qontract-reconcile 0.10.1rc856__py3-none-any.whl → 0.10.1rc858__py3-none-any.whl

{qontract_reconcile-0.10.1rc856.dist-info → qontract_reconcile-0.10.1rc858.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc856
+Version: 0.10.1rc858
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc856.dist-info → qontract_reconcile-0.10.1rc858.dist-info}/RECORD

@@ -10,7 +10,7 @@ reconcile/aws_iam_password_reset.py,sha256=NwErtrqgBiXr7eGCAHdtGGOx0S7-4JnSc29Ie
 reconcile/aws_support_cases_sos.py,sha256=Jk6_XjDeJSYxgRGqcEAOcynt9qJF2r5HPIPcSKmoBv8,2974
 reconcile/blackbox_exporter_endpoint_monitoring.py,sha256=W_VJagnsJR1v5oqjlI3RJJE0_nhtJ0m81RS8zWA5u5c,3538
 reconcile/checkpoint.py,sha256=R2WFXUXLTB4sWMi4GeA4eegsuf_1-Q4vH8M0Toh3Ij4,5036
-reconcile/cli.py,sha256=7IBz-214OFOt7EFzmFHgtk6KQh6T9fvvfV_8WWmeChM,103658
+reconcile/cli.py,sha256=F5s-i-OlL6RhqiYkEhXMaNLegiPazbS0ahEtRrO2LeE,104075
 reconcile/closedbox_endpoint_monitoring_base.py,sha256=SMhkcQqprWvThrIJa3U_3uh5w1h-alleW1QnCJFY4Qw,4909
 reconcile/cluster_deployment_mapper.py,sha256=2Ah-nu-Mdig0pjuiZl_XLrmVAjYzFjORR3dMlCgkmw0,2352
 reconcile/dashdotdb_base.py,sha256=R2JuwiXAEYAFiCtnztM_IIr1rtVzPpaWAmgxuDa2FgY,4813
@@ -70,8 +70,8 @@ reconcile/openshift_namespace_labels.py,sha256=dLkQgtgsD51WtDHiQOc-lF2yaaFzkiUAZ
 reconcile/openshift_namespaces.py,sha256=nHW1e3dyUWw3JPAzeQeZQ6s2-RuQYaNR7_DUfTP8KOg,5830
 reconcile/openshift_network_policies.py,sha256=_qqv7yj17OM1J8KJPsFmzFZ85gzESJeBocC672z4_WU,4231
 reconcile/openshift_resourcequotas.py,sha256=yUi56PiOn3inMMfq_x_FEHmaW-reGipzoorjdar372g,2415
-reconcile/openshift_resources.py,sha256=kwsY5cko7udEKNlhL2oKiKv_5wzEw9wmmwROE016ng8,1400
-reconcile/openshift_resources_base.py,sha256=TuR8GgAB1KlQQlHY_E7FHNyhfHB-X65_tk3-THbFy0s,39716
+reconcile/openshift_resources.py,sha256=WPnSTftrCCHaCDfwSD0CLvs-7GQqay5B7AtM6Swxy7c,1537
+reconcile/openshift_resources_base.py,sha256=FW3gMwji2cdM8MPTL0JDXHHz3jWa50NQyhpvU78oeus,40029
 reconcile/openshift_rolebindings.py,sha256=LlImloBisEqzc36jaatic-TeM3hzqMEfxogF-dM4Yhw,6599
 reconcile/openshift_routes.py,sha256=fXvuPSjcjVw1X3j2EQvUAdbOepmIFdKk-M3qP8QzPiw,1075
 reconcile/openshift_saas_deploy.py,sha256=fmhopPEbyZsGQHRPzyzpKEvoBXEGN3aPxFi7Utq0emU,12788
@@ -149,7 +149,7 @@ reconcile/aws_cloudwatch_log_retention/integration.py,sha256=0UcSZIrGvnGY4m9fj87
 reconcile/aws_saml_idp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/aws_saml_idp/integration.py,sha256=0Q8dNMDzEF7qXW6M9cqIU5MeVCUmr7vmX9GnoJCvFMY,6536
 reconcile/aws_saml_roles/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-reconcile/aws_saml_roles/integration.py,sha256=kC4Rnbuy07TMvZO4rjUEcQkJev10M0Ro6r7YXcB7j_c,9530
+reconcile/aws_saml_roles/integration.py,sha256=d_mBdQTF0Uj2h4NYR1xF0KDuciW1H39CohCDz40HgYA,11259
 reconcile/aws_version_sync/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/aws_version_sync/integration.py,sha256=uI6k0nNS_jRrVaIcgm30Hj_M6GIJmexU2X-6Dxe0CZo,17271
 reconcile/aws_version_sync/utils.py,sha256=sVv-48PKi2VITlqqvmpbjnFDOPeGqfKzgkpIszlmjL0,1708
@@ -834,8 +834,8 @@ tools/test/test_app_interface_metrics_exporter.py,sha256=SX7qL3D1SIRKFo95FoQztvf
 tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jrss,4941
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc856.dist-info/METADATA,sha256=JfccMX9Vsbbv10UZZNVKK7jFNwzW1hVHTz-fDsMSukI,2273
-qontract_reconcile-0.10.1rc856.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc856.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc856.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc856.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc858.dist-info/METADATA,sha256=bj-1Gb96R96k2hOHPvpFebr_2irBGjI2LdMDUwliOZ8,2273
+qontract_reconcile-0.10.1rc858.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc858.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc858.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc858.dist-info/RECORD,,

reconcile/aws_saml_roles/integration.py

@@ -1,4 +1,5 @@
 import json
+import logging
 import sys
 from collections.abc import (
     Callable,
@@ -6,6 +7,7 @@ from collections.abc import (
 )
 from typing import (
     Any,
+    TypedDict,
 )
 
 from pydantic import BaseModel, root_validator, validator
@@ -25,6 +27,10 @@ from reconcile.utils.aws_api import AWSApi
 from reconcile.utils.aws_helper import unique_sso_aws_accounts
 from reconcile.utils.defer import defer
 from reconcile.utils.disabled_integrations import integration_is_enabled
+from reconcile.utils.extended_early_exit import (
+    ExtendedEarlyExitRunnerResult,
+    extended_early_exit_run,
+)
 from reconcile.utils.runtime.integration import (
     PydanticRunParams,
     QontractReconcileIntegration,
@@ -32,6 +38,7 @@ from reconcile.utils.runtime.integration import (
 from reconcile.utils.semver_helper import make_semver
 from reconcile.utils.terraform_client import TerraformClient
 from reconcile.utils.terrascript_aws_client import TerrascriptClient
+from reconcile.utils.unleash.client import get_feature_toggle_state
 
 QONTRACT_INTEGRATION = "aws-saml-roles"
 QONTRACT_INTEGRATION_VERSION = make_semver(1, 0, 0)
@@ -45,6 +52,10 @@ class AwsSamlRolesIntegrationParams(PydanticRunParams):
     saml_idp_name: str
     max_session_duration_hours: int = 1
     account_name: str | None = None
+    # extended early exit parameters
+    enable_extended_early_exit: bool = False
+    extended_early_exit_cache_ttl_seconds: int = 3600
+    log_cached_log_output: bool = False
 
     @validator("max_session_duration_hours")
     def max_session_duration_range(cls, v: str | int) -> int:
@@ -129,6 +140,12 @@ class AwsRole(BaseModel):
         return values
 
 
+class RunnerParams(TypedDict):
+    tf: TerraformClient
+    dry_run: bool
+    enable_deletion: bool
+
+
 class AwsSamlRolesIntegration(
     QontractReconcileIntegration[AwsSamlRolesIntegrationParams]
 ):
@@ -264,13 +281,42 @@ class AwsSamlRolesIntegration(
         if defer:
             defer(tf.cleanup)
 
-        _, err = tf.plan(self.params.enable_deletion)
-        if err:
-            sys.exit(ExitCodes.ERROR)
+        runner_params: RunnerParams = dict(
+            tf=tf,
+            dry_run=dry_run,
+            enable_deletion=self.params.enable_deletion,
+        )
+
+        if self.params.enable_extended_early_exit and get_feature_toggle_state(
+            f"{QONTRACT_INTEGRATION}-extended-early-exit", default=True
+        ):
+            extended_early_exit_run(
+                integration=QONTRACT_INTEGRATION,
+                integration_version=QONTRACT_INTEGRATION_VERSION,
+                dry_run=dry_run,
+                cache_source=ts.terraform_configurations(),
+                shard=self.params.account_name if self.params.account_name else "",
+                ttl_seconds=self.params.extended_early_exit_cache_ttl_seconds,
+                logger=logging.getLogger(),
+                runner=runner,
+                runner_params=runner_params,
+                log_cached_log_output=self.params.log_cached_log_output,
+            )
+        else:
+            runner(**runner_params)
+
+
+def runner(
+    dry_run: bool, tf: TerraformClient, enable_deletion: bool
+) -> ExtendedEarlyExitRunnerResult:
+    _, err = tf.plan(enable_deletion)
+    if err:
+        raise RuntimeError("Terraform plan has errors")
+
+    if dry_run:
+        return ExtendedEarlyExitRunnerResult(payload={}, applied_count=0)
 
-        if dry_run:
-            return
+    if err := tf.apply():
+        raise RuntimeError("Terraform apply has errors")
 
-        err = tf.apply()
-        if err:
-            sys.exit(ExitCodes.ERROR)
+    return ExtendedEarlyExitRunnerResult(payload={}, applied_count=tf.apply_count)

reconcile/cli.py

@@ -933,6 +933,9 @@ def openshift_serviceaccount_tokens(
     required=True,
     default=6,
 )
+@enable_extended_early_exit
+@extended_early_exit_cache_ttl_seconds
+@log_cached_log_output
 @click.pass_context
 def aws_saml_roles(
     ctx,
@@ -942,6 +945,9 @@ def aws_saml_roles(
     account_name,
     saml_idp_name,
     max_session_duration_hours,
+    enable_extended_early_exit,
+    extended_early_exit_cache_ttl_seconds,
+    log_cached_log_output,
 ):
     from reconcile.aws_saml_roles.integration import (
         AwsSamlRolesIntegration,
@@ -957,6 +963,9 @@ def aws_saml_roles(
                 saml_idp_name=saml_idp_name,
                 max_session_duration_hours=max_session_duration_hours,
                 account_name=account_name,
+                enable_extended_early_exit=enable_extended_early_exit,
+                extended_early_exit_cache_ttl_seconds=extended_early_exit_cache_ttl_seconds,
+                log_cached_log_output=log_cached_log_output,
             )
         ),
         ctx=ctx.obj,

reconcile/openshift_resources.py

@@ -1,3 +1,4 @@
+from collections.abc import Iterable
 from typing import Any
 
 import reconcile.openshift_base as ob
@@ -11,15 +12,14 @@ PROVIDERS = ["resource", "resource-template", "prometheus-rule"]
 
 
 def run(
-    dry_run,
-    thread_pool_size=10,
-    internal=None,
-    use_jump_host=True,
-    cluster_name=None,
-    exclude_cluster=None,
-    namespace_name=None,
-    defer=None,
-):
+    dry_run: bool,
+    thread_pool_size: int = 10,
+    internal: bool | None = None,
+    use_jump_host: bool = True,
+    cluster_name: Iterable[str] | None = None,
+    exclude_cluster: Iterable[str] | None = None,
+    namespace_name: str | None = None,
+) -> None:
     orb.QONTRACT_INTEGRATION = QONTRACT_INTEGRATION
     orb.QONTRACT_INTEGRATION_VERSION = QONTRACT_INTEGRATION_VERSION
 
@@ -41,7 +41,7 @@ def run(
         ob.check_unused_resource_types(ri)
 
 
-def early_exit_desired_state(*args, **kwargs) -> dict[str, Any]:
+def early_exit_desired_state(*args: Any, **kwargs: Any) -> dict[str, Any]:
     return orb.early_exit_desired_state(PROVIDERS)
 
 

reconcile/openshift_resources_base.py

@@ -7,8 +7,11 @@ import re
 import sys
 from collections import defaultdict
 from collections.abc import (
+    Callable,
+    Generator,
     Iterable,
     Mapping,
+    MutableMapping,
     Sequence,
 )
 from contextlib import contextmanager
@@ -21,6 +24,7 @@ from typing import (
     Protocol,
     Tuple,
 )
+from unittest.mock import DEFAULT, patch
 
 import anymarkup
 from deepdiff import DeepHash
@@ -29,9 +33,9 @@ from sretoolbox.utils import (
 )
 
 import reconcile.openshift_base as ob
+import reconcile.utils.jinja2.utils as jinja2_utils
 from reconcile import queries
 from reconcile.change_owners.diff import IDENTIFIER_FIELD_NAME
-from reconcile.checkpoint import url_makes_sense
 from reconcile.utils import (
     amtool,
     gql,
@@ -41,9 +45,6 @@ from reconcile.utils.defer import defer
 from reconcile.utils.exceptions import FetchResourceError
 from reconcile.utils.jinja2.utils import (
     FetchSecretError,
-    lookup_github_file_content,
-    lookup_s3_object,
-    lookup_secret,
     process_extracurlyjinja2_template,
     process_jinja2_template,
 )
@@ -237,23 +238,23 @@ KUBERNETES_SECRET_DATA_KEY_RE = "^[-._a-zA-Z0-9]+$"
 _log_lock = Lock()
 
 
-def _locked_info_log(msg: str):
+def _locked_info_log(msg: str) -> None:
     with _log_lock:
         logging.info(msg)
 
 
-def _locked_debug_log(msg: str):
+def _locked_debug_log(msg: str) -> None:
     with _log_lock:
         logging.debug(msg)
 
 
-def _locked_error_log(msg: str):
+def _locked_error_log(msg: str) -> None:
     with _log_lock:
         logging.error(msg)
 
 
 class FetchRouteError(Exception):
-    def __init__(self, msg):
+    def __init__(self, msg: Any):
         super().__init__("error fetching route: " + str(msg))
 
 
@@ -266,16 +267,21 @@ class SecretKeyFormatError(Exception):
 
 
 class UnknownProviderError(Exception):
-    def __init__(self, msg):
+    def __init__(self, msg: Any):
         super().__init__("unknown provider error: " + str(msg))
 
 
 class UnknownTemplateTypeError(Exception):
-    def __init__(self, msg):
+    def __init__(self, msg: Any):
         super().__init__("unknown template type error: " + str(msg))
 
 
-def check_alertmanager_config(data, path, alertmanager_config_key, decode_base64=False):
+def check_alertmanager_config(
+    data: Mapping[str, Any],
+    path: str,
+    alertmanager_config_key: str,
+    decode_base64: bool = False,
+) -> None:
     try:
         config = data[alertmanager_config_key]
     except KeyError:
@@ -295,15 +301,15 @@ def check_alertmanager_config(data, path, alertmanager_config_key, decode_base64
 
 
 def fetch_provider_resource(
-    resource: dict,
-    tfunc=None,
-    tvars=None,
-    validate_json=False,
-    validate_alertmanager_config=False,
-    alertmanager_config_key="alertmanager.yaml",
-    add_path_to_prom_rules=True,
-    skip_validation=False,
-    settings=None,
+    resource: Mapping,
+    tfunc: Callable | None = None,
+    tvars: Mapping[str, Any] | None = None,
+    validate_json: bool = False,
+    validate_alertmanager_config: bool = False,
+    alertmanager_config_key: str = "alertmanager.yaml",
+    add_path_to_prom_rules: bool = True,
+    skip_validation: bool = False,
+    settings: Mapping[str, Any] | None = None,
 ) -> OR:
     path = resource["path"]
     content = resource["content"]
@@ -383,17 +389,17 @@ def fetch_provider_resource(
 
 
 def fetch_provider_vault_secret(
-    path,
-    version,
-    name,
-    labels,
-    annotations,
-    type,
-    integration,
-    integration_version,
-    validate_alertmanager_config=False,
-    alertmanager_config_key="alertmanager.yaml",
-    settings=None,
+    path: str,
+    version: str,
+    name: str,
+    labels: Mapping[str, str] | None,
+    annotations: Mapping[str, str],
+    type: str,
+    integration: str,
+    integration_version: str,
+    validate_alertmanager_config: bool = False,
+    alertmanager_config_key: str = "alertmanager.yaml",
+    settings: Mapping[str, Any] | None = None,
 ) -> OR:
     # get the fields from vault
     secret_reader = SecretReader(settings)
@@ -403,7 +409,7 @@ def fetch_provider_vault_secret(
         check_alertmanager_config(raw_data, path, alertmanager_config_key)
 
     # construct oc resource
-    body = {
+    body: dict[str, Any] = {
         "apiVersion": "v1",
         "kind": "Secret",
         "type": type,
@@ -433,7 +439,7 @@ def fetch_provider_vault_secret(
 # any white space issues. If any issues are uncovered, an exception will be
 # raised.
 # we're receiving the full key: value information, not simply a list of keys.
-def assert_valid_secret_keys(secrets_data: dict[str, str]):
+def assert_valid_secret_keys(secrets_data: dict[str, str]) -> None:
     for k in secrets_data:
         matches = re.search(KUBERNETES_SECRET_DATA_KEY_RE, k)
         if not matches:
@@ -442,7 +448,12 @@ def assert_valid_secret_keys(secrets_data: dict[str, str]):
             )
 
 
-def fetch_provider_route(resource: dict, tls_path, tls_version, settings=None) -> OR:
+def fetch_provider_route(
+    resource: Mapping,
+    tls_path: str | None,
+    tls_version: str | None,
+    settings: Mapping | None = None,
+) -> OR:
     path = resource["path"]
     openshift_resource = fetch_provider_resource(resource)
 
@@ -485,7 +496,10 @@ def fetch_provider_route(resource: dict, tls_path, tls_version, settings=None) -
 
 
 def fetch_openshift_resource(
-    resource, parent, settings=None, skip_validation=False
+    resource: Mapping,
+    parent: Mapping[str, Any],
+    settings: Mapping | None = None,
+    skip_validation: bool = False,
 ) -> OR:
     provider = resource["provider"]
     if provider == "resource":
@@ -632,8 +646,8 @@ def fetch_current_state(
     cluster: str,
     namespace: str,
     kind: str,
-    resource_names=Iterable[str],
-):
+    resource_names: Iterable[str] | None,
+) -> None:
     _locked_debug_log(f"Fetching {kind} from {cluster}/{namespace}")
     if not oc.is_kind_supported(kind):
         logging.warning(f"[{cluster}] cluster has no API resource {kind}.")
@@ -659,8 +673,8 @@ def fetch_desired_state(
     resource: Mapping[str, Any],
     parent: Mapping[str, Any],
     privileged: bool,
-    settings: Optional[Mapping[str, Any]] = None,
-):
+    settings: Mapping[str, Any] | None = None,
+) -> None:
     try:
         openshift_resource = fetch_openshift_resource(resource, parent, settings)
     except (
@@ -717,7 +731,7 @@ def fetch_desired_state(
 def fetch_states(
     spec: ob.StateSpec,
     ri: ResourceInventory,
-    settings: Optional[Mapping[str, Any]] = None,
+    settings: Mapping[str, Any] | None = None,
 ) -> None:
     try:
         if isinstance(spec, ob.CurrentStateSpec):
@@ -747,13 +761,13 @@ def fetch_states(
 
 
 def fetch_data(
-    namespaces,
-    thread_pool_size,
-    internal,
-    use_jump_host,
-    init_api_resources=False,
-    overrides=None,
-):
+    namespaces: Iterable[Mapping[str, Any]],
+    thread_pool_size: int,
+    internal: bool | None,
+    use_jump_host: bool,
+    init_api_resources: bool = False,
+    overrides: Iterable[str] | None = None,
+) -> tuple[OC_Map, ResourceInventory]:
     ri = ResourceInventory()
     settings = queries.get_app_interface_settings()
     logging.debug(f"Overriding keys {overrides}")
@@ -775,11 +789,11 @@ def fetch_data(
 
 
 def filter_namespaces_by_cluster_and_namespace(
-    namespaces,
-    cluster_names: Optional[Iterable[str]],
-    exclude_clusters: Optional[Iterable[str]],
-    namespace_name: Optional[str],
-):
+    namespaces: Sequence[dict[str, Any]],
+    cluster_names: Iterable[str] | None,
+    exclude_clusters: Iterable[str] | None,
+    namespace_name: str | None,
+) -> Sequence[dict[str, Any]]:
     if cluster_names:
         namespaces = [n for n in namespaces if n["cluster"]["name"] in cluster_names]
     elif exclude_clusters:
@@ -795,9 +809,9 @@ def filter_namespaces_by_cluster_and_namespace(
 
 def canonicalize_namespaces(
     namespaces: Iterable[dict[str, Any]],
-    providers: list[str],
-    resource_schema_filter: Optional[str] = None,
-) -> tuple[list[dict[str, Any]], Optional[list[str]]]:
+    providers: Sequence[str],
+    resource_schema_filter: str | None = None,
+) -> tuple[list[dict[str, Any]], list[str] | None]:
     canonicalized_namespaces = []
     override = None
     logging.debug(f"Received providers {providers}")
@@ -829,17 +843,17 @@ def canonicalize_namespaces(
 
 
 def get_namespaces(
-    providers: Optional[list[str]] = None,
-    cluster_names: Optional[Iterable[str]] = None,
-    exclude_clusters: Optional[Iterable[str]] = None,
-    namespace_name: Optional[str] = None,
-    resource_schema_filter: Optional[str] = None,
-    filter_by_shard: Optional[bool] = True,
-) -> tuple[list[dict[str, Any]], Optional[list[str]]]:
+    providers: Sequence[str] | None = None,
+    cluster_names: Iterable[str] | None = None,
+    exclude_clusters: Iterable[str] | None = None,
+    namespace_name: str | None = None,
+    resource_schema_filter: str | None = None,
+    filter_by_shard: bool | None = True,
+) -> tuple[list[dict[str, Any]], list[str] | None]:
     if providers is None:
         providers = []
     gqlapi = gql.get_api()
-    namespaces = [
+    namespaces: list[dict[str, Any]] = [
         namespace_info
         for namespace_info in gqlapi.query(NAMESPACES_QUERY)["namespaces"]
         if not ob.is_namespace_deleted(namespace_info)
@@ -850,33 +864,33 @@ def get_namespaces(
             )
         )
     ]
-    namespaces = filter_namespaces_by_cluster_and_namespace(
+    _namespaces = filter_namespaces_by_cluster_and_namespace(
         namespaces, cluster_names, exclude_clusters, namespace_name
     )
-    return canonicalize_namespaces(namespaces, providers, resource_schema_filter)
+    return canonicalize_namespaces(_namespaces, providers, resource_schema_filter)
 
 
 @defer
 def run(
-    dry_run,
-    thread_pool_size=10,
-    internal=None,
-    use_jump_host=True,
-    providers=None,
-    cluster_name: Optional[Sequence[str]] = None,
-    exclude_cluster: Optional[Sequence[str]] = None,
-    namespace_name=None,
-    init_api_resources=False,
-    defer=None,
-):
+    dry_run: bool,
+    thread_pool_size: int = 10,
+    internal: bool | None = None,
+    use_jump_host: bool = True,
+    providers: Sequence[str] | None = None,
+    cluster_name: Sequence[str] | None = None,
+    exclude_cluster: Sequence[str] | None = None,
+    namespace_name: str | None = None,
+    init_api_resources: bool = False,
+    defer: Callable | None = None,
+) -> ResourceInventory | None:
     # https://click.palletsprojects.com/en/8.1.x/options/#multiple-options
     cluster_names = cluster_name
     exclude_clusters = exclude_cluster
 
-    if exclude_cluster and not dry_run:
+    if exclude_clusters and not dry_run:
         raise RuntimeError("--exclude-cluster is only supported in dry-run mode")
 
-    if exclude_cluster and cluster_name:
+    if exclude_clusters and cluster_names:
         raise RuntimeError(
             "--cluster-name and --exclude-cluster can not be used together"
         )
@@ -894,7 +908,7 @@ def run(
     if not namespaces:
         logging.debug(
             "No namespaces found when filtering for "
-            f"cluster={cluster_name}, namespace={namespace_name}. "
+            f"cluster={cluster_names}, namespace={namespace_name}. "
             "Exiting."
         )
         return None
@@ -906,7 +920,8 @@ def run(
         init_api_resources=init_api_resources,
         overrides=overrides,
     )
-    defer(oc_map.cleanup)
+    if defer:
+        defer(oc_map.cleanup)
     if dry_run and QONTRACT_INTEGRATION == "openshift-resources":
         error = check_cluster_scoped_resources(oc_map, ri, namespaces, None)
         if error:
@@ -1130,7 +1145,7 @@ def early_exit_desired_state(
             settings=settings,
         )
 
-    def post_process_ns(ns):
+    def post_process_ns(ns: MutableMapping) -> MutableMapping:
         # the sharedResources have been aggreated into the openshiftResources
         # and are no longer needed - speeds up diffing process
         del ns["sharedResources"]
@@ -1151,7 +1166,7 @@ def early_exit_desired_state(
     }
 
 
-def _early_exit_fetch_resource(spec, settings):
+def _early_exit_fetch_resource(spec: Sequence, settings: Mapping) -> dict[str, str]:
     resource = spec[0]
     ns_info = spec[1]
     cluster_name = ns_info["cluster"]["name"]
@@ -1179,58 +1194,44 @@ def _early_exit_fetch_resource(spec, settings):
 
 
 @contextmanager
-def early_exit_monkey_patch():
+def early_exit_monkey_patch() -> Generator:
     """Avoid looking outside of app-interface on early-exit pr-check."""
-    orig_lookup_secret = lookup_secret
-    orig_lookup_github_file_content = lookup_github_file_content
-    orig_url_makes_sense = url_makes_sense
-    orig_check_alertmanager_config = check_alertmanager_config
-    orig_lookup_s3_object = lookup_s3_object
-
-    try:
-        yield _early_exit_monkey_patch_assign(
+    with patch.multiple(
+        jinja2_utils,
+        lookup_secret=DEFAULT,
+        lookup_github_file_content=DEFAULT,
+        url_makes_sense=DEFAULT,
+        lookup_s3_object=DEFAULT,
+    ) as mocks:
+        mocks["lookup_secret"].side_effect = (
             lambda path,
             key,
             version=None,
             tvars=None,
             allow_not_found=False,
             settings=None,
-            secret_reader=None: f"vault({path}, {key}, {version}, {allow_not_found})",
+            secret_reader=None: f"vault({path}, {key}, {version}"
+        )
+        mocks["lookup_github_file_content"].side_effect = (
             lambda repo,
             path,
             ref,
             tvars=None,
             settings=None,
-            secret_reader=None: f"github({repo}, {path}, {ref})",
-            lambda url: False,
-            lambda data, path, alertmanager_config_key, decode_base64=False: True,
+            secret_reader=None: f"github({repo}, {path}, {ref})"
+        )
+        mocks["url_makes_sense"].return_value = False
+        mocks["lookup_s3_object"].side_effect = (
             lambda account_name,
             bucket_name,
             path,
-            region_name=None: f"lookup_s3_object({account_name}, {bucket_name}, {path}, {region_name})",
+            region_name=None: f"lookup_s3_object({account_name}, {bucket_name}, {path}, {region_name})"
         )
-    finally:
-        _early_exit_monkey_patch_assign(
-            orig_lookup_secret,
-            orig_lookup_github_file_content,
-            orig_url_makes_sense,
-            orig_check_alertmanager_config,
-            orig_lookup_s3_object,
-        )
-
-
-def _early_exit_monkey_patch_assign(
-    lookup_secret,
-    lookup_github_file_content,
-    url_makes_sense,
-    check_alertmanager_config,
-    lookup_s3_object,
-):
-    sys.modules[__name__].lookup_secret = lookup_secret
-    sys.modules[__name__].lookup_github_file_content = lookup_github_file_content
-    sys.modules[__name__].url_makes_sense = url_makes_sense
-    sys.modules[__name__].check_alertmanager_config = check_alertmanager_config
-    sys.modules[__name__].lookup_s3_object = lookup_s3_object
+        with patch(
+            "reconcile.openshift_resources_base.check_alertmanager_config",
+            return_value=True,
+        ):
+            yield
 
 
 def desired_state_shard_config() -> DesiredStateShardConfig: