From 97289cc3ebecd79d0442d156c32d8fac192b29b1 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Mon, 20 Sep 2021 15:54:58 -0700
Subject: [PATCH] install/0000_00_cluster-version-operator_03_deployment: Explicit kube-api-access

This content is injected by an admission webhook [1,2]. When we started removing not-in-manifest volumes in 83faa6e716 (lib/resourcemerge/core: Remove unrecognized volumes and mounts, 2021-09-14, #654), the cluster-version operator started removing the webhook-injected volume, leading to the cluster-version operator crash-looping on updates from 4.8 to 4.9 with messages like [3]:
F0920 13:23:23.565439 1 start.go:24] error: error creating clients: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
With this commit, we follow the precedent of the Kubernetes API server's own manifest [4,5].
[1]: https://github.com/kubernetes/kubernetes/blob/2f68346fbb6246961ce0a3176418630950aea500/plugin/pkg/admission/serviceaccount/admission.go#L53-L54
[2]: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume
[3]: https://bugzilla.redhat.com/show_bug.cgi?id=2005581
[4]: https://github.com/openshift/cluster-kube-apiserver-operator/pull/1142
[5]: https://bugzilla.redhat.com/show_bug.cgi?id=1946479
---
...luster-version-operator_03_deployment.yaml | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/install/0000_00_cluster-version-operator_03_deployment.yaml b/install/0000_00_cluster-version-operator_03_deployment.yaml
index 26b4f982be..af61032a25 100644
--- a/install/0000_00_cluster-version-operator_03_deployment.yaml
+++ b/install/0000_00_cluster-version-operator_03_deployment.yaml
@@ -20,6 +20,7 @@ spec:
 labels:
 k8s-app: cluster-version-operator
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: cluster-version-operator
 image: {{.ReleaseImage}}
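Review bot: `automountServiceAccountToken: false` on the pod template switches off token injection for every container in the pod, while this hunk shows only the cluster-version-operator container; if the template holds any other container (not visible here), it would need its own explicit `kube-api-access` mount or it silently loses API access. Read on its own the line looks like a lockdown, because the actual reason (the manifest now declares the volume itself so lib/resourcemerge no longer strips the admission-injected one) is only in the commit message; suggest a comment above it: `# The token volume is declared explicitly under volumes/volumeMounts; an admission-injected one would be removed by lib/resourcemerge.` The enclosing pod spec continues outside the hunk.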
@@ -48,6 +49,9 @@ spec:
 - mountPath: /etc/tls/serving-cert
 name: serving-cert
 readOnly: true
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: kube-api-access
+ readOnly: true
 env:
 - name: KUBERNETES_SERVICE_PORT # allows CVO to communicate with apiserver directly on same host. Is substituted with port from infrastructures.status.apiServerInternalURL if available.
 value: "6443"
@@ -92,3 +96,21 @@ spec:
 - name: serving-cert
 secret:
 secretName: cluster-version-operator-serving-cert
+ - name: kube-api-access
+ projected:
+ defaultMode: 420
+ sources:
+ - serviceAccountToken:
+ expirationSeconds: 3600
+ path: token
+ - configMap:
+ items:
+ - key: ca.crt
+ path: ca.crt
+ name: kube-root-ca.crt
+ - downwardAPI:
+ items:
+ - fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ path: namespace
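Review bot: The projected `kube-api-access` volume in the third hunk reproduces what the serviceaccount admission plugin injects, but nothing in the manifest says it must be kept in step with that plugin; suggest a comment above `- name: kube-api-access` such as `# Mirrors the bound-token volume the serviceaccount admission plugin would inject; the pod sets automountServiceAccountToken: false.` Two values deserve a word of intent: `expirationSeconds: 3600` differs from the plugin's 3607-second default (upstream uses the odd value to tell auto-injected tokens from explicit one-hour requests; harmless here since the kubelet rotates projected tokens before expiry, but a deliberate choice should be recorded), and the `kube-root-ca.crt` ConfigMap source only resolves once the kube-controller-manager's root-CA publisher has created it in the namespace, which presumably already holds on the 4.8 clusters this update path starts from. `defaultMode: 420` (0644) and the `readOnly: true` mount in the second hunk match the plugin's posture, so the token is readable by any uid in the container exactly as before.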