From d1d3043a2650e6966c819fd7440c65f1238e6dea Mon Sep 17 00:00:00 2001 
From: Jan Chaloupka Date: Wed, 1 Jul 2026 15:35:53 +0200 Subject: [PATCH 1/2] feat(cluster-storage-operator): inject centralized TLS configuration Mount a configmap with an operator config injected with the HCP TLS security profile. --- ...ter_storage_operator_config_configmap.yaml | 38 ++++++++++++++++ ...torage_operator_controlplanecomponent.yaml | 3 ++ ...s_cluster_storage_operator_deployment.yaml | 11 ++++- ...ter_storage_operator_config_configmap.yaml | 38 ++++++++++++++++ ...torage_operator_controlplanecomponent.yaml | 3 ++ ...s_cluster_storage_operator_deployment.yaml | 11 ++++- ...ter_storage_operator_config_configmap.yaml | 38 ++++++++++++++++ ...torage_operator_controlplanecomponent.yaml | 3 ++ ...s_cluster_storage_operator_deployment.yaml | 11 ++++- ...ter_storage_operator_config_configmap.yaml | 38 ++++++++++++++++ ...torage_operator_controlplanecomponent.yaml | 3 ++ ...s_cluster_storage_operator_deployment.yaml | 11 ++++- ...ter_storage_operator_config_configmap.yaml | 38 ++++++++++++++++ ...torage_operator_controlplanecomponent.yaml | 3 ++ ...s_cluster_storage_operator_deployment.yaml | 11 ++++- .../controller-config.yaml | 6 +++ .../cluster-storage-operator/deployment.yaml | 8 ++++ .../v2/storage/component.go | 4 ++ .../v2/storage/deployment.go | 44 +++++++++++++++++++ 19 files changed, 317 insertions(+), 5 deletions(-) create mode 100644 control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml create mode 100644 control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml create mode 100644 control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml create mode 100644 
control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml create mode 100644 control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml create mode 100644 control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml new file mode 100644 index 000000000000..43d1a92fd700 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yaml: | + apiVersion: config.openshift.io/v1 + authentication: {} + authorization: {} + kind: GenericControllerConfig + leaderElection: + leaseDuration: 0s + renewDeadline: 0s + retryPeriod: 0s + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: "" + certFile: "" + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + keyFile: "" + maxRequestsInFlight: 0 + minTLSVersion: VersionTLS12 + requestTimeoutSeconds: 0 +kind: ConfigMap +metadata: + name: cluster-storage-operator-config + namespace: hcp-namespace + ownerReferences: + - apiVersion: hypershift.openshift.io/v1beta1 + blockOwnerDeletion: true + controller: true + kind: HostedControlPlane + name: hcp + uid: "" + resourceVersion: "1" diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml index 0626082ac6ad..d0fc1745e258 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml 
@@ -31,6 +31,9 @@ status: - group: secrets-store.csi.x-k8s.io kind: SecretProviderClass name: managed-azure-file-csi + - group: "" + kind: ConfigMap + name: cluster-storage-operator-config - group: rbac.authorization.k8s.io kind: Role name: cluster-storage-operator diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml index c4a3abe07ece..8dba3d0cfc98 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/AROSwift/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml @@ -24,7 +24,7 @@ spec: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: tmp-dir - component.hypershift.openshift.io/config-hash: "" + component.hypershift.openshift.io/config-hash: a0010a21 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 openshift.io/required-scc: restricted-v2 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' @@ -65,8 +65,10 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml - --terminate-on-files=/var/run/secrets/serving-cert/tls.crt - --terminate-on-files=/var/run/secrets/serving-cert/tls.key + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig command: - cluster-storage-operator 
@@ -182,6 +184,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true - mountPath: /tmp name: tmp-dir initContainers: @@ -220,6 +225,10 @@ spec: secret: defaultMode: 416 secretName: service-network-admin-kubeconfig + - configMap: + defaultMode: 420 + name: cluster-storage-operator-config + name: config - emptyDir: {} name: tmp-dir status: {} diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml new file mode 100644 index 000000000000..43d1a92fd700 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yaml: | + apiVersion: config.openshift.io/v1 + authentication: {} + authorization: {} + kind: GenericControllerConfig + leaderElection: + leaseDuration: 0s + renewDeadline: 0s + retryPeriod: 0s + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: "" + certFile: "" + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + keyFile: "" + maxRequestsInFlight: 0 + minTLSVersion: VersionTLS12 + requestTimeoutSeconds: 0 +kind: ConfigMap +metadata: + name: cluster-storage-operator-config + namespace: hcp-namespace + ownerReferences: + - apiVersion: hypershift.openshift.io/v1beta1 + blockOwnerDeletion: true + controller: true + kind: HostedControlPlane + name: hcp + uid: "" + resourceVersion: "1" diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml index 6ec51810052d..a8a0c20e842e 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml @@ -19,6 +19,9 @@ status: status: "False" type: RolloutComplete resources: + - group: "" + kind: ConfigMap + name: cluster-storage-operator-config - group: rbac.authorization.k8s.io kind: Role name: cluster-storage-operator 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml index 7a87d100196a..87d1f33d3664 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/GCP/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml @@ -24,7 +24,7 @@ spec: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: tmp-dir - component.hypershift.openshift.io/config-hash: "" + component.hypershift.openshift.io/config-hash: a0010a21 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 openshift.io/required-scc: restricted-v2 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' @@ -65,8 +65,10 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml - --terminate-on-files=/var/run/secrets/serving-cert/tls.crt - --terminate-on-files=/var/run/secrets/serving-cert/tls.key + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig command: - cluster-storage-operator @@ -179,6 +181,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true - mountPath: /tmp name: tmp-dir initContainers: 
@@ -223,6 +228,10 @@ spec: secret: defaultMode: 416 secretName: service-network-admin-kubeconfig + - configMap: + defaultMode: 420 + name: cluster-storage-operator-config + name: config - emptyDir: {} name: tmp-dir status: {} diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml new file mode 100644 index 000000000000..43d1a92fd700 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yaml: | + apiVersion: config.openshift.io/v1 + authentication: {} + authorization: {} + kind: GenericControllerConfig + leaderElection: + leaseDuration: 0s + renewDeadline: 0s + retryPeriod: 0s + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: "" + certFile: "" + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + keyFile: "" + maxRequestsInFlight: 0 + minTLSVersion: VersionTLS12 + requestTimeoutSeconds: 0 +kind: ConfigMap +metadata: + name: cluster-storage-operator-config + namespace: hcp-namespace + ownerReferences: + - apiVersion: hypershift.openshift.io/v1beta1 + blockOwnerDeletion: true + controller: true + kind: HostedControlPlane + name: hcp + uid: "" + resourceVersion: "1" 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml index 6ec51810052d..a8a0c20e842e 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml @@ -19,6 +19,9 @@ status: status: "False" type: RolloutComplete resources: + - group: "" + kind: ConfigMap + name: cluster-storage-operator-config - group: rbac.authorization.k8s.io kind: Role name: cluster-storage-operator diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml index 8c994e6affcf..2b3a778faa39 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml 
@@ -24,7 +24,7 @@ spec: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: tmp-dir - component.hypershift.openshift.io/config-hash: "" + component.hypershift.openshift.io/config-hash: a0010a21 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 openshift.io/required-scc: restricted-v2 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' @@ -65,8 +65,10 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml - --terminate-on-files=/var/run/secrets/serving-cert/tls.crt - --terminate-on-files=/var/run/secrets/serving-cert/tls.key + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig command: - cluster-storage-operator @@ -178,6 +180,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true - mountPath: /tmp name: tmp-dir initContainers: @@ -216,6 +221,10 @@ spec: secret: defaultMode: 416 secretName: service-network-admin-kubeconfig + - configMap: + defaultMode: 420 + name: cluster-storage-operator-config + name: config - emptyDir: {} name: tmp-dir status: {} diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml new file mode 100644 index 000000000000..43d1a92fd700 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yaml: | + apiVersion: config.openshift.io/v1 + authentication: {} + authorization: {} + kind: GenericControllerConfig + leaderElection: + leaseDuration: 0s + renewDeadline: 0s + retryPeriod: 0s + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: "" + certFile: "" + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + keyFile: "" + maxRequestsInFlight: 0 + minTLSVersion: VersionTLS12 + requestTimeoutSeconds: 0 +kind: ConfigMap +metadata: + name: cluster-storage-operator-config + namespace: hcp-namespace + ownerReferences: + - apiVersion: hypershift.openshift.io/v1beta1 + blockOwnerDeletion: true + controller: true + kind: HostedControlPlane + name: hcp + uid: "" + resourceVersion: "1" diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml index 6ec51810052d..a8a0c20e842e 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml 
@@ -19,6 +19,9 @@ status: status: "False" type: RolloutComplete resources: + - group: "" + kind: ConfigMap + name: cluster-storage-operator-config - group: rbac.authorization.k8s.io kind: Role name: cluster-storage-operator diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml index 0dc9bcc2a764..feda12aaffa3 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml @@ -24,7 +24,7 @@ spec: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: tmp-dir - component.hypershift.openshift.io/config-hash: "" + component.hypershift.openshift.io/config-hash: a0010a21 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 openshift.io/required-scc: restricted-v2 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' @@ -65,8 +65,10 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml - --terminate-on-files=/var/run/secrets/serving-cert/tls.crt - --terminate-on-files=/var/run/secrets/serving-cert/tls.key + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig command: - cluster-storage-operator 
@@ -178,6 +180,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true - mountPath: /tmp name: tmp-dir initContainers: @@ -216,6 +221,10 @@ spec: secret: defaultMode: 416 secretName: service-network-admin-kubeconfig + - configMap: + defaultMode: 420 + name: cluster-storage-operator-config + name: config - emptyDir: {} name: tmp-dir status: {} diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml new file mode 100644 index 000000000000..43d1a92fd700 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_config_configmap.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yaml: | + apiVersion: config.openshift.io/v1 + authentication: {} + authorization: {} + kind: GenericControllerConfig + leaderElection: + leaseDuration: 0s + renewDeadline: 0s + retryPeriod: 0s + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: "" + certFile: "" + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + keyFile: "" + maxRequestsInFlight: 0 + minTLSVersion: VersionTLS12 + requestTimeoutSeconds: 0 +kind: ConfigMap +metadata: + name: cluster-storage-operator-config + namespace: hcp-namespace + ownerReferences: + - apiVersion: hypershift.openshift.io/v1beta1 + blockOwnerDeletion: true + controller: true + kind: HostedControlPlane + name: hcp + uid: "" + resourceVersion: "1" diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml index 6ec51810052d..a8a0c20e842e 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_controlplanecomponent.yaml @@ -19,6 +19,9 @@ status: status: "False" type: RolloutComplete resources: + - group: "" + kind: ConfigMap + name: cluster-storage-operator-config - group: rbac.authorization.k8s.io kind: Role name: cluster-storage-operator 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml index 0dc9bcc2a764..feda12aaffa3 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/cluster-storage-operator/zz_fixture_TestControlPlaneComponents_cluster_storage_operator_deployment.yaml @@ -24,7 +24,7 @@ spec: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: tmp-dir - component.hypershift.openshift.io/config-hash: "" + component.hypershift.openshift.io/config-hash: a0010a21 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 openshift.io/required-scc: restricted-v2 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' @@ -65,8 +65,10 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml - --terminate-on-files=/var/run/secrets/serving-cert/tls.crt - --terminate-on-files=/var/run/secrets/serving-cert/tls.key + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig command: - cluster-storage-operator @@ -178,6 +180,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true - mountPath: /tmp name: tmp-dir initContainers: 
@@ -216,6 +221,10 @@ spec: secret: defaultMode: 416 secretName: service-network-admin-kubeconfig + - configMap: + defaultMode: 420 + name: cluster-storage-operator-config + name: config - emptyDir: {} name: tmp-dir status: {} diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml new file mode 100644 index 000000000000..1c1c8e519caa --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/controller-config.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-storage-operator-config +data: + config.yaml: "" diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml index 94499d47e878..0380e136e210 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/cluster-storage-operator/deployment.yaml @@ -20,8 +20,10 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml - --terminate-on-files=/var/run/secrets/serving-cert/tls.crt - --terminate-on-files=/var/run/secrets/serving-cert/tls.key + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig command: - cluster-storage-operator @@ -132,6 +134,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true securityContext: runAsNonRoot: true seccompProfile: 
@@ -141,3 +146,6 @@ spec: - name: guest-kubeconfig secret: secretName: service-network-admin-kubeconfig + - configMap: + name: cluster-storage-operator-config + name: config diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go b/control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go index 6caf7e91625e..504521d64053 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go +++ b/control-plane-operator/controllers/hostedcontrolplane/v2/storage/component.go @@ -64,6 +64,10 @@ func NewComponent() component.ControlPlaneComponent { component.WithAdaptFunction(adaptAzureCSIFileSecretProvider), component.WithPredicate(isAroHCP), ). + WithManifestAdapter( + "controller-config.yaml", + component.WithAdaptFunction(adaptControllerConfig), + ). WithDependencies(oapiv2.ComponentName). InjectAvailabilityProberContainer(podspec.AvailabilityProberOpts{ KubeconfigVolumeName: "guest-kubeconfig", diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go b/control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go index 92f030271e76..06f34bbd5f96 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go +++ b/control-plane-operator/controllers/hostedcontrolplane/v2/storage/deployment.go @@ -1,6 +1,8 @@ package storage import ( + "encoding/json" + "fmt" "strconv" "github.com/openshift/hypershift/support/azureutil" @@ -8,8 +10,12 @@ import ( component "github.com/openshift/hypershift/support/controlplane-component" "github.com/openshift/hypershift/support/podspec" + configv1 "github.com/openshift/api/config/v1" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + + "sigs.k8s.io/yaml" ) func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Deployment) error { 
@@ -41,3 +47,41 @@ func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Dep return nil } + +func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error { + profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile() + controllerConfig := configv1.GenericControllerConfig{ + ServingInfo: configv1.HTTPServingInfo{ + ServingInfo: configv1.ServingInfo{ + BindAddress: "0.0.0.0:8443", + CipherSuites: config.CipherSuites(profile), + MinTLSVersion: config.MinTLSVersion(profile), + }, + }, + } + + asJSON, err := json.Marshal(controllerConfig) + if err != nil { + return fmt.Errorf("failed to json marshal config: %w", err) + } + + asMap := map[string]any{} + if err := json.Unmarshal(asJSON, &asMap); err != nil { + return fmt.Errorf("failed to json unmarshal config: %w", err) + } + + asMap["apiVersion"] = configv1.GroupVersion.String() + asMap["kind"] = "GenericControllerConfig" + + data, err := yaml.Marshal(asMap) + if err != nil { + return fmt.Errorf("failed to yaml marshal config: %w", err) + } + + if cm.Data == nil { + cm.Data = map[string]string{} + } + + cm.Data["config.yaml"] = string(data) + return nil +} From b12aa98d4e1de74753f6d7f5550cd75ab521b522 Mon Sep 17 00:00:00 2001 
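Review bot: adaptControllerConfig has no doc comment, and the JSON-to-map round-trip reads as accidental when its only purpose is to add apiVersion/kind to the emitted document, which a later reader could "simplify" into a direct yaml.Marshal of the struct and silently lose the type header. Suggest `// adaptControllerConfig renders a GenericControllerConfig into cm.Data["config.yaml"], taking servingInfo.cipherSuites and minTLSVersion from the HCP TLS security profile so the operator's 0.0.0.0:8443 listener follows the centralized profile.` above the function and `// the struct is marshaled without apiVersion/kind; add them via a map so the file is self-describing` above the asMap block. certFile and keyFile are left empty in the ServingInfo literal, which presumably relies on the controller command falling back to the default serving-cert paths the deployment already watches via --terminate-on-files (/var/run/secrets/serving-cert/tls.crt and tls.key) — worth stating next to the literal so the config and the deployment do not drift apart. The config package supplying CipherSuites/MinTLSVersion is not among the imports this patch adds, so it is presumably already imported above line 8 of the file; the three error strings could also drop the "failed to" prefix per Go wrapping convention, e.g. `return fmt.Errorf("json marshaling controller config: %w", err)`.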
From: Jan Chaloupka Date: Wed, 1 Jul 2026 15:51:22 +0200 Subject: [PATCH 2/2] feat(csi-snapshot-controller-operator): inject centralized TLS configuration Mount a configmap with an operator config injected with the HCP TLS security profile. --- ..._controller_operator_config_configmap.yaml | 38 ++++++++++++++++ ...roller_operator_controlplanecomponent.yaml | 3 ++ ...apshot_controller_operator_deployment.yaml | 11 ++++- ..._controller_operator_config_configmap.yaml | 38 ++++++++++++++++ ...roller_operator_controlplanecomponent.yaml | 3 ++ ...apshot_controller_operator_deployment.yaml | 11 ++++- ..._controller_operator_config_configmap.yaml | 38 ++++++++++++++++ ...roller_operator_controlplanecomponent.yaml | 3 ++ ...apshot_controller_operator_deployment.yaml | 11 ++++- ..._controller_operator_config_configmap.yaml | 38 ++++++++++++++++ ...roller_operator_controlplanecomponent.yaml | 3 ++ ...apshot_controller_operator_deployment.yaml | 11 ++++- ..._controller_operator_config_configmap.yaml | 38 ++++++++++++++++ ...roller_operator_controlplanecomponent.yaml | 3 ++ ...apshot_controller_operator_deployment.yaml | 11 ++++- .../controller-config.yaml | 6 +++ .../deployment.yaml | 8 ++++ .../v2/snapshotcontroller/component.go | 4 ++ .../v2/snapshotcontroller/deployment.go | 45 +++++++++++++++++++ 19 files changed, 318 insertions(+), 5 deletions(-) create mode 100644 control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml create mode 100644 control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml create mode 100644 
control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml create mode 100644 control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml create mode 100644 control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml create mode 100644 control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml new file mode 100644 index 000000000000..c7929edf6801 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yaml: | + apiVersion: config.openshift.io/v1 + authentication: {} + authorization: {} + kind: GenericControllerConfig + leaderElection: + leaseDuration: 0s + renewDeadline: 0s + retryPeriod: 0s + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: "" + certFile: "" + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + keyFile: "" + maxRequestsInFlight: 0 + minTLSVersion: VersionTLS12 + requestTimeoutSeconds: 0 +kind: ConfigMap +metadata: + name: csi-snapshot-controller-operator-config + namespace: hcp-namespace + ownerReferences: + - apiVersion: hypershift.openshift.io/v1beta1 + blockOwnerDeletion: true + controller: true + kind: HostedControlPlane + name: hcp + uid: "" + resourceVersion: "1" diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml index fa828e2e4a57..c5af58f4e6b5 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml 
@@ -28,3 +28,6 @@ status: - group: rbac.authorization.k8s.io kind: RoleBinding name: csi-snapshot-controller-operator-role + - group: "" + kind: ConfigMap + name: csi-snapshot-controller-operator-config diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml index 07016bf089fa..863814cbd404 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/AROSwift/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml @@ -25,7 +25,7 @@ spec: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: tmp-dir - component.hypershift.openshift.io/config-hash: "" + component.hypershift.openshift.io/config-hash: a0010a21 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: @@ -64,6 +64,8 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig env: - name: OPERAND_IMAGE @@ -93,6 +95,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true - mountPath: /tmp name: tmp-dir initContainers: 
@@ -131,6 +136,10 @@ spec: secret: defaultMode: 416 secretName: service-network-admin-kubeconfig + - configMap: + defaultMode: 420 + name: csi-snapshot-controller-operator-config + name: config - emptyDir: {} name: tmp-dir status: {} diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml new file mode 100644 index 000000000000..c7929edf6801 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yaml: | + apiVersion: config.openshift.io/v1 + authentication: {} + authorization: {} + kind: GenericControllerConfig + leaderElection: + leaseDuration: 0s + renewDeadline: 0s + retryPeriod: 0s + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: "" + certFile: "" + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + keyFile: "" + maxRequestsInFlight: 0 + minTLSVersion: VersionTLS12 + requestTimeoutSeconds: 0 +kind: ConfigMap +metadata: + name: csi-snapshot-controller-operator-config + namespace: hcp-namespace + ownerReferences: + - apiVersion: hypershift.openshift.io/v1beta1 + blockOwnerDeletion: true + controller: true + kind: HostedControlPlane + name: hcp + uid: "" + resourceVersion: "1" 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml index fa828e2e4a57..c5af58f4e6b5 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml @@ -28,3 +28,6 @@ status: - group: rbac.authorization.k8s.io kind: RoleBinding name: csi-snapshot-controller-operator-role + - group: "" + kind: ConfigMap + name: csi-snapshot-controller-operator-config diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml index 8d212f3809e3..0bbacdedccba 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/GCP/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml 
@@ -25,7 +25,7 @@ spec: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: tmp-dir - component.hypershift.openshift.io/config-hash: "" + component.hypershift.openshift.io/config-hash: a0010a21 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: @@ -64,6 +64,8 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig env: - name: OPERAND_IMAGE @@ -94,6 +96,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true - mountPath: /tmp name: tmp-dir initContainers: @@ -138,6 +143,10 @@ spec: secret: defaultMode: 416 secretName: service-network-admin-kubeconfig + - configMap: + defaultMode: 420 + name: csi-snapshot-controller-operator-config + name: config - emptyDir: {} name: tmp-dir status: {} diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml new file mode 100644 index 000000000000..c7929edf6801 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yaml: | + apiVersion: config.openshift.io/v1 + authentication: {} + authorization: {} + kind: GenericControllerConfig + leaderElection: + leaseDuration: 0s + renewDeadline: 0s + retryPeriod: 0s + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: "" + certFile: "" + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + keyFile: "" + maxRequestsInFlight: 0 + minTLSVersion: VersionTLS12 + requestTimeoutSeconds: 0 +kind: ConfigMap +metadata: + name: csi-snapshot-controller-operator-config + namespace: hcp-namespace + ownerReferences: + - apiVersion: hypershift.openshift.io/v1beta1 + blockOwnerDeletion: true + controller: true + kind: HostedControlPlane + name: hcp + uid: "" + resourceVersion: "1" diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml index fa828e2e4a57..c5af58f4e6b5 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml 
@@ -28,3 +28,6 @@ status: - group: rbac.authorization.k8s.io kind: RoleBinding name: csi-snapshot-controller-operator-role + - group: "" + kind: ConfigMap + name: csi-snapshot-controller-operator-config diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml index 36b1916e0f50..fc0d8c90771d 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/IBMCloud/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml @@ -25,7 +25,7 @@ spec: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: tmp-dir - component.hypershift.openshift.io/config-hash: "" + component.hypershift.openshift.io/config-hash: a0010a21 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: @@ -64,6 +64,8 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig env: - name: OPERAND_IMAGE @@ -93,6 +95,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true - mountPath: /tmp name: tmp-dir initContainers: 
@@ -131,6 +136,10 @@ spec: secret: defaultMode: 416 secretName: service-network-admin-kubeconfig + - configMap: + defaultMode: 420 + name: csi-snapshot-controller-operator-config + name: config - emptyDir: {} name: tmp-dir status: {} diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml new file mode 100644 index 000000000000..c7929edf6801 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yaml: | + apiVersion: config.openshift.io/v1 + authentication: {} + authorization: {} + kind: GenericControllerConfig + leaderElection: + leaseDuration: 0s + renewDeadline: 0s + retryPeriod: 0s + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: "" + certFile: "" + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + keyFile: "" + maxRequestsInFlight: 0 + minTLSVersion: VersionTLS12 + requestTimeoutSeconds: 0 +kind: ConfigMap +metadata: + name: csi-snapshot-controller-operator-config + namespace: hcp-namespace + ownerReferences: + - apiVersion: hypershift.openshift.io/v1beta1 + blockOwnerDeletion: true + controller: true + kind: HostedControlPlane + name: hcp + uid: "" + resourceVersion: "1" 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml index fa828e2e4a57..c5af58f4e6b5 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml @@ -28,3 +28,6 @@ status: - group: rbac.authorization.k8s.io kind: RoleBinding name: csi-snapshot-controller-operator-role + - group: "" + kind: ConfigMap + name: csi-snapshot-controller-operator-config diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml index 07016bf089fa..863814cbd404 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml 
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml @@ -25,7 +25,7 @@ spec: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: tmp-dir - component.hypershift.openshift.io/config-hash: "" + component.hypershift.openshift.io/config-hash: a0010a21 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: @@ -64,6 +64,8 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig env: - name: OPERAND_IMAGE @@ -93,6 +95,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true - mountPath: /tmp name: tmp-dir initContainers: @@ -131,6 +136,10 @@ spec: secret: defaultMode: 416 secretName: service-network-admin-kubeconfig + - configMap: + defaultMode: 420 + name: csi-snapshot-controller-operator-config + name: config - emptyDir: {} name: tmp-dir status: {} diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml new file mode 100644 index 000000000000..c7929edf6801 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_config_configmap.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +data: + config.yaml: | + apiVersion: config.openshift.io/v1 + authentication: {} + authorization: {} + kind: GenericControllerConfig + leaderElection: + leaseDuration: 0s + renewDeadline: 0s + retryPeriod: 0s + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: "" + certFile: "" + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + keyFile: "" + maxRequestsInFlight: 0 + minTLSVersion: VersionTLS12 + requestTimeoutSeconds: 0 +kind: ConfigMap +metadata: + name: csi-snapshot-controller-operator-config + namespace: hcp-namespace + ownerReferences: + - apiVersion: hypershift.openshift.io/v1beta1 + blockOwnerDeletion: true + controller: true + kind: HostedControlPlane + name: hcp + uid: "" + resourceVersion: "1" diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml index fa828e2e4a57..c5af58f4e6b5 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_controlplanecomponent.yaml 
@@ -28,3 +28,6 @@ status: - group: rbac.authorization.k8s.io kind: RoleBinding name: csi-snapshot-controller-operator-role + - group: "" + kind: ConfigMap + name: csi-snapshot-controller-operator-config diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml index 07016bf089fa..863814cbd404 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/csi-snapshot-controller-operator/zz_fixture_TestControlPlaneComponents_csi_snapshot_controller_operator_deployment.yaml @@ -25,7 +25,7 @@ spec: metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict-local-volumes: tmp-dir - component.hypershift.openshift.io/config-hash: "" + component.hypershift.openshift.io/config-hash: a0010a21 hypershift.openshift.io/release-image: quay.io/openshift-release-dev/ocp-release:4.16.10-x86_64 target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' labels: @@ -64,6 +64,8 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig env: - name: OPERAND_IMAGE @@ -93,6 +95,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true - mountPath: /tmp name: tmp-dir initContainers: 
@@ -131,6 +136,10 @@ spec: secret: defaultMode: 416 secretName: service-network-admin-kubeconfig + - configMap: + defaultMode: 420 + name: csi-snapshot-controller-operator-config + name: config - emptyDir: {} name: tmp-dir status: {} diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml new file mode 100644 index 000000000000..0d5deee57cb9 --- /dev/null +++ b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/controller-config.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: csi-snapshot-controller-operator-config +data: + config.yaml: "" diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml index 06738f9ca983..c4e395ac6424 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml +++ b/control-plane-operator/controllers/hostedcontrolplane/v2/assets/csi-snapshot-controller-operator/deployment.yaml @@ -21,6 +21,8 @@ spec: - args: - start - -v=2 + - --config=/var/run/configmaps/config/config.yaml + - --terminate-on-files=/var/run/configmaps/config/config.yaml - --guest-kubeconfig=/etc/guest-kubeconfig/kubeconfig env: - name: OPERAND_IMAGE @@ -49,6 +51,9 @@ spec: volumeMounts: - mountPath: /etc/guest-kubeconfig name: guest-kubeconfig + - mountPath: /var/run/configmaps/config + name: config + readOnly: true securityContext: runAsNonRoot: true seccompProfile: @@ -58,3 +63,6 @@ spec: - name: guest-kubeconfig secret: secretName: service-network-admin-kubeconfig + - configMap: + name: csi-snapshot-controller-operator-config + name: config 
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go b/control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go index 518fa7e0d4c9..53ac458b7e5e 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go +++ b/control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/component.go @@ -42,6 +42,10 @@ func NewComponent() component.ControlPlaneComponent { return component.NewDeploymentComponent(ComponentName, &snapshotController{}). WithAdaptFunction(adaptDeployment). WithPredicate(isStorageAndCSIManaged). + WithManifestAdapter( + "controller-config.yaml", + component.WithAdaptFunction(adaptControllerConfig), + ). WithDependencies(oapiv2.ComponentName). InjectAvailabilityProberContainer(podspec.AvailabilityProberOpts{ KubeconfigVolumeName: "guest-kubeconfig", diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go b/control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go index ef7f026e0856..35e80c25fd6b 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go +++ b/control-plane-operator/controllers/hostedcontrolplane/v2/snapshotcontroller/deployment.go @@ -1,13 +1,20 @@ package snapshotcontroller import ( + "encoding/json" + "fmt" "strconv" + "github.com/openshift/hypershift/support/config" component "github.com/openshift/hypershift/support/controlplane-component" "github.com/openshift/hypershift/support/podspec" + configv1 "github.com/openshift/api/config/v1" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + + "sigs.k8s.io/yaml" ) func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Deployment) error { 
@@ -31,3 +38,41 @@ func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Dep
 return nil
 }
+
+func adaptControllerConfig(cpContext component.WorkloadContext, cm *corev1.ConfigMap) error {
+ profile := cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()
+ controllerConfig := configv1.GenericControllerConfig{
+ ServingInfo: configv1.HTTPServingInfo{
+ ServingInfo: configv1.ServingInfo{
+ BindAddress: "0.0.0.0:8443",
+ CipherSuites: config.CipherSuites(profile),
+ MinTLSVersion: config.MinTLSVersion(profile),
+ },
+ },
+ }
+
+ asJSON, err := json.Marshal(controllerConfig)
+ if err != nil {
+ return fmt.Errorf("failed to json marshal config: %w", err)
+ }
+
+ asMap := map[string]any{}
+ if err := json.Unmarshal(asJSON, &asMap); err != nil {
+ return fmt.Errorf("failed to json unmarshal config: %w", err)
+ }
+
+ asMap["apiVersion"] = configv1.GroupVersion.String()
+ asMap["kind"] = "GenericControllerConfig"
+
+ data, err := yaml.Marshal(asMap)
+ if err != nil {
+ return fmt.Errorf("failed to yaml marshal config: %w", err)
+ }
+
+ if cm.Data == nil {
+ cm.Data = map[string]string{}
+ }
+
+ cm.Data["config.yaml"] = string(data)
+ return nil
+}
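Review bot: adaptControllerConfig has no doc comment, and nothing in the hunk records that a HostedControlPlane with no TLS profile set still ends up with the defaults the fixtures show (`minTLSVersion: VersionTLS12` and the six ECDHE AES-GCM/CHACHA20 suites); add `// adaptControllerConfig renders a GenericControllerConfig carrying the HCP TLS security profile (cipher suites, minimum TLS version) into cm.Data["config.yaml"]; a nil profile is handed to config.CipherSuites/config.MinTLSVersion, which pick the defaults.` above the function. The three `fmt.Errorf` strings carry a `failed to` prefix that Go's wrapping convention drops once errors are chained, e.g. `return fmt.Errorf("marshaling controller config to json: %w", err)`. Whether `cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()` tolerates an unset Spec.Configuration is not visible here; if the method is not nil-receiver safe, guard the call so a cluster without a profile does not panic the adapter instead of receiving the default profile.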