🐛 Failed to sync sa work-controller-sa in cluster manger hosted mode

deploy/cluster-manager/config/rbac/cluster_role.yaml

@@ -19,6 +19,7 @@ rules:
     - "work-webhook-sa-kubeconfig"
     - "placement-controller-sa-kubeconfig"
     - "work-controller-sa-kubeconfig"
+    - "addon-manager-controller-sa-kubeconfig"
     - "external-hub-kubeconfig"
 - apiGroups: [""]
   resources: ["secrets"]

deploy/cluster-manager/olm-catalog/cluster-manager/manifests/cluster-manager.clusterserviceversion.yaml

@@ -137,6 +137,7 @@ spec:
           - work-webhook-sa-kubeconfig
           - placement-controller-sa-kubeconfig
           - work-controller-sa-kubeconfig
+          - addon-manager-controller-sa-kubeconfig
           - external-hub-kubeconfig
           resources:
           - secrets

pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_controller.go

@@ -55,7 +55,8 @@ type clusterManagerController struct {
 	cache                resourceapply.ResourceCache
 	// For testcases which don't need these functions, we could set fake funcs
 	ensureSAKubeconfigs func(ctx context.Context, clusterManagerName, clusterManagerNamespace string,
-		hubConfig *rest.Config, hubClient, managementClient kubernetes.Interface, recorder events.Recorder) error
+		hubConfig *rest.Config, hubClient, managementClient kubernetes.Interface, recorder events.Recorder,
+		mwctrEnabled, addonManagerEnabled bool) error
 	generateHubClusterClients func(hubConfig *rest.Config) (kubernetes.Interface, apiextensionsclient.Interface,
 		migrationclient.StorageVersionMigrationsGetter, error)
 	skipRemoveCRDs bool
@@ -298,8 +299,9 @@ func generateHubClients(hubKubeConfig *rest.Config) (kubernetes.Interface, apiex
 // We create a ServiceAccount with a rolebinding on the hub cluster, and then use the token of the ServiceAccount as the user of the kubeconfig.
 // Finally, a deployment on the management cluster would use the kubeconfig to access resources on the hub cluster.
 func ensureSAKubeconfigs(ctx context.Context, clusterManagerName, clusterManagerNamespace string,
-	hubKubeConfig *rest.Config, hubClient, managementClient kubernetes.Interface, recorder events.Recorder) error {
-	for _, sa := range getSAs() {
+	hubKubeConfig *rest.Config, hubClient, managementClient kubernetes.Interface, recorder events.Recorder,
+	mwctrEnabled, addonManagerEnabled bool) error {
+	for _, sa := range getSAs(mwctrEnabled, addonManagerEnabled) {
 		tokenGetter := helpers.SATokenCreater(ctx, sa, clusterManagerNamespace, hubClient)
 		err := helpers.SyncKubeConfigSecret(ctx, sa+"-kubeconfig", clusterManagerNamespace, "/var/run/secrets/hub/kubeconfig", &rest.Config{
 			Host: hubKubeConfig.Host,

pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_controller_test.go

@@ -263,7 +263,10 @@ func setup(t *testing.T, tc *testController, cd []runtime.Object, crds ...runtim
 	tc.clusterManagerController.generateHubClusterClients = func(hubKubeConfig *rest.Config) (kubernetes.Interface, apiextensionsclient.Interface, migrationclient.StorageVersionMigrationsGetter, error) {
 		return fakeHubKubeClient, fakeAPIExtensionClient, fakeMigrationClient.MigrationV1alpha1(), nil
 	}
-	tc.clusterManagerController.ensureSAKubeconfigs = func(ctx context.Context, clusterManagerName, clusterManagerNamespace string, hubConfig *rest.Config, hubClient, managementClient kubernetes.Interface, recorder events.Recorder) error {
+	tc.clusterManagerController.ensureSAKubeconfigs = func(ctx context.Context,
+		clusterManagerName, clusterManagerNamespace string, hubConfig *rest.Config,
+		hubClient, managementClient kubernetes.Interface, recorder events.Recorder,
+		mwctrEnabled, addonManagerEnabled bool) error {
 		return nil
 	}
 }

pkg/operator/operators/clustermanager/controllers/clustermanagercontroller/clustermanager_runtime_reconcile.go

@@ -48,7 +48,8 @@ type runtimeReconcile struct {
 	hubKubeConfig *rest.Config
 
 	ensureSAKubeconfigs func(ctx context.Context, clusterManagerName, clusterManagerNamespace string,
-		hubConfig *rest.Config, hubClient, managementClient kubernetes.Interface, recorder events.Recorder) error
+		hubConfig *rest.Config, hubClient, managementClient kubernetes.Interface, recorder events.Recorder,
+		mwctrEnabled, addonManagerEnabled bool) error
 
 	cache    resourceapply.ResourceCache
 	recorder events.Recorder
@@ -77,7 +78,9 @@ func (c *runtimeReconcile) reconcile(ctx context.Context, cm *operatorapiv1.Clus
 	// Before this step, the serviceaccounts in the hub cluster and the namespace in the management cluster should be applied first.
 	if cm.Spec.DeployOption.Mode == operatorapiv1.InstallModeHosted {
 		clusterManagerNamespace := helpers.ClusterManagerNamespace(cm.Name, cm.Spec.DeployOption.Mode)
-		err := c.ensureSAKubeconfigs(ctx, cm.Name, clusterManagerNamespace, c.hubKubeConfig, c.hubKubeClient, c.kubeClient, c.recorder)
+		err := c.ensureSAKubeconfigs(ctx, cm.Name, clusterManagerNamespace,
+			c.hubKubeConfig, c.hubKubeClient, c.kubeClient, c.recorder,
+			config.MWReplicaSetEnabled, config.AddOnManagerEnabled)
 		if err != nil {
 			meta.SetStatusCondition(&cm.Status.Conditions, metav1.Condition{
 				Type:    clusterManagerApplied,
@@ -190,12 +193,18 @@ func (c *runtimeReconcile) clean(ctx context.Context, cm *operatorapiv1.ClusterM
 }
 
 // getSAs return serviceaccount names of all hub components
-func getSAs() []string {
-	return []string{
+func getSAs(mwctrEnabled, addonManagerEnabled bool) []string {
+	sas := []string{
 		"registration-controller-sa",
 		"registration-webhook-sa",
 		"work-webhook-sa",
 		"placement-controller-sa",
-		"work-controller-sa",
 	}
+	if mwctrEnabled {
+		sas = append(sas, "work-controller-sa")
+	}
+	if addonManagerEnabled {
+		sas = append(sas, "addon-manager-controller-sa")
+	}
+	return sas
 }