OCPBUGS-84652: Include RootCA in the temporal CC

[pablintino]

Closes: #OCPBUGS-84652

- What I did

This change includes the MCS CA bundle as part of the OS Image Stream temporal CC to allow the logic to pull images from the temporal IRI registry that uses a certificate signed with the MCS CA cert.

- How to verify it

TBD

- Description for the changelog

Include the MCS CA bundle in the OS Image Stream temporal CC.

Summary by CodeRabbit

• Bug Fixes
  • OS image stream inspection now properly includes the Machine Config Server Root CA certificate bundle.
  • Certificate bundle retrieval now fails early with clearer, wrapped error context when the CA bundle cannot be obtained.
  • Lookup behavior for the CA bundle is more robust, trying the managed source first and falling back to the cluster root CA only when appropriate.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@pablintino: No Jira issue with key OCBPUGS-84652 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Closes: #OCPBUGS-84652

- What I did

This change includes the MCS CA bundle as part of the OS Image Stream temporal CC to allow the logic to pull images from the temporal IRI registry that uses a certificate signed with the MCS CA cert.

- How to verify it

TBD

- Description for the changelog

Include the MCS CA bundle in the OS Image Stream temporal CC.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8bb8178d-601c-4079-8293-bb4996ec1d0c

📥 Commits

Reviewing files that changed from the base of the PR and between 0366f6a and 5b83dbd.

📒 Files selected for processing (2)

• pkg/operator/osimagestream_ocp.go
• pkg/operator/sync.go

---

Walkthrough

Centralizes retrieval of the Machine Config Server (MCS) Root CA into a new getMCSCABundle() helper. Both sync render config and OS image stream controller config now call this helper and fail early if the CA bundle cannot be obtained.

Changes

Cohort / File(s)	Summary
MCS CA Bundle Helper pkg/operator/sync.go	Adds func (optr *Operator) getMCSCABundle() ([]byte, error) which attempts to read the managed MCO ConfigMap first, falls back to the unmanaged kube-system root CA ConfigMap on NotFound, and returns wrapped/contextualized errors. Refactors syncRenderConfig to use this helper.
OS Image Stream ControllerConfig pkg/operator/osimagestream_ocp.go	Updates buildMinimalControllerConfigForOSImageStream to call getMCSCABundle() and set ControllerConfigSpec.RootCAData with the returned bundle; returns a wrapped error if retrieval fails. All other bundle/proxy logic unchanged.

Sequence Diagram(s)

sequenceDiagram
    participant Caller as "syncRenderConfig / OSImageStream\n(caller)"
    participant Operator as "Operator.getMCSCABundle()"
    participant ManagedCM as "Managed MCO ConfigMap\n(namespace: managed)"
    participant UnmanagedCM as "Unmanaged root CA ConfigMap\n(namespace: kube-system)"

    rect rgba(0,128,255,0.5)
    Caller->>Operator: request MCSC CA bundle
    end

    rect rgba(0,255,128,0.5)
    Operator->>ManagedCM: GET managed configmap
    ManagedCM-->>Operator: 200 + CA bundle / 404 / error
    end

    alt Managed CM returned CA
        Operator-->>Caller: CA bundle
    else Managed CM 404
        rect rgba(255,128,0,0.5)
        Operator->>UnmanagedCM: GET kube-system root CA configmap
        UnmanagedCM-->>Operator: 200 + CA bundle / error
        end
        alt Unmanaged CM returned CA
            Operator-->>Caller: CA bundle
        else Error
            Operator-->>Caller: error (wrapped "could not get MCSC CA bundle: %w")
        end
    else Managed CM error
        Operator-->>Caller: error (wrapped "could not get MCSC CA bundle: %w")
    end

    rect rgba(128,0,255,0.5)
    Caller->>Caller: integrate CA bundle into ControllerConfig / render config
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: including the MCS Root CA in the OS Image Stream temporal ControllerConfig, which aligns with the primary modifications across both modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only non-test source files implementing MCS CA bundle handling; no test files or test names were added or changed.
Test Structure And Quality	✅ Passed	No Ginkgo test files were modified in this PR; only production code changes were made.
Microshift Test Compatibility	✅ Passed	This PR modifies only production code files (osimagestream_ocp.go and sync.go) to add MCS CA bundle handling. No Ginkgo e2e tests are added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies only operator implementation files with no new Ginkgo e2e tests added, making the SNO compatibility check inapplicable.
Topology-Aware Scheduling Compatibility	✅ Passed	The pull request changes retrieve MCS CA certificate data from ConfigMaps and store it in configuration objects for image inspection, with no scheduling constraints or topology assumptions.
Ote Binary Stdout Contract	✅ Passed	Code changes introduce operator sync methods that retrieve MCS CA bundles without writing to stdout or containing process-level initialization code.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The pull request modifies operator implementation files (sync.go, osimagestream_ocp.go) containing standard Go code for machine config and CA bundle management, not Ginkgo e2e tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[andfasano]

This patch should also fix https://redhat.atlassian.net/browse/OCPBUGS-84652, thanks a lot @pablintino !

[openshift-ci-robot]

@pablintino: No Jira issue with key OCBPUGS-84652 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Closes: #OCPBUGS-84652

- What I did

This change includes the MCS CA bundle as part of the OS Image Stream temporal CC to allow the logic to pull images from the temporal IRI registry that uses a certificate signed with the MCS CA cert.

- How to verify it

TBD

- Description for the changelog

Include the MCS CA bundle in the OS Image Stream temporal CC.

Summary by CodeRabbit

• Bug Fixes
• OS image stream inspection now properly includes MachineConfig Server Root CA certificate bundle
• Enhanced error context when certificate bundle retrieval fails

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/operator/sync.go`:
- Around line 658-667: The getMCSCABundle function currently swallows
non-NotFound errors from getCAsFromConfigMap which can lead to returning nil,
nil; change the error handling in getMCSCABundle so that after calling
optr.getCAsFromConfigMap(ctrlcommon.MCONamespace,
ctrlcommon.MachineConfigServerCAName, "ca-bundle.crt") any error that is not
apierrors.IsNotFound(err) is returned immediately (return nil, err), and only
when IsNotFound should you call and return the result of
optr.getCAsFromConfigMap("kube-system", ctrlcommon.RootCAConfigMapName,
"ca.crt"); otherwise return the successfully read machineConfigServerCABundle
and nil.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1e4ffb29-9bc4-4ff1-99e5-88ec253d3b74

📥 Commits

Reviewing files that changed from the base of the PR and between 89245a0 and 0366f6a.

📒 Files selected for processing (2)

• pkg/operator/osimagestream_ocp.go
• pkg/operator/sync.go

[pablintino]

/retitle OCPBUGS-84652: Include RootCA in the temporal CC

[openshift-ci-robot]

@pablintino: This pull request references Jira Issue OCPBUGS-84652, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Closes: #OCPBUGS-84652

- What I did

This change includes the MCS CA bundle as part of the OS Image Stream temporal CC to allow the logic to pull images from the temporal IRI registry that uses a certificate signed with the MCS CA cert.

- How to verify it

TBD

- Description for the changelog

Include the MCS CA bundle in the OS Image Stream temporal CC.

Summary by CodeRabbit

• Bug Fixes
• OS image stream inspection now properly includes MachineConfig Server Root CA certificate bundle
• Enhanced error context when certificate bundle retrieval fails

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@pablintino: This pull request references Jira Issue OCPBUGS-84652, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

Closes: #OCPBUGS-84652

- What I did

This change includes the MCS CA bundle as part of the OS Image Stream temporal CC to allow the logic to pull images from the temporal IRI registry that uses a certificate signed with the MCS CA cert.

- How to verify it

TBD

- Description for the changelog

Include the MCS CA bundle in the OS Image Stream temporal CC.

Summary by CodeRabbit

• Bug Fixes
• OS image stream inspection now properly includes the Machine Config Server Root CA certificate bundle.
• Certificate bundle retrieval now fails early with clearer, wrapped error context when the CA bundle cannot be obtained.
• Lookup behavior for the CA bundle is more robust, trying the managed source first and falling back to the cluster root CA only when appropriate.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bfournie]

/lgtm

I tested this fix with TechPreview/ISONoRegistryInstall and it works well.

$ oc get nodes
NAME       STATUS   ROLES                         AGE   VERSION
master-0   Ready    control-plane,master,worker   20m   v1.35.3
master-1   Ready    control-plane,master,worker   40m   v1.35.3
master-2   Ready    control-plane,master,worker   40m   v1.35.3

$ oc get featuregate cluster -o jsonpath='{.spec.featureSet}{"\n"}'
TechPreviewNoUpgrade

$ oc get internalreleaseimage
NAME      AGE
cluster   49m

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-upgrade
/test e2e-gcp-op-part1
/test e2e-gcp-op-part2
/test e2e-gcp-op-single-node
/test e2e-hypershift

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bfournie, pablintino

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pablintino]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[andfasano]

note: once landed, we'll need to backport it to 4.22

[bfournie]

Adding verified label as tested with Agent-based installer using TechPreviewNoUpgrade
/verified by @bfournie

[openshift-ci-robot]

@bfournie: This PR has been marked as verified by @bfournie.

Details

In response to this:

Adding verified label as tested with Agent-based installer using TechPreviewNoUpgrade
/verified by @bfournie

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 19bf44b and 2 for PR HEAD 5b83dbd in total

[bfournie]

/retest-required

[pablintino]

/test e2e-aws-ovn-upgrade
/test e2e-hypershift

[bfournie]

/retest-required

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD b9964db and 1 for PR HEAD 5b83dbd in total

[pablintino]

/retest-required

[openshift-ci]

@pablintino: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@pablintino: Jira Issue Verification Checks: Jira Issue OCPBUGS-84652
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-84652 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Closes: #OCPBUGS-84652

- What I did

This change includes the MCS CA bundle as part of the OS Image Stream temporal CC to allow the logic to pull images from the temporal IRI registry that uses a certificate signed with the MCS CA cert.

- How to verify it

TBD

- Description for the changelog

Include the MCS CA bundle in the OS Image Stream temporal CC.

Summary by CodeRabbit

• Bug Fixes
• OS image stream inspection now properly includes the Machine Config Server Root CA certificate bundle.
• Certificate bundle retrieval now fails early with clearer, wrapped error context when the CA bundle cannot be obtained.
• Lookup behavior for the CA bundle is more robust, trying the managed source first and falling back to the cluster root CA only when appropriate.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[andfasano]

/cherry-pick release-4.22

[openshift-cherrypick-robot]

@andfasano: new pull request created: #5904

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[sadasu]

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-agent-iso-no-registry-conformance-techpreview

[openshift-ci]

@sadasu: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

[openshift-merge-robot]

Fix included in release 5.0.0-0.nightly-2026-05-01-010944