targetconfigcontroller: make sure extension-apiserver-authentication has necessary annotations

vrutkovs · vrutkovs · commit 35fa6938c4f6 · 2025-08-28T12:18:36.000+02:00
configmap kube-system/extension-apiserver-authentication is created by kube-apiserver, but it
doesn't have ownership metadata. This commit updates target config controller to set necessary
metadata (ownership and description)
diff --git a/bindata/assets/kube-apiserver/extension-apiserver-authentication-cm.yaml b/bindata/assets/kube-apiserver/extension-apiserver-authentication-cm.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: extension-apiserver-authentication
+  namespace: kube-system
+  annotations:
+    "openshift.io/owning-component": "kube-apiserver"
+    "openshift.io/description": "CA holding the root certificate bundle to use to verify client certificates on incoming requests"
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"reflect"
 	"sort"
 	"strconv"
 	"strings"
@@ -237,6 +238,11 @@ func createTargetConfig(ctx context.Context, c TargetConfigController, recorder
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/trusted-ca-bundle", err))
 	}
 
+	err = ensureKubeAPIServerExtensionAuthenticationCA(ctx, c.kubeClient.CoreV1(), recorder)
+	if err != nil {
+		errors = append(errors, fmt.Errorf("%q: %v", "configmap/extension-apiserver-authentication", err))
+	}
+
 	err = ensureLocalhostRecoverySAToken(ctx, c.kubeClient.CoreV1(), recorder)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "serviceaccount/localhost-recovery-client", err))
@@ -507,6 +513,25 @@ func ensureKubeAPIServerTrustedCA(ctx context.Context, client coreclientv1.CoreV
 	return err
 }
 
+func ensureKubeAPIServerExtensionAuthenticationCA(ctx context.Context, client coreclientv1.CoreV1Interface, recorder events.Recorder) error {
+	required := resourceread.ReadConfigMapV1OrDie(bindata.MustAsset("assets/kube-apiserver/extension-apiserver-authentication-cm.yaml"))
+	cmCLient := client.ConfigMaps("kube-system")
+
+	cm, err := cmCLient.Get(ctx, "extension-apiserver-authentication", metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	// update if annotations modified by the user
+	if !reflect.DeepEqual(cm.Annotations, required.Annotations) {
+		cm.Annotations = required.Annotations
+		_, err = cmCLient.Update(ctx, cm, metav1.UpdateOptions{})
+		return err
+	}
+
+	return err
+}
+
 func ensureLocalhostRecoverySAToken(ctx context.Context, client coreclientv1.CoreV1Interface, recorder events.Recorder) error {
 	requiredSA := resourceread.ReadServiceAccountV1OrDie(bindata.MustAsset("assets/kube-apiserver/localhost-recovery-sa.yaml"))
 	requiredToken := resourceread.ReadSecretV1OrDie(bindata.MustAsset("assets/kube-apiserver/localhost-recovery-token.yaml"))
