[release-4.15] OCPBUGS-30804: honor HC image configuration

control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go

@@ -1087,7 +1087,7 @@ func (r *HostedControlPlaneReconciler) reconcile(ctx context.Context, hostedCont
 
 	// Reconcile openshift route controller manager
 	r.Log.Info("Reconciling OpenShift Route Controller Manager")
-	if err := r.reconcileOpenShiftRouteControllerManager(ctx, hostedControlPlane, observedConfig, releaseImageProvider, createOrUpdate); err != nil {
+	if err := r.reconcileOpenShiftRouteControllerManager(ctx, hostedControlPlane, releaseImageProvider, createOrUpdate); err != nil {
 		return fmt.Errorf("failed to reconcile openshift route controller manager: %w", err)
 	}
 
@@ -2895,8 +2895,8 @@ func (r *HostedControlPlaneReconciler) reconcileOpenShiftControllerManager(ctx c
 	return nil
 }
 
-func (r *HostedControlPlaneReconciler) reconcileOpenShiftRouteControllerManager(ctx context.Context, hcp *hyperv1.HostedControlPlane, observedConfig *globalconfig.ObservedConfig, releaseImageProvider *imageprovider.ReleaseImageProvider, createOrUpdate upsert.CreateOrUpdateFN) error {
-	p := routecm.NewOpenShiftRouteControllerManagerParams(hcp, observedConfig, releaseImageProvider, r.SetDefaultSecurityContext)
+func (r *HostedControlPlaneReconciler) reconcileOpenShiftRouteControllerManager(ctx context.Context, hcp *hyperv1.HostedControlPlane, releaseImageProvider *imageprovider.ReleaseImageProvider, createOrUpdate upsert.CreateOrUpdateFN) error {
+	p := routecm.NewOpenShiftRouteControllerManagerParams(hcp, releaseImageProvider, r.SetDefaultSecurityContext)
 	config := manifests.OpenShiftRouteControllerManagerConfig(hcp.Namespace)
 	if _, err := createOrUpdate(ctx, r, config, func() error {
 		return routecm.ReconcileOpenShiftRouteControllerManagerConfig(config, p.OwnerRef, p.MinTLSVersion(), p.CipherSuites(), p.Network)

control-plane-operator/controllers/hostedcontrolplane/kcm/deployment.go

@@ -99,7 +99,7 @@ func ReconcileDeployment(deployment *appsv1.Deployment, config, rootCA, serviceS
 		deployment.Spec.Template.ObjectMeta.Annotations = map[string]string{}
 	}
 	deployment.Spec.Template.ObjectMeta.Annotations[configHashAnnotation] = util.ComputeHash(configBytes)
-	deployment.Spec.Template.ObjectMeta.Annotations[rootCAHashAnnotation] = util.HashStruct(rootCA.Data)
+	deployment.Spec.Template.ObjectMeta.Annotations[rootCAHashAnnotation] = util.HashSimple(rootCA.Data)
 
 	deployment.Spec.Template.Spec = corev1.PodSpec{
 		AutomountServiceAccountToken: pointer.Bool(false),
@@ -120,7 +120,7 @@ func ReconcileDeployment(deployment *appsv1.Deployment, config, rootCA, serviceS
 	}
 	p.DeploymentConfig.ApplyTo(deployment)
 	if serviceServingCA != nil {
-		deployment.Spec.Template.ObjectMeta.Annotations[serviceCAHashAnnotation] = util.HashStruct(serviceServingCA.Data)
+		deployment.Spec.Template.ObjectMeta.Annotations[serviceCAHashAnnotation] = util.HashSimple(serviceServingCA.Data)
 		applyServingCAVolume(&deployment.Spec.Template.Spec, serviceServingCA)
 	} else {
 		deployment.Spec.Template.ObjectMeta.Annotations[serviceCAHashAnnotation] = ""

control-plane-operator/controllers/hostedcontrolplane/mcs/params.go

@@ -9,19 +9,22 @@ import (
 	hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
 	"github.com/openshift/hypershift/support/config"
 	"github.com/openshift/hypershift/support/globalconfig"
+	"github.com/openshift/hypershift/support/util"
 )
 
 type MCSParams struct {
-	OwnerRef        config.OwnerRef
-	RootCA          *corev1.Secret
-	KubeletClientCA *corev1.ConfigMap
-	UserCA          *corev1.ConfigMap
-	PullSecret      *corev1.Secret
-	DNS             *configv1.DNS
-	Infrastructure  *configv1.Infrastructure
-	Network         *configv1.Network
-	Proxy           *configv1.Proxy
-	InstallConfig   *globalconfig.InstallConfig
+	OwnerRef          config.OwnerRef
+	RootCA            *corev1.Secret
+	KubeletClientCA   *corev1.ConfigMap
+	UserCA            *corev1.ConfigMap
+	PullSecret        *corev1.Secret
+	DNS               *configv1.DNS
+	Infrastructure    *configv1.Infrastructure
+	Network           *configv1.Network
+	Proxy             *configv1.Proxy
+	Image             *configv1.Image
+	InstallConfig     *globalconfig.InstallConfig
+	ConfigurationHash string
 }
 
 func NewMCSParams(hcp *hyperv1.HostedControlPlane, rootCA, pullSecret *corev1.Secret, userCA, kubeletClientCA *corev1.ConfigMap) (*MCSParams, error) {
@@ -40,16 +43,26 @@ func NewMCSParams(hcp *hyperv1.HostedControlPlane, rootCA, pullSecret *corev1.Se
 	proxy := globalconfig.ProxyConfig()
 	globalconfig.ReconcileProxyConfigWithStatus(proxy, hcp)
 
+	image := globalconfig.ImageConfig()
+	globalconfig.ReconcileImageConfig(image, hcp)
+
+	hcConfigurationHash, err := util.HashStruct(hcp.Spec.Configuration)
+	if err != nil {
+		return &MCSParams{}, fmt.Errorf("failed to hash HCP configuration: %w", err)
+	}
+
 	return &MCSParams{
-		OwnerRef:        config.OwnerRefFrom(hcp),
-		RootCA:          rootCA,
-		KubeletClientCA: kubeletClientCA,
-		UserCA:          userCA,
-		PullSecret:      pullSecret,
-		DNS:             dns,
-		Infrastructure:  infra,
-		Network:         network,
-		Proxy:           proxy,
-		InstallConfig:   globalconfig.NewInstallConfig(hcp),
+		OwnerRef:          config.OwnerRefFrom(hcp),
+		RootCA:            rootCA,
+		KubeletClientCA:   kubeletClientCA,
+		UserCA:            userCA,
+		PullSecret:        pullSecret,
+		DNS:               dns,
+		Infrastructure:    infra,
+		Network:           network,
+		Proxy:             proxy,
+		Image:             image,
+		InstallConfig:     globalconfig.NewInstallConfig(hcp),
+		ConfigurationHash: hcConfigurationHash,
 	}, nil
 }

control-plane-operator/controllers/hostedcontrolplane/mcs/reconcile.go

@@ -31,6 +31,10 @@ func ReconcileMachineConfigServerConfig(cm *corev1.ConfigMap, p *MCSParams) erro
 	if err != nil {
 		return err
 	}
+	serializedImage, err := serialize(p.Image)
+	if err != nil {
+		return err
+	}
 	serializedMasterConfigPool, err := serializeConfigPool(masterConfigPool())
 	if err != nil {
 		return err
@@ -54,9 +58,11 @@ func ReconcileMachineConfigServerConfig(cm *corev1.ConfigMap, p *MCSParams) erro
 	cm.Data["cluster-infrastructure-02-config.yaml"] = serializedInfra
 	cm.Data["cluster-network-02-config.yaml"] = serializedNetwork
 	cm.Data["cluster-proxy-01-config.yaml"] = serializedProxy
+	cm.Data["image-config.yaml"] = serializedImage
 	cm.Data["install-config.yaml"] = p.InstallConfig.String()
 	cm.Data["master.machineconfigpool.yaml"] = serializedMasterConfigPool
 	cm.Data["worker.machineconfigpool.yaml"] = serializedWorkerConfigPool
+	cm.Data["configuration-hash"] = p.ConfigurationHash
 	return nil
 }
 

control-plane-operator/controllers/hostedcontrolplane/oapi/config.go

@@ -26,7 +26,7 @@ const (
 	defaultInternalRegistryHostname = "image-registry.openshift-image-registry.svc:5000"
 )
 
-func ReconcileConfig(cm *corev1.ConfigMap, auditWebhookRef *corev1.LocalObjectReference, ownerRef config.OwnerRef, etcdURL, ingressDomain, minTLSVersion string, cipherSuites []string, imageConfig *configv1.Image, projectConfig *configv1.Project) error {
+func ReconcileConfig(cm *corev1.ConfigMap, auditWebhookRef *corev1.LocalObjectReference, ownerRef config.OwnerRef, etcdURL, ingressDomain, minTLSVersion string, cipherSuites []string, imageConfig *configv1.ImageSpec, projectConfig *configv1.Project) error {
 	ownerRef.ApplyTo(cm)
 	if cm.Data == nil {
 		cm.Data = map[string]string{}
@@ -46,7 +46,7 @@ func ReconcileConfig(cm *corev1.ConfigMap, auditWebhookRef *corev1.LocalObjectRe
 	return nil
 }
 
-func reconcileConfigObject(cfg *openshiftcpv1.OpenShiftAPIServerConfig, auditWebhookRef *corev1.LocalObjectReference, etcdURL, ingressDomain, minTLSVersion string, cipherSuites []string, imageConfig *configv1.Image, projectConfig *configv1.Project) {
+func reconcileConfigObject(cfg *openshiftcpv1.OpenShiftAPIServerConfig, auditWebhookRef *corev1.LocalObjectReference, etcdURL, ingressDomain, minTLSVersion string, cipherSuites []string, imageConfig *configv1.ImageSpec, projectConfig *configv1.Project) {
 	cfg.TypeMeta = metav1.TypeMeta{
 		Kind:       "OpenShiftAPIServerConfig",
 		APIVersion: openshiftcpv1.GroupVersion.String(),
@@ -83,19 +83,18 @@ func reconcileConfigObject(cfg *openshiftcpv1.OpenShiftAPIServerConfig, auditWeb
 	}
 
 	// Image policy config
-	cfg.ImagePolicyConfig.InternalRegistryHostname = imageConfig.Status.InternalRegistryHostname
-	cfg.ImagePolicyConfig.ExternalRegistryHostnames = imageConfig.Status.ExternalRegistryHostnames
-	if cfg.ImagePolicyConfig.InternalRegistryHostname == "" {
-		cfg.ImagePolicyConfig.InternalRegistryHostname = defaultInternalRegistryHostname
-	}
-	var allowedRegistries openshiftcpv1.AllowedRegistries
-	for _, location := range imageConfig.Spec.AllowedRegistriesForImport {
-		allowedRegistries = append(allowedRegistries, openshiftcpv1.RegistryLocation{
-			DomainName: location.DomainName,
-			Insecure:   location.Insecure,
-		})
+	cfg.ImagePolicyConfig.InternalRegistryHostname = defaultInternalRegistryHostname
+	if imageConfig != nil {
+		cfg.ImagePolicyConfig.ExternalRegistryHostnames = imageConfig.ExternalRegistryHostnames
+		var allowedRegistries openshiftcpv1.AllowedRegistries
+		for _, location := range imageConfig.AllowedRegistriesForImport {
+			allowedRegistries = append(allowedRegistries, openshiftcpv1.RegistryLocation{
+				DomainName: location.DomainName,
+				Insecure:   location.Insecure,
+			})
+		}
+		cfg.ImagePolicyConfig.AllowedRegistriesForImport = allowedRegistries
 	}
-	cfg.ImagePolicyConfig.AllowedRegistriesForImport = allowedRegistries
 
 	// Routing config
 	cfg.RoutingConfig.Subdomain = ingressDomain

control-plane-operator/controllers/hostedcontrolplane/oapi/deployment.go

@@ -178,7 +178,7 @@ func ReconcileDeployment(deployment *appsv1.Deployment, auditWebhookRef *corev1.
 		deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, util.BuildVolume(serviceCASignerVolume(), buildServiceCASignerVolume))
 		trustAnchorGeneratorContainer := util.FindContainer(oasTrustAnchorGenerator().Name, deployment.Spec.Template.Spec.InitContainers)
 		trustAnchorGeneratorContainer.VolumeMounts = append(trustAnchorGeneratorContainer.VolumeMounts, serviceSignerCertMount.ContainerMounts(oasTrustAnchorGenerator().Name)...)
-		deployment.Spec.Template.ObjectMeta.Annotations[serviceCAHashAnnotation] = util.HashStruct(serviceServingCA.Data)
+		deployment.Spec.Template.ObjectMeta.Annotations[serviceCAHashAnnotation] = util.HashSimple(serviceServingCA.Data)
 	} else {
 		deployment.Spec.Template.ObjectMeta.Annotations[serviceCAHashAnnotation] = ""
 	}

control-plane-operator/controllers/hostedcontrolplane/oapi/params.go

@@ -29,7 +29,7 @@ type OpenShiftAPIServerParams struct {
 	AvailabilityProberImage                 string `json:"availabilityProberImage"`
 	Availability                            hyperv1.AvailabilityPolicy
 	Ingress                                 *configv1.IngressSpec
-	Image                                   *configv1.Image
+	Image                                   *configv1.ImageSpec
 	Project                                 *configv1.Project
 	AuditWebhookRef                         *corev1.LocalObjectReference
 	InternalOAuthDisable                    bool
@@ -58,14 +58,14 @@ func NewOpenShiftAPIServerParams(hcp *hyperv1.HostedControlPlane, observedConfig
 		IngressSubDomain:        globalconfig.IngressDomain(hcp),
 		AvailabilityProberImage: releaseImageProvider.GetImage(util.AvailabilityProberImageName),
 		Availability:            hcp.Spec.ControllerAvailabilityPolicy,
-		Image:                   observedConfig.Image,
 		Project:                 observedConfig.Project,
 		InternalOAuthDisable:    !util.HCPOAuthEnabled(hcp),
 	}
 
 	if hcp.Spec.Configuration != nil {
 		params.Ingress = hcp.Spec.Configuration.Ingress
 		params.APIServer = hcp.Spec.Configuration.APIServer
+		params.Image = hcp.Spec.Configuration.Image
 	}
 
 	if hcp.Spec.AuditWebhook != nil && len(hcp.Spec.AuditWebhook.Name) > 0 {

control-plane-operator/controllers/hostedcontrolplane/ocm/config.go

@@ -22,7 +22,7 @@ const (
 	configKey = "config.yaml"
 )
 
-func ReconcileOpenShiftControllerManagerConfig(cm *corev1.ConfigMap, ownerRef config.OwnerRef, deployerImage, dockerBuilderImage, minTLSVersion string, cipherSuites []string, imageConfig *configv1.Image, buildConfig *configv1.Build, networkConfig *configv1.NetworkSpec) error {
+func ReconcileOpenShiftControllerManagerConfig(cm *corev1.ConfigMap, ownerRef config.OwnerRef, deployerImage, dockerBuilderImage, minTLSVersion string, cipherSuites []string, imageConfig *configv1.ImageSpec, buildConfig *configv1.Build, networkConfig *configv1.NetworkSpec) error {
 	ownerRef.ApplyTo(cm)
 
 	if cm.Data == nil {
@@ -46,7 +46,7 @@ func ReconcileOpenShiftControllerManagerConfig(cm *corev1.ConfigMap, ownerRef co
 	return nil
 }
 
-func reconcileConfig(cfg *openshiftcpv1.OpenShiftControllerManagerConfig, deployerImage, dockerBuilderImage, minTLSVersion string, cipherSuites []string, imageConfig *configv1.Image, buildConfig *configv1.Build, networkConfig *configv1.NetworkSpec) error {
+func reconcileConfig(cfg *openshiftcpv1.OpenShiftControllerManagerConfig, deployerImage, dockerBuilderImage, minTLSVersion string, cipherSuites []string, imageConfig *configv1.ImageSpec, buildConfig *configv1.Build, networkConfig *configv1.NetworkSpec) error {
 	cpath := func(volume, file string) string {
 		dir := volumeMounts.Path(ocmContainerMain().Name, volume)
 		return path.Join(dir, file)
@@ -60,10 +60,9 @@ func reconcileConfig(cfg *openshiftcpv1.OpenShiftControllerManagerConfig, deploy
 	cfg.Deployer.ImageTemplateFormat.Format = deployerImage
 
 	// registry config
-	cfg.DockerPullSecret.InternalRegistryHostname = imageConfig.Status.InternalRegistryHostname
-	cfg.DockerPullSecret.RegistryURLs = imageConfig.Status.ExternalRegistryHostnames
-	if len(cfg.DockerPullSecret.InternalRegistryHostname) == 0 {
-		cfg.DockerPullSecret.InternalRegistryHostname = config.DefaultImageRegistryHostname
+	cfg.DockerPullSecret.InternalRegistryHostname = config.DefaultImageRegistryHostname
+	if imageConfig != nil {
+		cfg.DockerPullSecret.RegistryURLs = imageConfig.ExternalRegistryHostnames
 	}
 
 	// build config

control-plane-operator/controllers/hostedcontrolplane/ocm/config_test.go

@@ -37,11 +37,7 @@ func TestReconcileOpenShiftControllerManagerConfig(t *testing.T) {
 	}
 	imageProvider := imageprovider.NewFromImages(images)
 
-	imageConfig := &v1.Image{
-		Status: v1.ImageStatus{
-			InternalRegistryHostname: "image-registry.openshift-image-registry.svc:5000",
-		},
-	}
+	imageConfig := &v1.ImageSpec{}
 
 	buildConfig := &v1.Build{
 		Spec: v1.BuildSpec{
@@ -64,7 +60,6 @@ func TestReconcileOpenShiftControllerManagerConfig(t *testing.T) {
 
 	observedConfig := &globalconfig.ObservedConfig{
 		Build: buildConfig,
-		Image: imageConfig,
 	}
 
 	params := NewOpenShiftControllerManagerParams(hcp, observedConfig, imageProvider, true)

control-plane-operator/controllers/hostedcontrolplane/ocm/params.go

@@ -19,7 +19,7 @@ type OpenShiftControllerManagerParams struct {
 	APIServer                       *configv1.APIServerSpec
 	Network                         *configv1.NetworkSpec
 	Build                           *configv1.Build
-	Image                           *configv1.Image
+	Image                           *configv1.ImageSpec
 
 	DeploymentConfig config.DeploymentConfig
 	config.OwnerRef
@@ -31,11 +31,11 @@ func NewOpenShiftControllerManagerParams(hcp *hyperv1.HostedControlPlane, observ
 		DockerBuilderImage:              releaseImageProvider.GetImage("docker-builder"),
 		DeployerImage:                   releaseImageProvider.GetImage("deployer"),
 		Build:                           observedConfig.Build,
-		Image:                           observedConfig.Image,
 	}
 	if hcp.Spec.Configuration != nil {
 		params.APIServer = hcp.Spec.Configuration.APIServer
 		params.Network = hcp.Spec.Configuration.Network
+		params.Image = hcp.Spec.Configuration.Image
 	}
 
 	params.DeploymentConfig = config.DeploymentConfig{

control-plane-operator/controllers/hostedcontrolplane/routecm/config_test.go

@@ -33,7 +33,7 @@ func TestReconcileOpenShiftRouteControllerManagerConfig(t *testing.T) {
 	}
 	imageProvider := imageprovider.NewFromImages(images)
 
-	params := NewOpenShiftRouteControllerManagerParams(hcp, nil, imageProvider, true)
+	params := NewOpenShiftRouteControllerManagerParams(hcp, imageProvider, true)
 	configMap := manifests.OpenShiftRouteControllerManagerConfig(hcp.Namespace)
 
 	networkConfig := &v1.NetworkSpec{

control-plane-operator/controllers/hostedcontrolplane/routecm/params.go

@@ -9,7 +9,6 @@ import (
 	hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
 	"github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/imageprovider"
 	"github.com/openshift/hypershift/support/config"
-	"github.com/openshift/hypershift/support/globalconfig"
 )
 
 type OpenShiftRouteControllerManagerParams struct {
@@ -21,7 +20,7 @@ type OpenShiftRouteControllerManagerParams struct {
 	config.OwnerRef
 }
 
-func NewOpenShiftRouteControllerManagerParams(hcp *hyperv1.HostedControlPlane, observedConfig *globalconfig.ObservedConfig, releaseImageProvider *imageprovider.ReleaseImageProvider, setDefaultSecurityContext bool) *OpenShiftRouteControllerManagerParams {
+func NewOpenShiftRouteControllerManagerParams(hcp *hyperv1.HostedControlPlane, releaseImageProvider *imageprovider.ReleaseImageProvider, setDefaultSecurityContext bool) *OpenShiftRouteControllerManagerParams {
 	params := &OpenShiftRouteControllerManagerParams{
 		OpenShiftControllerManagerImage: releaseImageProvider.GetImage("route-controller-manager"),
 	}

control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go

@@ -635,6 +635,14 @@ func (r *reconciler) reconcileConfig(ctx context.Context, hcp *hyperv1.HostedCon
 		errs = append(errs, fmt.Errorf("failed to reconcile dns config: %w", err))
 	}
 
+	image := globalconfig.ImageConfig()
+	if _, err := r.CreateOrUpdate(ctx, r.client, image, func() error {
+		globalconfig.ReconcileImageConfig(image, hcp)
+		return nil
+	}); err != nil {
+		errs = append(errs, fmt.Errorf("failed to reconcile image config: %w", err))
+	}
+
 	ingress := globalconfig.IngressConfig()
 	if _, err := r.CreateOrUpdate(ctx, r.client, ingress, func() error {
 		globalconfig.ReconcileIngressConfig(ingress, hcp)
@@ -1499,10 +1507,6 @@ func (r *reconciler) reconcileObservedConfiguration(ctx context.Context, hcp *hy
 		source     client.Object
 		observedCM *corev1.ConfigMap
 	}{
-		{
-			source:     globalconfig.ImageConfig(),
-			observedCM: globalconfig.ObservedImageConfig(hcp.Namespace),
-		},
 		{
 			source:     globalconfig.BuildConfig(),
 			observedCM: globalconfig.ObservedBuildConfig(hcp.Namespace),