remove etc-pki-entitlement cruft

Author: djoshy

devex/cmd/onclustertesting/README.md

@@ -87,10 +87,8 @@ feature is implemented in OCL, this should no longer be a problem.
 ### RHEL entitlements
 
 If your cluster has the `etc-pki-entitlement` secret in the
-`openshift-config-managed` namespace, you can use the
-`--copy-etc-pki-entitlement-secret` flag with the `setup` command. This will
-clone the secret into the MCO namespace. This copy will be removed during the
-teardown process.
+`openshift-config-managed` namespace, the operator will automatically
+copy it into the MCO namespace, when a build is required.
 
 ### /etc/yum.repos.d and /etc/pki/rpm-gpg
 

devex/cmd/onclustertesting/ci.go

@@ -21,10 +21,6 @@ const (
 func runCiSetupCmd(setupOpts opts) error {
 	utils.ParseFlags()
 
-	if setupOpts.injectYumRepos && setupOpts.copyEtcPkiEntitlementSecret {
-		return fmt.Errorf("flags --inject-yum-repos and --copy-etc-pki-entitlement cannot be combined")
-	}
-
 	if err := utils.CheckForBinaries([]string{"oc"}); err != nil {
 		return err
 	}

devex/cmd/onclustertesting/machineosconfigs.go

@@ -44,7 +44,7 @@ func newMachineOSConfig(opts moscOpts) *mcfgv1.MachineOSConfig {
 			},
 			RenderedImagePushSpec: mcfgv1.ImageTagFormat(opts.finalImagePullspec),
 			ImageBuilder: mcfgv1.MachineOSImageBuilder{
-				ImageBuilderType: mcfgv1.MachineOSImageBuilderType("PodImageBuilder"),
+				ImageBuilderType: mcfgv1.JobBuilder,
 			},
 			Containerfile: []mcfgv1.MachineOSContainerfile{
 				{

devex/cmd/onclustertesting/opts.go

@@ -9,36 +9,34 @@ import (
 )
 
 type opts struct {
-	pushSecretName              string
-	pullSecretName              string
-	finalImagePullSecretName    string
-	pushSecretPath              string
-	pullSecretPath              string
-	finalImagePullspec          string
-	containerfilePath           string
-	containerfileContents       string
-	poolName                    string
-	injectYumRepos              bool
-	waitForBuildInfo            bool
-	copyEtcPkiEntitlementSecret bool
-	enableFeatureGate           bool
+	pushSecretName           string
+	pullSecretName           string
+	finalImagePullSecretName string
+	pushSecretPath           string
+	pullSecretPath           string
+	finalImagePullspec       string
+	containerfilePath        string
+	containerfileContents    string
+	poolName                 string
+	injectYumRepos           bool
+	waitForBuildInfo         bool
+	enableFeatureGate        bool
 }
 
 func (o *opts) deepCopy() opts {
 	return opts{
-		pushSecretName:              o.pushSecretName,
-		pullSecretName:              o.pullSecretName,
-		pushSecretPath:              o.pushSecretPath,
-		pullSecretPath:              o.pullSecretPath,
-		finalImagePullspec:          o.finalImagePullspec,
-		finalImagePullSecretName:    o.finalImagePullSecretName,
-		containerfilePath:           o.containerfilePath,
-		containerfileContents:       o.containerfileContents,
-		poolName:                    o.poolName,
-		injectYumRepos:              o.injectYumRepos,
-		waitForBuildInfo:            o.waitForBuildInfo,
-		copyEtcPkiEntitlementSecret: o.copyEtcPkiEntitlementSecret,
-		enableFeatureGate:           o.enableFeatureGate,
+		pushSecretName:           o.pushSecretName,
+		pullSecretName:           o.pullSecretName,
+		pushSecretPath:           o.pushSecretPath,
+		pullSecretPath:           o.pullSecretPath,
+		finalImagePullspec:       o.finalImagePullspec,
+		finalImagePullSecretName: o.finalImagePullSecretName,
+		containerfilePath:        o.containerfilePath,
+		containerfileContents:    o.containerfileContents,
+		poolName:                 o.poolName,
+		injectYumRepos:           o.injectYumRepos,
+		waitForBuildInfo:         o.waitForBuildInfo,
+		enableFeatureGate:        o.enableFeatureGate,
 	}
 }
 

devex/cmd/onclustertesting/secrets.go

@@ -39,32 +39,6 @@ func copyGlobalPullSecret(cs *framework.ClientSet) error {
 	return utils.CloneSecretWithLabels(cs, src, dst, labels)
 }
 
-func copyEtcPkiEntitlementSecret(cs *framework.ClientSet) error {
-	name := "etc-pki-entitlement"
-
-	src := utils.SecretRef{
-		Name:      name,
-		Namespace: "openshift-config-managed",
-	}
-
-	dst := utils.SecretRef{
-		Name:      name,
-		Namespace: ctrlcommon.MCONamespace,
-	}
-
-	labels := map[string]string{
-		createdByOnClusterBuildsHelper: "",
-	}
-
-	err := utils.CloneSecretWithLabels(cs, src, dst, labels)
-	if apierrs.IsNotFound(err) {
-		klog.Warningf("Secret %s not found, cannot copy", src.String())
-		return nil
-	}
-
-	return fmt.Errorf("could not copy secret %s to %s: %w", src.String(), dst.String(), err)
-}
-
 func getSecretNameFromFile(path string) (string, error) {
 	secret, err := loadSecretFromFile(path)
 

devex/cmd/onclustertesting/setup.go

@@ -55,7 +55,6 @@ func init() {
 	setupCmd.PersistentFlags().StringVar(&setupOpts.containerfilePath, "containerfile-path", "", "Optional Containerfile to inject for the build.")
 	setupCmd.PersistentFlags().BoolVar(&setupOpts.enableFeatureGate, "enable-feature-gate", false, "Enables the required featuregates if not already enabled.")
 	setupCmd.PersistentFlags().BoolVar(&setupOpts.injectYumRepos, "inject-yum-repos", false, fmt.Sprintf("Injects contents from the /etc/yum.repos.d and /etc/pki/rpm-gpg directories found in %s into the %s namespace.", yumReposContainerImagePullspec, ctrlcommon.MCONamespace))
-	setupCmd.PersistentFlags().BoolVar(&setupOpts.copyEtcPkiEntitlementSecret, "copy-etc-pki-entitlement-secret", false, fmt.Sprintf("Copies etc-pki-entitlement into the %s namespace, assuming it exists.", ctrlcommon.MCONamespace))
 
 	rootCmd.AddCommand(setupCmd)
 }
@@ -84,10 +83,6 @@ func runSetupCmd(setupOpts opts) error {
 		return fmt.Errorf("flags --push-secret-name and --push-secret-path cannot be combined")
 	}
 
-	if setupOpts.injectYumRepos && setupOpts.copyEtcPkiEntitlementSecret {
-		return fmt.Errorf("flags --inject-yum-repos and --copy-etc-pki-entitlement cannot be combined")
-	}
-
 	if err := utils.CheckForBinaries([]string{"oc"}); err != nil {
 		return err
 	}
@@ -99,15 +94,14 @@ func runSetupCmd(setupOpts opts) error {
 	}
 
 	return mobSetup(cs, opts{
-		pushSecretName:              setupOpts.pushSecretName,
-		pullSecretName:              setupOpts.pullSecretName,
-		pushSecretPath:              setupOpts.pushSecretPath,
-		pullSecretPath:              setupOpts.pullSecretPath,
-		finalImagePullspec:          setupOpts.finalImagePullspec,
-		containerfilePath:           setupOpts.containerfilePath,
-		poolName:                    setupOpts.poolName,
-		injectYumRepos:              setupOpts.injectYumRepos,
-		copyEtcPkiEntitlementSecret: setupOpts.copyEtcPkiEntitlementSecret,
+		pushSecretName:     setupOpts.pushSecretName,
+		pullSecretName:     setupOpts.pullSecretName,
+		pushSecretPath:     setupOpts.pushSecretPath,
+		pullSecretPath:     setupOpts.pullSecretPath,
+		finalImagePullspec: setupOpts.finalImagePullspec,
+		containerfilePath:  setupOpts.containerfilePath,
+		poolName:           setupOpts.poolName,
+		injectYumRepos:     setupOpts.injectYumRepos,
 	})
 }
 
@@ -118,10 +112,6 @@ func runInClusterRegistrySetupCmd(setupOpts opts) error {
 		return err
 	}
 
-	if setupOpts.injectYumRepos && setupOpts.copyEtcPkiEntitlementSecret {
-		return fmt.Errorf("flags --inject-yum-repos and --copy-etc-pki-entitlement cannot be combined")
-	}
-
 	cs := framework.NewClientSet("")
 
 	if err := checkForRequiredFeatureGates(cs, setupOpts); err != nil {
@@ -215,12 +205,6 @@ func createSecrets(cs *framework.ClientSet, opts opts) error {
 
 	}
 
-	if opts.copyEtcPkiEntitlementSecret {
-		eg.Go(func() error {
-			return copyEtcPkiEntitlementSecret(cs)
-		})
-	}
-
 	if opts.injectYumRepos {
 		eg.Go(func() error {
 			return extractAndInjectYumEpelRepos(cs)

pkg/controller/build/buildrequest/machineosbuild_test.go

@@ -28,7 +28,7 @@ func TestMachineOSBuild(t *testing.T) {
 	}
 
 	// Some of the test cases expect the hash name to be the same. This is that hash value.
-	expectedCommonHashName := "worker-e945ec808b468c07f6a2cf1936c23a13"
+	expectedCommonHashName := "worker-55592464e51104dcc274a300565fec9e"
 
 	testCases := []struct {
 		name         string

test/e2e-ocl/helpers_test.go

@@ -20,6 +20,7 @@ import (
 	"github.com/distribution/reference"
 	imagev1 "github.com/openshift/api/image/v1"
 	mcfgv1 "github.com/openshift/api/machineconfiguration/v1"
+	"github.com/openshift/machine-config-operator/pkg/controller/build/constants"
 	"github.com/openshift/machine-config-operator/pkg/controller/build/utils"
 	ctrlcommon "github.com/openshift/machine-config-operator/pkg/controller/common"
 	"github.com/openshift/machine-config-operator/test/framework"
@@ -35,10 +36,6 @@ import (
 	"sigs.k8s.io/yaml"
 )
 
-const (
-	clonedSecretLabelKey string = "machineconfiguration.openshift.io/cloned-secret"
-)
-
 func applyMC(t *testing.T, cs *framework.ClientSet, mc *mcfgv1.MachineConfig) func() {
 	cleanupFunc := helpers.ApplyMC(t, cs, mc)
 	t.Logf("Created new MachineConfig %q", mc.Name)
@@ -696,34 +693,17 @@ func convertFilesFromContainerImageToBytesMap(t *testing.T, pullspec, containerF
 	return out
 }
 
-// Copy the entitlement certificates into the MCO namespace. If the secrets
-// cannot be found, calls t.Skip() to skip the test.
-//
-// Registers and returns a cleanup function to remove the certificate(s) after test completion.
-func copyEntitlementCerts(t *testing.T, cs *framework.ClientSet) func() {
-	src := metav1.ObjectMeta{
-		Name:      "etc-pki-entitlement",
-		Namespace: "openshift-config-managed",
-	}
-
-	dst := metav1.ObjectMeta{
-		Name:      src.Name,
-		Namespace: ctrlcommon.MCONamespace,
-	}
-
-	_, err := cs.CoreV1Interface.Secrets(src.Namespace).Get(context.TODO(), src.Name, metav1.GetOptions{})
-	if err == nil {
-		return cloneSecret(t, cs, src, dst)
-	}
+// Skips the test if the entitlement secret is not present.
+func skipIfEntitlementNotPresent(t *testing.T, cs *framework.ClientSet) {
 
+	_, err := cs.CoreV1Interface.Secrets(constants.EtcPkiEntitlementSecretName).Get(context.TODO(), ctrlcommon.OpenshiftConfigManagedNamespace, metav1.GetOptions{})
 	if k8serrors.IsNotFound(err) {
-		t.Logf("Secret %q not found in %q, skipping test", src.Name, src.Namespace)
+		t.Logf("Secret %q not found in %q, skipping test", constants.EtcPkiEntitlementSecretName, ctrlcommon.OpenshiftConfigManagedNamespace)
 		t.Skip()
-		return func() {}
+		return
 	}
-
-	t.Fatalf("could not get %q from %q: %s", src.Name, src.Namespace, err)
-	return func() {}
+	// No other errors are expected.
+	require.NoError(t, err)
 }
 
 // Uses the centos stream 9 container and extracts the contents of both the
@@ -768,34 +748,6 @@ func injectYumRepos(t *testing.T, cs *framework.ClientSet) func() {
 	})
 }
 
-// Clones a given secret from a given namespace into the MCO namespace.
-// Registers and returns a cleanup function to delete the secret upon test
-// completion.
-func cloneSecret(t *testing.T, cs *framework.ClientSet, src, dst metav1.ObjectMeta) func() {
-	secret, err := cs.CoreV1Interface.Secrets(src.Namespace).Get(context.TODO(), src.Name, metav1.GetOptions{})
-	require.NoError(t, err)
-
-	secretCopy := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      dst.Name,
-			Namespace: dst.Namespace,
-			Labels: map[string]string{
-				clonedSecretLabelKey: "",
-			},
-		},
-		Data: secret.Data,
-		Type: secret.Type,
-	}
-
-	cleanup := createSecret(t, cs, secretCopy)
-	t.Logf("Cloned \"%s/%s\" to \"%s/%s\"", src.Namespace, src.Name, dst.Namespace, dst.Name)
-
-	return makeIdempotentAndRegister(t, func() {
-		cleanup()
-		t.Logf("Deleted cloned secret \"%s/%s\"", dst.Namespace, dst.Name)
-	})
-}
-
 func newMachineConfig(name, pool string) *mcfgv1.MachineConfig {
 	mode := 420
 	testfiledata := fmt.Sprintf("data:,%s-%s", name, pool)

test/e2e-ocl/onclusterlayering_test.go

@@ -86,7 +86,7 @@ type onClusterLayeringTestOpts struct {
 	poolName string
 
 	// Use RHEL entitlements
-	useEtcPkiEntitlement bool
+	entitlementRequired bool
 
 	// Inject YUM repo information from a Centos 9 stream container
 	useYumRepos bool
@@ -211,9 +211,8 @@ func TestYumReposBuilds(t *testing.T) {
 	})
 }
 
-// Clones the etc-pki-entitlement certificate from the openshift-config-managed
-// namespace into the MCO namespace. Then performs an on-cluster layering build
-// which should consume the entitlement certificates.
+// Then performs an on-cluster layering build which should consume the
+// etc-pki-entitlement certificates.
 func TestEntitledBuilds(t *testing.T) {
 	skipOnOKD(t)
 
@@ -222,7 +221,7 @@ func TestEntitledBuilds(t *testing.T) {
 		customDockerfiles: map[string]string{
 			layeredMCPName: entitledDockerfile,
 		},
-		useEtcPkiEntitlement: true,
+		entitlementRequired: true,
 	})
 }
 
@@ -786,10 +785,10 @@ func assertBuildJobIsAsExpected(t *testing.T, cs *framework.ClientSet, mosb *mcf
 // Returns a MachineOSConfig object for the caller to create to begin the build
 // process.
 func prepareForOnClusterLayeringTest(t *testing.T, cs *framework.ClientSet, testOpts onClusterLayeringTestOpts) *mcfgv1.MachineOSConfig {
-	// If the test requires RHEL entitlements, clone them from
-	// "etc-pki-entitlement" in the "openshift-config-managed" namespace.
-	if testOpts.useEtcPkiEntitlement {
-		copyEntitlementCerts(t, cs)
+	// If the test requires RHEL entitlements, ensure they are present
+	// in the test cluster. If not found, the test is skipped.
+	if testOpts.entitlementRequired {
+		skipIfEntitlementNotPresent(t, cs)
 	}
 
 	// If the test requires /etc/yum.repos.d and /etc/pki/rpm-gpg, pull a Centos

test/helpers/machineosconfigbuilder.go

@@ -26,7 +26,7 @@ func NewMachineOSConfigBuilder(name string) *MachineOSConfigBuilder {
 
 				Containerfile: []mcfgv1.MachineOSContainerfile{},
 				ImageBuilder: mcfgv1.MachineOSImageBuilder{
-					ImageBuilderType: mcfgv1.MachineOSImageBuilderType("PodImageBuilder"),
+					ImageBuilderType: mcfgv1.JobBuilder,
 				},
 				BaseImagePullSecret:     nil,
 				RenderedImagePushSecret: mcfgv1.ImageSecretObjectReference{},