Skip to content

OPRUN-4411: Add APIServer TLS controller for OpenShift cluster-wide TLS configuration #3739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 1 commit into from
Jan 22, 2026
Merged

OPRUN-4411: Add APIServer TLS controller for OpenShift cluster-wide TLS configuration #3739

openshift-merge-bot merged 1 commit into from
Jan 22, 2026

Conversation

@tmshort
Copy link
Contributor

@tmshort tmshort commented Jan 19, 2026
edited
Loading

Implements a controller that watches the OpenShift APIServer resource and provides thread-safe access to TLS configuration for HTTPS servers/clients.

The controller is modeled after the existing proxy controller.

This is intended to be used by the OLM operator, Catalog operator and marketplace operator (but it will need to be copied). It will also be used by the downstream PSM component.

Assisted-By: Claude

@openshift-ci openshift-ci bot requested review from anik120 and dtfranz January 19, 2026 19:26
@bandrade
Copy link
Contributor

bandrade commented Jan 20, 2026

/label qe-approved
/verified by @bandrade

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Jan 20, 2026
@camilamacedo86
Copy link
Contributor

camilamacedo86 commented Jan 21, 2026

@tmshort we need to rebase

camilamacedo86
camilamacedo86 reviewed Jan 21, 2026
View reviewed changes
pkg/lib/apiserver/querier_test.go
require.NoError(t, err)

// Verify secure defaults
assert.GreaterOrEqual(t, config.MinVersion, uint16(tls.VersionTLS12), "Should use at least TLS 1.2")
Copy link
Contributor

@camilamacedo86 camilamacedo86 Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we not a bug in some specific version / CVE that made we downgrade the version?
See: https://github.com/kubernetes-sigs/kubebuilder/blob/master/testdata/project-v4/cmd/main.go#L96-L105

Isn't it still valid?

Copy link
Contributor Author

@tmshort tmshort Jan 21, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HTTP version is different than TLS version.

What you're talking about is HTTP version, and the config is already done in server.go (lines not modified in this PR).

camilamacedo86
camilamacedo86 reviewed Jan 21, 2026
View reviewed changes
pkg/lib/apiserver/syncer.go
case tls.VersionTLS13:
return "TLS 1.3"
default:
return "unknown"
Copy link
Contributor

@camilamacedo86 camilamacedo86 Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see we fail if not one of those right?

Copy link
Contributor Author

@tmshort tmshort Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct; they specified an unknown TLS version, so we wouldn't know what to do.

@camilamacedo86
Copy link
Contributor

camilamacedo86 commented Jan 21, 2026
edited
Loading

Hi @tmshort

We need to rebase this one.
But overall, I am good with this one.

/lgtm

It would be nice for this one to get a second reviewer as well, maybe @perdasilva

anik120
anik120 requested changes Jan 21, 2026
View reviewed changes
@tmshort
Copy link
Contributor Author

tmshort commented Jan 21, 2026

There was some duplicate code; since @anik120's review requested changes in that area, I consolidated it.

@tmshort tmshort force-pushed the apiserver branch 3 times, most recently from 98ad4dd to 4f0ce11 Compare January 21, 2026 20:54
camilamacedo86
camilamacedo86 reviewed Jan 22, 2026
View reviewed changes
camilamacedo86
camilamacedo86 reviewed Jan 22, 2026
View reviewed changes
camilamacedo86
camilamacedo86 reviewed Jan 22, 2026
View reviewed changes
camilamacedo86
camilamacedo86 reviewed Jan 22, 2026
View reviewed changes
@camilamacedo86
Copy link
Contributor

camilamacedo86 commented Jan 22, 2026

@tmshort

After the changes, many MD files generated by CLAUDE are here.
IM,O they should not get merged.
We should have only a small README with the info consolidated and without emojis.

Can we change that?

anik120
anik120 reviewed Jan 22, 2026
View reviewed changes
pkg/lib/apiserver/querier.go Outdated
)

// NoopQuerier returns an instance of noopQuerier. It's used for upstream where
// we don't have any cluster APIServer configuration.
Copy link
Member

@anik120 anik120 Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

Suggested change
// we don't have any cluster APIServer configuration.
// we don't have any apiserver.config.openshift.io/cluster resource.

pkg/lib/apiserver/syncer.go Outdated
)

const (
// This is the cluster level global APIServer object name.
Copy link
Member

@anik120 anik120 Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

Suggested change
// This is the cluster level global APIServer object name.
// This is the cluster level global apiserver.config.openshift.io/cluster object name.

pkg/lib/apiserver/syncer.go Outdated
defaultSyncInterval = 30 * time.Minute
)

// NewSyncer returns informer and sync functions to enable watch of APIServer type.
Copy link
Member

@anik120 anik120 Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// NewSyncer returns informer and sync functions to enable watch of APIServer type.
// NewSyncer returns informer and sync functions to enable watch of apiserver.config.openshift.io/cluster CRs.

HTTPS_SERVERS.md Outdated
@@ -0,0 +1,387 @@
# HTTPS Servers in OLM Codebase
Copy link
Member

@anik120 anik120 Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These docs are definitely helpful, I like them.

But root is not the right place for them right? docs/design is a more suitable place for them no?

Copy link
Contributor Author

@tmshort tmshort Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They weren't supposed to be committed, they were for code investigation purposes.

@tmshort
Add APIServer TLS controller for OpenShift cluster-wide TLS configura…
cea84a0 
…tion

Implements a controller that watches the OpenShift APIServer resource and
provides thread-safe access to TLS configuration for HTTPS servers/clients.

The controller is modeled after the existing proxy controller.

This is intended to be used by the OLM operator, Catalog operator and
marketplace operator (but it will need to be copied). It will also be
used by the downstream PSM component.

Signed-off-by: Todd Short <todd.short@me.com>
Assisted-By: Claude
@tmshort
Copy link
Contributor Author

tmshort commented Jan 22, 2026

@camilamacedo86

After the changes, many MD files generated by CLAUDE are here. IM,O they should not get merged. We should have only a small README with the info consolidated and without emojis.

Can we change that?

Those files were not supposed to have been included in the PR. They were part of my code investigation.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 22, 2026
@openshift-ci
Copy link

openshift-ci bot commented Jan 22, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anik120

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 22, 2026
@anik120
Copy link
Member

anik120 commented Jan 22, 2026

Looks like ci added both the labels as soon as I approved it. I'll hold it for @camilamacedo86 to cancel the hold since she was reviewing it too

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 22, 2026
@openshift-merge-bot openshift-merge-bot bot merged commit 6fc19e0 into operator-framework:master Jan 22, 2026
16 of 21 checks passed
@tmshort tmshort deleted the apiserver branch January 22, 2026 15:29
@tmshort
Copy link
Contributor Author

tmshort commented Jan 22, 2026

Weird how this merged with failing tests... :(

@anik120
Copy link
Member

anik120 commented Jan 22, 2026

woah did the CI bot just totally go rouge here? XD

It added both the labels and didn't even care about the hold XD

Fwiw I was okay with this merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@camilamacedo86 camilamacedo86 camilamacedo86 left review comments

@anik120 anik120 anik120 approved these changes

@dtfranz dtfranz Awaiting requested review from dtfranz

Assignees

@anik120 anik120

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. qe-approved Signifies that QE has signed off on this PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tmshort @bandrade @camilamacedo86 @anik120