qontract-reconcile 0.10.2.dev414__py3-none-any.whl → 0.10.2.dev427__py3-none-any.whl

reconcile/aus/version_gates/sts_version_gate_handler.py

@@ -6,6 +6,7 @@ from reconcile.utils.ocm.base import OCMCluster, OCMVersionGate
 from reconcile.utils.ocm_base_client import OCMBaseClient
 from reconcile.utils.rosa.rosa_cli import RosaCliError
 from reconcile.utils.rosa.session import RosaSession
+from reconcile.utils.semver_helper import get_version_prefix
 
 GATE_LABEL = "api.openshift.com/gate-sts"
 
@@ -63,6 +64,24 @@ class STSGateHandler(GateHandler):
             )
             return False
 
+        return self.upgrade_rosa_roles(
+            cluster=cluster,
+            version_raw_id_prefix=gate.version_raw_id_prefix,
+            dry_run=dry_run,
+            ocm_api=ocm_api,
+            ocm_org_id=ocm_org_id,
+        )
+
+    def upgrade_rosa_roles(
+        self,
+        cluster: OCMCluster,
+        version_raw_id_prefix: str,
+        dry_run: bool,
+        ocm_api: OCMBaseClient,
+        ocm_org_id: str,
+    ) -> bool:
+        if not cluster.aws:
+            return False
         rosa = RosaSession(
             aws_account_id=cluster.aws.aws_account_id,
             aws_region=cluster.region.id,
@@ -83,7 +102,7 @@ class STSGateHandler(GateHandler):
                 )
             rosa.upgrade_account_roles(
                 role_prefix=account_role_prefix,
-                minor_version=gate.version_raw_id_prefix,
+                minor_version=version_raw_id_prefix,
                 channel_group=cluster.version.channel_group,
                 dry_run=dry_run,
             )
@@ -98,3 +117,37 @@ class STSGateHandler(GateHandler):
             e.write_logs_to_logger(logging.error)
             return False
         return True
+
+    def upgrade_rosa_roles_v2(
+        self,
+        cluster: OCMCluster,
+        upgrade_version: str,
+        dry_run: bool,
+        ocm_api: OCMBaseClient,
+        ocm_org_id: str,
+    ) -> bool:
+        if not cluster.aws:
+            return False
+        rosa = RosaSession(
+            aws_account_id=cluster.aws.aws_account_id,
+            aws_region=cluster.region.id,
+            aws_iam_role=self.aws_iam_role,
+            ocm_org_id=ocm_org_id,
+            ocm_api=ocm_api,
+            job_controller=self.job_controller,
+            image=self.rosa_job_image,
+            service_account=self.rosa_job_service_account,
+        )
+        policy_version = get_version_prefix(upgrade_version)
+        try:
+            rosa.upgrade_rosa_roles(
+                cluster_name=cluster.name,
+                upgrade_version=upgrade_version,
+                policy_version=policy_version,
+                dry_run=dry_run,
+            )
+        except RosaCliError as e:
+            logging.error(f"Failed to upgrade roles for cluster {cluster.name}: {e}")
+            e.write_logs_to_logger(logging.error)
+            return False
+        return True

reconcile/automated_actions/config/integration.py

@@ -7,7 +7,7 @@ from collections.abc import (
 from typing import Any
 
 import yaml
-from kubernetes.client import (  # type: ignore[attr-defined]
+from kubernetes.client import (
     ApiClient,
     V1ConfigMap,
     V1ObjectMeta,

reconcile/cli.py

@@ -50,8 +50,8 @@ from reconcile.utils.unleash import get_feature_toggle_state
 TERRAFORM_VERSION = ["1.6.6"]
 TERRAFORM_VERSION_REGEX = r"^Terraform\sv([\d]+\.[\d]+\.[\d]+)$"
 
-OC_VERSIONS = ["4.16.2", "4.12.46", "4.10.15"]
-OC_VERSION_REGEX = r"^Client\sVersion:\s([\d]+\.[\d]+\.[\d]+)$"
+OC_VERSIONS = ["4.19.0", "4.16.2"]
+OC_VERSION_REGEX = r"^Client\sVersion:\s([\d]+\.[\d]+\.[\d]+)"
 
 HELM_VERSIONS = ["3.11.1"]
 HELM_VERSION_REGEX = r"^version.BuildInfo{Version:\"v([\d]+\.[\d]+\.[\d]+)\".*$"
@@ -2855,6 +2855,36 @@ def ocm_addons_upgrade_scheduler_org(
     default=bool(os.environ.get("IGNORE_STS_CLUSTERS")),
     help="Ignore STS clusters",
 )
+@click.option(
+    "--job-controller-cluster",
+    help="The cluster holding the job-controller namepsace",
+    required=False,
+    envvar="JOB_CONTROLLER_CLUSTER",
+)
+@click.option(
+    "--job-controller-namespace",
+    help="The namespace used for ROSA jobs",
+    required=False,
+    envvar="JOB_CONTROLLER_NAMESPACE",
+)
+@click.option(
+    "--rosa-job-service-account",
+    help="The service-account used for ROSA jobs",
+    required=False,
+    envvar="ROSA_JOB_SERVICE_ACCOUNT",
+)
+@click.option(
+    "--rosa-job-image",
+    help="The container image to use to run ROSA cli command jobs",
+    required=False,
+    envvar="ROSA_JOB_IMAGE",
+)
+@click.option(
+    "--rosa-role",
+    help="The role to assume in the ROSA cluster account",
+    required=False,
+    envvar="ROSA_ROLE",
+)
 @click.pass_context
 def advanced_upgrade_scheduler(
     ctx: click.Context,
@@ -2862,9 +2892,21 @@ def advanced_upgrade_scheduler(
     org_id: Iterable[str],
     exclude_org_id: Iterable[str],
     ignore_sts_clusters: bool,
+    job_controller_cluster: str | None,
+    job_controller_namespace: str | None,
+    rosa_job_service_account: str | None,
+    rosa_role: str | None,
+    rosa_job_image: str | None,
 ) -> None:
-    from reconcile.aus.advanced_upgrade_service import AdvancedUpgradeServiceIntegration
-    from reconcile.aus.base import AdvancedUpgradeSchedulerBaseIntegrationParams
+    from reconcile.aus.advanced_upgrade_service import (
+        QONTRACT_INTEGRATION,
+        QONTRACT_INTEGRATION_VERSION,
+        AdvancedUpgradeServiceIntegration,
+    )
+    from reconcile.aus.base import (
+        AdvancedUpgradeSchedulerBaseIntegrationParams,
+        RosaRoleUpgradeHandlerParams,
+    )
 
     run_class_integration(
         integration=AdvancedUpgradeServiceIntegration(
@@ -2873,6 +2915,22 @@ def advanced_upgrade_scheduler(
                 ocm_organization_ids=set(org_id),
                 excluded_ocm_organization_ids=set(exclude_org_id),
                 ignore_sts_clusters=ignore_sts_clusters,
+                rosa_role_upgrade_handler_params=RosaRoleUpgradeHandlerParams(
+                    job_controller_cluster=job_controller_cluster,
+                    job_controller_namespace=job_controller_namespace,
+                    rosa_job_service_account=rosa_job_service_account,
+                    rosa_role=rosa_role,
+                    rosa_job_image=rosa_job_image,
+                    integration_name=QONTRACT_INTEGRATION,
+                    integration_version=QONTRACT_INTEGRATION_VERSION,
+                )
+                if all([
+                    job_controller_cluster,
+                    job_controller_namespace,
+                    rosa_job_service_account,
+                    rosa_role,
+                ])
+                else None,
             )
         ),
         ctx=ctx,

reconcile/external_resources/manager.py

@@ -45,7 +45,6 @@ from reconcile.utils.datetime_util import utc_now
 from reconcile.utils.external_resource_spec import (
     ExternalResourceSpec,
 )
-from reconcile.utils.json import json_dumps
 from reconcile.utils.secret_reader import SecretReaderBase
 
 
@@ -245,7 +244,7 @@ class ExternalResourcesManager:
             reconciliation = Reconciliation(
                 key=key,
                 resource_hash=resource.hash(),
-                input=json_dumps(resource),
+                input=resource.export(),
                 action=Action.APPLY,
                 module_configuration=module_conf,
                 linked_resources=self._find_linked_resources(spec),
@@ -253,15 +252,11 @@ class ExternalResourcesManager:
             r.add(reconciliation)
         return r
 
-    def _get_deleted_objects_reconciliations(
-        self, enable_migration: bool = False
-    ) -> set[Reconciliation]:
+    def _get_deleted_objects_reconciliations(self) -> set[Reconciliation]:
         to_reconcile: set[Reconciliation] = set()
         deleted_keys = (k for k, v in self.er_inventory.items() if v.marked_to_delete)
         for key in deleted_keys:
-            state = self.state_mgr.get_external_resource_state(
-                key, enable_migration=enable_migration
-            )
+            state = self.state_mgr.get_external_resource_state(key)
             if state.resource_status == ResourceStatus.NOT_EXISTS:
                 logging.debug("Resource has already been removed. key: %s", key)
                 continue
@@ -354,9 +349,7 @@ class ExternalResourcesManager:
 
             if r.linked_resources:
                 for lr in r.linked_resources:
-                    lrs = self.state_mgr.get_external_resource_state(
-                        lr, enable_migration=True
-                    )
+                    lrs = self.state_mgr.get_external_resource_state(lr)
                     if not lrs.resource_status.is_in_progress:
                         lrs.resource_status = ResourceStatus.RECONCILIATION_REQUESTED
                         self.state_mgr.set_external_resource_state(lrs)
@@ -423,12 +416,10 @@ class ExternalResourcesManager:
 
     def handle_resources(self) -> None:
         desired_r = self._get_desired_objects_reconciliations()
-        deleted_r = self._get_deleted_objects_reconciliations(enable_migration=True)
+        deleted_r = self._get_deleted_objects_reconciliations()
         to_sync_keys: set[ExternalResourceKey] = set()
         for r in desired_r.union(deleted_r):
-            state = self.state_mgr.get_external_resource_state(
-                r.key, enable_migration=True
-            )
+            state = self.state_mgr.get_external_resource_state(r.key)
             reconciliation_status = self._get_reconciliation_status(r, state)
             self._update_resource_state(r, state, reconciliation_status)
 
@@ -460,9 +451,7 @@ class ExternalResourcesManager:
             for r in desired_r.union(deleted_r)
             if self._reconciliation_needs_dry_run_run(
                 r,
-                self.state_mgr.get_external_resource_state(
-                    key=r.key, enable_migration=False
-                ),
+                self.state_mgr.get_external_resource_state(key=r.key),
             )
         }
 

reconcile/external_resources/model.py

@@ -1,7 +1,4 @@
 import hashlib
-from abc import (
-    ABC,
-)
 from collections.abc import ItemsView, Iterable, Iterator, MutableMapping
 from enum import StrEnum
 from typing import Any
@@ -88,9 +85,6 @@ class ExternalResourceKey(BaseModel, frozen=True):
             provider=spec.provider,
         )
 
-    def hash(self) -> str:
-        return hashlib.md5(json_dumps(self.model_dump()).encode("utf-8")).hexdigest()
-
     @property
     def state_path(self) -> str:
         return f"{self.provision_provider}/{self.provisioner_name}/{self.provider}/{self.identifier}"
@@ -407,7 +401,7 @@ class ReconciliationStatus(BaseModel):
     resource_status: ResourceStatus
 
 
-class ModuleProvisionData(ABC, BaseModel):
+class ModuleProvisionData(BaseModel):
     pass
 
 
@@ -432,7 +426,7 @@ class ExternalResourceProvision(BaseModel):
     target_cluster: str
     target_namespace: str
     target_secret_name: str
-    module_provision_data: ModuleProvisionData
+    module_provision_data: ModuleProvisionData | TerraformModuleProvisionData
 
 
 class ExternalResource(BaseModel):
@@ -441,3 +435,9 @@ class ExternalResource(BaseModel):
 
     def hash(self) -> str:
         return hashlib.sha256(json_dumps(self.data).encode("utf-8")).hexdigest()
+
+    def export(
+        self, exclude: dict[str, Any] | None = None, indent: int | None = None
+    ) -> str:
+        """Export the ExternalResource as a JSON string."""
+        return json_dumps(self, exclude=exclude, indent=indent)

reconcile/external_resources/state.py

@@ -271,47 +271,14 @@ class ExternalResourcesStateDynamoDB:
     def get_external_resource_state(
         self,
         key: ExternalResourceKey,
-        enable_migration: bool = False,
     ) -> ExternalResourceState:
         data = self.aws_api.dynamodb.boto3_client.get_item(
             TableName=self._table,
             ConsistentRead=True,
             Key={self.adapter.ER_KEY_HASH: {"S": key.state_path}},
         )
-        item = data.get("Item")
-        if item:
+        if "Item" in data:
             return self.adapter.deserialize(data["Item"])
-
-        old_data = self.aws_api.dynamodb.boto3_client.get_item(
-            TableName=self._table,
-            ConsistentRead=True,
-            Key={self.adapter.ER_KEY_HASH: {"S": key.hash()}},
-        )
-        old_item = old_data.get("Item")
-        if old_item:
-            old_item[self.adapter.ER_KEY_HASH]["S"] = key.state_path
-            old_item[self.adapter.RECONC]["M"][self.adapter.RECONC_RESOURCE_HASH][
-                "S"
-            ] = self._new_sha256_hash(old_item)
-            if enable_migration:
-                self.aws_api.dynamodb.boto3_client.transact_write_items(
-                    TransactItems=[
-                        {
-                            "Put": {
-                                "TableName": self._table,
-                                "Item": old_item,
-                            }
-                        },
-                        {
-                            "Delete": {
-                                "TableName": self._table,
-                                "Key": {self.adapter.ER_KEY_HASH: {"S": key.hash()}},
-                            }
-                        },
-                    ]
-                )
-            return self.adapter.deserialize(old_item)
-
         return ExternalResourceState(
             key=key,
             ts=utc_now(),

reconcile/gql_definitions/rhcs/certs.py

@@ -18,6 +18,7 @@ from pydantic import (  # noqa: F401 # pylint: disable=W0611
 )
 
 from reconcile.gql_definitions.fragments.jumphost_common_fields import CommonJumphostFields
+from reconcile.gql_definitions.rhcs.openshift_resource_rhcs_cert import OpenshiftResourceRhcsCert
 from reconcile.gql_definitions.fragments.vault_secret import VaultSecret
 
 
@@ -33,6 +34,20 @@ fragment CommonJumphostFields on ClusterJumpHost_v1 {
   }
 }
 
+fragment OpenshiftResourceRhcsCert on NamespaceOpenshiftResourceRhcsCert_v1 {
+  secret_name
+  service_account_name
+  service_account_password {
+    ... on VaultSecret_v1 {
+      path
+      field
+      version
+    }
+  }
+  auto_renew_threshold_days
+  annotations
+}
+
 fragment VaultSecret on VaultSecret_v1 {
   path
   field
@@ -46,37 +61,11 @@ query RhcsCerts {
     delete
     clusterAdmin
     openshiftResources {
-      provider
-      ... on NamespaceOpenshiftResourceRhcsCert_v1 {
-        secret_name
-        service_account_name
-        service_account_password {
-          ... on VaultSecret_v1 {
-            path
-            field
-            version
-          }
-        }
-        auto_renew_threshold_days
-        annotations
-      }
+      ...OpenshiftResourceRhcsCert
     }
     sharedResources {
       openshiftResources {
-        provider
-        ... on NamespaceOpenshiftResourceRhcsCert_v1 {
-          secret_name
-          service_account_name
-          service_account_password {
-            ... on VaultSecret_v1 {
-              path
-              field
-              version
-            }
-          }
-          auto_renew_threshold_days
-          annotations
-        }
+        ...OpenshiftResourceRhcsCert
       }
     }
     cluster {
@@ -108,52 +97,8 @@ class ConfiguredBaseModel(BaseModel):
     )
 
 
-class NamespaceOpenshiftResourceV1(ConfiguredBaseModel):
-    provider: str = Field(..., alias="provider")
-
-
-class VaultSecretV1(ConfiguredBaseModel):
-    ...
-
-
-class VaultSecretV1_VaultSecretV1(VaultSecretV1):
-    path: str = Field(..., alias="path")
-    field: str = Field(..., alias="field")
-    version: Optional[int] = Field(..., alias="version")
-
-
-class NamespaceOpenshiftResourceRhcsCertV1(NamespaceOpenshiftResourceV1):
-    secret_name: str = Field(..., alias="secret_name")
-    service_account_name: str = Field(..., alias="service_account_name")
-    service_account_password: Union[VaultSecretV1_VaultSecretV1, VaultSecretV1] = Field(..., alias="service_account_password")
-    auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
-    annotations: Optional[Json] = Field(..., alias="annotations")
-
-
-class SharedResourcesV1_NamespaceOpenshiftResourceV1(ConfiguredBaseModel):
-    provider: str = Field(..., alias="provider")
-
-
-class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1(ConfiguredBaseModel):
-    ...
-
-
-class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1_VaultSecretV1(SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1):
-    path: str = Field(..., alias="path")
-    field: str = Field(..., alias="field")
-    version: Optional[int] = Field(..., alias="version")
-
-
-class SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1(SharedResourcesV1_NamespaceOpenshiftResourceV1):
-    secret_name: str = Field(..., alias="secret_name")
-    service_account_name: str = Field(..., alias="service_account_name")
-    service_account_password: Union[SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1_VaultSecretV1, SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1_VaultSecretV1] = Field(..., alias="service_account_password")
-    auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
-    annotations: Optional[Json] = Field(..., alias="annotations")
-
-
 class SharedResourcesV1(ConfiguredBaseModel):
-    openshift_resources: list[Union[SharedResourcesV1_NamespaceOpenshiftResourceV1_NamespaceOpenshiftResourceRhcsCertV1, SharedResourcesV1_NamespaceOpenshiftResourceV1]] = Field(..., alias="openshiftResources")
+    openshift_resources: list[OpenshiftResourceRhcsCert] = Field(..., alias="openshiftResources")
 
 
 class DisableClusterAutomationsV1(ConfiguredBaseModel):
@@ -175,7 +120,7 @@ class NamespaceV1(ConfiguredBaseModel):
     name: str = Field(..., alias="name")
     delete: Optional[bool] = Field(..., alias="delete")
     cluster_admin: Optional[bool] = Field(..., alias="clusterAdmin")
-    openshift_resources: Optional[list[Union[NamespaceOpenshiftResourceRhcsCertV1, NamespaceOpenshiftResourceV1]]] = Field(..., alias="openshiftResources")
+    openshift_resources: Optional[list[OpenshiftResourceRhcsCert]] = Field(..., alias="openshiftResources")
     shared_resources: Optional[list[SharedResourcesV1]] = Field(..., alias="sharedResources")
     cluster: ClusterV1 = Field(..., alias="cluster")
 

reconcile/gql_definitions/rhcs/openshift_resource_rhcs_cert.py

@@ -0,0 +1,42 @@
+"""
+Generated by qenerate plugin=pydantic_v2. DO NOT MODIFY MANUALLY!
+"""
+from collections.abc import Callable  # noqa: F401 # pylint: disable=W0611
+from datetime import datetime  # noqa: F401 # pylint: disable=W0611
+from enum import Enum  # noqa: F401 # pylint: disable=W0611
+from typing import (  # noqa: F401 # pylint: disable=W0611
+    Any,
+    Optional,
+    Union,
+)
+
+from pydantic import (  # noqa: F401 # pylint: disable=W0611
+    BaseModel,
+    ConfigDict,
+    Field,
+    Json,
+)
+
+
+class ConfiguredBaseModel(BaseModel):
+    model_config = ConfigDict(
+        extra='forbid'
+    )
+
+
+class VaultSecretV1(ConfiguredBaseModel):
+    ...
+
+
+class VaultSecretV1_VaultSecretV1(VaultSecretV1):
+    path: str = Field(..., alias="path")
+    field: str = Field(..., alias="field")
+    version: Optional[int] = Field(..., alias="version")
+
+
+class OpenshiftResourceRhcsCert(ConfiguredBaseModel):
+    secret_name: str = Field(..., alias="secret_name")
+    service_account_name: str = Field(..., alias="service_account_name")
+    service_account_password: Union[VaultSecretV1_VaultSecretV1, VaultSecretV1] = Field(..., alias="service_account_password")
+    auto_renew_threshold_days: Optional[int] = Field(..., alias="auto_renew_threshold_days")
+    annotations: Optional[Json] = Field(..., alias="annotations")

reconcile/ocm_machine_pools.py

@@ -7,7 +7,7 @@ from collections.abc import Iterable, Mapping
 from enum import Enum
 from typing import Any, Self
 
-from pydantic import BaseModel, Field, model_validator
+from pydantic import BaseModel, Field, SerializeAsAny, model_validator
 
 from reconcile import queries
 from reconcile.gql_definitions.common.clusters import (
@@ -107,7 +107,7 @@ class AbstractPool(ABC, BaseModel):
     labels: Mapping[str, str] | None = None
     cluster: str
     cluster_type: ClusterType = Field(..., exclude=True)
-    autoscaling: AbstractAutoscaling | None = None
+    autoscaling: SerializeAsAny[AbstractAutoscaling] | None = None
 
     @model_validator(mode="before")
     @classmethod
@@ -170,7 +170,10 @@ class MachinePool(AbstractPool):
         ocm.update_machine_pool(self.cluster, update_dict)
 
     def has_diff(self, pool: ClusterMachinePoolV1) -> bool:
-        if self.taints != pool.taints or self.labels != pool.labels:
+        pool_taints = (
+            [p.model_dump(by_alias=True) for p in pool.taints] if pool.taints else None
+        )
+        if self.taints != pool_taints or self.labels != pool.labels:
             logging.warning(
                 f"updating labels or taints for machine pool {pool.q_id} "
                 f"will only be applied to new Nodes"
@@ -178,7 +181,7 @@ class MachinePool(AbstractPool):
 
         return (
             self.replicas != pool.replicas
-            or self.taints != pool.taints
+            or self.taints != pool_taints
             or self.labels != pool.labels
             or self.instance_type != pool.instance_type
             or self._has_diff_autoscale(pool)
@@ -251,7 +254,10 @@ class NodePool(AbstractPool):
         ocm.update_node_pool(self.cluster, update_dict)
 
     def has_diff(self, pool: ClusterMachinePoolV1) -> bool:
-        if self.taints != pool.taints or self.labels != pool.labels:
+        pool_taints = (
+            [p.model_dump(by_alias=True) for p in pool.taints] if pool.taints else None
+        )
+        if self.taints != pool_taints or self.labels != pool.labels:
             logging.warning(
                 f"updating labels or taints for node pool {pool.q_id} "
                 f"will only be applied to new Nodes"
@@ -259,7 +265,7 @@ class NodePool(AbstractPool):
 
         return (
             self.replicas != pool.replicas
-            or self.taints != pool.taints
+            or self.taints != pool_taints
             or self.labels != pool.labels
             or self.aws_node_pool.instance_type != pool.instance_type
             or self.subnet != pool.subnet

reconcile/openshift_base.py

@@ -29,7 +29,9 @@ from reconcile.utils import (
     metrics,
 )
 from reconcile.utils.constants import DEFAULT_THREAD_POOL_SIZE
+from reconcile.utils.differ import DiffPair
 from reconcile.utils.oc import (
+    POD_RECYCLE_SUPPORTED_OWNER_KINDS,
     AmbiguousResourceTypeError,
     DeploymentFieldIsImmutableError,
     FieldIsImmutableError,
@@ -62,6 +64,10 @@ AUTH_METHOD_USER_KEY = {
     "oidc": "org_username",
     "rhidp": "org_username",
 }
+RECYCLE_POD_ANNOTATIONS = [
+    "kubectl.kubernetes.io/restartedAt",
+    "openshift.openshift.io/restartedAt",
+]
 
 
 class ValidationError(Exception):
@@ -588,7 +594,7 @@ def apply(
                 oc.resize_pvcs(namespace, owned_pvc_names, desired_storage)
 
     if recycle_pods:
-        oc.recycle_pods(dry_run, namespace, resource_type, resource)
+        oc.recycle_pods(dry_run, namespace, resource)
 
 
 def create(
@@ -832,10 +838,56 @@ def handle_identical_resources(
     return actions
 
 
+def patch_desired_resource_for_recycle_annotations(
+    desired: OR,
+    current: OR,
+) -> OR:
+    """
+    Patch desired resource with recycle annotations to pod template from current resource.
+    This is to avoid full pods recycle when changes are not affecting pod template.
+    Note desired annotations can override current annotations.
+    For example, if desired resource has kubectl.kubernetes.io/restartedAt defined,
+    it will be used instead of current resource annotation.
+
+    Args:
+        desired: desired resource
+        current: current resource
+
+    Returns:
+        patched desired resource
+    """
+    if current.kind not in POD_RECYCLE_SUPPORTED_OWNER_KINDS:
+        return desired
+
+    current_annotations = (
+        current.body.get("spec", {})
+        .get("template", {})
+        .get("metadata", {})
+        .get("annotations")
+        or {}
+    )
+    patch_annotations = {
+        k: value
+        for k in RECYCLE_POD_ANNOTATIONS
+        if (value := current_annotations.get(k))
+    }
+    if patch_annotations:
+        desired_annotations = (
+            desired.body.setdefault("spec", {})
+            .setdefault("template", {})
+            .setdefault("metadata", {})
+            .setdefault("annotations", {})
+        )
+        desired.body["spec"]["template"]["metadata"]["annotations"] = (
+            patch_annotations | desired_annotations
+        )
+    return desired
+
+
 def handle_modified_resources(
     oc_map: ClusterMap,
     ri: ResourceInventory,
-    modified_resources: Mapping[Any, Any],
+    modified_resources: Mapping[str, DiffPair[OR, OR]],
     cluster: str,
     namespace: str,
     resource_type: str,
@@ -1031,6 +1083,12 @@ def _realize_resource_data_3way_diff(
     if options.enable_deletion and options.override_enable_deletion is False:
         options.enable_deletion = False
 
+    for k in data["current"].keys() & data["desired"].keys():
+        patch_desired_resource_for_recycle_annotations(
+            desired=data["desired"][k],
+            current=data["current"][k],
+        )
+
     diff_result = differ.diff_mappings(
         data["current"], data["desired"], equal=three_way_diff_using_hash
     )