GCP-367: Implement GCP Cloud Controller Manager component

[cristianoveiga]

What this PR does / why we need it:

Implements the GCP Cloud Controller Manager (CCM) for hosted control planes, replacing the need for a custom ProviderID controller. The CCM handles node initialization (provider ID, zone labels, taint removal) and enables LoadBalancer service support for GCP hosted clusters.

Key implementation details:

• Create CCM component under control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/
• Create CCM assets (deployment, config) under v2/assets/gcp-cloud-controller-manager/
• Configure token minter sidecar for Workload Identity Federation with kube-system/cloud-controller-manager service account
• Deploy CCM with --controllers=*,-nodeipam (nodeipam disabled - handled by cluster network operator)
• Add cloud-controller-manager-creds secret creation to hypershift-operator ReconcileCredentials, reusing existing buildGCPWorkloadIdentityCredentials function

The CCM uses the pre-created cloud-controller-manager-creds secret from the hypershift-operator, following the same pattern as node-management-creds and control-plane-operator-creds for consistent credential management.

Which issue(s) this PR fixes:

Fixes GCP-367

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@cristianoveiga: This pull request references GCP-367 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Implements the GCP Cloud Controller Manager (CCM) for hosted control planes, replacing the need for a custom ProviderID controller. The CCM handles node initialization (provider ID, zone labels, taint removal) and enables LoadBalancer service support for GCP hosted clusters.

Key implementation details:

• Create CCM component under control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/
• Create CCM assets (deployment, config) under v2/assets/gcp-cloud-controller-manager/
• Configure token minter sidecar for Workload Identity Federation with kube-system/cloud-controller-manager service account
• Deploy CCM with --controllers=*,-nodeipam (nodeipam disabled - handled by cluster network operator)
• Add cloud-controller-manager-creds secret creation to hypershift-operator ReconcileCredentials, reusing existing buildGCPWorkloadIdentityCredentials function

The CCM uses the pre-created cloud-controller-manager-creds secret from the hypershift-operator, following the same pattern as node-management-creds and control-plane-operator-creds for consistent credential management.

Which issue(s) this PR fixes:

Fixes GCP-367

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@cristianoveiga: This pull request references GCP-367 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Implements the GCP Cloud Controller Manager (CCM) for hosted control planes, replacing the need for a custom ProviderID controller. The CCM handles node initialization (provider ID, zone labels, taint removal) and enables LoadBalancer service support for GCP hosted clusters.

Key implementation details:

• Create CCM component under control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/
• Create CCM assets (deployment, config) under v2/assets/gcp-cloud-controller-manager/
• Configure token minter sidecar for Workload Identity Federation with kube-system/cloud-controller-manager service account
• Deploy CCM with --controllers=*,-nodeipam (nodeipam disabled - handled by cluster network operator)
• Add cloud-controller-manager-creds secret creation to hypershift-operator ReconcileCredentials, reusing existing buildGCPWorkloadIdentityCredentials function

The CCM uses the pre-created cloud-controller-manager-creds secret from the hypershift-operator, following the same pattern as node-management-creds and control-plane-operator-creds for consistent credential management.

Which issue(s) this PR fixes:

Fixes GCP-367

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds GCP cloud-controller-manager support: new component registration, component implementation and config adaptation, manifests (ConfigMap, Deployment), unit tests and fixtures, workload-identity credential wiring/validation for GCP, and CLI wiring for CloudController service account.

Changes

Cohort / File(s)	Summary
Controller registration control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller.go	Registers the GCP v2 cloud-controller-manager component in HostedControlPlaneReconciler.
GCP CCM assets (manifests) control-plane-operator/controllers/hostedcontrolplane/v2/assets/gcp-cloud-controller-manager/config.yaml, .../deployment.yaml	Adds gcp-cloud-config ConfigMap template and a Deployment for the gcp-cloud-controller-manager (single replica, mounts for kubeconfig/credentials, token-minter sidecar, args, resources, volumes).
GCP component code control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go, .../gcp/config.go	New component (ComponentName, NewComponent) with a GCP-only predicate; adaptConfig populates cloud.conf using HostedControlPlane GCP fields (project, network, infraID→node-tags).
GCP component tests & fixtures control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/config_test.go, .../testdata/zz_fixture_TestConfig.yaml	Adds tests for config adaptation, error states, and predicate plus expected ConfigMap fixture.
Testdata: ControlPlaneComponent & Deployments control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/**	Adds many YAML fixtures (ConfigMaps, ControlPlaneComponent objects, Deployments) across provider variants (GCP, IBMCloud, TechPreviewNoUpgrade) to validate manifests and component wiring.
HyperShift GCP credentials & validation hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go, .../gcp/gcp_test.go	Adds CloudControllerCredsSecret() helper, maps CloudController service account to its secret in credentials reconciliation, and requires CloudController service account email in workload-identity validation; test added for missing email.
CLI create command (GCP) cmd/cluster/gcp/create.go, .../create_test.go, cmd/cluster/gcp/testdata/...	Adds --cloud-controller-service-account flag and CloudControllerServiceAccount option, validates it as required, and populates HostedCluster.spec.platform.gcp.workloadIdentity.serviceAccountsEmails.CloudController; tests and fixture updated.
Test adjustments control-plane-operator/controllers/hostedcontrolplane/hostedcontrolplane_controller_test.go	Updates two HCP test fixtures to include a GCPPlatformSpec (project, region, network) to exercise GCP code paths.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@cristianoveiga: This pull request references GCP-367 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Implements the GCP Cloud Controller Manager (CCM) for hosted control planes, replacing the need for a custom ProviderID controller. The CCM handles node initialization (provider ID, zone labels, taint removal) and enables LoadBalancer service support for GCP hosted clusters.

Key implementation details:

• Create CCM component under control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/
• Create CCM assets (deployment, config) under v2/assets/gcp-cloud-controller-manager/
• Configure token minter sidecar for Workload Identity Federation with kube-system/cloud-controller-manager service account
• Deploy CCM with --controllers=*,-nodeipam (nodeipam disabled - handled by cluster network operator)
• Add cloud-controller-manager-creds secret creation to hypershift-operator ReconcileCredentials, reusing existing buildGCPWorkloadIdentityCredentials function

The CCM uses the pre-created cloud-controller-manager-creds secret from the hypershift-operator, following the same pattern as node-management-creds and control-plane-operator-creds for consistent credential management.

Which issue(s) this PR fixes:

Fixes GCP-367

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cristianoveiga]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go`:
- Around line 343-347: ReconcileCredentials is syncing a
cloud-controller-manager secret using
hcluster.Spec.Platform.GCP.WorkloadIdentity.ServiceAccountsEmails.CloudController
even though validateWorkloadIdentityConfiguration does not require that field;
add an explicit validation in validateWorkloadIdentityConfiguration to return an
error when wif.ServiceAccountsEmails.CloudController == "" so the
ValidGCPWorkloadIdentity condition fails early and ReconcileCredentials won't
proceed to sync a missing CloudController secret. Update
validateWorkloadIdentityConfiguration to check
ServiceAccountsEmails.CloudController, return a descriptive error (e.g., "cloud
controller service account email is required"), and ensure callers handle that
error to prevent later failure in ReconcileCredentials.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go (1)

343-351: ⚠️ Potential issue | 🟠 Major

Avoid map key collisions when multiple roles share the same GSA.

The map-based iteration silently collapses duplicate email entries. If a user configures the same service account email for multiple roles, only one secret will be synced and the others will be skipped without error. Use an ordered slice of pairs instead to ensure all role credentials are reconciled.

🔧 Proposed fix

-	for email, secret := range map[string]*corev1.Secret{
-		hcluster.Spec.Platform.GCP.WorkloadIdentity.ServiceAccountsEmails.NodePool:        NodePoolManagementCredsSecret(controlPlaneNamespace),
-		hcluster.Spec.Platform.GCP.WorkloadIdentity.ServiceAccountsEmails.ControlPlane:    ControlPlaneOperatorCredsSecret(controlPlaneNamespace),
-		hcluster.Spec.Platform.GCP.WorkloadIdentity.ServiceAccountsEmails.CloudController: CloudControllerCredsSecret(controlPlaneNamespace),
-	} {
-		if err := syncSecret(secret, email); err != nil {
+	for _, item := range []struct {
+		email  string
+		secret *corev1.Secret
+	}{
+		{hcluster.Spec.Platform.GCP.WorkloadIdentity.ServiceAccountsEmails.NodePool, NodePoolManagementCredsSecret(controlPlaneNamespace)},
+		{hcluster.Spec.Platform.GCP.WorkloadIdentity.ServiceAccountsEmails.ControlPlane, ControlPlaneOperatorCredsSecret(controlPlaneNamespace)},
+		{hcluster.Spec.Platform.GCP.WorkloadIdentity.ServiceAccountsEmails.CloudController, CloudControllerCredsSecret(controlPlaneNamespace)},
+	} {
+		if err := syncSecret(item.secret, item.email); err != nil {
 			errs = append(errs, err)
 		}
 	}

[cristianoveiga]

/retest-required

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In
`@control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml`:
- Around line 88-89: The IBMCloud fixture's container spec only sets
securityContext.readOnlyRootFilesystem and is missing the GCP fixture's
hardening fields and sidecar/volume; update the IBMCloud deployment spec to add
securityContext.allowPrivilegeEscalation: false,
securityContext.capabilities.drop: [ALL], securityContext.runAsNonRoot: true to
the same container spec (or document why platform differences are required), and
add the token-minter sidecar container plus the cloud-token volume mount/volume
definition to mirror the GCP fixture (or add a comment explaining why
token-minter/cloud-token are intentionally omitted).

In
`@control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml`:
- Around line 88-90: The container securityContext only sets
readOnlyRootFilesystem; update the deployment container specs (the containers
that currently have securityContext and terminationMessagePolicy) to add
allowPrivilegeEscalation: false and runAsNonRoot: true (assuming the images
support non-root) alongside the existing readOnlyRootFilesystem setting; ensure
you apply this change to both container blocks present (the one with
securityContext/readOnlyRootFilesystem and the other similar block) so both
containers prevent privilege escalation and run as non-root.

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/assets/gcp-cloud-controller-manager/deployment.yaml`:
- Around line 18-51: The cloud-controller-manager container runs as root and
allows privilege escalation; update the Deployment's pod spec for the container
named "cloud-controller-manager" to add a restrictive securityContext: set
runAsNonRoot: true and a non-root runAsUser (e.g., 1000), set
allowPrivilegeEscalation: false, drop ALL capabilities (capabilities.drop:
["ALL"]), enable readOnlyRootFilesystem: true and set a seccompProfile
(RuntimeDefault) and/or restricted SELinux/AppArmor context as available; apply
these changes in the container spec and update any test fixtures that assert on
the old defaults to expect the new securityContext values.

🧹 Nitpick comments (1)

control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/config.go (1)

22-24: Consider validating networkName is not empty.

If gcpPlatform.NetworkConfig.Network.Name is empty, the CCM will receive an empty network-name in cloud.conf, which may cause runtime failures. Consider adding validation or logging a warning.

♻️ Proposed validation

 	projectID := gcpPlatform.Project
 	networkName := gcpPlatform.NetworkConfig.Network.Name
+	if networkName == "" {
+		return fmt.Errorf("network name is required in GCP platform configuration")
+	}
 	subnetworkName := "" // Subnetwork is optional for CCM

[bryan-cox]

/uncc @bryan-cox

[apahim]

/lgtm

[cristianoveiga]

/verified later @cristianoveiga

[cristianoveiga]

/retest-required

[cristianoveiga]

/retest-required

[cristianoveiga]

/verified later @cristianoveiga

[openshift-ci-robot]

@cristianoveiga: This PR has been marked to be verified later by @cristianoveiga.

Details

In response to this:

/verified later @cristianoveiga

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cristianoveiga]

/verified later @cristianoveiga

[openshift-ci-robot]

@cristianoveiga: This PR has been marked to be verified later by @cristianoveiga.

Details

In response to this:

/verified later @cristianoveiga

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ckandag]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-21
/test e2e-aws-4-21
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[cristianoveiga]

/retest-required

[muraee]

/test verify-deps

[openshift-ci]

@cristianoveiga: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.