76 changes: 65 additions & 11 deletions cmd/cluster-cloud-controller-manager-operator/main.go
Expand Up @@ -17,6 +17,8 @@ limitations under the License.
package main

import (
"context"
"crypto/tls"
"errors"
"flag"
"os"
Expand Down Expand Up @@ -47,6 +49,7 @@ import (
operatorv1 "github.com/openshift/api/operator/v1"
configv1client "github.com/openshift/client-go/config/clientset/versioned"
configinformers "github.com/openshift/client-go/config/informers/externalversions"
utiltls "github.com/openshift/controller-runtime-common/pkg/tls"
"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
"github.com/openshift/library-go/pkg/operator/events"
rbacv1 "k8s.io/api/rbac/v1"
Expand Down Expand Up @@ -84,10 +87,16 @@ func main() {

metricsAddr := flag.String(
"metrics-bind-address",
":8080",
":9258",
"Address for hosting metrics",
)

webhookPort := flag.Int(
"webhook-port",
9443,
"Webhook Server port",
)

healthAddr := flag.String(
"health-addr",
":9440",
Expand Down Expand Up @@ -121,13 +130,38 @@ func main() {
LeaseDuration: leaderElectionConfig.LeaseDuration,
})

ctx := ctrl.SetupSignalHandler()
// Create a cancellable context so the TLS controller can trigger a shutdown
ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
// Ensure the context is cancelled when the program exits.
defer cancel()

k8sClient, err := client.New(restConfig, client.Options{Scheme: scheme})
if err != nil {
setupLog.Error(err, "unable to create Kubernetes client")
os.Exit(1)
}

// Fetch the TLS profile from the APIServer resource.
tlsProfileSpec, err := utiltls.FetchAPIServerTLSProfile(ctx, k8sClient)
if err != nil {
setupLog.Error(err, "unable to get TLS profile from API server")
os.Exit(1)
}

// Create the TLS configuration function for the server endpoints.
tlsConfigFunc, unsupportedCiphers := utiltls.NewTLSConfigFromProfile(tlsProfileSpec)
if len(unsupportedCiphers) > 0 {
setupLog.Info("Some ciphers from TLS profile are not supported", "unsupportedCiphers", unsupportedCiphers)
}
tlsOpts := []func(*tls.Config){tlsConfigFunc}

syncPeriod := 10 * time.Minute
mgr, err := ctrl.NewManager(restConfig, ctrl.Options{
Scheme: scheme,
Metrics: metricsserver.Options{
BindAddress: *metricsAddr,
BindAddress: *metricsAddr,
SecureServing: true,
TLSOpts: tlsOpts,
},
Cache: cache.Options{
// For roles/rolebindings specifically, we need to also watch kube-system.
Expand All @@ -152,16 +186,18 @@ func main() {
},
WebhookServer: &webhook.DefaultServer{
Options: webhook.Options{
Port: 9443,
Port: *webhookPort,
TLSOpts: tlsOpts,
},
},
HealthProbeBindAddress: *healthAddr,
LeaderElectionNamespace: leaderElectionConfig.ResourceNamespace,
LeaderElection: leaderElectionConfig.LeaderElect,
LeaderElectionID: leaderElectionConfig.ResourceName,
LeaseDuration: &le.LeaseDuration.Duration,
RetryPeriod: &le.RetryPeriod.Duration,
RenewDeadline: &le.RenewDeadline.Duration,
HealthProbeBindAddress: *healthAddr,
LeaderElectionReleaseOnCancel: true,
LeaderElectionNamespace: leaderElectionConfig.ResourceNamespace,
LeaderElection: leaderElectionConfig.LeaderElect,
LeaderElectionID: leaderElectionConfig.ResourceName,
LeaseDuration: &le.LeaseDuration.Duration,
RetryPeriod: &le.RetryPeriod.Duration,
RenewDeadline: &le.RenewDeadline.Duration,
})
if err != nil {
setupLog.Error(err, "unable to start manager")
Expand Down Expand Up @@ -227,10 +263,28 @@ func main() {
Scheme: mgr.GetScheme(),
ImagesFile: *imagesFile,
FeatureGateAccess: featureGateAccessor,
TLSProfileSpec: tlsProfileSpec,
}).SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "ClusterOperator")
os.Exit(1)
}

// Set up the TLS security profile watcher to watch for TLS config changes
if err = (&utiltls.SecurityProfileWatcher{
Client: mgr.GetClient(),
InitialTLSProfileSpec: tlsProfileSpec,
OnProfileChange: func(oldTLSProfileSpec, newTLSProfileSpec configv1.TLSProfileSpec) {
klog.Infof("TLS profile has changed, initiating a shutdown to reload it. %q: %+v, %q: %+v",
"old profile", oldTLSProfileSpec,
"new profile", newTLSProfileSpec,
)
cancel()
},
}).SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "TLSSecurityProfileWatcher")
os.Exit(1)
}

// +kubebuilder:scaffold:builder

if err := mgr.AddHealthzCheck("health", healthz.Ping); err != nil {
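Review bot: Turning on `SecureServing: true` for the metrics server (the `metricsserver.Options` literal in the `ctrl.NewManager` call) encrypts the endpoint but, with no `FilterProvider` set, leaves it unauthenticated, so anything that can reach `:9258` can scrape metrics; unless a kube-rbac-proxy sidecar already fronts it (not visible here), add `FilterProvider: filters.WithAuthenticationAndAuthorization,` from controller-runtime's `pkg/metrics/filters` alongside `TLSOpts`. As far as I can tell no serving cert directory is configured either, so controller-runtime will presumably fall back to a self-signed certificate that scrapers cannot verify — confirm how the cert is provisioned. `LeaderElectionReleaseOnCancel: true` (also added in cmd/config-sync-controllers/main.go) is only safe when the binary exits as soon as `mgr.Start` returns; `main` starts and ends outside this hunk, so please verify nothing keeps running after the manager stops, and consider a comment such as `// ReleaseOnCancel: the process must exit immediately after mgr.Start returns.`. In the `OnProfileChange` callback, the `klog.Infof` with `%q: %+v` pairs reads oddly next to the structured `setupLog` used everywhere else in this file; `setupLog.Info("TLS profile changed, shutting down to reload it", "oldProfile", oldTLSProfileSpec, "newProfile", newTLSProfileSpec)` would be consistent.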
15 changes: 8 additions & 7 deletions cmd/config-sync-controllers/main.go
Expand Up @@ -130,13 +130,14 @@ func main() {
restmapper.OpenshiftConfigGroup,
),
),
LeaderElectionNamespace: leaderElectionConfig.ResourceNamespace,
LeaderElection: leaderElectionConfig.LeaderElect,
LeaderElectionID: leaderElectionConfig.ResourceName,
LeaseDuration: &le.LeaseDuration.Duration,
RetryPeriod: &le.RetryPeriod.Duration,
RenewDeadline: &le.RenewDeadline.Duration,
Cache: cacheOptions,
LeaderElectionReleaseOnCancel: true,
LeaderElectionNamespace: leaderElectionConfig.ResourceNamespace,
LeaderElection: leaderElectionConfig.LeaderElect,
LeaderElectionID: leaderElectionConfig.ResourceName,
LeaseDuration: &le.LeaseDuration.Duration,
RetryPeriod: &le.RetryPeriod.Duration,
RenewDeadline: &le.RenewDeadline.Duration,
Cache: cacheOptions,
})
if err != nil {
setupLog.Error(err, "unable to start manager")
57 changes: 29 additions & 28 deletions go.mod
Expand Up @@ -6,31 +6,32 @@ require (
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
github.com/go-logr/logr v1.4.3
github.com/golangci/golangci-lint v1.62.2
github.com/onsi/ginkgo/v2 v2.25.1
github.com/onsi/gomega v1.38.1
github.com/openshift/api v0.0.0-20251015095338-264e80a2b6e7
github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235
github.com/onsi/ginkgo/v2 v2.28.1
github.com/onsi/gomega v1.39.1
github.com/openshift/api v0.0.0-20260130140113-71e91db96ffc
github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13
github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250122171707-86066d47a264
github.com/openshift/library-go v0.0.0-20251029104758-277736d6f195
github.com/openshift/controller-runtime-common v0.0.0-20260204183245-642129afd14f
github.com/openshift/library-go v0.0.0-20260204111611-b7d4fa0e292a
github.com/spf13/cobra v1.9.1
github.com/spf13/pflag v1.0.7
github.com/spf13/pflag v1.0.9
github.com/stretchr/testify v1.11.1
gopkg.in/gcfg.v1 v1.2.3
gopkg.in/ini.v1 v1.67.0
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.34.1
k8s.io/apiextensions-apiserver v0.34.1
k8s.io/apimachinery v0.34.1
k8s.io/client-go v0.34.1
k8s.io/api v0.34.3
k8s.io/apiextensions-apiserver v0.34.3
k8s.io/apimachinery v0.34.3
k8s.io/client-go v0.34.3
k8s.io/cloud-provider-aws v1.34.1-0.20250912204608-8a0025b4efb1
k8s.io/cloud-provider-vsphere v1.34.0
k8s.io/component-base v0.34.1
k8s.io/component-base v0.34.3
k8s.io/controller-manager v0.34.0
k8s.io/klog/v2 v2.130.1
k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d
k8s.io/utils v0.0.0-20260108192941-914a6e750570
sigs.k8s.io/cloud-provider-azure v1.34.1
sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.9.2
sigs.k8s.io/controller-runtime v0.22.4
sigs.k8s.io/controller-runtime v0.22.5
sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20251103140007-7a1b16d039d2
sigs.k8s.io/controller-tools v0.17.1
sigs.k8s.io/yaml v1.6.0
Expand Down Expand Up @@ -145,7 +146,7 @@ require (
github.com/google/btree v1.1.3 // indirect
github.com/google/gnostic-models v0.7.0 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 // indirect
github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/gordonklaus/ineffassign v0.1.0 // indirect
github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
Expand Down Expand Up @@ -199,9 +200,9 @@ require (
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/polyfloyd/go-errorlint v1.7.0 // indirect
github.com/prometheus/client_golang v1.23.0 // indirect
github.com/prometheus/client_golang v1.23.2 // indirect
github.com/prometheus/client_model v0.6.2 // indirect
github.com/prometheus/common v0.65.0 // indirect
github.com/prometheus/common v0.66.1 // indirect
github.com/prometheus/procfs v0.17.0 // indirect
github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1 // indirect
github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
Expand Down Expand Up @@ -260,35 +261,35 @@ require (
go.uber.org/mock v0.6.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.42.0 // indirect
golang.org/x/crypto v0.47.0 // indirect
golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b // indirect
golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f // indirect
golang.org/x/mod v0.27.0 // indirect
golang.org/x/net v0.43.0 // indirect
golang.org/x/mod v0.32.0 // indirect
golang.org/x/net v0.49.0 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/sync v0.17.0 // indirect
golang.org/x/sys v0.36.0 // indirect
golang.org/x/term v0.35.0 // indirect
golang.org/x/text v0.29.0 // indirect
golang.org/x/sync v0.19.0 // indirect
golang.org/x/sys v0.40.0 // indirect
golang.org/x/term v0.39.0 // indirect
golang.org/x/text v0.33.0 // indirect
golang.org/x/time v0.12.0 // indirect
golang.org/x/tools v0.36.0 // indirect
golang.org/x/tools v0.41.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/protobuf v1.36.8 // indirect
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
honnef.co/go/tools v0.5.1 // indirect
k8s.io/apiserver v0.34.1 // indirect
k8s.io/apiserver v0.34.3 // indirect
k8s.io/kube-aggregator v0.34.1 // indirect
k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 // indirect
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
mvdan.cc/gofumpt v0.7.0 // indirect
mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.8.4 // indirect
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect
)