Skip to content

CNTRLPLANE-2620: propagate global tls config to operand#407

Open
ricardomaraschini wants to merge 3 commits intoopenshift:masterfrom
ricardomaraschini:cntrlplane-2620
Open

CNTRLPLANE-2620: propagate global tls config to operand#407
ricardomaraschini wants to merge 3 commits intoopenshift:masterfrom
ricardomaraschini:cntrlplane-2620

Conversation

@ricardomaraschini
Copy link
Contributor

@ricardomaraschini ricardomaraschini commented Feb 3, 2026
edited
Loading

Observe the global apiserver tls config and propagates it to the operand in case of changes. this seems to affect only liveness and readiness probes in the operand. nonetheless getting this done will avoid a false positive later on if (tls-scanner may flag this as an issue).

This is mostly vendoring.

@ricardomaraschini
CNTRLPLANE-2620: bump github.com/openshift/library-go
44f341c 
bump library-go so we can use the default tls sync controller.
@ricardomaraschini
CNTRLPLANE-2620: vendor github.com/openshift/library-go/pkg/operator/…
5282921 
…configobserver
@ricardomaraschini
CNTRLPLANE-2620: propagate global tls config to operand
2e329e3 
observe the global apiserver tls config and propagates it to the operand
in case of changes. this seems to affect only liveness and readiness
probes in the operand. nonetheless getting this done will avoid a
"false" positive later on if (tls-scanner may flag this as an issue).
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 3, 2026
edited by openshift-ci bot
Loading

@ricardomaraschini: This pull request references CNTRLPLANE-2620 which is a valid jira issue.

Details

In response to this:

Observe the global apiserver tls config and propagates it to the operand in case of changes. this seems to affect only liveness and readiness probes in the operand. nonetheless getting this done will avoid a false positive later on if (tls-scanner may flag this as an issue).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 3, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 3, 2026
edited by openshift-ci bot
Loading

@ricardomaraschini: This pull request references CNTRLPLANE-2620 which is a valid jira issue.

Details

In response to this:

Observe the global apiserver tls config and propagates it to the operand in case of changes. this seems to affect only liveness and readiness probes in the operand. nonetheless getting this done will avoid a false positive later on if (tls-scanner may flag this as an issue).

This is mostly vendoring.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from bparees and divyansh42 February 3, 2026 11:37
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 3, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ricardomaraschini
Once this PR has been reviewed and has the lgtm label, please assign sayan-biswas for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ingvagabund
Copy link
Member

ingvagabund commented Feb 3, 2026
edited
Loading

From https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-openshift-controller-manager-operator/407/pull-ci-openshift-cluster-openshift-controller-manager-operator-master-e2e-aws-operator/2018649198425018368/artifacts/e2e-aws-operator/gather-extra/artifacts/configmaps.json:

$ cat configmaps.json | jq '.items[] | select(has("metadata")) | select(.metadata!=null) | select(.metadata.name=="config") | select(.metadata.namespace=="openshift-controller-manager") '
{
  "apiVersion": "v1",
  "data": {
    "config.yaml": "{\"apiVersion\":\"openshiftcontrolplane.config.openshift.io/v1\",\"build\":{\"buildDefaults\":{\"resources\":{}},\"imageTemplateFormat\":{\"format\":\"quay-proxy.ci.openshift.org/openshift/ci@sha256:d3e7c4f338ae4f7069bce17a000e349c04a752a4ec5c9db05a70b27fac1ede7e\"}},\"controllers\":[\"openshift.io/build\",\"openshift.io/build-config-change\",\"openshift.io/builder-rolebindings\",\"openshift.io/builder-serviceaccount\",\"-openshift.io/default-rolebindings\",\"openshift.io/deployer\",\"openshift.io/deployer-rolebindings\",\"openshift.io/deployer-serviceaccount\",\"openshift.io/deploymentconfig\",\"openshift.io/image-import\",\"openshift.io/image-puller-rolebindings\",\"openshift.io/image-signature-import\",\"openshift.io/image-trigger\",\"openshift.io/ingress-ip\",\"openshift.io/ingress-to-route\",\"openshift.io/origin-namespace\",\"openshift.io/serviceaccount\",\"openshift.io/serviceaccount-pull-secrets\",\"openshift.io/templateinstance\",\"openshift.io/templateinstancefinalizer\",\"openshift.io/unidling\"],\"deployer\":{\"imageTemplateFormat\":{\"format\":\"quay-proxy.ci.openshift.org/openshift/ci@sha256:ac4d202b22059dbfeab08696433edc22f837b28a05ffbdc6f23d97640c632ed2\"}},\"dockerPullSecret\":{\"internalRegistryHostname\":\"image-registry.openshift-image-registry.svc:5000\"},\"featureGates\":[\"BuildCSIVolumes=true\"],\"ingress\":{\"ingressIPNetworkCIDR\":\"\"},\"kind\":\"OpenShiftControllerManagerConfig\",\"leaderElection\":{\"name\":\"openshift-master-controllers\"},\"servingInfo\":{\"cipherSuites\":[\"TLS_AES_128_GCM_SHA256\",\"TLS_AES_256_GCM_SHA384\",\"TLS_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"],\"minTLSVersion\":\"VersionTLS12\"}}\n",
    "openshift-controller-manager.client-ca.configmap": "es-xvA==",
    "openshift-controller-manager.openshift-global-ca.configmap": "b3aTLg==",
    "openshift-controller-manager.serving-cert.secret": "RQeeBQ=="
  },
  "kind": "ConfigMap",
  "metadata": {
    "creationTimestamp": "2026-02-03T12:19:21Z",
    "name": "config",
    "namespace": "openshift-controller-manager",
    "resourceVersion": "32438",
    "uid": "4a2625f2-d3ce-4998-b15c-15d1b1ecda44"
  }
}

TLS config injected:

$ cat configmaps.json | jq '.items[] | select(has("metadata")) | select(.metadata!=null) | select(.metadata.name=="config") | select(.metadata.namespace=="openshift-controller-manager") | .data["config.yaml"]' | jq 'fromjson | .servingInfo '
{
  "cipherSuites": [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  ],
  "minTLSVersion": "VersionTLS12"
}

@ricardomaraschini
Copy link
Contributor Author

ricardomaraschini commented Feb 3, 2026

Faulty CI does not seem to be related to the change.

/retest

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 3, 2026

@ricardomaraschini: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bparees bparees Awaiting requested review from bparees

@divyansh42 divyansh42 Awaiting requested review from divyansh42

Assignees

No one assigned

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ricardomaraschini @openshift-ci-robot @ingvagabund