qontract-reconcile 0.10.2.dev310__py3-none-any.whl → 0.10.2.dev439__py3-none-any.whl

reconcile/utils/oc.py

@@ -1,4 +1,7 @@
+from __future__ import annotations
+
 import copy
+import itertools
 import json
 import logging
 import os
@@ -7,20 +10,16 @@ import re
 import subprocess
 import threading
 import time
-from collections.abc import (
-    Iterable,
-    Mapping,
-)
+from collections import defaultdict
 from contextlib import suppress
 from dataclasses import dataclass
-from datetime import datetime
 from functools import cache, wraps
 from subprocess import Popen
 from threading import Lock
-from typing import Any
+from typing import TYPE_CHECKING, Any, TextIO, cast
 
 import urllib3
-from kubernetes.client import (  # type: ignore[attr-defined]
+from kubernetes.client import (
     ApiClient,
     Configuration,
 )
@@ -48,12 +47,12 @@ from sretoolbox.utils import (
 )
 
 from reconcile.status import RunningState
+from reconcile.utils.json import json_dumps
 from reconcile.utils.jump_host import (
     JumphostParameters,
     JumpHostSSH,
 )
 from reconcile.utils.metrics import reconcile_time
-from reconcile.utils.oc_connection_parameters import OCConnectionParameters
 from reconcile.utils.openshift_resource import OpenshiftResource as OR
 from reconcile.utils.secret_reader import (
     SecretNotFoundError,
@@ -61,10 +60,26 @@ from reconcile.utils.secret_reader import (
 )
 from reconcile.utils.unleash import get_feature_toggle_state
 
+if TYPE_CHECKING:
+    from collections.abc import Callable, Iterable, Mapping, MutableMapping
+
+    from reconcile.utils.oc_connection_parameters import OCConnectionParameters
+
 urllib3.disable_warnings()
 
 GET_REPLICASET_MAX_ATTEMPTS = 20
-
+DEFAULT_GROUP = ""
+PROJECT_KIND = "Project.project.openshift.io"
+POD_RECYCLE_SUPPORTED_TRIGGER_KINDS = [
+    "ConfigMap",
+    "Secret",
+]
+POD_RECYCLE_SUPPORTED_OWNER_KINDS = [
+    "DaemonSet",
+    "Deployment",
+    "DeploymentConfig",
+    "StatefulSet",
+]
 
 oc_run_execution_counter = Counter(
     name="oc_run_execution_counter",
@@ -121,29 +136,29 @@ class JSONParsingError(Exception):
     pass
 
 
-class RecyclePodsUnsupportedKindError(Exception):
+class PodNotReadyError(Exception):
     pass
 
 
-class RecyclePodsInvalidAnnotationValueError(Exception):
+class JobNotRunningError(Exception):
     pass
 
 
-class PodNotReadyError(Exception):
+class RequestEntityTooLargeError(Exception):
     pass
 
 
-class JobNotRunningError(Exception):
+class KindNotFoundError(Exception):
     pass
 
 
-class RequestEntityTooLargeError(Exception):
+class AmbiguousResourceTypeError(Exception):
     pass
 
 
 class OCDecorators:
     @classmethod
-    def process_reconcile_time(cls, function):
+    def process_reconcile_time(cls, function: Callable) -> Callable:
         """
         Compare current time against bundle commit time and create log
         and metrics from it.
@@ -165,7 +180,7 @@ class OCDecorators:
         """
 
         @wraps(function)
-        def wrapper(*args, **kwargs):
+        def wrapper(*args: Any, **kwargs: Any) -> list | tuple | Any:
             result = function(*args, **kwargs)
             msg = result[:-1] if isinstance(result, list | tuple) else result
 
@@ -173,6 +188,8 @@ class OCDecorators:
                 return result
 
             running_state = RunningState()
+            if running_state.timestamp is None:
+                raise ValueError("Running state timestamp is None")
             commit_time = float(running_state.timestamp)
             time_spent = time.time() - commit_time
 
@@ -225,7 +242,9 @@ class OCProcessReconcileTimeDecoratorMsg:
     is_log_slow_oc_reconcile: bool
 
 
-def oc_process(template, parameters=None):
+def oc_process(
+    template: Mapping[str, Any], parameters: Mapping[str, Any] | None = None
+) -> Iterable[dict[str, Any]]:
     oc = OCLocal(cluster_name="cluster", server=None, token=None, local=True)
     return oc.process(template, parameters)
 
@@ -252,7 +271,7 @@ class OCCliApiResource:
     namespaced: bool
 
     @property
-    def group_version(self):
+    def group_version(self) -> str:
         if self.group:
             return f"{self.group}/{self.api_version}"
         return self.api_version
@@ -271,7 +290,7 @@ class OCCli:
         local: bool = False,
         insecure_skip_tls_verify: bool = False,
         connection_parameters: OCConnectionParameters | None = None,
-    ):
+    ) -> None:
         """
         As of now we have to conform with 2 ways to initialize this client:
 
@@ -300,10 +319,10 @@ class OCCli:
                 insecure_skip_tls_verify=insecure_skip_tls_verify,
             )
 
-    def __enter__(self):
+    def __enter__(self) -> OCCli:
         return self
 
-    def __exit__(self, *exc):
+    def __exit__(self, *exc: Any) -> None:
         self.cleanup()
 
     def _init_old_without_types(
@@ -317,7 +336,7 @@ class OCCli:
         init_api_resources: bool = False,
         local: bool = False,
         insecure_skip_tls_verify: bool = False,
-    ):
+    ) -> None:
         """Initiates an OC client
 
         Args:
@@ -372,10 +391,7 @@ class OCCli:
 
         self.init_projects = init_projects
         if self.init_projects:
-            if self.is_kind_supported("Project"):
-                kind = "Project.project.openshift.io"
-            else:
-                kind = "Namespace"
+            kind = PROJECT_KIND if self.is_kind_supported(PROJECT_KIND) else "Namespace"
             self.projects = {p["metadata"]["name"] for p in self.get_all(kind)["items"]}
 
         self.slow_oc_reconcile_threshold = float(
@@ -392,7 +408,7 @@ class OCCli:
         init_projects: bool = False,
         init_api_resources: bool = False,
         local: bool = False,
-    ):
+    ) -> None:
         self.cluster_name = connection_parameters.cluster_name
         self.server = connection_parameters.server_url
         oc_base_cmd = ["oc", "--kubeconfig", "/dev/null"]
@@ -445,10 +461,7 @@ class OCCli:
 
         self.init_projects = init_projects
         if self.init_projects:
-            if self.is_kind_supported("Project"):
-                kind = "Project.project.openshift.io"
-            else:
-                kind = "Namespace"
+            kind = PROJECT_KIND if self.is_kind_supported(PROJECT_KIND) else "Namespace"
             self.projects = {p["metadata"]["name"] for p in self.get_all(kind)["items"]}
 
         self.slow_oc_reconcile_threshold = float(
@@ -459,14 +472,14 @@ class OCCli:
             "LOG_SLOW_OC_RECONCILE", ""
         ).lower() in {"true", "yes"}
 
-    def whoami(self):
+    def whoami(self) -> bytes:
         return self._run(["whoami"])
 
-    def cleanup(self):
+    def cleanup(self) -> None:
         if hasattr(self, "jump_host") and isinstance(self.jump_host, JumpHostSSH):
             self.jump_host.cleanup()
 
-    def get_items(self, kind, **kwargs):
+    def get_items(self, kind: str, **kwargs: Any) -> list[dict[str, Any]]:
         cmd = ["get", kind, "-o", "json"]
 
         if "namespace" in kwargs:
@@ -479,28 +492,33 @@ class OCCli:
                 cmd.extend(["-n", namespace])
 
         if "labels" in kwargs:
-            labels_list = [f"{k}={v}" for k, v in kwargs.get("labels").items()]
+            labels_list = [f"{k}={v}" for k, v in kwargs.get("labels", {}).items()]
             cmd += ["-l", ",".join(labels_list)]
 
         resource_names = kwargs.get("resource_names")
         if resource_names:
-            items = []
+            resource_items = []
             for resource_name in resource_names:
                 resource_cmd = cmd + [resource_name]
                 item = self._run_json(resource_cmd, allow_not_found=True)
                 if item:
-                    items.append(item)
-            items_list = {"items": items}
+                    resource_items.append(item)
+            items_list = {"items": resource_items}
         else:
             items_list = self._run_json(cmd)
 
         items = items_list.get("items")
         if items is None:
             raise Exception("Expecting items")
-
         return items
 
-    def get(self, namespace, kind, name=None, allow_not_found=False):
+    def get(
+        self,
+        namespace: str | None,
+        kind: str,
+        name: str | None = None,
+        allow_not_found: bool = False,
+    ) -> dict[str, Any]:
         cmd = ["get", "-o", "json", kind]
         if name:
             cmd.append(name)
@@ -508,13 +526,15 @@ class OCCli:
             cmd.extend(["-n", namespace])
         return self._run_json(cmd, allow_not_found=allow_not_found)
 
-    def get_all(self, kind, all_namespaces=False):
+    def get_all(self, kind: str, all_namespaces: bool = False) -> dict[str, Any]:
         cmd = ["get", "-o", "json", kind]
         if all_namespaces:
             cmd.append("--all-namespaces")
         return self._run_json(cmd)
 
-    def remove_last_applied_configuration(self, namespace, kind, name):
+    def remove_last_applied_configuration(
+        self, namespace: str, kind: str, name: str
+    ) -> None:
         cmd = [
             "annotate",
             "-n",
@@ -525,7 +545,9 @@ class OCCli:
         ]
         self._run(cmd)
 
-    def _msg_to_process_reconcile_time(self, namespace: str, resource: OR):
+    def _msg_to_process_reconcile_time(
+        self, namespace: str, resource: OR
+    ) -> OCProcessReconcileTimeDecoratorMsg:
         return OCProcessReconcileTimeDecoratorMsg(
             namespace=namespace,
             resource=resource,
@@ -534,7 +556,9 @@ class OCCli:
             is_log_slow_oc_reconcile=self.is_log_slow_oc_reconcile,
         )
 
-    def process(self, template, parameters=None):
+    def process(
+        self, template: Mapping[str, Any], parameters: Mapping[str, Any] | None = None
+    ) -> Iterable[dict[str, Any]]:
         if parameters is None:
             parameters = {}
         parameters_to_process = [f"{k}={v}" for k, v in parameters.items()]
@@ -545,36 +569,44 @@ class OCCli:
             "-f",
             "-",
         ] + parameters_to_process
-        result = self._run(cmd, stdin=json.dumps(template, sort_keys=True))
+        result = self._run(cmd, stdin=json_dumps(template))
         return json.loads(result)["items"]
 
     @OCDecorators.process_reconcile_time
-    def apply(self, namespace, resource):
+    def apply(self, namespace: str, resource: OR) -> OCProcessReconcileTimeDecoratorMsg:
         cmd = ["apply", "-n", namespace, "-f", "-"]
         self._run(cmd, stdin=resource.to_json(), apply=True)
         return self._msg_to_process_reconcile_time(namespace, resource)
 
     @OCDecorators.process_reconcile_time
-    def create(self, namespace, resource):
+    def create(
+        self, namespace: str, resource: OR
+    ) -> OCProcessReconcileTimeDecoratorMsg:
         cmd = ["create", "-n", namespace, "-f", "-"]
         self._run(cmd, stdin=resource.to_json(), apply=True)
         return self._msg_to_process_reconcile_time(namespace, resource)
 
     @OCDecorators.process_reconcile_time
-    def replace(self, namespace, resource):
+    def replace(
+        self, namespace: str, resource: OR
+    ) -> OCProcessReconcileTimeDecoratorMsg:
         cmd = ["replace", "-n", namespace, "-f", "-"]
         self._run(cmd, stdin=resource.to_json(), apply=True)
         return self._msg_to_process_reconcile_time(namespace, resource)
 
     @OCDecorators.process_reconcile_time
-    def patch(self, namespace, kind, name, patch):
-        cmd = ["patch", "-n", namespace, kind, name, "-p", json.dumps(patch)]
+    def patch(
+        self, namespace: str, kind: str, name: str, patch: Mapping[str, Any]
+    ) -> OCProcessReconcileTimeDecoratorMsg:
+        cmd = ["patch", "-n", namespace, kind, name, "-p", json_dumps(patch)]
         self._run(cmd)
         resource = OR({"kind": kind, "metadata": {"name": name}}, "", "")
         return self._msg_to_process_reconcile_time(namespace, resource)
 
     @OCDecorators.process_reconcile_time
-    def delete(self, namespace, kind, name, cascade=True):
+    def delete(
+        self, namespace: str, kind: str, name: str, cascade: bool = True
+    ) -> OCProcessReconcileTimeDecoratorMsg:
         cmd = [
             "delete",
             "-n",
@@ -589,7 +621,14 @@ class OCCli:
         return self._msg_to_process_reconcile_time(namespace, resource)
 
     @OCDecorators.process_reconcile_time
-    def label(self, namespace, kind, name, labels, overwrite=False):
+    def label(
+        self,
+        namespace: str | None,
+        kind: str,
+        name: str,
+        labels: Mapping[str, str | None],
+        overwrite: bool = False,
+    ) -> OCProcessReconcileTimeDecoratorMsg:
         ns = ["-n", namespace] if namespace else []
         added = [f"{k}={v}" for k, v in labels.items() if v is not None]
         removed = [f"{k}-" for k, v in labels.items() if v is None]
@@ -598,16 +637,14 @@ class OCCli:
         cmd.extend(added + removed)
         self._run(cmd)
         resource = OR({"kind": kind, "metadata": {"name": name}}, "", "")
-        return self._msg_to_process_reconcile_time(namespace, resource)
+        return self._msg_to_process_reconcile_time(namespace or "", resource)
 
-    def project_exists(self, name):
+    def project_exists(self, name: str) -> bool:
         if name in self.projects:
             return True
+        kind = PROJECT_KIND if self.is_kind_supported(PROJECT_KIND) else "Namespace"
         try:
-            if self.is_kind_supported("Project"):
-                self.get(None, "Project.project.openshift.io", name)
-            else:
-                self.get(None, "Namespace", name)
+            self.get(None, kind, name)
         except StatusCodeError as e:
             if "NotFound" in str(e):
                 return False
@@ -615,8 +652,8 @@ class OCCli:
         return True
 
     @OCDecorators.process_reconcile_time
-    def new_project(self, namespace):
-        if self.is_kind_supported("Project"):
+    def new_project(self, namespace: str) -> OCProcessReconcileTimeDecoratorMsg:
+        if self.is_kind_supported(PROJECT_KIND):
             cmd = ["new-project", namespace]
         else:
             cmd = ["create", "namespace", namespace]
@@ -631,8 +668,8 @@ class OCCli:
         return self._msg_to_process_reconcile_time(namespace, resource)
 
     @OCDecorators.process_reconcile_time
-    def delete_project(self, namespace):
-        if self.is_kind_supported("Project"):
+    def delete_project(self, namespace: str) -> OCProcessReconcileTimeDecoratorMsg:
+        if self.is_kind_supported(PROJECT_KIND):
             cmd = ["delete", "project", namespace]
         else:
             cmd = ["delete", "namespace", namespace]
@@ -642,7 +679,7 @@ class OCCli:
         resource = OR({"kind": "Namespace", "metadata": {"name": namespace}}, "", "")
         return self._msg_to_process_reconcile_time(namespace, resource)
 
-    def get_group_if_exists(self, name):
+    def get_group_if_exists(self, name: str) -> dict[str, Any] | None:
         try:
             return self.get(None, "Group", name)
         except StatusCodeError as e:
@@ -650,20 +687,20 @@ class OCCli:
                 return None
             raise e
 
-    def create_group(self, group):
+    def create_group(self, group: str) -> None:
         if self.get_group_if_exists(group) is not None:
             return
         cmd = ["adm", "groups", "new", group]
         self._run(cmd)
 
-    def delete_group(self, group):
+    def delete_group(self, group: str) -> None:
         cmd = ["delete", "group", group]
         self._run(cmd)
 
-    def get_users(self):
+    def get_users(self) -> Iterable[dict[str, Any]]:
         return self.get_all("User")["items"]
 
-    def delete_user(self, user_name):
+    def delete_user(self, user_name: str) -> None:
         user = self.get(None, "User", user_name)
         cmd = ["delete", "user", user_name]
         self._run(cmd)
@@ -671,19 +708,19 @@ class OCCli:
             cmd = ["delete", "identity", identity]
             self._run(cmd)
 
-    def add_user_to_group(self, group, user):
+    def add_user_to_group(self, group: str, user: str) -> None:
         cmd = ["adm", "groups", "add-users", group, user]
         self._run(cmd)
 
-    def del_user_from_group(self, group, user):
+    def del_user_from_group(self, group: str, user: str) -> None:
         cmd = ["adm", "groups", "remove-users", group, user]
         self._run(cmd)
 
-    def sa_get_token(self, namespace, name):
+    def sa_get_token(self, namespace: str, name: str) -> str:
         cmd = ["sa", "-n", namespace, "get-token", name]
-        return self._run(cmd)
+        return self._run(cmd).decode("utf-8")
 
-    def get_api_resources(self):
+    def get_api_resources(self) -> dict[str, list[OCCliApiResource]]:
         with self.api_resources_lock:
             if not self.api_resources:
                 cmd = ["api-resources", "--no-headers"]
@@ -704,13 +741,13 @@ class OCCli:
 
         return self.api_resources
 
-    def get_version(self):
+    def get_version(self) -> bytes:
         # this is actually a 10 second timeout, because: oc reasons
         cmd = ["version", "--request-timeout=5"]
         return self._run(cmd)
 
     @retry(exceptions=(JobNotRunningError), max_attempts=20)
-    def wait_for_job_running(self, namespace, name):
+    def wait_for_job_running(self, namespace: str, name: str) -> None:
         logging.info("waiting for job to run: " + name)
         pods = self.get_items("Pod", namespace=namespace, labels={"job-name": name})
 
@@ -725,13 +762,13 @@ class OCCli:
 
     def job_logs(
         self,
-        namespace,
-        name,
-        follow,
-        output,
-        wait_for_job_running=True,
-        wait_for_logs_process=False,
-    ):
+        namespace: str,
+        name: str,
+        follow: bool,
+        output: str | pathlib.Path | TextIO,
+        wait_for_job_running: bool = True,
+        wait_for_logs_process: bool = False,
+    ) -> None:
         if wait_for_job_running:
             self.wait_for_job_running(namespace, name)
 
@@ -739,6 +776,7 @@ class OCCli:
         if follow:
             cmd.append("-f")
 
+        output_file: TextIO
         if isinstance(output, str | pathlib.Path):
             output_file = open(os.path.join(output, name), "w", encoding="locale")  # noqa: SIM115
         else:
@@ -779,12 +817,11 @@ class OCCli:
         return output_file_name
 
     @staticmethod
-    def get_service_account_username(user):
-        namespace = user.split("/")[0]
-        name = user.split("/")[1]
+    def get_service_account_username(user: str) -> str:
+        namespace, name, _ = user.split("/", maxsplit=2)
         return f"system:serviceaccount:{namespace}:{name}"
 
-    def get_owned_pods(self, namespace, resource):
+    def get_owned_pods(self, namespace: str, resource: OR) -> list[dict[str, Any]]:
         pods = self.get(namespace, "Pod")["items"]
         owned_pods = []
         for p in pods:
@@ -797,7 +834,9 @@ class OCCli:
 
         return owned_pods
 
-    def get_owned_replicasets(self, namespace, resource: dict) -> list[dict]:
+    def get_owned_replicasets(
+        self, namespace: str, resource: Mapping[str, Any]
+    ) -> list[dict[str, Any]]:
         owned_replicasets = []
         for rs in self.get(namespace, "ReplicaSet")["items"]:
             owner = self.get_obj_root_owner(namespace, rs, allow_not_found=True)
@@ -814,8 +853,11 @@ class OCCli:
         max_attempts=GET_REPLICASET_MAX_ATTEMPTS,
     )
     def get_replicaset(
-        self, namespace: str, deployment_resource: dict, allow_empty=False
-    ) -> dict:
+        self,
+        namespace: str,
+        deployment_resource: Mapping[str, Any],
+        allow_empty: bool = False,
+    ) -> dict[str, Any]:
         """Get last active ReplicaSet for given Deployment.
 
         Implements similar logic like in kubectl describe deployment.
@@ -835,7 +877,7 @@ class OCCli:
         raise ResourceNotFoundError("No ReplicaSet found")
 
     @staticmethod
-    def get_pod_owned_pvc_names(pods: Iterable[dict[str, dict]]) -> set[str]:
+    def get_pod_owned_pvc_names(pods: Iterable[Mapping[str, Any]]) -> set[str]:
         owned_pvc_names = set()
         for p in pods:
             vols = p["spec"].get("volumes")
@@ -849,25 +891,28 @@ class OCCli:
         return owned_pvc_names
 
     @staticmethod
-    def get_storage(resource):
+    def get_storage(resource: Mapping[str, Any]) -> str | None:
         # resources with volumeClaimTemplates
         with suppress(KeyError, IndexError):
             vct = resource["spec"]["volumeClaimTemplates"][0]
             return vct["spec"]["resources"]["requests"]["storage"]
+        return None
 
-    def resize_pvcs(self, namespace, pvc_names, size):
+    def resize_pvcs(self, namespace: str, pvc_names: Iterable[str], size: str) -> None:
         patch = {"spec": {"resources": {"requests": {"storage": size}}}}
         for p in pvc_names:
             self.patch(namespace, "PersistentVolumeClaim", p, patch)
 
-    def recycle_orphan_pods(self, namespace, pods):
+    def recycle_orphan_pods(
+        self, namespace: str, pods: Iterable[Mapping[str, Any]]
+    ) -> None:
         for p in pods:
             name = p["metadata"]["name"]
             self.delete(namespace, "Pod", name)
             self.validate_pod_ready(namespace, name)
 
     @retry(max_attempts=20)
-    def validate_pod_ready(self, namespace, name):
+    def validate_pod_ready(self, namespace: str, name: str) -> None:
         logging.info([
             self.validate_pod_ready.__name__,
             self.cluster_name,
@@ -879,108 +924,113 @@ class OCCli:
             if not status["ready"]:
                 raise PodNotReadyError(name)
 
-    def recycle_pods(self, dry_run, namespace, dep_kind, dep_resource):
-        """recycles pods which are using the specified resources.
-        will only act on Secrets containing the 'qontract.recycle' annotation.
-        dry_run: simulate pods recycle.
-        namespace: namespace in which dependant resource is applied.
-        dep_kind: dependant resource kind. currently only supports Secret.
-        dep_resource: dependant resource."""
-
-        supported_kinds = ["Secret", "ConfigMap"]
-        if dep_kind not in supported_kinds:
+    def _is_resource_supported_to_trigger_recycle(
+        self,
+        namespace: str,
+        resource: OR,
+    ) -> bool:
+        if resource.kind not in POD_RECYCLE_SUPPORTED_TRIGGER_KINDS:
             logging.debug([
                 "skipping_pod_recycle_unsupported",
                 self.cluster_name,
                 namespace,
-                dep_kind,
+                resource.kind,
+                resource.name,
             ])
-            return
+            return False
 
-        dep_annotations = dep_resource.body["metadata"].get("annotations", {})
         # Note, that annotations might have been set to None explicitly
-        dep_annotations = dep_resource.body["metadata"].get("annotations") or {}
-        qontract_recycle = dep_annotations.get("qontract.recycle")
-        if qontract_recycle is True:
-            raise RecyclePodsInvalidAnnotationValueError('should be "true"')
+        annotations = resource.body["metadata"].get("annotations") or {}
+        qontract_recycle = annotations.get("qontract.recycle")
         if qontract_recycle != "true":
             logging.debug([
                 "skipping_pod_recycle_no_annotation",
                 self.cluster_name,
                 namespace,
-                dep_kind,
+                resource.kind,
+                resource.name,
             ])
+            return False
+        return True
+
+    def recycle_pods(
+        self,
+        dry_run: bool,
+        namespace: str,
+        resource: OR,
+    ) -> None:
+        """
+        recycles pods which are using the specified resources.
+        will only act on Secret or ConfigMap containing the 'qontract.recycle' annotation.
+
+        Args:
+            dry_run (bool): if True, will only log the recycle action without executing it
+            namespace (str): namespace of the resource
+            resource (OR): resource object (Secret or ConfigMap) to check for pod usage
+        """
+
+        if not self._is_resource_supported_to_trigger_recycle(namespace, resource):
             return
 
-        dep_name = dep_resource.name
         pods = self.get(namespace, "Pod")["items"]
-
-        if dep_kind == "Secret":
-            pods_to_recycle = [
-                pod for pod in pods if self.secret_used_in_pod(dep_name, pod)
-            ]
-        elif dep_kind == "ConfigMap":
-            pods_to_recycle = [
-                pod for pod in pods if self.configmap_used_in_pod(dep_name, pod)
-            ]
-        else:
-            raise RecyclePodsUnsupportedKindError(dep_kind)
-
-        recyclables = {}
-        supported_recyclables = [
-            "Deployment",
-            "DeploymentConfig",
-            "StatefulSet",
-            "DaemonSet",
+        pods_to_recycle = [
+            pod
+            for pod in pods
+            if self.is_resource_used_in_pod(
+                name=resource.name,
+                kind=resource.kind,
+                pod=pod,
+            )
         ]
+
+        recycle_names_by_kind = defaultdict(set)
         for pod in pods_to_recycle:
             owner = self.get_obj_root_owner(namespace, pod, allow_not_found=True)
             kind = owner["kind"]
-            if kind not in supported_recyclables:
-                continue
-            recyclables.setdefault(kind, [])
-            exists = False
-            for obj in recyclables[kind]:
-                owner_name = owner["metadata"]["name"]
-                if obj["metadata"]["name"] == owner_name:
-                    exists = True
-                    break
-            if not exists:
-                recyclables[kind].append(owner)
-
-        for kind, objs in recyclables.items():
-            for obj in objs:
-                self.recycle(dry_run, namespace, kind, obj)
-
-    @retry(exceptions=ObjectHasBeenModifiedError)
-    def recycle(self, dry_run, namespace, kind, obj):
-        """Recycles an object by adding a recycle.time annotation
-
-        :param dry_run: Is this a dry run
-        :param namespace: Namespace to work in
-        :param kind: Object kind
-        :param obj: Object to recycle
+            if kind in POD_RECYCLE_SUPPORTED_OWNER_KINDS:
+                recycle_names_by_kind[kind].add(owner["metadata"]["name"])
+
+        for kind, names in recycle_names_by_kind.items():
+            for name in names:
+                self.recycle(
+                    dry_run=dry_run,
+                    namespace=namespace,
+                    kind=kind,
+                    name=name,
+                )
+
+    def recycle(
+        self,
+        dry_run: bool,
+        namespace: str,
+        kind: str,
+        name: str,
+    ) -> None:
+        """
+        Recycles an object using oc rollout restart, which will add an annotation
+        kubectl.kubernetes.io/restartedAt with the current timestamp to the pod
+        template, triggering a rolling restart.
+
+        Args:
+            dry_run (bool): if True, will only log the recycle action without executing it
+            namespace (str): namespace of the object to recycle
+            kind (str): kind of the object to recycle
+            name (str): name of the object to recycle
         """
-        name = obj["metadata"]["name"]
         logging.info([f"recycle_{kind.lower()}", self.cluster_name, namespace, name])
         if not dry_run:
-            now = datetime.now()
-            recycle_time = now.strftime("%d/%m/%Y %H:%M:%S")
-
-            # get the object in case it was modified
-            obj = self.get(namespace, kind, name)
-            # honor update strategy by setting annotations to force
-            # a new rollout
-            a = obj["spec"]["template"]["metadata"].get("annotations", {})
-            a["recycle.time"] = recycle_time
-            obj["spec"]["template"]["metadata"]["annotations"] = a
-            cmd = ["apply", "-n", namespace, "-f", "-"]
-            stdin = json.dumps(obj, sort_keys=True)
-            self._run(cmd, stdin=stdin, apply=True)
+            self._run(
+                ["rollout", "restart", f"{kind}/{name}", "-n", namespace],
+                apply=True,
+            )
 
     def get_obj_root_owner(
-        self, ns, obj, allow_not_found=False, allow_not_controller=False
-    ):
+        self,
+        ns: str,
+        obj: dict[str, Any],
+        allow_not_found: bool = False,
+        allow_not_controller: bool = False,
+    ) -> dict[str, Any]:
         """Get object root owner (recursively find the top level owner).
         - Returns obj if it has no ownerReferences
         - Returns obj if all ownerReferences have controller set to false
@@ -1014,39 +1064,65 @@ class OCCli:
                     )
         return obj
 
-    def secret_used_in_pod(self, name, pod):
-        used_resources = self.get_resources_used_in_pod_spec(pod["spec"], "Secret")
-        return name in used_resources
+    def is_resource_used_in_pod(
+        self,
+        name: str,
+        kind: str,
+        pod: Mapping[str, Any],
+    ) -> bool:
+        """
+        Check if a resource (Secret or ConfigMap) is used in a Pod.
 
-    def configmap_used_in_pod(self, name, pod):
-        used_resources = self.get_resources_used_in_pod_spec(pod["spec"], "ConfigMap")
+        Args:
+            name: Name of the resource
+            kind: "Secret" or "ConfigMap"
+            pod: Pod object
+
+        Returns:
+            True if the resource is used in the Pod, False otherwise.
+        """
+        used_resources = self.get_resources_used_in_pod_spec(pod["spec"], kind)
         return name in used_resources
 
     @staticmethod
     def get_resources_used_in_pod_spec(
-        spec: dict[str, Any],
+        spec: Mapping[str, Any],
         kind: str,
         include_optional: bool = True,
     ) -> dict[str, set[str]]:
-        if kind not in {"Secret", "ConfigMap"}:
-            raise KeyError(f"unsupported resource kind: {kind}")
+        """
+        Get resources (Secrets or ConfigMaps) used in a Pod spec.
+        Returns a dictionary where keys are resource names and values are sets of keys used from that resource.
+
+        Args:
+            spec: Pod spec
+            kind: "Secret" or "ConfigMap"
+            include_optional: Whether to include optional resources
+
+        Returns:
+            A dictionary mapping resource names to sets of keys used.
+        """
+        match kind:
+            case "Secret":
+                volume_kind, volume_kind_ref, env_from_kind, env_kind, env_ref = (
+                    "secret",
+                    "secretName",
+                    "secretRef",
+                    "secretKeyRef",
+                    "name",
+                )
+            case "ConfigMap":
+                volume_kind, volume_kind_ref, env_from_kind, env_kind, env_ref = (
+                    "configMap",
+                    "name",
+                    "configMapRef",
+                    "configMapKeyRef",
+                    "name",
+                )
+            case _:
+                raise KeyError(f"unsupported resource kind: {kind}")
+
         optional = "optional"
-        if kind == "Secret":
-            volume_kind, volume_kind_ref, env_from_kind, env_kind, env_ref = (
-                "secret",
-                "secretName",
-                "secretRef",
-                "secretKeyRef",
-                "name",
-            )
-        elif kind == "ConfigMap":
-            volume_kind, volume_kind_ref, env_from_kind, env_kind, env_ref = (
-                "configMap",
-                "name",
-                "configMapRef",
-                "configMapKeyRef",
-                "name",
-            )
 
         resources: dict[str, set[str]] = {}
         for v in spec.get("volumes") or []:
@@ -1075,15 +1151,15 @@ class OCCli:
                         continue
                     resource_name = resource_ref[env_ref]
                     resources.setdefault(resource_name, set())
-                    secret_key = resource_ref["key"]
-                    resources[resource_name].add(secret_key)
+                    key = resource_ref["key"]
+                    resources[resource_name].add(key)
                 except (KeyError, TypeError):
                     continue
 
         return resources
 
     @retry(exceptions=(StatusCodeError, NoOutputError), max_attempts=10)
-    def _run(self, cmd, **kwargs) -> bytes:
+    def _run(self, cmd: list[str], **kwargs: Any) -> bytes:
         oc_run_execution_counter.labels(integration=RunningState().integration).inc()
         stdin = kwargs.get("stdin")
         stdin_text = stdin.encode() if stdin else None
@@ -1134,8 +1210,10 @@ class OCCli:
 
         return result.stdout.strip()
 
-    def _run_json(self, cmd, allow_not_found=False):
-        out = self._run(cmd, allow_not_found=allow_not_found)
+    def _run_json(
+        self, cmd: list[str], allow_not_found: bool = False
+    ) -> dict[str, Any]:
+        out = self._run(cmd, allow_not_found=allow_not_found).decode("utf-8")
 
         try:
             out_json = json.loads(out)
@@ -1144,76 +1222,90 @@ class OCCli:
 
         return out_json
 
-    def _parse_kind(self, kind_name):
-        # This is a provisional solution while we work in redefining
-        # the api resources initialization.
-        if not self.api_resources:
-            self.get_api_resources()
+    def parse_kind(self, kind: str) -> tuple[str, str, str]:
+        """Parse a Kubernetes kind string into its components.
 
-        kind_group = kind_name.split(".", 1)
-        kind = kind_group[0]
-        if kind in self.api_resources:
-            group_version = self.api_resources[kind][0].group_version
-        else:
-            raise StatusCodeError(f"{self.server}: {kind} does not exist")
-
-        # if a kind_group has more than 1 entry than the kind_name is in
-        # the format kind.apigroup.  Find the apigroup/version that matches
-        # the apigroup passed with the kind_name
-        if len(kind_group) > 1:
-            apigroup_override = kind_group[1]
-            find = False
-            for gv in self.api_resources[kind]:
-                if apigroup_override == gv.group:
-                    if not gv.group:
-                        group_version = gv.api_version
-                    else:
-                        group_version = f"{gv.group}/{gv.api_version}"
-                    find = True
-                    break
-
-            if not find:
-                raise StatusCodeError(
-                    f"{self.server}: {apigroup_override} does not have kind {kind}"
-                )
-        return (kind, group_version)
+        Supports three formats:
+        - kind
+        - kind.group.whatever
+        - kind.group.whatever/version
+
+        Args:
+            kind: A Kubernetes kind string in one of the supported formats
+
+        Returns:
+            Tuple of (kind, group, version) where missing parts are empty strings
+
+        Raises:
+            ValueError: If the kind string format is invalid
+
+        Examples:
+            >>> parse_kind_string("Deployment")
+            ('Deployment', '', '')
+            >>> parse_kind_string("ClusterRoleBinding.rbac.authorization.k8s.io")
+            ('ClusterRoleBinding', 'rbac.authorization.k8s.io', '')
+            >>> parse_kind_string("CustomResource.mygroup.example.com/v1")
+            ('CustomResource', 'mygroup.example.com', 'v1')
+        """
+        pattern = r"^(?P<kind>[^./]+)(?:\.(?P<group>[^/]+))?(?:/(?P<version>.+))?$"
+        match = re.match(pattern, kind)
+        if not match:
+            raise ValueError(f"Invalid kind string: {kind}")
+
+        kind = match.group("kind") or ""
+        group = match.group("group") or DEFAULT_GROUP
+        version = match.group("version") or ""
+
+        return kind, group, version
 
     def is_kind_supported(self, kind: str) -> bool:
-        # This is a provisional solution while we work in redefining
-        # the api resources initialization.
-        if not self.api_resources:
-            self.get_api_resources()
+        """Returns True if the given kind is supported by the cluster, False otherwise.
 
-        if "." in kind:
-            try:
-                self._parse_kind(kind)
-                return True
-            except StatusCodeError:
-                return False
-        else:
-            return kind in self.api_resources
+        Kind can be either kind, kind.group or kind.group/version."""
+        try:
+            self.get_api_resource(kind)
+            return True
+        except KindNotFoundError:
+            return False
 
     def is_kind_namespaced(self, kind: str) -> bool:
-        # This is a provisional solution while we work in redefining
-        # the api resources initialization.
+        """Returns True if the given kind is namespaced, False if it's cluster scoped.
+
+        Kind can be either kind, kind.group or kind.group/version."""
+        return self.get_api_resource(kind).namespaced
+
+    def get_api_resource(self, kind: str) -> OCCliApiResource:
+        """Return the OCCliApiResource for the given resource type.
+
+        Resource type can be either kind, kind.group or kind.group/version.
+        If kind is not unique, group must be specified."""
+
         if not self.api_resources:
-            self.get_api_resources()
+            raise RuntimeError("API resources not initialized")
 
-        kg = kind.split(".", 1)
-        kind = kg[0]
+        kind, group, _ = self.parse_kind(kind)
 
-        # Same Kinds might exist in different api groups
-        kind_resources = self.api_resources.get(kind)
-        if not kind_resources:
-            raise StatusCodeError(f"Kind {kind} does not exist in the ApiServer")
+        if not (resources := self.api_resources.get(kind)):
+            # the kind not found at all
+            raise KindNotFoundError(f"Unsupported resource type: {kind}")
+
+        if len(resources) == 1 and group == DEFAULT_GROUP:
+            return resources[0]
+
+        # get the resource with the specified group
+        if resource := next((r for r in resources if r.group == group), None):
+            return resource
+
+        # no resource with the specified group found
+        if group == DEFAULT_GROUP:
+            message = (
+                f"Ambiguous resource type: {kind}. "
+                "Please fully qualify it with its API group. E.g., ClusterRoleBinding -> ClusterRoleBinding.rbac.authorization.k8s.io"
+            )
+            raise AmbiguousResourceTypeError(message)
 
-        if len(kg) > 1:
-            group = kg[1]
-            for r in kind_resources:
-                if group == r.group:
-                    return r.namespaced
-            raise StatusCodeError(f"Kind: {kind} does nod exist in the ApiServer")
-        return kind_resources[0].namespaced
+        # group was specified but no matching resource found
+        raise KindNotFoundError(f"Unsupported resource type: {kind}")
 
 
 REQUEST_TIMEOUT = 60
@@ -1231,7 +1323,7 @@ class OCNative(OCCli):
         local: bool = False,
         insecure_skip_tls_verify: bool = False,
         connection_parameters: OCConnectionParameters | None = None,
-    ):
+    ) -> None:
         super().__init__(
             cluster_name,
             server,
@@ -1253,35 +1345,34 @@ class OCNative(OCCli):
 
             server = connection_parameters.server_url
 
-        if server:
-            self.client = self._get_client(server, token)
-            self.api_resources = self.get_api_resources()
+        if not server:
+            raise Exception("Server name is required!")
 
-        else:
-            raise Exception("A method relies on client/api_kind_version to be set")
+        if not token:
+            raise Exception("Token is required!")
+
+        self.client = self._get_client(server, token)
+        self.api_resources = self.get_api_resources()
 
         self.projects = set()
         self.init_projects = init_projects
         if self.init_projects:
-            if self.is_kind_supported("Project"):
-                kind = "Project.project.openshift.io"
-            else:
-                kind = "Namespace"
+            kind = PROJECT_KIND if self.is_kind_supported(PROJECT_KIND) else "Namespace"
             self.projects = {p["metadata"]["name"] for p in self.get_all(kind)["items"]}
 
-    def __enter__(self):
+    def __enter__(self) -> OCNative:
         return self
 
-    def __exit__(self, *exc):
+    def __exit__(self, *exc: Any) -> None:
         self.cleanup()
 
-    def cleanup(self):
+    def cleanup(self) -> None:
         super().cleanup()
         if hasattr(self, "client") and self.client is not None:
             self.client.client.close()
 
     @retry(exceptions=(ServerTimeoutError, InternalServerError, ForbiddenError))
-    def _get_client(self, server, token):
+    def _get_client(self, server: str, token: str) -> DynamicClient:
         opts = {
             "api_key": {"authorization": f"Bearer {token}"},
             "host": server,
@@ -1315,9 +1406,11 @@ class OCNative(OCCli):
         return self.client.resources.get(api_version=group_version, kind=kind)
 
     @retry(max_attempts=5, exceptions=(ServerTimeoutError))
-    def get_items(self, kind, **kwargs):
-        k, group_version = self._parse_kind(kind)
-        obj_client = self._get_obj_client(group_version=group_version, kind=k)
+    def get_items(self, kind: str, **kwargs: Any) -> list[dict[str, Any]]:
+        resource = self.get_api_resource(kind)
+        obj_client = self._get_obj_client(
+            group_version=resource.group_version, kind=resource.kind
+        )
 
         namespace = ""
         if "namespace" in kwargs:
@@ -1330,13 +1423,12 @@ class OCNative(OCCli):
 
         labels = ""
         if "labels" in kwargs:
-            labels_list = [f"{k}={v}" for k, v in kwargs.get("labels").items()]
-
+            labels_list = [f"{k}={v}" for k, v in kwargs.get("labels", {}).items()]
             labels = ",".join(labels_list)
 
         resource_names = kwargs.get("resource_names")
         if resource_names:
-            items = []
+            resource_items = []
             for resource_name in resource_names:
                 try:
                     item = obj_client.get(
@@ -1346,10 +1438,10 @@ class OCNative(OCCli):
                         _request_timeout=REQUEST_TIMEOUT,
                     )
                     if item:
-                        items.append(item.to_dict())
+                        resource_items.append(item.to_dict())
                 except NotFoundError:
                     pass
-            items_list = {"items": items}
+            items_list = {"items": resource_items}
         else:
             items_list = obj_client.get(
                 namespace=namespace,
@@ -1363,9 +1455,17 @@ class OCNative(OCCli):
         return items
 
     @retry(max_attempts=5, exceptions=(ServerTimeoutError, ForbiddenError))
-    def get(self, namespace, kind, name=None, allow_not_found=False):
-        k, group_version = self._parse_kind(kind)
-        obj_client = self._get_obj_client(group_version=group_version, kind=k)
+    def get(
+        self,
+        namespace: str | None,
+        kind: str,
+        name: str | None = None,
+        allow_not_found: bool = False,
+    ) -> dict[str, Any]:
+        resource = self.get_api_resource(kind)
+        obj_client = self._get_obj_client(
+            group_version=resource.group_version, kind=resource.kind
+        )
         try:
             obj = obj_client.get(
                 name=name,
@@ -1378,9 +1478,11 @@ class OCNative(OCCli):
                 return {}
             raise StatusCodeError(f"[{self.server}]: {e}") from None
 
-    def get_all(self, kind, all_namespaces=False):
-        k, group_version = self._parse_kind(kind)
-        obj_client = self._get_obj_client(group_version=group_version, kind=k)
+    def get_all(self, kind: str, all_namespaces: bool = False) -> dict[str, Any]:
+        resource = self.get_api_resource(kind)
+        obj_client = self._get_obj_client(
+            group_version=resource.group_version, kind=resource.kind
+        )
         try:
             return obj_client.get(_request_timeout=REQUEST_TIMEOUT).to_dict()
         except NotFoundError as e:
@@ -1393,11 +1495,11 @@ OCClient = OCNative | OCCli
 class OCLocal(OCCli):
     def __init__(
         self,
-        cluster_name,
-        server,
-        token,
-        local=False,
-    ):
+        cluster_name: str,
+        server: str | None,
+        token: str | None,
+        local: bool = False,
+    ) -> None:
         super().__init__(
             cluster_name=cluster_name,
             server=server,
@@ -1406,6 +1508,8 @@ class OCLocal(OCCli):
         )
 
 
+# we should replace this class with a proper get_oc_client wrapper!
+# Or getting rid of one or the other OC implementations
 class OC:
     client_status = Counter(
         name="qontract_reconcile_native_client",
@@ -1413,7 +1517,7 @@ class OC:
         labelnames=["cluster_name", "native_client"],
     )
 
-    def __new__(
+    def __new__(  # type: ignore
         cls,
         cluster_name: str | None = None,
         server: str | None = None,
@@ -1425,7 +1529,7 @@ class OC:
         local: bool = False,
         insecure_skip_tls_verify: bool = False,
         connection_parameters: OCConnectionParameters | None = None,
-    ):
+    ) -> OCClient:
         use_native_env = os.environ.get("USE_NATIVE_CLIENT", "")
         use_native = True
         if len(use_native_env) > 0:
@@ -1483,19 +1587,19 @@ class OC_Map:  # noqa: N801
 
     def __init__(
         self,
-        clusters=None,
-        namespaces=None,
-        integration="",
-        settings=None,
-        internal=None,
-        use_jump_host=True,
-        thread_pool_size=1,
-        init_projects=False,
-        init_api_resources=False,
-        cluster_admin=False,
-    ):
-        self.oc_map = {}
-        self.privileged_oc_map = {}
+        clusters: Iterable[Mapping[str, Any]] | None = None,
+        namespaces: Iterable[Mapping[str, Any]] | None = None,
+        integration: str = "",
+        settings: Mapping[str, Any] | None = None,
+        internal: bool | None = None,
+        use_jump_host: bool = True,
+        thread_pool_size: int = 1,
+        init_projects: bool = False,
+        init_api_resources: bool = False,
+        cluster_admin: bool = False,
+    ) -> None:
+        self.oc_map: dict[str, OCClient | OCLogMsg] = {}
+        self.privileged_oc_map: dict[str, OCClient | OCLogMsg] = {}
         self.calling_integration = integration
         self.settings = settings
         self.internal = internal
@@ -1504,7 +1608,7 @@ class OC_Map:  # noqa: N801
         self.init_projects = init_projects
         self.init_api_resources = init_api_resources
         self._lock = Lock()
-        self.jh_ports = {}
+        self.jh_ports: dict[str, str | int] = {}
 
         if clusters and namespaces:
             raise KeyError("expected only one of clusters or namespaces.")
@@ -1548,13 +1652,13 @@ class OC_Map:  # noqa: N801
         else:
             raise KeyError("expected one of clusters or namespaces.")
 
-    def __enter__(self):
+    def __enter__(self) -> OC_Map:
         return self
 
-    def __exit__(self, *exc):
+    def __exit__(self, *exc: Any) -> None:
         self.cleanup()
 
-    def set_jh_ports(self, jh):
+    def set_jh_ports(self, jh: MutableMapping[str, str | int]) -> None:
         # This will be replaced with getting the data from app-interface in
         # a future PR.
         jh["remotePort"] = 8888
@@ -1565,7 +1669,7 @@ class OC_Map:  # noqa: N801
                 self.jh_ports[key] = port
             jh["localPort"] = self.jh_ports[key]
 
-    def init_oc_client(self, cluster_info, privileged: bool):
+    def init_oc_client(self, cluster_info: Mapping[str, Any], privileged: bool) -> None:
         cluster = cluster_info["name"]
         if not privileged and self.oc_map.get(cluster):
             return None
@@ -1640,15 +1744,18 @@ class OC_Map:  # noqa: N801
             if jump_host:
                 self.set_jh_ports(jump_host)
             try:
-                oc_client = OC(
-                    cluster,
-                    server_url,
-                    token,
-                    jump_host,
-                    settings=self.settings,
-                    init_projects=self.init_projects,
-                    init_api_resources=self.init_api_resources,
-                    insecure_skip_tls_verify=insecure_skip_tls_verify,
+                oc_client = cast(
+                    "OCClient",
+                    OC(
+                        cluster,
+                        server_url,
+                        token,
+                        jump_host,
+                        settings=self.settings,
+                        init_projects=self.init_projects,
+                        init_api_resources=self.init_api_resources,
+                        insecure_skip_tls_verify=bool(insecure_skip_tls_verify),
+                    ),
                 )
                 self.set_oc(cluster, oc_client, privileged)
             except StatusCodeError as e:
@@ -1661,14 +1768,16 @@ class OC_Map:  # noqa: N801
                     privileged,
                 )
 
-    def set_oc(self, cluster: str, value, privileged: bool):
+    def set_oc(
+        self, cluster: str, value: OCClient | OCLogMsg, privileged: bool
+    ) -> None:
         with self._lock:
             if privileged:
                 self.privileged_oc_map[cluster] = value
             else:
                 self.oc_map[cluster] = value
 
-    def cluster_disabled(self, cluster_info):
+    def cluster_disabled(self, cluster_info: Mapping[str, Any]) -> bool:
         try:
             integrations = cluster_info["disable"]["integrations"]
             if self.calling_integration.replace("_", "-") in integrations:
@@ -1678,12 +1787,13 @@ class OC_Map:  # noqa: N801
 
         return False
 
-    def get(self, cluster: str, privileged: bool = False):
+    def get(self, cluster: str, privileged: bool = False) -> OCClient | OCLogMsg:
         cluster_map = self.privileged_oc_map if privileged else self.oc_map
-        return cluster_map.get(
+        c = cluster_map.get(
             cluster,
             OCLogMsg(log_level=logging.DEBUG, message=f"[{cluster}] cluster skipped"),
         )
+        return c
 
     def get_cluster(self, cluster: str, privileged: bool = False) -> OCClient:
         result = self.get(cluster, privileged)
@@ -1705,12 +1815,11 @@ class OC_Map:  # noqa: N801
             return list(cluster_map.keys())
         return [k for k, v in cluster_map.items() if v]
 
-    def cleanup(self):
-        for oc in self.oc_map.values():
-            if oc:
-                oc.cleanup()
-        for oc in self.privileged_oc_map.values():
-            if oc:
+    def cleanup(self) -> None:
+        for oc in itertools.chain(
+            self.oc_map.values(), self.privileged_oc_map.values()
+        ):
+            if oc and isinstance(oc, OCClient):
                 oc.cleanup()
 
 
@@ -1719,12 +1828,12 @@ class OCLogMsg(Exception):  # noqa: N818
     Track log messages associated with initializing OC clients in OC_Map.
     """
 
-    def __init__(self, log_level, message):
+    def __init__(self, log_level: int, message: str) -> None:
         super().__init__()
         self.log_level = log_level
         self.message = message
 
-    def __bool__(self):
+    def __bool__(self) -> bool:
         """
         Returning False here makes this object falsy, which is used
         elsewhere when differentiating between an OC client or a log
@@ -1741,7 +1850,7 @@ LABEL_MAX_KEY_NAME_LENGTH = 63
 LABEL_MAX_KEY_PREFIX_LENGTH = 253
 
 
-def validate_labels(labels: dict[str, str]) -> Iterable[str]:
+def validate_labels(labels: Mapping[str, str]) -> list[str]:
     """
     Validate a label key/value against some rules from
     https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
@@ -1803,7 +1912,7 @@ class OpenshiftLazyDiscoverer(LazyDiscoverer):
     https://github.com/openshift/openshift-restclient-python/blob/master/openshift/dynamic/discovery.py
     """
 
-    def default_groups(self, request_resources=False):
+    def default_groups(self, request_resources: bool = False) -> dict[str, Any]:
         groups = super().default_groups(request_resources)
         if self.version.get("openshift"):
             groups["oapi"] = {
@@ -1822,7 +1931,7 @@ class OpenshiftLazyDiscoverer(LazyDiscoverer):
             }
         return groups
 
-    def get(self, **kwargs):
+    def get(self, **kwargs: Any) -> Any:
         """Same as search, but will throw an error if there are multiple or no
         results. If there are multiple results and only one is an exact match
         on api_version, that resource will be returned.