feat: override TLS Config via flags

damdo · damdo · commit 0bb07b243b9c · 2026-03-19T17:52:11.000+01:00
diff --git a/go.mod b/go.mod
@@ -113,7 +113,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.35.2 // indirect
-	k8s.io/component-base v0.35.2 // indirect; indirectpackag
+	k8s.io/component-base v0.35.2
 	k8s.io/kube-aggregator v0.35.2 // indirect
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
diff --git a/main.go b/main.go
@@ -30,15 +30,14 @@ import (
 	"github.com/openshift/cluster-machine-approver/pkg/controller"
 	"github.com/openshift/cluster-machine-approver/pkg/metrics"
 	utiltls "github.com/openshift/controller-runtime-common/pkg/tls"
-	libgocrypto "github.com/openshift/library-go/pkg/crypto"
 	flag "github.com/spf13/pflag"
 	certificatesv1 "k8s.io/api/certificates/v1"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
+	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"
 	control "sigs.k8s.io/controller-runtime"
@@ -71,17 +70,14 @@ func main() {
 	var leaderElectResourceName string
 	var leaderElectResourceNamespace string
 	var metricsBindAddress string
+	var tlsMinVersionFlag string
+	var tlsCipherSuitesFlag []string
 
 	flagSet := flag.NewFlagSet("cluster-machine-approver", flag.ExitOnError)
 
 	// Set logger for controller-runtime
 	control.SetLogger(klog.NewKlogr())
 
-	scheme := runtime.NewScheme()
-	if err := configv1.AddToScheme(scheme); err != nil {
-		klog.Fatalf("unable to add configv1 to scheme: %v", err)
-	}
-
 	klog.InitFlags(nil)
 	flagSet.AddGoFlagSet(goflag.CommandLine)
 
@@ -100,6 +96,8 @@ func main() {
 	flagSet.StringVar(&leaderElectResourceName, "leader-elect-resource-name", "cluster-machine-approver-leader", "the name of the resource that leader election will use for holding the leader lock.")
 	flagSet.StringVar(&leaderElectResourceNamespace, "leader-elect-resource-namespace", "openshift-cluster-machine-approver", "the namespace in which the leader election resource will be created.")
 	flagSet.StringVar(&metricsBindAddress, "metrics-bind-address", metrics.DefaultMetricsBindAddress, "the address the metrics endpoint binds to.")
+	flagSet.StringVar(&tlsMinVersionFlag, "tls-min-version", "", "Minimum TLS version supported. When set with --tls-cipher-suites, overrides the cluster-wide TLS profile. Possible values: "+strings.Join(cliflag.TLSPossibleVersions(), ", "))
+	flagSet.StringSliceVar(&tlsCipherSuitesFlag, "tls-cipher-suites", nil, "Comma-separated list of cipher suites for the server. When set with --tls-min-version, overrides the cluster-wide TLS profile. Possible values: "+strings.Join(cliflag.TLSCipherPossibleValues(), ", "))
 
 	// Deprecated options
 	flagSet.StringVar(&apiGroup, "apigroup", "", "API group for machines")
@@ -111,6 +109,11 @@ func main() {
 		klog.Fatal("Cannot set both --apigroup and --api-group-version options together.")
 	}
 
+	tlsOverrideFromFlags := tlsMinVersionFlag != "" || len(tlsCipherSuitesFlag) > 0
+	if tlsOverrideFromFlags && (tlsMinVersionFlag == "" || len(tlsCipherSuitesFlag) == 0) {
+		klog.Fatal("Both --tls-min-version and --tls-cipher-suites must be provided when either is set.")
+	}
+
 	var parsedAPIGroupVersions []schema.GroupVersion
 
 	if len(apiGroupVersions) > 0 {
@@ -151,35 +154,10 @@ func main() {
 		klog.Fatalf("Can't set client configs: %v", err)
 	}
 
-	k8sClient, err := client.New(workloadConfig, client.Options{Scheme: scheme})
-	if err != nil {
-		klog.Fatalf("unable to create Kubernetes client: %v", err)
-	}
-
-	// Fetch the TLS adherence policy from the APIServer resource.
-	// This will be used to determine if the components should honor the cluster-wide TLS profile.
-	tlsAdherencePolicy, err := utiltls.FetchAPIServerTLSAdherencePolicy(context.Background(), k8sClient)
-	if err != nil {
-		klog.Fatalf("unable to get TLS adherence policy from API server: %v", err)
-	}
-
-	// Fetch the TLS profile from the APIServer resource.
-	tlsSecurityProfileSpec, err := utiltls.FetchAPIServerTLSProfile(context.Background(), k8sClient)
+	// Resolve the TLS configuration for the server endpoints.
+	tlsResult, err := resolveTLSConfig(context.Background(), workloadConfig, tlsMinVersionFlag, tlsCipherSuitesFlag)
 	if err != nil {
-		klog.Fatalf("unable to get TLS profile from API server: %v", err)
-	}
-
-	// Create a default TLS configuration function.
-	tlsConfig := func(*tls.Config) {}
-
-	if libgocrypto.ShouldHonorClusterTLSProfile(tlsAdherencePolicy) {
-		var unsupportedCiphers []string
-		// The TLS adherence policy indicates that the components should honor the cluster-wide TLS profile.
-		// Set the TLS configuration function to use the cluster-wide TLS profile.
-		tlsConfig, unsupportedCiphers = utiltls.NewTLSConfigFromProfile(tlsSecurityProfileSpec)
-		if len(unsupportedCiphers) > 0 {
-			klog.Infof("TLS configuration contains unsupported ciphers that will be ignored: %v", unsupportedCiphers)
-		}
+		klog.Fatalf("unable to configure TLS: %v", err)
 	}
 
 	// Create a context that can be cancelled when there is a need to shut down the manager	.
@@ -194,7 +172,7 @@ func main() {
 			BindAddress:    metricsBindAddress,
 			SecureServing:  true,
 			FilterProvider: filters.WithAuthenticationAndAuthorization,
-			TLSOpts:        []func(*tls.Config){tlsConfig},
+			TLSOpts:        []func(*tls.Config){tlsResult.TLSConfig},
 		},
 		LeaderElectionNamespace:       leaderElectResourceNamespace,
 		LeaderElection:                leaderElect,
@@ -283,26 +261,32 @@ func main() {
 
 	// Set up the TLS security profile watcher controller.
 	// This will trigger a graceful shutdown when the TLS profile changes.
-	if err := (&utiltls.SecurityProfileWatcher{
-		Client:                    mgr.GetClient(),
-		InitialTLSAdherencePolicy: tlsAdherencePolicy,
-		InitialTLSProfileSpec:     tlsSecurityProfileSpec,
-		OnAdherencePolicyChange: func(ctx context.Context, oldTLSAdherencePolicy, newTLSAdherencePolicy configv1.TLSAdherencePolicy) {
-			klog.Infof("TLS adherence policy has changed, initiating a shutdown to reload it. %q: %+v, %q: %+v",
-				"old adherence policy", oldTLSAdherencePolicy,
-				"new adherence policy", newTLSAdherencePolicy,
-			)
-			cancel()
-		},
-		OnProfileChange: func(ctx context.Context, oldTLSProfileSpec, newTLSProfileSpec configv1.TLSProfileSpec) {
-			klog.Infof("TLS profile has changed, initiating a shutdown to reload it. %q: %+v, %q: %+v",
-				"old profile", oldTLSProfileSpec,
-				"new profile", newTLSProfileSpec,
-			)
-			cancel()
-		},
-	}).SetupWithManager(mgr); err != nil {
-		klog.Fatalf("unable to create TLS security profile watcher controller: %v", err)
+	// When TLS is overridden via CLI flags, the watcher is not needed since
+	// the component is not reading from apiservers.config.openshift.io/cluster.
+	if tlsOverrideFromFlags {
+		klog.Info("TLS security profile watcher disabled because TLS is configured via CLI flags")
+	} else {
+		if err := (&utiltls.SecurityProfileWatcher{
+			Client:                    mgr.GetClient(),
+			InitialTLSAdherencePolicy: tlsResult.TLSAdherencePolicy,
+			InitialTLSProfileSpec:     tlsResult.TLSProfileSpec,
+			OnAdherencePolicyChange: func(ctx context.Context, oldTLSAdherencePolicy, newTLSAdherencePolicy configv1.TLSAdherencePolicy) {
+				klog.Infof("TLS adherence policy has changed, initiating a shutdown to reload it. %q: %+v, %q: %+v",
+					"old adherence policy", oldTLSAdherencePolicy,
+					"new adherence policy", newTLSAdherencePolicy,
+				)
+				cancel()
+			},
+			OnProfileChange: func(ctx context.Context, oldTLSProfileSpec, newTLSProfileSpec configv1.TLSProfileSpec) {
+				klog.Infof("TLS profile has changed, initiating a shutdown to reload it. %q: %+v, %q: %+v",
+					"old profile", oldTLSProfileSpec,
+					"new profile", newTLSProfileSpec,
+				)
+				cancel()
+			},
+		}).SetupWithManager(mgr); err != nil {
+			klog.Fatalf("unable to create TLS security profile watcher controller: %v", err)
+		}
 	}
 
 	// Start the Cmd
diff --git a/tls.go b/tls.go
@@ -0,0 +1,127 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+
+	configv1 "github.com/openshift/api/config/v1"
+	utiltls "github.com/openshift/controller-runtime-common/pkg/tls"
+	libgocrypto "github.com/openshift/library-go/pkg/crypto"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/rest"
+	cliflag "k8s.io/component-base/cli/flag"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// tlsConfigResult holds the resolved TLS configuration along with the
+// cluster-wide TLS profile metadata needed by the SecurityProfileWatcher.
+type tlsConfigResult struct {
+	// TLSConfig is a function that applies TLS settings to a tls.Config.
+	TLSConfig func(*tls.Config)
+	// TLSAdherencePolicy is the cluster-wide TLS adherence policy.
+	// Only populated when CLI flags are not set.
+	TLSAdherencePolicy configv1.TLSAdherencePolicy
+	// TLSProfileSpec is the cluster-wide TLS profile spec.
+	// Only populated when CLI flags are not set.
+	TLSProfileSpec configv1.TLSProfileSpec
+}
+
+// resolveTLSConfig builds the TLS configuration. When CLI flags are set, they
+// take precedence over the cluster-wide TLS profile. When not set, the profile
+// from apiservers.config.openshift.io/cluster is fetched and applied if the
+// adherence policy requires it.
+func resolveTLSConfig(ctx context.Context, restConfig *rest.Config, tlsMinVersion string, tlsCipherSuites []string) (tlsConfigResult, error) {
+	// If CLI flags are set they take precedence over the cluster-wide TLS profile.
+	if tlsMinVersion != "" || len(tlsCipherSuites) > 0 {
+		klog.Info("TLS configuration overridden via CLI flags, skipping honoring the cluster-wide TLS profile")
+
+		minVersion, err := cliflag.TLSVersion(tlsMinVersion)
+		if err != nil {
+			return tlsConfigResult{}, fmt.Errorf("invalid --tls-min-version value: %w", err)
+		}
+		cipherSuites, err := cliflag.TLSCipherSuites(tlsCipherSuites)
+		if err != nil {
+			return tlsConfigResult{}, fmt.Errorf("invalid --tls-cipher-suites value: %w", err)
+		}
+
+		return tlsConfigResult{
+			TLSConfig: func(cfg *tls.Config) {
+				cfg.MinVersion = minVersion
+				// Only set CipherSuites when MinVersion is below TLS 1.3, as Go's TLS 1.3 implementation
+				// does not allow configuring cipher suites - all TLS 1.3 ciphers are always enabled.
+				// See: https://github.com/golang/go/issues/29349
+				if minVersion != tls.VersionTLS13 {
+					cfg.CipherSuites = cipherSuites
+				} else {
+					klog.Warning("TLS 1.3 cipher suites are not configurable in Go, ignoring --tls-cipher-suites value")
+				}
+			},
+		}, nil
+	}
+
+	scheme := runtime.NewScheme()
+	if err := configv1.AddToScheme(scheme); err != nil {
+		return tlsConfigResult{}, fmt.Errorf("unable to add configv1 to scheme: %w", err)
+	}
+
+	k8sClient, err := client.New(restConfig, client.Options{Scheme: scheme})
+	if err != nil {
+		return tlsConfigResult{}, fmt.Errorf("unable to create Kubernetes client: %w", err)
+	}
+
+	tlsAdherencePolicy, err := utiltls.FetchAPIServerTLSAdherencePolicy(ctx, k8sClient)
+	if err != nil {
+		klog.Errorf("unable to get TLS adherence policy from API server: %v", err)
+		// Default to empty string if the API server is not available or the field is not set.
+		// This is the same behavior as the default value for the field when the field is omitted.
+		// We will still keep a watch on the API server for the field and trigger a restart if the value changes.
+		tlsAdherencePolicy = ""
+	}
+
+	tlsProfileSpec, err := utiltls.FetchAPIServerTLSProfile(ctx, k8sClient)
+	if err != nil {
+		klog.Errorf("unable to get TLS profile from API server: %v", err)
+		// Default to an empty profile if the API server is not available or the field is not set.
+		// We will still keep a watch on the API server for the field and trigger a restart if the value changes.
+		tlsProfileSpec = configv1.TLSProfileSpec{}
+	}
+
+	// Default the TLS configuration to Go's crypto package default values.
+	tlsConfig := func(*tls.Config) {}
+
+	// If the cluster-wide TLS adherence policy is set to honor the cluster-wide TLS profile,
+	// use the cluster-wide TLS profile-based configuration.
+	if libgocrypto.ShouldHonorClusterTLSProfile(tlsAdherencePolicy) {
+		profileTLSConfig, unsupportedCiphers := utiltls.NewTLSConfigFromProfile(tlsProfileSpec)
+		if len(unsupportedCiphers) > 0 {
+			klog.Infof("TLS configuration contains unsupported ciphers that will be ignored: %v", unsupportedCiphers)
+		}
+
+		// Set the TLS configuration to the cluster-wide TLS profile-based configuration.
+		tlsConfig = profileTLSConfig
+	}
+
+	return tlsConfigResult{
+		TLSConfig:          tlsConfig,
+		TLSAdherencePolicy: tlsAdherencePolicy,
+		TLSProfileSpec:     tlsProfileSpec,
+	}, nil
+}
