                    rosa_role,
+                ])
+                else None,
             )
         ),
         ctx=ctx,

reconcile/external_resources/manager.py

@@ -45,7 +45,6 @@ from reconcile.utils.datetime_util import utc_now
 from reconcile.utils.external_resource_spec import (
     ExternalResourceSpec,
 )
-from reconcile.utils.json import json_dumps
 from reconcile.utils.secret_reader import SecretReaderBase
 
 
@@ -245,7 +244,7 @@ class ExternalResourcesManager:
             reconciliation = Reconciliation(
                 key=key,
                 resource_hash=resource.hash(),
-                input=json_dumps(resource),
+                input=resource.export(),
                 action=Action.APPLY,
                 module_configuration=module_conf,
                 linked_resources=self._find_linked_resources(spec),
@@ -253,15 +252,11 @@ class ExternalResourcesManager:
             r.add(reconciliation)
         return r
 
-    def _get_deleted_objects_reconciliations(
-        self, enable_migration: bool = False
-    ) -> set[Reconciliation]:
+    def _get_deleted_objects_reconciliations(self) -> set[Reconciliation]:
         to_reconcile: set[Reconciliation] = set()
         deleted_keys = (k for k, v in self.er_inventory.items() if v.marked_to_delete)
         for key in deleted_keys:
-            state = self.state_mgr.get_external_resource_state(
-                key, enable_migration=enable_migration
-            )
+            state = self.state_mgr.get_external_resource_state(key)
             if state.resource_status == ResourceStatus.NOT_EXISTS:
                 logging.debug("Resource has already been removed. key: %s", key)
                 continue
@@ -354,9 +349,7 @@ class ExternalResourcesManager:
 
             if r.linked_resources:
                 for lr in r.linked_resources:
-                    lrs = self.state_mgr.get_external_resource_state(
-                        lr, enable_migration=True
-                    )
+                    lrs = self.state_mgr.get_external_resource_state(lr)
                     if not lrs.resource_status.is_in_progress:
                         lrs.resource_status = ResourceStatus.RECONCILIATION_REQUESTED
                         self.state_mgr.set_external_resource_state(lrs)
@@ -423,12 +416,10 @@ class ExternalResourcesManager:
 
     def handle_resources(self) -> None:
         desired_r = self._get_desired_objects_reconciliations()
-        deleted_r = self._get_deleted_objects_reconciliations(enable_migration=True)
+        deleted_r = self._get_deleted_objects_reconciliations()
         to_sync_keys: set[ExternalResourceKey] = set()
         for r in desired_r.union(deleted_r):
-            state = self.state_mgr.get_external_resource_state(
-                r.key, enable_migration=True
-            )
+            state = self.state_mgr.get_external_resource_state(r.key)
             reconciliation_status = self._get_reconciliation_status(r, state)
             self._update_resource_state(r, state, reconciliation_status)
 
@@ -460,9 +451,7 @@ class ExternalResourcesManager:
             for r in desired_r.union(deleted_r)
             if self._reconciliation_needs_dry_run_run(
                 r,
-                self.state_mgr.get_external_resource_state(
-                    key=r.key, enable_migration=False
-                ),
+                self.state_mgr.get_external_resource_state(key=r.key),
             )
         }
 

reconcile/external_resources/model.py

@@ -1,7 +1,4 @@
 import hashlib
-from abc import (
-    ABC,
-)
 from collections.abc import ItemsView, Iterable, Iterator, MutableMapping
 from enum import StrEnum
 from typing import Any
@@ -88,9 +85,6 @@ class ExternalResourceKey(BaseModel, frozen=True):
             provider=spec.provider,
         )
 
-    def hash(self) -> str:
-        return hashlib.md5(json_dumps(self.model_dump()).encode("utf-8")).hexdigest()
-
     @property
     def state_path(self) -> str:
         return f"{self.provision_provider}/{self.provisioner_name}/{self.provider}/{self.identifier}"
@@ -407,7 +401,7 @@ class ReconciliationStatus(BaseModel):
     resource_status: ResourceStatus
 
 
-class ModuleProvisionData(ABC, BaseModel):
+class ModuleProvisionData(BaseModel):
     pass
 
 
@@ -432,7 +426,7 @@ class ExternalResourceProvision(BaseModel):
     target_cluster: str
     target_namespace: str
     target_secret_name: str
-    module_provision_data: ModuleProvisionData
+    module_provision_data: ModuleProvisionData | TerraformModuleProvisionData
 
 
 class ExternalResource(BaseModel):
@@ -441,3 +435,9 @@ class ExternalResource(BaseModel):
 
     def hash(self) -> str:
         return hashlib.sha256(json_dumps(self.data).encode("utf-8")).hexdigest()
+
+    def export(
+        self, exclude: dict[str, Any] | None = None, indent: int | None = None
+    ) -> str:
+        """Export the ExternalResource as a JSON string."""
+        return json_dumps(self, exclude=exclude, indent=indent)

reconcile/external_resources/secrets_sync.py

@@ -448,9 +448,8 @@ class VaultSecretsReconciler(SecretsReconciler):
         secret_path = self.secret_path(self.vault_path, spec)
         try:
             logging.debug("Reading Secret %s", secret_path)
-            data = self.secrets_reader.read_all({"path": secret_path})
-            spec.metadata[SECRET_UPDATED_AT] = data[SECRET_UPDATED_AT]
-            del data[SECRET_UPDATED_AT]
+            data = self.secrets_reader.read_all({"path": secret_path}).copy()
+            spec.metadata[SECRET_UPDATED_AT] = data.pop(SECRET_UPDATED_AT)
             spec.secret = data
         except SecretNotFoundError:
             logging.info("Error getting secret from vault, skipping. [%s]", secret_path)

reconcile/external_resources/state.py

@@ -271,47 +271,14 @@ class ExternalResourcesStateDynamoDB:
     def get_external_resource_state(
         self,
         key: ExternalResourceKey,
-        enable_migration: bool = False,
     ) -> ExternalResourceState:
         data = self.aws_api.dynamodb.boto3_client.get_item(
             TableName=self._table,
             ConsistentRead=True,
             Key={self.adapter.ER_KEY_HASH: {"S": key.state_path}},
         )
-        item = data.get("Item")
-        if item:
+        if "Item" in data:
             return self.adapter.deserialize(data["Item"])
-
-        old_data = self.aws_api.dynamodb.boto3_client.get_item(
-            TableName=self._table,
-            ConsistentRead=True,
-            Key={self.adapter.ER_KEY_HASH: {"S": key.hash()}},
-        )
-        old_item = old_data.get("Item")
-        if old_item:
-            old_item[self.adapter.ER_KEY_HASH]["S"] = key.state_path
-            old_item[self.adapter.RECONC]["M"][self.adapter.RECONC_RESOURCE_HASH][
-                "S"
-            ] = self._new_sha256_hash(old_item)
-            if enable_migration:
-                self.aws_api.dynamodb.boto3_client.transact_write_items(
-                    TransactItems=[
-                        {
-                            "Put": {
-                                "TableName": self._table,
-                                "Item": old_item,
-                            }
-                        },
-                        {
-                            "Delete": {
-                                "TableName": self._table,
-                                "Key": {self.adapter.ER_KEY_HASH: {"S": key.hash()}},
-                            }
-                        },
-                    ]
-                )
-            return self.adapter.deserialize(old_item)
-
         return ExternalResourceState(
             key=key,
             ts=utc_now(),

reconcile/gql_definitions/common/aws_vpc_requests.py

@@ -48,6 +48,9 @@ fragment VPCRequest on VPCRequest_v1 {
     automationToken {
       ...VaultSecret
     }
+    disable {
+      integrations
+    }
     supportedDeploymentRegions
     resourcesDefaultRegion
     providerVersion

reconcile/gql_definitions/common/clusters.py

@@ -113,6 +113,7 @@ query Clusters($name: String) {
     managedGroups
     managedClusterRoles
     insecureSkipTLSVerify
+    allowedToBypassPublicPeeringRestriction
     jumpHost {
       ...CommonJumphostFields
     }
@@ -635,6 +636,7 @@ class ClusterV1(ConfiguredBaseModel):
     managed_groups: Optional[list[str]] = Field(..., alias="managedGroups")
     managed_cluster_roles: Optional[bool] = Field(..., alias="managedClusterRoles")
     insecure_skip_tls_verify: Optional[bool] = Field(..., alias="insecureSkipTLSVerify")
+    allowed_to_bypass_public_peering_restriction: Optional[bool] = Field(..., alias="allowedToBypassPublicPeeringRestriction")
     jump_host: Optional[CommonJumphostFields] = Field(..., alias="jumpHost")
     auth: list[Union[ClusterAuthGithubOrgTeamV1, ClusterAuthGithubOrgV1, ClusterAuthV1]] = Field(..., alias="auth")
     ocm: Optional[OpenShiftClusterManagerV1] = Field(..., alias="ocm")

reconcile/gql_definitions/external_resources/external_resources_namespaces.py

@@ -372,6 +372,7 @@ query ExternalResourcesNamespaces {
             identifier
             defaults
             es_identifier
+            policy
             output_resource_name
             annotations
             tags
@@ -933,6 +934,7 @@ class NamespaceTerraformResourceKinesisV1(NamespaceTerraformResourceAWSV1):
     identifier: str = Field(..., alias="identifier")
     defaults: str = Field(..., alias="defaults")
     es_identifier: Optional[str] = Field(..., alias="es_identifier")
+    policy: Optional[str] = Field(..., alias="policy")
     output_resource_name: Optional[str] = Field(..., alias="output_resource_name")
     annotations: Optional[str] = Field(..., alias="annotations")
     tags: Optional[str] = Field(..., alias="tags")
@@ -1167,7 +1169,7 @@ class NamespaceTerraformResourceMskV1(NamespaceTerraformResourceAWSV1):
 
 class NamespaceTerraformProviderResourceAWSV1(NamespaceExternalResourceV1):
     provisioner: AWSAccountV1 = Field(..., alias="provisioner")
-    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
+    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
 
 
 class EnvironmentV1(ConfiguredBaseModel):

reconcile/gql_definitions/fragments/aws_vpc_request.py

@@ -28,6 +28,10 @@ class ConfiguredBaseModel(BaseModel):
     )
 
 
+class DisableClusterAutomationsV1(ConfiguredBaseModel):
+    integrations: Optional[list[str]] = Field(..., alias="integrations")
+
+
 class DeletionApprovalV1(ConfiguredBaseModel):
     q_type: str = Field(..., alias="type")
     name: str = Field(..., alias="name")
@@ -39,6 +43,7 @@ class AWSAccountV1(ConfiguredBaseModel):
     uid: str = Field(..., alias="uid")
     terraform_username: Optional[str] = Field(..., alias="terraformUsername")
     automation_token: VaultSecret = Field(..., alias="automationToken")
+    disable: Optional[DisableClusterAutomationsV1] = Field(..., alias="disable")
     supported_deployment_regions: Optional[list[str]] = Field(..., alias="supportedDeploymentRegions")
     resources_default_region: str = Field(..., alias="resourcesDefaultRegion")
     provider_version: str = Field(..., alias="providerVersion")

reconcile/gql_definitions/introspection.json

@@ -6489,6 +6489,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "allowedToBypassPublicPeeringRestriction",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "Boolean",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "namespaces",
                             "description": null,
@@ -41646,6 +41658,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "certificate_format",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "String",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "annotations",
                             "description": null,
@@ -47657,6 +47681,18 @@
                             },
                             "isDeprecated": false,
                             "deprecationReason": null
+                        },
+                        {
+                            "name": "bucket_policy",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "JSON",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
                         }
                     ],
                     "inputFields": null,
@@ -48266,6 +48302,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "policy",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "JSON",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "output_resource_name",
                             "description": null,

reconcile/gql_definitions/rhcs/certs.py

@@ -18,6 +18,7 @@ from pydantic import (  # noqa: F401 # pylint: disable=W0611
 )
 
 from reconcile.gql_definitions.fragments.jumphost_common_fields import CommonJumphostFields
+from reconcile.gql_definitions.rhcs.openshift_resource_rhcs_cert import OpenshiftResourceRhcsCert
 from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
 
 
@@ -33,6 +34,21 @@ fragment CommonJumphostFields on ClusterJumpHost_v1 {
   }
 }
 
+fragment OpenshiftResourceRhcsCert on NamespaceOpenshiftResourceRhcsCert_v1 {
+  secret_name
+  service_account_name
+  service_account_password {
+    ... on VaultSecret_v1 {
+      path
+      field
+      version
+    }
+  }
+  auto_renew_threshold_days
+  certificate_format
+  annotations
+}
+
 fragment VaultSecret on VaultSecret_v1 {
   path
   field
@@ -46,37 +62,11 @@ query RhcsCerts {
     delete
     clusterAdmin
     openshiftResources {
-      provider
-      ... on NamespaceOpenshiftResourceRhcsCert_v1 {
-        secret_name
-        service_account_name
-        service_account_password {
-          ... on VaultSecret_v1 {
-            path
-            field
-            version
-          }
-        }
-        auto_renew_threshold_days
-        annotations
-      }
+      ...OpenshiftResourceRhcsCert
     }
     sharedResources {
       openshiftResources {
-        provider
-        ... on NamespaceOpenshiftResourceRhcsCert_v1 {
-          secret_name
-          service_account_name
-          service_account_password {
-            ... on VaultSecret_v1 {
-              path
-              field
-              version
-            }
-          }
-          auto_renew_threshold_days
-          annotations
-        }
+        ...OpenshiftResourceRhcsCert
       }
     }
     cluster {
@@ -108,52 +98,8 @@ class ConfiguredBaseModel(BaseModel):
     )
 
 
-class NamespaceOpenshiftResourceV1(ConfiguredBaseModel):
-    provider: str = Field(..., alias="provider")
-
-
-class VaultSecretV1(ConfiguredBaseModel):
-    ...
-
-
-class VaultSecretV1_VaultSecretV1(VaultSecretV1):
-    path: str = Field(..., alias="path")
-    field: str = Field(..., alias="field")
-    version: Optional[int] = Field(..., alias="version")
-
-
-class NamespaceOpenshiftResourceRhcsCertV1(NamespaceOpenshiftResourceV1):
-    secret_name: str = Field(..., alias="secret_name")
-    service_account_name: str = Field(..., alias="service_account_name")
-    service_account_password: Union[VaultSecretV1_VaultSecretV1, VaultSecretV1] = Field(..., alias="service_account_password")
-    auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
-    annotations: Optional[Json] = Field(..., alias="annotations")
-
-
-class SharedResourcesV1_NamespaceOpenshiftResourceV1(ConfiguredBaseModel):
-    provider: str = Field(..., alias="provider")
-
-
-class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1(ConfiguredBaseModel):
-    ...
-
-
-class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1_VaultSecretV1(SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1):
-    path: str = Field(..., alias="path")
-    field: str = Field(..., alias="field")
-    version: Optional[int] = Field(..., alias="version")
-
-
-class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1(SharedResourcesV1_NamespaceOpenshiftResourceV1):
-    secret_name: str = Field(..., alias="secret_name")
-    service_account_name: str = Field(..., alias="service_account_name")
-    service_account_password: Union[SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1_VaultSecretV1, SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1] = Field(..., alias="service_account_password")
-    auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
-    annotations: Optional[Json] = Field(..., alias="annotations")
-
-
 class SharedResourcesV1(ConfiguredBaseModel):
-    openshift_resources: list[Union[SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1, SharedResourcesV1_NamespaceOpenshiftResourceV1]] = Field(..., alias="openshiftResources")
+    openshift_resources: list[OpenshiftResourceRhcsCert] = Field(..., alias="openshiftResources")
 
 
 class DisableClusterAutomationsV1(ConfiguredBaseModel):
@@ -175,7 +121,7 @@ class NamespaceV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     delete: Optional[bool] = Field(..., alias="delete")
     cluster_admin: Optional[bool] = Field(..., alias="clusterAdmin")
-    openshift_resources: Optional[list[Union[NamespaceOpenshiftResourceRhcsCertV1, NamespaceOpenshiftResourceV1]]] = Field(..., alias="openshiftResources")
+    openshift_resources: Optional[list[OpenshiftResourceRhcsCert]] = Field(..., alias="openshiftResources")
     shared_resources: Optional[list[SharedResourcesV1]] = Field(..., alias="sharedResources")
     cluster: ClusterV1 = Field(..., alias="cluster")
 

reconcile/gql_definitions/rhcs/openshift_resource_rhcs_cert.py

@@ -0,0 +1,43 @@
+"""
+Generated by qenerate plugin=pydantic_v2. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    ConfigDict,
+    Field,
+    Json,
+)
+
+
+class ConfiguredBaseModel(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid'
+    )
+
+
+class VaultSecretV1(ConfiguredBaseModel):
+    ...
+
+
+class VaultSecretV1_VaultSecretV1(VaultSecretV1):
+    path: str = Field(..., alias="path")
+    field: str = Field(..., alias="field")
+    version: Optional[int] = Field(..., alias="version")
+
+
+class OpenshiftResourceRhcsCert(ConfiguredBaseModel):
+    secret_name: str = Field(..., alias="secret_name")
+    service_account_name: str = Field(..., alias="service_account_name")
+    service_account_password: Union[VaultSecretV1_VaultSecretV1, VaultSecretV1] = Field(..., alias="service_account_password")
+    auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
+    certificate_format: Optional[str] = Field(..., alias="certificate_format")
+    annotations: Optional[Json] = Field(..., alias="annotations")

reconcile/gql_definitions/terraform_resources/terraform_resources_namespaces.py

@@ -243,6 +243,7 @@ query TerraformResourcesNamespaces {
             defaults
             output_resource_name
             storage_class
+            bucket_policy
             annotations
           }
           ... on NamespaceTerraformResourceS3SQS_v1 {
@@ -299,6 +300,7 @@ query TerraformResourcesNamespaces {
             identifier
             defaults
             es_identifier
+            policy
             output_resource_name
             annotations
           }
@@ -774,6 +776,7 @@ class NamespaceTerraformResourceS3CloudFrontV1(NamespaceTerraformResourceAWSV1):
     defaults: str = Field(..., alias="defaults")
     output_resource_name: Optional[str] = Field(..., alias="output_resource_name")
     storage_class: Optional[str] = Field(..., alias="storage_class")
+    bucket_policy: Optional[str] = Field(..., alias="bucket_policy")
     annotations: Optional[str] = Field(..., alias="annotations")
 
 
@@ -836,6 +839,7 @@ class NamespaceTerraformResourceKinesisV1(NamespaceTerraformResourceAWSV1):
     identifier: str = Field(..., alias="identifier")
     defaults: str = Field(..., alias="defaults")
     es_identifier: Optional[str] = Field(..., alias="es_identifier")
+    policy: Optional[str] = Field(..., alias="policy")
     output_resource_name: Optional[str] = Field(..., alias="output_resource_name")
     annotations: Optional[str] = Field(..., alias="annotations")
 
@@ -1100,7 +1104,7 @@ class NamespaceTerraformResourceMskV1(NamespaceTerraformResourceAWSV1):
 
 
 class NamespaceTerraformProviderResourceAWSV1(NamespaceExternalResourceV1):
-    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
+    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
 
 
 class EnvironmentV1(ConfiguredBaseModel):

reconcile/gql_definitions/vpc_peerings_validator/vpc_peerings_validator.py

@@ -23,6 +23,7 @@ from reconcile.gql_definitions.vpc_peerings_validator.vpc_peerings_validator_pee
 DEFINITION = """
 fragment VpcPeeringsValidatorPeeredCluster on Cluster_v1 {
   name
+  allowedToBypassPublicPeeringRestriction
   network {
     vpc
   }
@@ -35,6 +36,7 @@ fragment VpcPeeringsValidatorPeeredCluster on Cluster_v1 {
 query VpcPeeringsValidator {
   clusters: clusters_v1 {
     name
+    allowedToBypassPublicPeeringRestriction
     network {
       vpc
     }
@@ -128,6 +130,7 @@ class ClusterPeeringV1(ConfiguredBaseModel):
 
 class ClusterV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
+    allowed_to_bypass_public_peering_restriction: Optional[bool] = Field(..., alias="allowedToBypassPublicPeeringRestriction")
     network: Optional[ClusterNetworkV1] = Field(..., alias="network")
     spec: Optional[ClusterSpecV1] = Field(..., alias="spec")
     internal: Optional[bool] = Field(..., alias="internal")