diff --git a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
index 9da2f5bab36..63bc270cab7 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
@@ -1172,19 +1172,20 @@ func (r *HostedControlPlaneReconciler) reconcileCPOV2(ctx context.Context, hcp *
 }
 cpContext := component.ControlPlaneContext{
- Context: ctx,
- Client: r.Client,
- GVKAccessChecker: r.GVKAccessChecker,
- HCP: hcp,
- ApplyProvider: upsert.NewApplyProvider(r.EnableCIDebugOutput),
- InfraStatus: infraStatus,
- ReleaseImageProvider: releaseImageProvider,
- UserReleaseImageProvider: userReleaseImageProvider,
- SetDefaultSecurityContext: r.SetDefaultSecurityContext,
- DefaultSecurityContextUID: r.DefaultSecurityContextUID,
- MetricsSet: r.MetricsSet,
- EnableCIDebugOutput: r.EnableCIDebugOutput,
- ImageMetadataProvider: r.ImageMetadataProvider,
+ Context: ctx,
+ Client: r.Client,
+ GVKAccessChecker: r.GVKAccessChecker,
+ HCP: hcp,
+ ApplyProvider: upsert.NewApplyProvider(r.EnableCIDebugOutput),
+ InfraStatus: infraStatus,
+ ReleaseImageProvider: releaseImageProvider,
+ UserReleaseImageProvider: userReleaseImageProvider,
+ SetDefaultSecurityContext: r.SetDefaultSecurityContext,
+ DefaultSecurityContextUID: r.DefaultSecurityContextUID,
+ MetricsSet: r.MetricsSet,
+ EnableCIDebugOutput: r.EnableCIDebugOutput,
+ ImageMetadataProvider: r.ImageMetadataProvider,
+ NativeSidecarContainersEnabled: r.ManagementClusterCapabilities.Has(capabilities.CapabilityNativeSidecarContainers),
 }
 var errs []error
diff --git a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go
index 8392db43510..1c4eba8dfd7 100644
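Review bot: The added `NativeSidecarContainersEnabled: r.ManagementClusterCapabilities.Has(capabilities.CapabilityNativeSidecarContainers)` line turns on the native-sidecar rendering, and the fixtures regenerated in this commit show the container with the `--token-audience` args, once moved under `initContainers` with `restartPolicy: Always`, losing `readOnlyRootFilesystem: true` (and its /tmp mount) — in testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade the whole `securityContext` block is deleted — so that container's root filesystem becomes writable. The code that builds the init container is outside this diff; if dropping that hardening is not intended, it should carry the original securityContext over, and the fixtures would then pin it. The call is also made unconditionally on r.ManagementClusterCapabilities, so if that field can be nil on a reconciler constructed outside the operator's normal wiring this line panics at reconcile time — either guard it or document the non-nil invariant on the field. Separately, the gcp-cloud-controller-manager fixtures change `spec.selector.matchLabels` from `app: gcp-cloud-controller-manager` to `app: cloud-controller-manager`, and a Deployment selector is immutable, so an already-deployed instance will have to be recreated rather than updated in place. reconcileCPOV2 starts and ends outside the hunk.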
--- a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go
@@ -1228,9 +1228,10 @@ func TestControlPlaneComponents(t *testing.T) {
 },
 Manifest: fakeimagemetadataprovider.FakeManifest{},
 },
- HCP: hcp,
- SkipPredicate: true,
- SkipCertificateSigning: true,
+ HCP: hcp,
+ SkipPredicate: true,
+ SkipCertificateSigning: true,
+ NativeSidecarContainersEnabled: true,
 }
 cpContext.HCP.Spec.Configuration.FeatureGate.FeatureGateSelection.FeatureSet = tt.featureSet
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
index 7382fdf0100..d2f4684687b 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
@@ -109,6 +109,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system
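Review bot: `NativeSidecarContainersEnabled: true` is hard-coded for every table case in TestControlPlaneComponents, so the golden fixtures now cover only the native-sidecar rendering; the non-native path, which management clusters without the capability still take, loses its fixture coverage with this change. Consider making it a table field (`nativeSidecars bool` in the case struct, `NativeSidecarContainersEnabled: tt.nativeSidecars`) with cases for both values, or a second fixture directory, so both renderings stay pinned. The enclosing test function starts and ends outside the hunk.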
@@ -125,21 +126,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml index 74d66ad2080..ec4d646c01b 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml @@ -104,6 +104,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -120,16 +121,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml index 74d66ad2080..ec4d646c01b 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml @@ -104,6 +104,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -120,16 +121,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/GCP/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/GCP/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml index 1e06c38e47d..298f15ef1a5 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/GCP/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/GCP/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml @@ -174,6 +174,8 @@ spec: name: svc-kubeconfig - mountPath: /tmp name: tmp-dir + enableServiceLinks: false + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -190,22 +192,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: svc-kubeconfig - - mountPath: /tmp - name: tmp-dir - enableServiceLinks: false nodeSelector: kubernetes.io/os: linux priorityClassName: hypershift-control-plane diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml index 7be962d26f0..08cd268c852 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml @@ -164,6 +164,8 @@ spec: name: svc-kubeconfig - mountPath: /tmp name: tmp-dir + enableServiceLinks: false + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -180,17 +182,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: svc-kubeconfig - - mountPath: /tmp - name: tmp-dir - enableServiceLinks: false nodeSelector: kubernetes.io/os: linux priorityClassName: hypershift-control-plane diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml index 7be962d26f0..08cd268c852 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml @@ -164,6 +164,8 @@ spec: name: svc-kubeconfig - mountPath: /tmp name: tmp-dir + enableServiceLinks: false + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -180,17 +182,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: svc-kubeconfig - - mountPath: /tmp - name: tmp-dir - enableServiceLinks: false nodeSelector: kubernetes.io/os: linux priorityClassName: hypershift-control-plane diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml index 07413363cc4..82e9a468ede 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml @@ -100,6 +100,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -116,21 +117,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml index befb008578b..db98131c478 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml @@ -95,6 +95,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -111,16 +112,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml index befb008578b..db98131c478 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml @@ -95,6 +95,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -111,16 +112,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml index 516d42e4371..3235e33d60f 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml @@ -137,6 +137,7 @@ spec: name: apiserver-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster - --service-account-namespace=openshift-image-registry 
@@ -153,16 +154,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: apiserver-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml index 3d72299f2dc..721957498ec 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml @@ -139,6 +139,7 @@ spec: name: apiserver-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=openshift-image-registry 
@@ -155,21 +156,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir - args: - --token-audience=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster - --service-account-namespace=openshift-image-registry @@ -186,21 +193,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: apiserver-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml index 1806008aff1..eab0ebaf475 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml 
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml @@ -132,6 +132,7 @@ spec: name: apiserver-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster - --service-account-namespace=openshift-image-registry @@ -148,16 +149,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: apiserver-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml index 6312eec5c53..88023eb1aae 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml 
@@ -134,6 +134,7 @@ spec: name: apiserver-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=openshift-image-registry @@ -150,16 +151,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir - args: - --token-audience=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster - --service-account-namespace=openshift-image-registry @@ -176,16 +182,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: apiserver-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml index 6312eec5c53..88023eb1aae 100644 
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml @@ -134,6 +134,7 @@ spec: name: apiserver-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=openshift-image-registry @@ -150,16 +151,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir - args: - --token-audience=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster - --service-account-namespace=openshift-image-registry @@ -176,16 +182,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: apiserver-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml index 1cf53d66d31..baf2c753d6a 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml @@ -18,7 +18,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: @@ -28,7 +28,7 @@ spec: component.hypershift.openshift.io/config-hash: eafd03f7 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager hypershift.openshift.io/control-plane-component: gcp-cloud-controller-manager hypershift.openshift.io/hosted-control-plane: hcp-namespace spec: diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml index 7548d98ef51..c53dfc1673b 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml 
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml @@ -18,7 +18,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: @@ -28,7 +28,7 @@ spec: component.hypershift.openshift.io/config-hash: eafd03f7 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager hypershift.openshift.io/control-plane-component: gcp-cloud-controller-manager hypershift.openshift.io/hosted-control-plane: hcp-namespace spec: @@ -104,6 +104,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system @@ -120,21 +121,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml index 1cf53d66d31..baf2c753d6a 100644 
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml @@ -18,7 +18,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: @@ -28,7 +28,7 @@ spec: component.hypershift.openshift.io/config-hash: eafd03f7 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager hypershift.openshift.io/control-plane-component: gcp-cloud-controller-manager hypershift.openshift.io/hosted-control-plane: hcp-namespace spec: diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml index 3189c4b667a..2eea788e499 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml @@ -18,7 +18,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: 
@@ -28,7 +28,7 @@ spec: component.hypershift.openshift.io/config-hash: eafd03f7 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager hypershift.openshift.io/control-plane-component: gcp-cloud-controller-manager hypershift.openshift.io/hosted-control-plane: hcp-namespace spec: @@ -99,6 +99,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system @@ -115,16 +116,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml index 3189c4b667a..2eea788e499 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml 
@@ -18,7 +18,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: @@ -28,7 +28,7 @@ spec: component.hypershift.openshift.io/config-hash: eafd03f7 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager hypershift.openshift.io/control-plane-component: gcp-cloud-controller-manager hypershift.openshift.io/hosted-control-plane: hcp-namespace spec: @@ -99,6 +99,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system @@ -115,16 +116,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/GCP/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/GCP/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml index 8496f38fa61..4ffbeb92446 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/GCP/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/GCP/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml 
@@ -147,6 +147,28 @@ spec: name: konnectivity-proxy-ca - mountPath: /tmp name: tmp-dir + initContainers: + - command: + - /usr/bin/control-plane-operator + - availability-prober + - --target + - https://kube-apiserver:6443/readyz + - --kubeconfig=/var/kubeconfig/kubeconfig + - --required-api=route.openshift.io,v1,Route + image: availability-prober + imagePullPolicy: IfNotPresent + name: availability-prober + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/kubeconfig + name: service-account-kubeconfig - args: - --token-audience=openshift - --service-account-namespace=openshift-ingress-operator @@ -163,43 +185,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: admin-kubeconfig - - mountPath: /tmp - name: tmp-dir - initContainers: - - command: - - /usr/bin/control-plane-operator - - availability-prober - - --target - - https://kube-apiserver:6443/readyz - - --kubeconfig=/var/kubeconfig/kubeconfig - - --required-api=route.openshift.io,v1,Route - image: availability-prober - imagePullPolicy: IfNotPresent - name: availability-prober - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsNonRoot: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/kubeconfig - name: service-account-kubeconfig priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml index 42aadbf522a..20270519640 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml @@ -137,6 +137,22 @@ spec: name: konnectivity-proxy-ca - mountPath: /tmp name: tmp-dir + initContainers: + - command: + - /usr/bin/control-plane-operator + - availability-prober + - --target + - https://kube-apiserver:6443/readyz + - --kubeconfig=/var/kubeconfig/kubeconfig + - --required-api=route.openshift.io,v1,Route + image: availability-prober + imagePullPolicy: IfNotPresent + name: availability-prober + resources: {} + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/kubeconfig + name: service-account-kubeconfig - args: - --token-audience=openshift - --service-account-namespace=openshift-ingress-operator 
@@ -153,32 +169,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: admin-kubeconfig - - mountPath: /tmp - name: tmp-dir - initContainers: - - command: - - /usr/bin/control-plane-operator - - availability-prober - - --target - - https://kube-apiserver:6443/readyz - - --kubeconfig=/var/kubeconfig/kubeconfig - - --required-api=route.openshift.io,v1,Route - image: availability-prober - imagePullPolicy: IfNotPresent - name: availability-prober - resources: {} - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/kubeconfig - name: service-account-kubeconfig priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml index 42aadbf522a..20270519640 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml 
@@ -137,6 +137,22 @@ spec: name: konnectivity-proxy-ca - mountPath: /tmp name: tmp-dir + initContainers: + - command: + - /usr/bin/control-plane-operator + - availability-prober + - --target + - https://kube-apiserver:6443/readyz + - --kubeconfig=/var/kubeconfig/kubeconfig + - --required-api=route.openshift.io,v1,Route + image: availability-prober + imagePullPolicy: IfNotPresent + name: availability-prober + resources: {} + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/kubeconfig + name: service-account-kubeconfig - args: - --token-audience=openshift - --service-account-namespace=openshift-ingress-operator @@ -153,32 +169,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: admin-kubeconfig - - mountPath: /tmp - name: tmp-dir - initContainers: - - command: - - /usr/bin/control-plane-operator - - availability-prober - - --target - - https://kube-apiserver:6443/readyz - - --kubeconfig=/var/kubeconfig/kubeconfig - - --required-api=route.openshift.io,v1,Route - image: availability-prober - imagePullPolicy: IfNotPresent - name: availability-prober - resources: {} - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/kubeconfig - name: service-account-kubeconfig priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/gcp-cloud-controller-manager/deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/gcp-cloud-controller-manager/deployment.yaml index 0b09eed16c9..eebfa7d5975 100644 
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/gcp-cloud-controller-manager/deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/gcp-cloud-controller-manager/deployment.yaml @@ -7,13 +7,13 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: metadata: labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager spec: containers: - name: cloud-controller-manager diff --git a/control-plane-operator/main.go b/control-plane-operator/main.go index 1b5a3caec11..675c0427070 100644 --- a/control-plane-operator/main.go +++ b/control-plane-operator/main.go @@ -255,6 +255,7 @@ func NewStartCommand() *cobra.Command { setupLog.Error(err, "unable to detect cluster capabilities") os.Exit(1) } + setupLog.Info("Native sidecar containers support", "enabled", mgmtClusterCaps.Has(capabilities.CapabilityNativeSidecarContainers)) hcpClient, err := hyperclient.NewForConfig(mgr.GetConfig()) if err != nil { diff --git a/support/capabilities/management_cluster_capabilities.go b/support/capabilities/management_cluster_capabilities.go index ddf831720fb..3c93324343c 100644 --- a/support/capabilities/management_cluster_capabilities.go +++ b/support/capabilities/management_cluster_capabilities.go @@ -1,6 +1,7 @@ package capabilities import ( + "fmt" "sync" configv1 "github.com/openshift/api/config/v1" @@ -12,6 +13,8 @@ import ( "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/client-go/discovery" + + "github.com/blang/semver" ) type CapabiltyChecker interface { 
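Review bot: Changing `spec.selector.matchLabels` from `app: gcp-cloud-controller-manager` to `app: cloud-controller-manager` is not an in-place update for an apps/v1 Deployment: the selector is immutable after creation, so on an already-running hosted control plane the reconciler's update is rejected with a field-is-immutable error unless the Deployment is deleted and recreated, which the hunk gives no sign of handling. That would stall the rollout on upgrades while fresh installs pass. Anything else in the namespace that selects on the old label (NetworkPolicy, PodDisruptionBudget, Service, monitoring selectors) needs the same rename, and it is worth confirming that `app: cloud-controller-manager` does not overlap another cloud-controller-manager Deployment's label in the same namespace. A comment on the manifest such as `# selector was app: gcp-cloud-controller-manager; existing Deployments must be recreated on upgrade` would record the migration requirement.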
@@ -73,6 +76,10 @@ const ( // CapabilityValidatingAdmissionPolicy indicates if the cluster supports ValidatingAdmissionPolicy // admissionregistration.k8s.io/v1 CapabilityValidatingAdmissionPolicy + + // CapabilityNativeSidecarContainers indicates if the management cluster supports native sidecar + // containers (K8s >= 1.29, where the SidecarContainers feature gate is beta and enabled by default). + CapabilityNativeSidecarContainers ) // ManagementClusterCapabilities holds all information about optional capabilities of @@ -115,7 +122,14 @@ func isAPIResourceRegistered(client discovery.ServerResourcesInterface, groupVer return false, nil } -func DetectManagementClusterCapabilities(client discovery.ServerResourcesInterface) (*ManagementClusterCapabilities, error) { +// ManagementClusterDiscoveryClient combines the interfaces needed for detecting +// management cluster capabilities: API resource checks and server version checks. +type ManagementClusterDiscoveryClient interface { + discovery.ServerResourcesInterface + discovery.ServerVersionInterface +} + +func DetectManagementClusterCapabilities(client ManagementClusterDiscoveryClient) (*ManagementClusterCapabilities, error) { discoveredCapabilities := map[CapabilityType]struct{}{} // check for route capability 
@@ -227,5 +241,34 @@ func DetectManagementClusterCapabilities(client discovery.ServerResourcesInterfa discoveredCapabilities[CapabilityValidatingAdmissionPolicy] = struct{}{} } + // check for native sidecar containers support (K8s >= 1.29) + hasNativeSidecarCap, err := supportsNativeSidecarContainers(client) + if err != nil { + return nil, err + } + if hasNativeSidecarCap { + discoveredCapabilities[CapabilityNativeSidecarContainers] = struct{}{} + } + return &ManagementClusterCapabilities{capabilities: discoveredCapabilities}, nil } + +// supportsNativeSidecarContainers checks if the management cluster's Kubernetes version supports +// native sidecar containers (K8s >= 1.29, where the SidecarContainers feature gate is beta and enabled by default). +func supportsNativeSidecarContainers(client discovery.ServerVersionInterface) (bool, error) { + info, err := client.ServerVersion() + if err != nil { + return false, fmt.Errorf("failed to detect management cluster version: %w", err) + } + + version, err := semver.ParseTolerant(info.GitVersion) + if err != nil { + return false, fmt.Errorf("failed to parse management cluster version %q: %w", info.GitVersion, err) + } + + // Native sidecar containers (RestartPolicy=Always on init containers) are beta and enabled + // by default starting in K8s 1.29. See https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ + // Compare only major/minor to avoid semver pre-release ordering issues with vendor-suffixed + // versions (e.g. v1.29.0-gke.1 sorts below v1.29.0 per semver spec). + return version.Major > 1 || (version.Major == 1 && version.Minor >= 29), nil +} diff --git a/support/capabilities/management_cluster_capabilities_test.go b/support/capabilities/management_cluster_capabilities_test.go index e4254050351..ef3faa31d72 100644 --- a/support/capabilities/management_cluster_capabilities_test.go +++ b/support/capabilities/management_cluster_capabilities_test.go 
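Review bot: A parse failure in `supportsNativeSidecarContainers` now aborts all of `DetectManagementClusterCapabilities` (`return nil, err`), and the caller in main.go exits the process on that error, so a management cluster whose `GitVersion` does not satisfy `semver.ParseTolerant` turns the operator into a crash loop instead of taking the regular-sidecar path, which is the safe fallback. Consider logging the parse failure and returning `false, nil` from that branch (a transport error from `ServerVersion()` can reasonably stay fatal), and adjusting the malformed-version subtest to match. Separately, `ServerVersion()` reports the API server version, not the kubelets': with node version skew a 1.29 API server accepts an init container with `RestartPolicy=Always`, but a pre-1.29 kubelet with the gate off would presumably run it as an ordinary init container that never exits, leaving the pod stuck before its main containers start. The doc comment on `supportsNativeSidecarContainers` should state that kubelet skew is assumed to be within the supported window, e.g. `// Assumes node kubelets are at least 1.29 as well; only the API server version is checked.` The body of `DetectManagementClusterCapabilities` starts outside the hunk.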
@@ -14,6 +14,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" + apiversion "k8s.io/apimachinery/pkg/version" "k8s.io/client-go/discovery" ) @@ -146,7 +147,7 @@ func TestDetectManagementCapabilities(t *testing.T) { testCases := []struct { name string - client discovery.ServerResourcesInterface + client ManagementClusterDiscoveryClient capabilityType CapabilityType resultErr error isRegistered bool @@ -263,11 +264,12 @@ func newFailableFakeDiscoveryClient(err error, discovered ...metav1.APIResourceL return discoveryClient } -// fakeFailableDiscoveryClient is a custom implementation of discovery.ServerResourcesInterface. +// fakeFailableDiscoveryClient is a custom implementation of ManagementClusterDiscoveryClient. // Existing fake clients are not flexible enough to express all resource and error responses relevant for testing. type fakeFailableDiscoveryClient struct { - Resources []*metav1.APIResourceList - err error + Resources []*metav1.APIResourceList + err error + gitVersion string } func (f fakeFailableDiscoveryClient) ServerResourcesForGroupVersion(groupVersion string) (*metav1.APIResourceList, error) { 
@@ -294,3 +296,83 @@ func (f fakeFailableDiscoveryClient) ServerPreferredResources() ([]*metav1.APIRe func (f fakeFailableDiscoveryClient) ServerPreferredNamespacedResources() ([]*metav1.APIResourceList, error) { panic("implement me") } + +func (f fakeFailableDiscoveryClient) ServerVersion() (*apiversion.Info, error) { + if f.gitVersion == "" { + return &apiversion.Info{GitVersion: "v1.30.0"}, nil + } + return &apiversion.Info{GitVersion: f.gitVersion}, nil +} + +func TestDetectNativeSidecarCapability(t *testing.T) { + tests := []struct { + name string + gitVersion string + expectedSupport bool + }{ + { + name: "When K8s version is 1.29.0 it should support native sidecars", + gitVersion: "v1.29.0", + expectedSupport: true, + }, + { + name: "When K8s version is 1.30.0 it should support native sidecars", + gitVersion: "v1.30.0", + expectedSupport: true, + }, + { + name: "When K8s version is 1.28.0 it should not support native sidecars", + gitVersion: "v1.28.0", + expectedSupport: false, + }, + { + name: "When K8s version is 1.27.0 it should not support native sidecars", + gitVersion: "v1.27.0", + expectedSupport: false, + }, + { + name: "When K8s version is an OCP-style version it should parse correctly", + gitVersion: "v1.29.3+abcdef1", + expectedSupport: true, + }, + { + name: "When K8s version is a GKE-style version it should support native sidecars", + gitVersion: "v1.29.0-gke.1", + expectedSupport: true, + }, + { + name: "When K8s version is a GKE-style version below 1.29 it should not support native sidecars", + gitVersion: "v1.28.0-gke.1", + expectedSupport: false, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + g := NewWithT(t) + + client := fakeFailableDiscoveryClient{ + Resources: []*metav1.APIResourceList{}, + gitVersion: tc.gitVersion, + } + + caps, err := DetectManagementClusterCapabilities(client) + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(caps.Has(CapabilityNativeSidecarContainers)).To(Equal(tc.expectedSupport)) + 
}) + } + + t.Run("When K8s version is malformed it should return an error", func(t *testing.T) { + g := NewWithT(t) + + for _, badVersion := range []string{"not-a-version", "abc.def.ghi"} { + client := fakeFailableDiscoveryClient{ + Resources: []*metav1.APIResourceList{}, + gitVersion: badVersion, + } + + _, err := DetectManagementClusterCapabilities(client) + g.Expect(err).To(HaveOccurred()) + } + }) +} diff --git a/support/controlplane-component/controlplane-component.go b/support/controlplane-component/controlplane-component.go index 885cbf70336..8d2409caa2e 100644 --- a/support/controlplane-component/controlplane-component.go +++ b/support/controlplane-component/controlplane-component.go @@ -68,6 +68,10 @@ type ControlPlaneContext struct { SkipPredicate bool // SkipCertificateSigning is used for the generic unit test to skip the signing of certificates and maintain a stable output. SkipCertificateSigning bool + + // NativeSidecarContainersEnabled indicates whether the management cluster supports native sidecar containers + // (K8s >= 1.29 with SidecarContainers feature gate enabled by default). + NativeSidecarContainersEnabled bool } // WorkloadContext is what we pass to the components(adapt, predicate functions, etc..). diff --git a/support/controlplane-component/token-minter-container.go b/support/controlplane-component/token-minter-container.go index 8687e39dc25..de52c7f4e73 100644 --- a/support/controlplane-component/token-minter-container.go +++ b/support/controlplane-component/token-minter-container.go 
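Review bot: The fake's new `ServerVersion()` can never return an error, so the `failed to detect management cluster version` branch of `supportsNativeSidecarContainers` is untested; only the parse-failure path is exercised by the malformed-version subtest. If the existing `err` field is already consumed by the resource calls, add a separate field (e.g. `versionErr error`) and one case asserting that a `ServerVersion()` error propagates out of `DetectManagementClusterCapabilities`. Defaulting to `v1.30.0` when `gitVersion` is empty also means every pre-existing case in `TestDetectManagementCapabilities` silently gains `CapabilityNativeSidecarContainers`; a comment on `ServerVersion()` such as `// An empty gitVersion defaults to a sidecar-capable version so existing cases are unaffected.` would make that deliberate.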
@@ -61,25 +61,54 @@ func (opts TokenMinterContainerOptions) injectTokenMinterContainer(cpContext Con tokenVolume := opts.buildVolume(string(CloudToken)) podSpec.Volumes = append(podSpec.Volumes, tokenVolume) - podSpec.Containers = append(podSpec.Containers, opts.buildContainer(cpContext.HCP, CloudToken, image, tokenVolume)) - - podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{ - Name: tokenVolume.Name, - MountPath: cloudTokenFileMountPath, - }) + container := opts.buildContainer(cpContext.HCP, CloudToken, image, tokenVolume) + opts.injectContainer(cpContext.NativeSidecarContainersEnabled, podSpec, container, cloudTokenFileMountPath, tokenVolume.Name) } if opts.TokenType == KubeAPIServerToken || opts.TokenType == CloudAndAPIServerToken { tokenVolume := opts.buildVolume(string(KubeAPIServerToken)) podSpec.Volumes = append(podSpec.Volumes, tokenVolume) - podSpec.Containers = append(podSpec.Containers, opts.buildContainer(cpContext.HCP, KubeAPIServerToken, image, tokenVolume)) + container := opts.buildContainer(cpContext.HCP, KubeAPIServerToken, image, tokenVolume) + opts.injectContainer(cpContext.NativeSidecarContainersEnabled, podSpec, container, kubeAPITokenFileMountPath, tokenVolume.Name) + } +} - podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{ - Name: tokenVolume.Name, - MountPath: kubeAPITokenFileMountPath, - }) +// injectContainer adds the token-minter container to the pod spec. +// - OneShot minters are injected as regular init containers, which run to completion before main containers start. +// - When native sidecar containers are supported (K8s >= 1.29), it injects as an init container with +// RestartPolicy=Always and a StartupProbe that blocks main containers until the token file exists. +// - Otherwise, it falls back to a regular sidecar container. 
+func (opts TokenMinterContainerOptions) injectContainer(nativeSidecarsEnabled bool, podSpec *corev1.PodSpec, container corev1.Container, mainContainerMountPath string, volumeName string) { + if opts.OneShot { + // OneShot minters run once and exit. As a regular init container, K8s guarantees + // they complete before main containers start, so no probe is needed. + podSpec.InitContainers = append(podSpec.InitContainers, container) + } else if nativeSidecarsEnabled { + restartAlways := corev1.ContainerRestartPolicyAlways + container.RestartPolicy = &restartAlways + container.StartupProbe = &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + Exec: &corev1.ExecAction{ + // The token-minter always writes to cloudTokenFileMountPath regardless of token type. + Command: []string{"test", "-f", path.Join(cloudTokenFileMountPath, "token")}, + }, + }, + PeriodSeconds: 1, + FailureThreshold: 30, + } + podSpec.InitContainers = append(podSpec.InitContainers, container) + } else { + podSpec.Containers = append(podSpec.Containers, container) + } + + if len(podSpec.Containers) == 0 { + panic("injectContainer: podSpec.Containers must have at least one container") } + podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{ + Name: volumeName, + MountPath: mainContainerMountPath, + }) } func (opts TokenMinterContainerOptions) buildContainer(hcp *hyperv1.HostedControlPlane, tokenType TokenType, image string, tokenVolume corev1.Volume) corev1.Container { diff --git a/support/controlplane-component/token-minter-container_test.go b/support/controlplane-component/token-minter-container_test.go new file mode 100644 index 00000000000..c5e3afe4258 --- /dev/null +++ b/support/controlplane-component/token-minter-container_test.go 
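Review bot: On the native-sidecar path the token-minter container appears to lose hardening that the regular-sidecar path kept: the regenerated fixtures in this commit drop `readOnlyRootFilesystem: true` and the `/tmp` `tmp-dir` mount from the token-minter once it is appended to `podSpec.InitContainers`, while the main container keeps both. `buildContainer` is outside the hunk, so the likely cause is a later pass that applies the read-only root filesystem and scratch volume only to `podSpec.Containers`; whichever it is, the init-container form should receive the same `securityContext`, otherwise the minter now runs with a writable root filesystem on every control-plane pod that uses it. The startup probe also assumes a `test` binary is present in the token-minter image; if the image is distroless the probe can never succeed and the sidecar is restarted every `PeriodSeconds * FailureThreshold` (30s) without the main containers ever starting, so a comment like `// Requires a test(1) binary in the token-minter image; 30s is the budget for the first mint.` next to the `Command` would document both assumptions.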
@@ -0,0 +1,288 @@ +package controlplanecomponent + +import ( + "path" + "testing" + + . "github.com/onsi/gomega" + + hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1" + + corev1 "k8s.io/api/core/v1" +) + +func TestInjectContainer(t *testing.T) { + baseOpts := TokenMinterContainerOptions{ + TokenType: CloudToken, + ServiceAccountName: "test-sa", + ServiceAccountNameSpace: "test-ns", + } + + baseContainer := corev1.Container{ + Name: "cloud-token-minter", + Image: "test-image", + } + + basePodSpec := func() *corev1.PodSpec { + return &corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "main"}, + }, + } + } + + t.Run("When native sidecars are enabled it should inject as init container with RestartPolicy Always", func(t *testing.T) { + g := NewGomegaWithT(t) + + podSpec := basePodSpec() + baseOpts.injectContainer(true, podSpec, baseContainer, cloudTokenFileMountPath, "cloud-token") + + g.Expect(podSpec.InitContainers).To(HaveLen(1)) + g.Expect(podSpec.Containers).To(HaveLen(1), "should not add to regular containers") + + initContainer := podSpec.InitContainers[0] + g.Expect(initContainer.Name).To(Equal("cloud-token-minter")) + g.Expect(initContainer.RestartPolicy).ToNot(BeNil()) + g.Expect(*initContainer.RestartPolicy).To(Equal(corev1.ContainerRestartPolicyAlways)) + }) + + t.Run("When native sidecars are enabled it should set a startup probe that checks the token file", func(t *testing.T) { + g := NewGomegaWithT(t) + + podSpec := basePodSpec() + baseOpts.injectContainer(true, podSpec, baseContainer, cloudTokenFileMountPath, "cloud-token") + + initContainer := podSpec.InitContainers[0] + g.Expect(initContainer.StartupProbe).ToNot(BeNil()) + g.Expect(initContainer.StartupProbe.Exec).ToNot(BeNil()) + g.Expect(initContainer.StartupProbe.Exec.Command).To(Equal( + []string{"test", "-f", path.Join(cloudTokenFileMountPath, "token")}, + )) + g.Expect(initContainer.StartupProbe.PeriodSeconds).To(Equal(int32(1))) + 
g.Expect(initContainer.StartupProbe.FailureThreshold).To(Equal(int32(30))) + }) + + t.Run("When native sidecars are enabled with KubeAPIServerToken it should use cloudTokenFileMountPath for the startup probe", func(t *testing.T) { + g := NewGomegaWithT(t) + + podSpec := basePodSpec() + baseOpts.injectContainer(true, podSpec, baseContainer, kubeAPITokenFileMountPath, "apiserver-token") + + initContainer := podSpec.InitContainers[0] + g.Expect(initContainer.StartupProbe.Exec.Command).To(Equal( + []string{"test", "-f", path.Join(cloudTokenFileMountPath, "token")}, + ), "probe must check the token-minter's own mount path, not the main container's") + }) + + t.Run("When native sidecars are disabled it should inject as regular sidecar container", func(t *testing.T) { + g := NewGomegaWithT(t) + + podSpec := basePodSpec() + baseOpts.injectContainer(false, podSpec, baseContainer, cloudTokenFileMountPath, "cloud-token") + + g.Expect(podSpec.InitContainers).To(BeEmpty()) + g.Expect(podSpec.Containers).To(HaveLen(2)) + + sidecar := podSpec.Containers[1] + g.Expect(sidecar.Name).To(Equal("cloud-token-minter")) + g.Expect(sidecar.RestartPolicy).To(BeNil()) + g.Expect(sidecar.StartupProbe).To(BeNil()) + }) + + t.Run("When OneShot is true it should inject as regular init container without restart policy or probe", func(t *testing.T) { + g := NewGomegaWithT(t) + + oneShotOpts := TokenMinterContainerOptions{ + TokenType: CloudToken, + ServiceAccountName: "test-sa", + ServiceAccountNameSpace: "test-ns", + OneShot: true, + } + + for _, nativeSidecars := range []bool{true, false} { + podSpec := basePodSpec() + oneShotOpts.injectContainer(nativeSidecars, podSpec, baseContainer, cloudTokenFileMountPath, "cloud-token") + + g.Expect(podSpec.InitContainers).To(HaveLen(1), "oneshot minters should be injected as init containers") + g.Expect(podSpec.Containers).To(HaveLen(1), "oneshot minters should not be added to regular containers") + 
g.Expect(podSpec.InitContainers[0].RestartPolicy).To(BeNil()) + g.Expect(podSpec.InitContainers[0].StartupProbe).To(BeNil()) + } + }) + + t.Run("When injecting it should always add volume mount to the main container", func(t *testing.T) { + g := NewGomegaWithT(t) + + for _, nativeSidecars := range []bool{true, false} { + podSpec := basePodSpec() + baseOpts.injectContainer(nativeSidecars, podSpec, baseContainer, cloudTokenFileMountPath, "cloud-token") + + mainContainer := podSpec.Containers[0] + g.Expect(mainContainer.VolumeMounts).To(ContainElement(corev1.VolumeMount{ + Name: "cloud-token", + MountPath: cloudTokenFileMountPath, + })) + } + }) +} + +func TestInjectTokenMinterContainer(t *testing.T) { + opts := TokenMinterContainerOptions{ + TokenType: CloudAndAPIServerToken, + ServiceAccountName: "test-sa", + ServiceAccountNameSpace: "test-ns", + } + + fakeImageProvider := &fakeReleaseImageProvider{images: map[string]string{"token-minter": "test-image:latest"}} + + t.Run("When CloudAndAPIServerToken on AWS with native sidecars it should inject two init containers", func(t *testing.T) { + g := NewGomegaWithT(t) + + podSpec := &corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "main"}, + }, + } + + cpContext := ControlPlaneContext{ + HCP: &hyperv1.HostedControlPlane{ + Spec: hyperv1.HostedControlPlaneSpec{ + Platform: hyperv1.PlatformSpec{ + Type: hyperv1.AWSPlatform, + }, + }, + }, + ReleaseImageProvider: fakeImageProvider, + NativeSidecarContainersEnabled: true, + } + + opts.injectTokenMinterContainer(cpContext, podSpec) + + g.Expect(podSpec.InitContainers).To(HaveLen(2)) + g.Expect(podSpec.InitContainers[0].Name).To(Equal("cloud-token-minter")) + g.Expect(podSpec.InitContainers[1].Name).To(Equal("apiserver-token-minter")) + g.Expect(podSpec.Containers).To(HaveLen(1), "should not add token-minter to regular containers") + }) + + t.Run("When CloudAndAPIServerToken on AWS without native sidecars it should inject two regular containers", func(t *testing.T) { + 
g := NewGomegaWithT(t) + + podSpec := &corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "main"}, + }, + } + + cpContext := ControlPlaneContext{ + HCP: &hyperv1.HostedControlPlane{ + Spec: hyperv1.HostedControlPlaneSpec{ + Platform: hyperv1.PlatformSpec{ + Type: hyperv1.AWSPlatform, + }, + }, + }, + ReleaseImageProvider: fakeImageProvider, + NativeSidecarContainersEnabled: false, + } + + opts.injectTokenMinterContainer(cpContext, podSpec) + + g.Expect(podSpec.InitContainers).To(BeEmpty()) + g.Expect(podSpec.Containers).To(HaveLen(3)) + g.Expect(podSpec.Containers[1].Name).To(Equal("cloud-token-minter")) + g.Expect(podSpec.Containers[2].Name).To(Equal("apiserver-token-minter")) + }) + + t.Run("When CloudToken on GCP with native sidecars it should inject one cloud init container", func(t *testing.T) { + g := NewGomegaWithT(t) + + gcpOpts := TokenMinterContainerOptions{ + TokenType: CloudToken, + ServiceAccountName: "test-sa", + ServiceAccountNameSpace: "test-ns", + } + + podSpec := &corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "main"}, + }, + } + + cpContext := ControlPlaneContext{ + HCP: &hyperv1.HostedControlPlane{ + Spec: hyperv1.HostedControlPlaneSpec{ + Platform: hyperv1.PlatformSpec{ + Type: hyperv1.GCPPlatform, + }, + }, + }, + ReleaseImageProvider: fakeImageProvider, + NativeSidecarContainersEnabled: true, + } + + gcpOpts.injectTokenMinterContainer(cpContext, podSpec) + + g.Expect(podSpec.InitContainers).To(HaveLen(1)) + g.Expect(podSpec.InitContainers[0].Name).To(Equal("cloud-token-minter")) + g.Expect(podSpec.Containers).To(HaveLen(1), "should not add token-minter to regular containers") + }) + + t.Run("When KubeAPIServerToken on non-cloud platform with native sidecars it should inject one init container", func(t *testing.T) { + g := NewGomegaWithT(t) + + apiServerOpts := TokenMinterContainerOptions{ + TokenType: KubeAPIServerToken, + ServiceAccountName: "test-sa", + ServiceAccountNameSpace: "test-ns", + } + + podSpec := 
&corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "main"}, + }, + } + + cpContext := ControlPlaneContext{ + HCP: &hyperv1.HostedControlPlane{ + Spec: hyperv1.HostedControlPlaneSpec{ + Platform: hyperv1.PlatformSpec{ + Type: hyperv1.KubevirtPlatform, + }, + }, + }, + ReleaseImageProvider: fakeImageProvider, + NativeSidecarContainersEnabled: true, + } + + apiServerOpts.injectTokenMinterContainer(cpContext, podSpec) + + g.Expect(podSpec.InitContainers).To(HaveLen(1)) + g.Expect(podSpec.InitContainers[0].Name).To(Equal("apiserver-token-minter")) + g.Expect(podSpec.Containers).To(HaveLen(1), "cloud token should not be injected for non-cloud platform") + }) +} + +type fakeReleaseImageProvider struct { + images map[string]string +} + +func (f *fakeReleaseImageProvider) GetImage(name string) string { + return f.images[name] +} + +func (f *fakeReleaseImageProvider) ImageExist(name string) (string, bool) { + img, ok := f.images[name] + return img, ok +} + +func (f *fakeReleaseImageProvider) Version() string { + return "4.18.0" +} + +func (f *fakeReleaseImageProvider) ComponentVersions() (map[string]string, error) { + return nil, nil +} + +func (f *fakeReleaseImageProvider) ComponentImages() map[string]string { + return f.images +} diff --git a/test/e2e/util/util.go b/test/e2e/util/util.go index 49c88f9a3ad..0df0c5a2826 100644 --- a/test/e2e/util/util.go +++ b/test/e2e/util/util.go 
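Review bot: The `len(podSpec.Containers) == 0` panic branch of `injectContainer` has no test, and nothing checks where the minter lands relative to a pre-existing init container such as the availability-prober. A subtest along the lines of `g.Expect(func() { baseOpts.injectContainer(true, &corev1.PodSpec{}, baseContainer, cloudTokenFileMountPath, "cloud-token") }).To(Panic())` pins the contract, and one that seeds `InitContainers` with a placeholder entry confirms the minter is appended after it. The `fakeReleaseImageProvider` methods return fixed values; a one-line comment on the type, `// fakeReleaseImageProvider serves a static image map; Version and ComponentVersions are placeholders.`, would help readers.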
@@ -133,9 +133,6 @@ var ( "network-node-identity": 1, // temporary workaround for https://issues.redhat.com/browse/CNV-76520 "kubevirt-cloud-controller-manager": 2, - // Allow 1 restart for token-minter sidecar race condition: https://issues.redhat.com/browse/GCP-441 - // TODO(GCP-447): Remove this toleration once token-minter is injected as a native sidecar init container. - "gcp-cloud-controller-manager": 1, // Allow 5 restarts for dns-operator due to new RBAC rollout out by CVO trailing dns-operator rollout // https://redhat.atlassian.net/browse/OCPBUGS-78539 // https://redhat.atlassian.net/browse/NE-2500