Fix error with update

Signed-off-by: Jian Qiu <[email protected]>

go.mod

@@ -1,8 +1,6 @@
 module open-cluster-management.io/multicluster-controlplane
 
-go 1.22.5
-
-toolchain go1.22.8
+go 1.22.8
 
 require (
 	github.com/onsi/ginkgo/v2 v2.20.0
@@ -30,9 +28,10 @@ require (
 	k8s.io/metrics v0.30.3
 	k8s.io/utils v0.0.0-20240310230437-4693a0247e57
 	open-cluster-management.io/api v0.15.0
-	open-cluster-management.io/managed-serviceaccount v0.6.0
+	open-cluster-management.io/managed-serviceaccount v0.7.0
 	open-cluster-management.io/ocm v0.15.0
 	open-cluster-management.io/sdk-go v0.15.0
+	sigs.k8s.io/cluster-inventory-api v0.0.0-20240730014211-ef0154379848
 	sigs.k8s.io/controller-runtime v0.18.5
 )
 
@@ -180,7 +179,6 @@ require (
 	k8s.io/pod-security-admission v0.30.3 // indirect
 	open-cluster-management.io/addon-framework v0.11.0 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect
-	sigs.k8s.io/cluster-inventory-api v0.0.0-20240730014211-ef0154379848 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect

go.sum

@@ -566,8 +566,8 @@ open-cluster-management.io/addon-framework v0.11.0 h1:ZJxphgHQ36VUJF0RIag+nzcEn5
 open-cluster-management.io/addon-framework v0.11.0/go.mod h1:ruMU8i/dciz3qCv2CQ46Cu1b7rkK7TpvB+W4bRwHf+I=
 open-cluster-management.io/api v0.15.0 h1:lRee1KOlGHZb2scTA7ff9E9Fxt2hJc7jpkHnaCbvkOU=
 open-cluster-management.io/api v0.15.0/go.mod h1:9erZEWEn4bEqh0nIX2wA7f/s3KCuFycQdBrPrRzi0QM=
-open-cluster-management.io/managed-serviceaccount v0.6.0 h1:qIi5T9WQJBuoGqnYGIktXbtqfQoiN2H9XU2P/6lAQiw=
-open-cluster-management.io/managed-serviceaccount v0.6.0/go.mod h1:G4LUTbZiyrB8c0+rqi/xnDmGlsg7Rdr4T7MPLCWhyQI=
+open-cluster-management.io/managed-serviceaccount v0.7.0 h1:OShodBB3i+rMXjR9xEF6ySp9yBeiiLlEOAKvPA2v3i4=
+open-cluster-management.io/managed-serviceaccount v0.7.0/go.mod h1:NNKqC+cePQ9HH0r7mb9CYSk/hXGsNYu9+K4YfcZTwAk=
 open-cluster-management.io/ocm v0.15.0 h1:anXQzvQUhM/DT8FcKVi4n8AY97IA5DVI0mb8R1wsvbs=
 open-cluster-management.io/ocm v0.15.0/go.mod h1:d6ubRiBaouiQ+yV+wFAmarpU7I77nXhkJnQJf8gLZC4=
 open-cluster-management.io/sdk-go v0.15.0 h1:2IAJnPfUoY6rPC5w7LhqAnvIlgekPoVW03LdZO1unIM=

pkg/agent/agent.go

@@ -125,7 +125,8 @@ func (o *AgentOptions) WithWorkloadSourceDriverConfig(hubKubeConfigFile string)
 }
 
 func (o *AgentOptions) RunAgent(ctx context.Context) error {
-	config := singletonspoke.NewAgentConfig(o.CommonOpts, o.RegistrationAgentOpts, o.WorkAgentOpts)
+	cancleCtx, cancel := context.WithCancel(ctx)
+	config := singletonspoke.NewAgentConfig(o.CommonOpts, o.RegistrationAgentOpts, o.WorkAgentOpts, cancel)
 	inClusterKubeConfig, err := rest.InClusterConfig()
 	if err != nil {
 		klog.Warningf("failed to get kubeconfig from cluster inside, will use '--kubeconfig' to build client")
@@ -156,9 +157,9 @@ func (o *AgentOptions) RunAgent(ctx context.Context) error {
 		OperatorNamespace: "open-cluster-management-agent",
 	}
 
-	go utilruntime.Must(config.RunSpokeAgent(ctx, controllerContext))
+	go utilruntime.Must(config.RunSpokeAgent(cancleCtx, controllerContext))
 
-	<-ctx.Done()
+	<-cancleCtx.Done()
 	return nil
 }
 

pkg/certificate/certchains/signers.go

@@ -336,7 +336,7 @@ func (s *CertificateSigner) SignServingCertificate(signInfo *ServingCertificateS
 	tlsConfig, _, err := s.signerConfig.EnsureServerCert(
 		ServingCertPath(certDir),
 		ServingKeyPath(certDir),
-		sets.NewString(signInfo.Hostnames...),
+		sets.New[string](signInfo.Hostnames...),
 		signInfo.ValidityDays,
 	)
 
@@ -354,7 +354,7 @@ func (s *CertificateSigner) SignServingCertificate(signInfo *ServingCertificateS
 func (s *CertificateSigner) SignPeerCertificate(signInfo *PeerCertificateSigningRequestInfo) error {
 	certDir := filepath.Join(s.signerDir, signInfo.Name)
 
-	hostnameSet := sets.NewString(signInfo.Hostnames...)
+	hostnameSet := sets.New[string](signInfo.Hostnames...)
 	if _, err := crypto.GetServerCert(
 		PeerCertPath(certDir),
 		PeerKeyPath(certDir),

pkg/controllers/bootstrap/crds.go

@@ -36,6 +36,7 @@ var baseCRDs = []string{
 	"crds/0000_03_clusters.open-cluster-management.io_placementdecisions.crd.yaml",
 	"crds/0000_05_clusters.open-cluster-management.io_addonplacementscores.crd.yaml",
 	"crds/0000_06_authentication.open-cluster-management.io_managedserviceaccounts_crd.yaml",
+	"crds/multicluster.x-k8s.io_clusterprofiles.yaml",
 }
 
 var ocmCRDs = []string{

pkg/controllers/bootstrap/crds/multicluster.x-k8s.io_clusterprofiles.yaml

@@ -0,0 +1,184 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: clusterprofiles.multicluster.x-k8s.io
+spec:
+  group: multicluster.x-k8s.io
+  names:
+    kind: ClusterProfile
+    listKind: ClusterProfileList
+    plural: clusterprofiles
+    singular: clusterprofile
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: ClusterProfile represents a single cluster in a multi-cluster
+            deployment.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ClusterProfileSpec defines the desired state of ClusterProfile.
+              properties:
+                clusterManager:
+                  description: ClusterManager defines which cluster manager owns this
+                    ClusterProfile resource
+                  properties:
+                    name:
+                      description: Name defines the name of the cluster manager
+                      type: string
+                  required:
+                    - name
+                  type: object
+                  x-kubernetes-validations:
+                    - message: ClusterManager is immutable
+                      rule: self == oldSelf
+                displayName:
+                  description: DisplayName defines a human-readable name of the ClusterProfile
+                  type: string
+              required:
+                - clusterManager
+              type: object
+            status:
+              description: ClusterProfileStatus defines the observed state of ClusterProfile.
+              properties:
+                conditions:
+                  description: Conditions contains the different condition statuses
+                    for this cluster.
+                  items:
+                    description: "Condition contains details for one aspect of the current
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
+                    properties:
+                      lastTransitionTime:
+                        description: |-
+                          lastTransitionTime is the last time the condition transitioned from one status to another.
+                          This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                        format: date-time
+                        type: string
+                      message:
+                        description: |-
+                          message is a human readable message indicating details about the transition.
+                          This may be an empty string.
+                        maxLength: 32768
+                        type: string
+                      observedGeneration:
+                        description: |-
+                          observedGeneration represents the .metadata.generation that the condition was set based upon.
+                          For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                          with respect to the current state of the instance.
+                        format: int64
+                        minimum: 0
+                        type: integer
+                      reason:
+                        description: |-
+                          reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                          Producers of specific condition types may define expected values and meanings for this field,
+                          and whether the values are considered a guaranteed API.
+                          The value should be a CamelCase string.
+                          This field may not be empty.
+                        maxLength: 1024
+                        minLength: 1
+                        pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                        type: string
+                      status:
+                        description: status of the condition, one of True, False, Unknown.
+                        enum:
+                          - "True"
+                          - "False"
+                          - Unknown
+                        type: string
+                      type:
+                        description: |-
+                          type of condition in CamelCase or in foo.example.com/CamelCase.
+                          ---
+                          Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                          useful (see .node.status.conditions), the ability to deconflict is important.
+                          The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                        maxLength: 316
+                        pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                        type: string
+                    required:
+                      - lastTransitionTime
+                      - message
+                      - reason
+                      - status
+                      - type
+                    type: object
+                  type: array
+                properties:
+                  description: |-
+                    Properties defines name/value pairs to represent properties of a cluster.
+                    It could be a collection of ClusterProperty (KEP-2149) resources,
+                    but could also be info based on other implementations.
+                    The names of the properties can be predefined names from ClusterProperty resources
+                    and is allowed to be customized by different cluster managers.
+                  items:
+                    description: |-
+                      Property defines a name/value pair to represent a property of a cluster.
+                      It could be a ClusterProperty (KEP-2149) resource,
+                      but could also be info based on other implementations.
+                      The name of the property can be predefined name from a ClusterProperty resource
+                      and is allowed to be customized by different cluster managers.
+                      This property can store various configurable details and metrics of a cluster,
+                      which may include information such as the number of nodes, total and free CPU,
+                      and total and free memory, among other potential attributes.
+                    properties:
+                      name:
+                        description: |-
+                          Name is the name of a property resource on cluster. It's a well-known
+                          or customized name to identify the property.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      value:
+                        description: Value is a property-dependent string
+                        maxLength: 1024
+                        minLength: 1
+                        type: string
+                    required:
+                      - name
+                      - value
+                    type: object
+                  type: array
+                version:
+                  description: Version defines the version information of the cluster.
+                  properties:
+                    kubernetes:
+                      description: Kubernetes is the kubernetes version of the cluster.
+                      type: string
+                  type: object
+              type: object
+          required:
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

pkg/controllers/kubecontroller/core.go

@@ -87,6 +87,7 @@ func startGarbageCollectorController(ctx context.Context, controllerContext Cont
 		ignoredResources[schema.GroupResource{Group: r.Group, Resource: r.Resource}] = struct{}{}
 	}
 	garbageCollector, err := garbagecollector.NewGarbageCollector(
+		ctx,
 		gcClientset,
 		metadataClient,
 		controllerContext.RESTMapper,

pkg/controllers/ocmcontroller/ocmcontroller.go

@@ -3,6 +3,8 @@ package ocmcontroller
 
 import (
 	"context"
+	cpclientset "sigs.k8s.io/cluster-inventory-api/client/clientset/versioned"
+	cpinformerv1alpha1 "sigs.k8s.io/cluster-inventory-api/client/informers/externalversions"
 	"time"
 
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
@@ -125,8 +127,14 @@ func runControllers(ctx context.Context,
 		return err
 	}
 
+	clusterProfileClient, err := cpclientset.NewForConfig(controllerContext.KubeConfig)
+	if err != nil {
+		return err
+	}
+
 	clusterInformers := clusterv1informers.NewSharedInformerFactory(clusterClient, 10*time.Minute)
 	workInformers := workinformers.NewSharedInformerFactory(workClient, 10*time.Minute)
+	clusterProfileInformers := cpinformerv1alpha1.NewSharedInformerFactory(clusterProfileClient, 30*time.Minute)
 	addOnInformers := addoninformers.NewSharedInformerFactory(addOnClient, 10*time.Minute)
 	dynamicInformers := dynamicinformer.NewDynamicSharedInformerFactory(dynamicClient, 10*time.Minute)
 
@@ -137,9 +145,11 @@ func runControllers(ctx context.Context,
 			kubeClient,
 			metadataClient,
 			clusterClient,
+			clusterProfileClient,
 			addOnClient,
 			kubeInformers,
 			clusterInformers,
+			clusterProfileInformers,
 			workInformers,
 			addOnInformers,
 		); err != nil {

pkg/servers/kubeapiserver.go

@@ -6,6 +6,7 @@ package servers
 import (
 	"crypto/tls"
 	"fmt"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"net/http"
 	"net/url"
 	"time"
@@ -264,6 +265,8 @@ func buildGenericConfig(
 		return
 	}
 
+	ctx := wait.ContextForChannel(genericConfig.DrainedNotify())
+
 	authorizationConfig := options.Authorization.ToAuthorizationConfig(versionedInformers)
 	if genericConfig.EgressSelector != nil {
 		egressDialer, err := genericConfig.EgressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
@@ -273,7 +276,7 @@ func buildGenericConfig(
 		}
 		authorizationConfig.CustomDial = egressDialer
 	}
-	genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = authorizationConfig.New()
+	genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = authorizationConfig.New(ctx, genericConfig.APIServerID)
 	if err != nil {
 		lastErr = fmt.Errorf("invalid authorization config: %v", err)
 		return
@@ -292,7 +295,7 @@ func buildGenericConfig(
 		LoopbackClientConfig: genericConfig.LoopbackClientConfig,
 	}
 	serviceResolver = buildServiceResolver(options.EnableAggregatorRouting, genericConfig.LoopbackClientConfig.Host, versionedInformers)
-	pluginInitializers, admissionPostStartHook, err = admissionConfig.New(proxyTransport, genericConfig.EgressSelector,
+	pluginInitializers, err = admissionConfig.New(proxyTransport, genericConfig.EgressSelector,
 		serviceResolver, genericConfig.TracerProvider)
 	if err != nil {
 		lastErr = fmt.Errorf("failed to create admission plugin initializer: %v", err)

pkg/servers/options/authentication.go

@@ -495,7 +495,7 @@ func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat
 	}
 
 	if ret.AuthenticationConfig != nil {
-		if err := apiservervalidation.ValidateAuthenticationConfiguration(ret.AuthenticationConfig).ToAggregate(); err != nil {
+		if err := apiservervalidation.ValidateAuthenticationConfiguration(ret.AuthenticationConfig, []string{}).ToAggregate(); err != nil {
 			return kubeauthenticator.Config{}, err
 		}
 	}
@@ -603,7 +603,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen
 	authenticators := []authenticator.Request{}
 
 	// var openAPIV3SecuritySchemes spec3.SecuritySchemes
-	authenticator, openAPIV2SecurityDefinitions, openAPIV3SecuritySchemes, err := authenticatorConfig.New()
+	authenticator, _, openAPIV2SecurityDefinitions, openAPIV3SecuritySchemes, err := authenticatorConfig.New(context.Background())
 	if err != nil {
 		return err
 	}

pkg/servers/options/plugins.go

@@ -7,6 +7,7 @@ package options
 // This should probably be part of some configuration fed into the build for a
 // given binary target.
 import (
+	validatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating"
 	certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval"
 	certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing"
 	certsubjectrestriction "k8s.io/kubernetes/plugin/pkg/admission/certificates/subjectrestriction"
@@ -49,9 +50,10 @@ var AllOrderedPlugins = []string{
 	// new admission plugins should generally be inserted above here
 	// webhook, resourcequota, and deny plugins must go at the end
 
-	mutatingwebhook.PluginName,   // MutatingAdmissionWebhook
-	validatingwebhook.PluginName, // ValidatingAdmissionWebhook
-	resourcequota.PluginName,     // ResourceQuota
+	mutatingwebhook.PluginName,           // MutatingAdmissionWebhook
+	validatingwebhook.PluginName,         // ValidatingAdmissionWebhook
+	validatingadmissionpolicy.PluginName, // ValidatingAdmissionPolicy
+	resourcequota.PluginName,             // ResourceQuota
 }
 
 // RegisterAllAdmissionPlugins registers all admission plugins.