OCPBUGS-81836: OCPBUGS-81670: fix(cpo-v2): preserve HCCO modifications to OCM Controllers field #8157

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:release-4.21 from sjenning:fix-ir-disable-421
Apr 7, 2026

Contributor

@sjenning sjenning commented Apr 2, 2026

Manual backport of #8072 without the revert for #7634 since it was not backported to 4.21

CPO v2 was overwriting the entire OCM config on each reconciliation, erasing HCCO's modification to disable the pull secrets controller when the image registry is disabled via managementState: Removed instead of the ImageRegistry capability.

This fix:

  • Fetches the actual ConfigMap from the cluster (not just the static asset)
  • Preserves the existing Controllers field when ImageRegistry capability is enabled but HCCO has modified it (e.g., via managementState: Removed)
  • Only overrides Controllers when ImageRegistry capability is explicitly disabled

This ensures that registry pull secrets are not created when the registry is disabled via managementState: Removed on non-Azure/non-IBM platforms.


Note

Medium Risk
Touches control-plane reconciliation logic for the OpenShift Controller Manager ConfigMap; an incorrect merge/preserve decision could unintentionally enable/disable controllers (notably pull-secrets) across upgrades or reconciles.

Overview
Prevents CPO v2 from overwriting HCCO changes to the OpenShift Controller Manager config by fetching the existing in-cluster ConfigMap and reusing its Controllers value when present.

The reconciler now only forces Controllers to disable the pull-secrets controller when the ImageRegistry capability is explicitly disabled; otherwise it preserves the existing cluster-set Controllers. Tests were updated and expanded to cover both preservation and explicit-disable behavior.

Written by Cursor Bugbot for commit 0e19951. This will update automatically on new commits. Configure here.

CPO v2 was overwriting the entire OCM config on each reconciliation,
erasing HCCO's modification to disable the pull secrets controller
when the image registry is disabled via managementState: Removed
instead of the ImageRegistry capability.

This fix:
- Fetches the actual ConfigMap from the cluster (not just the static asset)
- Preserves the existing Controllers field when ImageRegistry capability
  is enabled but HCCO has modified it (e.g., via managementState: Removed)
- Only overrides Controllers when ImageRegistry capability is explicitly disabled

This ensures that registry pull secrets are not created when the registry
is disabled via managementState: Removed on non-Azure/non-IBM platforms.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@coderabbitai
Contributor

coderabbitai bot commented Apr 2, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@sjenning
Contributor Author

sjenning commented Apr 2, 2026

/jira cherry-pick OCPBUGS-79471

@openshift-ci openshift-ci bot requested review from bryan-cox and csrwng April 2, 2026 19:38
@openshift-ci
Contributor

openshift-ci bot commented Apr 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed do-not-merge/needs-area labels Apr 2, 2026
@openshift-ci-robot

@sjenning: Jira Issue OCPBUGS-79471 has been cloned as Jira Issue OCPBUGS-81670. Will retitle bug to link to clone.
/retitle OCPBUGS-81670: fix(cpo-v2): preserve HCCO modifications to OCM Controllers field

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot changed the title fix(cpo-v2): preserve HCCO modifications to OCM Controllers field OCPBUGS-81670: fix(cpo-v2): preserve HCCO modifications to OCM Controllers field Apr 2, 2026
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 2, 2026
@openshift-ci-robot

@sjenning: This pull request references Jira Issue OCPBUGS-81670, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected dependent Jira Issue OCPBUGS-79471 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

[!NOTE]
Medium Risk
Touches control-plane reconciliation of the OpenShift Controller Manager config, so mistakes could change which controllers run and impact cluster behavior. Scope is small and guarded (only preserves Controllers when present and registry capability isn’t disabled).

Overview
Prevents CPO v2 from clobbering HCCO-driven changes to the OpenShift Controller Manager config by reading the existing ConfigMap from the cluster and carrying forward its Controllers field.

Reconciliation now only forces the pull-secrets controller to be disabled when the Image Registry capability is explicitly disabled; otherwise it preserves any existing Controllers overrides. Adds unit tests covering both the preservation and explicit-disable paths.

Written by Cursor Bugbot for commit 0e19951. This will update automatically on new commits. Configure here.

@sjenning
Contributor Author

sjenning commented Apr 6, 2026

/jira cherry-pick OCPBUGS-79539

@openshift-ci-robot

@sjenning: Jira Issue OCPBUGS-79539 has been cloned as Jira Issue OCPBUGS-81836. Will retitle bug to link to clone.
/retitle OCPBUGS-81836: OCPBUGS-81670: fix(cpo-v2): preserve HCCO modifications to OCM Controllers field

@openshift-ci openshift-ci bot changed the title OCPBUGS-81670: fix(cpo-v2): preserve HCCO modifications to OCM Controllers field OCPBUGS-81836: OCPBUGS-81670: fix(cpo-v2): preserve HCCO modifications to OCM Controllers field Apr 6, 2026
@openshift-ci-robot

@sjenning: This pull request references Jira Issue OCPBUGS-81836, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

@sjenning
Contributor Author

sjenning commented Apr 6, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 6, 2026
@openshift-ci-robot

@sjenning: This pull request references Jira Issue OCPBUGS-81836, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.z) matches configured target version for branch (4.21.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-79539 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-79539 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
  • bug has dependents

@sjenning sjenning added backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 6, 2026
@sjenning
Contributor Author

sjenning commented Apr 6, 2026

/verified later by @sjenning

@openshift-ci-robot

@sjenning: Only users can be targets for the /verified later command.

@sjenning
Contributor Author

sjenning commented Apr 6, 2026

/verified later @sjenning

@openshift-ci-robot openshift-ci-robot added verified-later verified Signifies that the PR passed pre-merge verification criteria labels Apr 6, 2026
@openshift-ci-robot

@sjenning: This PR has been marked to be verified later by @sjenning.

@sjenning
Contributor Author

sjenning commented Apr 6, 2026

/test e2e-aws-external-oidc

@zhfeng
Contributor

zhfeng commented Apr 7, 2026

Pre-Merge Analysis: OCPBUGS-81836 — Preserve HCCO modifications to OCM Controllers field

Feature Summary

This PR is a manual backport of #8072 (merged and VERIFIED on main) to release-4.21. It fixes CPO v2 overwriting the OCM ConfigMap on each reconciliation, which erased HCCO's modification to disable the pull-secrets controller when the image registry is disabled via managementState: Removed. The backport correctly includes only the CPO v2 changes — the HCCO OCM config modification logic already exists on release-4.21 because #7634 (which removed it from main) was never backported.

Test Coverage Issues

| Category | Finding | Severity |
| --- | --- | --- |
| Signature update | All call sites correctly updated (6→7 params) | No issue |
| Preservation test | TestAdaptConfig_PreservesExistingControllers covers happy path | Adequate |
| Explicit disable test | TestAdaptConfig_DisabledImageRegistryCapability covers override path | Adequate |
| adaptConfigMap() integration | No test with fake client for end-to-end flow (fetch existing CM → adapt → serialize) | Medium gap |
| New cluster (no existing CM) | Client.Get error → existingControllers=nil → correct default behavior (untested but trivial) | Low gap |

Fix Feasibility

Match assessment: EXACT_MATCH — the fix correctly intercepts the CPO v2 reconciliation path that was erasing HCCO's Controllers field.

| Scenario | Before Fix | After Fix | Runtime Outcome |
| --- | --- | --- | --- |
| managementState=Removed, no capability disable | CPO v2 erases HCCO's Controllers | CPO v2 preserves HCCO's Controllers | Pull secrets NOT created (correct) |
| ImageRegistry capability explicitly disabled | Pull-secrets controller disabled | Pull-secrets controller disabled | Unchanged |
| Normal operation (no registry disable) | Controllers field empty | Controllers field empty | Unchanged |
| New cluster (no existing ConfigMap) | N/A | existingControllers=nil, default behavior | Correct |
| Race: CPO v2 reads before HCCO writes | HCCO's write erased every cycle | Preserved on next cycle | Self-healing |

Backport correctness: The fix is a correct minimal backport. On release-4.21, HCCO still has OCM config modification logic (introduced in 83bc25125). PR #8072 on main both reverted the HCCO removal (#7634) AND added CPO v2 preservation — but on release-4.21, only the CPO v2 preservation is needed since the HCCO code was never removed.

Recommendations

  1. Ready to merge — fix is correct, well-scoped, minimal, and the parent PR is already VERIFIED
  2. Low risk — worst-case race condition (CPO v2 reads stale CM) is self-healing within one reconcile cycle
  3. Pre-existing gap — no e2e test coverage for managementState-based registry disable exists (not introduced by this PR)
  4. Needs /lgtm from a reviewer to merge

Analysis generated via /workflows:pre-merging-tests review-only path
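
Added example, not part of the comment above and not code from the hypershift repository: a small simulation of the two writers described in the PR description and in the scenario table, showing the Controllers field before and after the preserve-on-reconcile change. The names `store`, `adapt` and `simulate`, the JSON encoding, and the exact controller-list entry are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed Controllers value that turns off only the pull-secrets controller.
var pullSecretsOff = []string{"*", "-openshift.io/serviceaccount-pull-secrets"}

// ocmConfig is a cut-down stand-in for the OCM config; JSON replaces YAML here.
type ocmConfig struct {
	Controllers []string `json:"controllers,omitempty"`
}

// store models the single ConfigMap key that both CPO v2 and HCCO write.
type store struct{ data string }

func (s *store) write(cfg ocmConfig) {
	raw, _ := json.Marshal(cfg)
	s.data = string(raw)
}

// existingControllers reads Controllers back from the cluster copy. A missing
// or unparsable object (new cluster) yields nil, so defaults apply.
func existingControllers(s *store) []string {
	var cfg ocmConfig
	if s == nil || json.Unmarshal([]byte(s.data), &cfg) != nil {
		return nil
	}
	return cfg.Controllers
}

// adapt returns the config CPO v2 writes. preserve=false is the pre-fix
// behaviour (static asset only); preserve=true carries the stored list forward.
func adapt(preserve bool, existing []string, capabilityDisabled bool) ocmConfig {
	switch {
	case capabilityDisabled:
		return ocmConfig{Controllers: pullSecretsOff}
	case preserve:
		return ocmConfig{Controllers: existing}
	}
	return ocmConfig{}
}

// simulate runs CPO v2 for `cycles` reconciles. HCCO writes once, after the
// first CPO pass (the race case), when managementState is Removed. It returns
// true if the pull-secrets controller is still disabled at the end.
func simulate(fixed, removed, capabilityDisabled bool, cycles int) bool {
	s := &store{}
	for i := 0; i < cycles; i++ {
		s.write(adapt(fixed, existingControllers(s), capabilityDisabled))
		if removed && i == 0 {
			s.write(ocmConfig{Controllers: pullSecretsOff}) // HCCO's change
		}
	}
	for _, c := range existingControllers(s) {
		if c == pullSecretsOff[1] {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("before fix, managementState Removed:", simulate(false, true, false, 3))
	fmt.Println("after fix,  managementState Removed:", simulate(true, true, false, 3))
}
```
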

@muraee
Contributor

muraee commented Apr 7, 2026

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 7, 2026
zhfeng added a commit to zhfeng/release that referenced this pull request Apr 7, 2026
…BUGS-81836)

Adds a CI verification job for release-4.21 that tests CPO v2 preservation
of HCCO modifications to the OCM ConfigMap Controllers field when Image
Registry managementState is set to Removed.

Uses a custom CPO image (quay.io/zhfeng/hypershift:cpo-ocpbugs-81836) built
from PR openshift/hypershift#8157 to verify the fix at runtime.

The job creates a HostedCluster with the fixed CPO, disables the image
registry, verifies that the OCM Controllers field is preserved across CPO v2
reconciliation cycles, and confirms no pull secrets are created for new
ServiceAccounts.
@openshift-merge-bot
Contributor

/retest-required

Remaining retests: 0 against base HEAD 56547cc and 2 for PR HEAD 0e19951 in total

@openshift-ci
Contributor

openshift-ci bot commented Apr 7, 2026

@sjenning: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit a4bc7b0 into openshift:release-4.21 Apr 7, 2026
18 checks passed
@openshift-ci-robot

@sjenning: Jira Issue OCPBUGS-81836: All pull requests linked via external trackers have merged:

This pull request has the verified-later tag and will need to be manually moved to VERIFIED after testing. Jira Issue OCPBUGS-81836 has been moved to the MODIFIED state.

@sjenning
Contributor Author

sjenning commented Apr 7, 2026

/cherry-pick release-4.20

@openshift-cherrypick-robot

@sjenning: new pull request created: #8177

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria verified-later

5 participants