From a4fd1ec0ded9d9e2faf649c21af6659f6fb6d463 Mon Sep 17 00:00:00 2001
From: Stephen Finucane
Date: Wed, 21 May 2025 12:46:18 +0100
Subject: [PATCH 1/3] manifests: Rename existing Role, RoleBinding manifests
Reflect their respective namespaces.
Signed-off-by: Stephen Finucane
---
...nfig-role-binding.yaml => 01-config-managed-role-binding.yaml} | 0
manifests/{01-config-role.yaml => 01-config-managed-role.yaml} | 0
2 files changed, 0 insertions(+), 0 deletions(-)
rename manifests/{01-config-role-binding.yaml => 01-config-managed-role-binding.yaml} (100%)
rename manifests/{01-config-role.yaml => 01-config-managed-role.yaml} (100%)
diff --git a/manifests/01-config-role-binding.yaml b/manifests/01-config-managed-role-binding.yaml
similarity index 100%
rename from manifests/01-config-role-binding.yaml
rename to manifests/01-config-managed-role-binding.yaml
diff --git a/manifests/01-config-role.yaml b/manifests/01-config-managed-role.yaml
similarity index 100%
rename from manifests/01-config-role.yaml
rename to manifests/01-config-managed-role.yaml
From a625272a1cda496f44df0225fa02eaac08d646cf Mon Sep 17 00:00:00 2001
From: Stephen Finucane
Date: Wed, 21 May 2025 12:48:46 +0100
Subject: [PATCH 2/3] manifests: Add Role, RoleBinding for openshift-config/cloud-provider-config CM
Signed-off-by: Stephen Finucane
---
manifests/01-config-role-binding.yaml | 17 +++++++++++++++++
manifests/01-config-role.yaml | 20 ++++++++++++++++++++
2 files changed, 37 insertions(+)
create mode 100644 manifests/01-config-role-binding.yaml
create mode 100644 manifests/01-config-role.yaml
diff --git a/manifests/01-config-role-binding.yaml b/manifests/01-config-role-binding.yaml
new file mode 100644
index 0000000000..3f79cbbfa6
--- /dev/null
+++ b/manifests/01-config-role-binding.yaml
@@ -0,0 +1,17 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cloud-credential-operator
+ namespace: openshift-config
+ annotations:
+ capability.openshift.io/name: CloudCredential
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+subjects:
+- kind: ServiceAccount
+ name: cloud-credential-operator
+ namespace: openshift-cloud-credential-operator
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: cloud-credential-operator-role
diff --git a/manifests/01-config-role.yaml b/manifests/01-config-role.yaml
new file mode 100644
index 0000000000..a914914416
--- /dev/null
+++ b/manifests/01-config-role.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cloud-credential-operator-role
+ namespace: openshift-config
+ annotations:
+ capability.openshift.io/name: CloudCredential
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ - cloud-provider-config
+ verbs:
+ - get
+ - list
+ - watch
From a87b3b4d09e3d0a12cc87673282a7729048e4c93 Mon Sep 17 00:00:00 2001
From: Stephen Finucane
Date: Wed, 28 May 2025 14:55:25 +0100
Subject: [PATCH 3/3] openstack: Use a "live client" for fetching config map
Unlike the other clients, this one does not use caching (which requires the operator have cluster-wide access to config maps). This is the same thing done for AWS.
Signed-off-by: Stephen Finucane
---
pkg/operator/secretannotator/openstack/reconciler.go | 6 +++++-
pkg/operator/secretannotator/openstack/reconciler_test.go | 4 ++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkg/operator/secretannotator/openstack/reconciler.go b/pkg/operator/secretannotator/openstack/reconciler.go
index e677a13278..fed4db31a6 100644
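Review bot: The `list` and `watch` verbs in the new Role are effectively dead permissions: Kubernetes RBAC honours `resourceNames` for list/watch only when the request carries a `metadata.name` field selector for that exact name, so an informer-style namespace-wide list/watch of configmaps is denied regardless, while the only consumer visible in this series (the `LiveClient.Get` in patch 3) needs just `get`. Unless something else performs a name-selected list/watch of `cloud-provider-config`, trimming the rule to `verbs: [get]` keeps the grant minimal and makes the intent of the `resourceNames` scoping unambiguous. A short comment above `resourceNames` such as `# Read by name only: the operator fetches this CM with a direct (uncached) GET, so no namespace-wide list/watch is granted` would record why the Role is narrower than the operator's other configmap access.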
--- a/pkg/operator/secretannotator/openstack/reconciler.go
+++ b/pkg/operator/secretannotator/openstack/reconciler.go
@@ -53,6 +53,7 @@ func NewReconciler(c client.Client, mgr manager.Manager) reconcile.Reconciler {
 r := &ReconcileCloudCredSecret{
 Client: c,
 RootCredClient: mgr.GetClient(),
+ LiveClient: utils.LiveClient(mgr),
 Logger: log.WithField("controller", constants.SecretAnnotatorControllerName),
 }
@@ -106,6 +107,7 @@ var _ reconcile.Reconciler = &ReconcileCloudCredSecret{}
 type ReconcileCloudCredSecret struct {
 Client client.Client
 RootCredClient client.Client
+ LiveClient client.Client
 Logger log.FieldLogger
 }
@@ -150,6 +152,8 @@ func (r *ReconcileCloudCredSecret) Reconcile(ctx context.Context, request reconc
 return reconcile.Result{}, errors.New(msg)
 }
+ r.Logger.Info("verifying clouds.yaml and syncing cacert (if any)")
+
 secret := &corev1.Secret{}
 err = r.RootCredClient.Get(context.Background(), request.NamespacedName, secret)
 if err != nil {
@@ -168,7 +172,7 @@ func (r *ReconcileCloudCredSecret) Reconcile(ctx context.Context, request reconc
 // TODO(stephenfin): Remove this syncer in a future release once CCM no longer
 // relies on the legacy place during bootstrapping.
 config := &corev1.ConfigMap{}
- err = r.RootCredClient.Get(context.Background(), types.NamespacedName{Namespace: "openshift-config", Name: "cloud-provider-config"}, config)
+ err = r.LiveClient.Get(context.Background(), types.NamespacedName{Namespace: "openshift-config", Name: "cloud-provider-config"}, config)
 if err != nil {
 r.Logger.Debugf("cloud provider config not found: %v", err)
 return reconcile.Result{}, err
diff --git a/pkg/operator/secretannotator/openstack/reconciler_test.go b/pkg/operator/secretannotator/openstack/reconciler_test.go
index 32aab010c0..6d8f24083c 100644
--- a/pkg/operator/secretannotator/openstack/reconciler_test.go
+++ b/pkg/operator/secretannotator/openstack/reconciler_test.go
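Review bot: The new `LiveClient` field in `ReconcileCloudCredSecret` has no doc comment, and of the three clients it is the one whose contract is least obvious from its name: it exists precisely so that the `openshift-config/cloud-provider-config` read does not go through the informer cache, whose namespace-wide list/watch the narrowly scoped Role from patch 2 would not permit. Without that written down, the next maintainer is likely to "simplify" the lookup back to the cached client and only discover the RBAC failure at runtime. Suggest `// LiveClient reads directly from the API server, bypassing the informer cache. Use it for the openshift-config/cloud-provider-config lookup, whose RBAC is scoped by resourceNames and cannot satisfy the cache's list/watch.` above the field.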
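Review bot: The rewritten `Get` on the new side still passes `context.Background()` even though `Reconcile` receives `ctx` (visible in the hunk header), and with `LiveClient` this call is now a real round-trip to the API server on every reconcile rather than a cache lookup, so a cancelled or shutting-down reconcile can no longer abort it. Change the line to `err = r.LiveClient.Get(ctx, types.NamespacedName{Namespace: "openshift-config", Name: "cloud-provider-config"}, config)`. Relatedly, the `Debugf("cloud provider config not found: %v", err)` below now also swallows Forbidden and transient API errors from the live call under a "not found" wording at debug level, which would hide a misconfigured Role; if an `apierrors` import is available in this file, distinguishing `IsNotFound` from other errors and logging the latter at a higher level would make that failure visible. `Reconcile` itself starts and ends outside this hunk.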
@@ -190,10 +190,12 @@ func TestReconcileCloudCredSecret_Reconcile(t *testing.T) {
 existing := append(tc.existing, infra, testOperatorConfig(tc.mode))
 fakeClient := fake.NewClientBuilder().WithRuntimeObjects(existing...).Build()
 fakeRootCredClient := fake.NewClientBuilder().WithRuntimeObjects(secret, ccmConfig).Build()
+ fakeLiveClient := fake.NewClientBuilder().WithRuntimeObjects(ccmConfig).Build()
 r := &ReconcileCloudCredSecret{
 Client: fakeClient,
 RootCredClient: fakeRootCredClient,
+ LiveClient: fakeLiveClient,
 Logger: log.WithField("controller", "testController"),
 }
 _, err := r.Reconcile(context.TODO(), reconcile.Request{NamespacedName: types.NamespacedName{
@@ -279,11 +281,13 @@ func TestReconcileCloudCredSecret_Reconcile(t *testing.T) {
 secret := testSecret(tc.cloudsYAML)
 fakeClient := fake.NewClientBuilder().WithRuntimeObjects(infra, passthrough).Build()
 fakeRootCredClient := fake.NewClientBuilder().WithRuntimeObjects(secret, ccmConfig).Build()
+ fakeLiveClient := fake.NewClientBuilder().WithRuntimeObjects(ccmConfig).Build()
 t.Logf("clouds.yaml: %s", tc.cloudsYAML)
 r := &ReconcileCloudCredSecret{
 Client: fakeClient,
 RootCredClient: fakeRootCredClient,
+ LiveClient: fakeLiveClient,
 Logger: log.WithField("controller", "testController"),
 }
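Review bot: The test still seeds `ccmConfig` into `fakeRootCredClient` as well as the new `fakeLiveClient`, so it cannot tell which client the reconciler used to read the config map — a regression back to `RootCredClient.Get` for `cloud-provider-config` would pass this test unchanged. If nothing else in this test reads the config map through the root-cred client, build it as `fakeRootCredClient := fake.NewClientBuilder().WithRuntimeObjects(secret).Build()` so the live-client path is the only one that can succeed. The enclosing test function starts before this hunk and continues after it.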