qontract-reconcile 0.9.1rc298__py3-none-any.whl → 0.10.1.dev1203__py3-none-any.whl

reconcile/openshift_base.py

@@ -1,5 +1,6 @@
 import itertools
 import logging
+from collections import Counter
 from collections.abc import (
     Iterable,
     Mapping,
@@ -11,9 +12,7 @@ from dataclasses import (
 )
 from typing import (
     Any,
-    Optional,
     Protocol,
-    Union,
     runtime_checkable,
 )
 
@@ -24,6 +23,10 @@ from sretoolbox.utils import (
 )
 
 from reconcile import queries
+from reconcile.utils import (
+    differ,
+    metrics,
+)
 from reconcile.utils.oc import (
     DeploymentFieldIsImmutableError,
     FieldIsImmutableError,
@@ -31,16 +34,21 @@ from reconcile.utils.oc import (
     MayNotChangeOnceSetError,
     MetaDataAnnotationsTooLongApplyError,
     OC_Map,
+    OCCli,
     OCClient,
-    OCDeprecated,
     OCLogMsg,
     PrimaryClusterIPCanNotBeUnsetError,
+    RequestEntityTooLargeError,
     StatefulSetUpdateForbidden,
     StatusCodeError,
     UnsupportedMediaTypeError,
 )
 from reconcile.utils.openshift_resource import OpenshiftResource as OR
-from reconcile.utils.openshift_resource import ResourceInventory
+from reconcile.utils.openshift_resource import (
+    OpenshiftResourceInventoryGauge,
+    ResourceInventory,
+)
+from reconcile.utils.three_way_diff_strategy import three_way_diff_using_hash
 
 ACTION_APPLIED = "applied"
 ACTION_DELETED = "deleted"
@@ -64,7 +72,7 @@ class BaseStateSpec:
 @dataclass
 class CurrentStateSpec(BaseStateSpec):
     kind: str
-    resource_names: Optional[Iterable[str]]
+    resource_names: Iterable[str] | None
 
 
 @dataclass
@@ -74,7 +82,7 @@ class DesiredStateSpec(BaseStateSpec):
     privileged: bool = False
 
 
-StateSpec = Union[CurrentStateSpec, DesiredStateSpec]
+StateSpec = CurrentStateSpec | DesiredStateSpec
 
 
 @runtime_checkable
@@ -104,27 +112,23 @@ class HasOrgAndGithubUsername(Protocol):
 class ClusterMap(Protocol):
     """An OCMap protocol."""
 
-    def get(
-        self, cluster: str, privileged: bool = False
-    ) -> Union[OCDeprecated, OCLogMsg]:
-        ...
+    def get(self, cluster: str, privileged: bool = False) -> OCCli | OCLogMsg: ...
 
-    def get_cluster(self, cluster: str, privileged: bool = False) -> OCDeprecated:
-        ...
+    def get_cluster(self, cluster: str, privileged: bool = False) -> OCCli: ...
 
     def clusters(
         self, include_errors: bool = False, privileged: bool = False
-    ) -> list[str]:
-        ...
+    ) -> list[str]: ...
 
 
 def init_specs_to_fetch(
     ri: ResourceInventory,
     oc_map: ClusterMap,
-    namespaces: Optional[Iterable[Mapping]] = None,
-    clusters: Optional[Iterable[Mapping]] = None,
-    override_managed_types: Optional[Iterable[str]] = None,
+    namespaces: Iterable[Mapping] | None = None,
+    clusters: Iterable[Mapping] | None = None,
+    override_managed_types: Iterable[str] | None = None,
     managed_types_key: str = "managedResourceTypes",
+    cluster_admin: bool = False,
 ) -> list[StateSpec]:
     state_specs: list[StateSpec] = []
 
@@ -141,7 +145,9 @@ def init_specs_to_fetch(
                 continue
 
             cluster = namespace_info["cluster"]["name"]
-            privileged = namespace_info.get("clusterAdmin", False) is True
+            privileged = (
+                namespace_info.get("clusterAdmin", False) is True or cluster_admin
+            )
             try:
                 oc = oc_map.get_cluster(cluster, privileged)
             except OCLogMsg as ex:
@@ -199,7 +205,9 @@ def init_specs_to_fetch(
             for kind in managed_types:
                 managed_names = resource_names.get(kind)
                 kind_to_use = resource_type_overrides.get(kind, kind)
-                ri.initialize_resource_type(cluster, namespace, kind_to_use)
+                ri.initialize_resource_type(
+                    cluster, namespace, kind_to_use, managed_names
+                )
                 state_specs.append(
                     CurrentStateSpec(
                         oc=oc,
@@ -282,7 +290,7 @@ def populate_current_state(
     ri: ResourceInventory,
     integration: str,
     integration_version: str,
-    caller: Optional[str] = None,
+    caller: str | None = None,
 ):
     # if spec.oc is None: - oc can't be none because init_namespace_specs_to_fetch does not create specs if oc is none
     #    return
@@ -292,7 +300,9 @@ def populate_current_state(
         return
     try:
         for item in spec.oc.get_items(
-            spec.kind, namespace=spec.namespace, resource_names=spec.resource_names
+            spec.kind,
+            namespace=spec.namespace,
+            resource_names=spec.resource_names,
         ):
             openshift_resource = OR(item, integration, integration_version)
 
@@ -308,21 +318,22 @@ def populate_current_state(
             )
     except StatusCodeError as e:
         ri.register_error(cluster=spec.cluster)
-        logging.error(f"[{spec.cluster}/{spec.namespace}] {str(e)}")
+        logging.error(f"[{spec.cluster}/{spec.namespace}] {e!s}")
 
 
 def fetch_current_state(
-    namespaces: Optional[Iterable[Mapping]] = None,
-    clusters: Optional[Iterable[Mapping]] = None,
-    thread_pool_size: Optional[int] = None,
-    integration: Optional[str] = None,
-    integration_version: Optional[str] = None,
-    override_managed_types: Optional[Iterable[str]] = None,
-    internal: Optional[bool] = None,
+    namespaces: Iterable[Mapping] | None = None,
+    clusters: Iterable[Mapping] | None = None,
+    thread_pool_size: int | None = None,
+    integration: str | None = None,
+    integration_version: str | None = None,
+    override_managed_types: Iterable[str] | None = None,
+    internal: bool | None = None,
     use_jump_host: bool = True,
     init_api_resources: bool = False,
     cluster_admin: bool = False,
-    caller: Optional[str] = None,
+    caller: str | None = None,
+    init_projects: bool = False,
 ) -> tuple[ResourceInventory, OC_Map]:
     ri = ResourceInventory()
     settings = queries.get_app_interface_settings()
@@ -336,6 +347,7 @@ def fetch_current_state(
         thread_pool_size=thread_pool_size,
         init_api_resources=init_api_resources,
         cluster_admin=cluster_admin,
+        init_projects=init_projects,
     )
     state_specs = init_specs_to_fetch(
         ri,
@@ -343,6 +355,7 @@ def fetch_current_state(
         namespaces=namespaces,
         clusters=clusters,
         override_managed_types=override_managed_types,
+        cluster_admin=cluster_admin,
     )
     threaded.run(
         populate_current_state,
@@ -374,7 +387,14 @@ def apply(
     recycle_pods: bool = True,
     privileged: bool = False,
 ) -> None:
-    logging.info(["apply", cluster, namespace, resource_type, resource.name])
+    logging.info([
+        "apply",
+        f"privileged={privileged}",
+        cluster,
+        namespace,
+        resource_type,
+        resource.name,
+    ])
 
     try:
         oc = oc_map.get_cluster(cluster, privileged)
@@ -401,7 +421,11 @@ def apply(
                 namespace, resource_type, resource.name
             )
             oc.apply(namespace, annotated)
-        except (MetaDataAnnotationsTooLongApplyError, UnsupportedMediaTypeError):
+        except (
+            MetaDataAnnotationsTooLongApplyError,
+            UnsupportedMediaTypeError,
+            RequestEntityTooLargeError,
+        ):
             if not oc.get(
                 namespace, resource_type, resource.name, allow_not_found=True
             ):
@@ -410,7 +434,7 @@ def apply(
         except FieldIsImmutableError:
             # Add more resources types to the list when you're
             # sure they're safe.
-            if resource_type not in ["Route", "Service", "Secret"]:
+            if resource_type not in {"Route", "Service", "Secret", "Job"}:
                 raise
             oc.delete(namespace=namespace, kind=resource_type, name=resource.name)
             oc.apply(namespace=namespace, resource=annotated)
@@ -464,7 +488,7 @@ def apply(
                 obsolete_rs["metadata"]["ownerReferences"] = owner_references
                 oc.apply(namespace=namespace, resource=OR(obsolete_rs, "", ""))
         except (MayNotChangeOnceSetError, PrimaryClusterIPCanNotBeUnsetError):
-            if resource_type not in ["Service"]:
+            if resource_type not in {"Service"}:
                 raise
 
             oc.delete(namespace=namespace, kind=resource_type, name=resource.name)
@@ -473,15 +497,13 @@ def apply(
             if resource_type != "StatefulSet":
                 raise
 
-            logging.info(
-                [
-                    "delete_sts_and_apply",
-                    cluster,
-                    namespace,
-                    resource_type,
-                    resource.name,
-                ]
-            )
+            logging.info([
+                "delete_sts_and_apply",
+                cluster,
+                namespace,
+                resource_type,
+                resource.name,
+            ])
             current_resource = oc.get(namespace, resource_type, resource.name)
             current_storage = oc.get_storage(current_resource)
             desired_storage = oc.get_storage(resource.body)
@@ -530,7 +552,14 @@ def delete(
     enable_deletion: bool,
     privileged: bool = False,
 ) -> None:
-    logging.info(["delete", cluster, namespace, resource_type, name])
+    logging.info([
+        "delete",
+        f"privileged={privileged}",
+        cluster,
+        namespace,
+        resource_type,
+        name,
+    ])
 
     if not enable_deletion:
         logging.error("'delete' action is disabled due to previous errors.")
@@ -556,182 +585,444 @@ def check_unused_resource_types(ri):
             logging.warning(msg)
 
 
-def _realize_resource_data(
-    unpacked_ri_item,
-    dry_run,
-    oc_map: ClusterMap,
+@dataclass
+class ApplyOptions:
+    dry_run: bool
+    no_dry_run_skip_compare: bool
+    wait_for_namespace: bool
+    recycle_pods: bool
+    take_over: bool
+    override_enable_deletion: bool | None
+    caller: str | None
+    all_callers: Sequence[str] | None
+    privileged: bool | None
+    enable_deletion: bool | None
+
+
+def should_apply(
+    current: OR,
+    desired: OR,
     ri: ResourceInventory,
-    take_over,
-    caller,
-    all_callers,
-    wait_for_namespace,
-    no_dry_run_skip_compare,
-    override_enable_deletion,
-    recycle_pods,
-):
-    cluster, namespace, resource_type, data = unpacked_ri_item
-    actions: list[dict] = []
-    if ri.has_error_registered(cluster=cluster):
-        msg = ("[{}] skipping realize_data for " "cluster with errors").format(cluster)
-        logging.error(msg)
-        return actions
+    options: ApplyOptions,
+    cluster: str,
+    name: str,
+    namespace: str,
+    resource_type: str,
+) -> bool:
+    if not options.dry_run and options.no_dry_run_skip_compare:
+        msg = (
+            f"[{cluster}/{namespace}] skipping compare of resource"
+            f"'{resource_type}/{name}'"
+        )
+        logging.debug(msg)
+        return True
+    if (
+        not options.take_over
+        and options.caller
+        and current.caller != options.caller
+        and options.all_callers
+        and current.caller in options.all_callers
+    ):
+        ri.register_error()
+        logging.error(
+            f"[{cluster}/{namespace}] resource '{resource_type}/{name}' present and "
+            f"managed by another caller: {current.caller}"
+        )
+        return False
 
-    enable_deletion = False if ri.has_error_registered() else True
-    # only allow to override enable_deletion if no errors were found
-    if enable_deletion is True and override_enable_deletion is False:
-        enable_deletion = False
+    if logging.getLogger().isEnabledFor(logging.DEBUG):
+        logging.debug("CURRENT: " + OR.serialize(OR.canonicalize(current.body)))
+        logging.debug("DESIRED: " + OR.serialize(OR.canonicalize(desired.body)))
 
-    # desired items
-    for name, d_item in data["desired"].items():
-        c_item: OR = data["current"].get(name)
+    return True
 
-        if c_item is not None:
-            if not dry_run and no_dry_run_skip_compare:
-                msg = ("[{}/{}] skipping compare of resource '{}/{}'.").format(
-                    cluster, namespace, resource_type, name
-                )
-                logging.debug(msg)
-            else:
-                # If resource doesn't have annotations, annotate and apply
-                if not c_item.has_qontract_annotations():
-                    msg = (
-                        "[{}/{}] resource '{}/{}' present "
-                        "w/o annotations, annotating and applying"
-                    ).format(cluster, namespace, resource_type, name)
-                    logging.info(msg)
-
-                # don't apply if there is a caller (saas file)
-                # and this is not a take over
-                # and current item caller is different from the current caller
-                elif caller and not take_over and c_item.caller != caller:
-                    # if the current item is owned by a caller that no longer exists,
-                    # do nothing. the condition is nested so we fall into this condition
-                    # so we end up either applying to take ownership, or we error if the
-                    # current caller is still present
-                    if c_item.caller in all_callers:
-                        ri.register_error()
-                        logging.error(
-                            f"[{cluster}/{namespace}] resource '{resource_type}/{name}' present and managed by another caller: {c_item.caller}"
-                        )
-                        continue
-
-                # don't apply if resources match
-                # if there is a caller (saas file) and this is a take over
-                # we skip the equal compare as it's not covering
-                # cases of a removed label (for example)
-                # d_item == c_item is uncommutative
-                elif not (caller and take_over) and d_item == c_item:
-                    msg = (
-                        "[{}/{}] resource '{}/{}' present "
-                        "and matches desired, skipping."
-                    ).format(cluster, namespace, resource_type, name)
-                    logging.debug(msg)
-                    continue
 
-                # don't apply if sha256sum hashes match
-                elif c_item.sha256sum() == d_item.sha256sum():
-                    if c_item.has_valid_sha256sum():
-                        msg = (
-                            "[{}/{}] resource '{}/{}' present "
-                            "and hashes match, skipping."
-                        ).format(cluster, namespace, resource_type, name)
-                        logging.debug(msg)
-                        continue
-
-                    msg = (
-                        "[{}/{}] resource '{}/{}' present and "
-                        "has stale sha256sum due to manual changes."
-                    ).format(cluster, namespace, resource_type, name)
-                    logging.info(msg)
-
-                logging.debug("CURRENT: " + OR.serialize(OR.canonicalize(c_item.body)))
-        else:
-            logging.debug("CURRENT: None")
+def should_delete(
+    current: OR,
+    cluster: str,
+    name: str,
+    namespace: str,
+    resource_type: str,
+    options: ApplyOptions,
+) -> bool:
+    if current.has_qontract_annotations():
+        if options.caller and current.caller != options.caller:
+            return False
+    elif not options.take_over:
+        # this is reached when the current resources:
+        # - does not have qontract annotations (not managed)
+        # - not taking over all resources of the current kind
+        msg = f"[{cluster}/{namespace}] skipping " + f"{resource_type}/{name}"
+        logging.debug(msg)
+        return False
+    elif current.has_owner_reference():
+        return False
+    return True
+
+
+def handle_new_resources(
+    oc_map: ClusterMap,
+    ri: ResourceInventory,
+    new_resources: Mapping[Any, Any],
+    cluster: str,
+    namespace: str,
+    resource_type: str,
+    data: Mapping[Any, Any],
+    options: ApplyOptions,
+) -> list[dict[str, Any]]:
+    actions: list[dict[str, Any]] = []
+
+    for name, desired in new_resources.items():
+        options.privileged = data["use_admin_token"].get(name, False)
+        action = {
+            "action": ACTION_APPLIED,
+            "cluster": cluster,
+            "namespace": namespace,
+            "kind": resource_type,
+            "name": name,
+            "privileged": options.privileged,
+        }
+        actions.append(action)
+        apply_action(
+            oc_map=oc_map,
+            ri=ri,
+            cluster=cluster,
+            namespace=namespace,
+            resource_type=resource_type,
+            resource=desired,
+            options=options,
+        )
 
-        logging.debug("DESIRED: " + OR.serialize(OR.canonicalize(d_item.body)))
+    return actions
 
-        try:
-            privileged = data["use_admin_token"].get(name, False)
-            apply(
-                dry_run,
-                oc_map,
-                cluster,
-                namespace,
-                resource_type,
-                d_item,
-                wait_for_namespace,
-                recycle_pods,
-                privileged,
+
+def should_take_over(
+    current: OR,
+    ri: ResourceInventory,
+    options: ApplyOptions,
+    cluster: str,
+    name: str,
+    namespace: str,
+    resource_type: str,
+) -> bool:
+    if options.caller and options.caller != current.caller:
+        # The resources are identical but the caller is different
+        if options.take_over or (
+            options.all_callers and current.caller not in options.all_callers
+        ):
+            return True
+        else:
+            ri.register_error()
+            logging.error(
+                f"[{cluster}/{namespace}] resource '{resource_type}/{name}' present "
+                f"and managed by another caller: {current.caller}"
             )
+    return False
+
+
+def handle_identical_resources(
+    oc_map: ClusterMap,
+    ri: ResourceInventory,
+    identical_resources: Mapping[Any, Any],
+    cluster: str,
+    namespace: str,
+    resource_type: str,
+    data: Mapping[Any, Any],
+    options: ApplyOptions,
+) -> list[dict[str, Any]]:
+    actions: list[dict[str, Any]] = []
+
+    for name, dp in identical_resources.items():
+        if should_take_over(
+            current=dp.current,
+            ri=ri,
+            cluster=cluster,
+            name=name,
+            namespace=namespace,
+            resource_type=resource_type,
+            options=options,
+        ):
+            options.privileged = data["use_admin_token"].get(name, False)
             action = {
                 "action": ACTION_APPLIED,
                 "cluster": cluster,
                 "namespace": namespace,
                 "kind": resource_type,
-                "name": d_item.name,
-                "privileged": privileged,
+                "name": name,
+                "privileged": options.privileged,
             }
             actions.append(action)
-        except StatusCodeError as e:
-            ri.register_error()
-            err = (
-                str(e)
-                if resource_type != "Secret"
-                else f"error applying Secret {d_item.name}: REDACTED"
-            )
-            msg = (
-                f"[{cluster}/{namespace}] {err} "
-                + f"(error details: {d_item.error_details})"
+            apply_action(
+                oc_map=oc_map,
+                ri=ri,
+                cluster=cluster,
+                namespace=namespace,
+                resource_type=resource_type,
+                resource=dp.desired,
+                options=options,
             )
-            logging.error(msg)
+    return actions
 
-    # current items
-    for name, c_item in data["current"].items():
-        d_item = data["desired"].get(name)
-        if d_item is not None:
-            continue
 
-        if c_item.has_qontract_annotations():
-            if caller and c_item.caller != caller:
-                continue
-        elif not take_over:
-            # this is reached when the current resources:
-            # - does not have qontract annotations (not managed)
-            # - not taking over all resources of the current kind
-            msg = (
-                f"[{cluster}/{namespace}] skipping " + f"{resource_type}/{c_item.name}"
+def handle_modified_resources(
+    oc_map: ClusterMap,
+    ri: ResourceInventory,
+    modified_resources: Mapping[Any, Any],
+    cluster: str,
+    namespace: str,
+    resource_type: str,
+    data: Mapping[Any, Any],
+    options: ApplyOptions,
+) -> list[dict[str, Any]]:
+    actions: list[dict[str, Any]] = []
+
+    for name, dp in modified_resources.items():
+        if should_apply(
+            current=dp.current,
+            desired=dp.desired,
+            ri=ri,
+            cluster=cluster,
+            name=name,
+            namespace=namespace,
+            resource_type=resource_type,
+            options=options,
+        ):
+            options.privileged = data["use_admin_token"].get(name, False)
+            action = {
+                "action": ACTION_APPLIED,
+                "cluster": cluster,
+                "namespace": namespace,
+                "kind": resource_type,
+                "name": name,
+                "privileged": options.privileged,
+            }
+            actions.append(action)
+            apply_action(
+                oc_map=oc_map,
+                ri=ri,
+                cluster=cluster,
+                namespace=namespace,
+                resource_type=resource_type,
+                resource=dp.desired,
+                options=options,
             )
-            logging.debug(msg)
-            continue
+    return actions
 
-        if c_item.has_owner_reference():
-            continue
 
-        try:
-            privileged = data["use_admin_token"].get(name, False)
-            delete(
-                dry_run,
-                oc_map,
-                cluster,
-                namespace,
-                resource_type,
-                name,
-                enable_deletion,
-                privileged,
-            )
+def handle_deleted_resources(
+    oc_map: ClusterMap,
+    ri: ResourceInventory,
+    deleted_resources: Mapping[Any, Any],
+    cluster: str,
+    namespace: str,
+    resource_type: str,
+    data: Mapping[Any, Any],
+    options: ApplyOptions,
+) -> list[dict[str, Any]]:
+    actions: list[dict[str, Any]] = []
+
+    for name, current in deleted_resources.items():
+        if should_delete(
+            current=current,
+            cluster=cluster,
+            name=name,
+            namespace=namespace,
+            resource_type=resource_type,
+            options=options,
+        ):
+            options.privileged = data["use_admin_token"].get(name, False)
             action = {
                 "action": ACTION_DELETED,
                 "cluster": cluster,
                 "namespace": namespace,
                 "kind": resource_type,
                 "name": name,
-                "privileged": privileged,
+                "privileged": options.privileged,
             }
             actions.append(action)
-        except StatusCodeError as e:
-            ri.register_error()
-            msg = "[{}/{}] {}".format(cluster, namespace, str(e))
-            logging.error(msg)
+            delete_action(
+                oc_map=oc_map,
+                ri=ri,
+                cluster=cluster,
+                namespace=namespace,
+                resource_type=resource_type,
+                resource_name=name,
+                options=options,
+            )
+
+    return actions
+
+
+def apply_action(
+    oc_map: ClusterMap,
+    ri: ResourceInventory,
+    cluster: str,
+    namespace: str,
+    resource_type: str,
+    resource: OR,
+    options: ApplyOptions,
+) -> None:
+    try:
+        apply(
+            dry_run=options.dry_run,
+            oc_map=oc_map,
+            cluster=cluster,
+            namespace=namespace,
+            resource_type=resource_type,
+            resource=resource,
+            wait_for_namespace=options.wait_for_namespace,
+            recycle_pods=options.recycle_pods,
+            privileged=bool(options.privileged),
+        )
+
+    except StatusCodeError as e:
+        ri.register_error()
+        err = (
+            str(e)
+            if resource_type != "Secret"
+            else f"error applying Secret {resource.name}: REDACTED"
+        )
+        msg = (
+            f"[{cluster}/{namespace}] {err} "
+            f"(error details: {resource.error_details})"
+        )
+        logging.error(msg)
+
+
+def delete_action(
+    oc_map: ClusterMap,
+    ri: ResourceInventory,
+    cluster: str,
+    namespace: str,
+    resource_type: str,
+    resource_name: str,
+    options: ApplyOptions,
+) -> None:
+    try:
+        delete(
+            dry_run=options.dry_run,
+            oc_map=oc_map,
+            cluster=cluster,
+            namespace=namespace,
+            resource_type=resource_type,
+            name=resource_name,
+            enable_deletion=bool(options.enable_deletion),
+            privileged=bool(options.privileged),
+        )
+    except StatusCodeError as e:
+        ri.register_error()
+        msg = f"[{cluster}/{namespace}] {e!s}"
+        logging.error(msg)
+
+
+def _realize_resource_data(
+    ri_item: tuple[str, str, str, Mapping[str, Any]],
+    dry_run: bool,
+    oc_map: ClusterMap,
+    ri: ResourceInventory,
+    take_over: bool,
+    caller: str,
+    all_callers: Sequence[str],
+    wait_for_namespace: bool,
+    no_dry_run_skip_compare: bool,
+    override_enable_deletion: bool,
+    recycle_pods: bool,
+) -> list[dict[str, Any]]:
+    options = ApplyOptions(
+        dry_run=dry_run,
+        no_dry_run_skip_compare=no_dry_run_skip_compare,
+        wait_for_namespace=wait_for_namespace,
+        override_enable_deletion=override_enable_deletion,
+        take_over=take_over,
+        caller=caller,
+        all_callers=all_callers,
+        recycle_pods=recycle_pods,
+        privileged=False,
+        enable_deletion=False,
+    )
+    return _realize_resource_data_3way_diff(
+        ri_item=ri_item, oc_map=oc_map, ri=ri, options=options
+    )
+
+
+def _realize_resource_data_3way_diff(
+    ri_item: tuple[str, str, str, Mapping[str, Any]],
+    oc_map: ClusterMap,
+    ri: ResourceInventory,
+    options: ApplyOptions,
+) -> list[dict[str, Any]]:
+    cluster, namespace, resource_type, data = ri_item
+
+    actions: list[dict] = []
+
+    if ri.has_error_registered(cluster=cluster):
+        msg = f"[{cluster}] skipping realize_data for " "cluster with errors"
+        logging.error(msg)
+        return actions
+
+    # don't delete resources if there are errors
+    options.enable_deletion = not ri.has_error_registered()
+    # only allow to override enable_deletion if no errors were found
+    if options.enable_deletion and options.override_enable_deletion is False:
+        options.enable_deletion = False
+
+    diff_result = differ.diff_mappings(
+        data["current"], data["desired"], equal=three_way_diff_using_hash
+    )
+
+    # identical resources need to be checked
+    # for take_overs and saas file deprecations
+    actions.extend(
+        handle_identical_resources(
+            oc_map=oc_map,
+            ri=ri,
+            identical_resources=diff_result.identical,
+            cluster=cluster,
+            namespace=namespace,
+            resource_type=resource_type,
+            data=data,
+            options=options,
+        )
+    )
+
+    actions.extend(
+        handle_new_resources(
+            oc_map=oc_map,
+            ri=ri,
+            new_resources=diff_result.add,
+            cluster=cluster,
+            namespace=namespace,
+            resource_type=resource_type,
+            data=data,
+            options=options,
+        )
+    )
+
+    actions.extend(
+        handle_modified_resources(
+            oc_map=oc_map,
+            ri=ri,
+            modified_resources=diff_result.change,
+            cluster=cluster,
+            namespace=namespace,
+            resource_type=resource_type,
+            data=data,
+            options=options,
+        )
+    )
+
+    actions.extend(
+        handle_deleted_resources(
+            oc_map=oc_map,
+            ri=ri,
+            deleted_resources=diff_result.delete,
+            cluster=cluster,
+            namespace=namespace,
+            resource_type=resource_type,
+            data=data,
+            options=options,
+        )
+    )
 
     return actions
 
@@ -775,7 +1066,7 @@ def realize_data(
 
 def _validate_resources_used_exist(
     ri: ResourceInventory,
-    oc: OCDeprecated,
+    oc: OCCli,
     spec: dict[str, Any],
     cluster: str,
     namespace: str,
@@ -810,10 +1101,10 @@ def _validate_resources_used_exist(
                 )
                 # we found one! does it's value (secret name) match the
                 # using resource's?
-                if used_name in (
+                if used_name in {
                     serving_cert_alpha_secret_name,
                     serving_cert_beta_secret_name,
-                ):
+                }:
                     # found a match. we assume the serving cert secret will
                     # be present at some point soon after the Service is deployed
                     resource = service
@@ -850,7 +1141,7 @@ def validate_planned_data(ri: ResourceInventory, oc_map: ClusterMap) -> None:
         oc = oc_map.get_cluster(cluster)
 
         for name, d_item in data["desired"].items():
-            if kind in ("Deployment", "DeploymentConfig"):
+            if kind in {"Deployment", "DeploymentConfig"}:
                 spec = d_item.body["spec"]["template"]["spec"]
                 _validate_resources_used_exist(
                     ri, oc, spec, cluster, namespace, kind, name, "Secret"
@@ -860,7 +1151,7 @@ def validate_planned_data(ri: ResourceInventory, oc_map: ClusterMap) -> None:
                 )
 
 
-@retry(exceptions=(ValidationError), max_attempts=100)
+@retry(exceptions=(ValidationError), max_attempts=200)
 def validate_realized_data(actions: Iterable[dict[str, str]], oc_map: ClusterMap):
     """
     Validate the realized desired state.
@@ -897,7 +1188,7 @@ def validate_realized_data(actions: Iterable[dict[str, str]], oc_map: ClusterMap
             if not status:
                 raise ValidationError("status")
             # add elif to validate additional resource kinds
-            if kind in ["Deployment", "DeploymentConfig", "StatefulSet"]:
+            if kind in {"Deployment", "DeploymentConfig", "StatefulSet"}:
                 desired_replicas = resource["spec"]["replicas"]
                 if desired_replicas == 0:
                     continue
@@ -1038,16 +1329,95 @@ def aggregate_shared_resources(namespace_info, shared_resources_type):
             namespace_info[shared_resources_type] = namespace_type_resources
 
 
+@runtime_checkable
+class HasOpenShiftResources(Protocol):
+    openshift_resources: list | None
+
+
+@runtime_checkable
+class HasOpenshiftServiceAccountTokens(Protocol):
+    openshift_service_account_tokens: list | None
+
+
+@runtime_checkable
+class HasSharedResourcesOpenShiftResources(Protocol):
+    @property
+    def shared_resources(self) -> Sequence[HasOpenShiftResources] | None:
+        pass
+
+
+@runtime_checkable
+class HasSharedResourcesOpenshiftServiceAccountTokens(Protocol):
+    @property
+    def shared_resources(self) -> Sequence[HasOpenshiftServiceAccountTokens] | None:
+        pass
+
+
+@runtime_checkable
+class HasOpenshiftServiceAccountTokensAndSharedResources(
+    HasOpenshiftServiceAccountTokens,
+    HasSharedResourcesOpenshiftServiceAccountTokens,
+    Protocol,
+): ...
+
+
+@runtime_checkable
+class HasOpenShiftResourcesAndSharedResources(
+    HasOpenShiftResources, HasSharedResourcesOpenShiftResources, Protocol
+): ...
+
+
+def aggregate_shared_resources_typed(
+    namespace: HasOpenshiftServiceAccountTokensAndSharedResources
+    | HasOpenShiftResourcesAndSharedResources,
+) -> None:
+    """This function aggregates the shared resources to the appropriate namespace section.
+
+    Attention: It updates the namespace object in place and isn't indempotent!
+    """
+    if not namespace.shared_resources:
+        return
+
+    match namespace:
+        case HasOpenshiftServiceAccountTokensAndSharedResources():
+            shared_type_resources_items = []
+            for ost_shared_resources_item in namespace.shared_resources:
+                if (
+                    shared_type_resources
+                    := ost_shared_resources_item.openshift_service_account_tokens
+                ):
+                    shared_type_resources_items.extend(shared_type_resources)
+            if namespace.openshift_service_account_tokens:
+                namespace.openshift_service_account_tokens.extend(
+                    shared_type_resources_items
+                )
+            else:
+                namespace.openshift_service_account_tokens = shared_type_resources_items
+        case HasOpenShiftResourcesAndSharedResources():
+            shared_type_resources_items = []
+            for or_shared_resources_item in namespace.shared_resources:
+                if (
+                    shared_type_resources
+                    := or_shared_resources_item.openshift_resources
+                ):
+                    shared_type_resources_items.extend(shared_type_resources)
+            if namespace.openshift_resources:
+                namespace.openshift_resources.extend(shared_type_resources_items)
+            else:
+                namespace.openshift_resources = shared_type_resources_items
+
+
 def determine_user_keys_for_access(
     cluster_name: str,
-    auth_list: Sequence[Union[dict[str, str], HasService]],
-    enforced_user_keys: Optional[list[str]] = None,
+    auth_list: Sequence[dict[str, str] | HasService],
+    enforced_user_keys: list[str] | None = None,
 ) -> list[str]:
     """Return user keys based on enabled cluster authentication methods."""
     AUTH_METHOD_USER_KEY = {
         "github-org": "github_username",
         "github-org-team": "github_username",
         "oidc": "org_username",
+        "rhidp": "org_username",
     }
     user_keys: list[str] = []
 
@@ -1060,10 +1430,7 @@ def determine_user_keys_for_access(
         return ["github_username"]
 
     for auth in auth_list:
-        if isinstance(auth, HasService):
-            service = auth.service
-        else:
-            service = auth["service"]
+        service = auth.service if isinstance(auth, HasService) else auth["service"]
         try:
             if AUTH_METHOD_USER_KEY[service] in user_keys:
                 continue
@@ -1071,7 +1438,7 @@ def determine_user_keys_for_access(
         except KeyError:
             raise NotImplementedError(
                 f"[{cluster_name}] auth service not implemented: {service}"
-            )
+            ) from None
     return user_keys
 
 
@@ -1086,7 +1453,7 @@ def user_has_cluster_access(
 ) -> bool:
     """Check user has access to cluster."""
     userkeys = determine_user_keys_for_access(cluster.name, cluster.auth)
-    return any((getattr(user, userkey) in cluster_users for userkey in userkeys))
+    return any(getattr(user, userkey) in cluster_users for userkey in userkeys)
 
 
 def get_namespace_type_overrides(namespace: Mapping) -> dict[str, str]:
@@ -1102,7 +1469,7 @@ def get_namespace_type_overrides(namespace: Mapping) -> dict[str, str]:
 
 
 def get_namespace_resource_types(
-    namespace: Mapping, type_overrides: Optional[dict[str, str]] = None
+    namespace: Mapping, type_overrides: dict[str, str] | None = None
 ) -> list[str]:
     """Returns a list with the namespace ResourceTypes, with the overrides in place
 
@@ -1119,7 +1486,7 @@ def get_namespace_resource_types(
 
 
 def get_namespace_resource_names(
-    namespace: Mapping, type_overrides: Optional[dict[str, str]] = None
+    namespace: Mapping, type_overrides: dict[str, str] | None = None
 ) -> dict[str, list[str]]:
     """Returns a list with the namespace ResourceTypeNames, with the overrides in place
 
@@ -1137,3 +1504,38 @@ def get_namespace_resource_names(
         ref += item["resourceNames"]
 
     return rnames
+
+
+def publish_metrics(ri: ResourceInventory, integration: str) -> None:
+    for cluster, namespace, kind, data in ri:
+        for state in ("current", "desired"):
+            metrics.set_gauge(
+                OpenshiftResourceInventoryGauge(
+                    integration=integration.replace("_", "-"),
+                    cluster=cluster,
+                    namespace=namespace,
+                    kind=kind,
+                    state=state,
+                ),
+                len(data[state]),
+            )
+
+
+def get_state_count_combinations(state: Iterable[Mapping[str, str]]) -> Counter[str]:
+    return Counter(s["cluster"] for s in state)
+
+
+def publish_cluster_desired_metrics_from_state(
+    state: Iterable[Mapping[str, str]], integration: str, kind: str
+) -> None:
+    for cluster, count in get_state_count_combinations(state).items():
+        metrics.set_gauge(
+            OpenshiftResourceInventoryGauge(
+                integration=integration,
+                cluster=cluster,
+                namespace="cluster",
+                kind=kind,
+                state="desired",
+            ),
+            count,
+        )