openshift · stephenfin · Jun 9, 2025 · Jun 9, 2025 · Jun 9, 2025 · Jun 9, 2025
diff --git a/manifests/01-config-role.yaml b/manifests/01-config-role.yaml
@@ -16,5 +16,3 @@ rules:
   - cloud-provider-config
   verbs:
   - get
-  - list
-  - watch
diff --git a/pkg/aws/actuator/actuator.go b/pkg/aws/actuator/actuator.go
@@ -71,16 +71,14 @@ var _ actuatoriface.Actuator = (*AWSActuator)(nil)
 type AWSActuator struct {
 	Client           client.Client
 	RootCredClient   client.Client
-	LiveClient       client.Client
 	AWSClientBuilder func(accessKeyID, secretAccessKey []byte, c client.Client) (ccaws.Client, error)
 	Scheme           *runtime.Scheme
 }
 
 // NewAWSActuator creates a new AWSActuator.
-func NewAWSActuator(client, rootCredClient, liveClient client.Client, scheme *runtime.Scheme) (*AWSActuator, error) {
+func NewAWSActuator(client, rootCredClient client.Client, scheme *runtime.Scheme) (*AWSActuator, error) {
 	return &AWSActuator{
 		Client:           client,
-		LiveClient:       liveClient,
 		RootCredClient:   rootCredClient,
 		AWSClientBuilder: awsutils.ClientBuilder,
 		Scheme:           scheme,
@@ -158,7 +156,7 @@ func (a *AWSActuator) needsUpdate(ctx context.Context, cr *minterv1.CredentialsR
 
 	// Various checks for the kinds of reasons that would trigger a needed update
 	_, existingAccessKey, existingSecretKey, existingCredentialsKey := a.loadExistingSecret(cr)
-	awsClient, err := a.AWSClientBuilder([]byte(existingAccessKey), []byte(existingSecretKey), a.LiveClient)
+	awsClient, err := a.AWSClientBuilder([]byte(existingAccessKey), []byte(existingSecretKey), a.RootCredClient)
 	if err != nil {
 		return true, err
 	}
@@ -471,7 +469,7 @@ func (a *AWSActuator) syncPassthrough(ctx context.Context, cr *minterv1.Credenti
 		}
 
 		// build client with root secret and verify that the creds are good enough to pass through
-		awsClient, err := a.AWSClientBuilder([]byte(accessKeyID), []byte(secretAccessKey), a.LiveClient)
+		awsClient, err := a.AWSClientBuilder([]byte(accessKeyID), []byte(secretAccessKey), a.RootCredClient)
 		if err != nil {
 			msg := "error building AWS client"
 			logger.WithError(err).Error(msg)
@@ -957,7 +955,7 @@ func (a *AWSActuator) buildRootAWSClient(cr *minterv1.CredentialsRequest) (minte
 	}
 
 	logger.Debug("creating root AWS client")
-	return a.AWSClientBuilder(accessKeyID, secretAccessKey, a.LiveClient)
+	return a.AWSClientBuilder(accessKeyID, secretAccessKey, a.RootCredClient)
 }
 
 // buildReadAWSClient will return an AWS client using the the scaled down read only AWS creds
@@ -987,7 +985,7 @@ func (a *AWSActuator) buildReadAWSClient(cr *minterv1.CredentialsRequest) (minte
 	}
 
 	logger.Debug("creating read AWS client")
-	client, err := a.AWSClientBuilder(accessKeyID, secretAccessKey, a.LiveClient)
+	client, err := a.AWSClientBuilder(accessKeyID, secretAccessKey, a.RootCredClient)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/cmd/operator/cmd.go b/pkg/cmd/operator/cmd.go
@@ -202,6 +202,9 @@ func NewOperator() *cobra.Command {
 							&corev1.Secret{}: {
 								Field: selectorForRootCredential(platformType),
 							},
+							&corev1.ConfigMap{}: {
+								Field: selectorForCloudConfig(platformType),
+							},
 						},
 					},
 				})
@@ -359,6 +362,26 @@ func selectorForRootCredential(platformType configv1.PlatformType) fields.Select
 	return selector
 }
 
+func selectorForCloudConfig(platformType configv1.PlatformType) fields.Selector {
+	var name, namespace string
+	switch platformType {
+	case configv1.AWSPlatformType:
+		namespace = "openshift-config-managed"
+		name = "kube-cloud-config"
+	case configv1.OpenStackPlatformType:
+		namespace = "openshift-config"
+		name = "cloud-provider-config"
+	default:
+		return fields.Nothing()
+	}
+	selector := fields.SelectorFromSet(fields.Set{
+		"metadata.namespace": namespace,
+		"metadata.name":      name,
+	})
+	log.WithField("selector", selector.String()).Info("setting up field selector for cloud config ConfigMap")
+	return selector
+}
+
 func initializeGlog(flags *pflag.FlagSet) {
 	golog.SetOutput(glogWriter{}) // Redirect all regular go log output to glog
 	golog.SetFlags(0)

diff --git a/pkg/operator/controller.go b/pkg/operator/controller.go
@@ -32,7 +32,6 @@ import (
 	"github.com/openshift/cloud-credential-operator/pkg/operator/podidentity"
 	"github.com/openshift/cloud-credential-operator/pkg/operator/secretannotator"
 	"github.com/openshift/cloud-credential-operator/pkg/operator/status"
-	"github.com/openshift/cloud-credential-operator/pkg/operator/utils"
 	"github.com/openshift/cloud-credential-operator/pkg/ovirt"
 	"github.com/openshift/cloud-credential-operator/pkg/util"
 	vsphereactuator "github.com/openshift/cloud-credential-operator/pkg/vsphere/actuator"
@@ -86,7 +85,7 @@ func AddToManager(m, rootM manager.Manager, explicitKubeconfig string, coreClien
 		switch platformType {
 		case configv1.AWSPlatformType:
 			log.Info("initializing AWS actuator")
-			a, err = awsactuator.NewAWSActuator(m.GetClient(), rootM.GetClient(), utils.LiveClient(m), m.GetScheme())
+			a, err = awsactuator.NewAWSActuator(m.GetClient(), rootM.GetClient(), m.GetScheme())
 			if err != nil {
 				return err
 			}

diff --git a/pkg/operator/secretannotator/aws/reconciler.go b/pkg/operator/secretannotator/aws/reconciler.go
@@ -38,16 +38,15 @@ const (
 	AwsSecretAccessKeyName = "aws_secret_access_key"
 )
 
-func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler {
+func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler {
 	r := &ReconcileCloudCredSecret{
-		Client:           c,
-		RootCredClient:   mgr.GetClient(),
-		LiveClient:       utils.LiveClient(mgr),
+		Client:           client,
+		RootCredClient:   rootCredClient,
 		Logger:           log.WithField("controller", constants.SecretAnnotatorControllerName),
 		AWSClientBuilder: awsutils.ClientBuilder,
 	}
 
-	s := status.NewSecretStatusHandler(c)
+	s := status.NewSecretStatusHandler(client)
 	statuscontroller.AddHandler(constants.SecretAnnotatorControllerName, s)
 
 	return r
@@ -97,7 +96,6 @@ var _ reconcile.Reconciler = &ReconcileCloudCredSecret{}
 type ReconcileCloudCredSecret struct {
 	Client           client.Client
 	RootCredClient   client.Client
-	LiveClient       client.Client
 	Logger           log.FieldLogger
 	AWSClientBuilder func(accessKeyID, secretAccessKey []byte, c client.Client) (ccaws.Client, error)
 }
@@ -185,7 +183,7 @@ func (r *ReconcileCloudCredSecret) validateCloudCredsSecret(secret *corev1.Secre
 		return r.updateSecretAnnotations(secret, constants.InsufficientAnnotation)
 	}
 
-	awsClient, err := r.AWSClientBuilder(accessKey, secretKey, r.LiveClient)
+	awsClient, err := r.AWSClientBuilder(accessKey, secretKey, r.RootCredClient)
 	if err != nil {
 		return fmt.Errorf("error creating aws client: %v", err)
 	}

diff --git a/pkg/operator/secretannotator/azure/reconciler.go b/pkg/operator/secretannotator/azure/reconciler.go
@@ -38,14 +38,14 @@ type ReconcileCloudCredSecret struct {
 	Logger         log.FieldLogger
 }
 
-func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler {
+func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler {
 	r := &ReconcileCloudCredSecret{
-		Client:         c,
-		RootCredClient: mgr.GetClient(),
+		Client:         client,
+		RootCredClient: rootCredClient,
 		Logger:         log.WithField("controller", constants.SecretAnnotatorControllerName),
 	}
 
-	s := status.NewSecretStatusHandler(c)
+	s := status.NewSecretStatusHandler(client)
 	statuscontroller.AddHandler(constants.SecretAnnotatorControllerName, s)
 
 	return r

diff --git a/pkg/operator/secretannotator/gcp/reconciler.go b/pkg/operator/secretannotator/gcp/reconciler.go
@@ -40,16 +40,16 @@ const (
 	GCPAuthJSONKey = "service_account.json"
 )
 
-func NewReconciler(c client.Client, mgr manager.Manager, projectName string) reconcile.Reconciler {
+func NewReconciler(client, rootCredClient client.Client, projectName string) reconcile.Reconciler {
 	r := &ReconcileCloudCredSecret{
-		Client:           c,
-		RootCredClient:   mgr.GetClient(),
+		Client:           client,
+		RootCredClient:   rootCredClient,
 		Logger:           log.WithField("controller", constants.SecretAnnotatorControllerName),
 		GCPClientBuilder: ccgcp.NewClientFromJSON,
 		ProjectName:      projectName,
 	}
 
-	s := status.NewSecretStatusHandler(c)
+	s := status.NewSecretStatusHandler(client)
 	statuscontroller.AddHandler(controllerName, s)
 
 	return r

diff --git a/pkg/operator/secretannotator/openstack/reconciler.go b/pkg/operator/secretannotator/openstack/reconciler.go
@@ -49,15 +49,14 @@ import (
 	"github.com/openshift/cloud-credential-operator/pkg/operator/utils"
 )
 
-func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler {
+func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler {
 	r := &ReconcileCloudCredSecret{
-		Client:         c,
-		RootCredClient: mgr.GetClient(),
-		LiveClient:     utils.LiveClient(mgr),
+		Client:         client,
+		RootCredClient: rootCredClient,
 		Logger:         log.WithField("controller", constants.SecretAnnotatorControllerName),
 	}
 
-	s := status.NewSecretStatusHandler(c)
+	s := status.NewSecretStatusHandler(client)
 	statuscontroller.AddHandler(constants.SecretAnnotatorControllerName, s)
 
 	return r
@@ -107,7 +106,6 @@ var _ reconcile.Reconciler = &ReconcileCloudCredSecret{}
 type ReconcileCloudCredSecret struct {
 	Client         client.Client
 	RootCredClient client.Client
-	LiveClient     client.Client
 	Logger         log.FieldLogger
 }
 
@@ -172,7 +170,7 @@ func (r *ReconcileCloudCredSecret) Reconcile(ctx context.Context, request reconc
 	// TODO(stephenfin): Remove this syncer in a future release once CCM no longer
 	// relies on the legacy place during bootstrapping.
 	config := &corev1.ConfigMap{}
-	err = r.LiveClient.Get(context.Background(), types.NamespacedName{Namespace: "openshift-config", Name: "cloud-provider-config"}, config)
+	err = r.RootCredClient.Get(context.Background(), types.NamespacedName{Namespace: "openshift-config", Name: "cloud-provider-config"}, config)
 	if err != nil {
 		r.Logger.Debugf("cloud provider config not found: %v", err)
 		return reconcile.Result{}, err

diff --git a/pkg/operator/secretannotator/openstack/reconciler_test.go b/pkg/operator/secretannotator/openstack/reconciler_test.go
@@ -190,12 +190,10 @@ func TestReconcileCloudCredSecret_Reconcile(t *testing.T) {
 				existing := append(tc.existing, infra, testOperatorConfig(tc.mode))
 				fakeClient := fake.NewClientBuilder().WithRuntimeObjects(existing...).Build()
 				fakeRootCredClient := fake.NewClientBuilder().WithRuntimeObjects(secret, ccmConfig).Build()
-				fakeLiveClient := fake.NewClientBuilder().WithRuntimeObjects(ccmConfig).Build()
 
 				r := &ReconcileCloudCredSecret{
 					Client:         fakeClient,
 					RootCredClient: fakeRootCredClient,
-					LiveClient:     fakeLiveClient,
 					Logger:         log.WithField("controller", "testController"),
 				}
 				_, err := r.Reconcile(context.TODO(), reconcile.Request{NamespacedName: types.NamespacedName{
@@ -281,13 +279,11 @@ func TestReconcileCloudCredSecret_Reconcile(t *testing.T) {
 				secret := testSecret(tc.cloudsYAML)
 				fakeClient := fake.NewClientBuilder().WithRuntimeObjects(infra, passthrough).Build()
 				fakeRootCredClient := fake.NewClientBuilder().WithRuntimeObjects(secret, ccmConfig).Build()
-				fakeLiveClient := fake.NewClientBuilder().WithRuntimeObjects(ccmConfig).Build()
 
 				t.Logf("clouds.yaml: %s", tc.cloudsYAML)
 				r := &ReconcileCloudCredSecret{
 					Client:         fakeClient,
 					RootCredClient: fakeRootCredClient,
-					LiveClient:     fakeLiveClient,
 					Logger:         log.WithField("controller", "testController"),
 				}
 

diff --git a/pkg/operator/secretannotator/secretannotator_controller.go b/pkg/operator/secretannotator/secretannotator_controller.go
@@ -40,19 +40,19 @@ func Add(mgr, rootCredentialManager manager.Manager, kubeconfig string) error {
 
 	switch platformType {
 	case configv1.AzurePlatformType:
-		return azure.Add(mgr, rootCredentialManager, azure.NewReconciler(mgr.GetClient(), rootCredentialManager))
+		return azure.Add(mgr, rootCredentialManager, azure.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient()))
 	case configv1.AWSPlatformType:
-		return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager))
+		return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient()))
 	case configv1.GCPPlatformType:
 		if infraStatus.PlatformStatus == nil || infraStatus.PlatformStatus.GCP == nil {
 			log.Fatalf("Missing GCP configuration in infrastructure platform status")
 		}
-		return gcp.Add(mgr, rootCredentialManager, gcp.NewReconciler(mgr.GetClient(), rootCredentialManager, infraStatus.PlatformStatus.GCP.ProjectID))
+		return gcp.Add(mgr, rootCredentialManager, gcp.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient(), infraStatus.PlatformStatus.GCP.ProjectID))
 	case configv1.VSpherePlatformType:
-		return vsphere.Add(mgr, rootCredentialManager, vsphere.NewReconciler(mgr.GetClient(), rootCredentialManager))
+		return vsphere.Add(mgr, rootCredentialManager, vsphere.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient()))
 	case configv1.OpenStackPlatformType:
-		return openstack.Add(mgr, rootCredentialManager, openstack.NewReconciler(mgr.GetClient(), rootCredentialManager))
+		return openstack.Add(mgr, rootCredentialManager, openstack.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient()))
 	default: // returning the AWS implementation for default to avoid changing any behavior
-		return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager))
+		return aws.Add(mgr, rootCredentialManager, aws.NewReconciler(mgr.GetClient(), rootCredentialManager.GetClient()))
 	}
 }
diff --git a/pkg/operator/secretannotator/vsphere/reconciler.go b/pkg/operator/secretannotator/vsphere/reconciler.go
@@ -58,10 +58,10 @@ type ReconcileCloudCredSecret struct {
 }
 
 // NewReconciler will return a reconciler for handling vSphere cloud cred secrets.
-func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler {
+func NewReconciler(client, rootCredClient client.Client) reconcile.Reconciler {
 	return &ReconcileCloudCredSecret{
-		Client:         c,
-		RootCredClient: mgr.GetClient(),
+		Client:         client,
+		RootCredClient: rootCredClient,
 		Logger:         log.WithField("controller", constants.SecretAnnotatorControllerName),
 	}
 }

diff --git a/pkg/operator/utils/client.go b/pkg/operator/utils/client.go
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,5 +16,3 @@ rules: @@
       - cloud-provider-config
       verbs:
       - get
-      - list
-      - watch