Bug 1912888: Add recycler pod template as a ConfigMap

bindata/v4.1.0/config/defaultconfig.yaml

@@ -11,10 +11,10 @@ extendedArguments:
   - "true"
   flex-volume-plugin-dir:
   - "/etc/kubernetes/kubelet-plugins/volume/exec" # created by machine-config-operator, owned by storage team/hekumar@redhat.com
-  pv-recycler-pod-template-filepath-nfs:
-  - "/etc/kubernetes/manifests/recycler-pod.yaml" # created by machine-config-operator, owned by storage team/fbertina@redhat.com
-  pv-recycler-pod-template-filepath-hostpath:
-  - "/etc/kubernetes/manifests/recycler-pod.yaml" # created by machine-config-operator, owned by storage team/fbertina@redhat.com
+  pv-recycler-pod-template-filepath-nfs: # owned by storage team/fbertina@redhat.com
+  - "/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"
+  pv-recycler-pod-template-filepath-hostpath: # owned by storage team/fbertina@redhat.com
+  - "/etc/kubernetes/static-pod-resources/configmaps/recycler-config/recycler-pod.yaml"
   leader-elect:
   - "true"
   leader-elect-retry-period:

bindata/v4.1.0/kube-controller-manager/pod.yaml

@@ -38,8 +38,6 @@ spec:
     ports:
       - containerPort: 10257
     volumeMounts:
-    - mountPath: /etc/kubernetes/manifests
-      name: manifests-dir # Used in the KubeControllerManagerConfig to pass in recycler pod templates
     - mountPath: /etc/kubernetes/static-pod-resources
       name: resource-dir
     - mountPath: /etc/kubernetes/static-pod-certs
@@ -163,9 +161,6 @@ spec:
   tolerations:
   - operator: "Exists"
   volumes:
-  - hostPath:
-      path: /etc/kubernetes/manifests
-    name: manifests-dir
   - hostPath:
       path: /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-REVISION
     name: resource-dir

bindata/v4.1.0/kube-controller-manager/recycler-cm.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-kube-controller-manager
+  name: recycler-config
+data:
+  recycler-pod.yaml: |
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: recycler-pod
+      namespace: openshift-infra
+    spec:
+      activeDeadlineSeconds: 60
+      restartPolicy: Never
+      serviceAccountName: pv-recycler-controller
+      containers:
+        - name: recycler-container
+          image: "${TOOLS_IMAGE}"
+          command:
+          - "/bin/bash"
+          args:
+          - "-c"
+          - "test -e /scrub && rm -rf /scrub/..?* /scrub/.[!.]* /scrub/*  && test -z \"$(ls -A /scrub)\" || exit 1"
+          volumeMounts:
+            - mountPath: /scrub
+              name: vol
+          securityContext:
+            runAsUser: 0
+      volumes:
+        - name: vol

manifests/0000_25_kube-controller-manager-operator_06_deployment.yaml

@@ -49,6 +49,8 @@ spec:
           value: docker.io/openshift/origin-cluster-kube-controller-manager-operator:v4.0
         - name: CLUSTER_POLICY_CONTROLLER_IMAGE
           value: quay.io/openshift/origin-cluster-policy-controller:v4.3
+        - name: TOOLS_IMAGE
+          value: quay.io/openshift/origin-tools:latest
         - name: OPERATOR_IMAGE_VERSION
           value: "0.0.1-snapshot"
         - name: OPERAND_IMAGE_VERSION

manifests/image-references

@@ -14,3 +14,7 @@ spec:
     from:
       kind: DockerImage
       name: quay.io/openshift/origin-cluster-policy-controller:v4.3
+  - name: tools # owned by storage team/fbertina@redhat.com
+    from:
+      kind: DockerImage
+      name: quay.io/openshift/origin-tools:latest

pkg/operator/starter.go

@@ -104,6 +104,7 @@ func RunOperator(ctx context.Context, cc *controllercmd.ControllerContext) error
 		os.Getenv("IMAGE"),
 		os.Getenv("OPERATOR_IMAGE"),
 		os.Getenv("CLUSTER_POLICY_CONTROLLER_IMAGE"),
+		os.Getenv("TOOLS_IMAGE"),
 		kubeInformersForNamespaces,
 		operatorClient,
 		kubeClient,
@@ -218,6 +219,7 @@ var deploymentConfigMaps = []revision.RevisionResource{
 	{Name: "kube-controller-cert-syncer-kubeconfig"},
 	{Name: "serviceaccount-ca"},
 	{Name: "service-ca"},
+	{Name: "recycler-config"},
 }
 
 // deploymentSecrets is a list of secrets that are directly copied for the current values.  A different actor/controller modifies these.

pkg/operator/targetconfigcontroller/targetconfigcontroller.go

@@ -53,6 +53,7 @@ type TargetConfigController struct {
 	targetImagePullSpec             string
 	operatorImagePullSpec           string
 	clusterPolicyControllerPullSpec string
+	toolsImagePullSpec              string
 
 	operatorClient v1helpers.StaticPodOperatorClient
 
@@ -68,7 +69,7 @@ type TargetConfigController struct {
 
 func NewTargetConfigController(
 	ctx context.Context,
-	targetImagePullSpec, operatorImagePullSpec, clusterPolicyControllerPullSpec string,
+	targetImagePullSpec, operatorImagePullSpec, clusterPolicyControllerPullSpec, toolsImagePullSpec string,
 	kubeInformersForNamespaces v1helpers.KubeInformersForNamespaces,
 	operatorClient v1helpers.StaticPodOperatorClient,
 	kubeClient kubernetes.Interface,
@@ -80,6 +81,7 @@ func NewTargetConfigController(
 		targetImagePullSpec:             targetImagePullSpec,
 		operatorImagePullSpec:           operatorImagePullSpec,
 		clusterPolicyControllerPullSpec: clusterPolicyControllerPullSpec,
+		toolsImagePullSpec:              toolsImagePullSpec,
 
 		configMapLister:     kubeInformersForNamespaces.ConfigMapLister(),
 		secretLister:        kubeInformersForNamespaces.SecretLister(),
@@ -196,6 +198,10 @@ func createTargetConfigController(ctx context.Context, c TargetConfigController,
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/cluster-policy-controller-config", err))
 	}
+	_, _, err = manageRecycler(ctx, c.kubeClient.CoreV1(), recorder, c.toolsImagePullSpec)
+	if err != nil {
+		errors = append(errors, fmt.Errorf("%q: %v", "configmap/recycler-config", err))
+	}
 	_, _, err = ManageCSRIntermediateCABundle(ctx, c.secretLister, c.kubeClient.CoreV1(), recorder)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/csr-intermediate-ca", err))
@@ -404,6 +410,19 @@ func manageControllerManagerKubeconfig(ctx context.Context, client corev1client.
 	return resourceapply.ApplyConfigMap(client, recorder, requiredCM)
 }
 
+// manageRecycler applies a ConfigMap containing the recycler config.
+// Owned by storage team/fbertina@redhat.com.
+func manageRecycler(ctx context.Context, configMapsGetter corev1client.ConfigMapsGetter, recorder events.Recorder, imagePullSpec string) (*corev1.ConfigMap, bool, error) {
+	cmString := string(v411_00_assets.MustAsset("v4.1.0/kube-controller-manager/recycler-cm.yaml"))
+	for pattern, value := range map[string]string{
+		"${TOOLS_IMAGE}": imagePullSpec,
+	} {
+		cmString = strings.ReplaceAll(cmString, pattern, value)
+	}
+	requiredCM := resourceread.ReadConfigMapV1OrDie([]byte(cmString))
+	return resourceapply.ApplyConfigMap(configMapsGetter, recorder, requiredCM)
+}
+
 func managePod(ctx context.Context, configMapsGetter corev1client.ConfigMapsGetter, secretsGetter corev1client.SecretsGetter, recorder events.Recorder, operatorSpec *operatorv1.StaticPodOperatorSpec, imagePullSpec, operatorImagePullSpec, clusterPolicyControllerPullSpec string, addServingServiceCAToTokenSecrets bool) (*corev1.ConfigMap, bool, error) {
 	required := resourceread.ReadPodV1OrDie(v411_00_assets.MustAsset("v4.1.0/kube-controller-manager/pod.yaml"))
 	// TODO: If the image pull spec is not specified, the "${IMAGE}" will be used as value and the pod will fail to start.