OCPBUGS-33600: revert revert and fix for hypershift

pkg/cmd/controller/config.go

@@ -9,7 +9,7 @@ var ControllerInitializers = map[openshiftcontrolplanev1.OpenShiftControllerName
 
 	openshiftcontrolplanev1.OpenShiftDefaultRoleBindingsController: RunDefaultRoleBindingController,
 
-	openshiftcontrolplanev1.OpenShiftServiceAccountPullSecretsController: RunServiceAccountPullSecretsController,
+	openshiftcontrolplanev1.OpenShiftServiceAccountPullSecretsController: RunInternalImageRegistryPullSecretsController,
 	openshiftcontrolplanev1.OpenShiftOriginNamespaceController:           RunOriginNamespaceController,
 
 	openshiftcontrolplanev1.OpenShiftBuilderServiceAccountController: RunBuilderServiceAccountController,

pkg/cmd/controller/imageregistry.go

@@ -0,0 +1,28 @@
+package controller
+
+import "github.com/openshift/openshift-controller-manager/pkg/internalregistry/controllers"
+
+// RunInternalImageRegistryPullSecretsController starts the control loops that manage
+// the image pull secrets for the internal image registry.
+func RunInternalImageRegistryPullSecretsController(ctx *ControllerContext) (bool, error) {
+	kc := ctx.HighRateLimitClientBuilder.ClientOrDie(iInfraServiceAccountPullSecretsControllerServiceAccountName)
+	secrets := ctx.KubernetesInformers.Core().V1().Secrets()
+	serviceAccounts := ctx.KubernetesInformers.Core().V1().ServiceAccounts()
+	services := ctx.KubernetesInformers.Core().V1().Services()
+	additionalRegistryURLs := ctx.OpenshiftControllerConfig.DockerPullSecret.RegistryURLs
+
+	serviceAccountController := controllers.NewServiceAccountController(kc, serviceAccounts, secrets)
+	imagePullSecretController, kids, urls := controllers.NewImagePullSecretController(kc, secrets)
+	keyIDObservationController := controllers.NewKeyIDObservationController(kc, secrets, kids)
+	registryURLObservationController := controllers.NewRegistryURLObservationController(services, additionalRegistryURLs, urls)
+	legacyTokenSecretController := controllers.NewLegacyTokenSecretController(kc, secrets)
+	legacyImagePullSecretController := controllers.NewLegacyImagePullSecretController(kc, secrets)
+
+	go serviceAccountController.Run(ctx.Context, 5)
+	go keyIDObservationController.Run(ctx.Context, 1)
+	go registryURLObservationController.Run(ctx.Context, 1)
+	go imagePullSecretController.Run(ctx.Context, 5)
+	go legacyTokenSecretController.Run(ctx.Context, 5)
+	go legacyImagePullSecretController.Run(ctx.Context, 5)
+	return true, nil
+}

pkg/internalregistry/controllers/annotations.go

@@ -0,0 +1,18 @@
+package controllers
+
+const (
+	// Annotation added to managed image pull secrets to indicate the service account used in the token.
+	InternalRegistryAuthTokenServiceAccountAnnotation = "openshift.io/internal-registry-auth-token.service-account"
+
+	// Annotation added to managed image pull secrets to indicate the service account token's binding type.
+	InternalRegistryAuthTokenTypeAnnotation = "openshift.io/internal-registry-auth-token.binding"
+
+	// Annotation added to service accounts to document the corresponding managed image pull secret.
+	InternalRegistryImagePullSecretRefKey = "openshift.io/internal-registry-pull-secret-ref"
+
+	// Indicates a bound service account token is used for authentication.
+	AuthTokenTypeBound = "bound"
+
+	// Indicates a legacy, long-lived, service account token is used for authentication.
+	AuthTokenTypeLegacy = "legacy"
+)