Rebace on master

Dockerfile

@@ -1,10 +1,10 @@
-FROM registry.svc.ci.openshift.org/ocp/builder:rhel-8-golang-1.15-openshift-4.6 as builder
+FROM registry.svc.ci.openshift.org/ocp/builder:rhel-8-golang-1.15-openshift-4.7 AS builder
 WORKDIR /go/src/github.com/openshift/cloud-credential-operator
 COPY . .
 ENV GO_PACKAGE github.com/openshift/cloud-credential-operator
 RUN go build -ldflags "-X $GO_PACKAGE/pkg/version.versionFromGit=$(git describe --long --tags --abbrev=7 --match 'v[0-9]*')" ./cmd/cloud-credential-operator
 
-FROM registry.svc.ci.openshift.org/ocp/4.6:base
+FROM registry.svc.ci.openshift.org/ocp/4.7:base
 COPY --from=builder /go/src/github.com/openshift/cloud-credential-operator/cloud-credential-operator /usr/bin/
 COPY manifests /manifests
 # Update perms so we can copy updated CA if needed

README.md

@@ -126,6 +126,7 @@ The default and recommended best practice for running OpenShift is to run the in
 Pros:
   * Each cluster component has only the permissions it needs.
   * Automatic on-going reconciliation for cloud credentials including upgrades, which may require additional credentials or permissions.
+
 Cons:
   * Requires admin credential storage in a cluster kube-system secret. (however if a user has access to all secrets in your cluster, you are severely compromised regardless)
 
@@ -139,6 +140,7 @@ Prior to upgrade, the admin credential should be restored. In the future upgrade
 
 Pros:
   * Admin credential is not stored in the cluster permanently and does not need to be long lived.
+
 Cons:
   * Still requires admin credential in the cluster for brief periods of time.
   * Requires manually re-instating the Secret with admin credentials for each upgrade.
@@ -155,6 +157,7 @@ By default the permissions needed only for installation are required, however it
 
 Pros:
   * Does not require installing or running with an admin credential.
+
 Cons:
   * Includes broad permissions only needed at install time, unless manual action is taken to reduce permissions post-install.
   * Credential permissions may need to be manually updated prior to any upgrade.
@@ -169,6 +172,7 @@ In this mode a user manually performs the job of the cloud credential operator.
 Pros:
   * Admin credential never stored in the cluster.
   * Each cluster component has only the permissions it needs.
+
 Cons:
   * Manual process required for install and every upgrade to reconcile permissions with the new release image.
 
@@ -185,6 +189,7 @@ This future enhancement will allow the use of short lived Amazon STS tokens. In
 Pros:
   * Each cluster component has only the permissions it needs.
   * Automatic on-going reconciliation for cloud credentials including upgrades.
+
 Cons:
   * Requires admin credential storage in a cluster kube-system secret. (if this is readable however, your cluster is severely compromised regardless)
 

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/googleapis/gnostic v0.5.1 // indirect
 	github.com/imdario/mergo v0.3.10 // indirect
 	github.com/onsi/ginkgo v1.14.0 // indirect
-	github.com/openshift/api v0.0.0-20200901182017-7ac89ba6b971
+	github.com/openshift/api v0.0.0-20201012140924-16436fa6166b
 	github.com/openshift/build-machinery-go v0.0.0-20200819073603-48aa266c95f7
 	github.com/openshift/client-go v0.0.0-20200827190008-3062137373b5
 	github.com/openshift/library-go v0.0.0-20200911100307-610c6e9e90b8

pkg/apis/cloudcredential/v1/register.go

@@ -58,6 +58,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&AzureProviderStatus{}, &AzureProviderSpec{},
 		&GCPProviderStatus{}, &GCPProviderSpec{},
 		&VSphereProviderStatus{}, &VSphereProviderSpec{},
+		&KubevirtProviderStatus{}, &KubevirtProviderSpec{},
 	)
 
 	return nil

pkg/apis/cloudcredential/v1/types_kubevirt.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2019 The OpenShift Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// TODO: these types should eventually be broken out, along with the actuator,
+// to a separate repo.
+
+// KubevirtProviderSpec the specification of the credentials request in Kubevirt.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type KubevirtProviderSpec struct {
+	metav1.TypeMeta `json:",inline"`
+}
+
+// KubevirtProviderSpec contains the status of the credentials request in Kubevirt.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type KubevirtProviderStatus struct {
+	metav1.TypeMeta `json:",inline"`
+}

pkg/cmd/operator/cmd.go

@@ -139,32 +139,36 @@ func NewOperator() *cobra.Command {
 				},
 			}
 
-			// start the leader election code loop
-			leaderelection.RunOrDie(ctx, leaderelection.LeaderElectionConfig{
-				Lock:            lock,
-				ReleaseOnCancel: true,
-				LeaseDuration:   360 * time.Second,
-				RenewDeadline:   270 * time.Second,
-				RetryPeriod:     90 * time.Second,
-				Callbacks: leaderelection.LeaderCallbacks{
-					OnStartedLeading: func(ctx context.Context) {
-						run(ctx)
+			if os.Getenv("CCO_SKIP_LEADER_ELECTION") != "" {
+				run(ctx)
+			} else {
+				// start the leader election code loop
+				leaderelection.RunOrDie(ctx, leaderelection.LeaderElectionConfig{
+					Lock:            lock,
+					ReleaseOnCancel: true,
+					LeaseDuration:   360 * time.Second,
+					RenewDeadline:   270 * time.Second,
+					RetryPeriod:     90 * time.Second,
+					Callbacks: leaderelection.LeaderCallbacks{
+						OnStartedLeading: func(ctx context.Context) {
+							run(ctx)
+						},
+						OnStoppedLeading: func() {
+							// we can do cleanup here if necessary
+							leLog.Infof("leader lost")
+							os.Exit(0)
+						},
+						OnNewLeader: func(identity string) {
+							if identity == id {
+								// We just became the leader
+								leLog.Info("became leader")
+								return
+							}
+							log.Infof("current leader: %s", identity)
+						},
 					},
-					OnStoppedLeading: func() {
-						// we can do cleanup here if necessary
-						leLog.Infof("leader lost")
-						os.Exit(0)
-					},
-					OnNewLeader: func(identity string) {
-						if identity == id {
-							// We just became the leader
-							leLog.Info("became leader")
-							return
-						}
-						log.Infof("current leader: %s", identity)
-					},
-				},
-			})
+				})
+			}
 		},
 	}