Merge pull request #2725 from dlom/HIVE-2891

HIVE-2891: Make hive able to run as a private image

Author: openshift-merge-bot[bot]

config/controllers/hive_controllers_serviceaccount.yaml

@@ -3,6 +3,3 @@ kind: ServiceAccount
 metadata:
   name: hive-controllers
   namespace: hive
-imagePullSecrets:
-# TODO: don't hardcode this in this file.  As far as I can tell, this is harmless if the secret doesn't exist
-- name: quay.io

config/hiveadmission/service-account.yaml

@@ -4,6 +4,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: hiveadmission
-imagePullSecrets:
-# TODO: don't hardcode this in this file.  As far as I can tell, this is harmless if the secret doesn't exist
-- name: quay.io

config/operator/operator_deployment.yaml

@@ -63,6 +63,14 @@ spec:
               fieldPath: metadata.namespace
         - name: TMPDIR
           value: /tmp
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
         securityContext:
           privileged: false
           readOnlyRootFilesystem: true

hack/app-sre/saas-template.yaml

@@ -11327,6 +11327,14 @@ objects:
                 fieldPath: metadata.namespace
           - name: TMPDIR
             value: /tmp
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
           image: ${REGISTRY_IMG}@${IMAGE_DIGEST}
           imagePullPolicy: Always
           livenessProbe:

pkg/controller/clusterdeployment/clusterdeployment_controller.go

@@ -319,28 +319,24 @@ type ReconcileClusterDeployment struct {
 
 	protectedDelete bool
 
-	// nodeSelector is copied from the hive-controllers pod and must be included in any Jobs we create from here.
-	nodeSelector *map[string]string
-
-	// tolerations is copied from the hive-controllers pod and must be included in any Jobs we create from here.
-	tolerations *[]corev1.Toleration
+	// sharedPodConfig is copied from the hive-controllers pod and must be included in any Jobs we create from here.
+	sharedPodConfig *controllerutils.SharedPodConfig
 }
 
 // Reconcile reads that state of the cluster for a ClusterDeployment object and makes changes based on the state read
 // and what is in the ClusterDeployment.Spec
 func (r *ReconcileClusterDeployment) Reconcile(ctx context.Context, request reconcile.Request) (result reconcile.Result, returnErr error) {
 	cdLog := controllerutils.BuildControllerLogger(ControllerName, "clusterDeployment", request.NamespacedName)
 
-	// Discover scheduling settings from the controller. We would like to do this in NewReconciler,
+	// Discover settings from the controller. We would like to do this in NewReconciler,
 	// but we can't count on the cache having been started at that point.
-	if r.nodeSelector == nil || r.tolerations == nil {
-		thisPod, err := controllerutils.GetThisPod(r)
+	if r.sharedPodConfig == nil {
+		sharedPodConfig, err := controllerutils.ReadSharedConfigFromThisPod(r)
 		if err != nil {
-			cdLog.WithError(err).Error("Failed to retrieve the running pod")
+			cdLog.WithError(err).Error("error reading shared pod config")
 			return reconcile.Result{}, err
 		}
-		r.nodeSelector = &thisPod.Spec.NodeSelector
-		r.tolerations = &thisPod.Spec.Tolerations
+		r.sharedPodConfig = sharedPodConfig
 	}
 
 	cdLog.Info("reconciling cluster deployment")
@@ -1104,8 +1100,8 @@ func (r *ReconcileClusterDeployment) resolveInstallerImage(cd *hivev1.ClusterDep
 			os.Getenv("HTTP_PROXY"),
 			os.Getenv("HTTPS_PROXY"),
 			os.Getenv("NO_PROXY"),
-			*r.nodeSelector,
-			*r.tolerations)
+			*r.sharedPodConfig,
+		)
 
 		cdLog.WithField("derivedObject", job.Name).Debug("Setting labels on derived object")
 		job.Labels = k8slabels.AddLabel(job.Labels, constants.ClusterDeploymentNameLabel, cd.Name)

pkg/controller/clusterdeployment/clusterdeployment_controller_test.go

@@ -3589,8 +3589,7 @@ platform:
 					(schema.GroupVersionKind{Group: "hive.openshift.io", Version: "v1", Kind: "FakeClusterInstall"}).String(): {},
 				},
 				releaseImageVerifier: test.riVerifier,
-				nodeSelector:         &map[string]string{},
-				tolerations:          &[]corev1.Toleration{},
+				sharedPodConfig:      &controllerutils.SharedPodConfig{},
 			}
 
 			if test.reconcilerSetup != nil {
@@ -3667,8 +3666,7 @@ func TestClusterDeploymentReconcileResults(t *testing.T) {
 				logger:                        logger,
 				expectations:                  controllerExpectations,
 				remoteClusterAPIClientBuilder: func(*hivev1.ClusterDeployment) remoteclient.Builder { return mockRemoteClientBuilder },
-				nodeSelector:                  &map[string]string{},
-				tolerations:                   &[]corev1.Toleration{},
+				sharedPodConfig:               &controllerutils.SharedPodConfig{},
 			}
 
 			reconcileResult, err := rcd.Reconcile(context.TODO(), reconcile.Request{
@@ -3787,10 +3785,9 @@ func TestDeleteStaleProvisions(t *testing.T) {
 			}
 			fakeClient := testfake.NewFakeClientBuilder().WithRuntimeObjects(provisions...).Build()
 			rcd := &ReconcileClusterDeployment{
-				Client:       fakeClient,
-				scheme:       scheme.GetScheme(),
-				nodeSelector: &map[string]string{},
-				tolerations:  &[]corev1.Toleration{},
+				Client:          fakeClient,
+				scheme:          scheme.GetScheme(),
+				sharedPodConfig: &controllerutils.SharedPodConfig{},
 			}
 			rcd.deleteStaleProvisions(getProvisions(fakeClient), log.WithField("test", "TestDeleteStaleProvisions"))
 			actualAttempts := []int{}
@@ -3841,10 +3838,9 @@ func TestDeleteOldFailedProvisions(t *testing.T) {
 			scheme := scheme.GetScheme()
 			fakeClient := testfake.NewFakeClientBuilder().WithRuntimeObjects(provisions...).Build()
 			rcd := &ReconcileClusterDeployment{
-				Client:       fakeClient,
-				scheme:       scheme,
-				nodeSelector: &map[string]string{},
-				tolerations:  &[]corev1.Toleration{},
+				Client:          fakeClient,
+				scheme:          scheme,
+				sharedPodConfig: &controllerutils.SharedPodConfig{},
 			}
 			rcd.deleteOldFailedProvisions(getProvisions(fakeClient), log.WithField("test", "TestDeleteOldFailedProvisions"))
 			assert.Len(t, getProvisions(fakeClient), tc.expectedNumberOfProvisionsAfterDeletion, "unexpected provisions kept")
@@ -4366,8 +4362,7 @@ func TestUpdatePullSecretInfo(t *testing.T) {
 				validateCredentialsForClusterDeployment: func(client.Client, *hivev1.ClusterDeployment, log.FieldLogger) (bool, error) {
 					return true, nil
 				},
-				nodeSelector: &map[string]string{},
-				tolerations:  &[]corev1.Toleration{},
+				sharedPodConfig: &controllerutils.SharedPodConfig{},
 			}
 
 			_, err := rcd.Reconcile(context.TODO(), reconcile.Request{
@@ -4528,8 +4523,7 @@ func TestMergePullSecrets(t *testing.T) {
 				scheme:                        scheme,
 				logger:                        log.WithField("controller", "clusterDeployment"),
 				remoteClusterAPIClientBuilder: func(*hivev1.ClusterDeployment) remoteclient.Builder { return mockRemoteClientBuilder },
-				nodeSelector:                  &map[string]string{},
-				tolerations:                   &[]corev1.Toleration{},
+				sharedPodConfig:               &controllerutils.SharedPodConfig{},
 			}
 
 			cd := getCDFromClient(rcd.Client)
@@ -4596,8 +4590,7 @@ func TestCopyInstallLogSecret(t *testing.T) {
 				scheme:                        scheme,
 				logger:                        log.WithField("controller", "clusterDeployment"),
 				remoteClusterAPIClientBuilder: func(*hivev1.ClusterDeployment) remoteclient.Builder { return mockRemoteClientBuilder },
-				nodeSelector:                  &map[string]string{},
-				tolerations:                   &[]corev1.Toleration{},
+				sharedPodConfig:               &controllerutils.SharedPodConfig{},
 			}
 
 			for i, envVar := range test.existingEnvVars {
@@ -4780,8 +4773,7 @@ func TestEnsureManagedDNSZone(t *testing.T) {
 				scheme:                        scheme,
 				logger:                        log.WithField("controller", "clusterDeployment"),
 				remoteClusterAPIClientBuilder: func(*hivev1.ClusterDeployment) remoteclient.Builder { return mockRemoteClientBuilder },
-				nodeSelector:                  &map[string]string{},
-				tolerations:                   &[]corev1.Toleration{},
+				sharedPodConfig:               &controllerutils.SharedPodConfig{},
 			}
 
 			// act
@@ -4985,10 +4977,9 @@ spacing problem!
 		t.Run(test.name, func(t *testing.T) {
 			fakeClient := testfake.NewFakeClientBuilder().WithRuntimeObjects(filterNils(test.cd, test.icSecret)...).Build()
 			r := &ReconcileClusterDeployment{
-				Client:       fakeClient,
-				scheme:       scheme.GetScheme(),
-				nodeSelector: &map[string]string{},
-				tolerations:  &[]corev1.Toleration{},
+				Client:          fakeClient,
+				scheme:          scheme.GetScheme(),
+				sharedPodConfig: &controllerutils.SharedPodConfig{},
 			}
 
 			if gotReturn := r.discoverAWSHostedZoneRole(test.cd, logger); gotReturn != test.wantReturn {
@@ -5242,8 +5233,7 @@ platform:
 				Client:                        fakeClient,
 				scheme:                        scheme,
 				remoteClusterAPIClientBuilder: func(*hivev1.ClusterDeployment) remoteclient.Builder { return mockRemoteClientBuilder },
-				nodeSelector:                  &map[string]string{},
-				tolerations:                   &[]corev1.Toleration{},
+				sharedPodConfig:               &controllerutils.SharedPodConfig{},
 			}
 
 			if gotReturn := r.discoverAzureResourceGroup(test.cd, logger); gotReturn != test.wantReturn {
@@ -5430,10 +5420,9 @@ spacing problem!
 		t.Run(test.name, func(t *testing.T) {
 			fakeClient := testfake.NewFakeClientBuilder().WithRuntimeObjects(filterNils(test.cd, test.icSecret)...).Build()
 			r := &ReconcileClusterDeployment{
-				Client:       fakeClient,
-				scheme:       scheme.GetScheme(),
-				nodeSelector: &map[string]string{},
-				tolerations:  &[]corev1.Toleration{},
+				Client:          fakeClient,
+				scheme:          scheme.GetScheme(),
+				sharedPodConfig: &controllerutils.SharedPodConfig{},
 			}
 
 			if gotReturn := r.discoverGCPNetworkProjectID(test.cd, logger); gotReturn != test.wantReturn {

pkg/controller/clusterdeprovision/clusterdeprovision_controller.go

@@ -140,28 +140,24 @@ type ReconcileClusterDeprovision struct {
 	scheme               *runtime.Scheme
 	deprovisionsDisabled bool
 
-	// nodeSelector is copied from the hive-controllers pod and must be included in any Jobs we create from here.
-	nodeSelector *map[string]string
-
-	// tolerations is copied from the hive-controllers pod and must be included in any Jobs we create from here.
-	tolerations *[]corev1.Toleration
+	// sharedPodConfig is copied from the hive-controllers pod and must be included in any Jobs we create from here.
+	sharedPodConfig *controllerutils.SharedPodConfig
 }
 
 // Reconcile reads that state of the cluster for a ClusterDeprovision object and makes changes based on the state read
 // and what is in the ClusterDeprovision.Spec
 func (r *ReconcileClusterDeprovision) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	rLog := controllerutils.BuildControllerLogger(ControllerName, "clusterDeprovision", request.NamespacedName)
 
-	// Discover scheduling settings from the controller. We would like to do this in newReconciler,
+	// Discover settings from the controller. We would like to do this in newReconciler,
 	// but we can't count on the cache having been started at that point.
-	if r.nodeSelector == nil || r.tolerations == nil {
-		thisPod, err := controllerutils.GetThisPod(r)
+	if r.sharedPodConfig == nil {
+		sharedPodConfig, err := controllerutils.ReadSharedConfigFromThisPod(r)
 		if err != nil {
-			rLog.WithError(err).Error("Failed to retrieve the running pod")
+			rLog.WithError(err).Error("error reading shared pod config")
 			return reconcile.Result{}, err
 		}
-		r.nodeSelector = &thisPod.Spec.NodeSelector
-		r.tolerations = &thisPod.Spec.Tolerations
+		r.sharedPodConfig = sharedPodConfig
 	}
 
 	// For logging, we need to see when the reconciliation loop starts and ends.
@@ -307,8 +303,8 @@ func (r *ReconcileClusterDeprovision) Reconcile(ctx context.Context, request rec
 		os.Getenv("HTTPS_PROXY"),
 		os.Getenv("NO_PROXY"),
 		extraEnvVars,
-		*r.nodeSelector,
-		*r.tolerations)
+		*r.sharedPodConfig,
+	)
 	if err != nil {
 		rLog.Errorf("error generating uninstaller job: %v", err)
 		return reconcile.Result{}, err

pkg/controller/clusterdeprovision/clusterdeprovision_controller_test.go

@@ -296,8 +296,7 @@ func TestClusterDeprovisionReconcile(t *testing.T) {
 				Client:               mocks.fakeKubeClient,
 				scheme:               scheme,
 				deprovisionsDisabled: test.deprovisionsDisabled,
-				nodeSelector:         &map[string]string{},
-				tolerations:          &[]corev1.Toleration{},
+				sharedPodConfig:      &controllerutils.SharedPodConfig{},
 			}
 
 			// Save the list of actuators so that it can be restored at the end of this test
@@ -377,7 +376,7 @@ func testClusterDeployment() *hivev1.ClusterDeployment {
 // specified conditions.
 func testUninstallJob(conditions ...batchv1.JobCondition) *batchv1.Job {
 	uninstallJob, _ := install.GenerateUninstallerJobForDeprovision(testClusterDeprovision(),
-		"someserviceaccount", "", "", "", nil, map[string]string{}, []corev1.Toleration{})
+		"someserviceaccount", "", "", "", nil, controllerutils.SharedPodConfig{})
 	hash, err := controllerutils.CalculateJobSpecHash(uninstallJob)
 	if err != nil {
 		panic("should never get error calculating job spec hash")

pkg/controller/clusterprovision/clusterprovision_controller.go

@@ -131,28 +131,24 @@ type ReconcileClusterProvision struct {
 	// A TTLCache of job creates each clusterprovision expects to see
 	expectations controllerutils.ExpectationsInterface
 
-	// nodeSelector is copied from the hive-controllers pod and must be included in any Jobs we create from here.
-	nodeSelector *map[string]string
-
-	// tolerations is copied from the hive-controllers pod and must be included in any Jobs we create from here.
-	tolerations *[]corev1.Toleration
+	// sharedPodConfig is copied from the hive-controllers pod and must be included in any Jobs we create from here.
+	sharedPodConfig *controllerutils.SharedPodConfig
 }
 
 // Reconcile reads that state of the cluster for a ClusterProvision object and makes changes based on the state read
 // and what is in the ClusterProvision.Spec
 func (r *ReconcileClusterProvision) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
 	pLog := controllerutils.BuildControllerLogger(ControllerName, "clusterProvision", request.NamespacedName)
 
-	// Discover scheduling settings from the controller. We would like to do this in newReconciler,
+	// Discover settings from the controller. We would like to do this in newReconciler,
 	// but we can't count on the cache having been started at that point.
-	if r.nodeSelector == nil || r.tolerations == nil {
-		thisPod, err := controllerutils.GetThisPod(r)
+	if r.sharedPodConfig == nil {
+		sharedPodConfig, err := controllerutils.ReadSharedConfigFromThisPod(r)
 		if err != nil {
-			pLog.WithError(err).Error("Failed to retrieve the running pod")
+			pLog.WithError(err).Error("error reading shared pod config")
 			return reconcile.Result{}, err
 		}
-		r.nodeSelector = &thisPod.Spec.NodeSelector
-		r.tolerations = &thisPod.Spec.Tolerations
+		r.sharedPodConfig = sharedPodConfig
 	}
 
 	pLog.Info("reconciling cluster provision")
@@ -235,7 +231,7 @@ func (r *ReconcileClusterProvision) reconcileNewProvision(instance *hivev1.Clust
 }
 
 func (r *ReconcileClusterProvision) createJob(instance *hivev1.ClusterProvision, pLog log.FieldLogger) (reconcile.Result, error) {
-	job, err := install.GenerateInstallerJob(instance, *r.nodeSelector, *r.tolerations)
+	job, err := install.GenerateInstallerJob(instance, *r.sharedPodConfig)
 	if err != nil {
 		pLog.WithError(err).Error("error generating install job")
 		return reconcile.Result{}, err

pkg/controller/clusterprovision/clusterprovision_controller_test.go

@@ -269,12 +269,11 @@ func TestClusterProvisionReconcile(t *testing.T) {
 			fakeClient := testfake.NewFakeClientBuilder().WithRuntimeObjects(test.existing...).Build()
 			controllerExpectations := controllerutils.NewExpectations(logger)
 			rcp := &ReconcileClusterProvision{
-				Client:       fakeClient,
-				scheme:       scheme,
-				logger:       logger,
-				expectations: controllerExpectations,
-				nodeSelector: &map[string]string{},
-				tolerations:  &[]corev1.Toleration{},
+				Client:          fakeClient,
+				scheme:          scheme,
+				logger:          logger,
+				expectations:    controllerExpectations,
+				sharedPodConfig: &controllerutils.SharedPodConfig{},
 			}
 
 			reconcileRequest := reconcile.Request{
@@ -351,7 +350,7 @@ func testProvision(opts ...tcp.Option) *hivev1.ClusterProvision {
 
 func testJob(opts ...testjob.Option) *batchv1.Job {
 	provision := testProvision()
-	job, err := install.GenerateInstallerJob(provision, map[string]string{}, []corev1.Toleration{})
+	job, err := install.GenerateInstallerJob(provision, controllerutils.SharedPodConfig{})
 	if err != nil {
 		panic("should not error while generating test install job")
 	}
@@ -561,10 +560,9 @@ compute:
 			}
 			fakeClient := testfake.NewFakeClientBuilder().WithRuntimeObjects(icSecret).Build()
 			rcp := &ReconcileClusterProvision{
-				Client:       fakeClient,
-				logger:       logger,
-				nodeSelector: &map[string]string{},
-				tolerations:  &[]corev1.Toleration{},
+				Client:          fakeClient,
+				logger:          logger,
+				sharedPodConfig: &controllerutils.SharedPodConfig{},
 			}
 
 			if got := rcp.getWorkers(*cd); got != test.want {