rebase.sh failure artifacts

assets/components/csi-snapshot-controller/05_operand_rbac.yaml

@@ -51,6 +51,7 @@ rules:
   - apiGroups: ["groupsnapshot.storage.k8s.io"]
     resources: ["volumegroupsnapshots/status"]
     verbs: ["update", "patch"]
+
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -65,16 +66,17 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: csi-snapshot-controller
-    namespace: kube-system
+    namespace: openshift-cluster-storage-operator
 roleRef:
   kind: ClusterRole
   name: openshift-csi-snapshot-controller-runner
   apiGroup: rbac.authorization.k8s.io
+
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  namespace: kube-system
+  namespace: openshift-cluster-storage-operator
   name: csi-snapshot-controller-leaderelection
   annotations:
     include.release.openshift.io/hypershift: "true"
@@ -83,15 +85,16 @@ metadata:
     include.release.openshift.io/single-node-developer: "true"
     capability.openshift.io/name: CSISnapshot
 rules:
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["get", "watch", "list", "delete", "update", "create"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "watch", "list", "delete", "update", "create"]
+
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: csi-snapshot-controller-leaderelection
-  namespace: kube-system
+  namespace: openshift-cluster-storage-operator
   annotations:
     include.release.openshift.io/hypershift: "true"
     include.release.openshift.io/ibm-cloud-managed: "true"
@@ -101,7 +104,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: csi-snapshot-controller
-    namespace: kube-system
+    namespace: openshift-cluster-storage-operator
 roleRef:
   kind: Role
   name: csi-snapshot-controller-leaderelection

assets/components/csi-snapshot-controller/csi_controller_deployment.yaml

@@ -2,7 +2,7 @@ kind: Deployment
 apiVersion: apps/v1
 metadata:
   name: csi-snapshot-controller
-  namespace: kube-system
+  namespace: ${CONTROLPLANE_NAMESPACE}
 spec:
   serviceName: "csi-snapshot-controller"
   # Replicas for HyperShift. On standalone OCP it will be adjusted according to nr. of master nodes.
@@ -35,18 +35,26 @@ spec:
             capabilities:
               drop:
                 - ALL
-            runAsUser: 65534
-          image: '{{ .ReleaseImage.csi_snapshot_controller }}'
+          image: ${OPERAND_IMAGE}
           args:
-            - --v=2
-            - --leader-election=false
+            - "--v=${LOG_LEVEL}"
+            - "--leader-election=true"
+            # Leader election values are from
+            # https://github.com/openshift/library-go/blob/master/pkg/config/leaderelection/leaderelection.go
+            - "--leader-election-lease-duration=137s"
+            - "--leader-election-renew-deadline=107s"
+            - "--leader-election-retry-period=26s"
+            # Force the namespace name for HyperShift
+            - "--leader-election-namespace=openshift-cluster-storage-operator"
+            # guest --kubeconfig= will be injected by the operator when running on HyperShift
           imagePullPolicy: IfNotPresent
           resources:
             requests:
               # TODO: measure on a real cluster
               cpu: 10m
               memory: 50Mi
-              # volumeMount with guest Kubeconfig will be added by the operator
+          terminationMessagePolicy: FallbackToLogsOnError
+          # volumeMount with guest Kubeconfig will be added by the operator
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -56,18 +64,19 @@ spec:
                   matchLabels:
                     app: csi-snapshot-controller
                 topologyKey: kubernetes.io/hostname
+      priorityClassName: ${PRIORITY_CLASS}
       nodeSelector:
         node-role.kubernetes.io/master: ""
       tolerations:
-        - key: "node.kubernetes.io/unreachable"
-          operator: "Exists"
-          effect: "NoExecute"
-          tolerationSeconds: 120
-        - key: "node.kubernetes.io/not-ready"
-          operator: "Exists"
-          effect: "NoExecute"
-          tolerationSeconds: 120
-        - key: node-role.kubernetes.io/master
-          operator: Exists
-          effect: "NoSchedule"
+      - key: "node.kubernetes.io/unreachable"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 120
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 120
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: "NoSchedule"
       # volume with guest Kubeconfig will be added by the operator

assets/components/csi-snapshot-controller/serviceaccount.yaml

@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: csi-snapshot-controller
-  namespace: kube-system
+  namespace: ${CONTROLPLANE_NAMESPACE}

assets/components/csi-snapshot-controller/webhook_config.yaml

@@ -13,10 +13,10 @@ webhooks:
     clientConfig:
       service:
         name: csi-snapshot-webhook
-        namespace: kube-system
+        namespace: openshift-cluster-storage-operator
         path: /volumesnapshot
     rules:
-      - operations: ["CREATE", "UPDATE"]
+      - operations: [ "CREATE", "UPDATE" ]
         apiGroups: ["snapshot.storage.k8s.io"]
         apiVersions: ["v1beta1", "v1"]
         resources: ["volumesnapshots", "volumesnapshotcontents", "volumesnapshotclasses"]
@@ -32,7 +32,7 @@ webhooks:
         namespace: openshift-cluster-storage-operator
         path: /volumegroupsnapshot
     rules:
-      - operations: ["CREATE", "UPDATE"]
+      - operations: [ "CREATE", "UPDATE" ]
         apiGroups: ["groupsnapshot.storage.k8s.io"]
         apiVersions: ["v1alpha1"]
         resources: ["volumegroupsnapshots", "volumegroupsnapshotcontents", "volumegroupsnapshotclasses"]

assets/components/csi-snapshot-controller/webhook_deployment.yaml

@@ -2,7 +2,7 @@ kind: Deployment
 apiVersion: apps/v1
 metadata:
   name: csi-snapshot-webhook
-  namespace: kube-system
+  namespace: ${CONTROLPLANE_NAMESPACE}
 spec:
   serviceName: "csi-snapshot-webhook"
   selector:
@@ -22,31 +22,31 @@ spec:
     spec:
       serviceAccount: csi-snapshot-webhook
       containers:
-        - name: webhook
-          image: '{{ .ReleaseImage.csi_snapshot_validation_webhook }}'
-          args:
-            - --tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt
-            - --tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key
-            - "--v=2"
-            - --port=8443
-          ports:
-            - containerPort: 8443
-          volumeMounts:
-            - name: certs
-              mountPath: /etc/snapshot-validation-webhook/certs
-              readOnly: true
-              optional: true
-          imagePullPolicy: IfNotPresent
-          resources:
-            requests:
-              cpu: 10m
-              memory: 20Mi
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
-            runAsUser: 65534
+      - name: webhook
+        image: ${OPERAND_IMAGE}
+        args:
+          - --tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt
+          - --tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key
+          - "--v=${LOG_LEVEL}"
+          - --port=8443
+        ports:
+        - containerPort: 8443
+        volumeMounts:
+          - name: certs
+            mountPath: /etc/snapshot-validation-webhook/certs
+            readOnly: true
+            optional: true
+        imagePullPolicy: IfNotPresent
+        resources:
+          requests:
+            cpu: 10m
+            memory: 20Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+        terminationMessagePolicy: FallbackToLogsOnError
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -56,6 +56,7 @@ spec:
                   matchLabels:
                     app: csi-snapshot-webhook
                 topologyKey: kubernetes.io/hostname
+      priorityClassName: ${PRIORITY_CLASS}
       restartPolicy: Always
       securityContext:
         runAsNonRoot: true
@@ -64,18 +65,18 @@ spec:
       nodeSelector:
         node-role.kubernetes.io/master: ""
       volumes:
-        - name: certs
-          secret:
-            secretName: csi-snapshot-webhook-secret
+      - name: certs
+        secret:
+          secretName: csi-snapshot-webhook-secret
       tolerations:
-        - key: "node.kubernetes.io/unreachable"
-          operator: "Exists"
-          effect: "NoExecute"
-          tolerationSeconds: 120
-        - key: "node.kubernetes.io/not-ready"
-          operator: "Exists"
-          effect: "NoExecute"
-          tolerationSeconds: 120
-        - key: node-role.kubernetes.io/master
-          operator: Exists
-          effect: "NoSchedule"
+      - key: "node.kubernetes.io/unreachable"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 120
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 120
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: "NoSchedule"

assets/components/csi-snapshot-controller/webhook_service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: csi-snapshot-webhook
-  namespace: kube-system
+  namespace: ${CONTROLPLANE_NAMESPACE}
   labels:
     app: csi-snapshot-webhook
     hypershift.openshift.io/allow-guest-webhooks: "true"
@@ -11,8 +11,8 @@ metadata:
     capability.openshift.io/name: CSISnapshot
 spec:
   ports:
-    - name: webhook
-      port: 443
-      targetPort: 8443
+  - name: webhook
+    port: 443
+    targetPort: 8443
   selector:
     app: csi-snapshot-webhook

assets/components/csi-snapshot-controller/webhook_serviceaccount.yaml

@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: csi-snapshot-webhook
-  namespace: kube-system
+  namespace: ${CONTROLPLANE_NAMESPACE}