qontract-reconcile 0.10.2.dev427__py3-none-any.whl → 0.10.2.dev465__py3-none-any.whl

reconcile/aws_account_manager/utils.py

@@ -24,7 +24,7 @@ def validate(account: AWSAccountV1) -> bool:
         raise ExceptionGroup("Multiple quotas are referenced in the account", errors)
 
     if account.organization_accounts or account.account_requests:
-        # it's payer account
+        # it's a "payer account"
         if not account.premium_support:
             raise ValueError(
                 f"Premium support is required for payer account {account.name}"

reconcile/aws_ecr_image_pull_secrets.py

@@ -21,7 +21,7 @@ def get_password(token: str) -> str:
 
 def construct_dockercfg_secret_data(data: Mapping[str, Any]) -> dict[str, str]:
     auth_data = data["authorizationData"][0]
-    server = auth_data["proxyEndpoint"]
+    server = auth_data["proxyEndpoint"].replace("https://", "")
     token = auth_data["authorizationToken"]
     password = get_password(token)
     data = {

reconcile/change_owners/README.md

@@ -15,7 +15,7 @@
 
 `change_owners` uses the `qontract-server` diff endpoint to get a highlevel overview what changed in an MR. It leverages `change_types` to find fine grained differences in datafiles and resourcefiles and build `BundleFileChange` objects that hold the state of diffs and diff coverage.
 
-`change_owners` checks `BundleFileChange` objects for `change-types` that are `restrictive`. If the MR was created by a user, that has this `change-type` not assigned, the integration will fail. A user with this role assigned could issue an `/good-to-test` command to override this restriction.
+`change_owners` checks `BundleFileChange` objects for `change-types` that are `restrictive`. If the MR was created by a user, that has this `change-type` not assigned, the integration will fail. A user with this role assigned could issue an `/ok-to-test` command to override this restriction.
 
 `change_owners` reachs out to pluggable functionality to find out which `change-types` can be applied to which changes with a set of approvers. Currently, the only module to provide such `ChangeTypeContext` is `self_service_roles` which looks for explicitly bound `change-types` and files in the context of a `Role` with users and bots will can act as approvers.
 

reconcile/change_owners/change_owners.py

@@ -23,6 +23,7 @@ from reconcile.change_owners.changes import (
 )
 from reconcile.change_owners.decision import (
     ChangeDecision,
+    ChangeResponsibles,
     DecisionCommand,
     apply_decisions_to_changes,
     get_approver_decisions_from_mr_comments,
@@ -115,6 +116,77 @@ def manage_conditional_label(
     return set(new_labels)
 
 
+def build_status_message(
+    self_serviceable: bool,
+    authoritative: bool,
+    change_admitted: bool,
+    approver_reachability: set[str],
+    supported_commands: list[str],
+) -> str:
+    """
+    Build a user-friendly status message based on the MR state.
+    """
+    approver_section = _build_approver_contact_section(approver_reachability)
+
+    # Check if changes are not admitted (security gate - takes priority)
+    if not change_admitted:
+        return f"""## ⏸️ Approval Required
+Your changes need `/ok-to-test` approval from a listed approver before review can begin.
+
+{approver_section}"""
+
+    commands_text = (
+        f"**Available commands:** {' '.join(f'`{cmd}`' for cmd in supported_commands)}"
+    )
+
+    code_warning = ""
+    if not authoritative:
+        code_warning = "⚠️ **Code changes outside of data and resources detected** - please review carefully\n\n"
+
+    if self_serviceable:
+        return f"""## ✅ Ready for Review
+Get `/lgtm` approval from the listed approvers below.
+
+{code_warning}{approver_section}
+
+{commands_text}"""
+
+    return f"""## 🔍 AppSRE Review Required
+**What happens next:**
+* AppSRE will review via their [review queue](https://gitlab.cee.redhat.com/service/app-interface-output/-/blob/master/app-interface-review-queue.md)
+* Please don't ping directly unless this is **urgent**
+* See [etiquette guide](https://gitlab.cee.redhat.com/service/app-interface#app-interface-etiquette) for more info
+
+{code_warning}{approver_section}
+
+{commands_text}"""
+
+
+def _build_approver_contact_section(approver_reachability: set[str]) -> str:
+    """Build the approver contact information section."""
+    if not approver_reachability:
+        return ""
+
+    return "**Reach out to approvers:**\n" + "\n".join([
+        f"* {ar}" for ar in approver_reachability
+    ])
+
+
+def _format_change_responsible(cr: ChangeResponsibles) -> str:
+    """
+    Format a ChangeResponsibles object.
+    """
+    usernames = [
+        f"@{a.org_username}"
+        if (a.tag_on_merge_requests or len(cr.approvers) == 1)
+        else a.org_username
+        for a in cr.approvers
+    ]
+
+    usernames_text = " ".join(usernames)
+    return f"<details><summary>{cr.context}</summary>{usernames_text}</details>"
+
+
 def write_coverage_report_to_mr(
     self_serviceable: bool,
     change_decisions: list[ChangeDecision],
@@ -135,14 +207,11 @@ def write_coverage_report_to_mr(
         startswith=change_coverage_report_header,
     )
 
-    # add new report comment
+    # Build change coverage table
     results = []
     approver_reachability = set()
     for d in change_decisions:
-        approvers = [
-            f"{cr.context} - {' '.join([f'@{a.org_username}' if (a.tag_on_merge_requests or len(cr.approvers) == 1) else a.org_username for a in cr.approvers])}"
-            for cr in d.change_responsibles
-        ]
+        approvers = [_format_change_responsible(cr) for cr in d.change_responsibles]
         if d.coverable_by_fragment_decisions:
             approvers.append(
                 "automatically approved if all sub-properties are approved"
@@ -164,41 +233,33 @@ def write_coverage_report_to_mr(
             item["status"] = "hold"
         elif d.is_approved():
             item["status"] = "approved"
-        item["approvers"] = approvers
+        item["approvers"] = "".join(approvers)
         results.append(item)
+
     coverage_report = format_table(
         results, ["file", "change", "status", "approvers"], table_format="github"
     )
 
-    self_serviceability_hint = "All changes require an `/lgtm` from a listed approver "
-    if not self_serviceable:
-        self_serviceability_hint += (
-            "but <b>not all changes are self-serviceable and require AppSRE approval</b>."
-            "The AppSRE Interrupt Catcher (IC) will review your Merge Request (MR) as it comes up in their "
-            "<a href='https://gitlab.cee.redhat.com/service/app-interface-output/-/blob/master/app-interface-review-queue.md'>queue</a>, "
-            "please do not ping them directly unless this is <b>urgent</b>."
-            "\nPlease see https://gitlab.cee.redhat.com/service/app-interface#app-interface-etiquette for more information. Thank you :)"
-        )
-    if not authoritative:
-        self_serviceability_hint += "\n\nchanges outside of data and resources detected - <b>PAY EXTRA ATTENTION WHILE REVIEWING</b>\n\n"
-
-    if not change_admitted:
-        self_serviceability_hint += "\n\nchanges are not admitted. Please request `/good-to-test` from one of the approvers.\n\n"
-
-    approver_reachability_hint = "Reach out to approvers for reviews"
-    if approver_reachability:
-        approver_reachability_hint += " on\n" + "\n".join([
-            f"* {ar}" for ar in approver_reachability or []
-        ])
-    gl.add_comment_to_merge_request(
-        merge_request,
-        f"{change_coverage_report_header}<br/>"
-        f"{self_serviceability_hint}\n"
-        f"{coverage_report}\n\n"
-        f"{approver_reachability_hint}\n\n"
-        + f"Supported commands: {' '.join([f'`{d.value}`' for d in DecisionCommand])} ",
+    # Build user-friendly status message
+    supported_commands = [d.value for d in DecisionCommand]
+    status_message = build_status_message(
+        self_serviceable=self_serviceable,
+        authoritative=authoritative,
+        change_admitted=change_admitted,
+        approver_reachability=approver_reachability,
+        supported_commands=supported_commands,
     )
 
+    # Create the full comment
+    full_comment = f"""{change_coverage_report_header}
+
+{status_message}
+
+## 📋 Change Summary
+{coverage_report}"""
+
+    gl.add_comment_to_merge_request(merge_request, full_comment)
+
 
 def write_coverage_report_to_stdout(change_decisions: list[ChangeDecision]) -> None:
     results = []
@@ -261,22 +322,22 @@ def init_gitlab(gitlab_project_id: str) -> GitLabApi:
 
 
 def is_coverage_admitted(
-    coverage: ChangeTypeContext, mr_author: str, good_to_test_approvers: set[str]
+    coverage: ChangeTypeContext, mr_author: str, ok_to_test_approvers: set[str]
 ) -> bool:
     return any(
-        a.org_username == mr_author or a.org_username in good_to_test_approvers
+        a.org_username == mr_author or a.org_username in ok_to_test_approvers
         for a in coverage.approvers
     )
 
 
 def is_change_admitted(
-    changes: list[BundleFileChange], mr_author: str, good_to_test_approvers: set[str]
+    changes: list[BundleFileChange], mr_author: str, ok_to_test_approvers: set[str]
 ) -> bool:
     # Checks if mr authors are allowed to do the changes in the merge request.
     # If a change type is restrictive and the author is not an approver,
     # this is not admitted.
     # A change might be admitted if a user that has the restrictive change
-    # type is an approver or an approver adds an /good-to-test comment.
+    # type is an approver or an approver adds an /ok-to-test comment.
 
     restrictive_coverages = [
         c
@@ -290,7 +351,7 @@ def is_change_admitted(
     change_types_approved = {
         c.origin
         for c in restrictive_coverages
-        if is_coverage_admitted(c, mr_author, good_to_test_approvers)
+        if is_coverage_admitted(c, mr_author, ok_to_test_approvers)
     }
     return change_types_to_approve == change_types_approved
 
@@ -381,17 +442,22 @@ def run(
             merge_request = gl.get_merge_request(gitlab_merge_request_id)
 
             comments = gl.get_merge_request_comments(merge_request)
-            good_to_test_approvers = {
-                c.username for c in comments if c.body.strip() == "/good-to-test"
+            ok_to_test_approvers = {
+                c.username for c in comments if c.body.strip() == "/ok-to-test"
             }
 
             change_admitted = is_change_admitted(
                 changes,
                 gl.get_merge_request_author_username(merge_request),
-                good_to_test_approvers,
+                ok_to_test_approvers,
             )
             approver_decisions = get_approver_decisions_from_mr_comments(
-                gl.get_merge_request_comments(merge_request, include_description=True)
+                gl.get_merge_request_comments(
+                    merge_request,
+                    include_description=True,
+                    include_approvals=True,
+                    approval_body=DecisionCommand.APPROVED.value,
+                )
             )
             change_decisions = apply_decisions_to_changes(
                 changes,

reconcile/change_owners/decision.py

@@ -20,7 +20,7 @@ class DecisionCommand(Enum):
     CANCEL_APPROVED = "/lgtm cancel"
     HOLD = "/hold"
     CANCEL_HOLD = "/hold cancel"
-    GOOD_TO_TEST = "/good-to-test"
+    OK_TO_TEST = "/ok-to-test"
 
 
 @dataclass

reconcile/cli.py

@@ -53,7 +53,7 @@ TERRAFORM_VERSION_REGEX = r"^Terraform\sv([\d]+\.[\d]+\.[\d]+)$"
 OC_VERSIONS = ["4.19.0", "4.16.2"]
 OC_VERSION_REGEX = r"^Client\sVersion:\s([\d]+\.[\d]+\.[\d]+)"
 
-HELM_VERSIONS = ["3.11.1"]
+HELM_VERSIONS = ["3.19.2"]
 HELM_VERSION_REGEX = r"^version.BuildInfo{Version:\"v([\d]+\.[\d]+\.[\d]+)\".*$"
 
 

reconcile/external_resources/secrets_sync.py

@@ -448,9 +448,8 @@ class VaultSecretsReconciler(SecretsReconciler):
         secret_path = self.secret_path(self.vault_path, spec)
         try:
             logging.debug("Reading Secret %s", secret_path)
-            data = self.secrets_reader.read_all({"path": secret_path})
-            spec.metadata[SECRET_UPDATED_AT] = data[SECRET_UPDATED_AT]
-            del data[SECRET_UPDATED_AT]
+            data = self.secrets_reader.read_all({"path": secret_path}).copy()
+            spec.metadata[SECRET_UPDATED_AT] = data.pop(SECRET_UPDATED_AT)
             spec.secret = data
         except SecretNotFoundError:
             logging.info("Error getting secret from vault, skipping. [%s]", secret_path)

reconcile/gql_definitions/aws_account_manager/aws_accounts.py

@@ -97,6 +97,10 @@ query AWSAccountManagerAccounts {
       ...AWSAccountManaged
     }
     organizationAccountTags
+    # for account request email address verification
+    accountOwners {
+      email
+    }
   }
 }
 """
@@ -149,6 +153,10 @@ class AWSAccountRequestV1(ConfiguredBaseModel):
     account_file_target_path: Optional[str] = Field(..., alias="accountFileTargetPath")
 
 
+class AWSAccountV1_OwnerV1(ConfiguredBaseModel):
+    email: str = Field(..., alias="email")
+
+
 class AWSAccountV1(AWSAccountManaged):
     resources_default_region: str = Field(..., alias="resourcesDefaultRegion")
     automation_token: VaultSecret = Field(..., alias="automationToken")
@@ -157,6 +165,7 @@ class AWSAccountV1(AWSAccountManaged):
     account_requests: Optional[list[AWSAccountRequestV1]] = Field(..., alias="account_requests")
     organization_accounts: Optional[list[AWSAccountManaged]] = Field(..., alias="organization_accounts")
     organization_account_tags: Optional[Json] = Field(..., alias="organizationAccountTags")
+    account_owners: list[AWSAccountV1_OwnerV1] = Field(..., alias="accountOwners")
 
 
 class AWSAccountManagerAccountsQueryData(ConfiguredBaseModel):

reconcile/gql_definitions/common/aws_vpc_requests.py

@@ -48,6 +48,9 @@ fragment VPCRequest on VPCRequest_v1 {
     automationToken {
       ...VaultSecret
     }
+    disable {
+      integrations
+    }
     supportedDeploymentRegions
     resourcesDefaultRegion
     providerVersion

reconcile/gql_definitions/common/clusters.py

@@ -113,6 +113,7 @@ query Clusters($name: String) {
     managedGroups
     managedClusterRoles
     insecureSkipTLSVerify
+    allowedToBypassPublicPeeringRestriction
     jumpHost {
       ...CommonJumphostFields
     }
@@ -635,6 +636,7 @@ class ClusterV1(ConfiguredBaseModel):
     managed_groups: Optional[list[str]] = Field(..., alias="managedGroups")
     managed_cluster_roles: Optional[bool] = Field(..., alias="managedClusterRoles")
     insecure_skip_tls_verify: Optional[bool] = Field(..., alias="insecureSkipTLSVerify")
+    allowed_to_bypass_public_peering_restriction: Optional[bool] = Field(..., alias="allowedToBypassPublicPeeringRestriction")
     jump_host: Optional[CommonJumphostFields] = Field(..., alias="jumpHost")
     auth: list[Union[ClusterAuthGithubOrgTeamV1, ClusterAuthGithubOrgV1, ClusterAuthV1]] = Field(..., alias="auth")
     ocm: Optional[OpenShiftClusterManagerV1] = Field(..., alias="ocm")

reconcile/gql_definitions/external_resources/external_resources_namespaces.py

@@ -372,6 +372,7 @@ query ExternalResourcesNamespaces {
             identifier
             defaults
             es_identifier
+            policy
             output_resource_name
             annotations
             tags
@@ -574,6 +575,7 @@ query ExternalResourcesNamespaces {
       name
       labels
       servicePhase
+      costCenter
     }
     app {
       path
@@ -933,6 +935,7 @@ class NamespaceTerraformResourceKinesisV1(NamespaceTerraformResourceAWSV1):
     identifier: str = Field(..., alias="identifier")
     defaults: str = Field(..., alias="defaults")
     es_identifier: Optional[str] = Field(..., alias="es_identifier")
+    policy: Optional[str] = Field(..., alias="policy")
     output_resource_name: Optional[str] = Field(..., alias="output_resource_name")
     annotations: Optional[str] = Field(..., alias="annotations")
     tags: Optional[str] = Field(..., alias="tags")
@@ -1167,13 +1170,14 @@ class NamespaceTerraformResourceMskV1(NamespaceTerraformResourceAWSV1):
 
 class NamespaceTerraformProviderResourceAWSV1(NamespaceExternalResourceV1):
     provisioner: AWSAccountV1 = Field(..., alias="provisioner")
-    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
+    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
 
 
 class EnvironmentV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     labels: str = Field(..., alias="labels")
     service_phase: str = Field(..., alias="servicePhase")
+    cost_center: Optional[str] = Field(..., alias="costCenter")
 
 
 class AppV1(ConfiguredBaseModel):

reconcile/gql_definitions/fragments/aws_vpc_request.py

@@ -28,6 +28,10 @@ class ConfiguredBaseModel(BaseModel):
     )
 
 
+class DisableClusterAutomationsV1(ConfiguredBaseModel):
+    integrations: Optional[list[str]] = Field(..., alias="integrations")
+
+
 class DeletionApprovalV1(ConfiguredBaseModel):
     q_type: str = Field(..., alias="type")
     name: str = Field(..., alias="name")
@@ -39,6 +43,7 @@ class AWSAccountV1(ConfiguredBaseModel):
     uid: str = Field(..., alias="uid")
     terraform_username: Optional[str] = Field(..., alias="terraformUsername")
     automation_token: VaultSecret = Field(..., alias="automationToken")
+    disable: Optional[DisableClusterAutomationsV1] = Field(..., alias="disable")
     supported_deployment_regions: Optional[list[str]] = Field(..., alias="supportedDeploymentRegions")
     resources_default_region: str = Field(..., alias="resourcesDefaultRegion")
     provider_version: str = Field(..., alias="providerVersion")

reconcile/gql_definitions/introspection.json

@@ -6489,6 +6489,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "allowedToBypassPublicPeeringRestriction",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "Boolean",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "namespaces",
                             "description": null,
@@ -17217,6 +17229,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "costCenter",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "String",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "namespaces",
                             "description": null,
@@ -41646,6 +41670,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "certificate_format",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "String",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "annotations",
                             "description": null,
@@ -47657,6 +47693,18 @@
                             },
                             "isDeprecated": false,
                             "deprecationReason": null
+                        },
+                        {
+                            "name": "bucket_policy",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "JSON",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
                         }
                     ],
                     "inputFields": null,
@@ -48266,6 +48314,18 @@
                             "isDeprecated": false,
                             "deprecationReason": null
                         },
+                        {
+                            "name": "policy",
+                            "description": null,
+                            "args": [],
+                            "type": {
+                                "kind": "SCALAR",
+                                "name": "JSON",
+                                "ofType": null
+                            },
+                            "isDeprecated": false,
+                            "deprecationReason": null
+                        },
                         {
                             "name": "output_resource_name",
                             "description": null,

reconcile/gql_definitions/rhcs/certs.py

@@ -45,6 +45,7 @@ fragment OpenshiftResourceRhcsCert on NamespaceOpenshiftResourceRhcsCert_v1 {
     }
   }
   auto_renew_threshold_days
+  certificate_format
   annotations
 }
 

reconcile/gql_definitions/rhcs/openshift_resource_rhcs_cert.py

@@ -39,4 +39,5 @@ class OpenshiftResourceRhcsCert(ConfiguredBaseModel):
     service_account_name: str = Field(..., alias="service_account_name")
     service_account_password: Union[VaultSecretV1_VaultSecretV1, VaultSecretV1] = Field(..., alias="service_account_password")
     auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
+    certificate_format: Optional[str] = Field(..., alias="certificate_format")
     annotations: Optional[Json] = Field(..., alias="annotations")

reconcile/gql_definitions/terraform_resources/terraform_resources_namespaces.py

@@ -243,6 +243,7 @@ query TerraformResourcesNamespaces {
             defaults
             output_resource_name
             storage_class
+            bucket_policy
             annotations
           }
           ... on NamespaceTerraformResourceS3SQS_v1 {
@@ -299,6 +300,7 @@ query TerraformResourcesNamespaces {
             identifier
             defaults
             es_identifier
+            policy
             output_resource_name
             annotations
           }
@@ -519,6 +521,7 @@ query TerraformResourcesNamespaces {
     environment {
       name
       servicePhase
+      costCenter
     }
     app {
       name
@@ -774,6 +777,7 @@ class NamespaceTerraformResourceS3CloudFrontV1(NamespaceTerraformResourceAWSV1):
     defaults: str = Field(..., alias="defaults")
     output_resource_name: Optional[str] = Field(..., alias="output_resource_name")
     storage_class: Optional[str] = Field(..., alias="storage_class")
+    bucket_policy: Optional[str] = Field(..., alias="bucket_policy")
     annotations: Optional[str] = Field(..., alias="annotations")
 
 
@@ -836,6 +840,7 @@ class NamespaceTerraformResourceKinesisV1(NamespaceTerraformResourceAWSV1):
     identifier: str = Field(..., alias="identifier")
     defaults: str = Field(..., alias="defaults")
     es_identifier: Optional[str] = Field(..., alias="es_identifier")
+    policy: Optional[str] = Field(..., alias="policy")
     output_resource_name: Optional[str] = Field(..., alias="output_resource_name")
     annotations: Optional[str] = Field(..., alias="annotations")
 
@@ -1100,12 +1105,13 @@ class NamespaceTerraformResourceMskV1(NamespaceTerraformResourceAWSV1):
 
 
 class NamespaceTerraformProviderResourceAWSV1(NamespaceExternalResourceV1):
-    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
+    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceRDSProxyV1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
 
 
 class EnvironmentV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     service_phase: str = Field(..., alias="servicePhase")
+    cost_center: Optional[str] = Field(..., alias="costCenter")
 
 
 class AppV1(ConfiguredBaseModel):

reconcile/gql_definitions/vpc_peerings_validator/vpc_peerings_validator.py

@@ -23,6 +23,7 @@ from reconcile.gql_definitions.vpc_peerings_validator.vpc_peerings_validator_pee
 DEFINITION = """
 fragment VpcPeeringsValidatorPeeredCluster on Cluster_v1 {
   name
+  allowedToBypassPublicPeeringRestriction
   network {
     vpc
   }
@@ -35,6 +36,7 @@ fragment VpcPeeringsValidatorPeeredCluster on Cluster_v1 {
 query VpcPeeringsValidator {
   clusters: clusters_v1 {
     name
+    allowedToBypassPublicPeeringRestriction
     network {
       vpc
     }
@@ -128,6 +130,7 @@ class ClusterPeeringV1(ConfiguredBaseModel):
 
 class ClusterV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
+    allowed_to_bypass_public_peering_restriction: Optional[bool] = Field(..., alias="allowedToBypassPublicPeeringRestriction")
     network: Optional[ClusterNetworkV1] = Field(..., alias="network")
     spec: Optional[ClusterSpecV1] = Field(..., alias="spec")
     internal: Optional[bool] = Field(..., alias="internal")

reconcile/gql_definitions/vpc_peerings_validator/vpc_peerings_validator_peered_cluster_fragment.py

@@ -34,6 +34,7 @@ class ClusterSpecV1(ConfiguredBaseModel):
 
 class VpcPeeringsValidatorPeeredCluster(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
+    allowed_to_bypass_public_peering_restriction: Optional[bool] = Field(..., alias="allowedToBypassPublicPeeringRestriction")
     network: Optional[ClusterNetworkV1] = Field(..., alias="network")
     spec: Optional[ClusterSpecV1] = Field(..., alias="spec")
     internal: Optional[bool] = Field(..., alias="internal")

reconcile/openshift_namespaces.py

@@ -43,6 +43,7 @@ class DesiredState:
     cluster: str
     namespace: str
     delete: bool
+    cluster_admin: bool
 
 
 class NamespaceDuplicateError(Exception):
@@ -92,6 +93,7 @@ def build_desired_state(
             cluster=namespace.cluster.name,
             namespace=namespace.name,
             delete=namespace.delete or False,
+            cluster_admin=namespace.cluster_admin or False,
         )
         for namespace in namespaces
     ]
@@ -104,7 +106,7 @@ def manage_namespace(
 ) -> None:
     namespace = desired_state.namespace
 
-    oc = oc_map.get(desired_state.cluster)
+    oc = oc_map.get(desired_state.cluster, privileged=desired_state.cluster_admin)
     if isinstance(oc, OCLogMsg):
         logging.log(level=oc.log_level, msg=oc.message)
         return
@@ -116,9 +118,6 @@ def manage_namespace(
 
     action = Action.DELETE if desired_state.delete else Action.CREATE
 
-    if namespace.startswith("openshift-"):
-        raise ValueError(f'cannot {action} a project starting with "openshift-"')
-
     logging.info([str(action), desired_state.cluster, namespace])
     if not dry_run:
         match action: