targetconfigcontroller: make sure extension-apiserver-authentication has necessary annotations

vrutkovs · vrutkovs · commit e22fa30323d5 · 2025-09-01T12:32:31.000+02:00
configmap kube-system/extension-apiserver-authentication is created by kube-apiserver, but it
doesn't have ownership metadata. This commit updates target config controller to set necessary
metadata (ownership and description)
diff --git a/bindata/assets/kube-apiserver/extension-apiserver-authentication-cm.yaml b/bindata/assets/kube-apiserver/extension-apiserver-authentication-cm.yaml
@@ -0,0 +1,12 @@
+# NOTE: This asset defines the required annotations for the live
+# kube-system/extension-apiserver-authentication ConfigMap. It is not
+# applied directly; the operator reads these annotations and reconciles
+# them on the existing ConfigMap created by kube-apiserver.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: extension-apiserver-authentication
+  namespace: kube-system
+  annotations:
+    "openshift.io/owning-component": "kube-apiserver"
+    "openshift.io/description": "CA holding the root certificate bundle used to verify client certificates on incoming requests"
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -237,6 +237,11 @@ func createTargetConfig(ctx context.Context, c TargetConfigController, recorder
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/trusted-ca-bundle", err))
 	}
 
+	err = ensureKubeAPIServerExtensionAuthenticationCA(ctx, c.kubeClient.CoreV1(), recorder)
+	if err != nil {
+		errors = append(errors, fmt.Errorf("%q: %v", "configmap/extension-apiserver-authentication", err))
+	}
+
 	err = ensureLocalhostRecoverySAToken(ctx, c.kubeClient.CoreV1(), recorder)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "serviceaccount/localhost-recovery-client", err))
@@ -507,6 +512,39 @@ func ensureKubeAPIServerTrustedCA(ctx context.Context, client coreclientv1.CoreV
 	return err
 }
 
+func ensureKubeAPIServerExtensionAuthenticationCA(ctx context.Context, client coreclientv1.CoreV1Interface, recorder events.Recorder) error {
+	required := resourceread.ReadConfigMapV1OrDie(bindata.MustAsset("assets/kube-apiserver/extension-apiserver-authentication-cm.yaml"))
+	cmClient := client.ConfigMaps("kube-system")
+
+	cm, err := cmClient.Get(ctx, "extension-apiserver-authentication", metav1.GetOptions{})
+	if err != nil {
+		// kube-apiserver creates this CM; don't degrade while waiting.
+		return nil
+	}
+
+	// Ensure that the config map is updated with the required annotations
+	modified := false
+	if cm.Annotations == nil {
+		cm.Annotations = make(map[string]string)
+	}
+
+	for key, expected := range required.Annotations {
+		if actual, ok := cm.Annotations[key]; !ok || actual != expected {
+			cm.Annotations[key] = expected
+			modified = true
+		}
+	}
+
+	if modified {
+		if _, err := cmClient.Update(ctx, cm, metav1.UpdateOptions{}); err != nil {
+			recorder.Warningf("AnnotationUpdateFailed", "Failed to update annotations on configmap kube-system/extension-apiserver-authentication: %v", err)
+		}
+		return nil
+	}
+
+	return nil
+}
+
 func ensureLocalhostRecoverySAToken(ctx context.Context, client coreclientv1.CoreV1Interface, recorder events.Recorder) error {
 	requiredSA := resourceread.ReadServiceAccountV1OrDie(bindata.MustAsset("assets/kube-apiserver/localhost-recovery-sa.yaml"))
 	requiredToken := resourceread.ReadSecretV1OrDie(bindata.MustAsset("assets/kube-apiserver/localhost-recovery-token.yaml"))
