openshift / openshift-controller-manager

Coming soon. Do not import.
Apache License 2.0

OCPBUGS-33600: revert revert and fix for hypershift #305

Closed sanchezl closed 6 months ago

sanchezl commented 6 months ago

On Hypershift, the image pull secrets were created, but not properly initialized due to the image_pull_secret_controller getting stuck waiting for the existence of the bound-service-account-signing-key secret in the openshift-kube-apiserver namespace.

Ideally, Hypershift would prefer to mount the service account signing key as a volume on the OCM pod. This would match what we already do for the KCM pod. This PR provides an OCM-only fix to get us going until we make the changes to the way hypershift runs OCM.

Since what we need is just the hash of the service account signing public key, if OCM does not find the bound-service-account-signing-key secret on startup, OCM will create a throwaway API token and extract the service account signing public key's hash from the token.

Currently, on hypershift, the service account signing public key is provided as a CLI option. OCM would need to be restarted if the service account signing public key changes,
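
The fallback described above, as an added Go example that is not code from this PR: it assumes the hash in question is the token's JWT header `kid`, which upstream Kubernetes derives as base64url(SHA-256(PKIX DER public key)). The key, the token and the helper names `keyIDFromDER`, `keyIDFromToken` and `demo` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// keyIDFromDER is base64url(SHA-256(PKIX DER)), upstream Kubernetes' "kid" scheme.
func keyIDFromDER(der []byte) string {
	sum := sha256.Sum256(der)
	return b64.EncodeToString(sum[:])
}

// keyIDFromToken reads "kid" from the JWT header. The signature is NOT checked,
// so use it only on a token the API server has just issued to this process.
func keyIDFromToken(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("not a compact JWT: %d segments", len(parts))
	}
	var hdr struct{ Kid string `json:"kid"` }
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Kid == "" {
		return "", fmt.Errorf("token header has no usable kid")
	}
	return hdr.Kid, nil
}

// demo uses a constructed key and token (placeholder signature, never verified).
func demo() (fromKey, fromToken string, err error) {
	pub := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)).Public()
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", "", err
	}
	fromKey = keyIDFromDER(der)
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": fromKey})
	token := b64.EncodeToString(hdr) + "." + b64.EncodeToString([]byte(`{"sub":"constructed"}`)) + ".c2ln"
	fromToken, err = keyIDFromToken(token)
	return fromKey, fromToken, err
}

func main() { fmt.Println(demo()) }
```

Comparing the value read from a freshly issued token with the one computed from the configured public key is also a cheap way to notice that the signing key has changed since startup.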

openshift-ci-robot commented 6 months ago

@sanchezl: This pull request references Jira Issue OCPBUGS-33600, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/openshift-controller-manager/pull/305):

> - **internal registry image pull secret controllers**
> - **add image pull secret to mountable secrets**
> - **fallback to alternate method of obtaining token signing key hash**

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fopenshift-controller-manager). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

sanchezl commented 6 months ago

/payload-job periodic-ci-openshift-hypershift-release-4.16-periodics-e2e-aws-ovn-conformance

openshift-ci[bot] commented 6 months ago

@sanchezl: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/8ad79e00-117f-11ef-8080-22dfebaceee0-0

sanchezl commented 6 months ago

/jira refresh

openshift-ci-robot commented 6 months ago

@sanchezl: This pull request references Jira Issue OCPBUGS-33600, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

* bug is open, matching expected state (open)
* bug target version (4.16.0) matches configured target version for branch (4.16.0)
* bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

In response to [this](https://github.com/openshift/openshift-controller-manager/pull/305#issuecomment-2108981367):

> /jira refresh

sanchezl commented 6 months ago

/retest-required

sanchezl commented 6 months ago

/retest-required

openshift-ci-robot commented 6 months ago

@sanchezl: This pull request references Jira Issue OCPBUGS-33600, which is valid.

3 validation(s) were run on this bug

* bug is open, matching expected state (open)
* bug target version (4.16.0) matches configured target version for branch (4.16.0)
* bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/openshift-controller-manager/pull/305):

> - Revert https://github.com/openshift/openshift-controller-manager/pull/304
> - Add fallback to alternate method of obtaining token signing key hash

soltysh commented 6 months ago

/label acknowledge-critical-fixes-only

benluddy commented 6 months ago

/lgtm

/hold

@sanchezl Do you want to re-run the hypershift payload job?

openshift-ci[bot] commented 6 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy, sanchezl, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/openshift-controller-manager/blob/master/OWNERS)~~ [soltysh]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment

openshift-ci[bot] commented 6 months ago

@sanchezl: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/security | 5bcef3649d67a522ade7e668edebc83e177dbaaa | link | false | `/test security` |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

benluddy commented 6 months ago

/payload-job periodic-ci-openshift-hypershift-release-4.16-periodics-e2e-aws-ovn-conformance

openshift-ci[bot] commented 6 months ago

@benluddy: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/058004d0-1234-11ef-9c79-b53ffec4c3e7-0

sanchezl commented 6 months ago

/payload 4.16 ci blocking

openshift-ci[bot] commented 6 months ago

@sanchezl: trigger 5 job(s) of type blocking for the ci release of OCP 4.16

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/39b901c0-1234-11ef-905a-e5452c9fb821-0

sanchezl commented 6 months ago

/hold cancel

openshift-ci-robot commented 6 months ago

@sanchezl: Jira Issue OCPBUGS-33600: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-33600 has been moved to the MODIFIED state.

openshift-bot commented 6 months ago

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-openshift-controller-manager-container-v4.17.0-202405151441.p0.g7637f1a.assembly.stream.el9 for distgit ose-openshift-controller-manager. All builds following this will include this PR.

openshift-merge-robot commented 6 months ago

Fix included in accepted release 4.16.0-0.nightly-2024-05-16-092402