
WIP: OCPNODE-3918: Implement centralized TLS security profile support #998

Open

harche wants to merge 3 commits into openshift:next from harche:tls-pqs

Conversation

@harche
Copy link
Contributor

@harche harche commented Feb 3, 2026

Summary

This PR implements configurable TLS security profiles for the DAS Operator to comply with OCPSTRAT-2611, which mandates all OpenShift components support centralized TLS profile configuration by OCP 4.22 GA.

Key changes:

  • Add TLS observer controller using informer/lister pattern to watch APIServer.spec.tlsSecurityProfile for cluster-wide TLS configuration
  • Create TLS helper package (pkg/tlsconfig) for profile resolution and cipher suite conversion using library-go
  • Apply TLS configuration to controller webhook and metrics servers
  • Apply TLS configuration to daemonset metrics server
  • Inject TLS config via CLI args to webhook, operator, and daemonset components
  • Integrate TLS observer with target config reconciler for dynamic updates
  • Add RBAC permissions to get/list/watch config.openshift.io/apiservers
  • Add CSV annotation: features.operators.openshift.io/tls-profiles: "true"
  • Add comprehensive unit tests for TLS profile resolution
  • Add E2E tests for TLS security profile verification

TLS Profile Resolution Order:

  1. APIServer.spec.tlsSecurityProfile (cluster-wide setting)
  2. Intermediate profile (default fallback)

Supported profiles: Old, Intermediate, Modern (PQC-ready), and Custom.

Test plan

  • Unit tests pass (go test ./pkg/tlsconfig/... ./pkg/controller/tlsobserver/...)
  • E2E tests for TLS security profile verification
  • Manual verification with different TLS profiles (Old, Intermediate, Modern, Custom)
  • tls-scanner verification

References

🤖 Generated with Claude Code

This change implements configurable TLS security profiles for the DAS Operator
to comply with OCPSTRAT-2611, which mandates all OpenShift components support
centralized TLS profile configuration by OCP 4.22 GA.

Key changes:
- Add TLS observer controller using informer/lister pattern to watch
  APIServer.spec.tlsSecurityProfile for cluster-wide TLS configuration
- Create TLS helper package (pkg/tlsconfig) for profile resolution and
  cipher suite conversion using library-go
- Apply TLS configuration to controller webhook and metrics servers
- Apply TLS configuration to daemonset metrics server
- Inject TLS config via CLI args to webhook, operator, and daemonset components
- Integrate TLS observer with target config reconciler for dynamic updates
- Add RBAC permissions to get/list/watch config.openshift.io/apiservers
- Add CSV annotation: features.operators.openshift.io/tls-profiles: "true"
- Add comprehensive unit tests for TLS profile resolution
- Add E2E tests for TLS security profile verification

TLS Profile Resolution Order:
1. APIServer.spec.tlsSecurityProfile (cluster-wide setting)
2. Intermediate profile (default fallback)

Supported profiles: Old, Intermediate, Modern (PQC-ready), and Custom.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
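The profile resolution order and the OpenSSL-to-IANA cipher conversion described in the PR body and commit message above, as an added example that is not the project's pkg/tlsconfig code: it models APIServer.spec.tlsSecurityProfile with standard-library types only (no library-go or openshift/api import), carries a constructed subset of the profile table and of the OpenSSL-to-IANA renaming, falls back to Intermediate when the cluster field is unset, and fails closed when a Custom profile would leave Go's crypto/tls with no usable TLS 1.2 suite. The names ProfileSpec, SecurityProfile, Resolve and BuildTLSConfig are this example's own.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// ProfileType mirrors APIServer.spec.tlsSecurityProfile.type (config.openshift.io/v1).
type ProfileType string

const ProfileOld, ProfileIntermediate, ProfileModern, ProfileCustom ProfileType = "Old", "Intermediate", "Modern", "Custom"

// ProfileSpec is the API's profile shape: OpenSSL-style cipher names plus a minimum version string.
type ProfileSpec struct {
	Ciphers       []string
	MinTLSVersion string
}

// SecurityProfile is what the observer reads from the APIServer object; nil models an unset field.
type SecurityProfile struct {
	Type   ProfileType
	Custom *ProfileSpec
}

// builtin is a CONSTRUCTED subset of the Mozilla-derived profile table that openshift/api ships.
var builtin = map[ProfileType]ProfileSpec{
	ProfileOld: {MinTLSVersion: "VersionTLS10", Ciphers: []string{"ECDHE-RSA-AES128-GCM-SHA256"}},
	ProfileIntermediate: {MinTLSVersion: "VersionTLS12", Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
		"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
		"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
		"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"}},
	ProfileModern: {MinTLSVersion: "VersionTLS13", Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}},
}

// opensslToIANA is a hand-written subset of the renaming library-go performs; TLS 1.3 names are already IANA.
var opensslToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

var tlsVersions = map[string]uint16{"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}

// Resolve applies the order from the PR description: the observed cluster profile wins and Intermediate
// is the fallback. A Custom profile with a missing or empty stanza is an error, not a silent downgrade.
func Resolve(observed *SecurityProfile) (ProfileSpec, error) {
	if observed == nil || observed.Type == "" {
		return builtin[ProfileIntermediate], nil
	}
	if c := observed.Custom; observed.Type == ProfileCustom && c != nil && len(c.Ciphers) > 0 && c.MinTLSVersion != "" {
		return *c, nil
	}
	if spec, ok := builtin[observed.Type]; ok {
		return spec, nil
	}
	return ProfileSpec{}, fmt.Errorf("unusable TLS profile %q: unknown type or incomplete custom stanza", observed.Type)
}

// BuildTLSConfig converts a resolved spec into a crypto/tls config. Names Go does not implement are
// returned in skipped; a TLS 1.2-capable server left with no usable suite fails closed instead of
// inheriting Go's default list.
func BuildTLSConfig(spec ProfileSpec) (*tls.Config, []string, error) {
	minVer, ok := tlsVersions[spec.MinTLSVersion]
	if !ok {
		return nil, nil, fmt.Errorf("unknown minTLSVersion %q", spec.MinTLSVersion)
	}
	known := map[string]uint16{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		known[s.Name] = s.ID
	}
	suites, skipped := []uint16{}, []string{}
	for _, c := range spec.Ciphers {
		name, renamed := opensslToIANA[c]
		if !renamed {
			name = c
		}
		switch id, found := known[name]; {
		case !found:
			skipped = append(skipped, c)
		case id>>8 != 0x13: // 0x13xx are the TLS 1.3 suites, which Go fixes and does not let callers configure
			suites = append(suites, id)
		}
	}
	if minVer < tls.VersionTLS13 && len(suites) == 0 {
		return nil, skipped, fmt.Errorf("profile leaves no Go-supported TLS 1.2 cipher suite")
	}
	return &tls.Config{MinVersion: minVer, CipherSuites: suites}, skipped, nil
}

func main() {
	spec, _ := Resolve(nil) // unset cluster field resolves to Intermediate
	cfg, skipped, err := BuildTLSConfig(spec)
	fmt.Printf("resolved %s: cfg=%v skipped=%v err=%v\n", spec.MinTLSVersion, cfg != nil, skipped, err)
}
```

Two checks worth carrying into the real unit tests: a Custom profile that names only suites Go's crypto/tls does not implement (the DHE family, for instance) must be rejected rather than silently turned into Go's default cipher list, and a Modern profile yields an empty CipherSuites slice by design, because Go fixes the TLS 1.3 suites and the profile is enforced through MinVersion alone.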
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 3, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Feb 3, 2026

@harche: This pull request references OCPNODE-3918 which is a valid jira issue.


@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Feb 3, 2026
@openshift-ci openshift-ci bot requested review from cpmeadors and rphillips February 3, 2026 18:29
@openshift-ci
Copy link

openshift-ci bot commented Feb 3, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: harche


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 3, 2026
@rphillips
Copy link
Contributor

It would be easier to review if there was a commit of the changes, and a commit of the vendor update.

harche and others added 2 commits February 3, 2026 15:42
The controllercmd library requires Kubernetes-style TypeMeta fields
(apiVersion and kind) when deserializing the operator config JSON.
Without these fields, the operator crashes with:
  "Object 'Kind' is missing in '{"servingInfo":{...}}'"

Add TypeMeta to GenericOperatorConfig in both operator and daemonset
commands to fix the CI e2e-bundle tests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The TLS E2E tests were using incorrect daemonset name "das-operator-daemonset"
but the actual daemonset is named "das-daemonset" as defined in:
- bindata/assets/instaslice-operator/daemonset.yaml
- pkg/cmd/daemonset/cmd.go

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@harche
Copy link
Contributor Author

harche commented Feb 4, 2026

/test unit

@openshift-ci
Copy link

openshift-ci bot commented Feb 4, 2026

@harche: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                      Commit   Details  Required  Rerun command
ci/prow/e2e-bundle-runc        a016fdd  link     true      /test e2e-bundle-runc
ci/prow/e2e-bundle-4-19-runc   a016fdd  link     true      /test e2e-bundle-4-19-runc
ci/prow/e2e-bundle-4-20-runc   a016fdd  link     true      /test e2e-bundle-4-20-runc


@harche
Copy link
Contributor Author

harche commented Feb 18, 2026

/test unit

return cmd
}

// createTLSConfigFile fetches the cluster TLS profile and creates a temp config file
Contributor

Sorta confused why we need a config file? The command-line arguments should be passed to the operator.
