feat: fall back to kube-system/global-pull-secret for Insights token

[judexzhu]

Summary

On ARO HCP clusters, openshift-config/pull-secret only contains the ACR registry credential — no cloud.openshift.com token. Customers add their Red Hat pull secret (including cloud.openshift.com) day-2 via kube-system/additional-pull-secret, which HCCO merges into kube-system/global-pull-secret. The Insights Operator currently only checks openshift-config/pull-secret, so it reports NoToken / GatheringDisabled even though the token exists on the cluster.

This change makes updateToken() check kube-system/global-pull-secret as a read-only fallback when openshift-config/pull-secret has no cloud.openshift.com token.

Changes:

• Generalize fetchSecret() to accept a namespace parameter
• Add fallback lookup to kube-system/global-pull-secret in updateToken()
• Add read-only RBAC (get only, no update/patch) for global-pull-secret in kube-system
• Include namespace in fetchSecret log/error messages for debuggability
• Add tests for fallback and primary-wins-over-fallback precedence

Behavior:

• On standard OpenShift clusters: no change — openshift-config/pull-secret has the token, fallback is never reached
• On ARO HCP clusters: finds the token in kube-system/global-pull-secret when primary lacks cloud.openshift.com
• global-pull-secret is read-only — the operator does not manage, write, or claim ownership of this secret
• If global-pull-secret doesn't exist (NotFound) or is inaccessible (Forbidden), the fallback is silently skipped

Test plan

• make test — all unit tests pass
• make lint — 0 issues
• New test: fallback finds token from kube-system/global-pull-secret when primary lacks cloud.openshift.com
• New test: primary openshift-config/pull-secret takes precedence when both have cloud.openshift.com
• Verify on ARO HCP test cluster that operator picks up token from global-pull-secret

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Configuration
  • Updated pull secret access permissions and retrieval logic with fallback support.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a7232c5d-0eea-48a5-9892-45ecb092ad0c

📥 Commits

Reviewing files that changed from the base of the PR and between 7c39d49 and 2af70f3.

📒 Files selected for processing (3)

• manifests/03-clusterrole.yaml
• pkg/config/configobserver/secretconfigobserver.go
• pkg/config/configobserver/secretconfigobserver_test.go

---

📝 Walkthrough

Walkthrough

The PR adds fallback token resolution by enabling the insights-operator to read a global pull secret from kube-system when the primary pull secret is unavailable. RBAC permissions are added, secret fetching is generalized to support namespace-aware lookups, token fallback logic is implemented, and token selection is tested for both presence and precedence scenarios.

Changes

Global Pull Secret Fallback

Layer / File(s)	Summary
RBAC role and binding for global pull secret access manifests/03-clusterrole.yaml	New Role insights-operator-pull-secret in kube-system grants get permission on the global-pull-secret Secret, with matching RoleBinding binding it to openshift-insights/operator ServiceAccount.
Generalized secret fetching and token fallback pkg/config/configobserver/secretconfigobserver.go	fetchSecret is refactored to accept namespace and name; updateToken attempts primary pull secret first, then falls back to global-pull-secret if token remains empty; updateConfig is updated to use the new signature.
Token selection test coverage pkg/config/configobserver/secretconfigobserver_test.go	New globalPullSecretKey constant and two test cases validate token fallback behavior and precedence: global pull secret is used as fallback, and primary pull secret takes precedence when both are present.

Sequence Diagram

sequenceDiagram
  participant updateToken
  participant fetchSecret
  participant nextConfig
  updateToken->>fetchSecret: fetch openshift-config/pull-secret
  fetchSecret-->>updateToken: token or empty
  alt Token found
    updateToken->>nextConfig: set Token, enable Report
  else Token empty
    updateToken->>fetchSecret: fetch kube-system/global-pull-secret
    fetchSecret-->>updateToken: token or empty
    alt Global token found
      updateToken->>nextConfig: set Token, enable Report
    else Global token empty
      updateToken->>nextConfig: leave Token empty
    end
  end

Loading

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	Assertions lack meaningful failure messages (lines 193-194, 198 in secretconfigobserver_test.go have no messages). All assertions should include descriptive messages for debugging.	Add meaningful failure messages to all assert calls, e.g., assert.Error(t, err, "failed to update token") instead of assert.Error(t, err).
Description check	❓ Inconclusive	The PR description provides comprehensive context, change details, and behavioral expectations, though it does not follow the repository's required template structure with explicit sections for categories, sample archive, documentation, unit tests, privacy, changelog, breaking changes, and references.	Reformat the description to match the repository template with explicit section headings for Categories, Sample Archive, Documentation, Unit Tests, Privacy, Changelog, Breaking Changes, and References.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding a fallback mechanism to read the Insights token from kube-system/global-pull-secret when the primary location lacks it.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in secretconfigobserver_test.go are static and deterministic with no dynamic information (pod names, timestamps, UUIDs, node names, IPs, or random identifiers).
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes consist of RBAC configuration and unit tests using Go's standard testing package, which are not subject to MicroShift API compatibility requirements.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are present in this PR. The repository uses standard Go unit tests (testing.T), not Ginkgo BDD framework. Check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds RBAC and fallback secret-reading logic only. No scheduling constraints, affinity rules, topology assumptions, or deployment changes that would break SNO/TNF/TNA/HyperShift.
Ote Binary Stdout Contract	✅ Passed	PR contains no stdout writes in process-level code (main, init, TestMain, suite functions, or top-level initializers); all klog output configured to stderr via alsologtostderr=true in main.go.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests were added. Changes are standard Go unit tests using the testing package with fake Kubernetes clients, not Ginkgo e2e tests.
No-Weak-Crypto	✅ Passed	No weak crypto algorithms, custom crypto implementations, or non-constant-time secret comparisons found in the PR changes.
Container-Privileges	✅ Passed	PR adds read-only RBAC for secrets without privilege escalation. Main operator has allowPrivilegeEscalation: false, runAsNonRoot: true, no privileged/hostPID/SYS_ADMIN.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data exposed in logs. All logging statements log only safe information: secret names, namespaces, error messages, and token presence as boolean.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: judexzhu
Once this PR has been reviewed and has the lgtm label, please assign ncaak for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[judexzhu]

/retest-required

[opokornyy]

/retest

[openshift-ci]

@judexzhu: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/insights-operator-e2e-tests	2af70f3	link	true	/test insights-operator-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[opokornyy]

/cc

[judexzhu]

Seems the failed job not relate to my PR change?

identical failure: Got an unexpected keyword argument 'watch' to method read_namespaced_pod_log and TypeError: 'NoneType' object is not iterable