Merge pull request #3203 from openshift-cherrypick-robot/cherry-pick-3199-to-release-4.18

openshift-merge-bot[bot] · web-flow · commit 7c46544290d7 · 2025-08-28T19:55:30.000Z
[release-4.18]  OCPBUGS-60770: add k8s-cacert to hybrid overlay cmd
diff --git a/pkg/services/services.go b/pkg/services/services.go
@@ -108,6 +108,10 @@ func hybridOverlayConfiguration(vxlanPort string, debug bool) servicescm.Service
 	hybridOverlayServiceCmd := fmt.Sprintf("%s --node NODE_NAME --bootstrap-kubeconfig=%s --cert-dir=%s --cert-duration=24h "+
 		"--windows-service --logfile "+"%s\\hybrid-overlay.log", windows.HybridOverlayPath, windows.KubeconfigPath, windows.CniConfDir,
 		windows.HybridOverlayLogDir)
+
+	// append cacert option pointing to the trusted CA bundle path
+	hybridOverlayServiceCmd = fmt.Sprintf("%s --k8s-cacert %s", hybridOverlayServiceCmd, windows.TrustedCABundlePath)
+
 	if len(vxlanPort) > 0 {
 		hybridOverlayServiceCmd = fmt.Sprintf("%s --hybrid-overlay-vxlan-port %s", hybridOverlayServiceCmd, vxlanPort)
 	}
diff --git a/pkg/services/services_test.go b/pkg/services/services_test.go
@@ -5,6 +5,9 @@ import (
 
 	config "github.com/openshift/api/config/v1"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/openshift/windows-machine-config-operator/pkg/windows"
 )
 
 func TestGetHostnameCmd(t *testing.T) {
@@ -41,3 +44,109 @@ func TestGetHostnameCmd(t *testing.T) {
 		})
 	}
 }
+
+func TestHybridOverlayConfiguration(t *testing.T) {
+	tests := []struct {
+		name                   string
+		vxlanPort              string
+		debug                  bool
+		expectedCmdContains    []string
+		expectedCmdNotContains []string
+	}{
+		{
+			name:      "Basic configuration with no optional flags",
+			vxlanPort: "",
+			debug:     false,
+			expectedCmdContains: []string{
+				windows.HybridOverlayPath,
+				"--node NODE_NAME",
+				"--bootstrap-kubeconfig=" + windows.KubeconfigPath,
+				"--cert-dir=" + windows.CniConfDir,
+				"--cert-duration=24h",
+				"--windows-service",
+				"--logfile",
+				windows.HybridOverlayLogDir + "\\hybrid-overlay.log",
+				"--k8s-cacert " + windows.TrustedCABundlePath,
+			},
+			expectedCmdNotContains: []string{
+				"--hybrid-overlay-vxlan-port",
+				"--loglevel 5",
+			},
+		},
+		{
+			name:      "Configuration with debug logging enabled",
+			vxlanPort: "",
+			debug:     true,
+			expectedCmdContains: []string{
+				windows.HybridOverlayPath,
+				"--node NODE_NAME",
+				"--bootstrap-kubeconfig=" + windows.KubeconfigPath,
+				"--cert-dir=" + windows.CniConfDir,
+				"--cert-duration=24h",
+				"--windows-service",
+				"--logfile",
+				windows.HybridOverlayLogDir + "\\hybrid-overlay.log",
+				"--k8s-cacert " + windows.TrustedCABundlePath,
+				"--loglevel 5",
+			},
+			expectedCmdNotContains: []string{
+				"--hybrid-overlay-vxlan-port",
+			},
+		},
+		{
+			name:      "Configuration with all optional flags enabled",
+			vxlanPort: "4789",
+			debug:     true,
+			expectedCmdContains: []string{
+				windows.HybridOverlayPath,
+				"--node NODE_NAME",
+				"--bootstrap-kubeconfig=" + windows.KubeconfigPath,
+				"--cert-dir=" + windows.CniConfDir,
+				"--cert-duration=24h",
+				"--windows-service",
+				"--logfile",
+				windows.HybridOverlayLogDir + "\\hybrid-overlay.log",
+				"--k8s-cacert " + windows.TrustedCABundlePath,
+				"--hybrid-overlay-vxlan-port 4789",
+				"--loglevel 5",
+			},
+			expectedCmdNotContains: []string{},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			result := hybridOverlayConfiguration(test.vxlanPort, test.debug)
+
+			assert.Equal(t, windows.HybridOverlayServiceName, result.Name,
+				"Service name should match expected value")
+			assert.False(t, result.Bootstrap,
+				"Service should not be a bootstrap service")
+			assert.Equal(t, uint(2), result.Priority,
+				"Service priority should be 2")
+			assert.Equal(t, []string{windows.KubeletServiceName}, result.Dependencies,
+				"Service should depend on kubelet service")
+			assert.Nil(t, result.PowershellPreScripts,
+				"Service should not have PowerShell pre-scripts")
+
+			require.Len(t, result.NodeVariablesInCommand, 1,
+				"Service should have exactly one node variable")
+			assert.Equal(t, "NODE_NAME", result.NodeVariablesInCommand[0].Name,
+				"Node variable name should be NODE_NAME")
+			assert.Equal(t, "{.metadata.name}", result.NodeVariablesInCommand[0].NodeObjectJsonPath,
+				"Node variable JSON path should match expected format")
+
+			for _, expectedStr := range test.expectedCmdContains {
+				assert.Contains(t, result.Command, expectedStr,
+					"Command should contain: %s\nActual command: %s",
+					expectedStr, result.Command)
+			}
+
+			for _, unexpectedStr := range test.expectedCmdNotContains {
+				assert.NotContains(t, result.Command, unexpectedStr,
+					"Command should not contain: %s\nActual command: %s",
+					unexpectedStr, result.Command)
+			}
+		})
+	}
+}
