
@matlaj (Contributor) commented Dec 11, 2025

What this PR does / why we need it:

Since CPOv2, Portieris will crash if it can't write to ./trust. This fix mounts an empty dir to this path to allow Portieris to write its files inside its ReadOnlyRootFileSystem container.

Which issue(s) this PR fixes:

Fixes OCPBUGS-67224

Special notes for your reviewer:

None

Checklist:

  • Subject and description added to both commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 11, 2025
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Dec 11, 2025
@openshift-ci-robot

@matlaj: This pull request references Jira Issue OCPBUGS-67224, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai bot (Contributor) commented Dec 11, 2025

Walkthrough

Modifies the KAS Portieris controller to add an in-memory trust data volume. Introduces a new EmptyDir volume mounted at /run/.trust in the Portieris container and adds a corresponding volume-building function to the Pod specification.

Changes

Cohort: Portieris trust volume configuration
File(s): control-plane-operator/controllers/hostedcontrolplane/v2/kas/portieries.go
Summary: Adds in-memory trust data volume (portieris-trust-data) with EmptyDir storage. Introduces buildKASPortierisTrustVolume function and extends volume mounts map to include new volume mounted at /run/.trust for Portieris container.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify that the EmptyDir configuration is correctly specified for ephemeral trust storage
  • Confirm the volume mount path /run/.trust aligns with Portieris expectations and does not conflict with existing mount points
  • Validate that the volume is properly integrated into the Pod spec and volume mounts map
📥 Commits

Reviewing files that changed from the base of the PR and between 8e41a55 and 73d2bd5.

📒 Files selected for processing (1)
  • control-plane-operator/controllers/hostedcontrolplane/v2/kas/portieries.go (2 hunks)
🔇 Additional comments (4)
control-plane-operator/controllers/hostedcontrolplane/v2/kas/portieries.go (4)

18-18: LGTM!

Constant naming follows established conventions and clearly identifies the trust data volume.


33-33: LGTM!

Volume configuration correctly appends both required volumes to the Pod specification.


91-101: LGTM!

The EmptyDir volume with memory-backed storage is the appropriate solution for providing writable space in a read-only root filesystem container. The implementation follows established patterns.


26-26: Verify that the mount path matches Portieris's actual trust path expectations.

The code mounts a volume at /run/.trust (absolute path). However, without access to the PR description and Portieris's implementation, the review comment's concern cannot be resolved: does Portieris write to /run/.trust directly, or does it expect a working directory set to /run and write to ./trust relative to it? The container spec has no explicit WorkingDir configured (lines 36-78).


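The walkthrough and the "verify the mount path" comment above raise the check a reviewer actually wants to make for this fix: every path a read-only-root container must write to has to sit under a read-write mount of a writable volume (here the emptyDir at /run/.trust), and the path Portieris opens relative to its working directory has to resolve to that mount. The Go program below is an added example, not code from this PR or from the HyperShift repository: it parses a Pod manifest (a hand-written subset of the core/v1 JSON schema, standard library only) and lists the required writable paths of each readOnlyRootFilesystem container that no emptyDir mount covers. The two manifests, the `ca` mount, the `Required` table and the `/run` working-directory case are constructed for the example; only the volume name portieris-trust-data and the mount path /run/.trust come from the PR. Accepting only emptyDir volumes as writable backing is a deliberate simplification.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Minimal subset of the Kubernetes Pod JSON schema. Hand-written for this
// example so it needs only the standard library; tags match core/v1 names.
type Pod struct {
	Spec struct {
		Containers []Container `json:"containers"`
		Volumes    []Volume    `json:"volumes"`
	} `json:"spec"`
}

type Container struct {
	Name            string `json:"name"`
	WorkingDir      string `json:"workingDir"`
	SecurityContext *struct {
		ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem"`
	} `json:"securityContext"`
	VolumeMounts []VolumeMount `json:"volumeMounts"`
}

type VolumeMount struct {
	Name      string `json:"name"`
	MountPath string `json:"mountPath"`
	ReadOnly  bool   `json:"readOnly"`
}

type Volume struct {
	Name     string                                 `json:"name"`
	EmptyDir *struct{ Medium string `json:"medium"` } `json:"emptyDir"`
}

// ResolvePath makes the path a process opens (possibly relative, like
// "./trust") absolute against the container's workingDir. Kubernetes leaves
// workingDir empty when unset; this example then assumes "/" (a scratch image).
func ResolvePath(workingDir, p string) string {
	if path.IsAbs(p) {
		return path.Clean(p)
	}
	if workingDir == "" {
		workingDir = "/"
	}
	return path.Clean(path.Join(workingDir, p))
}

// Covers reports whether mountPath equals p or is an ancestor directory of it.
func Covers(mountPath, p string) bool {
	mountPath = path.Clean(mountPath)
	return p == mountPath || strings.HasPrefix(p, mountPath+"/")
}

// WritableGaps returns "container:path" for every required writable path of a
// readOnlyRootFilesystem container that is not backed by a read-write mount of
// an emptyDir volume. Simplification: PVC and hostPath backing is not accepted.
func WritableGaps(podJSON []byte, required map[string][]string) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(podJSON, &pod); err != nil {
		return nil, err
	}
	isEmptyDir := map[string]bool{}
	for _, v := range pod.Spec.Volumes {
		isEmptyDir[v.Name] = v.EmptyDir != nil
	}
	var gaps []string
	for _, c := range pod.Spec.Containers {
		sc := c.SecurityContext
		if sc == nil || sc.ReadOnlyRootFilesystem == nil || !*sc.ReadOnlyRootFilesystem {
			continue // root filesystem is writable; nothing to verify
		}
		for _, p := range required[c.Name] {
			abs := ResolvePath(c.WorkingDir, p)
			backed := false
			for _, m := range c.VolumeMounts {
				if !m.ReadOnly && isEmptyDir[m.Name] && Covers(m.MountPath, abs) {
					backed = true
					break
				}
			}
			if !backed {
				gaps = append(gaps, c.Name+":"+abs)
			}
		}
	}
	return gaps, nil
}

// Constructed manifests: the container before the fix (only a read-only CA
// mount) and after it (memory-backed emptyDir mounted read-write at /run/.trust).
const PodBefore = `{"spec":{"containers":[{"name":"portieris",
 "securityContext":{"readOnlyRootFilesystem":true},
 "volumeMounts":[{"name":"ca","mountPath":"/etc/ca","readOnly":true}]}],
 "volumes":[{"name":"ca","configMap":{"name":"ca"}}]}}`

const PodAfter = `{"spec":{"containers":[{"name":"portieris",
 "securityContext":{"readOnlyRootFilesystem":true},
 "volumeMounts":[{"name":"ca","mountPath":"/etc/ca","readOnly":true},
                 {"name":"portieris-trust-data","mountPath":"/run/.trust"}]}],
 "volumes":[{"name":"ca","configMap":{"name":"ca"}},
            {"name":"portieris-trust-data","emptyDir":{"medium":"Memory"}}]}}`

// Required writable paths per container (constructed for this example).
var Required = map[string][]string{"portieris": {"/run/.trust"}}

func main() {
	for _, doc := range []struct{ name, body string }{{"before", PodBefore}, {"after", PodAfter}} {
		gaps, err := WritableGaps([]byte(doc.body), Required)
		fmt.Printf("%s: gaps=%v err=%v\n", doc.name, gaps, err)
	}
}
```

Running it reports `portieris:/run/.trust` as an uncovered path for the pre-fix manifest and no gaps once the emptyDir mount is present. The `ResolvePath` step is what settles the working-directory question the review raised: a relative `./.trust` with workingDir `/run` resolves to `/run/.trust`, whereas with no workingDir it resolves to `/.trust`, which the mount would not cover and the check would flag.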

@matlaj (Contributor, Author) commented Dec 11, 2025

/auto-cc

@openshift-ci openshift-ci bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. and removed do-not-merge/needs-area labels Dec 11, 2025
@openshift-ci openshift-ci bot (Contributor) commented Dec 11, 2025

Hi @matlaj. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot requested review from bryan-cox and sjenning December 11, 2025 15:09
@openshift-ci-robot

@matlaj: This pull request references Jira Issue OCPBUGS-67224, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

@TwoDCube (Member)

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 11, 2025
@TwoDCube (Member)

/cherry-pick release-4.20

@openshift-cherrypick-robot

@TwoDCube: once the present PR merges, I will cherry-pick it on top of release-4.20 in a new PR and assign it to you.


@TwoDCube (Member)

/ok-to-test

@TwoDCube (Member)

/retest

Since CPOv2, Portieris will crash if it can't write to ./trust.
This fix mounts an empty dir to this path to allow Portieris to write its files inside its ReadOnlyRootFileSystem container.
@matlaj matlaj force-pushed the matlaj/portieris_workdir branch from a4f0e80 to 73d2bd5 Compare December 12, 2025 10:14
@TwoDCube (Member)

/ok-to-test

@TwoDCube (Member)

/retest

@TwoDCube (Member)

/retest

@rtheis (Contributor) commented Dec 15, 2025

/retest-required

@rtheis (Contributor) commented Dec 16, 2025

/retest-required

@matlaj matlaj marked this pull request as ready for review December 16, 2025 13:22
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 16, 2025
@openshift-ci openshift-ci bot (Contributor) commented Dec 18, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: matlaj, rtheis, sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 18, 2025
@rtheis (Contributor) commented Dec 19, 2025

/ok-to-test

@rtheis (Contributor) commented Dec 19, 2025

/cherry-pick release-4.21 release-4.20

@openshift-cherrypick-robot

@rtheis: once the present PR merges, I will cherry-pick it on top of release-4.21 in a new PR and assign it to you.


@rtheis (Contributor) commented Dec 19, 2025

/retest-required

@rtheis (Contributor) commented Dec 19, 2025

/retest-required

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 56af5d5 and 2 for PR HEAD 73d2bd5 in total

@rtheis (Contributor) commented Dec 19, 2025

/retest-required

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 780f88b and 1 for PR HEAD 73d2bd5 in total

@rtheis (Contributor) commented Dec 19, 2025

/retest-required

@rtheis (Contributor) commented Dec 19, 2025

/retest-required

@rtheis (Contributor) commented Dec 20, 2025

/override ci/prow/okd-scos-images

@openshift-ci openshift-ci bot (Contributor) commented Dec 20, 2025

@rtheis: rtheis unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file, and the following github teams:openshift: openshift-release-oversight openshift-staff-engineers openshift-sustaining-engineers.


@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 351f6ae and 0 for PR HEAD 73d2bd5 in total

@openshift-ci-robot

/hold

Revision 73d2bd5 was retested 3 times: holding

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 22, 2025
@rtheis (Contributor) commented Dec 22, 2025

/ok-to-test
/remove-hold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 22, 2025
@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 351f6ae and 2 for PR HEAD 73d2bd5 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD da2f23d and 1 for PR HEAD 73d2bd5 in total

@TwoDCube (Member)

/retest-required

@TwoDCube (Member)

/retest-required

@openshift-ci openshift-ci bot (Contributor) commented Dec 24, 2025

@matlaj: all tests passed!

Full PR test history. Your PR dashboard.


@openshift-merge-bot openshift-merge-bot bot merged commit 9c9bda3 into openshift:main Dec 24, 2025
22 checks passed
@openshift-ci-robot

@matlaj: Jira Issue Verification Checks: Jira Issue OCPBUGS-67224
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-67224 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓


@openshift-cherrypick-robot

@TwoDCube: new pull request created: #7421


@openshift-cherrypick-robot

@rtheis: new pull request created: #7422

