
Conversation

@openshift-cherrypick-robot

This is an automated cherry-pick of #2850

/assign pliurh

This commit introduces several improvements to the whereabouts-token-watcher DaemonSet:
- Corrects a typo in the description.
- Adds logging helper functions for better script output.
- Ensures the service account token is read dynamically during kubeconfig generation.
- Fixes the logical grouping in the CA file change detection condition.
- Increases the kubeconfig regeneration check interval to 60 seconds.
- Mounts the host's CNI network directory for proper CNI configuration management.

Signed-off-by: Peng Liu <pliu@redhat.com>
@coderabbitai

coderabbitai bot commented Dec 11, 2025

Walkthrough

Updated the whereabouts-token-watcher DaemonSet: enabled hostNetwork, added a hostPath CNI config volume and mount, refactored the watcher startup script (logging helpers, token read from service account file, kubeconfig generation), adjusted TLS/CA handling, and increased watch loop sleep to 60s.

Changes

Cohort / File(s) Summary
whereabouts-token-watcher DaemonSet
bindata/network/multus/multus.yaml
Added hostNetwork: true. Mounted cni-net-dir at /host/etc/cni/net.d and added hostPath volume pointing to {{ .SystemCNIConfDir }}. Minor metadata description edits.
whereabouts-token-watcher startup script (in the DaemonSet container)
bindata/network/multus/multus.yaml (container command/script)
Added logging helpers (log, warn, error), introduced WHEREABOUTS_KUBECONFIG env var, changed token retrieval to read from SERVICE_ACCOUNT_TOKEN_PATH file and updated kubeconfig token usage, refined TLS/CA presence and verification condition grouping, replaced immediate echoes with log, and increased watch loop sleep from 1s to 60s.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

  • Verify token file reading and kubeconfig token placement in the generated kubeconfig.
  • Review TLS/CA conditional logic to ensure intended verification behavior.
  • Validate hostNetwork implications and security considerations.
  • Confirm hostPath SystemCNIConfDir path and mount usage inside the container.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 9e24c8a and 5d9bd03.

📒 Files selected for processing (1)
  • bindata/network/multus/multus.yaml (7 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • bindata/network/multus/multus.yaml
🔇 Additional comments (1)
bindata/network/multus/multus.yaml (1)

957-957: Well-designed improvements to whereabouts-token-watcher; note sleep interval trade-off.

The refactoring improves the token watcher significantly:

  • Dynamic token reading from file (line 1026) correctly picks up token rotations
  • Explicit TLS verification logic (line 1063) is clearer and more robust
  • Logging helpers (lines 975-978) follow established patterns in the codebase
  • Volume mount addition (lines 1081-1082, 1098-1101) properly enables kubeconfig writes to host

The sleep interval increase from 1s to 60s (line 1070) is a meaningful performance optimization that reduces polling overhead. However, this introduces up to a 60-second delay in detecting token/CA changes. For token rotation scenarios requiring faster detection, this trade-off should be acceptable given the reduced system load, but monitoring for actual impact in production is recommended.

Also applies to: 975-978, 1026-1026, 1063-1063, 1070-1070


Comment @coderabbitai help to get the list of available commands and usage tips.
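The watcher that the PR description and the review above describe (token read from the service account file at generation time, CA-aware kubeconfig generation, change detection over token and CA, a 60-second poll), as an added example that is not the multus.yaml script from this PR. SA_DIR, KUBECONFIG_OUT, KUBE_SERVER, CHECK_INTERVAL and the whereabouts.d file name are assumptions; the example also goes slightly beyond the page by writing the file with owner-only permissions and an atomic rename, since it carries a bearer token onto the host filesystem.

```shell
# Added example, not the multus.yaml script. Placeholders: SA_DIR, KUBECONFIG_OUT,
# KUBE_SERVER, CHECK_INTERVAL; /host/etc/cni/net.d is the host mount the PR adds.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"
KUBECONFIG_OUT="${KUBECONFIG_OUT:-/host/etc/cni/net.d/whereabouts.d/whereabouts.kubeconfig}"
KUBE_SERVER="${KUBE_SERVER:-https://kubernetes.default.svc}"
CHECK_INTERVAL="${CHECK_INTERVAL:-60}"
log()   { echo "$(date -u +%FT%TZ) [INFO]  $*"; }
warn()  { echo "$(date -u +%FT%TZ) [WARN]  $*" >&2; }
error() { echo "$(date -u +%FT%TZ) [ERROR] $*" >&2; }
# One hash over token and CA: a rotation of either changes the fingerprint.
fingerprint() { cat "$1/token" "$1/ca.crt" 2>/dev/null | sha256sum | cut -d' ' -f1; }
# Write the kubeconfig, reading the token at write time (never cached at startup).
generate_kubeconfig() {
  sa_dir="$1"; out="$2"; server="$3"
  token=$(cat "$sa_dir/token" 2>/dev/null) || return 1   # missing token: caller retries
  [ -n "$token" ] || return 1
  if [ -s "$sa_dir/ca.crt" ]; then
    tls="certificate-authority-data: $(base64 < "$sa_dir/ca.crt" | tr -d '\n')"
  else
    warn "no CA file in $sa_dir; apiserver TLS will not be verified"
    tls="insecure-skip-tls-verify: true"
  fi
  umask 077   # the file carries a bearer token: owner-only on the host
  cat > "$out.tmp" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
    server: $server
    $tls
users:
- name: whereabouts
  user: {token: $token}
contexts:
- name: whereabouts-context
  context: {cluster: local, user: whereabouts}
current-context: whereabouts-context
EOF
  mv "$out.tmp" "$out"   # atomic replace: readers never see a partial file
}
watch_loop() {
  last=""
  while :; do
    cur=$(fingerprint "$SA_DIR")
    if [ "$cur" != "$last" ]; then
      if generate_kubeconfig "$SA_DIR" "$KUBECONFIG_OUT" "$KUBE_SERVER"; then
        log "kubeconfig regenerated at $KUBECONFIG_OUT"; last="$cur"
      else
        error "token missing in $SA_DIR; retrying in ${CHECK_INTERVAL}s"
      fi
    fi
    sleep "$CHECK_INTERVAL"   # 60s bounds how long a rotated token goes unnoticed
  done
}
```

The container would run `watch_loop` as its command; on a transient missing token the previous kubeconfig is left in place rather than replaced with an empty one.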

@openshift-ci-robot
Contributor

@openshift-cherrypick-robot: Jira Issue OCPBUGS-66412 has been cloned as Jira Issue OCPBUGS-67208. Will retitle bug to link to clone.
/retitle [release-4.19] OCPBUGS-67208: Fix whereabouts-token-watcher DaemonSet improvements

Details

In response to this:

This is an automated cherry-pick of #2850

/assign pliurh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot changed the title [release-4.19] OCPBUGS-66412: Fix whereabouts-token-watcher DaemonSet improvements [release-4.19] OCPBUGS-67208: Fix whereabouts-token-watcher DaemonSet improvements Dec 11, 2025
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 11, 2025
@openshift-ci-robot
Contributor

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-67208, which is invalid:

  • expected dependent Jira Issue OCPBUGS-66412 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This is an automated cherry-pick of #2850

/assign pliurh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from danwinship and pliurh December 11, 2025 06:59
@openshift-ci
Contributor

openshift-ci bot commented Dec 11, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-cherrypick-robot
Once this PR has been reviewed and has the lgtm label, please assign kyrtapz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@pliurh
Contributor

pliurh commented Dec 11, 2025

@coderabbitai review

@coderabbitai

coderabbitai bot commented Dec 11, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@pliurh
Contributor

pliurh commented Dec 11, 2025

@coderabbitai help

@coderabbitai

coderabbitai bot commented Dec 11, 2025

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
    • @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
    • @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai generate unit tests to generate unit tests for this PR.
  • @coderabbitai resolve to resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit configuration file (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, support, documentation and community

  • Visit our status page to check the current availability of CodeRabbit.
  • Create a ticket on our support page for assistance with any issues or questions.
  • Visit our documentation site for detailed information on how to use CodeRabbit.
  • Join our Discord community to connect with other users and get help from the community.
  • Follow us on X/Twitter for updates and announcements.

@pliurh
Contributor

pliurh commented Dec 11, 2025

@coderabbitai configuration

@coderabbitai

coderabbitai bot commented Dec 11, 2025

CodeRabbit configuration
language: en-US
tone_instructions: ''
early_access: false
enable_free_tier: true
reviews:
  profile: chill
  request_changes_workflow: false
  high_level_summary: false
  high_level_summary_instructions: ''
  high_level_summary_placeholder: '@coderabbitai summary'
  high_level_summary_in_walkthrough: false
  auto_title_placeholder: '@coderabbitai'
  auto_title_instructions: ''
  review_status: true
  commit_status: true
  fail_commit_status: false
  collapse_walkthrough: false
  changed_files_summary: true
  sequence_diagrams: false
  estimate_code_review_effort: true
  assess_linked_issues: true
  related_issues: true
  related_prs: true
  suggested_labels: true
  labeling_instructions: []
  auto_apply_labels: false
  suggested_reviewers: true
  auto_assign_reviewers: false
  in_progress_fortune: true
  poem: false
  path_filters:
    - '!vendor/**'
    - '!**/vendor/**'
  path_instructions:
    - path: '**'
      instructions: >-
        -Focus on major issues impacting performance, readability,
        maintainability and security. Avoid nitpicks and avoid verbosity.
  abort_on_close: true
  disable_cache: false
  auto_review:
    enabled: true
    auto_incremental_review: true
    ignore_title_keywords:
      - WIP
      - do-not-merge
      - work-in-progress
    labels:
      - '!do-not-merge/work-in-progress'
    drafts: false
    base_branches: []
    ignore_usernames: []
  finishing_touches:
    docstrings:
      enabled: true
    unit_tests:
      enabled: true
  pre_merge_checks:
    docstrings:
      mode: 'off'
      threshold: 80
    title:
      mode: 'off'
      requirements: ''
    description:
      mode: 'off'
    issue_assessment:
      mode: 'off'
    custom_checks: []
  tools:
    ast-grep:
      rule_dirs: []
      util_dirs: []
      essential_rules: true
      packages: []
    shellcheck:
      enabled: true
    ruff:
      enabled: true
    markdownlint:
      enabled: true
    github-checks:
      enabled: true
      timeout_ms: 90000
    languagetool:
      enabled: true
      enabled_rules: []
      disabled_rules: []
      enabled_categories: []
      disabled_categories: []
      enabled_only: false
      level: default
    biome:
      enabled: true
    hadolint:
      enabled: true
    swiftlint:
      enabled: true
    phpstan:
      enabled: true
      level: default
    phpmd:
      enabled: true
    phpcs:
      enabled: true
    golangci-lint:
      enabled: true
    yamllint:
      enabled: true
    gitleaks:
      enabled: true
    checkov:
      enabled: true
    detekt:
      enabled: true
    eslint:
      enabled: true
    flake8:
      enabled: true
    rubocop:
      enabled: true
    buf:
      enabled: true
    regal:
      enabled: true
    actionlint:
      enabled: true
    pmd:
      enabled: true
    clang:
      enabled: true
    cppcheck:
      enabled: true
    semgrep:
      enabled: true
    circleci:
      enabled: true
    clippy:
      enabled: true
    sqlfluff:
      enabled: true
    prismaLint:
      enabled: true
    pylint:
      enabled: true
    oxc:
      enabled: true
    shopifyThemeCheck:
      enabled: true
    luacheck:
      enabled: true
    brakeman:
      enabled: true
    dotenvLint:
      enabled: true
    htmlhint:
      enabled: true
    checkmake:
      enabled: true
    osvScanner:
      enabled: true
chat:
  art: true
  auto_reply: true
  integrations:
    jira:
      usage: disabled
    linear:
      usage: disabled
knowledge_base:
  opt_out: true
  web_search:
    enabled: true
  code_guidelines:
    enabled: true
    filePatterns: []
  learnings:
    scope: local
  issues:
    scope: auto
  jira:
    usage: disabled
    project_keys: []
  linear:
    usage: disabled
    team_keys: []
  pull_requests:
    scope: auto
  mcp:
    usage: disabled
    disabled_servers: []
code_generation:
  docstrings:
    language: en-US
    path_instructions: []
  unit_tests:
    path_instructions: []
issue_enrichment:
  auto_enrich:
    enabled: true
  planning:
    enabled: true
  labeling:
    labeling_instructions: []
    auto_apply_labels: false

@pliurh
Contributor

pliurh commented Dec 11, 2025

@coderabbitai full review

@coderabbitai

coderabbitai bot commented Dec 11, 2025

✅ Actions performed

Full review triggered.

@pliurh
Contributor

pliurh commented Dec 15, 2025

/retest

@openshift-ci
Contributor

openshift-ci bot commented Dec 15, 2025

@openshift-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security 5d9bd03 link false /test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@pliurh
Contributor

pliurh commented Dec 17, 2025

@yingwang-0320 can you help with the pre-merge test?

@pliurh
Contributor

pliurh commented Dec 17, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 17, 2025
@openshift-ci-robot
Contributor

@pliurh: This pull request references Jira Issue OCPBUGS-67208, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.z) matches configured target version for branch (4.19.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-66412 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-66412 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (weliang@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@pliurh
Contributor

pliurh commented Dec 17, 2025

/retest-required
