From e4e1f7eff5239f57625760f044c1243538d58de6 Mon Sep 17 00:00:00 2001 From: Aditi Sahay Date: Fri, 6 Mar 2026 18:53:09 +0530 Subject: [PATCH] OCPNODE-4114: Update TLSSecurityProfile doc to reflect CRI-O propagation and TLS 1.3 support Signed-off-by: Aditi Sahay --- machineconfiguration/v1/types.go | 5 ++++- .../0000_80_machine-config_01_kubeletconfigs.crd.yaml | 5 ++++- .../AAA_ungated.yaml | 5 ++++- .../v1/zz_generated.swagger_doc_generated.go | 2 +- .../crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml | 5 ++++- 5 files changed, 17 insertions(+), 5 deletions(-) diff --git a/machineconfiguration/v1/types.go b/machineconfiguration/v1/types.go index 7ffad174fb1..afc1cdf09c5 100644 --- a/machineconfiguration/v1/types.go +++ b/machineconfiguration/v1/types.go @@ -757,7 +757,10 @@ type KubeletConfigSpec struct { // If unset, the default is based on the apiservers.config.openshift.io/cluster resource. // Note that only Old and Intermediate profiles are currently supported, and - // the maximum available minTLSVersion is VersionTLS12. + // the maximum available minTLSVersion is VersionTLS13. + // When set, this TLS configuration is applied to both the kubelet and CRI-O + // on nodes matching the pool selector. CRI-O receives the minimum TLS version + // via a drop-in configuration file managed by the ContainerRuntimeConfig controller. // +optional TLSSecurityProfile *configv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"` } diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml index ceaa0024acd..e69ff74710b 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml 
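Review bot: The updated comment on `TLSSecurityProfile` in `KubeletConfigSpec` (machineconfiguration/v1/types.go) still says only the Old and Intermediate profiles are supported while raising the ceiling to VersionTLS13, and as defined in config/v1 neither of those profiles has a TLS 1.3 minimum, so a reader who wants to enforce TLS 1.3 on nodes cannot tell which profile type gets them there. If TLS 1.3 is reachable only through a Custom profile (or Modern is now accepted), the comment should say so, for example `// Note that only Old, Intermediate and Custom profiles are currently supported, and`, with the exact list confirmed against what the controller accepts. The added sentences say CRI-O receives only the minimum TLS version; if the profile's cipher list is not propagated to CRI-O, state that explicitly, for example `// The profile's cipher suites are not applied to CRI-O.`, so operators do not assume CRI-O is restricted to the same cipher set as the kubelet. "When set" also leaves open whether CRI-O follows the cluster-wide default from apiservers.config.openshift.io/cluster when the field is unset, which is worth one more clause. The struct begins outside this hunk, so only the comment lines shown here were reviewed.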
@@ -111,7 +111,10 @@ spec: description: |- If unset, the default is based on the apiservers.config.openshift.io/cluster resource. Note that only Old and Intermediate profiles are currently supported, and - the maximum available minTLSVersion is VersionTLS12. + the maximum available minTLSVersion is VersionTLS13. + When set, this TLS configuration is applied to both the kubelet and CRI-O + on nodes matching the pool selector. CRI-O receives the minimum TLS version + via a drop-in configuration file managed by the ContainerRuntimeConfig controller. properties: custom: description: |- diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml index 35d9248e5b0..980cfa27e8d 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml @@ -112,7 +112,10 @@ spec: description: |- If unset, the default is based on the apiservers.config.openshift.io/cluster resource. Note that only Old and Intermediate profiles are currently supported, and - the maximum available minTLSVersion is VersionTLS12. + the maximum available minTLSVersion is VersionTLS13. + When set, this TLS configuration is applied to both the kubelet and CRI-O + on nodes matching the pool selector. CRI-O receives the minimum TLS version + via a drop-in configuration file managed by the ContainerRuntimeConfig controller. properties: custom: description: |- diff --git a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 0391fcdd86d..0542db24edb 100644 
--- a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go +++ b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go @@ -247,7 +247,7 @@ var map_KubeletConfigSpec = map[string]string{ "": "KubeletConfigSpec defines the desired state of KubeletConfig", "machineConfigPoolSelector": "machineConfigPoolSelector selects which pools the KubeletConfig shoud apply to. A nil selector will result in no pools being selected.", "kubeletConfig": "kubeletConfig fields are defined in kubernetes upstream. Please refer to the types defined in the version/commit used by OpenShift of the upstream kubernetes. It's important to note that, since the fields of the kubelet configuration are directly fetched from upstream the validation of those values is handled directly by the kubelet. Please refer to the upstream version of the relevant kubernetes for the valid values of these fields. Invalid values of the kubelet configuration fields may render cluster nodes unusable.", - "tlsSecurityProfile": "If unset, the default is based on the apiservers.config.openshift.io/cluster resource. Note that only Old and Intermediate profiles are currently supported, and the maximum available minTLSVersion is VersionTLS12.", + "tlsSecurityProfile": "If unset, the default is based on the apiservers.config.openshift.io/cluster resource. Note that only Old and Intermediate profiles are currently supported, and the maximum available minTLSVersion is VersionTLS13. When set, this TLS configuration is applied to both the kubelet and CRI-O on nodes matching the pool selector. CRI-O receives the minimum TLS version via a drop-in configuration file managed by the ContainerRuntimeConfig controller.", } func (KubeletConfigSpec) SwaggerDoc() map[string]string { diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml index ceaa0024acd..e69ff74710b 100644 
--- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml @@ -111,7 +111,10 @@ spec: description: |- If unset, the default is based on the apiservers.config.openshift.io/cluster resource. Note that only Old and Intermediate profiles are currently supported, and - the maximum available minTLSVersion is VersionTLS12. + the maximum available minTLSVersion is VersionTLS13. + When set, this TLS configuration is applied to both the kubelet and CRI-O + on nodes matching the pool selector. CRI-O receives the minimum TLS version + via a drop-in configuration file managed by the ContainerRuntimeConfig controller. properties: custom: description: |-