diff --git a/api/hypershift/v1beta1/hostedcluster_types.go b/api/hypershift/v1beta1/hostedcluster_types.go
index a9bdf6a4eab..58989453f97 100644
--- a/api/hypershift/v1beta1/hostedcluster_types.go
+++ b/api/hypershift/v1beta1/hostedcluster_types.go
@@ -652,10 +652,11 @@ type HostedClusterSpec struct {
 // pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON.
 // If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state.
 // TODO(alberto): Signal this in a condition.
- // This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster
- // and it will be injected into the container runtime of all NodePools.
- // Changing this value will trigger a rollout for all existing NodePools in the cluster.
- // Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour.
+ // This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision.
+ // Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types).
+ // Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout.
+ // In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes
+ // will still propagate the updated credentials down to the guest cluster and kubelet config.
 // +required
 // +rollout
 // TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes.
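Review bot: The new wording leaves the reader with no statement about what an in-place data update means for NodePools outside the AWS/Azure Replace case (other platforms, or the InPlace upgrade type), which is exactly what someone rotating a revoked or expiring pull secret needs to know: whether already-provisioned nodes keep the stale credentials until the next rollout. If that is the behaviour, say it in one line after the last sentence, e.g. `// For other platforms or upgrade types, existing nodes keep the previously provisioned credentials until a rollout is triggered.`; if it is not known, keep a hedge like the dropped "might result in unpredictable behaviour" rather than staying silent. The last two added lines also read awkwardly; `// In AWS and Azure NodePools using the Replace upgrade strategy, in-place changes to the Secret's data` scans better. The same text is mirrored into the generated CRD manifests in this commit, so they need regenerating after any rewording. HostedClusterSpec continues outside the hunk.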
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml index 67d4c67aa1b..64889f1e464 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml @@ -5359,10 +5359,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml index 6f97b3457f9..78b57c4f29c 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml @@ -5389,10 +5389,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml index 0a323bb4efe..fc2eebcd3d0 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml @@ -5362,10 +5362,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml index 6754575c6eb..449110612b0 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml @@ -5699,10 +5699,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml index 2d921aefee1..d80f4eda886 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml @@ -5853,10 +5853,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml index 22364d504b0..0fe8dbf2a02 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml @@ -5641,10 +5641,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml index a289044c10f..5c093d885ef 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml @@ -5364,10 +5364,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml index 8367c5054ed..1e6d3ee733c 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml @@ -5360,10 +5360,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml index 0dc3539806f..8ffdae5905d 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml @@ -5418,10 +5418,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml index e4f7780bc9d..a442f548d58 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml @@ -5494,10 +5494,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml index ca527151302..e3042379b22 100644 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml +++ b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml @@ -5893,10 +5893,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml index 9fdbd7f66d0..1fbff107469 100644 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml +++ b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml @@ -7030,10 +7030,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml index a38ac68dfd6..154a4061f57 100644 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml +++ b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml @@ -6042,10 +6042,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml index 6e1abf441e6..957dee17b62 100644 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml +++ b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml @@ -6941,10 +6941,11 @@ spec: description: |- pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. - This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster - and it will be injected into the container runtime of all NodePools. - Changing this value will trigger a rollout for all existing NodePools in the cluster. - Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. + This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. + Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). + Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout. + In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes + will still propagate the updated credentials down to the guest cluster and kubelet config. properties: name: default: "" 
diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup.go b/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup.go
index 8bb8f833082..fa430393ffe 100644
--- a/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup.go
+++ b/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "os"
 
+ "github.com/openshift/hypershift/control-plane-operator/hostedclusterconfigoperator/controllers/resources/manifests"
 "github.com/openshift/hypershift/control-plane-operator/hostedclusterconfigoperator/operator"
 
 corev1 "k8s.io/api/core/v1"
@@ -15,14 +16,12 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/controller"
 "sigs.k8s.io/controller-runtime/pkg/handler"
 "sigs.k8s.io/controller-runtime/pkg/predicate"
+ "sigs.k8s.io/controller-runtime/pkg/reconcile"
 "sigs.k8s.io/controller-runtime/pkg/source"
 )
 
 func Setup(ctx context.Context, opts *operator.HostedClusterConfigOperatorConfig) error {
- // Create a predicate for the pull-secret
- secretPredicate := predicate.NewPredicateFuncs(func(o crclient.Object) bool {
- return o.GetNamespace() == "kube-system"
- })
+ secretPredicate := predicate.NewPredicateFuncs(kubeSystemSecretPredicateFunc)
 
 // Create a cache for the kube-system namespace
 kubeSystemCache, err := cache.New(opts.Manager.GetConfig(), cache.Options{
@@ -96,5 +95,28 @@ func Setup(ctx context.Context, opts *operator.HostedClusterConfigOperatorConfig
 return fmt.Errorf("failed to watch kube-system secrets: %w", err)
 }
 
+ // Watch the CP namespace pull-secret so in-place updates to HostedCluster.spec.pullSecret
+ // promptly reconcile kube-system/original-pull-secret (and global-pull-secret) in the guest.
+ cpPullSecret := manifests.PullSecret(opts.Namespace)
+ cpPullSecretPredicate := predicate.NewPredicateFuncs(namespacedNamePredicateFunc(cpPullSecret.Namespace, cpPullSecret.Name))
+ cpEventHandler := handler.EnqueueRequestsFromMapFunc(staticReconcileMapper)
+ if err := c.Watch(source.Kind[crclient.Object](opts.CPCluster.GetCache(), &corev1.Secret{}, cpEventHandler, cpPullSecretPredicate)); err != nil {
+ return fmt.Errorf("failed to watch control plane pull secret: %w", err)
+ }
+
 return nil
 }
+
+func kubeSystemSecretPredicateFunc(o crclient.Object) bool {
+ return o.GetNamespace() == "kube-system"
+}
+
+func namespacedNamePredicateFunc(namespace, name string) func(crclient.Object) bool {
+ return func(o crclient.Object) bool {
+ return o.GetNamespace() == namespace && o.GetName() == name
+ }
+}
+
+func staticReconcileMapper(_ context.Context, _ crclient.Object) []reconcile.Request {
+ return []reconcile.Request{{}}
+}
diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup_test.go b/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup_test.go
new file mode 100644
index 00000000000..b471cce2632
--- /dev/null
+++ b/control-plane-operator/hostedclusterconfigoperator/controllers/globalps/setup_test.go
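Review bot: `staticReconcileMapper` enqueues a `reconcile.Request` with an empty NamespacedName, so the new watch is only useful if the reconciler ignores the request key, and that invariant is stated nowhere in the hunk; a comment on the helper such as `// staticReconcileMapper maps every event to one empty Request; the globalps reconciler must not rely on req.NamespacedName.` would make it explicit, and `kubeSystemSecretPredicateFunc` and `namespacedNamePredicateFunc` each deserve a one-line comment as well. The name predicate does not filter no-op updates, so every resync or metadata-only change of the control-plane pull secret re-runs the reconcile; chaining `predicate.ResourceVersionChangedPredicate{}` into the `c.Watch` call would suppress those. I cannot confirm from the hunk that `opts.CPCluster.GetCache()` is scoped to `opts.Namespace`; if it is cluster-wide, the predicate still selects the right object but the cache ends up holding every Secret of the management cluster. Setup's body begins before this hunk.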
@@ -0,0 +1,89 @@
+package globalps
+
+import (
+	"context"
+	"testing"
+
+	. "github.com/onsi/gomega"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func Test_kubeSystemSecretPredicateFunc(t *testing.T) {
+	tests := []struct {
+		name   string
+		object *corev1.Secret
+		want   bool
+	}{
+		{
+			name: "When secret is in kube-system it should return true",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "kube-system", Name: "any-secret"},
+			},
+			want: true,
+		},
+		{
+			name: "When secret is in a different namespace it should return false",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "openshift-config", Name: "pull-secret"},
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			g.Expect(kubeSystemSecretPredicateFunc(tt.object)).To(Equal(tt.want))
+		})
+	}
+}
+
+func Test_namespacedNamePredicateFunc(t *testing.T) {
+	predicate := namespacedNamePredicateFunc("my-hcp-namespace", "pull-secret")
+
+	tests := []struct {
+		name   string
+		object *corev1.Secret
+		want   bool
+	}{
+		{
+			name: "When namespace and name match it should return true",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "my-hcp-namespace", Name: "pull-secret"},
+			},
+			want: true,
+		},
+		{
+			name: "When namespace differs it should return false",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "other-namespace", Name: "pull-secret"},
+			},
+			want: false,
+		},
+		{
+			name: "When name differs it should return false",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "my-hcp-namespace", Name: "other-secret"},
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			g.Expect(predicate(tt.object)).To(Equal(tt.want))
+		})
+	}
+}
+
+func Test_staticReconcileMapper(t *testing.T) {
+	t.Run("When called it should return a single empty reconcile request", func(t *testing.T) {
+		g := NewWithT(t)
+		requests := staticReconcileMapper(context.Background(), &corev1.Secret{})
+		g.Expect(requests).To(HaveLen(1))
+		g.Expect(requests[0].NamespacedName.String()).To(Equal("/"))
+	})
+}
diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
index 783d524fbaf..89125bc6e96 100644
--- a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
+++ b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
@@ -302,9 +302,25 @@ func Setup(ctx context.Context, opts *operator.HostedClusterConfigOperatorConfig
 		return fmt.Errorf("failed to watch ConfigMap: %w", err)
 	}
 
+	// Watch HostedControlPlane namespace pull-secret on the control plane cluster so guest pull secrets
+	// (openshift-config, openshift) reconcile promptly when the hypershift-operator
+	// syncs in-place updates from HostedCluster.spec.pullSecret.
+	// The globalps controller has its own CP pull-secret watch for kube-system/original-pull-secret.
+	cpPullSecret := manifests.PullSecret(opts.Namespace)
+	cpPullSecretPredicate := predicate.NewPredicateFuncs(namespacedNamePredicateFunc(cpPullSecret.Namespace, cpPullSecret.Name))
+	if err := c.Watch(source.Kind[client.Object](opts.CPCluster.GetCache(), &corev1.Secret{}, eventHandler(), cpPullSecretPredicate)); err != nil {
+		return fmt.Errorf("failed to watch control plane pull secret: %w", err)
+	}
+
 	return nil
 }
 
+func namespacedNamePredicateFunc(namespace, name string) func(client.Object) bool {
+	return func(o client.Object) bool {
+		return o.GetNamespace() == namespace && o.GetName() == name
+	}
+}
+
 func (r *reconciler) Reconcile(ctx context.Context, _ ctrl.Request) (ctrl.Result, error) {
 	log := ctrl.LoggerFrom(ctx)
 	log.Info("Reconciling")
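Review bot: `namespacedNamePredicateFunc` here is a verbatim copy of the helper this same commit adds to globalps/setup.go (only the `client` versus `crclient` import alias differs), and the two new test files repeat the same table test. Hoisting it into a shared helper package used by both controllers would keep the two predicates from drifting and leave one test to maintain. The predicate also matches on namespace and name only, so every update to that Secret enqueues a reconcile, including label, annotation or resync-only churn; if that proves noisy, a `predicate.Funcs` whose `UpdateFunc` compares the old and new `.Data` would narrow it to credential changes, which is what the comment says the watch is for. Setup's body begins outside this hunk.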
diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go
index 69ac404af2e..aa33e1afcd7 100644
--- a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go
+++ b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources_test.go
@@ -2555,3 +2555,42 @@ func Test_reconciler_reconcileControlPlaneDataPlaneConnectivityConditions(t *tes
 		})
 	}
 }
+
+func Test_namespacedNamePredicateFunc(t *testing.T) {
+	predicate := namespacedNamePredicateFunc("my-hcp-namespace", "pull-secret")
+
+	tests := []struct {
+		name   string
+		object client.Object
+		want   bool
+	}{
+		{
+			name: "When namespace and name match it should return true",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "my-hcp-namespace", Name: "pull-secret"},
+			},
+			want: true,
+		},
+		{
+			name: "When namespace differs it should return false",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "other-namespace", Name: "pull-secret"},
+			},
+			want: false,
+		},
+		{
+			name: "When name differs it should return false",
+			object: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "my-hcp-namespace", Name: "other-secret"},
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			g.Expect(predicate(tt.object)).To(Equal(tt.want))
+		})
+	}
+}
diff --git a/docs/content/reference/api.md b/docs/content/reference/api.md
index ed2fdc2c4da..2ff670d6e6d 100644
--- a/docs/content/reference/api.md
+++ b/docs/content/reference/api.md
@@ -569,10 +569,11 @@ Kubernetes core/v1.LocalObjectReference
pullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. TODO(alberto): Signal this in a condition. -This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster -and it will be injected into the container runtime of all NodePools. -Changing this value will trigger a rollout for all existing NodePools in the cluster. -Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. +This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. +Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). +Updating the referenced Secret’s data in place (without changing this reference) does not trigger that rollout. +In AWS and Azure NodePools using the Replace upgrade strategy, the Secret’s data in place changes +will still propagate the updated credentials down to the guest cluster and kubelet config. TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes.
@@ -6782,10 +6783,11 @@ Kubernetes core/v1.LocalObjectReferencepullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid Openshift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. TODO(alberto): Signal this in a condition. -This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster -and it will be injected into the container runtime of all NodePools. -Changing this value will trigger a rollout for all existing NodePools in the cluster. -Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour. +This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision. +Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types). +Updating the referenced Secret’s data in place (without changing this reference) does not trigger that rollout. +In AWS and Azure NodePools using the Replace upgrade strategy, the Secret’s data in place changes +will still propagate the updated credentials down to the guest cluster and kubelet config. TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes.
diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go
index a9bdf6a4eab..58989453f97 100644
--- a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go
+++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/hostedcluster_types.go
@@ -652,10 +652,11 @@ type HostedClusterSpec struct {
 	// pullSecret is a local reference to a Secret that must have a ".dockerconfigjson" key whose content must be a valid Openshift pull secret JSON.
 	// If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state.
 	// TODO(alberto): Signal this in a condition.
-	// This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster
-	// and it will be injected into the container runtime of all NodePools.
-	// Changing this value will trigger a rollout for all existing NodePools in the cluster.
-	// Changing the content of the secret inplace will not trigger a rollout and might result in unpredictable behaviour.
+	// This pull secret is included in NodePool ignition/bootstrap payloads and applied to the container runtime when nodes provision.
+	// Changing this value will trigger a rollout for all existing NodePools in the cluster (for both replace and inplace upgrade types).
+	// Updating the referenced Secret's data in place (without changing this reference) does not trigger that rollout.
+	// In AWS and Azure NodePools using the Replace upgrade strategy, the Secret's data in place changes
+	// will still propagate the updated credentials down to the guest cluster and kubelet config.
 	// +required
 	// +rollout
 	// TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes.