mirror of
https://github.com/open-cluster-management-io/ocm.git
synced 2026-05-15 13:49:20 +00:00
* Add service-CA certificate support for PlacementDebugServer

  When the PlacementDebugServer feature gate is enabled, inject a serving-cert annotation into the placement service and mount the resulting TLS secret into the debug-server container. On OpenShift, the service-serving-cert controller creates a CA-signed certificate automatically. On non-OpenShift, optional: true allows the pod to start and library-go falls back to self-signed certificates.

  Signed-off-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Rename fields to PlacementAnnotations and PlacementServingCertSecret

  Scope field names to Placement per review feedback, since these are only used for the placement service and extending to other services would require separate fields.

  Signed-off-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Replace OCP annotation with CertRotationController for PlacementDebugServer TLS

  Replaces the OpenShift-specific serving-cert-secret-name annotation with the OCM-native CertRotationController to provision the PlacementDebugServer's TLS serving certificate. Follows the existing GRPC conditional target pattern: the placement-debug-serving-cert target is added/removed based on the PlacementDebugServer feature gate.

  Signed-off-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix misleading error messages and import ordering

  Correct error messages in feature-disabled cleanup paths to accurately state the operation (secret deletion with feature disabled) instead of implying a deleted ClusterManager. Also move ocmfeature import into the open-cluster-management.io group where it belongs.

  Signed-off-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix RBAC and gofmt for PlacementDebugServer cert rotation

  Add placement-debug-serving-cert to the cluster-manager ClusterRole resourceNames allowlist and fix gofmt alignment in two files.

  Root cause of E2E failures: the certRotationController attempts to delete the placement-debug-serving-cert secret when the feature gate is disabled (the default). The operator ClusterRole restricts secret delete/get/update/patch to an explicit resourceNames list. Because placement-debug-serving-cert was not in that list, the delete call returned 403 Forbidden — not 404 NotFound. The error handler in syncOne() only ignores IsNotFound, so 403 caused an early return before the signing CA and ca-bundle-configmap were ever created. The clusterManagerController.sync() blocks at line 312 waiting for ca-bundle-configmap to appear, so ObservedGeneration was never set, and all four E2E suites timed out in BeforeSuite after 150 seconds.

  The gofmt failures were cosmetic: extra alignment spaces in the PlacementDebugServingCertSecret/PlacementDebugService const block and the PlacementDebugServerEnabled/PlacementServingCertSecret struct fields.

  Signed-off-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* retrigger CI

  Signed-off-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>

* retrigger CI

  Signed-off-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>

---------

Signed-off-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>
Co-authored-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
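The 403-versus-404 root cause described in the "Fix RBAC" commit above, as a constructed model added here (not OCM's own code): an RBAC resourceNames allowlist is evaluated before the object's existence, so a cleanup path that tolerates only NotFound aborts the whole reconcile when the secret name is missing from the allowlist. The allowlist contents, the "signer-secret" name and every function are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical error values standing in for apimachinery's NotFound/Forbidden.
var ErrNotFound = errors.New("secret not found")
var ErrForbidden = errors.New("secrets delete forbidden by resourceNames allowlist")

// rbacDelete models the API server: authorization runs before the handler, so a
// name outside the resourceNames allowlist yields Forbidden even if the secret
// does not exist yet. (Constructed model, not a real client.)
func rbacDelete(allowlist, existing map[string]bool, name string) error {
	if !allowlist[name] {
		return ErrForbidden
	}
	if !existing[name] {
		return ErrNotFound
	}
	delete(existing, name)
	return nil
}

// cleanupDisabledFeature deletes the feature's serving-cert secret; like the
// syncOne() handler described in the commit, it ignores only NotFound, so a
// Forbidden error propagates and aborts the reconcile.
func cleanupDisabledFeature(allowlist, existing map[string]bool, secret string) error {
	if err := rbacDelete(allowlist, existing, secret); err != nil && !errors.Is(err, ErrNotFound) {
		return fmt.Errorf("failed to delete secret %q with feature disabled: %w", secret, err)
	}
	return nil
}

// reconcile reports whether the signing CA bundle step was reached; the
// ClusterManager sync waits on that bundle before setting ObservedGeneration.
func reconcile(allowlist, existing map[string]bool, featureEnabled bool) (bool, error) {
	if !featureEnabled {
		if err := cleanupDisabledFeature(allowlist, existing, "placement-debug-serving-cert"); err != nil {
			return false, err
		}
	}
	return true, nil
}

func main() {
	before := map[string]bool{"signer-secret": true} // allowlist missing the new name
	after := map[string]bool{"signer-secret": true, "placement-debug-serving-cert": true}
	_, err := reconcile(before, map[string]bool{}, false)
	fmt.Println("before RBAC fix:", err)
	ok, err := reconcile(after, map[string]bool{}, false)
	fmt.Println("after RBAC fix:", ok, err)
}
```

With the feature gate disabled (the default) and no secret present, the first call fails with a Forbidden error, while the second, with the name added to the allowlist, sees NotFound, ignores it and proceeds to the CA bundle step.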