targetconfigcontroller: make sure extension-apiserver-authentication has necessary annotations

vrutkovs · vrutkovs · commit a836b12deff3 · 2025-08-28T13:28:30.000+02:00
configmap kube-system/extension-apiserver-authentication is created by kube-apiserver, but it
doesn't have ownership metadata. This commit updates target config controller to set necessary
metadata (ownership and description)
diff --git a/bindata/assets/kube-apiserver/extension-apiserver-authentication-cm.yaml b/bindata/assets/kube-apiserver/extension-apiserver-authentication-cm.yaml
@@ -0,0 +1,12 @@
+# NOTE: This asset defines the required annotations for the live
+# kube-system/extension-apiserver-authentication ConfigMap. It is not
+# applied directly; the operator reads these annotations and reconciles
+# them on the existing ConfigMap created by kube-apiserver.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: extension-apiserver-authentication
+  namespace: kube-system
+  annotations:
+    "openshift.io/owning-component": "kube-apiserver"
+    "openshift.io/description": "CA holding the root certificate bundle used to verify client certificates on incoming requests"
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -237,6 +237,11 @@ func createTargetConfig(ctx context.Context, c TargetConfigController, recorder
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/trusted-ca-bundle", err))
 	}
 
+	err = ensureKubeAPIServerExtensionAuthenticationCA(ctx, c.kubeClient.CoreV1(), recorder)
+	if err != nil {
+		errors = append(errors, fmt.Errorf("%q: %v", "configmap/extension-apiserver-authentication", err))
+	}
+
 	err = ensureLocalhostRecoverySAToken(ctx, c.kubeClient.CoreV1(), recorder)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "serviceaccount/localhost-recovery-client", err))
@@ -507,6 +512,37 @@ func ensureKubeAPIServerTrustedCA(ctx context.Context, client coreclientv1.CoreV
 	return err
 }
 
+func ensureKubeAPIServerExtensionAuthenticationCA(ctx context.Context, client coreclientv1.CoreV1Interface, recorder events.Recorder) error {
+	required := resourceread.ReadConfigMapV1OrDie(bindata.MustAsset("assets/kube-apiserver/extension-apiserver-authentication-cm.yaml"))
+	cmCLient := client.ConfigMaps("kube-system")
+
+	cm, err := cmCLient.Get(ctx, "extension-apiserver-authentication", metav1.GetOptions{})
+	if err != nil {
+		// kube-apiserver creates this CM; don't degrade while waiting.
+		if apierrors.IsNotFound(err) {
+			return nil
+		}
+		return err
+	}
+
+	// Ensure that the config map is updated with the required annotations
+	modified := false
+	for key, value := range required.Annotations {
+		if cm.Annotations[key] != value {
+			cm.Annotations[key] = value
+			modified = true
+		}
+	}
+
+	if modified {
+		updatedCM, err := cmCLient.Update(ctx, cm, metav1.UpdateOptions{})
+		resourcehelper.ReportUpdateEvent(recorder, updatedCM, err)
+		return err
+	}
+
+	return err
+}
+
 func ensureLocalhostRecoverySAToken(ctx context.Context, client coreclientv1.CoreV1Interface, recorder events.Recorder) error {
 	requiredSA := resourceread.ReadServiceAccountV1OrDie(bindata.MustAsset("assets/kube-apiserver/localhost-recovery-sa.yaml"))
 	requiredToken := resourceread.ReadSecretV1OrDie(bindata.MustAsset("assets/kube-apiserver/localhost-recovery-token.yaml"))
