OCPBUGS-84955: bootstrap serving certs at hypershift operator startup

[clebs]

What this PR does / why we need it:

The webhook server requires TLS certs on disk before it can start listening. Previously, certs were only created via hypershift install manifests, meaning the operator would fail to start if the serving cert secret was not yet present like it is the case when running hyperhsift install render without the --render-sensitive flag.

This is used in a scenario where the rendered manifests are pushed to a gitops workflow and, therefore, secrets can not be rendered.

By adding bootstrap cert generation at startup, the operator is self-sufficient: if the secret exists, the volume mount delivers certs normally; if it is missing or empty, certs are generated, persisted, and written to disk. The secret volume is now marked optional so the pod can start without it.

Which issue(s) this PR fixes:

Followup to OCPBUGS-84955

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

  • Operator can bootstrap webhook CA and serving certificates at startup when a certificate directory is configured; installer no longer embeds or propagates webhook CA/certs into rendered assets.
  • Webhook configurations no longer include an embedded CA bundle.

• Bug Fixes

  • Webhook serving-certificate secret is now optional so the operator can start without pre-provisioned certs.

• Tests

  • Added tests covering certificate bootstrapping, creation, regeneration, and existing-secret behaviors.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@clebs: This pull request references Jira Issue OCPBUGS-84955, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

The webhook server requires TLS certs on disk before it can start listening. Previously, certs were only created via hypershift install manifests, meaning the operator would fail to start if the serving cert secret was not yet present like it is the case when running hyperhsift install render without the --render-sensitive flag.

This is used in a scenario where the rendered manifests are pushed to a gitops workflow and, therefore, secrets can not be rendered.

By adding bootstrap cert generation at startup, the operator is self-sufficient: if the secret exists, the volume mount delivers certs normally; if it is missing or empty, certs are generated, persisted, and written to disk. The secret volume is now marked optional so the pod can start without it.

Which issue(s) this PR fixes:

Followup to OCPBUGS-84955

Special notes for your reviewer:

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The PR adds EnsureWebhookCerts to bootstrap webhook CA and serving TLS Secrets and invokes it at operator startup when a cert directory is configured. Installer-side generation and propagation of webhook CA bundles is removed: webhook asset structs drop CABundle and built webhook ClientConfig.CABundle values are nil. The manager-serving-cert volume is marked optional and installer tests are updated accordingly.

Sequence Diagram(s)

sequenceDiagram
  participant Operator as hypershift-operator (run)
  participant Ensure as webhookcerts.EnsureWebhookCerts
  participant KubeAPI as Kubernetes API (Secrets)
  Operator->>Ensure: call EnsureWebhookCerts(namespace, serviceName)
  Ensure->>KubeAPI: GET Secret ServingCertSecretName
  alt serving secret present and valid
    KubeAPI-->>Ensure: Secret with cert and key
    Ensure-->>Operator: return (no-op)
  else missing/invalid
    Ensure->>Ensure: GenerateInitialWebhookCerts()
    Ensure->>KubeAPI: CREATE/UPDATE CA Secret
    Ensure->>KubeAPI: CREATE/UPDATE serving TLS Secret
    KubeAPI-->>Ensure: created/updated Secrets
    Ensure-->>Operator: return (success)
  end

Loading

Suggested reviewers

• muraee

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	TestEnsureWebhookCerts lacks assertion messages; check requires assertions with meaningful messages to diagnose failures, but none are present.	Add failure messages to all Expect assertions in TestEnsureWebhookCerts (e.g., g.Expect(err).ToNot(HaveOccurred(), "failed to ensure webhook certs") to match install_test.go patterns.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding bootstrap of serving certificates at hypershift operator startup, which is the primary objective across all modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in the PR are stable, deterministic, and contain no dynamic content. They use clear, static descriptive strings without pod name suffixes, timestamps, UUIDs, node names, or variables.
Microshift Test Compatibility	✅ Passed	This PR adds only standard Go unit tests (func Test*), not Ginkgo e2e tests. The check for Ginkgo e2e test compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The modified test files use Go's standard testing package (func TestXXX(t *testing.T)) for unit tests, not Ginkgo BDD syntax. Check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no new scheduling constraints. Existing anti-affinity is preferred-only (topology-safe). Volume marked optional improves compatibility on SNO/Two-Node/HyperShift.
Ote Binary Stdout Contract	✅ Passed	PR properly handles logging via zap (stderr by default) and error handling via fmt.Fprintf to os.Stderr in main(). New code in run() and EnsureWebhookCerts() uses structured logging, not stdout.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added; PR contains only standard Go unit tests (testing.T pattern) without IPv4 assumptions or external connectivity requirements.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hypershift-operator/controllers/webhookcerts/webhookcerts_controller.go`:
- Around line 402-410: The create+update path can race because when c.Create
returns AlreadyExists you then call c.Update with existingSecret that lacks the
current ResourceVersion; re-fetch the secret from the API server into
existingSecret (e.g., call c.Get(ctx, namespacedName, existingSecret)) inside
the apierrors.IsAlreadyExists branch, copy servingSecret.Data into the freshly
fetched existingSecret, and then call c.Update(ctx, existingSecret); if Update
returns a conflict, retry the get/copy/update a few times or return the conflict
so callers can retry—update the logic around c.Create,
apierrors.IsAlreadyExists, existingSecret, and c.Update accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d0f83117-6c21-45d7-98cf-e7eb54954d13

📥 Commits

Reviewing files that changed from the base of the PR and between cf2b91f and 0fea0fb.

📒 Files selected for processing (3)

• cmd/install/assets/hypershift_operator.go
• hypershift-operator/controllers/webhookcerts/webhookcerts_controller.go
• hypershift-operator/main.go

[clebs]

/jira refresh

[openshift-ci-robot]

@clebs: This pull request references Jira Issue OCPBUGS-84955, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[clebs]

/cc @patjlm @muraee

/assign @enxebre

[codecov]

Codecov Report

❌ Patch coverage is 56.45161% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 40.42%. Comparing base (36dfb1b) to head (e1993ba).
⚠️ Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
...ontrollers/webhookcerts/webhookcerts_controller.go	72.09%	8 Missing and 4 partials ⚠️
cmd/install/assets/hypershift_operator.go	8.33%	11 Missing ⚠️
hypershift-operator/main.go	0.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8545      +/-   ##
==========================================
+ Coverage   40.40%   40.42%   +0.01%     
==========================================
  Files         755      755              
  Lines       93235    93273      +38     
==========================================
+ Hits        37675    37706      +31     
- Misses      52858    52862       +4     
- Partials     2702     2705       +3     

Files with missing lines	Coverage Δ
cmd/install/install.go	62.25% <100.00%> (+0.47%)	⬆️
hypershift-operator/main.go	0.00% <0.00%> (ø)
cmd/install/assets/hypershift_operator.go	48.10% <8.33%> (+<0.01%)	⬆️
...ontrollers/webhookcerts/webhookcerts_controller.go	64.55% <72.09%> (+1.44%)	⬆️

Flag	Coverage Δ
cmd-support	34.45% <26.66%> (+0.01%)	⬆️
cpo-hostedcontrolplane	41.76% <ø> (ø)
cpo-other	40.31% <ø> (ø)
hypershift-operator	50.75% <65.95%> (+0.02%)	⬆️
other	31.54% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[muraee]

why do we need to write to disk as well?

[clebs]

Because when secrets don't exist yet, volume mount has nothing to deliver. Pod started with Optional: true on the volume, so k8s mounts an empty dir. EnsureWebhookCerts creates the secrets via API, but
Kubernetes doesn't hot-reload secret volumes into an already-running container mid-startup. The webhook server needs certs on disk now to bind the TLS listener.

On next pod restart, secret exists and it works as it normally does therefore EnsureWebhookCerts returns early (no-op path).

[muraee]

controller-runtime certWatcher used by the webhook-server should take care of reloading the certs when the secret exist or changed (it uses fsnotify).
Have you tested without this?

[clebs]

I have not, I will test it out.

[clebs]

@muraee I have removed the writing to disk form the bootstrapping as well as the bootstrapping in the CLI.
All installation paths work, PTAL!

[muraee]

please also remove the code from the CLI generating those secrets.

hypershift/cmd/install/install.go

Lines 759 to 768 in ca519ed

	// Generate self-managed webhook CA and serving cert when any webhook is enabled.
	var webhookCABundle []byte
	if opts.EnableDefaultingWebhook || opts.EnableConversionWebhook || opts.EnableValidatingWebhook || opts.EnableAuditLogPersistence {
	caSecret, servingSecret, caBundle, err := webhookcerts.GenerateInitialWebhookCerts(operatorNamespace.Name, assets.HypershiftOperatorName)
	if err != nil {
	return nil, nil, fmt.Errorf("failed to generate webhook certs: %w", err)
	}
	objects = append(objects, caSecret, servingSecret)
	webhookCABundle = caBundle
	}

[clebs]

@muraee I left the hypershift install path there to not disrupt the other use cases, but will remove it and run some tests.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

cmd/install/assets/hypershift_operator.go (1)

856-865: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Use a writable volume for --cert-dir; Secret volumes are always read-only.

Marking manager-serving-cert as optional removes the hard dependency on the Secret existing at startup, but Kubernetes Secret-backed volumes remain read-only regardless of the optional flag. The operator cannot bootstrap-generate certs and write them to /var/run/secrets/serving-cert. Use a writable volume (e.g., emptyDir) for --cert-dir and mount the Secret separately if read-only cert access is needed.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/install/assets/hypershift_operator.go` around lines 856 - 865, The
current code appends a Secret volume named "serving-cert" and sets --cert-dir to
/var/run/secrets/serving-cert, but Secret volumes are read-only so the operator
cannot write bootstrap certs there; change to create a writable volume (e.g., an
emptyDir) for the path passed to --cert-dir and, if the Secret must be provided
for initial certs, mount the Secret at a different read-only path (or copy from
the Secret mount into the emptyDir at startup). Update the logic that appends to
volumes (replace or add an emptyDir Volume with the same mount path) and keep
the args append of "--cert-dir=/var/run/secrets/serving-cert" pointing to the
writable mount, while mounting "manager-serving-cert" Secret elsewhere if
needed.

🧹 Nitpick comments (1)

hypershift-operator/controllers/webhookcerts/webhookcerts_controller_test.go (1)

454-480: ⚡ Quick win

Add a case for “CA exists, serving secret invalid” to lock bootstrap behavior.

This is the highest-risk branch for cert consistency. Add a test ensuring serving cert regeneration uses/pairs correctly with the persisted CA.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hypershift-operator/controllers/webhookcerts/webhookcerts_controller_test.go`
around lines 454 - 480, Add a new test case to webhookcerts_controller_test.go
that sets up an existing CA secret (named CASecretName) with valid cert/key data
but an invalid/empty serving secret (ServingCertSecretName with empty Data or
missing TLS keys), then call EnsureWebhookCerts(t.Context(), cl, "hypershift",
"operator") and assert that: 1) the serving secret is regenerated
(updatedServingSecret.Data[corev1.TLSCertKey] and [corev1.TLSPrivateKeyKey] are
not empty), and 2) the CA secret remains the persisted CA
(updatedCASecret.Data[certs.CASignerCertMapKey] and [certs.CASignerKeyMapKey]
are unchanged/unchanged-from-original), ensuring EnsureWebhookCerts uses the
existing CA rather than re-bootstraping it.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/install/install_test.go`:
- Around line 562-589: The subtest "When webhooks are enabled it should not
render webhook cert secrets" can pass vacuously because no sensitive inputs
(pull secret) are provided; update the test to reuse the temp pull-secret setup
used in the table-driven case and supply it to the Options passed to
RenderHyperShiftOperator (ensure RenderSensitive: true and include the pull
secret field used by Options), then after decoding documents assert that at
least one Secret exists whose name is not "webhook-serving-ca" or
"manager-serving-cert" (and fail if zero non-webhook Secrets are found) so the
test actually exercises sensitive-secret rendering.

In
`@hypershift-operator/controllers/webhookcerts/webhookcerts_controller_test.go`:
- Around line 448-451: The test is asserting CA secret contents using TLS keys
(corev1.TLSCertKey/corev1.TLSPrivateKeyKey) which can be nil and hide
regressions; update the assertions on updatedCASecret (and compare to caSecret)
to use the CA signer data keys instead (e.g. "ca.crt" and "ca.key" or the
repository's CA signer constants if defined) so you compare the actual CA signer
cert and key rather than TLS keys.

In `@hypershift-operator/controllers/webhookcerts/webhookcerts_controller.go`:
- Around line 390-406: The current flow calls GenerateInitialWebhookCerts to
produce caSecret and servingSecret and then proceeds even if c.Create(ctx,
caSecret) returns AlreadyExists, which risks persisting a serving cert generated
from a transient CA; change the logic so that when c.Create(ctx, caSecret)
returns an AlreadyExists error you do NOT apply the servingSecret created from
the transient CA. Instead, retrieve the persisted CA secret (e.g., get
existingSecret by name), regenerate the serving cert using the persisted CA (or
use the support/upsert helper to safely reconcile both secrets), and then upsert
the serving secret (use support/upsert to create or update servingSecret) so the
serving cert always matches the stored CA; update references around
GenerateInitialWebhookCerts, caSecret, servingSecret, existingSecret, c.Create
and c.Update accordingly.

---

Outside diff comments:
In `@cmd/install/assets/hypershift_operator.go`:
- Around line 856-865: The current code appends a Secret volume named
"serving-cert" and sets --cert-dir to /var/run/secrets/serving-cert, but Secret
volumes are read-only so the operator cannot write bootstrap certs there; change
to create a writable volume (e.g., an emptyDir) for the path passed to
--cert-dir and, if the Secret must be provided for initial certs, mount the
Secret at a different read-only path (or copy from the Secret mount into the
emptyDir at startup). Update the logic that appends to volumes (replace or add
an emptyDir Volume with the same mount path) and keep the args append of
"--cert-dir=/var/run/secrets/serving-cert" pointing to the writable mount, while
mounting "manager-serving-cert" Secret elsewhere if needed.

---

Nitpick comments:
In
`@hypershift-operator/controllers/webhookcerts/webhookcerts_controller_test.go`:
- Around line 454-480: Add a new test case to webhookcerts_controller_test.go
that sets up an existing CA secret (named CASecretName) with valid cert/key data
but an invalid/empty serving secret (ServingCertSecretName with empty Data or
missing TLS keys), then call EnsureWebhookCerts(t.Context(), cl, "hypershift",
"operator") and assert that: 1) the serving secret is regenerated
(updatedServingSecret.Data[corev1.TLSCertKey] and [corev1.TLSPrivateKeyKey] are
not empty), and 2) the CA secret remains the persisted CA
(updatedCASecret.Data[certs.CASignerCertMapKey] and [certs.CASignerKeyMapKey]
are unchanged/unchanged-from-original), ensuring EnsureWebhookCerts uses the
existing CA rather than re-bootstraping it.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3c7b830c-437f-4fea-a95f-fba702cfa9cc

📥 Commits

Reviewing files that changed from the base of the PR and between 0fea0fb and 7da2d17.

📒 Files selected for processing (6)

• cmd/install/assets/hypershift_operator.go
• cmd/install/install.go
• cmd/install/install_test.go
• hypershift-operator/controllers/webhookcerts/webhookcerts_controller.go
• hypershift-operator/controllers/webhookcerts/webhookcerts_controller_test.go
• hypershift-operator/main.go

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

hypershift-operator/controllers/webhookcerts/webhookcerts_controller.go (1)

375-376: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Re-fetch the serving Secret before the AlreadyExists update path.

EnsureWebhookCerts runs before leader election, and webhook-enabled installs default to two operator replicas. If one pod sees NotFound at Line 376 and another pod creates the Secret first, Line 428 reuses a zero-value existingSecret, so the Update goes out without the current resourceVersion and the loser can fail startup.

🔧 Minimal fix

 	if createErr := c.Create(ctx, servingSecret); createErr != nil {
 		if !apierrors.IsAlreadyExists(createErr) {
 			return fmt.Errorf("failed to create serving cert secret: %w", createErr)
 		}
+		existingSecret = &corev1.Secret{}
+		if err := c.Get(ctx, client.ObjectKey{Namespace: namespace, Name: ServingCertSecretName}, existingSecret); err != nil {
+			return fmt.Errorf("failed to get existing serving cert secret: %w", err)
+		}
+		existingSecret.Type = servingSecret.Type
 		existingSecret.Data = servingSecret.Data
 		if err := c.Update(ctx, existingSecret); err != nil {
 			return fmt.Errorf("failed to update serving cert secret: %w", err)
 		}
 	}

As per coding guidelines, “Use support/upsert/ for safe resource creation and updates”.

Also applies to: 424-430

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hypershift-operator/controllers/webhookcerts/webhookcerts_controller.go`
around lines 375 - 376, EnsureWebhookCerts currently reads existingSecret once
and may reuse a zero-value existingSecret in the AlreadyExists update path;
re-fetch the serving Secret (use c.Get for ServingCertSecretName into
existingSecret) immediately before performing the Update in the AlreadyExists
branch so you have the latest resourceVersion, or switch to the support/upsert
helper to perform a safe create-or-update for ServingCertSecretName; update the
code paths that call c.Get/Update (references: EnsureWebhookCerts,
existingSecret, ServingCertSecretName, c.Get, Update) to always read the current
Secret before updating.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/install/install.go`:
- Around line 820-823: The install-time apply is dropping caBundle from rendered
CRD/webhook manifests (in setupCRDs) which can clear the live bundle when
applying; change setupCRDs (and the similar logic around the other render/apply
block at 949-957) so that when not in render-only/template mode it preserves the
live caBundle by reading the existing resource(s) before apply and copying the
existing .webhooks[*].clientConfig.caBundle (and any CRD conversion webhook
caBundle) into the manifest being applied, or skip removing caBundle entirely
for non-render installs; ensure this logic runs only for real applies (not
render-only) and reference setupCRDs and the apply/render code paths to
implement the fetch-and-merge behavior.

In
`@hypershift-operator/controllers/webhookcerts/webhookcerts_controller_test.go`:
- Around line 454-480: Add a test case that covers the branch where the
persisted CA already exists but the serving cert is missing or empty: create a
pre-seeded CA secret (name CASecretName) with cert/key data
(certs.CASignerCertMapKey and certs.CASignerKeyMapKey), but either omit or
create an empty serving secret (name ServingCertSecretName), call
EnsureWebhookCerts with the fake client, and assert the function does not error
and that the regenerated serving secret contains TLS cert and key
(corev1.TLSCertKey, corev1.TLSPrivateKeyKey) whose chain/signature corresponds
to the existing CA; also assert the CA secret was not overwritten (its cert/key
remain unchanged) to exercise the Create(...CA...) -> AlreadyExists path in
EnsureWebhookCerts.

---

Duplicate comments:
In `@hypershift-operator/controllers/webhookcerts/webhookcerts_controller.go`:
- Around line 375-376: EnsureWebhookCerts currently reads existingSecret once
and may reuse a zero-value existingSecret in the AlreadyExists update path;
re-fetch the serving Secret (use c.Get for ServingCertSecretName into
existingSecret) immediately before performing the Update in the AlreadyExists
branch so you have the latest resourceVersion, or switch to the support/upsert
helper to perform a safe create-or-update for ServingCertSecretName; update the
code paths that call c.Get/Update (references: EnsureWebhookCerts,
existingSecret, ServingCertSecretName, c.Get, Update) to always read the current
Secret before updating.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 13eb008a-01d6-4178-bea4-654aea103a10

📥 Commits

Reviewing files that changed from the base of the PR and between d1b3a26 and dd1bc3d.

📒 Files selected for processing (6)

• cmd/install/assets/hypershift_operator.go
• cmd/install/install.go
• cmd/install/install_test.go
• hypershift-operator/controllers/webhookcerts/webhookcerts_controller.go
• hypershift-operator/controllers/webhookcerts/webhookcerts_controller_test.go
• hypershift-operator/main.go

[muraee]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clebs, muraee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [muraee]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[enxebre]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-22
/test e2e-aws-4-22
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-azure-self-managed | Build: 2057376357519724544 | Cost: $1.5757972500000001 | Failed step: hypershift-azure-run-e2e-self-managed

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[enxebre]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-22
/test e2e-aws-4-22
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[cwbotbot]

Test Results

e2e-aws

• Status: ❌ FAIL
• Started: 2026-05-22T08:38:15Z
• View Job
• View Job History

e2e-aks

• Status: ✅ PASS
• Started: 2026-05-21T13:41:34Z
• View Job
• View Job History

[clebs]

/retest

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2057513893957210112 | Cost: $2.20698425 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[clebs]

/test e2e-aws-4-22 e2e-aks-4-22 e2e-aws

[clebs]

/test e2e-aws

[clebs]

/test e2e-aws

[openshift-ci]

@clebs: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws	e1993ba	link	true	/test e2e-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hypershift-jira-solve-ci]

All 3 pods started at approximately 09:51:21-25Z (within seconds of each other), all have 0 restarts. The DaemonSet uses RollingUpdate strategy. The fact that 1 pod was stuck at "not ready" while the other 2 were ready, and eventually all 3 became ready (at the later check points), strongly suggests this is a transient timing issue — the DaemonSet rolling update was in progress during the test's first When_management-cluster_hostedCluster.Spec.PullSecret_is_updated_in-place check, and one pod's new revision was slow to become ready (potentially due to image pull time or volume mount latency on one specific node).

The critical question: is this PR-related? The PR changes:

1. Webhook cert bootstrapping (moving from install-time to runtime)
2. Removes CABundle from webhook configurations at install
3. Makes the manager-serving-cert secret volume optional

None of these changes touch the global-pull-secret-syncer DaemonSet, the globalps controller, the control-plane-operator, or the pull-secret-syncer logic. The failure is in the hosted cluster data plane, completely separate from the management plane webhook infrastructure the PR modifies.

Let me now compile the final report:

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-e2e-aws
• Build ID: 2057742796860690432
• Target: e2e-aws
• PR: OCPBUGS-84955: bootstrap serving certs at hypershift operator startup #8545 (OCPBUGS-84955: bootstrap serving certs at hypershift operator startup)

Test Failure Analysis

Error

TestCreateCluster/Main/EnsureGlobalPullSecret/When_management-cluster_hostedCluster.Spec.PullSecret_is_updated_in-place_it_should_propagate_to_guest_without_rollout:

failed to wait for DaemonSet global-pull-secret-syncer to be ready: context deadline exceeded

DaemonSet global-pull-secret-syncer not ready: 2/3 pods ready (persisted for ~1220 seconds until timeout)

Summary

The TestCreateCluster/Main/EnsureGlobalPullSecret test failed because the global-pull-secret-syncer DaemonSet in the hosted cluster's kube-system namespace was stuck at 2/3 pods ready for the entire 20-minute test timeout (~1220s) during the first sub-test that patches the management-cluster pull secret. A secondary failure (Check_if_the_config.json_is_correct_in_all_of_the_nodes) occurred because the kubelet-config-verifier DaemonSet was left behind from the timed-out first sub-test. The TestKarpenter/Teardown failure is an independent infrastructure resource cleanup timeout (AWS volumes/LBs not deleted in time) unrelated to the PR. This failure is unrelated to PR #8545 — the PR modifies only webhook cert bootstrapping in the HyperShift operator management plane, while the failing DaemonSet operates in the hosted cluster data plane.

Root Cause

The global-pull-secret-syncer DaemonSet runs on all hosted cluster worker nodes labeled hypershift.openshift.io/nodepool-globalps-enabled: "true" (3 nodes in this test). When the test patches the management-cluster pull secret with a dummy auth entry, the HyperShift control plane propagates the change to the hosted cluster, triggering a DaemonSet spec update (generation bump). The DaemonSet's rolling update then replaces pods one at a time.

During the first sub-test's readiness check, the DaemonSet was transitioning from generation 2 to generation 4 (as shown by "status has not observed generation 4 yet (current 2)"). One of the three pods was slow to reach the ready state during this rolling update — consistently staying at 2/3 ready for the full 20-minute timeout.

The hosted cluster dump (captured after the test) shows all 3 pods (global-pull-secret-syncer-{9l9fm,bhfjb,dtsn5}) at 0 restarts, Running, and ready — confirming the pod eventually became ready, just not within the test's deadline. The DaemonSet reached generation 6 and 3/3 ready by dump time. Pod logs show normal operation with no errors.

This is a transient timing/infrastructure flake — one node was slower than others at processing the DaemonSet rolling update (potentially due to image pull latency, volume mount delays, or node-level scheduling contention from parallel test workloads running on the same management cluster). The fact that later readiness checks in the same test ("first check" at line 3214, "second check" at line 3237) all passed confirms the issue was temporary.

PR #8545 is not implicated: It modifies webhook cert bootstrapping (cmd/install/, hypershift-operator/controllers/webhookcerts/, hypershift-operator/main.go) — none of which affect the global-pull-secret-syncer DaemonSet, the globalps controller, or the hosted cluster data plane. The PR's changes are to the management plane operator startup and webhook configuration, an entirely separate code path.

Recommendations

1. Retest the PR — this failure is a pre-existing flaky test unrelated to the PR changes. A /retest should pass.
2. Consider increasing the DaemonSet readiness timeout in the EnsureGlobalPullSecret sub-test When_management-cluster_hostedCluster.Spec.PullSecret_is_updated_in-place — the current 20-minute deadline may be insufficient when the DaemonSet goes through multiple generation bumps during a pull secret update, especially under node contention from parallel test workloads.
3. The kubelet-config-verifier DaemonSet cleanup bug should be addressed separately — when the first sub-test times out, the DaemonSet is left behind, causing the subsequent Check_if_the_config.json_is_correct_in_all_of_the_nodes sub-test to fail with AlreadyExists. Adding a cleanup or using CreateOrUpdate would prevent this cascading failure.
4. TestKarpenter/Teardown failure (AWS resource cleanup timeout) is a known infrastructure-level flake and is independent of both the PR and the EnsureGlobalPullSecret failure.

Evidence

Evidence	Detail
Primary failure	global-pull-secret-syncer DaemonSet stuck at 2/3 pods ready for 1220s until context deadline exceeded
Test	TestCreateCluster/Main/EnsureGlobalPullSecret/When_management-cluster_hostedCluster.Spec.PullSecret_is_updated_in-place_it_should_propagate_to_guest_without_rollout
DaemonSet generation issue	Log line 3160: "status has not observed generation 4 yet (current 2)" — rolling update in progress
Later checks passed	Lines 3214, 3237, 3265: global-pull-secret-syncer ready: 3/3 pods in subsequent sub-tests
Pod status at dump time	All 3 pods (9l9fm, bhfjb, dtsn5) Running, ready=true, restartCount=0, no errors in logs
DaemonSet final state	Generation 6, observedGeneration 6, 3/3 numberReady, 3/3 numberAvailable
Secondary failure	kubelet-config-verifier DaemonSet "already exists" — cascading from first sub-test timeout leaving stale resource
TestKarpenter/Teardown	Independent infrastructure cleanup timeout (AWS volumes/LBs), all Main/EnsureHostedCluster sub-tests passed
PR scope	Modifies cmd/install/assets/hypershift_operator.go, cmd/install/install.go, hypershift-operator/controllers/webhookcerts/, hypershift-operator/main.go — no overlap with globalps controller or hosted cluster data plane
Operator install	Deployed successfully, no webhook-related errors (hypershift-install log lines 253-300)

---