diff --git a/api/hypershift/v1beta1/hostedcluster_types.go b/api/hypershift/v1beta1/hostedcluster_types.go
index d99f765f090..2a6a7d84fca 100644
--- a/api/hypershift/v1beta1/hostedcluster_types.go
+++ b/api/hypershift/v1beta1/hostedcluster_types.go
@@ -674,10 +674,11 @@ type HostedClusterSpec struct {
 // pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON.
 // If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state.
 // TODO(alberto): Signal this in a condition.
- // This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster
- // and it will be injected into the container runtime of all NodePools.
- // Changing this value will trigger a rollout for all existing NodePools in the cluster.
- // Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour.
+ // This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision.
+ // Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types).
+ // Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout.
+ // In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes
+ // will still propagate the updated credentials down to the guest cluster and kubelet config.
 // +required
 // +rollout
 // TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes.
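Review bot: The rewritten pullSecret comment leaves the in-place update behaviour unstated for every case other than AWS/Azure NodePools with the Replace strategy, and that is the case an operator rotating a compromised registry credential most needs to know about; the removed fourth line at least warned that in-place changes "might result in unpredictable behaviour". If existing nodes on other platforms, or under InPlace upgrades, keep the credentials they were provisioned with until the next rollout — which the hunk does not show — say so explicitly, e.g. `// On other platforms, and for InPlace NodePools, existing nodes keep the previously provisioned credentials until the next rollout.` The last added line also reads awkwardly; `in-place changes to the Secret's data will still propagate` is clearer than `the Secret's data in place changes will still propagate`. The same text is replicated into the generated CRD manifests in this commit, so it should be fixed here and regenerated.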
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml index b5222bb3375..44e56e67fd5 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml @@ -5690,10 +5690,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml index 70641ae031d..636b4970874 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml @@ -5809,10 +5809,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml index cc3c053f800..70f2a9b3530 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml @@ -5673,10 +5673,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml index de1dc8aa58a..f5ba9fa3826 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml @@ -5693,10 +5693,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml index 6630d27aeb2..cc29eaa6e79 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml @@ -6006,10 +6006,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index d4c1bdd7fcf..3665db71b15 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -6146,10 +6146,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml index 7822b30358e..3019a14066a 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml @@ -6127,10 +6127,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml index 6c6fdc61639..687a2f7d807 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml @@ -6093,10 +6093,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml index 9f942554898..63e6335ed76 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml @@ -5738,10 +5738,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml index 45c638c0545..5a2781e3855 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml @@ -5695,10 +5695,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml index 1dd0ce8473d..512eb0c5088 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml @@ -5691,10 +5691,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml index 0fbf3783689..06a178dccd4 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml @@ -5749,10 +5749,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml index a9550f13ec1..079a6c48dcd 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml @@ -6224,10 +6224,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml index a3663b2d3ca..87eef962d99 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml @@ -7572,10 +7572,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml index 8e955327ae9..35463dc73c2 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml @@ -6183,10 +6183,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml index 72f606f53dc..1f1c2e80418 100644 --- a/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -7483,10 +7483,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup.go b/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup.go
index 6ec2a951f20..278d71184ab 100644
--- a/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup.go
+++ b/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "os"
 
+ "github.com/openshift/hypershift/control-plane-operator/hostedclusterconfigoperator/controllers/resources/manifests"
 "github.com/openshift/hypershift/control-plane-operator/hostedclusterconfigoperator/operator"
 
 corev1 "k8s.io/api/core/v1"
@@ -15,14 +16,12 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/controller"
 "sigs.k8s.io/controller-runtime/pkg/handler"
 "sigs.k8s.io/controller-runtime/pkg/predicate"
+ "sigs.k8s.io/controller-runtime/pkg/reconcile"
 "sigs.k8s.io/controller-runtime/pkg/source"
 )
 
 func Setup(ctx context.Context, opts *operator.HostedClusterConfigOperatorConfig) error {
- // Create a predicate for the pull-secret
- secretPredicate := predicate.NewPredicateFuncs(func(o crclient.Object) bool {
- return o.GetNamespace() == "kube-system"
- })
+ secretPredicate := predicate.NewPredicateFuncs(kubeSystemSecretPredicateFunc)
 
 // Create a cache for the kube-system namespace
 kubeSystemCache, err := cache.New(opts.Manager.GetConfig(), cache.Options{
@@ -96,5 +95,28 @@ func Setup(ctx context.Context, opts *operator.HostedClusterConfigOperatorConfig
 		return fmt.Errorf("failed to watch kube-system secrets: %w", err)
 	}
 
+	// Watch the CP namespace pull-secret so in-place updates to HostedCluster.spec.pullSecret
+	// promptly reconcile kube-system/original-pull-secret (and global-pull-secret) in the guest.
+	cpPullSecret := manifests.PullSecret(opts.Namespace)
+	cpPullSecretPredicate := predicate.NewPredicateFuncs(namespacedNamePredicateFunc(cpPullSecret.Namespace, cpPullSecret.Name))
+	cpEventHandler := handler.EnqueueRequestsFromMapFunc(staticReconcileMapper)
+	if err := c.Watch(source.Kind[crclient.Object](opts.CPCluster.GetCache(), &corev1.Secret{}, cpEventHandler, cpPullSecretPredicate)); err != nil {
+		return fmt.Errorf("failed to watch control plane pull secret: %w", err)
+	}
+
 	return nil
 }
+
+func kubeSystemSecretPredicateFunc(o crclient.Object) bool {
+	return o.GetNamespace() == "kube-system"
+}
+
+func namespacedNamePredicateFunc(namespace, name string) func(crclient.Object) bool {
+	return func(o crclient.Object) bool {
+		return o.GetNamespace() == namespace && o.GetName() == name
+	}
+}
+
+func staticReconcileMapper(_ context.Context, _ crclient.Object) []reconcile.Request {
+	return []reconcile.Request{{}}
+}
diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup_test.go b/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup_test.go
new file mode 100644
index 00000000000..b471cce2632
--- /dev/null
+++ b/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup_test.go
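Review bot: `source.Kind` over `opts.CPCluster.GetCache()` for `&corev1.Secret{}` registers a Secret informer on the control-plane cache, and `cpPullSecretPredicate` only filters events, not what that informer lists and keeps in memory, so unless the CP cluster cache is already restricted to `opts.Namespace` the process now holds every Secret the control-plane kubeconfig can read. That cache's configuration is outside this hunk, so it may already be scoped; if not, limiting the Secret informer (for example `cache.Options.ByObject` with a namespace or `metadata.name` field selector) keeps the credential footprint bounded, and the identical watch added in resources.go (hunk at line 311) shares this concern. Separately, `staticReconcileMapper` enqueues a request with an empty `NamespacedName`, which is only correct if the globalps reconciler ignores the request key; its Reconcile is not visible here, so a comment such as `// staticReconcileMapper enqueues one key-less request; the reconciler must not rely on the request key.` would make that contract explicit. The other two new helpers also lack doc comments.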
@@ -0,0 +1,89 @@
+package globalps
+
+import (
+	"context"
+	"testing"
+
+	. "github.com/onsi/gomega"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func Test_kubeSystemSecretPredicateFunc(t *testing.T) {
+	tests := []struct {
+		name string
+		object *corev1.Secret
+		want bool
+	}{
+		{
+			name: "When secret is in kube-system it should return true",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "kube-system", Name: "any-secret"},
+			},
+			want: true,
+		},
+		{
+			name: "When secret is in a different namespace it should return false",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "openshift-config", Name: "pull-secret"},
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			g.Expect(kubeSystemSecretPredicateFunc(tt.object)).To(Equal(tt.want))
+		})
+	}
+}
+
+func Test_namespacedNamePredicateFunc(t *testing.T) {
+	predicate := namespacedNamePredicateFunc("my-hcp-namespace", "pull-secret")
+
+	tests := []struct {
+		name string
+		object *corev1.Secret
+		want bool
+	}{
+		{
+			name: "When namespace and name match it should return true",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "my-hcp-namespace", Name: "pull-secret"},
+			},
+			want: true,
+		},
+		{
+			name: "When namespace differs it should return false",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "other-namespace", Name: "pull-secret"},
+			},
+			want: false,
+		},
+		{
+			name: "When name differs it should return false",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "my-hcp-namespace", Name: "other-secret"},
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			g.Expect(predicate(tt.object)).To(Equal(tt.want))
+		})
+	}
+}
+
+func Test_staticReconcileMapper(t *testing.T) {
+	t.Run("When called it should return a single empty reconcile request", func(t *testing.T) {
+		g := NewWithT(t)
+		requests := staticReconcileMapper(context.Background(), &corev1.Secret{})
+		g.Expect(requests).To(HaveLen(1))
+		g.Expect(requests[0].NamespacedName.String()).To(Equal("/"))
+	})
+}
diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
index 05eef030e4c..374fef72417 100644
--- a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
+++ b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
@@ -311,9 +311,25 @@ func Setup(ctx context.Context, opts *operator.HostedClusterConfigOperatorConfig
 		return fmt.Errorf("failed to watch Route: %w", err)
 	}
 
+	// Watch HostedControlPlane namespace pull-secret on the control plane cluster so guest pull secrets
+	// (openshift-config, openshift) reconcile promptly when the hypershift-operator
+	// syncs in-place updates from HostedCluster.spec.pullSecret.
+	// The globalps controller has its own CP pull-secret watch for kube-system/original-pull-secret.
+	cpPullSecret := manifests.PullSecret(opts.Namespace)
+	cpPullSecretPredicate := predicate.NewPredicateFuncs(namespacedNamePredicateFunc(cpPullSecret.Namespace, cpPullSecret.Name))
+	if err := c.Watch(source.Kind[client.Object](opts.CPCluster.GetCache(), &corev1.Secret{}, eventHandler(), cpPullSecretPredicate)); err != nil {
+		return fmt.Errorf("failed to watch control plane pull secret: %w", err)
+	}
+
 	return nil
 }
 
+func namespacedNamePredicateFunc(namespace, name string) func(client.Object) bool {
+	return func(o client.Object) bool {
+		return o.GetNamespace() == namespace && o.GetName() == name
+	}
+}
+
 func (r *reconciler) Reconcile(ctx context.Context, _ ctrl.Request) (ctrl.Result, error) {
 	log := ctrl.LoggerFrom(ctx)
 	log.Info("Reconciling")
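Review bot: `namespacedNamePredicateFunc` is now defined twice with the same body, here and in globalps/setup.go (hunk at line 96), each with its own copy of the same table test; one shared helper would keep the two pull-secret watches from drifting, and both copies are undocumented. If it must stay package-local, a doc comment such as `// namespacedNamePredicateFunc returns a predicate that matches only the object with the given namespace and name.` belongs on it. Setup's body starts before this hunk.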
diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go
index 7260aec5a72..ab476e6f6af 100644
--- a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go
+++ b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go
@@ -3042,3 +3042,42 @@ func TestReconcileMetricsForwarder(t *testing.T) {
 		})
 	}
 }
+
+func Test_namespacedNamePredicateFunc(t *testing.T) {
+	predicate := namespacedNamePredicateFunc("my-hcp-namespace", "pull-secret")
+
+	tests := []struct {
+		name string
+		object client.Object
+		want bool
+	}{
+		{
+			name: "When namespace and name match it should return true",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "my-hcp-namespace", Name: "pull-secret"},
+			},
+			want: true,
+		},
+		{
+			name: "When namespace differs it should return false",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "other-namespace", Name: "pull-secret"},
+			},
+			want: false,
+		},
+		{
+			name: "When name differs it should return false",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "my-hcp-namespace", Name: "other-secret"},
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			g.Expect(predicate(tt.object)).To(Equal(tt.want))
+		})
+	}
+}
diff --git a/docs/content/reference/aggregated-docs.md b/docs/content/reference/aggregated-docs.md
index 99d7dcdb582..84276ddfcdc 100644
--- a/docs/content/reference/aggregated-docs.md
+++ b/docs/content/reference/aggregated-docs.md
@@ -31177,10 +31177,11 @@ Kubernetes core/v1.LocalObjectReference
pullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. TODO(alberto): Signal this in a condition. -This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster -and it will be injected into the container runtime of all NodePools. -Changing this value will trigger a rollout for all existing NodePools in the cluster. -Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. +This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. +Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). +Updating the referenced Secret’s data in place (without changing this reference) does not trigger that rollout. +In AWS and Azure NodePools using the Replace upgrade strategy, the Secret’s data in place changes +will still propagate the updated credentials down to the guest cluster and kubelet config. TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes.
@@ -39418,10 +39419,11 @@ Kubernetes core/v1.LocalObjectReferencepullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. TODO(alberto): Signal this in a condition. -This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster -and it will be injected into the container runtime of all NodePools. -Changing this value will trigger a rollout for all existing NodePools in the cluster. -Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. +This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. +Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). +Updating the referenced Secret’s data in place (without changing this reference) does not trigger that rollout. +In AWS and Azure NodePools using the Replace upgrade strategy, the Secret’s data in place changes +will still propagate the updated credentials down to the guest cluster and kubelet config. TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes.
diff --git a/docs/content/reference/api.md b/docs/content/reference/api.md index 1d6c5b273a4..023503430cf 100644 --- a/docs/content/reference/api.md +++ b/docs/content/reference/api.md @@ -726,10 +726,11 @@ Kubernetes core/v1.LocalObjectReferencepullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. TODO(alberto): Signal this in a condition. -This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster -and it will be injected into the container runtime of all NodePools. -Changing this value will trigger a rollout for all existing NodePools in the cluster. -Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. +This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. +Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). +Updating the referenced Secret’s data in place (without changing this reference) does not trigger that rollout. +In AWS and Azure NodePools using the Replace upgrade strategy, the Secret’s data in place changes +will still propagate the updated credentials down to the guest cluster and kubelet config. TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes.
@@ -8967,10 +8968,11 @@ Kubernetes core/v1.LocalObjectReferencepullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. TODO(alberto): Signal this in a condition. -This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster -and it will be injected into the container runtime of all NodePools. -Changing this value will trigger a rollout for all existing NodePools in the cluster. -Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. +This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. +Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). +Updating the referenced Secret’s data in place (without changing this reference) does not trigger that rollout. +In AWS and Azure NodePools using the Replace upgrade strategy, the Secret’s data in place changes +will still propagate the updated credentials down to the guest cluster and kubelet config. TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes.
diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go index d99f765f090..2a6a7d84fca 100644 --- a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go +++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go @@ -674,10 +674,11 @@ type HostedClusterSpec struct { // pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. // If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. // TODO(alberto): Signal this in a condition. - // This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - // and it will be injected into the container runtime of all NodePools. - // Changing this value will trigger a rollout for all existing NodePools in the cluster. - // Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + // This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + // Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + // Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + // In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + // will still propagate the updated credentials down to the guest cluster and kubelet config. // +required // +rollout // TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes.