GCP-447: inject token-minter as native sidecar init container

[cristianoveiga]

What this PR does / why we need it:

Changes InjectTokenMinterContainer in the cpov2 framework to inject the token-minter as a https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ (RestartPolicy: Always) with a StartupProbe that blocks main containers until the token file exists. This eliminates a race condition where the main container starts before the token is written, causing fatal crashes (observed in GCP CCM CI).

For backwards compatibility, the management cluster K8s version is detected at startup via ServerVersion(). On K8s >= 1.29 (where the SidecarContainers feature gate is beta and enabled by default), the native sidecar pattern is used. On older clusters, the current regular sidecar injection is preserved.

Which issue(s) this PR fixes:

Fixes GCP-447

Special notes for your reviewer:

The race condition has only been observed in GCP CI so far, but the underlying issue exists for all providers using InjectTokenMinterContainer and could surface for other cloud providers in the future.

• The second commit removes the GCP CCM crash toleration from podCrashTolerations in the e2e test suite, as it is no longer needed.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

Release Notes

• New Features

  • Added support for native Kubernetes sidecar containers on management clusters running Kubernetes 1.29+, enabling more efficient container initialization.
  • Enhanced token minter container injection to intelligently adapt between native sidecars, init containers, and regular sidecars based on platform capabilities.

• Changes

  • Updated GCP cloud controller manager deployment labels for consistency.

• Tests

  • Added comprehensive test coverage for native sidecar container injection across multiple scenarios and Kubernetes versions.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: e8564532-a4e8-4649-adcd-4390a41d438d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This change introduces support for Kubernetes native sidecar containers (available in Kubernetes 1.29+) across the control plane operator. It detects native sidecar capability through management cluster version discovery, propagates this flag through the reconciler and control plane context, and uses it in token minter container injection logic to conditionally inject containers as native sidecars with startup probes or as regular sidecar containers. The feature also includes test coverage for various injection scenarios and removes a toleration entry for the GCP cloud controller manager.

Sequence Diagram(s)

sequenceDiagram
    participant main as main.go
    participant cap as Capability Detection
    participant reconciler as HostedControlPlaneReconciler
    participant context as ControlPlaneContext
    participant injector as TokenMinterContainerInjector
    participant pod as PodSpec

    main->>cap: DetectManagementClusterCapabilities(discoveryClient)
    cap->>cap: supportsNativeSidecarContainers(k8s >= 1.29)
    cap-->>main: CapabilityNativeSidecarContainers flag
    
    main->>reconciler: Initialize with NativeSidecarContainersEnabled flag
    
    reconciler->>context: Create ControlPlaneContext with NativeSidecarContainersEnabled
    
    context->>injector: injectContainer(nativeSidecarsEnabled, podSpec, container, ...)
    
    alt nativeSidecarsEnabled
        injector->>pod: Add container to InitContainers with RestartPolicy: Always
        injector->>pod: Add StartupProbe (check token file existence)
    else not nativeSidecarsEnabled
        injector->>pod: Add container to Containers as regular sidecar
    end
    
    injector->>pod: Mount volume on first container in PodSpec

Loading

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@cristianoveiga: An error was encountered searching for bug GCP-447 on the Jira server at https://issues.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

No response returned: Get "https://issues.redhat.com/rest/api/2/issue/GCP-447": GET https://issues.redhat.com/rest/api/2/issue/GCP-447 giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

What this PR does / why we need it:

Changes InjectTokenMinterContainer in the cpov2 framework to inject the token-minter as a https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ (RestartPolicy: Always) with a StartupProbe that blocks main containers until the token file exists. This eliminates a race condition where the main container starts before the token is written, causing fatal crashes (observed in GCP CCM CI).

For backwards compatibility, the management cluster K8s version is detected at startup via ServerVersion(). On K8s >= 1.29 (where the SidecarContainers feature gate is beta and enabled by default), the native sidecar pattern is used. On older clusters, the current regular sidecar injection is preserved.

Which issue(s) this PR fixes:

Fixes GCP-447

Special notes for your reviewer:

The race condition has only been observed in GCP CI so far, but the underlying issue exists for all providers using InjectTokenMinterContainer and could surface for other cloud providers in the future.

• The second commit removes the GCP CCM crash toleration from podCrashTolerations in the e2e test suite, as it is no longer needed.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cristianoveiga]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[openshift-ci-robot]

@cristianoveiga: An error was encountered searching for bug GCP-447 on the Jira server at https://issues.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

No response returned: Get "https://issues.redhat.com/rest/api/2/issue/GCP-447": GET https://issues.redhat.com/rest/api/2/issue/GCP-447 giving up after 5 attempt(s)

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

What this PR does / why we need it:

Changes InjectTokenMinterContainer in the cpov2 framework to inject the token-minter as a https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ (RestartPolicy: Always) with a StartupProbe that blocks main containers until the token file exists. This eliminates a race condition where the main container starts before the token is written, causing fatal crashes (observed in GCP CCM CI).

For backwards compatibility, the management cluster K8s version is detected at startup via ServerVersion(). On K8s >= 1.29 (where the SidecarContainers feature gate is beta and enabled by default), the native sidecar pattern is used. On older clusters, the current regular sidecar injection is preserved.

Which issue(s) this PR fixes:

Fixes GCP-447

Special notes for your reviewer:

The race condition has only been observed in GCP CI so far, but the underlying issue exists for all providers using InjectTokenMinterContainer and could surface for other cloud providers in the future.

• The second commit removes the GCP CCM crash toleration from podCrashTolerations in the e2e test suite, as it is no longer needed.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

• Added automatic detection of native sidecar container support based on management cluster version (Kubernetes 1.29.0 and later).

• Enabled conditional injection of sidecar containers as native init containers when supported, with appropriate startup probes and volume mounting.

• Tests

• Added comprehensive test coverage for native sidecar detection and injection logic across multiple Kubernetes versions and deployment scenarios.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cristianoveiga]

/test ?

[cristianoveiga]

/test e2e-aks
/test e2e-aws

[cwbotbot]

Test Results

e2e-aks

• Status: ✅ PASS
• Started: 2026-03-15T14:57:44Z
• View Job
• View Job History

e2e-aws

• Status: ✅ PASS
• Started: 2026-03-15T14:57:45Z
• View Job
• View Job History

[cristianoveiga]

/retest

[bryan-cox]

/uncc @bryan-cox

[cristianoveiga]

/test ?

[cristianoveiga]

/test e2e-gke

[enxebre]

can we pass this to karpenter-operator/controllers/karpenter/karpenter_controller.go as well

[cristianoveiga]

karpenter_controller.go creates the karpenter component (v2/karpenter/component.go) which doesn't call InjectTokenMinterContainer, so setting NativeSidecarContainersEnabled in its ControlPlaneContext would have no effect.

The karpenter-operator component (v2/karpenteroperator/component.go) does use InjectTokenMinterContainer, but it's reconciled by the HCP controller which already sets the flag.

Happy to add it proactively if you prefer. I just want to confirm since it appears to be a no-op currently.

[enxebre]

this will break on any already existing cluster

[cristianoveiga]

We don't have any production GCP clusters at the moment - and we can re-create any clusters in integration, if needed.

[cristianoveiga]

Please note that this reverts the label change in #7926.

This was only needed for the crash toleration exception, which is no longer necessary with the native sidecar fix.

We prefer reverting to keep GCP CCM consistent with how other CCMs are labeled (app: cloud-controller-manager).

[enxebre]

dropped some feedback. This looks great to me overall.

[cristianoveiga]

/test verify

[cristianoveiga]

/retest-required

[cristianoveiga]

/test e2e-gke

[cristianoveiga]

/test e2e-gke

[enxebre]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cristianoveiga, enxebre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [enxebre]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cristianoveiga]

/verfified by @cristianoveiga

The e2e-gke validated these changes - the failure is unrelated to this PR.

PR #7887 recently added the controlPlaneVersion status check to the e2e validation, which requires all ControlPlaneComponents to report RolloutComplete: True.

The cluster-network-operator never completes because cloud-network-config-controller is stuck — the secret cloud-network-config-controller-creds doesn't exist for GCP yet (tracked in PR #7824 / GCP-431).

This was previously invisible and is now surfaced by the new check.

cc: @apahim

[muraee]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-21
/test e2e-aws-4-21
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[cristianoveiga]

/verified by @cristianoveiga

[openshift-ci-robot]

@cristianoveiga: This PR has been marked as verified by @cristianoveiga.

Details

In response to this:

/verified by @cristianoveiga

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD f0b245f and 2 for PR HEAD 9dc48ce in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD a12b316 and 1 for PR HEAD 9dc48ce in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD ee66457 and 0 for PR HEAD 9dc48ce in total

[openshift-ci]

@cristianoveiga: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-techpreview	3c7f914	link	false	/test e2e-aws-techpreview
ci/prow/verify	77737f8	link	true	/test verify
ci/prow/e2e-gke	9dc48ce	link	false	/test e2e-gke

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.