qontract-reconcile 0.10.1rc967__py3-none-any.whl → 0.10.1rc968__py3-none-any.whl

{qontract_reconcile-0.10.1rc967.dist-info → qontract_reconcile-0.10.1rc968.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc967
+Version: 0.10.1rc968
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc967.dist-info → qontract_reconcile-0.10.1rc968.dist-info}/RECORD

@@ -61,7 +61,7 @@ reconcile/ocm_groups.py,sha256=-rTPMewkdyo1De6gs4u-294p3z34oUbGfuNi8ov56Sk,3424
 reconcile/ocm_machine_pools.py,sha256=poGfITOCJEMwYAJpiuL8SytgTcBmGIKEZPgNGld80TY,16563
 reconcile/ocm_update_recommended_version.py,sha256=IYkfLXIprOW1jguZeELcGP1iBPuj-b53R-FTqKulMl8,4204
 reconcile/ocm_upgrade_scheduler_org_updater.py,sha256=aLgyInt9oIWAg0XtCiwJRUSwdPx3masKV8kHzkyEEOQ,4282
-reconcile/openshift_base.py,sha256=rbM6B9A4oRsklFHl0Me8XnMVW8qUME66pfdIyqM_gEg,49709
+reconcile/openshift_base.py,sha256=IS5J8nccqRELRCheuz2wiLMHpaDypA9y3aKTMAjmMuE,52389
 reconcile/openshift_cluster_bots.py,sha256=eRPYZqWMKFNxLlSN0QG97V5t1iIESQ0BbGaiaQP5VB0,10940
 reconcile/openshift_clusterrolebindings.py,sha256=QfSy1Ik8eEY5XObc1Q4xyhqyErZenJmbPv_u9wcDNNo,5864
 reconcile/openshift_groups.py,sha256=sK2wLWwNupztbfyFPl32VH42s_s8Mu3g-URdlisnwJc,9382
@@ -83,7 +83,7 @@ reconcile/openshift_saas_deploy_trigger_configs.py,sha256=eUejMGWuaQabZTLuvPLLvR
 reconcile/openshift_saas_deploy_trigger_images.py,sha256=iUsiBGJf-CyFw7tSLWo59rXmSvsVnN6TTaAObbsVpNg,936
 reconcile/openshift_saas_deploy_trigger_moving_commits.py,sha256=fpanSH-EGH15C9me--0VSpcpaw9BY4RTb8_mPtsSZGc,942
 reconcile/openshift_saas_deploy_trigger_upstream_jobs.py,sha256=0CjfeVQE0QrRrOVuTxkXvBUdKNtYLYuX4mZRB48PQ9g,940
-reconcile/openshift_serviceaccount_tokens.py,sha256=kc8o6tYDpzYTuX7BGIuZjGR1rC4tAB1tfN-ijCS0AgA,6005
+reconcile/openshift_serviceaccount_tokens.py,sha256=9zNSMEHwcaGWy4H-OLkk0zLw80CYTBnLVEZKB_xq6Ew,7331
 reconcile/openshift_tekton_resources.py,sha256=jKH5nw84aeYkgikxjQnjSOSF3m2kk3lp2BaPd3FfTew,16220
 reconcile/openshift_upgrade_watcher.py,sha256=9IB321hlRZZhzdaR9G3zoWAhVv0-KzNiEqx73p3-wmk,6539
 reconcile/openshift_users.py,sha256=63mar-swgidz8f10TCPJcofbMN9FETq-HuVFpi8dUL4,5293
@@ -94,7 +94,7 @@ reconcile/quay_mirror.py,sha256=sDLJUTWp8o9Swr2stQJl6PNR_5j-aUYyTtlKv7yznwQ,1482
 reconcile/quay_mirror_org.py,sha256=utrJpJaKCs7U6WX6DODdfCeB0EmX-lUC8Y5fkmpgFSs,10764
 reconcile/quay_permissions.py,sha256=9KOutS1w4RFQqkvMSy54VtsKNx56-phzP6yI_rEW-B8,4244
 reconcile/quay_repos.py,sha256=cuEYG0HUe0ut5yvLdEwOF5-CmccpXQHRb_wDazvDrvQ,6895
-reconcile/queries.py,sha256=2DL0yzk44m-AfgvkByTeEPpt4xQcXsCOz_Wv0ZUpfbA,51295
+reconcile/queries.py,sha256=uUc_5ni7NEUCV4UwG96xxwp_lg-8_MaLRx69i9H--wQ,50164
 reconcile/query_validator.py,sha256=BAjGrU8_VhzTOv5k0-uz0hY9ziZyconv8VAhgre1Auc,1497
 reconcile/requests_sender.py,sha256=914iluuF4UVgG3VyxxtnHOu4yf6YKS2fIy6PViSsFTQ,3875
 reconcile/resource_scraper.py,sha256=znXCHrU7YwPfKuxGBiUrV7T1tYtn4vlz9qmZlfy6Flg,2307
@@ -302,6 +302,7 @@ reconcile/gql_definitions/fragments/resource_limits_requirements.py,sha256=ucskQ
 reconcile/gql_definitions/fragments/resource_requests_requirements.py,sha256=TFKO4YALFPanSvZvIJFz0dCioBU7i73Q6hkDtGMvs9I,736
 reconcile/gql_definitions/fragments/resource_values.py,sha256=-N2lNRhWp8PgocmIeX3U9f3l90Q97N2lXoq1pXdb_LE,742
 reconcile/gql_definitions/fragments/saas_target_namespace.py,sha256=8kMXeD7u2bmdjn10zHmMJ80ScOhUp6KqSfWfjWZW-40,4001
+reconcile/gql_definitions/fragments/serviceaccount_token.py,sha256=2pG4rxAjvT-YsFBnm4zl301i7DCYznp99HOEGA-216I,1117
 reconcile/gql_definitions/fragments/terraform_state.py,sha256=S5QuTR9YlvUObiU7hevS9ybxZEssWoRGqCR9YtGwePs,1024
 reconcile/gql_definitions/fragments/upgrade_policy.py,sha256=cVza8zfra1E3yBsHiS-hKbys17fvv572GFnKshJjluE,1246
 reconcile/gql_definitions/fragments/user.py,sha256=TZyFEs1fBg5PkvWdyCxFDZ_3aRhcQzusfhObXFiOU_0,1025
@@ -341,6 +342,8 @@ reconcile/gql_definitions/openshift_cluster_bots/clusters.py,sha256=QshhCQeFRu_o
 reconcile/gql_definitions/openshift_groups/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/openshift_groups/managed_groups.py,sha256=mBWZX9xxeW3eB1ylnAI5x_7UBacRqJf_H6um-fB_nKc,2013
 reconcile/gql_definitions/openshift_groups/managed_roles.py,sha256=rsHMgDWwnh0RRJpS_-TxD22KQPC6_7rtRfauTOtxH5I,2627
+reconcile/gql_definitions/openshift_serviceaccount_tokens/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reconcile/gql_definitions/openshift_serviceaccount_tokens/tokens.py,sha256=FeraeQThHl2UbhTuCPDwm3ltczF_jfZn5E3Squ8-znw,3313
 reconcile/gql_definitions/quay_membership/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/gql_definitions/quay_membership/quay_membership.py,sha256=H2xHvdNr3K0QzB2dituwStUIWCqePt35dkgeUZycECM,2824
 reconcile/gql_definitions/rhidp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -518,7 +521,7 @@ reconcile/test/test_ocm_clusters_manifest_updates.py,sha256=jFRVfc5jby1kI2x_gT6w
 reconcile/test/test_ocm_machine_pools.py,sha256=_1tG-nF8edU29ONDUGXtR3J2-E8FWv-PI0Y9gb8HQfY,29697
 reconcile/test/test_ocm_update_recommended_version.py,sha256=iA4BVirTGVXlwcOyeR52IuNO81X_8NR6ZNd7ZFE7igs,4328
 reconcile/test/test_ocm_upgrade_scheduler_org_updater.py,sha256=V91g2XQMa2nvKwkLVWkiPwNL6pMQE16s4jO0oXJ6wdk,4330
-reconcile/test/test_openshift_base.py,sha256=gaz_C0gxoyGtn_Jw43z0JZO9-ImFuw16oGWtQ_wmXGU,33865
+reconcile/test/test_openshift_base.py,sha256=SX8URKF8Kn21nA-qcmICSUaZKHuc5YTgPzfcb2rHvk8,36385
 reconcile/test/test_openshift_cluster_bots.py,sha256=sSGLgxnXO82xcfTFVNJzsrDuNfObwAR_-AkDe4B_4WE,7983
 reconcile/test/test_openshift_namespace_labels.py,sha256=i4S5QJFxMRjLkwi3iO6A-uhjgZ1QZb4jYXwB696m82Y,12070
 reconcile/test/test_openshift_namespaces.py,sha256=HmRnCE5EnFt3MYceVEFHmk8wWRtCrxu2AFGFkY9pdyA,9214
@@ -527,6 +530,7 @@ reconcile/test/test_openshift_resources_base.py,sha256=LtlR9x3o7KkSEw0JN0fZhinFe
 reconcile/test/test_openshift_saas_deploy.py,sha256=3QXMrN9dXIiR0JktVDNQ7yJSexMTjZLb1tbRrB3-7uU,5991
 reconcile/test/test_openshift_saas_deploy_change_tester.py,sha256=1yVe54Hx9YdVjn6qdnKge5Sa_s732c-8uZqCnuT1gGI,12871
 reconcile/test/test_openshift_saas_deploy_trigger_cleaner.py,sha256=UQx1iJ21rsMa2whG-rtUIuTXbUzc0Ngr7jRLKXZCCCI,2838
+reconcile/test/test_openshift_serviceaccount_tokens.py,sha256=btaI8Au5XdZXXHtQfFPA8bGSTrXReC8ywJKUjaIQc-A,7341
 reconcile/test/test_openshift_tekton_resources.py,sha256=RtRWsdm51S13OSkENC9nY_rOH0QELSCaO5tjF0XqIDI,11222
 reconcile/test/test_openshift_upgrade_watcher.py,sha256=0GDQ_YFHIX8DbkbDYSuLv9uZeeg4NwP1vlOqvSaZvN4,7183
 reconcile/test/test_prometheus_rules_tester.py,sha256=cgVkPM3KcAw69bOkJ6iR2Lfog_WgblyoqVRtXv4ly7o,5685
@@ -847,8 +851,8 @@ tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jr
 tools/test/test_saas_promotion_state.py,sha256=dy4kkSSAQ7bC0Xp2CociETGN-2aABEfL6FU5D9Jl00Y,6056
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc967.dist-info/METADATA,sha256=U1KHlHKS0EVLd-fnOLrjHk2OZaH3Y5t1BZW8ci9Np9s,2262
-qontract_reconcile-0.10.1rc967.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-qontract_reconcile-0.10.1rc967.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc967.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc967.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc968.dist-info/METADATA,sha256=9_cctR46UDeQ8KvizoJx12uh1u7_W-xYEprAgQpq_DQ,2262
+qontract_reconcile-0.10.1rc968.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+qontract_reconcile-0.10.1rc968.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc968.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc968.dist-info/RECORD,,

reconcile/gql_definitions/fragments/serviceaccount_token.py

@@ -0,0 +1,38 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+from reconcile.gql_definitions.fragments.oc_connection_cluster import OcConnectionCluster
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class NamespaceV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    delete: Optional[bool] = Field(..., alias="delete")
+    cluster: OcConnectionCluster = Field(..., alias="cluster")
+
+
+class ServiceAccountToken(ConfiguredBaseModel):
+    name: Optional[str] = Field(..., alias="name")
+    service_account_name: str = Field(..., alias="serviceAccountName")
+    namespace: NamespaceV1 = Field(..., alias="namespace")

reconcile/gql_definitions/openshift_serviceaccount_tokens/tokens.py

@@ -0,0 +1,132 @@
+"""
+Generated by qenerate plugin=pydantic_v1. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    Extra,
+    Field,
+    Json,
+)
+
+from reconcile.gql_definitions.fragments.oc_connection_cluster import OcConnectionCluster
+from reconcile.gql_definitions.fragments.serviceaccount_token import ServiceAccountToken
+
+
+DEFINITION = """
+fragment CommonJumphostFields on ClusterJumpHost_v1 {
+  hostname
+  knownHosts
+  user
+  port
+  remotePort
+  identity {
+    ... VaultSecret
+  }
+}
+
+fragment OcConnectionCluster on Cluster_v1 {
+  name
+  serverUrl
+  internal
+  insecureSkipTLSVerify
+  jumpHost {
+    ...CommonJumphostFields
+  }
+  automationToken {
+    ...VaultSecret
+  }
+  clusterAdminAutomationToken {
+    ...VaultSecret
+  }
+  disable {
+    integrations
+  }
+}
+
+fragment ServiceAccountToken on ServiceAccountTokenSpec_v1 {
+  name
+  serviceAccountName
+  namespace {
+    name
+    delete
+    cluster {
+      ...OcConnectionCluster
+    }
+  }
+}
+
+fragment VaultSecret on VaultSecret_v1 {
+    path
+    field
+    version
+    format
+}
+
+query ServiceAccountTokens {
+  namespaces: namespaces_v1 {
+    name
+    delete
+    cluster {
+      ...OcConnectionCluster
+    }
+    sharedResources {
+      openshiftServiceAccountTokens {
+        ...ServiceAccountToken
+      }
+    }
+    openshiftServiceAccountTokens {
+      ...ServiceAccountToken
+    }
+  }
+}
+"""
+
+
+class ConfiguredBaseModel(BaseModel):
+    class Config:
+        smart_union=True
+        extra=Extra.forbid
+
+
+class SharedResourcesV1(ConfiguredBaseModel):
+    openshift_service_account_tokens: Optional[list[ServiceAccountToken]] = Field(..., alias="openshiftServiceAccountTokens")
+
+
+class NamespaceV1(ConfiguredBaseModel):
+    name: str = Field(..., alias="name")
+    delete: Optional[bool] = Field(..., alias="delete")
+    cluster: OcConnectionCluster = Field(..., alias="cluster")
+    shared_resources: Optional[list[SharedResourcesV1]] = Field(..., alias="sharedResources")
+    openshift_service_account_tokens: Optional[list[ServiceAccountToken]] = Field(..., alias="openshiftServiceAccountTokens")
+
+
+class ServiceAccountTokensQueryData(ConfiguredBaseModel):
+    namespaces: Optional[list[NamespaceV1]] = Field(..., alias="namespaces")
+
+
+def query(query_func: Callable, **kwargs: Any) -> ServiceAccountTokensQueryData:
+    """
+    This is a convenience function which queries and parses the data into
+    concrete types. It should be compatible with most GQL clients.
+    You do not have to use it to consume the generated data classes.
+    Alternatively, you can also mime and alternate the behavior
+    of this function in the caller.
+
+    Parameters:
+        query_func (Callable): Function which queries your GQL Server
+        kwargs: optional arguments that will be passed to the query function
+
+    Returns:
+        ServiceAccountTokensQueryData: queried data parsed into generated classes
+    """
+    raw_data: dict[Any, Any] = query_func(DEFINITION, **kwargs)
+    return ServiceAccountTokensQueryData(**raw_data)

reconcile/openshift_base.py

@@ -1306,6 +1306,82 @@ def aggregate_shared_resources(namespace_info, shared_resources_type):
             namespace_info[shared_resources_type] = namespace_type_resources
 
 
+@runtime_checkable
+class HasOpenShiftResources(Protocol):
+    openshift_resources: list | None
+
+
+@runtime_checkable
+class HasOpenshiftServiceAccountTokens(Protocol):
+    openshift_service_account_tokens: list | None
+
+
+@runtime_checkable
+class HasSharedResourcesOpenShiftResources(Protocol):
+    @property
+    def shared_resources(self) -> Sequence[HasOpenShiftResources] | None:
+        pass
+
+
+@runtime_checkable
+class HasSharedResourcesOpenshiftServiceAccountTokens(Protocol):
+    @property
+    def shared_resources(self) -> Sequence[HasOpenshiftServiceAccountTokens] | None:
+        pass
+
+
+@runtime_checkable
+class HasOpenshiftServiceAccountTokensAndSharedResources(
+    HasOpenshiftServiceAccountTokens,
+    HasSharedResourcesOpenshiftServiceAccountTokens,
+    Protocol,
+): ...
+
+
+@runtime_checkable
+class HasOpenShiftResourcesAndSharedResources(
+    HasOpenShiftResources, HasSharedResourcesOpenShiftResources, Protocol
+): ...
+
+
+def aggregate_shared_resources_typed(
+    namespace: HasOpenshiftServiceAccountTokensAndSharedResources
+    | HasOpenShiftResourcesAndSharedResources,
+) -> None:
+    """This function aggregates the shared resources to the appropriate namespace section.
+
+    Attention: It updates the namespace object in place and isn't indempotent!
+    """
+    if not namespace.shared_resources:
+        return
+
+    match namespace:
+        case HasOpenshiftServiceAccountTokensAndSharedResources():
+            shared_type_resources_items = []
+            for ost_shared_resources_item in namespace.shared_resources:
+                if shared_type_resources := getattr(
+                    ost_shared_resources_item, "openshift_service_account_tokens"
+                ):
+                    shared_type_resources_items.extend(shared_type_resources)
+            if namespace.openshift_service_account_tokens:
+                namespace.openshift_service_account_tokens.extend(
+                    shared_type_resources_items
+                )
+            else:
+                namespace.openshift_service_account_tokens = shared_type_resources_items
+        case HasOpenShiftResourcesAndSharedResources():
+            shared_type_resources_items = []
+            for or_shared_resources_item in namespace.shared_resources:
+                if shared_type_resources := getattr(
+                    or_shared_resources_item, "openshift_resources"
+                ):
+                    shared_type_resources_items.extend(shared_type_resources)
+            if namespace.openshift_resources:
+                namespace.openshift_resources.extend(shared_type_resources_items)
+            else:
+                namespace.openshift_resources = shared_type_resources_items
+
+
 def determine_user_keys_for_access(
     cluster_name: str,
     auth_list: Sequence[dict[str, str] | HasService],

reconcile/openshift_serviceaccount_tokens.py

@@ -1,9 +1,15 @@
 import logging
 import sys
+from collections.abc import Callable, Iterable
 
 import reconcile.openshift_base as ob
-from reconcile import queries
+from reconcile.gql_definitions.openshift_serviceaccount_tokens.tokens import NamespaceV1
+from reconcile.gql_definitions.openshift_serviceaccount_tokens.tokens import (
+    query as serviceaccount_tokens_query,
+)
+from reconcile.utils import gql
 from reconcile.utils.defer import defer
+from reconcile.utils.disabled_integrations import integration_is_enabled
 from reconcile.utils.oc import OC_Map
 from reconcile.utils.openshift_resource import OpenshiftResource as OR
 from reconcile.utils.openshift_resource import ResourceInventory
@@ -14,7 +20,7 @@ QONTRACT_INTEGRATION = "openshift-serviceaccount-tokens"
 QONTRACT_INTEGRATION_VERSION = make_semver(0, 1, 0)
 
 
-def construct_sa_token_oc_resource(name, sa_token):
+def construct_sa_token_oc_resource(name: str, sa_token: str) -> OR:
     body = {
         "apiVersion": "v1",
         "kind": "Secret",
@@ -47,104 +53,133 @@ def get_tokens_for_service_account(
     return result
 
 
-def fetch_desired_state(namespaces: list[dict], ri: ResourceInventory, oc_map: OC_Map):
-    for namespace_info in namespaces:
-        if not namespace_info.get("openshiftServiceAccountTokens"):
+def fetch_desired_state(
+    namespaces: list[NamespaceV1], ri: ResourceInventory, oc_map: OC_Map
+) -> None:
+    for namespace in namespaces:
+        if not namespace.openshift_service_account_tokens:
             continue
-        namespace_name = namespace_info["name"]
-        cluster_name = namespace_info["cluster"]["name"]
-        oc = oc_map.get(cluster_name)
-        if not oc:
+
+        if not (oc := oc_map.get(namespace.cluster.name)):
             logging.log(level=oc.log_level, msg=oc.message)
             continue
-        for sat in namespace_info["openshiftServiceAccountTokens"]:
-            sa_name = sat["serviceAccountName"]
-            sa_namespace_info = sat["namespace"]
-            sa_namespace_name = sa_namespace_info["name"]
-            sa_cluster_name = sa_namespace_info["cluster"]["name"]
-            oc = oc_map.get(sa_cluster_name)
+
+        for sat in namespace.openshift_service_account_tokens:
+            oc = oc_map.get(sat.namespace.cluster.name)
             if not oc:
                 if oc.log_level >= logging.ERROR:
                     ri.register_error()
                 logging.log(level=oc.log_level, msg=oc.message)
                 continue
 
-            all_tokens = oc.get_items(kind="Secret", namespace=sa_namespace_name)
-            oc_resource_name = (
-                sat.get("name") or f"{sa_cluster_name}-{sa_namespace_name}-{sa_name}"
+            namespace_secrets = oc.get_items(
+                kind="Secret", namespace=sat.namespace.name
             )
             try:
-                sa_token_list = get_tokens_for_service_account(sa_name, all_tokens)
-                sa_token_list.sort(key=lambda t: t["metadata"]["name"])
-                sa_token = sa_token_list[0]["data"]["token"]
+                sa_tokens = get_tokens_for_service_account(
+                    sat.service_account_name, namespace_secrets
+                )
+                sa_tokens.sort(key=lambda t: t["metadata"]["name"])
+                # take the first token found
+                sa_token = sa_tokens[0]["data"]["token"]
             except KeyError:
-                logging.log(
-                    level=logging.ERROR,
-                    msg=f"[{sa_cluster_name}/{sa_namespace_name}] Token not found for service account: {sa_name}",
+                logging.error(
+                    f"[{sat.namespace.cluster.name}/{sat.namespace.name}] Token not found for service account: {sat.service_account_name}"
                 )
                 raise
             except IndexError:
-                logging.log(
-                    level=logging.ERROR,
-                    msg=f"[{sa_cluster_name}/{sa_namespace_name}] 0 Secret found for service account: {sa_name}",
+                logging.error(
+                    f"[{sat.namespace.cluster.name}/{sat.namespace.name}] 0 Secret found for service account: {sat.service_account_name}"
                 )
                 raise
 
-            oc_resource = construct_sa_token_oc_resource(oc_resource_name, sa_token)
-            ri.add_desired(
-                cluster_name, namespace_name, "Secret", oc_resource_name, oc_resource
+            oc_resource = construct_sa_token_oc_resource(
+                name=(
+                    sat.name
+                    or f"{sat.namespace.cluster.name}-{sat.namespace.name}-{sat.service_account_name}"
+                ),
+                sa_token=sa_token,
+            )
+            ri.add_desired_resource(
+                namespace.cluster.name,
+                namespace.name,
+                oc_resource,
             )
 
 
-def write_outputs_to_vault(vault_path, ri):
+def write_outputs_to_vault(
+    vault_client: VaultClient, vault_path: str, ri: ResourceInventory
+) -> None:
     integration_name = QONTRACT_INTEGRATION.replace("_", "-")
-    vault_client = VaultClient()
     for cluster, namespace, _, data in ri:
         for name, d_item in data["desired"].items():
             body_data = d_item.body["data"]
             # write secret to per-namespace location
             secret_path = (
-                f"{vault_path}/{integration_name}/" + f"{cluster}/{namespace}/{name}"
+                f"{vault_path}/{integration_name}/{cluster}/{namespace}/{name}"
             )
             secret = {"path": secret_path, "data": body_data}
-            vault_client.write(secret)
+            vault_client.write(secret)  # type: ignore
             # write secret to shared-resources location
-            secret_path = (
-                f"{vault_path}/{integration_name}/" + f"shared-resources/{name}"
-            )
+            secret_path = f"{vault_path}/{integration_name}/shared-resources/{name}"
             secret = {"path": secret_path, "data": body_data}
-            vault_client.write(secret)
+            vault_client.write(secret)  # type: ignore
 
 
-def canonicalize_namespaces(namespaces):
-    canonicalized_namespaces = []
-    for namespace_info in namespaces:
-        if ob.is_namespace_deleted(namespace_info):
-            continue
-        ob.aggregate_shared_resources(namespace_info, "openshiftServiceAccountTokens")
-        openshift_serviceaccount_tokens = namespace_info.get(
-            "openshiftServiceAccountTokens"
+def canonicalize_namespaces(namespaces: Iterable[NamespaceV1]) -> list[NamespaceV1]:
+    canonicalized_namespaces: dict[str, NamespaceV1] = {}
+    for namespace in namespaces:
+        ob.aggregate_shared_resources_typed(namespace)
+        if namespace.openshift_service_account_tokens:
+            canonicalized_namespaces[f"{namespace.cluster.name}/{namespace.name}"] = (
+                namespace
+            )
+    for namespace in list(canonicalized_namespaces.values()):
+        for sat in namespace.openshift_service_account_tokens or []:
+            key = f"{sat.namespace.cluster.name}/{sat.namespace.name}"
+            if key not in canonicalized_namespaces:
+                canonicalized_namespaces[key] = NamespaceV1(
+                    **sat.namespace.dict(by_alias=True),
+                    sharedResources=None,
+                    openshiftServiceAccountTokens=None,
+                )
+    return list(canonicalized_namespaces.values())
+
+
+def get_namespaces_with_serviceaccount_tokens(
+    query_func: Callable,
+) -> list[NamespaceV1]:
+    return [
+        namespace
+        for namespace in serviceaccount_tokens_query(query_func=query_func).namespaces
+        or []
+        if integration_is_enabled(QONTRACT_INTEGRATION, namespace.cluster)
+        and not bool(namespace.delete)
+        and (
+            namespace.openshift_service_account_tokens
+            or any(
+                sr.openshift_service_account_tokens
+                for sr in namespace.shared_resources or []
+            )
         )
-        if openshift_serviceaccount_tokens:
-            canonicalized_namespaces.append(namespace_info)
-            for sat in openshift_serviceaccount_tokens:
-                canonicalized_namespaces.append(sat["namespace"])
-
-    return canonicalized_namespaces
+    ]
 
 
 @defer
 def run(
-    dry_run,
-    thread_pool_size=10,
-    internal=None,
-    use_jump_host=True,
-    vault_output_path="",
-    defer=None,
-):
-    namespaces = canonicalize_namespaces(queries.get_serviceaccount_tokens())
+    dry_run: bool,
+    thread_pool_size: int = 10,
+    internal: bool | None = None,
+    use_jump_host: bool = True,
+    vault_output_path: str = "",
+    defer: Callable | None = None,
+) -> None:
+    gql_api = gql.get_api()
+    namespaces = canonicalize_namespaces(
+        get_namespaces_with_serviceaccount_tokens(gql_api.query)
+    )
     ri, oc_map = ob.fetch_current_state(
-        namespaces=namespaces,
+        namespaces=[ns.dict(by_alias=True) for ns in namespaces],
         thread_pool_size=thread_pool_size,
         integration=QONTRACT_INTEGRATION,
         integration_version=QONTRACT_INTEGRATION_VERSION,
@@ -152,12 +187,13 @@ def run(
         internal=internal,
         use_jump_host=use_jump_host,
     )
-    defer(oc_map.cleanup)
+    if defer:
+        defer(oc_map.cleanup)
     fetch_desired_state(namespaces, ri, oc_map)
     ob.publish_metrics(ri, QONTRACT_INTEGRATION)
     ob.realize_data(dry_run, oc_map, ri, thread_pool_size)
     if not dry_run and vault_output_path:
-        write_outputs_to_vault(vault_output_path, ri)
+        write_outputs_to_vault(VaultClient(), vault_output_path, ri)
 
     if ri.has_error_registered():
         sys.exit(1)

reconcile/queries.py

@@ -1553,79 +1553,6 @@ def get_namespaces(minimal=False):
     return gqlapi.query(NAMESPACES_QUERY)["namespaces"]
 
 
-SA_TOKEN = """
-name
-namespace {
-  name
-  cluster {
-    name
-    serverUrl
-    insecureSkipTLSVerify
-    jumpHost {
-      %s
-    }
-    automationToken {
-      path
-      field
-      version
-      format
-    }
-    internal
-    disable {
-      integrations
-    }
-  }
-}
-serviceAccountName
-""" % (indent(JUMPHOST_FIELDS, 6 * " "),)
-
-
-SERVICEACCOUNT_TOKENS_QUERY = """
-{
-  namespaces: namespaces_v1 {
-    name
-    delete
-    cluster {
-      name
-      serverUrl
-      insecureSkipTLSVerify
-      jumpHost {
-        %s
-      }
-      automationToken {
-        path
-        field
-        version
-        format
-      }
-      internal
-      disable {
-        integrations
-      }
-    }
-    sharedResources {
-      openshiftServiceAccountTokens {
-        %s
-      }
-    }
-    openshiftServiceAccountTokens {
-      %s
-    }
-  }
-}
-""" % (
-    indent(JUMPHOST_FIELDS, 8 * " "),
-    indent(SA_TOKEN, 8 * " "),
-    indent(SA_TOKEN, 6 * " "),
-)
-
-
-def get_serviceaccount_tokens():
-    """Returns all namespaces with ServiceAccount tokens information"""
-    gqlapi = gql.get_api()
-    return gqlapi.query(SERVICEACCOUNT_TOKENS_QUERY)["namespaces"]
-
-
 PRODUCTS_QUERY = """
 {
   products: products_v1 {

reconcile/test/test_openshift_base.py

@@ -1205,3 +1205,65 @@ def test_get_state_count_combinations():
     ]
     expected = {"c1": 2, "c2": 2, "c3": 1}
     assert expected == sut.get_state_count_combinations(state)
+
+
+def test_aggregate_shared_resources_typed_openshift_service_resources() -> None:
+    class OpenShiftResourcesStub(BaseModel):
+        openshift_resources: list | None
+
+    class OpenShiftResourcesAndSharedResourcesStub(OpenShiftResourcesStub, BaseModel):
+        shared_resources: list[OpenShiftResourcesStub] | None
+
+    namespace = OpenShiftResourcesAndSharedResourcesStub(
+        openshift_resources=[1], shared_resources=None
+    )
+    sut.aggregate_shared_resources_typed(namespace=namespace)
+    assert namespace.openshift_resources == [1]
+
+    namespace = OpenShiftResourcesAndSharedResourcesStub(
+        openshift_resources=None,
+        shared_resources=[OpenShiftResourcesStub(openshift_resources=[2])],
+    )
+    sut.aggregate_shared_resources_typed(namespace=namespace)
+    assert namespace.openshift_resources == [2]
+
+    namespace = OpenShiftResourcesAndSharedResourcesStub(
+        openshift_resources=[1],
+        shared_resources=[OpenShiftResourcesStub(openshift_resources=[2])],
+    )
+    sut.aggregate_shared_resources_typed(namespace=namespace)
+    assert namespace.openshift_resources == [1, 2]
+
+
+def test_aggregate_shared_resources_typed_openshift_service_account_token() -> None:
+    class OpenshiftServiceAccountTokensStub(BaseModel):
+        openshift_service_account_tokens: list | None
+
+    class OpenshiftServiceAccountTokensAndSharedResourcesStub(
+        OpenshiftServiceAccountTokensStub, BaseModel
+    ):
+        shared_resources: list[OpenshiftServiceAccountTokensStub] | None
+
+    namespace = OpenshiftServiceAccountTokensAndSharedResourcesStub(
+        openshift_service_account_tokens=[1], shared_resources=None
+    )
+    sut.aggregate_shared_resources_typed(namespace=namespace)
+    assert namespace.openshift_service_account_tokens == [1]
+
+    namespace = OpenshiftServiceAccountTokensAndSharedResourcesStub(
+        openshift_service_account_tokens=None,
+        shared_resources=[
+            OpenshiftServiceAccountTokensStub(openshift_service_account_tokens=[2])
+        ],
+    )
+    sut.aggregate_shared_resources_typed(namespace=namespace)
+    assert namespace.openshift_service_account_tokens == [2]
+
+    namespace = OpenshiftServiceAccountTokensAndSharedResourcesStub(
+        openshift_service_account_tokens=[1],
+        shared_resources=[
+            OpenshiftServiceAccountTokensStub(openshift_service_account_tokens=[2])
+        ],
+    )
+    sut.aggregate_shared_resources_typed(namespace=namespace)
+    assert namespace.openshift_service_account_tokens == [1, 2]

reconcile/test/test_openshift_serviceaccount_tokens.py

@@ -0,0 +1,228 @@
+from collections.abc import Callable, Mapping
+from typing import Any
+from unittest.mock import call
+
+import pytest
+from pytest_mock import MockerFixture
+
+from reconcile.gql_definitions.openshift_serviceaccount_tokens.tokens import NamespaceV1
+from reconcile.openshift_serviceaccount_tokens import (
+    canonicalize_namespaces,
+    construct_sa_token_oc_resource,
+    fetch_desired_state,
+    get_namespaces_with_serviceaccount_tokens,
+    get_tokens_for_service_account,
+    write_outputs_to_vault,
+)
+from reconcile.test.fixtures import Fixtures
+from reconcile.utils.oc import OC_Map, OCCli
+from reconcile.utils.openshift_resource import ResourceInventory
+from reconcile.utils.vault import _VaultClient
+
+
+@pytest.fixture
+def fx() -> Fixtures:
+    return Fixtures("openshift_serviceaccount_tokens")
+
+
+@pytest.fixture
+def query_func(
+    data_factory: Callable[[type[NamespaceV1], Mapping[str, Any]], Mapping[str, Any]],
+    fx: Fixtures,
+) -> Callable:
+    def q(*args: Any, **kwargs: Any) -> dict:
+        return {
+            "namespaces": [
+                data_factory(NamespaceV1, item)
+                for item in fx.get_anymarkup("namespaces.yml")["namespaces"]
+            ]
+        }
+
+    return q
+
+
+@pytest.fixture
+def namespaces(query_func: Callable) -> list[NamespaceV1]:
+    return get_namespaces_with_serviceaccount_tokens(query_func)
+
+
+@pytest.fixture
+def ri(namespaces: list[NamespaceV1]) -> ResourceInventory:
+    _ri = ResourceInventory()
+    _ri.initialize_resource_type(
+        cluster="cluster", namespace="namespace", resource_type="Secret"
+    )
+    for ns in namespaces:
+        _ri.initialize_resource_type(
+            cluster=ns.cluster.name, namespace=ns.name, resource_type="Secret"
+        )
+    return _ri
+
+
+def test_openshift_serviceaccount_tokens__construct_sa_token_oc_resource() -> None:
+    qr = construct_sa_token_oc_resource("foobar", "token")
+    assert qr.body == {
+        "apiVersion": "v1",
+        "data": {"token": "token"},
+        "kind": "Secret",
+        "metadata": {"name": "foobar"},
+        "type": "Opaque",
+    }
+
+
+def test_openshift_serviceaccount_tokens__get_tokens_for_service_account() -> None:
+    foobar_secret = {
+        "metadata": {
+            "annotations": {"kubernetes.io/service-account.name": "foobar-account"}
+        },
+        "type": "kubernetes.io/service-account-token",
+    }
+    assert get_tokens_for_service_account(
+        service_account="foobar-account",
+        tokens=[
+            foobar_secret,
+            {
+                "metadata": {
+                    "annotations": {
+                        "kubernetes.io/service-account.name": "just-another-account"
+                    }
+                },
+                "type": "kubernetes.io/service-account-token",
+            },
+            foobar_secret,
+            {
+                "metadata": {"annotations": {"whatever": "foobar-account"}},
+                "type": "not-a-service-account-token",
+            },
+        ],
+    ) == [foobar_secret, foobar_secret]
+
+
+def test_openshift_serviceaccount_tokens__write_outputs_to_vault(
+    mocker: MockerFixture, ri: ResourceInventory
+) -> None:
+    vault_client = mocker.create_autospec(_VaultClient)
+
+    ri.add_desired(
+        cluster="cluster",
+        namespace="namespace",
+        resource_type="Secret",
+        name="name",
+        value=construct_sa_token_oc_resource("name", "token"),
+    )
+    write_outputs_to_vault(vault_client, "path/to/secrets", ri)
+    vault_client.write.call_count == 2
+    vault_client.write.assert_has_calls([
+        call({
+            "path": "path/to/secrets/openshift-serviceaccount-tokens/cluster/namespace/name",
+            "data": {"token": "token"},
+        }),
+        call({
+            "path": "path/to/secrets/openshift-serviceaccount-tokens/shared-resources/name",
+            "data": {"token": "token"},
+        }),
+    ])
+
+
+def test_openshift_serviceaccount_tokens__get_namespaces_with_serviceaccount_tokens(
+    namespaces: list[NamespaceV1],
+) -> None:
+    assert len(namespaces) == 3
+    assert namespaces[0].name == "with-openshift-serviceaccount-tokens"
+    assert namespaces[1].name == "with-shared-resources"
+    assert (
+        namespaces[2].name
+        == "with-openshift-serviceaccount-tokens-and-shared-resources"
+    )
+
+
+def test_openshift_serviceaccount_tokens__canonicalize_namespaces(
+    namespaces: list[NamespaceV1],
+) -> None:
+    nss = canonicalize_namespaces(namespaces)
+    # sort by number of tokens and namespace name
+    nss.sort(key=lambda n: f"{len(n.openshift_service_account_tokens or [])}-{n.name}")
+    assert len(nss) == 6
+
+    # added via remote service account token
+    assert nss[0].name == "observability"
+    assert nss[0].openshift_service_account_tokens is None
+    assert nss[1].name == "platform-changelog-stage"
+    assert nss[1].openshift_service_account_tokens is None
+    assert nss[2].name == "with-openshift-serviceaccount-tokens"
+    assert nss[2].openshift_service_account_tokens is None
+
+    # namespace with tokens or shared resources defined
+    nss[3].name == "with-shared-resources"
+    nss[3].cluster.name == "cluster"
+    assert len(nss[3].openshift_service_account_tokens or []) == 1
+
+    nss[4].name == "with-openshift-serviceaccount-tokens"
+    assert len(nss[4].openshift_service_account_tokens or []) == 2
+
+    nss[5].name == "with-openshift-serviceaccount-tokens-and-shared-resources"
+    assert len(nss[5].openshift_service_account_tokens or []) == 2
+
+
+def test_openshift_serviceaccount_tokens__fetch_desired_state(
+    mocker: MockerFixture, namespaces: list[NamespaceV1], ri: ResourceInventory
+) -> None:
+    grafana_secret = {
+        "metadata": {
+            "name": "grafana-secret",
+            "annotations": {"kubernetes.io/service-account.name": "grafana"},
+        },
+        "type": "kubernetes.io/service-account-token",
+        "data": {"token": "super-secret-token"},
+    }
+
+    oc_map = mocker.create_autospec(OC_Map)
+    oc = mocker.create_autospec(OCCli)
+    oc_map.get.return_value = oc
+    oc.get_items.return_value = [
+        grafana_secret,
+        {
+            "metadata": {
+                "name": "just-another-account-secret",
+                "annotations": {
+                    "kubernetes.io/service-account.name": "just-another-account"
+                },
+            },
+            "type": "kubernetes.io/service-account-token",
+        },
+        grafana_secret,
+        {
+            "metadata": {
+                "name": "just-something-different",
+                "annotations": {"whatever": "grafana"},
+            },
+            "type": "not-a-service-account-token",
+        },
+    ]
+    fetch_desired_state(
+        namespaces=namespaces,
+        ri=ri,
+        oc_map=oc_map,
+    )
+    assert (
+        len(
+            ri._clusters["cluster"]["with-openshift-serviceaccount-tokens"]["Secret"][
+                "desired"
+            ].keys()
+        )
+        == 2
+    )
+    assert (
+        len(
+            ri._clusters["cluster"][
+                "with-openshift-serviceaccount-tokens-and-shared-resources"
+            ]["Secret"]["desired"].keys()
+        )
+        == 1
+    )
+    assert (
+        "another-cluster-with-openshift-serviceaccount-tokens-grafana"
+        in ri._clusters["cluster"]["with-openshift-serviceaccount-tokens"]["Secret"][
+            "desired"
+        ]
+    )