Bug 1977383: [release-4.7] Ensure service ca configmap is created in all namespaces

[marun]

This is a 4.7 followup to #714 to ensure upgrades from 4.7 to 4.8 are not disrupted by the lack of service ca configmaps before BoundServiceAccountTokenVolume is enabled by the 4.8 kube-apiserver.

---

A new controller is added to create a configmap per namespace that is annotated for service ca injection. The controller is derived from the controller that creates configmaps for the root ca.

This new controller is being added in 4.7 to ensure that the service ca configmaps will be present in all namespaces in the cluster before an upgrade to 4.8 is attempted. An upgrade to 4.8 will enable the BoundServiceAccountTokenVolume feature and all new pods will expect the configmaps to already be present.

A similar strategy was pursued upstream, in that publication of root ca configmaps was added in a release previous to enablement of BoundServiceAccountTokenVolume.

/cc @s-urbaniak @stlaz @sttts @soltysh

[openshift-ci-robot]

@marun: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

• 2009739|UPSTREAM: : Ensure service ca is mounted for projected tokens: does not specify an upstream backport in the commit message

[openshift-ci]

@marun: This pull request references Bugzilla bug 1977383, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.7.z) matches configured target release for branch (4.7.z)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
• dependent bug Bugzilla bug 1946479 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
• dependent Bugzilla bug 1946479 targets the "4.8.0" release, which is one of the valid target releases: 4.8.0
• bug has dependents

Requesting review from QA contact:
/cc @wangke19

Details

In response to this:

Bug 1977383: Ensure service ca configmap is created in all namespaces

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@marun: This pull request references Bugzilla bug 1977383, which is valid.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.7.z) matches configured target release for branch (4.7.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
• dependent bug Bugzilla bug 1946479 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
• dependent Bugzilla bug 1946479 targets the "4.8.0" release, which is one of the valid target releases: 4.8.0
• bug has dependents

Requesting review from QA contact:
/cc @wangke19

Details

In response to this:

Bug 1977383: [release-4.7] Ensure service ca configmap is created in all namespaces

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[marun]

Marking WIP until openshift/origin#26283 merges.

[soltysh]

/lgtm
/approve

[s-urbaniak]

/retest

[openshift-ci]

@marun: This pull request references Bugzilla bug 1977383, which is valid.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.7.z) matches configured target release for branch (4.7.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
• dependent bug Bugzilla bug 1946479 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
• dependent Bugzilla bug 1946479 targets the "4.8.0" release, which is one of the valid target releases: 4.8.0
• bug has dependents

Requesting review from QA contact:
/cc @wangke19

Details

In response to this:

Bug 1977383: [release-4.7] Ensure service ca configmap is created in all namespaces

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[sdodson]

/retest
openshift/origin#26303 has merged

[openshift-ci]

@marun: This pull request references Bugzilla bug 1977383, which is valid.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.7.z) matches configured target release for branch (4.7.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
• dependent bug Bugzilla bug 1946479 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
• dependent Bugzilla bug 1946479 targets the "4.8.0" release, which is one of the valid target releases: 4.8.0
• bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Bugzilla ([email protected]), skipping review request.

Details

In response to this:

Bug 1977383: [release-4.7] Ensure service ca configmap is created in all namespaces

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[deads2k]

Is this injecting the same content contained in token secret's service-ca.crt? I remember seeing a bug that the content is different.

I want to see pods start properly during upgrades, but if we know that we're going to change the included content, it seems like we want to place the correct content in there to begin with.

[marun]

As per the thread on slack, my understanding was that we do not want to maintain token secret parity. Holding the PR until this discussion is resolved one way or another.

[marun]

/retest
/hold

[marun]

metal ipi is definitely unrelated and likely points to a broken job.

[deads2k]

/lgtm
/hold cancel

This doesn't harm 4.7.z and if we decide to go this direction, merging early will assist.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, marun, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS [deads2k,marun,soltysh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sdodson]

/override ci/prow/e2e-metal-ipi
Failed at infrastructure provisioning.

[openshift-ci]

@sdodson: Overrode contexts on behalf of sdodson: ci/prow/e2e-metal-ipi

Details

In response to this:

/override ci/prow/e2e-metal-ipi
Failed at infrastructure provisioning.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[deads2k]

We have to eat this change forever.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[marun]

/retest

Not sure why we're still gating on the cmd job? iirc it's not known to pass reliably against master.

[marun]

/retest

[sdodson]

/override ci/prow/e2e-aws-downgrade
Flakey since July 1
/override ci/prow/e2e-aws-serial
No chance this is related and has passed on previous runs of same commit.
/override ci/prow/e2e-aws-jenkins
Passed previously on the same commit.

[openshift-ci]

@sdodson: Overrode contexts on behalf of sdodson: ci/prow/e2e-aws-downgrade, ci/prow/e2e-aws-jenkins, ci/prow/e2e-aws-serial

Details

In response to this:

/override ci/prow/e2e-aws-downgrade
Flakey since July 1
/override ci/prow/e2e-aws-serial
No chance this is related and has passed on previous runs of same commit.
/override ci/prow/e2e-aws-jenkins
Passed previously on the same commit.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@marun: Some pull requests linked via external trackers have merged:

• openshift/kubernetes#834
• openshift/kubernetes#839
• openshift/kubernetes#843
• openshift/origin#26283

The following pull requests linked via external trackers have not merged:

• openshift/origin#26284 is open

These pull request must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Once unlinked, request a bug refresh with /bugzilla refresh.

Bugzilla bug 1977383 has not been moved to the MODIFIED state.

Details

In response to this:

Bug 1977383: [release-4.7] Ensure service ca configmap is created in all namespaces

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sdodson]

/bugzilla refresh

[openshift-ci]

@sdodson: Bugzilla bug 1977383 is in an unrecognized state (MODIFIED) and will not be moved to the MODIFIED state.

Details

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sdodson]

/bugzilla refresh

[openshift-ci]

@sdodson: All pull requests linked via external trackers have merged:

• openshift/kubernetes#834
• openshift/kubernetes#839
• openshift/kubernetes#843
• openshift/origin#26283
• openshift/origin#26303

Bugzilla bug 1977383 has been moved to the MODIFIED state.

Details

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.