From 9dc48ceb918b4ac0fda26278e92cf43dc570dc3f Mon Sep 17 00:00:00 2001 
From: Cristiano Veiga
Date: Wed, 25 Mar 2026 20:32:26 -0400
Subject: [PATCH] feat(cpo): inject token-minter as native sidecar init container

Change InjectTokenMinterContainer in the cpov2 framework to inject the token-minter as a native sidecar init container (RestartPolicy=Always) with a StartupProbe that blocks main containers until the token file exists. This eliminates the race condition where the main container starts before the token is written, causing fatal crashes (observed in GCP CCM CI). For backwards compatibility, the management cluster K8s version is detected at startup via DetectManagementClusterCapabilities. On K8s >= 1.29 (where the SidecarContainers feature gate is beta and enabled by default), the native sidecar pattern is used. On older clusters, the current regular sidecar container injection is preserved. OneShot token-minters are injected as regular init containers, which run to completion before main containers start.

Ref: https://issues.redhat.com/browse/GCP-447
Co-Authored-By: Claude Opus 4.6
---
 .../hostedcontrolplane_controller.go | 27 +-
 .../hostedcontrolplane_controller_test.go | 7 +-
 ...s_cloud_controller_manager_deployment.yaml | 13 +-
 ...s_cloud_controller_manager_deployment.yaml | 14 +-
 ...s_cloud_controller_manager_deployment.yaml | 14 +-
 ...s_node_termination_handler_deployment.yaml | 15 +-
 ...s_node_termination_handler_deployment.yaml | 16 +-
 ...s_node_termination_handler_deployment.yaml | 16 +-
 ...e_cloud_controller_manager_deployment.yaml | 13 +-
 ...e_cloud_controller_manager_deployment.yaml | 14 +-
 ...e_cloud_controller_manager_deployment.yaml | 14 +-
 ...er_image_registry_operator_deployment.yaml | 14 +-
 ...er_image_registry_operator_deployment.yaml | 25 +-
 ...er_image_registry_operator_deployment.yaml | 14 +-
 ...er_image_registry_operator_deployment.yaml | 27 +-
 ...er_image_registry_operator_deployment.yaml | 27 +-
 ...p_cloud_controller_manager_deployment.yaml | 4 +-
 ...p_cloud_controller_manager_deployment.yaml | 17 +-
 ...p_cloud_controller_manager_deployment.yaml | 4 +-
 ...p_cloud_controller_manager_deployment.yaml | 18 +-
 ...p_cloud_controller_manager_deployment.yaml | 18 +-
 ...omponents_ingress_operator_deployment.yaml | 56 ++--
 ...omponents_ingress_operator_deployment.yaml | 45 +--
 ...omponents_ingress_operator_deployment.yaml | 45 +--
 .../deployment.yaml | 4 +-
 control-plane-operator/main.go | 1 +
 .../management_cluster_capabilities.go | 45 ++-
 .../management_cluster_capabilities_test.go | 90 +++++-
 .../controlplane-component.go | 4 +
 .../token-minter-container.go | 51 +++-
 .../token-minter-container_test.go | 288 ++++++++++++++++++
 test/e2e/util/util.go | 3 -
 32 files changed, 774 insertions(+), 189 deletions(-)
 create mode 100644 support/controlplane-component/token-minter-container_test.go

diff --git a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
index 9da2f5bab36..63bc270cab7 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go
@@ -1172,19 +1172,20 @@ func (r *HostedControlPlaneReconciler) reconcileCPOV2(ctx context.Context, hcp *
 }
 cpContext := component.ControlPlaneContext{
- Context: ctx,
- Client: r.Client,
- GVKAccessChecker: r.GVKAccessChecker,
- HCP: hcp,
- ApplyProvider: upsert.NewApplyProvider(r.EnableCIDebugOutput),
- InfraStatus: infraStatus,
- ReleaseImageProvider: releaseImageProvider,
- UserReleaseImageProvider: userReleaseImageProvider,
- SetDefaultSecurityContext: r.SetDefaultSecurityContext,
- DefaultSecurityContextUID: r.DefaultSecurityContextUID,
- MetricsSet: r.MetricsSet,
- EnableCIDebugOutput: r.EnableCIDebugOutput,
- ImageMetadataProvider: r.ImageMetadataProvider,
+ Context: ctx,
+ Client: r.Client,
+ GVKAccessChecker: r.GVKAccessChecker,
+ HCP: hcp,
+ ApplyProvider: upsert.NewApplyProvider(r.EnableCIDebugOutput),
+ InfraStatus: infraStatus,
+ ReleaseImageProvider: releaseImageProvider,
+ UserReleaseImageProvider: userReleaseImageProvider,
+ SetDefaultSecurityContext: r.SetDefaultSecurityContext,
+ DefaultSecurityContextUID: r.DefaultSecurityContextUID,
+ MetricsSet: r.MetricsSet,
+ EnableCIDebugOutput: r.EnableCIDebugOutput,
+ ImageMetadataProvider: r.ImageMetadataProvider,
+ NativeSidecarContainersEnabled: r.ManagementClusterCapabilities.Has(capabilities.CapabilityNativeSidecarContainers),
 }
 var errs []error
diff --git a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go
index 8392db43510..1c4eba8dfd7 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go
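Review bot: The new `NativeSidecarContainersEnabled` value is taken from a management-cluster capability that, per the commit message, is inferred from the Kubernetes version rather than from the SidecarContainers feature gate itself; on a >=1.29 management cluster where an administrator has disabled that gate, the API server is expected to drop `restartPolicy: Always` from the init container (upstream drops disabled fields on the pod template), so a long-running token-minter would then hold the pod in Init indefinitely instead of merely racing the main container. The value is also captured once at operator startup, so a management-cluster upgrade only changes the injection shape after the CPO restarts. Suggest a comment on this assignment, e.g. `// Version-based heuristic: if the SidecarContainers gate is off on a >=1.29 cluster the restartPolicy is dropped and the sidecar becomes a blocking init container.`, and ideally a post-apply check that the persisted Deployment still carries the init-container restartPolicy, falling back to the legacy injection if it does not. reconcileCPOV2 starts and ends outside this hunk.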
@@ -1228,9 +1228,10 @@ func TestControlPlaneComponents(t *testing.T) {
 },
 Manifest: fakeimagemetadataprovider.FakeManifest{},
 },
- HCP: hcp,
- SkipPredicate: true,
- SkipCertificateSigning: true,
+ HCP: hcp,
+ SkipPredicate: true,
+ SkipCertificateSigning: true,
+ NativeSidecarContainersEnabled: true,
 }
 cpContext.HCP.Spec.Configuration.FeatureGate.FeatureGateSelection.FeatureSet = tt.featureSet
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
index 7382fdf0100..d2f4684687b 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
@@ -109,6 +109,7 @@ spec:
 name: cloud-token
 - mountPath: /tmp
 name: tmp-dir
+ initContainers:
 - args:
 - --token-audience=openshift
 - --service-account-namespace=kube-system
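Review bot: Hard-coding `NativeSidecarContainersEnabled: true` here means every fixture exercises only the native-sidecar path, so the legacy regular-sidecar injection retained for pre-1.29 management clusters has no fixture coverage; consider making it a dimension of the test table so both shapes are pinned. The fixtures this setting regenerates also show the token-minter losing `readOnlyRootFilesystem: true` and its `/tmp` emptyDir mount once it moves into initContainers (see the removed lines in the aws-cloud-controller-manager and cluster-image-registry-operator fixtures below), which looks like a hardening pass that only walks `.Spec.Containers` rather than an intended relaxation; the token-minter only writes under its mounted token volume, so the same hardening should be applied to the injected init container instead of being accepted into the fixtures. Separately, the gcp-cloud-controller-manager fixtures change `spec.selector.matchLabels.app` from `gcp-cloud-controller-manager` to `cloud-controller-manager`, which is unrelated to this change and, if it reflects a code change rather than stale fixtures, cannot be applied in place because a Deployment selector is immutable. TestControlPlaneComponents continues outside this hunk.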
@@ -125,21 +126,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml index 74d66ad2080..ec4d646c01b 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml @@ -104,6 +104,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -120,16 +121,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml index 74d66ad2080..ec4d646c01b 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml @@ -104,6 +104,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -120,16 +121,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/GCP/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/GCP/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml index 1e06c38e47d..298f15ef1a5 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/GCP/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/GCP/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml @@ -174,6 +174,8 @@ spec: name: svc-kubeconfig - mountPath: /tmp name: tmp-dir + enableServiceLinks: false + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -190,22 +192,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: svc-kubeconfig - - mountPath: /tmp - name: tmp-dir - enableServiceLinks: false nodeSelector: kubernetes.io/os: linux priorityClassName: hypershift-control-plane diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml index 7be962d26f0..08cd268c852 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml @@ -164,6 +164,8 @@ spec: name: svc-kubeconfig - mountPath: /tmp name: tmp-dir + enableServiceLinks: false + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -180,17 +182,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: svc-kubeconfig - - mountPath: /tmp - name: tmp-dir - enableServiceLinks: false nodeSelector: kubernetes.io/os: linux priorityClassName: hypershift-control-plane diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml index 7be962d26f0..08cd268c852 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-node-termination-handler/zz_fixture_TestControlPlaneComponents_aws_node_termination_handler_deployment.yaml @@ -164,6 +164,8 @@ spec: name: svc-kubeconfig - mountPath: /tmp name: tmp-dir + enableServiceLinks: false + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -180,17 +182,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: svc-kubeconfig - - mountPath: /tmp - name: tmp-dir - enableServiceLinks: false nodeSelector: kubernetes.io/os: linux priorityClassName: hypershift-control-plane diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml index 07413363cc4..82e9a468ede 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml @@ -100,6 +100,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -116,21 +117,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml index befb008578b..db98131c478 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml @@ -95,6 +95,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -111,16 +112,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml index befb008578b..db98131c478 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml @@ -95,6 +95,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system 
@@ -111,16 +112,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml index 516d42e4371..3235e33d60f 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml @@ -137,6 +137,7 @@ spec: name: apiserver-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster - --service-account-namespace=openshift-image-registry 
@@ -153,16 +154,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: apiserver-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml index 3d72299f2dc..721957498ec 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml @@ -139,6 +139,7 @@ spec: name: apiserver-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=openshift-image-registry 
@@ -155,21 +156,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir - args: - --token-audience=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster - --service-account-namespace=openshift-image-registry @@ -186,21 +193,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: apiserver-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml index 1806008aff1..eab0ebaf475 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml 
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml @@ -132,6 +132,7 @@ spec: name: apiserver-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster - --service-account-namespace=openshift-image-registry @@ -148,16 +149,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: apiserver-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml index 6312eec5c53..88023eb1aae 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml 
@@ -134,6 +134,7 @@ spec: name: apiserver-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=openshift-image-registry @@ -150,16 +151,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir - args: - --token-audience=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster - --service-account-namespace=openshift-image-registry @@ -176,16 +182,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: apiserver-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml index 6312eec5c53..88023eb1aae 100644 
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-image-registry-operator/zz_fixture_TestControlPlaneComponents_cluster_image_registry_operator_deployment.yaml @@ -134,6 +134,7 @@ spec: name: apiserver-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=openshift-image-registry @@ -150,16 +151,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir - args: - --token-audience=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster - --service-account-namespace=openshift-image-registry @@ -176,16 +182,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: apiserver-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml index 1cf53d66d31..baf2c753d6a 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml @@ -18,7 +18,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: @@ -28,7 +28,7 @@ spec: component.hypershift.openshift.io/config-hash: eafd03f7 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager hypershift.openshift.io/control-plane-component: gcp-cloud-controller-manager hypershift.openshift.io/hosted-control-plane: hcp-namespace spec: diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml index 7548d98ef51..c53dfc1673b 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml 
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml @@ -18,7 +18,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: @@ -28,7 +28,7 @@ spec: component.hypershift.openshift.io/config-hash: eafd03f7 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager hypershift.openshift.io/control-plane-component: gcp-cloud-controller-manager hypershift.openshift.io/hosted-control-plane: hcp-namespace spec: @@ -104,6 +104,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system @@ -120,21 +121,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml index 1cf53d66d31..baf2c753d6a 100644 
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml @@ -18,7 +18,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: @@ -28,7 +28,7 @@ spec: component.hypershift.openshift.io/config-hash: eafd03f7 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager hypershift.openshift.io/control-plane-component: gcp-cloud-controller-manager hypershift.openshift.io/hosted-control-plane: hcp-namespace spec: diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml index 3189c4b667a..2eea788e499 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml @@ -18,7 +18,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: 
@@ -28,7 +28,7 @@ spec: component.hypershift.openshift.io/config-hash: eafd03f7 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager hypershift.openshift.io/control-plane-component: gcp-cloud-controller-manager hypershift.openshift.io/hosted-control-plane: hcp-namespace spec: @@ -99,6 +99,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system @@ -115,16 +116,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml index 3189c4b667a..2eea788e499 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml 
@@ -18,7 +18,7 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: @@ -28,7 +28,7 @@ spec: component.hypershift.openshift.io/config-hash: eafd03f7 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager hypershift.openshift.io/control-plane-component: gcp-cloud-controller-manager hypershift.openshift.io/hosted-control-plane: hcp-namespace spec: @@ -99,6 +99,7 @@ spec: name: cloud-token - mountPath: /tmp name: tmp-dir + initContainers: - args: - --token-audience=openshift - --service-account-namespace=kube-system @@ -115,16 +116,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: kubeconfig - - mountPath: /tmp - name: tmp-dir priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/GCP/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/GCP/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml index 8496f38fa61..4ffbeb92446 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/GCP/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/GCP/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml 
@@ -147,6 +147,28 @@ spec: name: konnectivity-proxy-ca - mountPath: /tmp name: tmp-dir + initContainers: + - command: + - /usr/bin/control-plane-operator + - availability-prober + - --target + - https://kube-apiserver:6443/readyz + - --kubeconfig=/var/kubeconfig/kubeconfig + - --required-api=route.openshift.io,v1,Route + image: availability-prober + imagePullPolicy: IfNotPresent + name: availability-prober + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/kubeconfig + name: service-account-kubeconfig - args: - --token-audience=openshift - --service-account-namespace=openshift-ingress-operator @@ -163,43 +185,27 @@ spec: requests: cpu: 10m memory: 30Mi + restartPolicy: Always securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - readOnlyRootFilesystem: true runAsNonRoot: true + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: admin-kubeconfig - - mountPath: /tmp - name: tmp-dir - initContainers: - - command: - - /usr/bin/control-plane-operator - - availability-prober - - --target - - https://kube-apiserver:6443/readyz - - --kubeconfig=/var/kubeconfig/kubeconfig - - --required-api=route.openshift.io,v1,Route - image: availability-prober - imagePullPolicy: IfNotPresent - name: availability-prober - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsNonRoot: true - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/kubeconfig - name: service-account-kubeconfig priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml index 42aadbf522a..20270519640 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml @@ -137,6 +137,22 @@ spec: name: konnectivity-proxy-ca - mountPath: /tmp name: tmp-dir + initContainers: + - command: + - /usr/bin/control-plane-operator + - availability-prober + - --target + - https://kube-apiserver:6443/readyz + - --kubeconfig=/var/kubeconfig/kubeconfig + - --required-api=route.openshift.io,v1,Route + image: availability-prober + imagePullPolicy: IfNotPresent + name: availability-prober + resources: {} + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/kubeconfig + name: service-account-kubeconfig - args: - --token-audience=openshift - --service-account-namespace=openshift-ingress-operator 
@@ -153,32 +169,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: admin-kubeconfig - - mountPath: /tmp - name: tmp-dir - initContainers: - - command: - - /usr/bin/control-plane-operator - - availability-prober - - --target - - https://kube-apiserver:6443/readyz - - --kubeconfig=/var/kubeconfig/kubeconfig - - --required-api=route.openshift.io,v1,Route - image: availability-prober - imagePullPolicy: IfNotPresent - name: availability-prober - resources: {} - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/kubeconfig - name: service-account-kubeconfig priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml index 42aadbf522a..20270519640 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/ingress-operator/zz_fixture_TestControlPlaneComponents_ingress_operator_deployment.yaml 
@@ -137,6 +137,22 @@ spec: name: konnectivity-proxy-ca - mountPath: /tmp name: tmp-dir + initContainers: + - command: + - /usr/bin/control-plane-operator + - availability-prober + - --target + - https://kube-apiserver:6443/readyz + - --kubeconfig=/var/kubeconfig/kubeconfig + - --required-api=route.openshift.io,v1,Route + image: availability-prober + imagePullPolicy: IfNotPresent + name: availability-prober + resources: {} + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/kubeconfig + name: service-account-kubeconfig - args: - --token-audience=openshift - --service-account-namespace=openshift-ingress-operator @@ -153,32 +169,21 @@ spec: requests: cpu: 10m memory: 30Mi - securityContext: - readOnlyRootFilesystem: true + restartPolicy: Always + startupProbe: + exec: + command: + - test + - -f + - /var/run/secrets/openshift/serviceaccount/token + failureThreshold: 30 + periodSeconds: 1 terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/run/secrets/openshift/serviceaccount name: cloud-token - mountPath: /etc/kubernetes name: admin-kubeconfig - - mountPath: /tmp - name: tmp-dir - initContainers: - - command: - - /usr/bin/control-plane-operator - - availability-prober - - --target - - https://kube-apiserver:6443/readyz - - --kubeconfig=/var/kubeconfig/kubeconfig - - --required-api=route.openshift.io,v1,Route - image: availability-prober - imagePullPolicy: IfNotPresent - name: availability-prober - resources: {} - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /var/kubeconfig - name: service-account-kubeconfig priorityClassName: hypershift-control-plane tolerations: - effect: NoSchedule diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/gcp-cloud-controller-manager/deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/gcp-cloud-controller-manager/deployment.yaml index 0b09eed16c9..eebfa7d5975 100644 
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/gcp-cloud-controller-manager/deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/gcp-cloud-controller-manager/deployment.yaml @@ -7,13 +7,13 @@ spec: revisionHistoryLimit: 2 selector: matchLabels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager strategy: type: Recreate template: metadata: labels: - app: gcp-cloud-controller-manager + app: cloud-controller-manager spec: containers: - name: cloud-controller-manager diff --git a/control-plane-operator/main.go b/control-plane-operator/main.go index 1b5a3caec11..675c0427070 100644 --- a/control-plane-operator/main.go +++ b/control-plane-operator/main.go @@ -255,6 +255,7 @@ func NewStartCommand() *cobra.Command { setupLog.Error(err, "unable to detect cluster capabilities") os.Exit(1) } + setupLog.Info("Native sidecar containers support", "enabled", mgmtClusterCaps.Has(capabilities.CapabilityNativeSidecarContainers)) hcpClient, err := hyperclient.NewForConfig(mgr.GetConfig()) if err != nil { diff --git a/support/capabilities/management_cluster_capabilities.go b/support/capabilities/management_cluster_capabilities.go index ddf831720fb..3c93324343c 100644 --- a/support/capabilities/management_cluster_capabilities.go +++ b/support/capabilities/management_cluster_capabilities.go @@ -1,6 +1,7 @@ package capabilities import ( + "fmt" "sync" configv1 "github.com/openshift/api/config/v1" @@ -12,6 +13,8 @@ import ( "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/client-go/discovery" + + "github.com/blang/semver" ) type CapabiltyChecker interface { 
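Review bot: The `app` label change in `spec.selector.matchLabels` of `assets/gcp-cloud-controller-manager/deployment.yaml` rewrites an immutable Deployment field; on any management cluster that already runs a `gcp-cloud-controller-manager` Deployment with the old selector, the update will be rejected with a `field is immutable` error unless the reconciler deletes and recreates the object. The fixtures in this patch show the selector and the pod-template label changing together, so pod selection stays self-consistent, but neither the hunk nor the commit message says whether in-place upgrades of existing GCP hosted control planes were considered. If the GCP platform has not shipped yet this is harmless; otherwise either keep the selector value and change only the template labels, or document the recreate requirement next to the selector, e.g. `# NOTE: selector is immutable; changing app requires recreating the Deployment`.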
@@ -73,6 +76,10 @@ const ( // CapabilityValidatingAdmissionPolicy indicates if the cluster supports ValidatingAdmissionPolicy // admissionregistration.k8s.io/v1 CapabilityValidatingAdmissionPolicy + + // CapabilityNativeSidecarContainers indicates if the management cluster supports native sidecar + // containers (K8s >= 1.29, where the SidecarContainers feature gate is beta and enabled by default). + CapabilityNativeSidecarContainers ) // ManagementClusterCapabilities holds all information about optional capabilities of @@ -115,7 +122,14 @@ func isAPIResourceRegistered(client discovery.ServerResourcesInterface, groupVer return false, nil } -func DetectManagementClusterCapabilities(client discovery.ServerResourcesInterface) (*ManagementClusterCapabilities, error) { +// ManagementClusterDiscoveryClient combines the interfaces needed for detecting +// management cluster capabilities: API resource checks and server version checks. +type ManagementClusterDiscoveryClient interface { + discovery.ServerResourcesInterface + discovery.ServerVersionInterface +} + +func DetectManagementClusterCapabilities(client ManagementClusterDiscoveryClient) (*ManagementClusterCapabilities, error) { discoveredCapabilities := map[CapabilityType]struct{}{} // check for route capability 
@@ -227,5 +241,34 @@ func DetectManagementClusterCapabilities(client discovery.ServerResourcesInterfa discoveredCapabilities[CapabilityValidatingAdmissionPolicy] = struct{}{} } + // check for native sidecar containers support (K8s >= 1.29) + hasNativeSidecarCap, err := supportsNativeSidecarContainers(client) + if err != nil { + return nil, err + } + if hasNativeSidecarCap { + discoveredCapabilities[CapabilityNativeSidecarContainers] = struct{}{} + } + return &ManagementClusterCapabilities{capabilities: discoveredCapabilities}, nil } + +// supportsNativeSidecarContainers checks if the management cluster's Kubernetes version supports +// native sidecar containers (K8s >= 1.29, where the SidecarContainers feature gate is beta and enabled by default). +func supportsNativeSidecarContainers(client discovery.ServerVersionInterface) (bool, error) { + info, err := client.ServerVersion() + if err != nil { + return false, fmt.Errorf("failed to detect management cluster version: %w", err) + } + + version, err := semver.ParseTolerant(info.GitVersion) + if err != nil { + return false, fmt.Errorf("failed to parse management cluster version %q: %w", info.GitVersion, err) + } + + // Native sidecar containers (RestartPolicy=Always on init containers) are beta and enabled + // by default starting in K8s 1.29. See https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ + // Compare only major/minor to avoid semver pre-release ordering issues with vendor-suffixed + // versions (e.g. v1.29.0-gke.1 sorts below v1.29.0 per semver spec). + return version.Major > 1 || (version.Major == 1 && version.Minor >= 29), nil +} diff --git a/support/capabilities/management_cluster_capabilities_test.go b/support/capabilities/management_cluster_capabilities_test.go index e4254050351..ef3faa31d72 100644 --- a/support/capabilities/management_cluster_capabilities_test.go +++ b/support/capabilities/management_cluster_capabilities_test.go 
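Review bot: `supportsNativeSidecarContainers` decides from `client.ServerVersion()`, which is the API server's version, while native sidecar semantics are enforced by each kubelet's `SidecarContainers` gate; Kubernetes allows kubelets several minor versions behind the API server, so on a mixed-version management cluster a 1.29 API server can place the pod on an older kubelet, which would likely treat the `restartPolicy: Always` init container as an ordinary init container that never exits, leaving the main containers stuck in Init. That is worth recording as a known limitation in the doc comment, e.g. `// NOTE: this reflects the API server version only; kubelets older than 1.29 (permitted by version skew) will not honor RestartPolicy=Always on init containers.` Any failure of the `/version` request now aborts capability detection entirely and, per the main.go hunk, exits the operator, so consider whether a transient discovery error should instead fall back to the non-native injection path rather than a hard exit. Separately, `k8s.io/apimachinery/pkg/util/version` (already reachable through the apimachinery packages this file imports) provides `ParseGeneric` with `Major()`/`Minor()` that is designed for GitVersion strings such as `v1.29.3+abcdef1` and `v1.29.0-gke.1`, which would avoid introducing `blang/semver` for a single major/minor comparison.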
@@ -14,6 +14,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" + apiversion "k8s.io/apimachinery/pkg/version" "k8s.io/client-go/discovery" ) @@ -146,7 +147,7 @@ func TestDetectManagementCapabilities(t *testing.T) { testCases := []struct { name string - client discovery.ServerResourcesInterface + client ManagementClusterDiscoveryClient capabilityType CapabilityType resultErr error isRegistered bool @@ -263,11 +264,12 @@ func newFailableFakeDiscoveryClient(err error, discovered ...metav1.APIResourceL return discoveryClient } -// fakeFailableDiscoveryClient is a custom implementation of discovery.ServerResourcesInterface. +// fakeFailableDiscoveryClient is a custom implementation of ManagementClusterDiscoveryClient. // Existing fake clients are not flexible enough to express all resource and error responses relevant for testing. type fakeFailableDiscoveryClient struct { - Resources []*metav1.APIResourceList - err error + Resources []*metav1.APIResourceList + err error + gitVersion string } func (f fakeFailableDiscoveryClient) ServerResourcesForGroupVersion(groupVersion string) (*metav1.APIResourceList, error) { 
@@ -294,3 +296,83 @@ func (f fakeFailableDiscoveryClient) ServerPreferredResources() ([]*metav1.APIRe func (f fakeFailableDiscoveryClient) ServerPreferredNamespacedResources() ([]*metav1.APIResourceList, error) { panic("implement me") } + +func (f fakeFailableDiscoveryClient) ServerVersion() (*apiversion.Info, error) { + if f.gitVersion == "" { + return &apiversion.Info{GitVersion: "v1.30.0"}, nil + } + return &apiversion.Info{GitVersion: f.gitVersion}, nil +} + +func TestDetectNativeSidecarCapability(t *testing.T) { + tests := []struct { + name string + gitVersion string + expectedSupport bool + }{ + { + name: "When K8s version is 1.29.0 it should support native sidecars", + gitVersion: "v1.29.0", + expectedSupport: true, + }, + { + name: "When K8s version is 1.30.0 it should support native sidecars", + gitVersion: "v1.30.0", + expectedSupport: true, + }, + { + name: "When K8s version is 1.28.0 it should not support native sidecars", + gitVersion: "v1.28.0", + expectedSupport: false, + }, + { + name: "When K8s version is 1.27.0 it should not support native sidecars", + gitVersion: "v1.27.0", + expectedSupport: false, + }, + { + name: "When K8s version is an OCP-style version it should parse correctly", + gitVersion: "v1.29.3+abcdef1", + expectedSupport: true, + }, + { + name: "When K8s version is a GKE-style version it should support native sidecars", + gitVersion: "v1.29.0-gke.1", + expectedSupport: true, + }, + { + name: "When K8s version is a GKE-style version below 1.29 it should not support native sidecars", + gitVersion: "v1.28.0-gke.1", + expectedSupport: false, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + g := NewWithT(t) + + client := fakeFailableDiscoveryClient{ + Resources: []*metav1.APIResourceList{}, + gitVersion: tc.gitVersion, + } + + caps, err := DetectManagementClusterCapabilities(client) + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(caps.Has(CapabilityNativeSidecarContainers)).To(Equal(tc.expectedSupport)) + 
}) + } + + t.Run("When K8s version is malformed it should return an error", func(t *testing.T) { + g := NewWithT(t) + + for _, badVersion := range []string{"not-a-version", "abc.def.ghi"} { + client := fakeFailableDiscoveryClient{ + Resources: []*metav1.APIResourceList{}, + gitVersion: badVersion, + } + + _, err := DetectManagementClusterCapabilities(client) + g.Expect(err).To(HaveOccurred()) + } + }) +} diff --git a/support/controlplane-component/controlplane-component.go b/support/controlplane-component/controlplane-component.go index 885cbf70336..8d2409caa2e 100644 --- a/support/controlplane-component/controlplane-component.go +++ b/support/controlplane-component/controlplane-component.go @@ -68,6 +68,10 @@ type ControlPlaneContext struct { SkipPredicate bool // SkipCertificateSigning is used for the generic unit test to skip the signing of certificates and maintain a stable output. SkipCertificateSigning bool + + // NativeSidecarContainersEnabled indicates whether the management cluster supports native sidecar containers + // (K8s >= 1.29 with SidecarContainers feature gate enabled by default). + NativeSidecarContainersEnabled bool } // WorkloadContext is what we pass to the components(adapt, predicate functions, etc..). diff --git a/support/controlplane-component/token-minter-container.go b/support/controlplane-component/token-minter-container.go index 8687e39dc25..de52c7f4e73 100644 --- a/support/controlplane-component/token-minter-container.go +++ b/support/controlplane-component/token-minter-container.go 
@@ -61,25 +61,54 @@ func (opts TokenMinterContainerOptions) injectTokenMinterContainer(cpContext Con tokenVolume := opts.buildVolume(string(CloudToken)) podSpec.Volumes = append(podSpec.Volumes, tokenVolume) - podSpec.Containers = append(podSpec.Containers, opts.buildContainer(cpContext.HCP, CloudToken, image, tokenVolume)) - - podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{ - Name: tokenVolume.Name, - MountPath: cloudTokenFileMountPath, - }) + container := opts.buildContainer(cpContext.HCP, CloudToken, image, tokenVolume) + opts.injectContainer(cpContext.NativeSidecarContainersEnabled, podSpec, container, cloudTokenFileMountPath, tokenVolume.Name) } if opts.TokenType == KubeAPIServerToken || opts.TokenType == CloudAndAPIServerToken { tokenVolume := opts.buildVolume(string(KubeAPIServerToken)) podSpec.Volumes = append(podSpec.Volumes, tokenVolume) - podSpec.Containers = append(podSpec.Containers, opts.buildContainer(cpContext.HCP, KubeAPIServerToken, image, tokenVolume)) + container := opts.buildContainer(cpContext.HCP, KubeAPIServerToken, image, tokenVolume) + opts.injectContainer(cpContext.NativeSidecarContainersEnabled, podSpec, container, kubeAPITokenFileMountPath, tokenVolume.Name) + } +} - podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{ - Name: tokenVolume.Name, - MountPath: kubeAPITokenFileMountPath, - }) +// injectContainer adds the token-minter container to the pod spec. +// - OneShot minters are injected as regular init containers, which run to completion before main containers start. +// - When native sidecar containers are supported (K8s >= 1.29), it injects as an init container with +// RestartPolicy=Always and a StartupProbe that blocks main containers until the token file exists. +// - Otherwise, it falls back to a regular sidecar container. 
+func (opts TokenMinterContainerOptions) injectContainer(nativeSidecarsEnabled bool, podSpec *corev1.PodSpec, container corev1.Container, mainContainerMountPath string, volumeName string) { + if opts.OneShot { + // OneShot minters run once and exit. As a regular init container, K8s guarantees + // they complete before main containers start, so no probe is needed. + podSpec.InitContainers = append(podSpec.InitContainers, container) + } else if nativeSidecarsEnabled { + restartAlways := corev1.ContainerRestartPolicyAlways + container.RestartPolicy = &restartAlways + container.StartupProbe = &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + Exec: &corev1.ExecAction{ + // The token-minter always writes to cloudTokenFileMountPath regardless of token type. + Command: []string{"test", "-f", path.Join(cloudTokenFileMountPath, "token")}, + }, + }, + PeriodSeconds: 1, + FailureThreshold: 30, + } + podSpec.InitContainers = append(podSpec.InitContainers, container) + } else { + podSpec.Containers = append(podSpec.Containers, container) + } + + if len(podSpec.Containers) == 0 { + panic("injectContainer: podSpec.Containers must have at least one container") } + podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{ + Name: volumeName, + MountPath: mainContainerMountPath, + }) } func (opts TokenMinterContainerOptions) buildContainer(hcp *hyperv1.HostedControlPlane, tokenType TokenType, image string, tokenVolume corev1.Volume) corev1.Container { diff --git a/support/controlplane-component/token-minter-container_test.go b/support/controlplane-component/token-minter-container_test.go new file mode 100644 index 00000000000..c5e3afe4258 --- /dev/null +++ b/support/controlplane-component/token-minter-container_test.go 
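Review bot: The fixtures in this patch show `readOnlyRootFilesystem: true` and the `/tmp` mount disappearing from the token-minter container once it moves to `initContainers` (GCP, TechPreviewNoUpgrade and default fixtures alike), which suggests whatever pass hardens `podSpec.Containers` is not applied to `podSpec.InitContainers`; the minter now runs with a writable root filesystem, and on the non-GCP paths with no `securityContext` at all. Either extend that pass to init containers or set `ReadOnlyRootFilesystem` on the container's `SecurityContext` inside `injectContainer` before appending — `buildContainer` is outside the hunk, so I cannot tell which is cleaner. The startup probe uses `test -f`, which succeeds as soon as the path exists, including a zero-length file from an in-progress write unless the minter writes atomically (temp file + rename); `test -s` additionally requires non-empty content at no extra cost, i.e. `Command: []string{"test", "-s", path.Join(cloudTokenFileMountPath, "token")}`. Finally, the `len(podSpec.Containers) == 0` guard runs after the non-native branch has already appended the minter to `Containers`, so for a pod with no main container it never fires there and the volume mount is attached to the minter itself; move the check to the top of the function so it covers all three branches.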
@@ -0,0 +1,288 @@ +package controlplanecomponent + +import ( + "path" + "testing" + + . "github.com/onsi/gomega" + + hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1" + + corev1 "k8s.io/api/core/v1" +) + +func TestInjectContainer(t *testing.T) { + baseOpts := TokenMinterContainerOptions{ + TokenType: CloudToken, + ServiceAccountName: "test-sa", + ServiceAccountNameSpace: "test-ns", + } + + baseContainer := corev1.Container{ + Name: "cloud-token-minter", + Image: "test-image", + } + + basePodSpec := func() *corev1.PodSpec { + return &corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "main"}, + }, + } + } + + t.Run("When native sidecars are enabled it should inject as init container with RestartPolicy Always", func(t *testing.T) { + g := NewGomegaWithT(t) + + podSpec := basePodSpec() + baseOpts.injectContainer(true, podSpec, baseContainer, cloudTokenFileMountPath, "cloud-token") + + g.Expect(podSpec.InitContainers).To(HaveLen(1)) + g.Expect(podSpec.Containers).To(HaveLen(1), "should not add to regular containers") + + initContainer := podSpec.InitContainers[0] + g.Expect(initContainer.Name).To(Equal("cloud-token-minter")) + g.Expect(initContainer.RestartPolicy).ToNot(BeNil()) + g.Expect(*initContainer.RestartPolicy).To(Equal(corev1.ContainerRestartPolicyAlways)) + }) + + t.Run("When native sidecars are enabled it should set a startup probe that checks the token file", func(t *testing.T) { + g := NewGomegaWithT(t) + + podSpec := basePodSpec() + baseOpts.injectContainer(true, podSpec, baseContainer, cloudTokenFileMountPath, "cloud-token") + + initContainer := podSpec.InitContainers[0] + g.Expect(initContainer.StartupProbe).ToNot(BeNil()) + g.Expect(initContainer.StartupProbe.Exec).ToNot(BeNil()) + g.Expect(initContainer.StartupProbe.Exec.Command).To(Equal( + []string{"test", "-f", path.Join(cloudTokenFileMountPath, "token")}, + )) + g.Expect(initContainer.StartupProbe.PeriodSeconds).To(Equal(int32(1))) + 
g.Expect(initContainer.StartupProbe.FailureThreshold).To(Equal(int32(30))) + }) + + t.Run("When native sidecars are enabled with KubeAPIServerToken it should use cloudTokenFileMountPath for the startup probe", func(t *testing.T) { + g := NewGomegaWithT(t) + + podSpec := basePodSpec() + baseOpts.injectContainer(true, podSpec, baseContainer, kubeAPITokenFileMountPath, "apiserver-token") + + initContainer := podSpec.InitContainers[0] + g.Expect(initContainer.StartupProbe.Exec.Command).To(Equal( + []string{"test", "-f", path.Join(cloudTokenFileMountPath, "token")}, + ), "probe must check the token-minter's own mount path, not the main container's") + }) + + t.Run("When native sidecars are disabled it should inject as regular sidecar container", func(t *testing.T) { + g := NewGomegaWithT(t) + + podSpec := basePodSpec() + baseOpts.injectContainer(false, podSpec, baseContainer, cloudTokenFileMountPath, "cloud-token") + + g.Expect(podSpec.InitContainers).To(BeEmpty()) + g.Expect(podSpec.Containers).To(HaveLen(2)) + + sidecar := podSpec.Containers[1] + g.Expect(sidecar.Name).To(Equal("cloud-token-minter")) + g.Expect(sidecar.RestartPolicy).To(BeNil()) + g.Expect(sidecar.StartupProbe).To(BeNil()) + }) + + t.Run("When OneShot is true it should inject as regular init container without restart policy or probe", func(t *testing.T) { + g := NewGomegaWithT(t) + + oneShotOpts := TokenMinterContainerOptions{ + TokenType: CloudToken, + ServiceAccountName: "test-sa", + ServiceAccountNameSpace: "test-ns", + OneShot: true, + } + + for _, nativeSidecars := range []bool{true, false} { + podSpec := basePodSpec() + oneShotOpts.injectContainer(nativeSidecars, podSpec, baseContainer, cloudTokenFileMountPath, "cloud-token") + + g.Expect(podSpec.InitContainers).To(HaveLen(1), "oneshot minters should be injected as init containers") + g.Expect(podSpec.Containers).To(HaveLen(1), "oneshot minters should not be added to regular containers") + 
g.Expect(podSpec.InitContainers[0].RestartPolicy).To(BeNil()) + g.Expect(podSpec.InitContainers[0].StartupProbe).To(BeNil()) + } + }) + + t.Run("When injecting it should always add volume mount to the main container", func(t *testing.T) { + g := NewGomegaWithT(t) + + for _, nativeSidecars := range []bool{true, false} { + podSpec := basePodSpec() + baseOpts.injectContainer(nativeSidecars, podSpec, baseContainer, cloudTokenFileMountPath, "cloud-token") + + mainContainer := podSpec.Containers[0] + g.Expect(mainContainer.VolumeMounts).To(ContainElement(corev1.VolumeMount{ + Name: "cloud-token", + MountPath: cloudTokenFileMountPath, + })) + } + }) +} + +func TestInjectTokenMinterContainer(t *testing.T) { + opts := TokenMinterContainerOptions{ + TokenType: CloudAndAPIServerToken, + ServiceAccountName: "test-sa", + ServiceAccountNameSpace: "test-ns", + } + + fakeImageProvider := &fakeReleaseImageProvider{images: map[string]string{"token-minter": "test-image:latest"}} + + t.Run("When CloudAndAPIServerToken on AWS with native sidecars it should inject two init containers", func(t *testing.T) { + g := NewGomegaWithT(t) + + podSpec := &corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "main"}, + }, + } + + cpContext := ControlPlaneContext{ + HCP: &hyperv1.HostedControlPlane{ + Spec: hyperv1.HostedControlPlaneSpec{ + Platform: hyperv1.PlatformSpec{ + Type: hyperv1.AWSPlatform, + }, + }, + }, + ReleaseImageProvider: fakeImageProvider, + NativeSidecarContainersEnabled: true, + } + + opts.injectTokenMinterContainer(cpContext, podSpec) + + g.Expect(podSpec.InitContainers).To(HaveLen(2)) + g.Expect(podSpec.InitContainers[0].Name).To(Equal("cloud-token-minter")) + g.Expect(podSpec.InitContainers[1].Name).To(Equal("apiserver-token-minter")) + g.Expect(podSpec.Containers).To(HaveLen(1), "should not add token-minter to regular containers") + }) + + t.Run("When CloudAndAPIServerToken on AWS without native sidecars it should inject two regular containers", func(t *testing.T) { + 
g := NewGomegaWithT(t) + + podSpec := &corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "main"}, + }, + } + + cpContext := ControlPlaneContext{ + HCP: &hyperv1.HostedControlPlane{ + Spec: hyperv1.HostedControlPlaneSpec{ + Platform: hyperv1.PlatformSpec{ + Type: hyperv1.AWSPlatform, + }, + }, + }, + ReleaseImageProvider: fakeImageProvider, + NativeSidecarContainersEnabled: false, + } + + opts.injectTokenMinterContainer(cpContext, podSpec) + + g.Expect(podSpec.InitContainers).To(BeEmpty()) + g.Expect(podSpec.Containers).To(HaveLen(3)) + g.Expect(podSpec.Containers[1].Name).To(Equal("cloud-token-minter")) + g.Expect(podSpec.Containers[2].Name).To(Equal("apiserver-token-minter")) + }) + + t.Run("When CloudToken on GCP with native sidecars it should inject one cloud init container", func(t *testing.T) { + g := NewGomegaWithT(t) + + gcpOpts := TokenMinterContainerOptions{ + TokenType: CloudToken, + ServiceAccountName: "test-sa", + ServiceAccountNameSpace: "test-ns", + } + + podSpec := &corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "main"}, + }, + } + + cpContext := ControlPlaneContext{ + HCP: &hyperv1.HostedControlPlane{ + Spec: hyperv1.HostedControlPlaneSpec{ + Platform: hyperv1.PlatformSpec{ + Type: hyperv1.GCPPlatform, + }, + }, + }, + ReleaseImageProvider: fakeImageProvider, + NativeSidecarContainersEnabled: true, + } + + gcpOpts.injectTokenMinterContainer(cpContext, podSpec) + + g.Expect(podSpec.InitContainers).To(HaveLen(1)) + g.Expect(podSpec.InitContainers[0].Name).To(Equal("cloud-token-minter")) + g.Expect(podSpec.Containers).To(HaveLen(1), "should not add token-minter to regular containers") + }) + + t.Run("When KubeAPIServerToken on non-cloud platform with native sidecars it should inject one init container", func(t *testing.T) { + g := NewGomegaWithT(t) + + apiServerOpts := TokenMinterContainerOptions{ + TokenType: KubeAPIServerToken, + ServiceAccountName: "test-sa", + ServiceAccountNameSpace: "test-ns", + } + + podSpec := 
&corev1.PodSpec{ + Containers: []corev1.Container{ + {Name: "main"}, + }, + } + + cpContext := ControlPlaneContext{ + HCP: &hyperv1.HostedControlPlane{ + Spec: hyperv1.HostedControlPlaneSpec{ + Platform: hyperv1.PlatformSpec{ + Type: hyperv1.KubevirtPlatform, + }, + }, + }, + ReleaseImageProvider: fakeImageProvider, + NativeSidecarContainersEnabled: true, + } + + apiServerOpts.injectTokenMinterContainer(cpContext, podSpec) + + g.Expect(podSpec.InitContainers).To(HaveLen(1)) + g.Expect(podSpec.InitContainers[0].Name).To(Equal("apiserver-token-minter")) + g.Expect(podSpec.Containers).To(HaveLen(1), "cloud token should not be injected for non-cloud platform") + }) +} + +type fakeReleaseImageProvider struct { + images map[string]string +} + +func (f *fakeReleaseImageProvider) GetImage(name string) string { + return f.images[name] +} + +func (f *fakeReleaseImageProvider) ImageExist(name string) (string, bool) { + img, ok := f.images[name] + return img, ok +} + +func (f *fakeReleaseImageProvider) Version() string { + return "4.18.0" +} + +func (f *fakeReleaseImageProvider) ComponentVersions() (map[string]string, error) { + return nil, nil +} + +func (f *fakeReleaseImageProvider) ComponentImages() map[string]string { + return f.images +} diff --git a/test/e2e/util/util.go b/test/e2e/util/util.go index 49c88f9a3ad..0df0c5a2826 100644 --- a/test/e2e/util/util.go +++ b/test/e2e/util/util.go 
@@ -133,9 +133,6 @@ var ( "network-node-identity": 1, // temporary workaround for https://issues.redhat.com/browse/CNV-76520 "kubevirt-cloud-controller-manager": 2, - // Allow 1 restart for token-minter sidecar race condition: https://issues.redhat.com/browse/GCP-441 - // TODO(GCP-447): Remove this toleration once token-minter is injected as a native sidecar init container. - "gcp-cloud-controller-manager": 1, // Allow 5 restarts for dns-operator due to new RBAC rollout out by CVO trailing dns-operator rollout // https://redhat.atlassian.net/browse/OCPBUGS-78539 // https://redhat.atlassian.net/browse/NE-2500