PSAP-2185: Support centralized TLS security profile configuration

[jmencak]

Add support for the OpenShift centralized TLS security profile feature, allowing the operator to dynamically configure its webhook and metrics servers based on the cluster's APIServer TLS settings.

The operator now:

• Fetches the TLS security profile from the cluster's APIServer resource at startup
• Applies the TLS configuration to both the webhook and metrics servers
• Watches for changes to the APIServer TLS profile and gracefully restarts to apply updates

This ensures the operator respects cluster-wide TLS policy for all its server endpoints.

The implementation works for both classic OpenShift clusters and HyperShift hosted clusters. In HyperShift mode, the operator fetches the TLS profile from the hosted cluster's APIServer.

Changes:

• Import controller-runtime-common library for TLS profile utilities.
• Add SecurityProfileWatcher controller to monitor APIServer changes.
• Update RBAC to allow access to "config.openshift.io/apiservers".
• Configure metrics/webhook servers with central TLS settings.
• Add fallback to default profile on errors.

Resolves: PSAP-2185; also see: OCPSTRAT-2611

Summary by CodeRabbit

• New Features

  • Operator now supports dynamic TLS profile management with graceful reloads when profiles change.

• Chores

  • Updated test framework to v2.28.1.
  • Added new controller-runtime utilities dependency.
  • Enhanced RBAC permissions for API server configuration access.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 87294aa2-2117-4bf4-b10c-cc043476db48

📥 Commits

Reviewing files that changed from the base of the PR and between 8454836 and 1eef509.

⛔ Files ignored due to path filters (5)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/controller-runtime-common/LICENSE is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/controller-runtime-common/pkg/tls/controller.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/controller-runtime-common/pkg/tls/tls.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (4)

• cmd/cluster-node-tuning-operator/main.go
• go.mod
• manifests/40-rbac.yaml
• pkg/metrics/server.go

---

Walkthrough

The PR implements dynamic TLS profile loading in the cluster node tuning operator. It introduces initial TLS profile fetching from the API server with a fallback mechanism, adds a TLS profile watcher for detecting changes, and enables graceful context-based lifecycle management. The metrics server gains an injectable TLS configuration hook, and RBAC rules are updated to permit API server access.

Changes

Cohort / File(s)	Summary
Dynamic TLS Profile Loading cmd/cluster-node-tuning-operator/main.go	Introduces getInitialTLSProfile() to fetch TLS profile from API server with fallback to defaults, and setupTLSProfileWatcher() to trigger context cancellation on profile changes. Replaces signal-handler startup with cancellable context management tied to TLS profile updates.
Metrics Server TLS Configuration pkg/metrics/server.go	Adds tlsConfigFunc field and SetTLSConfigFunc() to enable external TLS configuration injection. Allows customization of TLS settings before NextProtos finalization, replacing hard-coded TLS policies.
RBAC and Dependencies manifests/40-rbac.yaml, go.mod	Adds RBAC rule for get/list/watch on config.openshift.io/apiservers. Updates ginkgo/v2 from v2.28.0 to v2.28.1 and adds new dependency on github.com/openshift/controller-runtime-common.

Sequence Diagram(s)

sequenceDiagram
    participant Startup as Operator Startup
    participant APIServer as API Server
    participant TLSFetch as getInitialTLSProfile
    participant Manager as Manager
    participant Watcher as TLS Profile Watcher
    participant Context as Cancellable Context

    Startup->>TLSFetch: Initiate TLS profile loading
    TLSFetch->>APIServer: Fetch TLSProfileSpec
    APIServer-->>TLSFetch: Return TLS profile or fallback
    TLSFetch->>TLSFetch: Build TLS config
    TLSFetch-->>Startup: Return profile & config
    Startup->>Watcher: setupTLSProfileWatcher()
    Watcher->>APIServer: Watch config.openshift.io/apiservers
    Startup->>Manager: Start manager with context
    Manager-->>Startup: Manager running
    APIServer->>Watcher: TLS profile changed
    Watcher->>Context: Cancel context
    Context->>Manager: Context cancelled
    Manager->>Startup: Manager stops for reload

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	No Ginkgo test files were found in the repository, and no tests were added in this PR. The repository contains test dependencies but has not implemented Ginkgo test suites.	Clarify whether tests should exist for the new TLS profile functions. If tests are required, add Ginkgo test cases following the specified quality criteria.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Support centralized TLS security profile configuration' accurately reflects the main objective of the pull request, which adds support for OpenShift's centralized TLS security profile feature.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo test files were modified or added in this PR, making the stable test names check not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/RHsyseng/operator-utils@v1.4.13: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/coreos/go-systemd@v0.0.0-20191104093116-d3cd4ed1dbcf: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/coreos/ignition@v0.35.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/coreos/ignition/v2@v2.26.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/docker/go-units@v0.5.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/go-logr/stdr@v1.2.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/google/go-cmp@v0.7.0

... [truncated 19339 characters] ...

is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/legacy-cloud-providers: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/metrics: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/mount-utils: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/pod-security-admission: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tk8s.io/sample-apiserver: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\tgithub.com/onsi/ginkgo/v2: is replaced in go.mod, but not marked as replaced in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jmencak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jmencak]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jmencak]

/retest

[openshift-ci]

@jmencak: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@jmencak: An error was encountered searching for bug PSAP-2185 on the Jira server at https://issues.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

Add support for the OpenShift centralized TLS security profile feature, allowing the operator to dynamically configure its webhook and metrics servers based on the cluster's APIServer TLS settings.

The operator now:

• Fetches the TLS security profile from the cluster's APIServer resource at startup
• Applies the TLS configuration to both the webhook and metrics servers
• Watches for changes to the APIServer TLS profile and gracefully restarts to apply updates

This ensures the operator respects cluster-wide TLS policy for all its server endpoints.

The implementation works for both classic OpenShift clusters and HyperShift hosted clusters. In HyperShift mode, the operator fetches the TLS profile from the hosted cluster's APIServer.

Changes:

• Import controller-runtime-common library for TLS profile utilities.
• Add SecurityProfileWatcher controller to monitor APIServer changes.
• Update RBAC to allow access to "config.openshift.io/apiservers".
• Configure metrics/webhook servers with central TLS settings.
• Add fallback to default profile on errors.

Resolves: PSAP-2185; also see: OCPSTRAT-2611

Summary by CodeRabbit

• New Features

• Operator now supports dynamic TLS profile management with graceful reloads when profiles change.

• Chores

• Updated test framework to v2.28.1.

• Added new controller-runtime utilities dependency.

• Enhanced RBAC permissions for API server configuration access.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jmencak]

/jira refresh

[openshift-ci-robot]

@jmencak: An error was encountered searching for bug PSAP-2185 on the Jira server at https://issues.redhat.com. No known errors were detected, please see the full error message for details.

Full error message.

request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jmencak: The referenced Jira(s) [PSAP-2185] could not be located, all automatically applied jira labels will be removed.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jmencak]

@yanirq / @MarSik PTAL, this is an important 4.22 item. Thank you!

[yanirq]

/cc @swatisehgal @shajmakh PTAL as well

[openshift-ci]

@yanirq: GitHub didn't allow me to request PR reviews from the following users: PTAL, as, well.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @swatisehgal @shajmakh PTAL as well

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.