tests: switch to custom FCOS image with CRI-O via coreos-assembler

Build a custom FCOS qcow2 with CRI-O and Kubernetes packages baked in
using coreos-assembler. This replaces the vanilla FCOS + containerd
approach, eliminating the SELinux permissive workaround (CRI-O has
native SELinux support and properly labels privileged containers).

The test VM image build is now a multi-stage Containerfile:
1. Build a bootable container (FROM fcos, add K8s + CRI-O repos, dnf
   install) via inner podman build
2. Use cosa import + cosa osbuild qemu to produce the qcow2
3. Copy the qcow2 into the final test harness image

The config.bu is simplified: no more K8s binary downloads, containerd
config, CNI plugins install, or SELinux permissive hack.

Also fix daemon DaemonSet ServiceAccount name mismatch with kustomize
namePrefix by making it configurable via DAEMON_SERVICE_ACCOUNT env
var, and removing the operator-managed ServiceAccount (now deployed by
kustomize). Fix DAEMON_SERVICE_ACCOUNT substitution in build-installer.

Assisted-by: OpenCode (Claude Opus 4.6)

Author: jlebon

.gitignore

@@ -5,3 +5,4 @@
 # kubebuilder build artifacts
 /bin/
 /cover.out
+/dist/

Makefile

@@ -171,6 +171,12 @@ build-installer: manifests generate kustomize ## Generate a consolidated YAML wi
 	cd config/manager && "$(KUSTOMIZE)" edit set image controller=${IMG}
 	@sed -i 's|value: daemon:latest|value: $(DAEMON_IMG)|' config/manager/manager.yaml
 	"$(KUSTOMIZE)" build config/default > dist/install.yaml
+	@# Kustomize applies namePrefix to resource names (including the
+	@# ServiceAccount) but not to env var values. Patch the generated
+	@# install.yaml so DAEMON_SERVICE_ACCOUNT matches the actual SA name.
+	@grep -q 'namePrefix' config/default/kustomization.yaml && \
+		prefix=$$(grep 'namePrefix:' config/default/kustomization.yaml | awk '{print $$2}') && \
+		sed -i "s|value: bootc-daemon|value: $${prefix}bootc-daemon|" dist/install.yaml || true
 	@sed -i 's|value: $(DAEMON_IMG)|value: daemon:latest|' config/manager/manager.yaml
 
 ##@ Deployment

cmd/operator/main.go

@@ -202,6 +202,11 @@ func main() {
 		os.Exit(1)
 	}
 
+	daemonServiceAccount := os.Getenv("DAEMON_SERVICE_ACCOUNT")
+	if daemonServiceAccount == "" {
+		daemonServiceAccount = "bootc-daemon"
+	}
+
 	if err := (&controller.BootcNodePoolReconciler{
 		Client:            mgr.GetClient(),
 		Scheme:            mgr.GetScheme(),
@@ -218,10 +223,11 @@ func main() {
 	// The reconciler ensures the DaemonSet exists with the correct
 	// image and watches for drift.
 	dsReconciler := &controller.DaemonSetReconciler{
-		Client:    mgr.GetClient(),
-		Scheme:    mgr.GetScheme(),
-		Namespace: operatorNamespace,
-		Image:     daemonImage,
+		Client:         mgr.GetClient(),
+		Scheme:         mgr.GetScheme(),
+		Namespace:      operatorNamespace,
+		Image:          daemonImage,
+		ServiceAccount: daemonServiceAccount,
 	}
 	if err := dsReconciler.SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "Failed to create controller", "controller", "DaemonSet")

config/manager/manager.yaml

@@ -68,6 +68,8 @@ spec:
         env:
           - name: DAEMON_IMAGE
             value: daemon:latest
+          - name: DAEMON_SERVICE_ACCOUNT
+            value: bootc-daemon
           - name: OPERATOR_NAMESPACE
             valueFrom:
               fieldRef:

config/rbac/role.yaml

@@ -36,17 +36,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - ""
   - events.k8s.io

internal/controller/daemonset.go

@@ -52,13 +52,13 @@ const (
 // The DaemonSet is a cluster-singleton owned by the operator.
 type DaemonSetReconciler struct {
 	client.Client
-	Scheme    *runtime.Scheme
-	Namespace string
-	Image     string
+	Scheme         *runtime.Scheme
+	Namespace      string
+	Image          string
+	ServiceAccount string
 }
 
 // +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
 
 // Reconcile ensures the daemon DaemonSet exists and has the correct
 // image. It creates the DaemonSet if it does not exist, and updates
@@ -71,11 +71,6 @@ func (r *DaemonSetReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		return ctrl.Result{}, nil
 	}
 
-	// Ensure the ServiceAccount exists.
-	if err := r.ensureServiceAccount(ctx); err != nil {
-		return ctrl.Result{}, fmt.Errorf("ensuring ServiceAccount: %w", err)
-	}
-
 	// Check if the DaemonSet already exists.
 	existing := &appsv1.DaemonSet{}
 	err := r.Get(ctx, types.NamespacedName{Name: daemonSetName, Namespace: r.Namespace}, existing)
@@ -105,11 +100,6 @@ func (r *DaemonSetReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 func (r *DaemonSetReconciler) EnsureDaemonSet(ctx context.Context) error {
 	log := logf.FromContext(ctx).WithName("daemonset")
 
-	// Ensure the ServiceAccount exists first.
-	if err := r.ensureServiceAccount(ctx); err != nil {
-		return fmt.Errorf("ensuring ServiceAccount: %w", err)
-	}
-
 	existing := &appsv1.DaemonSet{}
 	err := r.Get(ctx, types.NamespacedName{Name: daemonSetName, Namespace: r.Namespace}, existing)
 	if errors.IsNotFound(err) {
@@ -128,24 +118,6 @@ func (r *DaemonSetReconciler) EnsureDaemonSet(ctx context.Context) error {
 	return r.updateDaemonSetIfNeeded(ctx, existing)
 }
 
-// ensureServiceAccount creates the daemon ServiceAccount if it does
-// not exist.
-func (r *DaemonSetReconciler) ensureServiceAccount(ctx context.Context) error {
-	sa := &corev1.ServiceAccount{}
-	err := r.Get(ctx, types.NamespacedName{Name: daemonSetName, Namespace: r.Namespace}, sa)
-	if errors.IsNotFound(err) {
-		sa = &corev1.ServiceAccount{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      daemonSetName,
-				Namespace: r.Namespace,
-				Labels:    daemonLabels(),
-			},
-		}
-		return r.Create(ctx, sa)
-	}
-	return err
-}
-
 // updateDaemonSetIfNeeded updates the DaemonSet's daemon container
 // image if it differs from the desired image.
 func (r *DaemonSetReconciler) updateDaemonSetIfNeeded(ctx context.Context, existing *appsv1.DaemonSet) error {
@@ -190,7 +162,7 @@ func (r *DaemonSetReconciler) buildDaemonSet() *appsv1.DaemonSet {
 					},
 				},
 				Spec: corev1.PodSpec{
-					ServiceAccountName: daemonSetName,
+					ServiceAccountName: r.ServiceAccount,
 					// Run on all nodes except those with the skip label.
 					Affinity: &corev1.Affinity{
 						NodeAffinity: &corev1.NodeAffinity{

internal/controller/daemonset_test.go

@@ -43,10 +43,11 @@ var _ = Describe("DaemonSet Reconciler", func() {
 	BeforeEach(func() {
 		ctx = context.Background()
 		reconciler = &DaemonSetReconciler{
-			Client:    k8sClient,
-			Scheme:    k8sClient.Scheme(),
-			Namespace: testNamespace,
-			Image:     testDaemonImg,
+			Client:         k8sClient,
+			Scheme:         k8sClient.Scheme(),
+			Namespace:      testNamespace,
+			Image:          testDaemonImg,
+			ServiceAccount: daemonSetName,
 		}
 	})
 
@@ -61,15 +62,6 @@ var _ = Describe("DaemonSet Reconciler", func() {
 			_ = k8sClient.Delete(ctx, ds)
 		}
 
-		// Clean up the ServiceAccount if it exists.
-		sa := &corev1.ServiceAccount{}
-		err = k8sClient.Get(ctx, types.NamespacedName{
-			Name:      daemonSetName,
-			Namespace: testNamespace,
-		}, sa)
-		if err == nil {
-			_ = k8sClient.Delete(ctx, sa)
-		}
 	})
 
 	Context("EnsureDaemonSet", func() {
@@ -114,13 +106,8 @@ var _ = Describe("DaemonSet Reconciler", func() {
 			Expect(ds.Spec.Template.Spec.Tolerations).To(HaveLen(1))
 			Expect(string(ds.Spec.Template.Spec.Tolerations[0].Operator)).To(Equal(string(corev1.TolerationOpExists)))
 
-			// Verify ServiceAccount was created.
-			sa := &corev1.ServiceAccount{}
-			Expect(k8sClient.Get(ctx, types.NamespacedName{
-				Name:      daemonSetName,
-				Namespace: testNamespace,
-			}, sa)).To(Succeed())
-			Expect(sa.Labels["app.kubernetes.io/name"]).To(Equal(daemonSetName))
+			// Verify ServiceAccountName is set on the pod spec.
+			Expect(ds.Spec.Template.Spec.ServiceAccountName).To(Equal(daemonSetName))
 		})
 
 		It("should be idempotent when DaemonSet already exists", func() {

tests/k8s/Containerfile

@@ -1,20 +1,42 @@
-FROM quay.io/fedora/fedora-minimal
-
+# Stage 1: runtime tools for running the test VM
+FROM quay.io/fedora/fedora-minimal AS base
 ARG DNF_FLAGS="-y --setopt=install_weak_deps=False"
 RUN dnf install ${DNF_FLAGS} \
         qemu-system-x86-core qemu-img butane virtiofsd \
         openssh-clients curl xz jq && \
     dnf clean all
 
-# Download the latest stable FCOS qemu qcow2 image.
-RUN STREAM=https://builds.coreos.fedoraproject.org/streams/stable.json && \
-    URL=$(curl -sSfL "${STREAM}" | \
-      jq -r '.architectures.x86_64.artifacts.qemu.formats["qcow2.xz"].disk.location') && \
-    mkdir -p /usr/share/fcos && \
-    curl -sSfL "${URL}" | xzcat > /usr/share/fcos/image.qcow2
+# Stage 2: build a custom FCOS qcow2 with CRI-O + Kubernetes baked in.
+# This stage requires --device /dev/kvm and --security-opt label=disable
+# at build time (passed by run.sh).
+FROM quay.io/coreos-assembler/coreos-assembler:latest AS qcow2-builder
+USER root
+COPY Containerfile.fcos /tmp/Containerfile.fcos
+# Build the bootable container image using an inner podman build.
+# Run as root to avoid user namespace issues inside the build container.
+# Save as OCI archive so the builder user (cosa) can access it.
+RUN podman build --storage-driver overlay \
+        -t localhost/fcos-k8s:latest -f /tmp/Containerfile.fcos /tmp && \
+    podman save --format oci-archive -o /tmp/fcos-k8s.ociarchive \
+        localhost/fcos-k8s:latest && \
+    podman rmi localhost/fcos-k8s:latest
+# Import the OCI archive into cosa and build a qcow2.
+# cosa needs builds/ and tmp/ dirs; we skip `cosa init` since we don't
+# need a config git repo for the import-only workflow.
+USER builder
+WORKDIR /srv
+RUN mkdir -p builds tmp cache && \
+    cosa import oci-archive:/tmp/fcos-k8s.ociarchive && \
+    cosa osbuild qemu
 
+# Stage 3: final test harness image
+FROM base
+RUN mkdir -p /usr/share/fcos
+# Copy the qcow2 from the cosa build. The exact filename depends on the
+# FCOS version, so use a glob.
+COPY --from=qcow2-builder /srv/builds/latest/x86_64/*-qemu.x86_64.qcow2 \
+     /usr/share/fcos/image.qcow2
 COPY config.bu /usr/share/fcos/config.bu
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-
 ENTRYPOINT ["/entrypoint.sh"]

tests/k8s/Containerfile.fcos

@@ -0,0 +1,28 @@
+# Bootable container image: FCOS + CRI-O + Kubernetes
+# Built during `podman build` of the test harness and converted to a qcow2
+# by coreos-assembler.
+FROM quay.io/fedora/fedora-coreos:stable
+
+# Kubernetes v1.35 repo
+RUN cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
+[kubernetes]
+name=Kubernetes
+baseurl=https://pkgs.k8s.io/core:/stable:/v1.35/rpm/
+enabled=1
+gpgcheck=1
+gpgkey=https://pkgs.k8s.io/core:/stable:/v1.35/rpm/repodata/repomd.xml.key
+EOF
+
+# CRI-O v1.35 repo
+RUN cat > /etc/yum.repos.d/cri-o.repo <<'EOF'
+[cri-o]
+name=CRI-O
+baseurl=https://download.opensuse.org/repositories/isv:/cri-o:/stable:/v1.35/rpm/
+enabled=1
+gpgcheck=1
+gpgkey=https://download.opensuse.org/repositories/isv:/cri-o:/stable:/v1.35/rpm/repodata/repomd.xml.key
+EOF
+
+RUN dnf install -y kubectl kubelet kubeadm cri-o cri-tools && \
+    dnf clean all && \
+    systemctl enable crio