OCPBUGS-55777: Sync OpenStack CA Bundles from legacy location #850

Merged
merged 2 commits into from
May 6, 2025

Conversation

stephenfin
Contributor

In #780, we added support for syncing CA bundles from the root credential secret to the generated credential secrets when running on OpenStack clouds. This is a big improvement for OpenShift developers, since it hugely simplifies how we obtain these in other operators and components and removes the need for a number of controllers. However, as things stand, it doesn't help users as it introduces a second place that they must consider when rotating credentials.

Long-term, we would like to remove the CA bundle from the cloud-providers config map. Doing so requires some rework of CCCMO as well as investigation into potential issues caused by CCM's role in early-stage bootstrapping. This isn't going to happen in OpenShift 4.19, so for now we opt to leave the current documentation around cert rotation as-is and simply sync the CA cert from the CCM config map to the root credential, if it's set. We can then revert this down the line if needed.

/hold

Where fmt.Errorf is called with a single string parameter, it is faster
and arguably more correct to call errors.New instead.

Signed-off-by: Stephen Finucane <[email protected]>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 17, 2025
@openshift-ci-robot
Contributor

openshift-ci-robot commented Apr 17, 2025

@stephenfin: This pull request references OSASINFRA-3780 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.19." or "openshift-4.19.", but it targets "openshift-4.20" instead.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 17, 2025
@openshift-ci openshift-ci bot requested review from jstuever and suhanime April 17, 2025 10:30
@stephenfin
Contributor Author

/jira refresh

@openshift-ci-robot
Contributor

openshift-ci-robot commented Apr 17, 2025

@stephenfin: This pull request references OSASINFRA-3780 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.19." or "openshift-4.19.", but it targets "openshift-4.20" instead.

In response to this:

/jira refresh

@stephenfin
Contributor Author

/jira refresh

@openshift-ci-robot
Contributor

openshift-ci-robot commented Apr 17, 2025

@stephenfin: This pull request references OSASINFRA-3780 which is a valid jira issue.

In response to this:

/jira refresh

@stephenfin
Contributor Author

/unhold

No point holding this solely due to broken CI. We'll retest once that's fixed.

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 17, 2025
@mandre
Member

mandre commented Apr 22, 2025

/retest

There's some rework needed around CCM and the docs to get users to start
using the new location of the CA cert. That is not going to happen in
4.19, so for now we opt to simply sync from the old place to the new
place and leave the existing docs in place. In a future release, we can
fully remove the old place (with a release note) and remove this syncer.

Signed-off-by: Stephen Finucane <[email protected]>
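The sync that both the PR description and the commit message above describe, reduced to plain Go over the config map data and the secret data, as an added example; this is not code from this PR or from cloud-credential-operator. The key names legacyCAKey and rootCAKey, the function names, and the SyncResult values are assumptions made for the illustration, and the self-signed certificate is constructed inline as sample input. Beyond what the PR states, the example validates the bundle before copying it, since a syncer that replicates whatever sits in the config map would also replicate a corrupt bundle or a stray private-key block into every generated secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed data keys (hypothetical; not taken from the operator's code).
const (
	legacyCAKey = "ca-bundle.pem" // key in the CCM cloud-provider config map
	rootCAKey   = "cacert"        // key in the root OpenStack credential secret
)

type SyncResult int
const (
	SyncSkippedNoLegacy SyncResult = iota // config map carries no bundle
	SyncRejected                          // bundle present but not a valid PEM cert chain
	SyncUnchanged                         // secret already holds the same bundle
	SyncUpdated                           // secret was written with the legacy bundle
)

// validateCABundle requires a non-empty sequence of PEM CERTIFICATE blocks that
// parse as X.509: an unparseable blob would break TLS verification in every
// consumer, and a stray private-key block would be copied into every namespace.
func validateCABundle(bundle []byte) error {
	rest, count := bundle, 0
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return fmt.Errorf("unexpected PEM block %q in CA bundle", block.Type)
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return fmt.Errorf("invalid certificate in CA bundle: %w", err)
		}
		count++
	}
	if count == 0 {
		return errors.New("CA bundle contains no PEM certificates")
	}
	return nil
}

// syncLegacyCABundle copies the bundle from config map data into secret data when
// present; the config map is the source of truth (the documented rotation place),
// so a differing secret value is overwritten; a rejected bundle leaves it untouched.
func syncLegacyCABundle(configMap map[string]string, secret map[string][]byte) (SyncResult, error) {
	legacy, ok := configMap[legacyCAKey]
	if !ok || legacy == "" {
		return SyncSkippedNoLegacy, nil
	}
	if err := validateCABundle([]byte(legacy)); err != nil {
		return SyncRejected, err
	}
	if string(secret[rootCAKey]) == legacy {
		return SyncUnchanged, nil
	}
	secret[rootCAKey] = []byte(legacy)
	return SyncUpdated, nil
}

// selfSignedCAPEM builds a throwaway self-signed CA as constructed sample input.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-demo-ca"},
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, _ := selfSignedCAPEM()
	secret := map[string][]byte{}
	res, err := syncLegacyCABundle(map[string]string{legacyCAKey: string(ca)}, secret)
	fmt.Println(res, err, len(secret[rootCAKey]) > 0) // 3 <nil> true
}
```

In a real controller the two maps would be the ConfigMap.Data and Secret.Data fetched from the API, and the SyncUpdated result is what decides whether an Update call (and a requeue of the dependent generated secrets) is needed; the SyncRejected path is where a defender wants an event or metric, because it means the documented rotation location holds something that is not a CA bundle.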

codecov bot commented Apr 23, 2025

Codecov Report

Attention: Patch coverage is 50.00000% with 6 lines in your changes missing coverage. Please review.

Project coverage is 47.04%. Comparing base (d66761c) to head (db1d8d6).
Report is 10 commits behind head on master.

Files with missing lines                                 Patch %   Lines
...g/operator/secretannotator/openstack/reconciler.go    50.00%    4 Missing and 2 partials ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #850      +/-   ##
==========================================
- Coverage   47.05%   47.04%   -0.02%     
==========================================
  Files          97       97              
  Lines       11880    11889       +9     
==========================================
+ Hits         5590     5593       +3     
- Misses       5676     5680       +4     
- Partials      614      616       +2     
Files with missing lines                                 Coverage Δ
...g/operator/secretannotator/openstack/reconciler.go    53.67% <50.00%> (-1.45%) ⬇️
@jstuever
Contributor

/test list

Contributor

openshift-ci bot commented Apr 24, 2025

@jstuever: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test coverage
/test e2e-aws-ovn
/test e2e-azure-manual-oidc
/test e2e-hypershift
/test e2e-upgrade
/test images
/test security
/test unit
/test verify
/test verify-deps

The following commands are available to trigger optional jobs:

/test e2e-aws-manual-oidc
/test e2e-aws-qe
/test e2e-azure
/test e2e-azure-upgrade
/test e2e-gcp
/test e2e-gcp-manual-oidc
/test e2e-openstack
/test e2e-openstack-parallel
/test okd-scos-e2e-aws-ovn
/test okd-scos-images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-cloud-credential-operator-master-coverage
pull-ci-openshift-cloud-credential-operator-master-e2e-aws-ovn
pull-ci-openshift-cloud-credential-operator-master-e2e-aws-qe
pull-ci-openshift-cloud-credential-operator-master-e2e-hypershift
pull-ci-openshift-cloud-credential-operator-master-e2e-upgrade
pull-ci-openshift-cloud-credential-operator-master-images
pull-ci-openshift-cloud-credential-operator-master-okd-scos-e2e-aws-ovn
pull-ci-openshift-cloud-credential-operator-master-security
pull-ci-openshift-cloud-credential-operator-master-unit
pull-ci-openshift-cloud-credential-operator-master-verify
pull-ci-openshift-cloud-credential-operator-master-verify-deps

In response to this:

/test list

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jstuever
Contributor

/test e2e-openstack

@jstuever
Contributor

/override ci/prow/security
There is another bug to handle this issue.

@jstuever
Contributor

/test okd-scos-e2e-aws-ovn

Contributor

openshift-ci bot commented Apr 24, 2025

@jstuever: Overrode contexts on behalf of jstuever: ci/prow/security

In response to this:

/override ci/prow/security
There is another bug to handle this issue.

Contributor

openshift-ci bot commented Apr 24, 2025

@stephenfin: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                       Commit    Details   Required   Rerun command
ci/prow/okd-scos-e2e-aws-ovn    db1d8d6   link      false      /test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@stephenfin stephenfin changed the title OSASINFRA-3780: Sync OpenStack CA Bundles from legacy location OCPBUGS-55777: Sync OpenStack CA Bundles from legacy location May 6, 2025
@openshift-ci-robot
Contributor

@stephenfin: This pull request references Jira Issue OCPBUGS-55777, which is invalid:

  • expected the bug to target either version "4.20." or "openshift-4.20.", but it targets "4.19.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 6, 2025
@stephenfin
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 6, 2025
@openshift-ci-robot
Contributor

@stephenfin: This pull request references Jira Issue OCPBUGS-55777, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

@stephenfin
Contributor Author

/cherry-pick release-4.19

@openshift-cherrypick-robot

@stephenfin: once the present PR merges, I will cherry-pick it on top of release-4.19 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.19

Contributor

@jstuever jstuever left a comment

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 6, 2025
Contributor

openshift-ci bot commented May 6, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jstuever, stephenfin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 6, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit aa065ca into openshift:master May 6, 2025
12 of 13 checks passed
@openshift-merge-bot openshift-merge-bot bot deleted the cafile-syncer branch May 6, 2025 21:55
@openshift-ci-robot
Contributor

@stephenfin: Jira Issue OCPBUGS-55777: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-55777 has been moved to the MODIFIED state.

@openshift-cherrypick-robot

@stephenfin: new pull request created: #856

In response to this:

/cherry-pick release-4.19

@openshift-bot
Contributor

[ART PR BUILD NOTIFIER]

Distgit: ose-cloud-credential-operator
This PR has been included in build ose-cloud-credential-operator-container-v4.20.0-202505070015.p0.gaa065ca.assembly.stream.el9.
All builds following this will include this PR.
