tls: use centralized TLS profile + operands

damdo · damdo · commit feb04b236b72 · 2026-01-23T16:35:56.000+01:00
diff --git a/cmd/cluster-capi-operator/main.go b/cmd/cluster-capi-operator/main.go
@@ -15,6 +15,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"os"
@@ -65,6 +66,7 @@ import (
 	"github.com/openshift/cluster-capi-operator/pkg/operatorstatus"
 	"github.com/openshift/cluster-capi-operator/pkg/util"
 	"github.com/openshift/cluster-capi-operator/pkg/webhook"
+	utiltls "github.com/openshift/library-go/pkg/controllerruntime/tls"
 )
 
 const (
@@ -148,6 +150,29 @@ func main() {
 	capiflags.AddManagerOptions(pflag.CommandLine, &capiManagerOptions)
 	pflag.Parse()
 
+	cfg := ctrl.GetConfigOrDie()
+
+	k8sClient, err := client.New(cfg, client.Options{Scheme: scheme})
+	if err != nil {
+		klog.Error(err, "unable to create Kubernetes client")
+		os.Exit(1)
+	}
+
+	// Fetch the TLS profile from the APIServer resource.
+	tlsSecurityProfileSpec, err := utiltls.FetchAPIServerTLSProfile(context.Background(), k8sClient)
+	if err != nil {
+		klog.Error(err, "unable to get TLS profile from API server")
+		os.Exit(1)
+	}
+
+	// Create the TLS configuration function for the server endpoints.
+	tlsConfig, unsupportedCiphers := utiltls.NewTLSConfigFromProfile(tlsSecurityProfileSpec)
+	if len(unsupportedCiphers) > 0 {
+		klog.Info("TLS configuration contains unsupported ciphers that will be ignored",
+			"unsupportedCiphers", unsupportedCiphers,
+		)
+	}
+
 	if err := setFeatureGatesEnvVars(); err != nil {
 		klog.Error(err, "unable to set feature gates environment variables")
 		os.Exit(1)
@@ -157,21 +182,23 @@ func main() {
 		klog.LogToStderr(*logToStderr)
 	}
 
-	_, diagnosticsOpts, err := capiflags.GetManagerOptions(capiManagerOptions)
+	_, metricsOptions, err := capiflags.GetManagerOptions(capiManagerOptions)
 	if err != nil {
 		klog.Error(err, "unable to get manager options")
 		os.Exit(1)
 	}
 
+	// Override the TLS options for the metrics server with the ones specified centrally in the APIServer resource.
+	tlsOptions := []func(config *tls.Config){tlsConfig}
+	metricsOptions.TLSOpts = tlsOptions
+
 	syncPeriod := 10 * time.Minute
 
 	cacheOpts := getDefaultCacheOptions(*managedNamespace, syncPeriod)
 
-	cfg := ctrl.GetConfigOrDie()
-
 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
 		Scheme:                  scheme,
-		Metrics:                 *diagnosticsOpts,
+		Metrics:                 *metricsOptions,
 		HealthProbeBindAddress:  *healthAddr,
 		LeaderElectionNamespace: leaderElectionConfig.ResourceNamespace,
 		LeaderElection:          leaderElectionConfig.LeaderElect,
@@ -183,6 +210,7 @@ func main() {
 		WebhookServer: crwebhook.NewServer(crwebhook.Options{
 			Port:    *webhookPort,
 			CertDir: *webhookCertDir,
+			TLSOpts: tlsOptions,
 		}),
 	})
 	if err != nil {
@@ -220,7 +248,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	setupPlatformReconcilers(mgr, infra, platform, containerImages, applyClient, apiextensionsClient, *managedNamespace)
+	setupPlatformReconcilers(mgr, infra, platform, containerImages, applyClient, apiextensionsClient, *managedNamespace, tlsOptions)
 
 	// +kubebuilder:scaffold:builder
 
@@ -252,17 +280,17 @@ func getClusterOperatorStatusClient(mgr manager.Manager, controller string, plat
 	}
 }
 
-func setupPlatformReconcilers(mgr manager.Manager, infra *configv1.Infrastructure, platform configv1.PlatformType, containerImages map[string]string, applyClient *kubernetes.Clientset, apiextensionsClient *apiextensionsclient.Clientset, managedNamespace string) {
+func setupPlatformReconcilers(mgr manager.Manager, infra *configv1.Infrastructure, platform configv1.PlatformType, containerImages map[string]string, applyClient *kubernetes.Clientset, apiextensionsClient *apiextensionsclient.Clientset, managedNamespace string, tlsOptions []func(config *tls.Config)) {
 	// Only setup reconcile controllers and webhooks when the platform is supported.
 	// This avoids unnecessary CAPI providers discovery, installs and reconciles when the platform is not supported.
 	isUnsupportedPlatform := false
 
 	switch platform {
 	case configv1.AWSPlatformType:
-		setupReconcilers(mgr, infra, platform, &awsv1.AWSCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace)
+		setupReconcilers(mgr, infra, platform, &awsv1.AWSCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace, tlsOptions)
 		setupWebhooks(mgr)
 	case configv1.GCPPlatformType:
-		setupReconcilers(mgr, infra, platform, &gcpv1.GCPCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace)
+		setupReconcilers(mgr, infra, platform, &gcpv1.GCPCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace, tlsOptions)
 		setupWebhooks(mgr)
 	case configv1.AzurePlatformType:
 		azureCloudEnvironment := getAzureCloudEnvironment(infra.Status.PlatformStatus)
@@ -272,20 +300,20 @@ func setupPlatformReconcilers(mgr manager.Manager, infra *configv1.Infrastructur
 			isUnsupportedPlatform = true
 		} else {
 			// The ClusterOperator Controller must run in all cases.
-			setupReconcilers(mgr, infra, platform, &azurev1.AzureCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace)
+			setupReconcilers(mgr, infra, platform, &azurev1.AzureCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace, tlsOptions)
 			setupWebhooks(mgr)
 		}
 	case configv1.PowerVSPlatformType:
-		setupReconcilers(mgr, infra, platform, &ibmpowervsv1.IBMPowerVSCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace)
+		setupReconcilers(mgr, infra, platform, &ibmpowervsv1.IBMPowerVSCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace, tlsOptions)
 		setupWebhooks(mgr)
 	case configv1.VSpherePlatformType:
-		setupReconcilers(mgr, infra, platform, &vspherev1.VSphereCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace)
+		setupReconcilers(mgr, infra, platform, &vspherev1.VSphereCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace, tlsOptions)
 		setupWebhooks(mgr)
 	case configv1.OpenStackPlatformType:
-		setupReconcilers(mgr, infra, platform, &openstackv1.OpenStackCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace)
+		setupReconcilers(mgr, infra, platform, &openstackv1.OpenStackCluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace, tlsOptions)
 		setupWebhooks(mgr)
 	case configv1.BareMetalPlatformType:
-		setupReconcilers(mgr, infra, platform, &metal3v1.Metal3Cluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace)
+		setupReconcilers(mgr, infra, platform, &metal3v1.Metal3Cluster{}, containerImages, applyClient, apiextensionsClient, managedNamespace, tlsOptions)
 		setupWebhooks(mgr)
 	default:
 		klog.Infof("Detected platform %q is not supported, skipping capi controllers setup", platform)
@@ -297,7 +325,7 @@ func setupPlatformReconcilers(mgr manager.Manager, infra *configv1.Infrastructur
 	setupClusterOperatorController(mgr, platform, managedNamespace, isUnsupportedPlatform)
 }
 
-func setupReconcilers(mgr manager.Manager, infra *configv1.Infrastructure, platform configv1.PlatformType, infraClusterObject client.Object, containerImages map[string]string, applyClient *kubernetes.Clientset, apiextensionsClient *apiextensionsclient.Clientset, managedNamespace string) {
+func setupReconcilers(mgr manager.Manager, infra *configv1.Infrastructure, platform configv1.PlatformType, infraClusterObject client.Object, containerImages map[string]string, applyClient *kubernetes.Clientset, apiextensionsClient *apiextensionsclient.Clientset, managedNamespace string, tlsOptions []func(config *tls.Config)) {
 	if err := (&corecluster.CoreClusterController{
 		ClusterOperatorStatusClient: getClusterOperatorStatusClient(mgr, "cluster-capi-operator-cluster-resource-controller", platform, managedNamespace),
 		Cluster:                     &clusterv1.Cluster{},
@@ -333,6 +361,7 @@ func setupReconcilers(mgr manager.Manager, infra *configv1.Infrastructure, platf
 		Platform:                    platform,
 		ApplyClient:                 applyClient,
 		APIExtensionsClient:         apiextensionsClient,
+		TLSOpts:                     tlsOptions,
 	}).SetupWithManager(mgr); err != nil {
 		klog.Error(err, "unable to create capi installer controller", "controller", "CAPIInstaller")
 		os.Exit(1)
diff --git a/cmd/machine-api-migration/main.go b/cmd/machine-api-migration/main.go
@@ -125,7 +125,7 @@ func main() {
 		klog.LogToStderr(*logToStderr)
 	}
 
-	_, diagnosticsOpts, err := capiflags.GetManagerOptions(capiManagerOptions)
+	_, metricsOpts, err := capiflags.GetManagerOptions(capiManagerOptions)
 	if err != nil {
 		klog.Error(err, "unable to get manager options")
 		os.Exit(1)
@@ -139,7 +139,7 @@ func main() {
 
 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
 		Scheme:                  scheme,
-		Metrics:                 *diagnosticsOpts,
+		Metrics:                 *metricsOpts,
 		HealthProbeBindAddress:  *healthAddr,
 		LeaderElectionNamespace: leaderElectionConfig.ResourceNamespace,
 		LeaderElection:          leaderElectionConfig.LeaderElect,
diff --git a/pkg/controllers/capiinstaller/capi_installer_controller.go b/pkg/controllers/capiinstaller/capi_installer_controller.go
@@ -17,6 +17,7 @@ package capiinstaller
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"regexp"
@@ -25,6 +26,8 @@ import (
 	"github.com/drone/envsubst/v2"
 	"github.com/go-logr/logr"
 
+	openshiftcrypto "github.com/openshift/library-go/pkg/crypto"
+
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -87,6 +90,7 @@ type CapiInstallerController struct {
 	Platform            configv1.PlatformType
 	ApplyClient         *kubernetes.Clientset
 	APIExtensionsClient *apiextensionsclient.Clientset
+	TLSOpts             []func(config *tls.Config)
 }
 
 // Reconcile reconciles the cluster-api ClusterOperator object.
@@ -234,6 +238,8 @@ func (r *CapiInstallerController) applyProviderComponents(ctx context.Context, c
 			return fmt.Errorf("error casting object to Deployment: %w", err)
 		}
 
+		injectTLSConfigIntoDeployment(deployment, r.TLSOpts)
+
 		if _, _, err := resourceapply.ApplyDeployment(
 			ctx,
 			r.ApplyClient.AppsV1(),
@@ -530,3 +536,28 @@ func yamlToUnstructured(sch *runtime.Scheme, m string) (*unstructured.Unstructur
 
 	return u, nil
 }
+
+// injectTLSConfigIntoDeployment injects TLS configuration into the deployment spec,
+// setting --tls-min-version and --tls-cipher-suites on the container named "manager"
+// as described in https://github.com/kubernetes-sigs/cluster-api/blob/55e16f424c0ed8d3739070125d4c32a036997465/util/flags/manager.go#L59-L71.
+func injectTLSConfigIntoDeployment(deployment *appsv1.Deployment, tlsOpts []func(*tls.Config)) {
+	tlsConfig := &tls.Config{}
+	for _, tlsOpt := range tlsOpts {
+		tlsOpt(tlsConfig)
+	}
+
+	for i := range deployment.Spec.Template.Spec.Containers {
+		if deployment.Spec.Template.Spec.Containers[i].Name == "manager" {
+			deployment.Spec.Template.Spec.Containers[i].Args = append(
+				deployment.Spec.Template.Spec.Containers[i].Args,
+				fmt.Sprintf("--tls-min-version=%s", openshiftcrypto.TLSVersionToNameOrDie(tlsConfig.MinVersion)),
+			)
+			if len(tlsConfig.CipherSuites) > 0 {
+				deployment.Spec.Template.Spec.Containers[i].Args = append(
+					deployment.Spec.Template.Spec.Containers[i].Args,
+					fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(openshiftcrypto.CipherSuitesToNamesOrDie(tlsConfig.CipherSuites), ",")),
+				)
+			}
+		}
+	}
+}
