OPRUN-4411: Add APIServer TLS controller for OpenShift cluster-wide TLS configuration #3739

camilamacedo86 · 2026-01-21T17:44:01Z

Have we not a bug in some specific version / CVE that made we downgrade the version?
See: https://github.com/kubernetes-sigs/kubebuilder/blob/master/testdata/project-v4/cmd/main.go#L96-L105

Isn't it still valid?

HTTP version is different than TLS version.

What you're talking about is HTTP version, and the config is already done in server.go (lines not modified in this PR).

camilamacedo86 · 2026-01-21T17:44:49Z

I see we fail if not one of those right?

Correct; they specified an unknown TLS version, so we wouldn't know what to do.

-Original file line number
+Diff line change
@@ Expand Up / @@ -20,6 +20,7 @@ require ( @@
     	github.com/onsi/gomega v1.39.0
     	github.com/openshift/api v0.0.0-20251111193948-50e2ece149d7
     	github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235
+    	github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462
     	github.com/operator-framework/api v0.37.0
     	github.com/operator-framework/operator-registry v1.61.0
     	github.com/otiai10/copy v1.14.1
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
     github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
     github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
     github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+    github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
     github.com/hashicorp/golang-lru/arc/v2 v2.0.7 h1:QxkVTxwColcduO+LP7eJO56r2hFiG8zEbfAAzRv52KQ=
     github.com/hashicorp/golang-lru/arc/v2 v2.0.7/go.mod h1:Pe7gBlGdc8clY5LJ0LpJXMt5AmgmWNH1g+oFFVUHOEc=
     github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ Expand Down Expand Up @@
     github.com/openshift/api v0.0.0-20251111193948-50e2ece149d7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
     github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235 h1:9JBeIXmnHlpXTQPi7LPmu1jdxznBhAE7bb1K+3D8gxY=
     github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
+    github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462 h1:zX9Od4Jg8sVmwQLwk6Vd+BX7tcyC/462FVvDdzHEPPk=
+    github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462/go.mod h1:nIzWQQE49XbiKizVnVOip9CEB7HJ0hoJwNi3g3YKnKc=
     github.com/operator-framework/api v0.37.0 h1:2XCMWitBnumtJTqzip6LQKUwpM2pXVlt3gkpdlkbaCE=
     github.com/operator-framework/api v0.37.0/go.mod h1:NZs4vB+Jiamyv3pdPDjZtuC4U7KX0eq4z2r5hKY5fUA=
     github.com/operator-framework/operator-registry v1.61.0 h1:LgX6lP5hUHfpMTMygsnySc7PKxibzqIoqWUm6NPWl2M=
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -57,6 +57,7 @@ import ( @@
     	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/event"
     	index "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/index"
     	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/labeler"
+    	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/openshiftconfig"
     	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
     	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorlister"
     	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
@@ Expand Down Expand Up @@
     		return nil, err
     	}
-    	// setup proxy env var injection policies
+    	// Check if OpenShift config API is available (used by proxy and apiserver controllers)
     	discovery := config.operatorClient.KubernetesInterface().Discovery()
-    	proxyAPIExists, err := proxy.IsAPIAvailable(discovery)
+    	openshiftConfigAPIExists, err := openshiftconfig.IsAPIAvailable(discovery)
     	if err != nil {
-    		op.logger.Errorf("error happened while probing for Proxy API support - %v", err)
+    		op.logger.Errorf("error happened while probing for OpenShift config API support - %v", err)
     		return nil, err
     	}
+    	// setup proxy env var injection policies
     	proxyQuerierInUse := proxy.NoopQuerier()
-    	if proxyAPIExists {
+    	if openshiftConfigAPIExists {
     		op.logger.Info("OpenShift Proxy API  available - setting up watch for Proxy type")
-    		proxyInformer, proxySyncer, proxyQuerier, err := proxy.NewSyncer(op.logger, config.configClient, discovery)
+    		proxyInformer, proxySyncer, proxyQuerier, err := proxy.NewSyncer(op.logger, config.configClient)
     		if err != nil {
     			err = fmt.Errorf("failed to initialize syncer for Proxy type - %v", err)
     			return nil, err
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -0,0 +1,35 @@
+    package apiserver
+    import (
+    	"crypto/tls"
+    	"fmt"
+    )
+    // NoopQuerier returns an instance of noopQuerier. It's used for upstream where
+    // we don't have any apiserver.config.openshift.io/cluster resource.
+    func NoopQuerier() Querier {
+    	return &noopQuerier{}
+    }
+    // Querier is an interface that wraps the QueryTLSConfig method.
+    //
+    // QueryTLSConfig updates the provided TLS configuration with cluster-wide
+    // TLS security profile settings (MinVersion, CipherSuites, PreferServerCipherSuites).
+    type Querier interface {
+    	QueryTLSConfig(config *tls.Config) error
+    }
+    type noopQuerier struct {
+    }
+    // QueryTLSConfig applies secure default TLS settings to the provided config.
+    // This is used on non-OpenShift clusters where there is no apiserver.config.openshift.io/cluster resource,
+    // but we still want to ensure secure TLS configuration.
+    func (*noopQuerier) QueryTLSConfig(config *tls.Config) error {
+    	if config == nil {
+    		return fmt.Errorf("tls.Config cannot be nil")
+    	}
+    	// Apply secure defaults for non-OpenShift clusters
+    	return ApplySecureDefaults(config)
+    }

-Original file line number
+Diff line change
@@ -0,0 +1,86 @@
+    package apiserver_test
+    import (
+    	"crypto/tls"
+    	"testing"
+    	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/apiserver"
+    	"github.com/stretchr/testify/assert"
+    	"github.com/stretchr/testify/require"
+    )
+    func TestNoopQuerier_QueryTLSConfig(t *testing.T) {
+    	tests := []struct {
+    		name        string
+    		config      *tls.Config
+    		expectError bool
+    		errorMsg    string
+    	}{
+    		{
+    			name:        "WithNilConfig",
+    			config:      nil,
+    			expectError: true,
+    			errorMsg:    "tls.Config cannot be nil",
+    		},
+    		{
+    			name:        "WithEmptyConfig",
+    			config:      &tls.Config{},
+    			expectError: false,
+    		},
+    		{
+    			name: "WithPartialConfig",
+    			config: &tls.Config{
+    				MinVersion: tls.VersionTLS12,
+    			},
+    			expectError: false,
+    		},
+    	}
+    	for _, tt := range tests {
+    		t.Run(tt.name, func(t *testing.T) {
+    			querier := apiserver.NoopQuerier()
+    			err := querier.QueryTLSConfig(tt.config)
+    			if tt.expectError {
+    				require.Error(t, err)
+    				assert.Contains(t, err.Error(), tt.errorMsg)
+    			} else {
+    				require.NoError(t, err)
+    				// Verify secure defaults are applied
+    				assert.NotZero(t, tt.config.MinVersion, "MinVersion should be set to a default")
+    				assert.NotEmpty(t, tt.config.CipherSuites, "CipherSuites should be set to defaults")
+    				assert.True(t, tt.config.PreferServerCipherSuites, "PreferServerCipherSuites should be true")
+    			}
+    		})
+    	}
+    }
+    func TestNoopQuerier_AppliesSecureDefaults(t *testing.T) {
+    	querier := apiserver.NoopQuerier()
+    	config := &tls.Config{}
+    	err := querier.QueryTLSConfig(config)
+    	require.NoError(t, err)
+    	// Verify secure defaults
+    	assert.GreaterOrEqual(t, config.MinVersion, uint16(tls.VersionTLS12), "Should use at least TLS 1.2")
+    	assert.NotEmpty(t, config.CipherSuites, "Should have cipher suites configured")
+    	// Verify cipher suites are valid
+    	for _, cipher := range config.CipherSuites {
+    		assert.NotZero(t, cipher, "Cipher suite should not be zero")
+    	}
+    }
+    func TestNoopQuerier_DoesNotOverwriteNonZeroMinVersion(t *testing.T) {
+    	querier := apiserver.NoopQuerier()
+    	config := &tls.Config{
+    		MinVersion: tls.VersionTLS13,
+    	}
+    	err := querier.QueryTLSConfig(config)
+    	require.NoError(t, err)
+    	// MinVersion should be preserved if already set
+    	assert.Equal(t, uint16(tls.VersionTLS13), config.MinVersion, "Should preserve existing MinVersion")
+    }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OPRUN-4411: Add APIServer TLS controller for OpenShift cluster-wide TLS configuration #3739

Uh oh!

Diff view

Diff view

There are no files selected for viewing

camilamacedo86 Jan 21, 2026

Uh oh!

tmshort Jan 21, 2026 •

edited

Loading

Uh oh!

camilamacedo86 Jan 21, 2026

Uh oh!

tmshort Jan 21, 2026

Uh oh!

Uh oh!

Uh oh!

-Original file line number
+Diff line change
@@ -0,0 +1,212 @@
+    package apiserver
+    import (
+    	"crypto/tls"
+    	"fmt"
+    	"sync"
+    	"time"
+    	"github.com/openshift/client-go/config/informers/externalversions"
+    	apiconfigv1 "github.com/openshift/api/config/v1"
+    	configv1client "github.com/openshift/client-go/config/clientset/versioned"
+    	configv1 "github.com/openshift/client-go/config/informers/externalversions/config/v1"
+    	"github.com/sirupsen/logrus"
+    	"k8s.io/client-go/tools/cache"
+    )
+    const (
+    	// This is the cluster level global apiserver.config.openshift.io/cluster object name.
+    	globalAPIServerName = "cluster"
+    	// default sync interval
+    	defaultSyncInterval = 30 * time.Minute
+    )
+    // NewSyncer returns informer and sync functions to enable watch of the apiserver.config.openshift.io/cluster resource.
+    func NewSyncer(logger *logrus.Logger, client configv1client.Interface) (apiServerInformer configv1.APIServerInformer, syncer *Syncer, querier Querier, factory externalversions.SharedInformerFactory, err error) {
+    	factory = externalversions.NewSharedInformerFactoryWithOptions(client, defaultSyncInterval)
+    	apiServerInformer = factory.Config().V1().APIServers()
+    	s := &Syncer{
+    		logger:        logger,
+    		currentConfig: newTLSConfigHolder(),
+    	}
+    	syncer = s
+    	querier = s
+    	return
+    }
+    // RegisterEventHandlers registers event handlers for apiserver.config.openshift.io/cluster resource changes.
+    // This is a convenience function to set up Add/Update/Delete handlers that call
+    // the syncer's SyncAPIServer and HandleAPIServerDelete methods.
+    func RegisterEventHandlers(informer configv1.APIServerInformer, syncer *Syncer) {
+    	informer.Informer().AddEventHandler(&cache.ResourceEventHandlerFuncs{
+    		AddFunc: func(obj interface{}) {
+    			if err := syncer.SyncAPIServer(obj); err != nil {
+    				syncer.logger.WithError(err).Error("error syncing APIServer on add")
+    			}
+    		},
+    		UpdateFunc: func(_, newObj interface{}) {
+    			if err := syncer.SyncAPIServer(newObj); err != nil {
+    				syncer.logger.WithError(err).Error("error syncing APIServer on update")
+    			}
+    		},
+    		DeleteFunc: func(obj interface{}) {
+    			syncer.HandleAPIServerDelete(obj)
+    		},
+    	})
+    }
+    // Syncer deals with watching APIServer type(s) on the cluster and let the caller
+    // query for cluster scoped APIServer TLS configuration.
+    type Syncer struct {
+    	logger        *logrus.Logger
+    	currentConfig *tlsConfigHolder
+    }
+    // tlsConfigHolder holds TLS configuration in a thread-safe manner.
+    // It always contains a valid configuration with secure defaults.
+    type tlsConfigHolder struct {
+    	mu     sync.RWMutex
+    	config tls.Config
+    }
+    // newTLSConfigHolder creates a new holder initialized with secure defaults.
+    func newTLSConfigHolder() *tlsConfigHolder {
+    	h := &tlsConfigHolder{}
+    	// Initialize with secure defaults
+    	_ = ApplySecureDefaults(&h.config)
+    	return h
+    }
+    // update atomically updates the stored TLS configuration.
+    func (h *tlsConfigHolder) update(minVersion uint16, cipherSuites []uint16) {
+    	h.mu.Lock()
+    	defer h.mu.Unlock()
+    	h.config.MinVersion = minVersion
+    	// Make a defensive copy of the slice
+    	h.config.CipherSuites = make([]uint16, len(cipherSuites))
+    	copy(h.config.CipherSuites, cipherSuites)
+    	h.config.PreferServerCipherSuites = true
+    }
+    // copyTo atomically copies the cached TLS settings to the provided config.
+    // All reading and copying happens under the read lock, ensuring thread safety.
+    func (h *tlsConfigHolder) copyTo(config *tls.Config) {
+    	h.mu.RLock()
+    	defer h.mu.RUnlock()
+    	// Copy all fields while holding the lock
+    	config.MinVersion = h.config.MinVersion
+    	config.CipherSuites = make([]uint16, len(h.config.CipherSuites))
+    	copy(config.CipherSuites, h.config.CipherSuites)
+    	config.PreferServerCipherSuites = h.config.PreferServerCipherSuites
+    }
+    // QueryTLSConfig queries the global cluster level APIServer object and updates
+    // the provided TLS configuration with the cluster-wide security profile settings.
+    func (w *Syncer) QueryTLSConfig(config *tls.Config) error {
+    	if config == nil {
+    		return fmt.Errorf("tls.Config cannot be nil")
+    	}
+    	// Copy the current cached config atomically
+    	// This always succeeds because currentConfig always has a valid value
+    	w.currentConfig.copyTo(config)
+    	return nil
+    }
+    // SyncAPIServer is invoked when a cluster scoped APIServer object is added or modified.
+    func (w *Syncer) SyncAPIServer(object interface{}) error {
+    	apiserver, ok := object.(*apiconfigv1.APIServer)
+    	if !ok {
+    		w.logger.Error("wrong type in APIServer syncer")
+    		return nil
+    	}
+    	// Convert the TLS security profile to get new settings
+    	minVersion, cipherSuites := GetSecurityProfileConfig(apiserver.Spec.TLSSecurityProfile)
+    	// Check if configuration changed (before updating)
+    	changed := w.hasConfigChanged(minVersion, cipherSuites)
+    	// Update the stored configuration atomically
+    	w.currentConfig.update(minVersion, cipherSuites)
+    	// Log if configuration changed
+    	if changed {
+    		profileName := getProfileName(apiserver.Spec.TLSSecurityProfile)
+    		w.logger.Infof("APIServer TLS configuration changed: profile=%s, minVersion=%s, cipherCount=%d",
+    			profileName,
+    			tlsVersionToString(minVersion),
+    			len(cipherSuites))
+    	}
+    	return nil
+    }
+    // HandleAPIServerDelete is invoked when a cluster scoped APIServer object is deleted.
+    func (w *Syncer) HandleAPIServerDelete(object interface{}) {
+    	_, ok := object.(*apiconfigv1.APIServer)
+    	if !ok {
+    		w.logger.Error("wrong type in APIServer delete syncer")
+    		return
+    	}
+    	// Reset to secure defaults (Intermediate profile)
+    	w.currentConfig.update(GetSecurityProfileConfig(nil))
+    	w.logger.Info("APIServer TLS configuration deleted, reverted to secure defaults")
+    	return
+    }
+    // hasConfigChanged checks if the new TLS settings differ from the current cached settings.
+    func (w *Syncer) hasConfigChanged(minVersion uint16, cipherSuites []uint16) bool {
+    	w.currentConfig.mu.RLock()
+    	defer w.currentConfig.mu.RUnlock()
+    	if w.currentConfig.config.MinVersion != minVersion {
+    		return true
+    	}
+    	if len(w.currentConfig.config.CipherSuites) != len(cipherSuites) {
+    		return true
+    	}
+    	for i := range cipherSuites {
+    		if w.currentConfig.config.CipherSuites[i] != cipherSuites[i] {
+    			return true
+    		}
+    	}
+    	return false
+    }
+    // getProfileName returns the TLS security profile name for logging.
+    func getProfileName(profile *apiconfigv1.TLSSecurityProfile) string {
+    	if profile == nil {
+    		return "Intermediate (default)"
+    	}
+    	profileType := string(profile.Type)
+    	if profileType == "" {
+    		return "Intermediate (default)"
+    	}
+    	return profileType
+    }
+    // tlsVersionToString converts a TLS version number to a string
+    func tlsVersionToString(version uint16) string {
+    	switch version {
+    	case tls.VersionTLS10:
+    		return "TLS 1.0"
+    	case tls.VersionTLS11:
+    		return "TLS 1.1"
+    	case tls.VersionTLS12:
+    		return "TLS 1.2"
+    	case tls.VersionTLS13:
+    		return "TLS 1.3"
+    	default:
+    		return "unknown"
+    	}
+    }

OPRUN-4411: Add APIServer TLS controller for OpenShift cluster-wide TLS configuration #3739

Uh oh!

OPRUN-4411: Add APIServer TLS controller for OpenShift cluster-wide TLS configuration #3739

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

camilamacedo86 Jan 21, 2026

Choose a reason for hiding this comment

Uh oh!

tmshort Jan 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

camilamacedo86 Jan 21, 2026

Choose a reason for hiding this comment

Uh oh!

tmshort Jan 21, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

tmshort Jan 21, 2026 •

edited

Loading