operator: add admin_ack handling

Author: djoshy

cmd/machine-config-operator/start.go

@@ -97,6 +97,7 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 			ctrlctx.KubeNamespacedInformerFactory.Core().V1().Secrets(),
 			ctrlctx.OpenShiftConfigKubeNamespacedInformerFactory.Core().V1().Secrets(),
 			ctrlctx.OpenShiftConfigManagedKubeNamespacedInformerFactory.Core().V1().Secrets(),
+			ctrlctx.OpenShiftConfigManagedKubeNamespacedInformerFactory.Core().V1().ConfigMaps(),
 			ctrlctx.ConfigInformerFactory.Config().V1().ClusterOperators(),
 			ctrlctx.ClientBuilder.OperatorClientOrDie(componentName),
 			ctrlctx.OperatorInformerFactory.Operator().V1().MachineConfigurations(),

pkg/operator/admin_ack.go

@@ -0,0 +1,87 @@
+package operator
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	configv1 "github.com/openshift/api/config/v1"
+	ctrlcommon "github.com/openshift/machine-config-operator/pkg/controller/common"
+
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/klog/v2"
+)
+
+const (
+	BootImageAWSGCPKey = "ack-4.18-boot-image-opt-out-in-4.19"
+	BootImageAWSGCPMsg = "GCP or AWS platform detected with no boot image configuration detected. OCP will automatically opt-in all GCP and AWS clusters that currently do not a boot image configuration in 4.19. Please add a configuration to disable boot image updates if this is not desired. See [insert-doc-link] "
+
+	AdminAckConfigMapName = "admin-gates"
+)
+
+// Syncs the admin-ack configmap in the openshift-config-managed namespace, and adds MCO specific keys if needed.
+func (optr *Operator) syncAdminAckConfigMap() error {
+	cm, err := optr.ocManagedConfigMapLister.ConfigMaps(ctrlcommon.OpenshiftConfigManagedNamespace).Get(AdminAckConfigMapName)
+	if err != nil {
+		return fmt.Errorf("error fetching configmap %s during sync", AdminAckConfigMapName)
+	}
+
+	_, bootImageAWSGCPKeyExists := cm.Data[BootImageAWSGCPKey]
+
+	bootImageAWSGCPAdminGuardNeeded, err := optr.checkAWSGCPBootImageGuard()
+	if err != nil {
+		return fmt.Errorf("error determining aws/gcp boot image guard %s during configmap %s sync", AdminAckConfigMapName)
+	}
+
+	// If guard is needed and key doesn't exist => create it
+	// If guard is needed and key exists => nothing to do
+	// If guard is not needed and key exists => delete it
+	// If guard is not needed and key doesn't exist => nothing to do
+
+	newCM := cm.DeepCopy()
+
+	// Evaluate AWS/GCP boot image guards
+	if bootImageAWSGCPAdminGuardNeeded && !bootImageAWSGCPKeyExists {
+		newCM.Data[BootImageAWSGCPKey] = BootImageAWSGCPMsg
+	}
+
+	if !bootImageAWSGCPAdminGuardNeeded && bootImageAWSGCPKeyExists {
+		delete(newCM.Data, BootImageAWSGCPKey)
+	}
+
+	// TODO: Evaluate aarch64 guards
+
+	// Only send an API request if an update is needed
+	if !reflect.DeepEqual(cm.Data, newCM.Data) {
+		_, err = optr.kubeClient.CoreV1().ConfigMaps(ctrlcommon.OpenshiftConfigManagedNamespace).Update(context.TODO(), newCM, v1.UpdateOptions{})
+		return err
+	}
+
+	return nil
+}
+
+// Checks if AWS & GCP Boot Image admin guard is needed
+func (optr *Operator) checkAWSGCPBootImageGuard() (bool, error) {
+
+	// First, check if the cluster is on AWS or GCP platform.
+	infra, err := optr.infraLister.Get("cluster")
+	if err != nil {
+		klog.Errorf("Could not get infra: %v", err)
+		return false, err
+	}
+	platforms := sets.New(configv1.GCPPlatformType, configv1.AWSPlatformType)
+	if platforms.Has(infra.Status.PlatformStatus.Type) {
+		return false, nil
+	}
+
+	// Next, check if there is any boot image configuration.
+	mcop, err := optr.mcopLister.Get(ctrlcommon.MCOOperatorKnobsObjectName)
+	if err != nil {
+		klog.Errorf("Could not get MachineConfiguration object: %v", err)
+		return false, err
+	}
+
+	// If no machine managers exist, no configuration has been defined
+	return mcop.Spec.ManagedBootImages.MachineManagers == nil, nil
+}

pkg/operator/operator.go

@@ -81,33 +81,34 @@ type Operator struct {
 
 	syncHandler func(ic string) error
 
-	imgLister             configlistersv1.ImageLister
-	crdLister             apiextlistersv1.CustomResourceDefinitionLister
-	mcpLister             mcfglistersv1.MachineConfigPoolLister
-	msLister              mcfglistersalphav1.MachineConfigNodeLister
-	ccLister              mcfglistersv1.ControllerConfigLister
-	mcLister              mcfglistersv1.MachineConfigLister
-	deployLister          appslisterv1.DeploymentLister
-	daemonsetLister       appslisterv1.DaemonSetLister
-	infraLister           configlistersv1.InfrastructureLister
-	networkLister         configlistersv1.NetworkLister
-	mcoCmLister           corelisterv1.ConfigMapLister
-	clusterCmLister       corelisterv1.ConfigMapLister
-	proxyLister           configlistersv1.ProxyLister
-	oseKubeAPILister      corelisterv1.ConfigMapLister
-	nodeLister            corelisterv1.NodeLister
-	dnsLister             configlistersv1.DNSLister
-	mcoSALister           corelisterv1.ServiceAccountLister
-	mcoSecretLister       corelisterv1.SecretLister
-	ocSecretLister        corelisterv1.SecretLister
-	ocManagedSecretLister corelisterv1.SecretLister
-	clusterOperatorLister configlistersv1.ClusterOperatorLister
-	mcopLister            mcoplistersv1.MachineConfigurationLister
-	mckLister             mcfglistersv1.KubeletConfigLister
-	crcLister             mcfglistersv1.ContainerRuntimeConfigLister
-	nodeClusterLister     configlistersv1.NodeLister
-	moscLister            mcfglistersalphav1.MachineOSConfigLister
-	apiserverLister       configlistersv1.APIServerLister
+	imgLister                configlistersv1.ImageLister
+	crdLister                apiextlistersv1.CustomResourceDefinitionLister
+	mcpLister                mcfglistersv1.MachineConfigPoolLister
+	msLister                 mcfglistersalphav1.MachineConfigNodeLister
+	ccLister                 mcfglistersv1.ControllerConfigLister
+	mcLister                 mcfglistersv1.MachineConfigLister
+	deployLister             appslisterv1.DeploymentLister
+	daemonsetLister          appslisterv1.DaemonSetLister
+	infraLister              configlistersv1.InfrastructureLister
+	networkLister            configlistersv1.NetworkLister
+	mcoCmLister              corelisterv1.ConfigMapLister
+	clusterCmLister          corelisterv1.ConfigMapLister
+	proxyLister              configlistersv1.ProxyLister
+	oseKubeAPILister         corelisterv1.ConfigMapLister
+	nodeLister               corelisterv1.NodeLister
+	dnsLister                configlistersv1.DNSLister
+	mcoSALister              corelisterv1.ServiceAccountLister
+	mcoSecretLister          corelisterv1.SecretLister
+	ocSecretLister           corelisterv1.SecretLister
+	ocManagedSecretLister    corelisterv1.SecretLister
+	ocManagedConfigMapLister corelisterv1.ConfigMapLister
+	clusterOperatorLister    configlistersv1.ClusterOperatorLister
+	mcopLister               mcoplistersv1.MachineConfigurationLister
+	mckLister                mcfglistersv1.KubeletConfigLister
+	crcLister                mcfglistersv1.ContainerRuntimeConfigLister
+	nodeClusterLister        configlistersv1.NodeLister
+	moscLister               mcfglistersalphav1.MachineOSConfigLister
+	apiserverLister          configlistersv1.APIServerLister
 
 	crdListerSynced                  cache.InformerSynced
 	deployListerSynced               cache.InformerSynced
@@ -132,6 +133,7 @@ type Operator struct {
 	mcoSecretListerSynced            cache.InformerSynced
 	ocSecretListerSynced             cache.InformerSynced
 	ocManagedSecretListerSynced      cache.InformerSynced
+	ocManagedConfigMapListerSynced   cache.InformerSynced
 	clusterOperatorListerSynced      cache.InformerSynced
 	mcopListerSynced                 cache.InformerSynced
 	mckListerSynced                  cache.InformerSynced
@@ -182,6 +184,7 @@ func New(
 	mcoSecretInformer coreinformersv1.SecretInformer,
 	ocSecretInformer coreinformersv1.SecretInformer,
 	ocManagedSecretInformer coreinformersv1.SecretInformer,
+	ocManagedConfigMapInformer coreinformersv1.ConfigMapInformer,
 	clusterOperatorInformer configinformersv1.ClusterOperatorInformer,
 	mcopClient mcopclientset.Interface,
 	mcopInformer mcopinformersv1.MachineConfigurationInformer,
@@ -252,6 +255,7 @@ func New(
 		mcoSecretInformer.Informer(),
 		ocSecretInformer.Informer(),
 		ocManagedSecretInformer.Informer(),
+		ocManagedConfigMapInformer.Informer(),
 		mcopInformer.Informer(),
 		mckInformer.Informer(),
 		crcInformer.Informer(),
@@ -310,6 +314,8 @@ func New(
 	optr.ocSecretListerSynced = ocSecretInformer.Informer().HasSynced
 	optr.ocManagedSecretLister = ocManagedSecretInformer.Lister()
 	optr.ocManagedSecretListerSynced = ocManagedSecretInformer.Informer().HasSynced
+	optr.ocManagedConfigMapLister = ocManagedConfigMapInformer.Lister()
+	optr.ocManagedConfigMapListerSynced = ocManagedConfigMapInformer.Informer().HasSynced
 	optr.clusterOperatorLister = clusterOperatorInformer.Lister()
 	optr.clusterOperatorListerSynced = clusterOperatorInformer.Informer().HasSynced
 	optr.mcopLister = mcopInformer.Lister()
@@ -366,6 +372,7 @@ func (optr *Operator) Run(workers int, stopCh <-chan struct{}) {
 		optr.mcoSecretListerSynced,
 		optr.ocSecretListerSynced,
 		optr.ocManagedSecretListerSynced,
+		optr.ocManagedConfigMapListerSynced,
 		optr.clusterOperatorListerSynced,
 		optr.mcopListerSynced,
 		optr.mckListerSynced,

pkg/operator/sync.go

@@ -235,6 +235,10 @@ func (optr *Operator) syncAll(syncFuncs []syncFunc) error {
 		return fmt.Errorf("error syncing metrics: %w", err)
 	}
 
+	if err := optr.syncAdminAckConfigMap(); err != nil {
+		return fmt.Errorf("error syncing admin ack configmap: %w", err)
+	}
+
 	if optr.inClusterBringup && syncErr.err == nil {
 		klog.Infof("Initialization complete")
 		optr.inClusterBringup = false