openshift
diff --git a/‎config/v1/types_apiserver.go‎
Lines changed: 38 additions & 0 deletions b/‎config/v1/types_apiserver.go‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml‎
Lines changed: 24 additions & 0 deletions b/‎config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎config/v1/zz_generated.featuregated-crd-manifests.yaml‎
Lines changed: 1 addition & 0 deletions b/‎config/v1/zz_generated.featuregated-crd-manifests.yaml‎
Lines changed: 1 addition & 0 deletions
@@ -62,6 +62,27 @@ type APIServerSpec struct {
 	// The current default is the Intermediate profile.
 	// +optional
 	TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
+	// tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
+	// configured on this APIServer resource.
+	//
+	// Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+	//
+	// When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor
+	// the configured TLS profile but may fall back to their individual defaults if conflicts arise.
+	// This mode is intended for clusters that need to maintain compatibility with existing
+	// configurations during migration.
+	//
+	// When set to "StrictAllComponents", all components must strictly honor the configured TLS profile.
+	// This mode is recommended for security-conscious deployments and is required for
+	// certain compliance frameworks.
+	//
+	// Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+	// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+	//
+	// When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
+	// +openshift:enable:FeatureGate=TLSAdherence
+	// +optional
+	TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`
 	// audit specifies the settings for audit configuration to be applied to all OpenShift-provided
 	// API servers in the cluster.
 	// +optional
@@ -237,6 +258,23 @@ const (
 type APIServerStatus struct {
 }
 
+// TLSAdherencePolicy defines how strictly components adhere to the TLS security profile.
+// +kubebuilder:validation:Enum=LegacyExternalAPIServerComponentsOnly;StrictAllComponents
+type TLSAdherencePolicy string
+
+const (
+	// TLSAdherenceLegacyExternalAPIServerComponentsOnly provides backward-compatible behavior
+	// where components attempt to honor the configured TLS profile but may fall back to their
+	// individual defaults if conflicts arise. This mode is intended for clusters that need to
+	// maintain compatibility with existing configurations during migration.
+	TLSAdherenceLegacyExternalAPIServerComponentsOnly TLSAdherencePolicy = "LegacyExternalAPIServerComponentsOnly"
+
+	// TLSAdherenceStrictAllComponents enforces strict adherence to the TLS configuration.
+	// All components must honor the configured profile. This mode is recommended for
+	// security-conscious deployments and is required for certain compliance frameworks.
+	TLSAdherenceStrictAllComponents TLSAdherencePolicy = "StrictAllComponents"
+)
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 
@@ -292,6 +292,30 @@ spec:
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object
+              tlsAdherence:
+                description: |-
+                  tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
+                  configured on this APIServer resource.
+
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+
+                  When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor
+                  the configured TLS profile but may fall back to their individual defaults if conflicts arise.
+                  This mode is intended for clusters that need to maintain compatibility with existing
+                  configurations during migration.
+
+                  When set to "StrictAllComponents", all components must strictly honor the configured TLS profile.
+                  This mode is recommended for security-conscious deployments and is required for
+                  certain compliance frameworks.
+
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+                  and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+
+                  When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
+                enum:
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
+                type: string
               tlsSecurityProfile:
                 description: |-
                   tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
 
@@ -8,6 +8,7 @@ apiservers.config.openshift.io:
   FeatureGates:
   - KMSEncryption
   - KMSEncryptionProvider
+  - TLSAdherence
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_10"