openshift
diff --git a/‎manifests/arbiter.machineconfigpool.yaml‎
Lines changed: 15 additions & 0 deletions b/‎manifests/arbiter.machineconfigpool.yaml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎manifests/machineconfigcontroller/custom-machine-config-pool-selector-validatingadmissionpolicy.yaml‎
Lines changed: 2 additions & 0 deletions b/‎manifests/machineconfigcontroller/custom-machine-config-pool-selector-validatingadmissionpolicy.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎pkg/controller/common/constants.go‎
Lines changed: 3 additions & 0 deletions b/‎pkg/controller/common/constants.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎pkg/controller/kubelet-config/kubelet_config_nodes.go‎
Lines changed: 1 addition & 1 deletion b/‎pkg/controller/kubelet-config/kubelet_config_nodes.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/controller/template/render.go‎
Lines changed: 6 additions & 1 deletion b/‎pkg/controller/template/render.go‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎pkg/controller/template/render_test.go‎
Lines changed: 13 additions & 0 deletions b/‎pkg/controller/template/render_test.go‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎pkg/controller/template/test_data/controller_config_baremetal_arbiter.yaml‎
Lines changed: 37 additions & 0 deletions b/‎pkg/controller/template/test_data/controller_config_baremetal_arbiter.yaml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎pkg/daemon/daemon.go‎
Lines changed: 2 additions & 0 deletions b/‎pkg/daemon/daemon.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎pkg/operator/bootstrap.go‎
Lines changed: 8 additions & 1 deletion b/‎pkg/operator/bootstrap.go‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎pkg/operator/sync.go‎
Lines changed: 12 additions & 4 deletions b/‎pkg/operator/sync.go‎
Lines changed: 12 additions & 4 deletions
@@ -0,0 +1,15 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfigPool
+metadata:
+  name: arbiter
+  labels:
+    "operator.machineconfiguration.openshift.io/required-for-upgrade": ""
+    "machineconfiguration.openshift.io/mco-built-in": ""
+    "pools.operator.machineconfiguration.openshift.io/arbiter": ""
+spec:
+  machineConfigSelector:
+    matchLabels:
+      "machineconfiguration.openshift.io/role": "arbiter"
+  nodeSelector:
+    matchLabels:
+      node-role.kubernetes.io/arbiter: ""
@@ -22,6 +22,8 @@ spec:
             (object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "master")
             ||
             (object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "worker")
+            ||
+            (object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "arbiter")
           )
         )
         ||
 
@@ -52,6 +52,9 @@ const (
 	// APIServerInstanceName is a singleton name for APIServer configuration
 	APIServerBootstrapFileLocation = "/etc/mcs/bootstrap/api-server/api-server.yaml"
 
+	// MachineConfigPoolArbiter is the MachineConfigPool name given to the arbiter
+	MachineConfigPoolArbiter = "arbiter"
+
 	// MachineConfigPoolMaster is the MachineConfigPool name given to the master
 	MachineConfigPoolMaster = "master"
 
 
@@ -133,7 +133,7 @@ func (ctrl *Controller) syncNodeConfigHandler(key string) error {
 			}
 		}
 		// The following code updates the MC with the relevant CGroups version
-		if role == ctrlcommon.MachineConfigPoolWorker || role == ctrlcommon.MachineConfigPoolMaster {
+		if role == ctrlcommon.MachineConfigPoolWorker || role == ctrlcommon.MachineConfigPoolMaster || role == ctrlcommon.MachineConfigPoolArbiter {
 			err = updateMachineConfigwithCgroup(nodeConfig, mc)
 			if err != nil {
 				return err
 
@@ -80,6 +80,11 @@ func generateTemplateMachineConfigs(config *RenderConfig, templateDir string) ([
 			continue
 		}
 
+		// Avoid creating resources for non arbiter deployments
+		if role == "arbiter" && config.Infra.Status.ControlPlaneTopology != configv1.HighlyAvailableArbiterMode {
+			continue
+		}
+
 		roleConfigs, err := GenerateMachineConfigsForRole(config, role, templateDir)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create MachineConfig for role %s: %w", role, err)
@@ -102,7 +107,7 @@ func generateTemplateMachineConfigs(config *RenderConfig, templateDir string) ([
 func GenerateMachineConfigsForRole(config *RenderConfig, role, templateDir string) ([]*mcfgv1.MachineConfig, error) {
 	rolePath := role
 	//nolint:goconst
-	if role != "worker" && role != "master" {
+	if role != "worker" && role != "master" && role != "arbiter" {
 		// custom pools are only allowed to be worker's children
 		// and can reuse the worker templates
 		rolePath = "worker"
 
@@ -203,6 +203,7 @@ var (
 	configs = map[string]string{
 		"aws":                    "./test_data/controller_config_aws.yaml",
 		"baremetal":              "./test_data/controller_config_baremetal.yaml",
+		"baremetal-arbiter":      "./test_data/controller_config_baremetal_arbiter.yaml",
 		"gcp":                    "./test_data/controller_config_gcp.yaml",
 		"openstack":              "./test_data/controller_config_openstack.yaml",
 		"libvirt":                "./test_data/controller_config_libvirt.yaml",
@@ -303,6 +304,18 @@ func TestGenerateMachineConfigs(t *testing.T) {
 					foundMTUMigrationWorker = findIgnFile(ign.Storage.Files, "/usr/local/bin/mtu-migration.sh", t)
 					foundMTUMigrationWorker = foundMTUMigrationWorker || findIgnFile(ign.Storage.Files, "/etc/systemd/system/mtu-migration.service", t)
 				}
+			} else if role == "arbiter" {
+				// arbiter role currently follows master output
+				if !foundPullSecretMaster {
+					foundPullSecretMaster = findIgnFile(ign.Storage.Files, "/var/lib/kubelet/config.json", t)
+				}
+				if !foundKubeletUnitMaster {
+					foundKubeletUnitMaster = findIgnUnit(ign.Systemd.Units, "kubelet.service", t)
+				}
+				if !foundMTUMigrationMaster {
+					foundMTUMigrationMaster = findIgnFile(ign.Storage.Files, "/usr/local/bin/mtu-migration.sh", t)
+					foundMTUMigrationMaster = foundMTUMigrationMaster || findIgnFile(ign.Storage.Files, "/etc/systemd/system/mtu-migration.service", t)
+				}
 			} else {
 				t.Fatalf("Unknown role %s", role)
 			}
 
@@ -0,0 +1,37 @@
+apiVersion: "machineconfigurations.openshift.io/v1"
+kind: "ControllerConfig"
+spec:
+  clusterDNSIP: "10.3.0.10"
+  cloudProviderConfig: ""
+  etcdInitialCount: 3
+  etcdCAData: ZHVtbXkgZXRjZC1jYQo=
+  rootCAData: ZHVtbXkgcm9vdC1jYQo=
+  pullSecret:
+    data: ZHVtbXkgZXRjZC1jYQo=
+  images:
+    etcd: image/etcd:1
+    setupEtcdEnv: image/setupEtcdEnv:1
+    infraImage: image/infraImage:1
+    kubeClientAgentImage: image/kubeClientAgentImage:1
+  infra:
+    apiVersion: config.openshift.io/v1
+    kind: Infrastructure
+    spec:
+      cloudConfig:
+        key: config
+        name: cloud-provider-config
+    status:
+      apiServerInternalURI: https://api-int.my-test-cluster.installer.team.coreos.systems:6443
+      apiServerURL: https://api.my-test-cluster.installer.team.coreos.systems:6443
+      etcdDiscoveryDomain: my-test-cluster.installer.team.coreos.systems
+      infrastructureName: my-test-cluster
+      controlPlaneTopology: HighlyAvailableArbiter
+      platformStatus:
+        type: "BareMetal"
+        baremetal:
+          apiServerInternalIP: 10.0.0.1
+          ingressIP: 10.0.0.2
+          nodeDNSIP: 10.0.0.3
+  dns:
+    spec:
+      baseDomain: my-test-cluster.installer.team.coreos.systems
@@ -2728,6 +2728,8 @@ func (dn *Daemon) getControlPlaneTopology() configv1.TopologyMode {
 		return configv1.SingleReplicaTopologyMode
 	case configv1.HighlyAvailableTopologyMode:
 		return configv1.HighlyAvailableTopologyMode
+	case configv1.HighlyAvailableArbiterMode:
+		return configv1.HighlyAvailableArbiterMode
 	default:
 		// for any unhandled case, default to HighlyAvailableTopologyMode
 		return configv1.HighlyAvailableTopologyMode
 
@@ -155,7 +155,7 @@ func RenderBootstrap(
 		templatectrl.KubeRbacProxyKey:       imgs.KubeRbacProxy,
 	}
 
-	config := getRenderConfig("", string(filesData[kubeAPIServerServingCA]), spec, &imgs.RenderConfigImages, infra.Status.APIServerInternalURL, nil, []*mcfgv1alpha1.MachineOSConfig{}, nil)
+	config := getRenderConfig("", string(filesData[kubeAPIServerServingCA]), spec, &imgs.RenderConfigImages, infra, nil, []*mcfgv1alpha1.MachineOSConfig{}, nil)
 
 	manifests := []manifest{
 		{
@@ -182,6 +182,13 @@ func RenderBootstrap(
 		},
 	}
 
+	if infra.Status.ControlPlaneTopology == configv1.HighlyAvailableArbiterMode {
+		manifests = append(manifests, manifest{
+			name:     "manifests/arbiter.machineconfigpool.yaml",
+			filename: "bootstrap/manifests/arbiter.machineconfigpool.yaml",
+		})
+	}
+
 	manifests = appendManifestsByPlatform(manifests, *infra)
 
 	for _, m := range manifests {
 
@@ -641,9 +641,9 @@ func (optr *Operator) syncRenderConfig(_ *renderConfig, _ *configv1.ClusterOpera
 		}
 
 		// create renderConfig
-		optr.renderConfig = getRenderConfig(optr.namespace, string(kubeAPIServerServingCABytes), spec, &imgs.RenderConfigImages, infra.Status.APIServerInternalURL, pointerConfigData, moscs, apiServer)
+		optr.renderConfig = getRenderConfig(optr.namespace, string(kubeAPIServerServingCABytes), spec, &imgs.RenderConfigImages, infra, pointerConfigData, moscs, apiServer)
 	} else {
-		optr.renderConfig = getRenderConfig(optr.namespace, string(kubeAPIServerServingCABytes), spec, &imgs.RenderConfigImages, infra.Status.APIServerInternalURL, pointerConfigData, nil, apiServer)
+		optr.renderConfig = getRenderConfig(optr.namespace, string(kubeAPIServerServingCABytes), spec, &imgs.RenderConfigImages, infra, pointerConfigData, nil, apiServer)
 	}
 
 	return nil
@@ -682,6 +682,11 @@ func (optr *Operator) syncMachineConfigPools(config *renderConfig, _ *configv1.C
 		"manifests/master.machineconfigpool.yaml",
 		"manifests/worker.machineconfigpool.yaml",
 	}
+
+	if config.Infra.Status.ControlPlaneTopology == configv1.HighlyAvailableArbiterMode {
+		mcps = append(mcps, "manifests/arbiter.machineconfigpool.yaml")
+	}
+
 	for _, mcp := range mcps {
 		mcpBytes, err := renderAsset(config, mcp)
 		if err != nil {
@@ -778,6 +783,8 @@ func (optr *Operator) syncMachineConfigNodes(_ *renderConfig, _ *configv1.Cluste
 			pool = "worker"
 		} else if _, ok = node.Labels["node-role.kubernetes.io/master"]; ok {
 			pool = "master"
+		} else if _, ok = node.Labels["node-role.kubernetes.io/arbiter"]; ok {
+			pool = "arbiter"
 		}
 		newMCS := &v1alpha1.MachineConfigNode{
 			Spec: v1alpha1.MachineConfigNodeSpec{
@@ -2035,7 +2042,7 @@ func setGVK(obj runtime.Object, scheme *runtime.Scheme) error {
 	return nil
 }
 
-func getRenderConfig(tnamespace, kubeAPIServerServingCA string, ccSpec *mcfgv1.ControllerConfigSpec, imgs *ctrlcommon.RenderConfigImages, apiServerURL string, pointerConfigData []byte, moscs []*mcfgv1alpha1.MachineOSConfig, apiServer *configv1.APIServer) *renderConfig {
+func getRenderConfig(tnamespace, kubeAPIServerServingCA string, ccSpec *mcfgv1.ControllerConfigSpec, imgs *ctrlcommon.RenderConfigImages, infra *configv1.Infrastructure, pointerConfigData []byte, moscs []*mcfgv1alpha1.MachineOSConfig, apiServer *configv1.APIServer) *renderConfig {
 	tlsMinVersion, tlsCipherSuites := ctrlcommon.GetSecurityProfileCiphersFromAPIServer(apiServer)
 	return &renderConfig{
 		TargetNamespace:        tnamespace,
@@ -2044,8 +2051,9 @@ func getRenderConfig(tnamespace, kubeAPIServerServingCA string, ccSpec *mcfgv1.C
 		ControllerConfig:       *ccSpec,
 		Images:                 imgs,
 		KubeAPIServerServingCA: kubeAPIServerServingCA,
-		APIServerURL:           apiServerURL,
+		APIServerURL:           infra.Status.APIServerInternalURL,
 		PointerConfig:          string(pointerConfigData),
+		Infra:                  *infra,
 		MachineOSConfigs:       moscs,
 		TLSMinVersion:          tlsMinVersion,
 		TLSCipherSuites:        tlsCipherSuites,
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@ spec:`
`22`	`22`	`(object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "master")`
`23`	`23`	`\|\|`
`24`	`24`	`(object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "worker")`
	`25`	`+ \|\|`
	`26`	`+ (object.spec.machineConfigSelector.matchLabels["machineconfiguration.openshift.io/role"] == "arbiter")`
`25`	`27`	`)`
`26`	`28`	`)`
`27`	`29`	`\|\|`
Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,7 @@ func (ctrl *Controller) syncNodeConfigHandler(key string) error {`
`133`	`133`	`}`
`134`	`134`	`}`
`135`	`135`	`// The following code updates the MC with the relevant CGroups version`
`136`		`- if role == ctrlcommon.MachineConfigPoolWorker \|\| role == ctrlcommon.MachineConfigPoolMaster {`
	`136`	`+ if role == ctrlcommon.MachineConfigPoolWorker \|\| role == ctrlcommon.MachineConfigPoolMaster \|\| role == ctrlcommon.MachineConfigPoolArbiter {`
`137`	`137`	`err = updateMachineConfigwithCgroup(nodeConfig, mc)`
`138`	`138`	`if err != nil {`
`139`	`139`	`return err`
Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,7 @@ func RenderBootstrap(`
`155`	`155`	`templatectrl.KubeRbacProxyKey: imgs.KubeRbacProxy,`
`156`	`156`	`}`
`157`	`157`
`158`		`- config := getRenderConfig("", string(filesData[kubeAPIServerServingCA]), spec, &imgs.RenderConfigImages, infra.Status.APIServerInternalURL, nil, []*mcfgv1alpha1.MachineOSConfig{}, nil)`
	`158`	`+ config := getRenderConfig("", string(filesData[kubeAPIServerServingCA]), spec, &imgs.RenderConfigImages, infra, nil, []*mcfgv1alpha1.MachineOSConfig{}, nil)`
`159`	`159`
`160`	`160`	`manifests := []manifest{`
`161`	`161`	`{`
`@@ -182,6 +182,13 @@ func RenderBootstrap(`
`182`	`182`	`},`
`183`	`183`	`}`
`184`	`184`
	`185`	`+ if infra.Status.ControlPlaneTopology == configv1.HighlyAvailableArbiterMode {`
	`186`	`+ manifests = append(manifests, manifest{`
	`187`	`+ name: "manifests/arbiter.machineconfigpool.yaml",`
	`188`	`+ filename: "bootstrap/manifests/arbiter.machineconfigpool.yaml",`
	`189`	`+ })`
	`190`	`+ }`
	`191`	`+`
`185`	`192`	`manifests = appendManifestsByPlatform(manifests, *infra)`
`186`	`193`
`187`	`194`	`for _, m := range manifests {`