qontract-reconcile 0.10.2.dev427__py3-none-any.whl → 0.10.2.dev456__py3-none-any.whl

reconcile/change_owners/change_owners.py

@@ -23,6 +23,7 @@ from reconcile.change_owners.changes import (
 )
 from reconcile.change_owners.decision import (
     ChangeDecision,
+    ChangeResponsibles,
     DecisionCommand,
     apply_decisions_to_changes,
     get_approver_decisions_from_mr_comments,
@@ -115,6 +116,77 @@ def manage_conditional_label(
     return set(new_labels)
 
 
+def build_status_message(
+    self_serviceable: bool,
+    authoritative: bool,
+    change_admitted: bool,
+    approver_reachability: set[str],
+    supported_commands: list[str],
+) -> str:
+    """
+    Build a user-friendly status message based on the MR state.
+    """
+    approver_section = _build_approver_contact_section(approver_reachability)
+
+    # Check if changes are not admitted (security gate - takes priority)
+    if not change_admitted:
+        return f"""## ⏸️ Approval Required
+Your changes need `/good-to-test` approval from a listed approver before review can begin.
+
+{approver_section}"""
+
+    commands_text = (
+        f"**Available commands:** {' '.join(f'`{cmd}`' for cmd in supported_commands)}"
+    )
+
+    code_warning = ""
+    if not authoritative:
+        code_warning = "⚠️ **Code changes outside of data and resources detected** - please review carefully\n\n"
+
+    if self_serviceable:
+        return f"""## ✅ Ready for Review
+Get `/lgtm` approval from the listed approvers below.
+
+{code_warning}{approver_section}
+
+{commands_text}"""
+
+    return f"""## 🔍 AppSRE Review Required
+**What happens next:**
+* AppSRE will review via their [review queue](https://gitlab.cee.redhat.com/service/app-interface-output/-/blob/master/app-interface-review-queue.md)
+* Please don't ping directly unless this is **urgent**
+* See [etiquette guide](https://gitlab.cee.redhat.com/service/app-interface#app-interface-etiquette) for more info
+
+{code_warning}{approver_section}
+
+{commands_text}"""
+
+
+def _build_approver_contact_section(approver_reachability: set[str]) -> str:
+    """Build the approver contact information section."""
+    if not approver_reachability:
+        return ""
+
+    return "**Reach out to approvers:**\n" + "\n".join([
+        f"* {ar}" for ar in approver_reachability
+    ])
+
+
+def _format_change_responsible(cr: ChangeResponsibles) -> str:
+    """
+    Format a ChangeResponsibles object.
+    """
+    usernames = [
+        f"@{a.org_username}"
+        if (a.tag_on_merge_requests or len(cr.approvers) == 1)
+        else a.org_username
+        for a in cr.approvers
+    ]
+
+    usernames_text = " ".join(usernames)
+    return f"<details><summary>{cr.context}</summary>{usernames_text}</details>"
+
+
 def write_coverage_report_to_mr(
     self_serviceable: bool,
     change_decisions: list[ChangeDecision],
@@ -135,14 +207,11 @@ def write_coverage_report_to_mr(
         startswith=change_coverage_report_header,
     )
 
-    # add new report comment
+    # Build change coverage table
     results = []
     approver_reachability = set()
     for d in change_decisions:
-        approvers = [
-            f"{cr.context} - {' '.join([f'@{a.org_username}' if (a.tag_on_merge_requests or len(cr.approvers) == 1) else a.org_username for a in cr.approvers])}"
-            for cr in d.change_responsibles
-        ]
+        approvers = [_format_change_responsible(cr) for cr in d.change_responsibles]
         if d.coverable_by_fragment_decisions:
             approvers.append(
                 "automatically approved if all sub-properties are approved"
@@ -164,41 +233,33 @@ def write_coverage_report_to_mr(
             item["status"] = "hold"
         elif d.is_approved():
             item["status"] = "approved"
-        item["approvers"] = approvers
+        item["approvers"] = "".join(approvers)
         results.append(item)
+
     coverage_report = format_table(
         results, ["file", "change", "status", "approvers"], table_format="github"
     )
 
-    self_serviceability_hint = "All changes require an `/lgtm` from a listed approver "
-    if not self_serviceable:
-        self_serviceability_hint += (
-            "but <b>not all changes are self-serviceable and require AppSRE approval</b>."
-            "The AppSRE Interrupt Catcher (IC) will review your Merge Request (MR) as it comes up in their "
-            "<a href='https://gitlab.cee.redhat.com/service/app-interface-output/-/blob/master/app-interface-review-queue.md'>queue</a>, "
-            "please do not ping them directly unless this is <b>urgent</b>."
-            "\nPlease see https://gitlab.cee.redhat.com/service/app-interface#app-interface-etiquette for more information. Thank you :)"
-        )
-    if not authoritative:
-        self_serviceability_hint += "\n\nchanges outside of data and resources detected - <b>PAY EXTRA ATTENTION WHILE REVIEWING</b>\n\n"
-
-    if not change_admitted:
-        self_serviceability_hint += "\n\nchanges are not admitted. Please request `/good-to-test` from one of the approvers.\n\n"
-
-    approver_reachability_hint = "Reach out to approvers for reviews"
-    if approver_reachability:
-        approver_reachability_hint += " on\n" + "\n".join([
-            f"* {ar}" for ar in approver_reachability or []
-        ])
-    gl.add_comment_to_merge_request(
-        merge_request,
-        f"{change_coverage_report_header}<br/>"
-        f"{self_serviceability_hint}\n"
-        f"{coverage_report}\n\n"
-        f"{approver_reachability_hint}\n\n"
-        + f"Supported commands: {' '.join([f'`{d.value}`' for d in DecisionCommand])} ",
+    # Build user-friendly status message
+    supported_commands = [d.value for d in DecisionCommand]
+    status_message = build_status_message(
+        self_serviceable=self_serviceable,
+        authoritative=authoritative,
+        change_admitted=change_admitted,
+        approver_reachability=approver_reachability,
+        supported_commands=supported_commands,
     )
 
+    # Create the full comment
+    full_comment = f"""{change_coverage_report_header}
+
+{status_message}
+
+## 📋 Change Summary
+{coverage_report}"""
+
+    gl.add_comment_to_merge_request(merge_request, full_comment)
+
 
 def write_coverage_report_to_stdout(change_decisions: list[ChangeDecision]) -> None:
     results = []
@@ -391,7 +452,12 @@ def run(
                 good_to_test_approvers,
             )
             approver_decisions = get_approver_decisions_from_mr_comments(
-                gl.get_merge_request_comments(merge_request, include_description=True)
+                gl.get_merge_request_comments(
+                    merge_request,
+                    include_description=True,
+                    include_approvals=True,
+                    approval_body=DecisionCommand.APPROVED.value,
+                )
             )
             change_decisions = apply_decisions_to_changes(
                 changes,

reconcile/cli.py

@@ -53,7 +53,7 @@ TERRAFORM_VERSION_REGEX = r"^Terraform\sv([\d]+\.[\d]+\.[\d]+)$"
 OC_VERSIONS = ["4.19.0", "4.16.2"]
 OC_VERSION_REGEX = r"^Client\sVersion:\s([\d]+\.[\d]+\.[\d]+)"
 
-HELM_VERSIONS = ["3.11.1"]
+HELM_VERSIONS = ["3.19.2"]
 HELM_VERSION_REGEX = r"^version.BuildInfo{Version:\"v([\d]+\.[\d]+\.[\d]+)\".*$"
 
 

reconcile/external_resources/secrets_sync.py

@@ -448,9 +448,8 @@ class VaultSecretsReconciler(SecretsReconciler):
         secret_path = self.secret_path(self.vault_path, spec)
         try:
             logging.debug("Reading Secret %s", secret_path)
-            data = self.secrets_reader.read_all({"path": secret_path})
-            spec.metadata[SECRET_UPDATED_AT] = data[SECRET_UPDATED_AT]
-            del data[SECRET_UPDATED_AT]
+            data = self.secrets_reader.read_all({"path": secret_path}).copy()
+            spec.metadata[SECRET_UPDATED_AT] = data.pop(SECRET_UPDATED_AT)
             spec.secret = data
         except SecretNotFoundError:
             logging.info("Error getting secret from vault, skipping. [%s]", secret_path)

reconcile/gql_definitions/common/aws_vpc_requests.py

@@ -48,6 +48,9 @@ fragment VPCRequest on VPCRequest_v1 {
     automationToken {
       ...VaultSecret
     }
+    disable {
+      integrations
+    }
     supportedDeploymentRegions
     resourcesDefaultRegion
     providerVersion

reconcile/gql_definitions/common/clusters.py

@@ -113,6 +113,7 @@ query Clusters($name: String) {
     managedGroups
     managedClusterRoles
     insecureSkipTLSVerify
+    allowedToBypassPublicPeeringRestriction
     jumpHost {
       ...CommonJumphostFields
     }
@@ -635,6 +636,7 @@ class ClusterV1(ConfiguredBaseModel):
     managed_groups: Optional[list[str]] = Field(..., alias="managedGroups")
     managed_cluster_roles: Optional[bool] = Field(..., alias="managedClusterRoles")
     insecure_skip_tls_verify: Optional[bool] = Field(..., alias="insecureSkipTLSVerify")
+    allowed_to_bypass_public_peering_restriction: Optional[bool] = Field(..., alias="allowedToBypassPublicPeeringRestriction")
     jump_host: Optional[CommonJumphostFields] = Field(..., alias="jumpHost")
     auth: list[Union[ClusterAuthGithubOrgTeamV1, ClusterAuthGithubOrgV1, ClusterAuthV1]] = Field(..., alias="auth")
     ocm: Optional[OpenShiftClusterManagerV1] = Field(..., alias="ocm")

reconcile/gql_definitions/external_resources/external_resources_namespaces.py

@@ -372,6 +372,7 @@ query ExternalResourcesNamespaces {
             identifier
             defaults
             es_identifier
+            policy
             output_resource_name
             annotations
             tags
@@ -933,6 +934,7 @@ class NamespaceTerraformResourceKinesisV1(NamespaceTerraformResourceAWSV1):
     identifier: str = Field(..., alias="identifier")
     defaults: str = Field(..., alias="defaults")
     es_identifier: Optional[str] = Field(..., alias="es_identifier")
+    policy: Optional[str] = Field(..., alias="policy")
     output_resource_name: Optional[str] = Field(..., alias="output_resource_name")
     annotations: Optional[str] = Field(..., alias="annotations")
     tags: Optional[str] = Field(..., alias="tags")
@@ -1167,7 +1169,7 @@ class NamespaceTerraformResourceMskV1(NamespaceTerraformResourceAWSV1):
 
 class NamespaceTerraformProviderResourceAWSV1(NamespaceExternalResourceV1):
     provisioner: AWSAccountV1 = Field(..., alias="provisioner")
-    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
+    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
 
 
 class EnvironmentV1(ConfiguredBaseModel):

reconcile/gql_definitions/fragments/aws_vpc_request.py

@@ -28,6 +28,10 @@ class ConfiguredBaseModel(BaseModel):
     )
 
 
+class DisableClusterAutomationsV1(ConfiguredBaseModel):
+    integrations: Optional[list[str]] = Field(..., alias="integrations")
+
+
 class DeletionApprovalV1(ConfiguredBaseModel):
     q_type: str = Field(..., alias="type")
     name: str = Field(..., alias="name")
@@ -39,6 +43,7 @@ class AWSAccountV1(ConfiguredBaseModel):
     uid: str = Field(..., alias="uid")
     terraform_username: Optional[str] = Field(..., alias="terraformUsername")
     automation_token: VaultSecret = Field(..., alias="automationToken")
+    disable: Optional[DisableClusterAutomationsV1] = Field(..., alias="disable")
     supported_deployment_regions: Optional[list[str]] = Field(..., alias="supportedDeploymentRegions")
     resources_default_region: str = Field(..., alias="resourcesDefaultRegion")
     provider_version: str = Field(..., alias="providerVersion")

reconcile/gql_definitions/introspection.json

@@ -6489,6 +6489,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "allowedToBypassPublicPeeringRestriction",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "Boolean",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "namespaces",
                             "description": null,
@@ -41646,6 +41658,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "certificate_format",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "String",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "annotations",
                             "description": null,
@@ -47657,6 +47681,18 @@
                             },
                             "isDeprecated": false,
                             "deprecationReason": null
+                        },
+                        {
+                            "name": "bucket_policy",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "JSON",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
                         }
                     ],
                     "inputFields": null,
@@ -48266,6 +48302,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "policy",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "JSON",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "output_resource_name",
                             "description": null,

reconcile/gql_definitions/rhcs/certs.py

@@ -45,6 +45,7 @@ fragment OpenshiftResourceRhcsCert on NamespaceOpenshiftResourceRhcsCert_v1 {
     }
   }
   auto_renew_threshold_days
+  certificate_format
   annotations
 }
 

reconcile/gql_definitions/rhcs/openshift_resource_rhcs_cert.py

@@ -39,4 +39,5 @@ class OpenshiftResourceRhcsCert(ConfiguredBaseModel):
     service_account_name: str = Field(..., alias="service_account_name")
     service_account_password: Union[VaultSecretV1_VaultSecretV1, VaultSecretV1] = Field(..., alias="service_account_password")
     auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
+    certificate_format: Optional[str] = Field(..., alias="certificate_format")
     annotations: Optional[Json] = Field(..., alias="annotations")

reconcile/gql_definitions/terraform_resources/terraform_resources_namespaces.py

@@ -243,6 +243,7 @@ query TerraformResourcesNamespaces {
             defaults
             output_resource_name
             storage_class
+            bucket_policy
             annotations
           }
           ... on NamespaceTerraformResourceS3SQS_v1 {
@@ -299,6 +300,7 @@ query TerraformResourcesNamespaces {
             identifier
             defaults
             es_identifier
+            policy
             output_resource_name
             annotations
           }
@@ -774,6 +776,7 @@ class NamespaceTerraformResourceS3CloudFrontV1(NamespaceTerraformResourceAWSV1):
     defaults: str = Field(..., alias="defaults")
     output_resource_name: Optional[str] = Field(..., alias="output_resource_name")
     storage_class: Optional[str] = Field(..., alias="storage_class")
+    bucket_policy: Optional[str] = Field(..., alias="bucket_policy")
     annotations: Optional[str] = Field(..., alias="annotations")
 
 
@@ -836,6 +839,7 @@ class NamespaceTerraformResourceKinesisV1(NamespaceTerraformResourceAWSV1):
     identifier: str = Field(..., alias="identifier")
     defaults: str = Field(..., alias="defaults")
     es_identifier: Optional[str] = Field(..., alias="es_identifier")
+    policy: Optional[str] = Field(..., alias="policy")
     output_resource_name: Optional[str] = Field(..., alias="output_resource_name")
     annotations: Optional[str] = Field(..., alias="annotations")
 
@@ -1100,7 +1104,7 @@ class NamespaceTerraformResourceMskV1(NamespaceTerraformResourceAWSV1):
 
 
 class NamespaceTerraformProviderResourceAWSV1(NamespaceExternalResourceV1):
-    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
+    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
 
 
 class EnvironmentV1(ConfiguredBaseModel):

reconcile/gql_definitions/vpc_peerings_validator/vpc_peerings_validator.py

@@ -23,6 +23,7 @@ from reconcile.gql_definitions.vpc_peerings_validator.vpc_peerings_validator_pee
 DEFINITION = """
 fragment VpcPeeringsValidatorPeeredCluster on Cluster_v1 {
   name
+  allowedToBypassPublicPeeringRestriction
   network {
     vpc
   }
@@ -35,6 +36,7 @@ fragment VpcPeeringsValidatorPeeredCluster on Cluster_v1 {
 query VpcPeeringsValidator {
   clusters: clusters_v1 {
     name
+    allowedToBypassPublicPeeringRestriction
     network {
       vpc
     }
@@ -128,6 +130,7 @@ class ClusterPeeringV1(ConfiguredBaseModel):
 
 class ClusterV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
+    allowed_to_bypass_public_peering_restriction: Optional[bool] = Field(..., alias="allowedToBypassPublicPeeringRestriction")
     network: Optional[ClusterNetworkV1] = Field(..., alias="network")
     spec: Optional[ClusterSpecV1] = Field(..., alias="spec")
     internal: Optional[bool] = Field(..., alias="internal")

reconcile/gql_definitions/vpc_peerings_validator/vpc_peerings_validator_peered_cluster_fragment.py

@@ -34,6 +34,7 @@ class ClusterSpecV1(ConfiguredBaseModel):
 
 class VpcPeeringsValidatorPeeredCluster(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
+    allowed_to_bypass_public_peering_restriction: Optional[bool] = Field(..., alias="allowedToBypassPublicPeeringRestriction")
     network: Optional[ClusterNetworkV1] = Field(..., alias="network")
     spec: Optional[ClusterSpecV1] = Field(..., alias="spec")
     internal: Optional[bool] = Field(..., alias="internal")

reconcile/openshift_namespaces.py

@@ -43,6 +43,7 @@ class DesiredState:
     cluster: str
     namespace: str
     delete: bool
+    cluster_admin: bool
 
 
 class NamespaceDuplicateError(Exception):
@@ -92,6 +93,7 @@ def build_desired_state(
             cluster=namespace.cluster.name,
             namespace=namespace.name,
             delete=namespace.delete or False,
+            cluster_admin=namespace.cluster_admin or False,
         )
         for namespace in namespaces
     ]
@@ -104,7 +106,7 @@ def manage_namespace(
 ) -> None:
     namespace = desired_state.namespace
 
-    oc = oc_map.get(desired_state.cluster)
+    oc = oc_map.get(desired_state.cluster, privileged=desired_state.cluster_admin)
     if isinstance(oc, OCLogMsg):
         logging.log(level=oc.log_level, msg=oc.message)
         return
@@ -116,9 +118,6 @@ def manage_namespace(
 
     action = Action.DELETE if desired_state.delete else Action.CREATE
 
-    if namespace.startswith("openshift-"):
-        raise ValueError(f'cannot {action} a project starting with "openshift-"')
-
     logging.info([str(action), desired_state.cluster, namespace])
     if not dry_run:
         match action:

reconcile/openshift_rhcs_certs.py

@@ -32,7 +32,12 @@ from reconcile.utils.openshift_resource import (
     ResourceInventory,
     base64_encode_secret_field_value,
 )
-from reconcile.utils.rhcsv2_certs import RhcsV2Cert, generate_cert
+from reconcile.utils.rhcsv2_certs import (
+    CertificateFormat,
+    RhcsV2CertPem,
+    RhcsV2CertPkcs12,
+    generate_cert,
+)
 from reconcile.utils.runtime.integration import DesiredStateShardConfig
 from reconcile.utils.secret_reader import create_secret_reader
 from reconcile.utils.semver_helper import make_semver
@@ -66,6 +71,31 @@ class OpenshiftRhcsCertExpiration(GaugeMetric):
         return "qontract_reconcile_rhcs_cert_expiration_timestamp"
 
 
+def _generate_placeholder_cert(
+    cert_format: CertificateFormat,
+) -> RhcsV2CertPem | RhcsV2CertPkcs12:
+    match cert_format:
+        case CertificateFormat.PKCS12:
+            return RhcsV2CertPkcs12(
+                pkcs12_keystore="PLACEHOLDER_KEYSTORE",
+                pkcs12_truststore="PLACEHOLDER_TRUSTSTORE",
+                expiration_timestamp=int(time.time()),
+            )
+        case CertificateFormat.PEM:
+            return RhcsV2CertPem(
+                certificate="PLACEHOLDER_CERT",
+                private_key="PLACEHOLDER_PRIVATE_KEY",
+                ca_cert="PLACEHOLDER_CA_CERT",
+                expiration_timestamp=int(time.time()),
+            )
+
+
+def get_certificate_format(
+    cert_resource: OpenshiftResourceRhcsCert,
+) -> CertificateFormat:
+    return CertificateFormat(cert_resource.certificate_format or "PEM")
+
+
 def get_namespaces_with_rhcs_certs(
     query_func: Callable,
     cluster_name: Iterable[str] | None = None,
@@ -84,14 +114,21 @@ def get_namespaces_with_rhcs_certs(
 
 
 def construct_rhcs_cert_oc_secret(
-    secret_name: str, cert: Mapping[str, Any], annotations: Mapping[str, str]
+    secret_name: str,
+    cert: Mapping[str, Any],
+    annotations: Mapping[str, str],
+    certificate_format: CertificateFormat,
 ) -> OR:
     body: dict[str, Any] = {
         "apiVersion": "v1",
         "kind": "Secret",
-        "type": "kubernetes.io/tls",
         "metadata": {"name": secret_name, "annotations": annotations},
     }
+    match certificate_format:
+        case CertificateFormat.PKCS12:
+            body["type"] = "Opaque"
+        case CertificateFormat.PEM:
+            body["type"] = "kubernetes.io/tls"
     for k, v in cert.items():
         v = base64_encode_secret_field_value(v)
         body.setdefault("data", {})[k] = v
@@ -145,17 +182,18 @@ def generate_vault_cert_secret(
         f"Creating cert with service account credentials for '{cert_resource.service_account_name}'. cluster='{ns.cluster.name}', namespace='{ns.name}', secret='{cert_resource.secret_name}'"
     )
     sa_password = vault.read(cert_resource.service_account_password.model_dump())
+    cert_format = get_certificate_format(cert_resource)
+
     if dry_run:
-        rhcs_cert = RhcsV2Cert(
-            certificate="PLACEHOLDER_CERT",
-            private_key="PLACEHOLDER_PRIVATE_KEY",
-            ca_cert="PLACEHOLDER_CA_CERT",
-            expiration_timestamp=int(time.time()),
-        )
+        rhcs_cert = _generate_placeholder_cert(cert_format)
     else:
         try:
             rhcs_cert = generate_cert(
-                issuer_url, cert_resource.service_account_name, sa_password, ca_cert_url
+                issuer_url=issuer_url,
+                uid=cert_resource.service_account_name,
+                pwd=sa_password,
+                ca_url=ca_cert_url,
+                cert_format=cert_format,
             )
         except ValueError as e:
             raise Exception(
@@ -166,12 +204,12 @@ def generate_vault_cert_secret(
         )
         vault.write(
             secret={
-                "data": rhcs_cert.model_dump(by_alias=True),
+                "data": rhcs_cert.model_dump(by_alias=True, exclude_none=True),
                 "path": f"{vault_base_path}/{ns.cluster.name}/{ns.name}/{cert_resource.secret_name}",
             },
             decode_base64=False,
         )
-    return rhcs_cert.model_dump(by_alias=True)
+    return rhcs_cert.model_dump(by_alias=True, exclude_none=True)
 
 
 def fetch_openshift_resource_for_cert_resource(
@@ -213,6 +251,7 @@ def fetch_openshift_resource_for_cert_resource(
         secret_name=cert_resource.secret_name,
         cert=vault_cert_secret,
         annotations=cert_resource.annotations or {},
+        certificate_format=get_certificate_format(cert_resource),
     )
 
 

reconcile/templates/rosa-classic-cluster-creation.sh.j2

@@ -47,7 +47,7 @@ rosa create cluster -y --cluster-name={{ cluster_name }} \
     --service-cidr {{ cluster.network.service }} \
     --pod-cidr {{ cluster.network.pod }} \
     --host-prefix 23 \
-    --replicas {{ cluster.machine_pools | length }} \
+    --replicas 3 \
     --compute-machine-type {{ cluster.machine_pools[0].instance_type }} \
     {% if cluster.spec.disable_user_workload_monitoring -%}
     --disable-workload-monitoring \

reconcile/templates/rosa-hcp-cluster-creation.sh.j2

@@ -47,7 +47,7 @@ rosa create cluster --cluster-name={{ cluster_name }} \
     --service-cidr {{ cluster.network.service }} \
     --pod-cidr {{ cluster.network.pod }} \
     --host-prefix 23 \
-    --replicas {{ cluster.machine_pools | length }} \
+    --replicas 3 \
     --compute-machine-type {{ cluster.machine_pools[0].instance_type }} \
     {% if cluster.spec.private -%}
     --private \

reconcile/terraform_vpc_resources/integration.py

@@ -24,6 +24,7 @@ from reconcile.typed_queries.external_resources import get_settings
 from reconcile.typed_queries.github_orgs import get_github_orgs
 from reconcile.typed_queries.gitlab_instances import get_gitlab_instances
 from reconcile.utils import gql
+from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.runtime.integration import (
     DesiredStateShardConfig,
     PydanticRunParams,
@@ -62,12 +63,14 @@ class TerraformVpcResources(QontractReconcileIntegration[TerraformVpcResourcesPa
     ) -> list[AWSAccountV1]:
         """Return a list of accounts extracted from the provided VPCRequests.
         If account_name is given returns the account object with that name."""
-        accounts = [vpc.account for vpc in data]
-
-        if account_name:
-            accounts = [account for account in accounts if account.name == account_name]
-
-        return accounts
+        return [
+            vpc.account
+            for vpc in data
+            if (
+                integration_is_enabled(self.name, vpc.account)
+                and (not account_name or vpc.account.name == account_name)
+            )
+        ]
 
     def _handle_outputs(
         self, requests: Iterable[VPCRequest], outputs: Mapping[str, Any]
@@ -155,7 +158,7 @@ class TerraformVpcResources(QontractReconcileIntegration[TerraformVpcResourcesPa
         if data:
             accounts = self._filter_accounts(data, account_name)
             if account_name and not accounts:
-                msg = f"The account {account_name} doesn't have any managed vpc. Verify your input"
+                msg = f"The account {account_name} doesn't have any managed vpcs or the {QONTRACT_INTEGRATION} integration is disabled for this account. Verify your input"
                 logging.debug(msg)
                 sys.exit(ExitCodes.SUCCESS)
         else: