mirror of
https://github.com/open-cluster-management-io/ocm.git
synced 2026-02-14 18:09:57 +00:00
1b40e72e0b
Some checks failed
Scorecard supply-chain security / Scorecard analysis (push) Failing after 14s
Post / images (amd64, addon-manager) (push) Failing after 7m59s
Post / coverage (push) Failing after 8m58s
Post / images (amd64, registration) (push) Failing after 52s
Post / images (amd64, registration-operator) (push) Failing after 50s
Post / images (amd64, work) (push) Failing after 48s
Post / images (arm64, placement) (push) Failing after 48s
Post / images (arm64, registration) (push) Failing after 47s
Post / images (arm64, registration-operator) (push) Failing after 46s
Post / images (arm64, work) (push) Failing after 45s
Post / images (amd64, placement) (push) Failing after 7m34s
Post / images (arm64, addon-manager) (push) Failing after 9m56s
Post / image manifest (addon-manager) (push) Has been skipped
Post / image manifest (placement) (push) Has been skipped
Post / image manifest (registration) (push) Has been skipped
Post / image manifest (registration-operator) (push) Has been skipped
Post / image manifest (work) (push) Has been skipped
Post / trigger clusteradm e2e (push) Has been skipped
Close stale issues and PRs / stale (push) Successful in 1m3s
The cluster manager controller was silently using a literal "placeholder" string as the CA bundle when the ca-bundle-configmap ConfigMap didn't exist yet. This caused CRDs to be created with an invalid caBundle field (cGxhY2Vob2xkZXI= which is base64 of "placeholder"), resulting in: 1. CRD conversion webhooks failing with "InvalidCABundle" error 2. CRDs not becoming Established 3. API endpoints not being registered 4. Dependent components (like MultiClusterHub) failing with: "no matches for kind ClusterManagementAddOn" The bug was a race condition between the cert rotation controller (which creates the ca-bundle-configmap) and the cluster manager controller (which reads it). When the ConfigMap was not found, the code did "// do nothing" and silently continued with the placeholder value. This fix: 1. Creates the hub namespace FIRST (before waiting for the CA bundle) to allow the cert rotation controller to create the ca-bundle-configmap 2. Then waits for the CA bundle ConfigMap to exist before proceeding 3. Requeues via AddAfter if the ConfigMap is not found, allowing the controller to gracefully retry until the cert rotation controller has created it This ensures CRDs are always created with valid CA bundles while avoiding the deadlock where clusterManagerController waited for CA bundle but certRotationController needed the namespace first. Changes based on review feedback: - Use requeue (AddAfter) instead of returning error (@elgnay) - Use contextual logging instead of klog.V(4).Infof (@qiujian16) The issue was discovered in OpenShift CI Prow jobs for ZTP hub deployment: - https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-kni-eco-ci-cd-ztp-left-shifting-kpi-ci-4.21-telcov10n-virtualised-single-node-hub-ztp/2005051399989104640 - https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-kni-eco-ci-cd-ztp-left-shifting-kpi-ci-4.21-telcov10n-virtualised-single-node-hub-ztp/2005219283428184064 Affected versions: ACM 2.16.0-113/114, MCE 2.11.0-142/143 on OCP 4.21.0-rc.0 Signed-off-by: Carlos Cardenosa <ccardeno@redhat.com> Co-authored-by: Claude <noreply@anthropic.com>