OCPBUGS-87889: fall back to kube-system/global-pull-secret for Insights token #1302
On ARO HCP clusters, openshift-config/pull-secret only contains the ACR registry credential — no cloud.openshift.com token. Customers add their Red Hat pull secret (including cloud.openshift.com) day-2 via the additional-pull-secret method, which HCCO merges into kube-system/global-pull-secret. This change makes updateToken() check kube-system/global-pull-secret as a fallback when openshift-config/pull-secret has no cloud.openshift.com token, enabling Insights reporting on HCP clusters without requiring platform-level changes.

Changes:
- Generalize fetchSecret() to accept a namespace parameter
- Add fallback lookup to kube-system/global-pull-secret in updateToken()
- Add read-only RBAC (Role+RoleBinding) for global-pull-secret in kube-system
- Include namespace in fetchSecret log/error messages for debuggability
- Add tests for fallback and primary-wins-over-fallback precedence

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Walkthrough (CodeRabbit): The PR adds fallback token resolution by enabling the insights-operator to read a global pull secret from kube-system when the primary pull secret is unavailable. RBAC permissions are added, secret fetching is generalized to support namespace-aware lookups, token fallback logic is implemented, and token selection is tested for both presence and precedence scenarios.

Sequence diagram (Mermaid source):
sequenceDiagram
participant updateToken
participant fetchSecret
participant nextConfig
updateToken->>fetchSecret: fetch openshift-config/pull-secret
fetchSecret-->>updateToken: token or empty
alt Token found
updateToken->>nextConfig: set Token, enable Report
else Token empty
updateToken->>fetchSecret: fetch kube-system/global-pull-secret
fetchSecret-->>updateToken: token or empty
alt Global token found
updateToken->>nextConfig: set Token, enable Report
else Global token empty
updateToken->>nextConfig: leave Token empty
end
end
/retest-required

/retest

/cc

Seems the failed job is not related to my PR change?

Yeah, there is an issue in the python kubernetes client that our tests are using; I will override the test failure: kubernetes-client/python#2610
| func (c *Controller) updateToken(ctx context.Context) error { | ||
| klog.V(2).Infof("Refreshing configuration from cluster pull secret") | ||
| secret, err := c.fetchSecret(ctx, "pull-secret") | ||
| secret, err := c.fetchSecret(ctx, "openshift-config", "pull-secret") |
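Review bot: the log line kept above this change still says "Refreshing configuration from cluster pull secret" regardless of which secret ends up supplying the token, and this hunk shows only the primary openshift-config/pull-secret lookup; when the kube-system/global-pull-secret fallback is taken, log the namespace/name actually used (for example `klog.V(2).Infof("using cloud.openshift.com token from %s/%s", ns, name)`) so a NoToken/GatheringDisabled report can be traced to the secret that was read. Since the call now takes both a namespace and a name as string literals, defining them as package constants would also keep the primary and fallback call sites from drifting.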
Could you make the namespace names and secret names constants?
Please take a look again. Thank you.

/retitle OCPBUGS-87889: fall back to kube-system/global-pull-secret for Insights token
@judexzhu: This pull request references Jira Issue OCPBUGS-87889, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug.
The bug has been updated to refer to the pull request using the external bug tracker.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Addresses review feedback to replace hardcoded string literals with named constants for better readability and maintainability.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@judexzhu: This pull request references Jira Issue OCPBUGS-87889, which is valid. 3 validation(s) were run on this bug.
/test insights-operator-serial-tests

/override ci/prow/insights-operator-e2e-tests

@opokornyy: Overrode contexts on behalf of opokornyy: ci/prow/insights-operator-e2e-tests
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@judexzhu: all tests passed!

/lgtm

/approve

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: judexzhu, opokornyy.
/verified by @opokornyy

@opokornyy: This PR has been marked as verified by
@judexzhu: Jira Issue Verification Checks: Jira Issue OCPBUGS-87889 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload.
/cherry-pick release-4.22

@opokornyy: new pull request created: #1305

Fix included in release 5.0.0-0.nightly-2026-06-12-141614

/cherry-pick release-4.21

@opokornyy: new pull request created: #1310

/cherry-pick release-4.20

@opokornyy: new pull request created: #1311
Summary

On ARO HCP clusters, openshift-config/pull-secret only contains the ACR registry credential — no cloud.openshift.com token. Customers add their Red Hat pull secret (including cloud.openshift.com) day-2 via kube-system/additional-pull-secret, which HCCO merges into kube-system/global-pull-secret. The Insights Operator currently only checks openshift-config/pull-secret, so it reports NoToken/GatheringDisabled even though the token exists on the cluster.

This change makes updateToken() check kube-system/global-pull-secret as a read-only fallback when openshift-config/pull-secret has no cloud.openshift.com token.

Changes:
- Generalize fetchSecret() to accept a namespace parameter
- Add fallback lookup to kube-system/global-pull-secret in updateToken()
- Add read-only RBAC (get only, no update/patch) for global-pull-secret in kube-system
- Include namespace in fetchSecret log/error messages for debuggability

Behavior:
- If openshift-config/pull-secret has the token, the fallback is never reached
- Falls back to kube-system/global-pull-secret when the primary lacks cloud.openshift.com
- Access to global-pull-secret is read-only — the operator does not manage, write, or claim ownership of this secret
- If global-pull-secret doesn't exist (NotFound) or is inaccessible (Forbidden), the fallback is silently skipped

Test plan
- make test — all unit tests pass
- make lint — 0 issues
- Falls back to kube-system/global-pull-secret when the primary lacks cloud.openshift.com
- openshift-config/pull-secret takes precedence when both have cloud.openshift.com
- global-pull-secret

🤖 Generated with Claude Code
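As an added illustration of the fallback and precedence rules described in both the PR description and this Summary (example code written for this page, not the insights-operator's own updateToken()/fetchSecret()): the namespace and secret names come from the page; the SecretGetter abstraction, the ErrNotFound/ErrForbidden sentinels (stand-ins for client-go's apierrors.IsNotFound/IsForbidden checks), the FakeCluster/PullSecret helpers, and the assumption that the token is the `auth` value of the cloud.openshift.com entry in `.dockerconfigjson` are this example's own, not the project's.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Names taken from the PR description, held as constants as the reviewer asked.
const (
	primaryNamespace  = "openshift-config"
	primarySecret     = "pull-secret"
	fallbackNamespace = "kube-system"
	fallbackSecret    = "global-pull-secret"
	insightsRegistry  = "cloud.openshift.com"
	dockerConfigKey   = ".dockerconfigjson"
)

// Constructed stand-ins for the API errors a kube client would return
// (the operator would use apierrors.IsNotFound / apierrors.IsForbidden).
var (
	ErrNotFound  = errors.New("secret not found")
	ErrForbidden = errors.New("secret access forbidden")
)

// SecretGetter reads a secret's data by namespace and name; a hypothetical
// abstraction over the kube client so the example runs offline.
type SecretGetter func(namespace, name string) (map[string][]byte, error)

// dockerConfig is the shape of a pull secret's ".dockerconfigjson" payload.
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
}

// tokenFromSecret returns the cloud.openshift.com auth value, or "" when the
// secret is well-formed but carries no Insights token (the ARO HCP case).
func tokenFromSecret(data map[string][]byte) (string, error) {
	raw, ok := data[dockerConfigKey]
	if !ok {
		return "", fmt.Errorf("secret has no %q key", dockerConfigKey)
	}
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", fmt.Errorf("parsing %s: %w", dockerConfigKey, err)
	}
	return cfg.Auths[insightsRegistry].Auth, nil // nil map lookup yields ""
}

// ResolveInsightsToken applies the PR's precedence: the primary secret wins if
// it has a token; otherwise the global pull secret is read, and NotFound or
// Forbidden on that fallback is silently treated as "no token". The second
// return value names the secret the token came from ("" if none).
func ResolveInsightsToken(get SecretGetter) (token, source string, err error) {
	data, err := get(primaryNamespace, primarySecret)
	if err != nil { // primary errors are not swallowed
		return "", "", fmt.Errorf("reading %s/%s: %w", primaryNamespace, primarySecret, err)
	}
	if token, err = tokenFromSecret(data); err != nil {
		return "", "", err
	}
	if token != "" {
		return token, primaryNamespace + "/" + primarySecret, nil
	}

	data, err = get(fallbackNamespace, fallbackSecret)
	if errors.Is(err, ErrNotFound) || errors.Is(err, ErrForbidden) {
		return "", "", nil // fallback skipped: secret absent or RBAC denies it
	}
	if err != nil {
		return "", "", fmt.Errorf("reading %s/%s: %w", fallbackNamespace, fallbackSecret, err)
	}
	if token, err = tokenFromSecret(data); err != nil || token == "" {
		return "", "", err
	}
	return token, fallbackNamespace + "/" + fallbackSecret, nil
}

// PullSecret builds a constructed .dockerconfigjson secret from registry->auth pairs.
func PullSecret(auths map[string]string) map[string][]byte {
	cfg := map[string]map[string]map[string]string{"auths": {}}
	for reg, auth := range auths {
		cfg["auths"][reg] = map[string]string{"auth": auth}
	}
	raw, _ := json.Marshal(cfg)
	return map[string][]byte{dockerConfigKey: raw}
}

// FakeCluster serves constructed secrets keyed "namespace/name": unknown keys
// return ErrNotFound and keys mapped to nil return ErrForbidden.
func FakeCluster(secrets map[string]map[string][]byte) SecretGetter {
	return func(ns, name string) (map[string][]byte, error) {
		data, ok := secrets[ns+"/"+name]
		if !ok {
			return nil, ErrNotFound
		}
		if data == nil {
			return nil, ErrForbidden
		}
		return data, nil
	}
}

func main() {
	// ARO HCP shape: primary holds only the ACR credential, global holds the RH token.
	get := FakeCluster(map[string]map[string][]byte{
		"openshift-config/pull-secret":   PullSecret(map[string]string{"example.azurecr.io": "acr-auth"}),
		"kube-system/global-pull-secret": PullSecret(map[string]string{insightsRegistry: "global-token"}),
	})
	token, source, err := ResolveInsightsToken(get)
	fmt.Printf("token=%q source=%q err=%v\n", token, source, err)
}
```

The read-only nature of the fallback is what makes the Forbidden branch safe to skip: a deployment whose Role does not grant `get` on kube-system/global-pull-secret degrades to the pre-change NoToken behaviour instead of failing the reconcile.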