
STOR-2954: Inject TLS from CVO to operators, update hypershift TLS based on CVO#712

Open
dfajmon wants to merge 3 commits into
openshift:mainfrom
dfajmon:STOR-2954-tls-compliance

Conversation

@dfajmon dfajmon commented Jun 12, 2026

Contributor

Summary by CodeRabbit

Release Notes

  • New Features
    • Added operator configuration management for CSI drivers (AWS EBS, Azure Disk, Azure File, GCP PD, IBM VPC Block, OpenStack Cinder, OpenStack Manila, PowerVS Block, vSphere).
    • Enabled TLS security profile management for HyperShift deployments.
    • Added support for dynamic operator configuration reloads.
    • Exposed metrics endpoints for CSI driver operators.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 12, 2026
openshift-ci-robot commented Jun 12, 2026

Contributor

@dfajmon: This pull request references STOR-2594 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "5.0." or "openshift-5.0.", but it targets "openshift-4.21" instead.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 12, 2026
openshift-ci Bot commented Jun 12, 2026

Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai Bot commented Jun 12, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds a GenericOperatorConfig ConfigMap asset for each CSI driver operator (aws-ebs, azure-disk, azure-file, gcp-pd, ibm-vpc-block, openstack-cinder, openstack-manila, powervs-block, vsphere). Extends CSIOperatorConfig with MgmtOperatorConfigAsset, wires both asset fields in all driver clients, updates every deployment manifest to mount and consume the config, and implements TLS profile reconciliation into those ConfigMaps for standalone (via cluster APIServer) and HyperShift (via HostedControlPlane) controllers.

Changes

CSI Operator ConfigMap TLS injection

Layer: CSIOperatorConfig type and per-driver asset wiring
Files: pkg/operator/csidriveroperator/csioperatorclient/types.go, pkg/operator/csidriveroperator/csioperatorclient/aws.go, pkg/operator/csidriveroperator/csioperatorclient/azure-disk.go, pkg/operator/csidriveroperator/csioperatorclient/azure-file.go, pkg/operator/csidriveroperator/csioperatorclient/gcp-pd.go, pkg/operator/csidriveroperator/csioperatorclient/ibm-vpc-block.go, pkg/operator/csidriveroperator/csioperatorclient/cinder.go, pkg/operator/csidriveroperator/csioperatorclient/manila.go, pkg/operator/csidriveroperator/csioperatorclient/powervs-block.go, pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
Summary: CSIOperatorConfig gains MgmtOperatorConfigAsset; every driver's Get*Config function sets StandaloneOperatorConfigAsset and (where applicable) MgmtOperatorConfigAsset to the corresponding generated ConfigMap YAML paths.

Layer: GenericOperatorConfig ConfigMap manifests and kustomizations
Files: assets/csidriveroperators/*/03_configmap.yaml, assets/csidriveroperators/*/kustomization.yaml, assets/csidriveroperators/openstack-cinder/hypershift/mgmt/kustomization.yaml, assets/csidriveroperators/openstack-manila/hypershift/mgmt/kustomization.yaml
Summary: Adds 03_configmap.yaml for every driver embedding a minimal GenericOperatorConfig stub; registers each in the corresponding kustomization.yaml; adds JSON6902 patches in HyperShift mgmt kustomizations for cinder and manila to remove the storage.openshift.io/remove-from annotation.

Layer: Deployment manifest updates across all drivers
Files: assets/csidriveroperators/aws-ebs/base/09_deployment.yaml, assets/csidriveroperators/azure-disk/base/08_deployment.yaml, assets/csidriveroperators/azure-file/base/08_deployment.yaml, assets/csidriveroperators/gcp-pd/07_deployment.yaml, assets/csidriveroperators/ibm-vpc-block/08_deployment.yaml, assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml, assets/csidriveroperators/openstack-manila/base/07_deployment.yaml, assets/csidriveroperators/powervs-block/..., assets/csidriveroperators/vsphere/08_deployment.yaml
Summary: All operator Deployment manifests add --config and --terminate-on-files args pointing to /var/run/configmaps/config/config.yaml, expose a metrics port on 8443, and mount the operator-config ConfigMap volume at /var/run/configmaps/config.

Layer: Standalone deployment controller TLS reconciliation
Files: pkg/operator/csidriveroperator/deploymentcontroller.go
Summary: Adds apiServerLister to CommonCSIDeploymentController, wires the APIServers informer, and in Sync calls reconcileOperatorConfigMap when StandaloneOperatorConfigAsset is set. reconcileOperatorConfigMap reads the asset, derives TLS settings from the cluster APIServer TLS security profile (with Intermediate fallback), marshals a GenericOperatorConfig, and applies the ConfigMap.

Layer: HyperShift controller TLS reconciliation and tests
Files: pkg/operator/csidriveroperator/hypershift_deployment_controller.go, pkg/operator/csidriveroperator/hypershift_deployment_controller_test.go
Summary: Sync conditionally calls reconcileOperatorConfigMap when MgmtOperatorConfigAsset is set; tlsSettingsFromHCP extracts the TLS profile from the HostedControlPlane (custom, named, or Intermediate default) and converts OpenSSL cipher names to IANA names. TestTLSSettingsFromHCP covers the empty, intermediate, modern, custom, and unknown profile cases.

Layer: HyperShift starter metrics call
Files: pkg/operator/operator_starter.go
Summary: Adds a metrics.CountStorageClasses call before VAC mismatch metrics initialization in HyperShiftStarter.StartOperator.

Sequence Diagram(s)

sequenceDiagram
  rect rgba(70, 130, 180, 0.5)
    note over DeploymentController,ConfigMap: Standalone mode
    DeploymentController->>APIServerLister: Get("cluster") for TLS profile
    APIServerLister-->>DeploymentController: APIServer (or empty fallback)
    DeploymentController->>DeploymentController: tlsSettingsFromAPIServer (Intermediate default)
    DeploymentController->>DeploymentController: marshal GenericOperatorConfig YAML
    DeploymentController->>ConfigMap: Apply cm.Data["config.yaml"]
  end
  rect rgba(60, 179, 113, 0.5)
    note over HyperShiftController,MgmtConfigMap: HyperShift mode
    HyperShiftController->>HostedControlPlane: Get HCP unstructured
    HostedControlPlane-->>HyperShiftController: HCP (or empty on error)
    HyperShiftController->>HyperShiftController: tlsSettingsFromHCP (OpenSSL→IANA, Intermediate default)
    HyperShiftController->>HyperShiftController: marshal GenericOperatorConfig YAML
    HyperShiftController->>MgmtConfigMap: Apply cm.Data["config.yaml"]
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

  • gnufied
  • stephenfin
🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

  • Docstring Coverage ⚠️ Warning
    Explanation: Docstring coverage is 12.50% which is insufficient. The required threshold is 80.00%.
    Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Test Structure And Quality ⚠️ Warning
    Explanation: Test assertions lack meaningful failure messages. Lines 95-97 use assert.NoError(), assert.Equal() without descriptive messages. Custom check requires messages like 'failed to parse TLS settings fr...
    Resolution: Add descriptive messages to all assertions (e.g., assert.NoError(t, err, "failed to parse HCP TLS settings") and assert.Equal(t, want, got, "TLS version mismatch")).

✅ Passed checks (13 passed)

  • Description Check: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: The title clearly and specifically describes the main change: injecting TLS configuration from the Cluster Version Operator to CSI drivers and updating TLS handling in HyperShift environments.
  • Linked Issues check: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: All test names in the PR are stable and deterministic. The new TestTLSSettingsFromHCP test uses standard Go testing with hardcoded, descriptive test case names that never change between runs.
  • Microshift Test Compatibility: No Ginkgo e2e tests are added in this PR. The only new tests added are standard Go unit tests using the testing package (TestTLSSettingsFromHCP), which are not subject to this MicroShift compatibil...
  • Single Node Openshift (Sno) Test Compatibility: This PR does not add any Ginkgo e2e tests. The only new test file added is hypershift_deployment_controller_test.go, which uses standard Go unit testing with the testing package and testify ass...
  • Topology-Aware Scheduling Compatibility: PR introduces no new topology-breaking scheduling constraints. All deployments use 1 replica (compatible with all topologies). The controller includes topology-aware logic that clears control-plane...
  • Ote Binary Stdout Contract: No OTE Binary Stdout Contract violations found. All logging uses k8s.io/klog/v2 (stderr), no fmt.Print to stdout, and all logging calls are inside method bodies, not process-level code.
  • Ipv6 And Disconnected Network Test Compatibility: No new Ginkgo e2e tests were added in this PR. The only new test is TestTLSSettingsFromHCP, a standard Go unit test with no networking assumptions or external connectivity requirements.
  • No-Weak-Crypto: PR does not use weak crypto algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB). Only usage is github.com/openshift/library-go/pkg/crypto.OpenSSLToIANACipherSuites for cipher name conversion; no...
  • Container-Privileges: All 10 modified deployment manifests have secure security contexts without privileged: true, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation: true. All enforce non-root, dropped capabil...
  • No-Sensitive-Data-In-Logs: No sensitive data exposure in logs. All logging statements in modified files (hypershift_deployment_controller.go, deploymentcontroller.go) only log safe, non-sensitive data: sync lifecycle message...

@dfajmon dfajmon changed the title STOR-2594: Inject TLS from CVO to operators, update hypershift TLS based on CVO STOR-2954: Inject TLS from CVO to operators, update hypershift TLS based on CVO Jun 12, 2026
openshift-ci-robot commented Jun 12, 2026

Contributor

@dfajmon: This pull request references STOR-2954 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci Bot commented Jun 12, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dfajmon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 12, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml (1)

29-99: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin the restricted security context in the HyperShift overlay.

This management-cluster deployment still relies on ambient SCC defaults, while assets/csidriveroperators/powervs-block/standalone/06_deployment.yaml explicitly sets readOnlyRootFilesystem, allowPrivilegeEscalation: false, capabilities.drop: [ALL], runAsNonRoot, and seccompProfile. That leaves the HyperShift variant with weaker manifest-level guarantees for the same operator.

As per coding guidelines, Kubernetes manifests should set securityContext: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, and Drop ALL capabilities, add only what is required.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml`
around lines 29 - 99, The HyperShift management deployment is missing the
restricted container securityContext present in the standalone variant; update
the container named powervs-block-csi-driver-operator (and optionally the pod
spec) to set container.securityContext with readOnlyRootFilesystem: true,
allowPrivilegeEscalation: false, runAsNonRoot: true (and a non-zero runAsUser if
used in standalone), capabilities.drop: ["ALL"], and seccompProfile: { type:
"RuntimeDefault" } so the HyperShift overlay matches the hardened manifest-level
guarantees in the standalone/06_deployment.yaml.

Sources: Coding guidelines, Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml`:
- Around line 81-84: The pod template for the Deployment that adds the new
containerPort 8443 (named metrics) must include the network-policy label
openshift.storage.network-policy.operator-metrics-range: allow so the metrics
endpoint is scrappable; edit the Deployment resource (the podTemplateSpec for
the openstack-cinder-csi-driver-operator deployment) and add that label under
metadata.labels in the spec.template section to match the other operators that
expose metrics.

In `@pkg/operator/csidriveroperator/hypershift_deployment_controller.go`:
- Around line 258-286: tlsSettingsFromHCP currently defaults empty or
unrecognized TLS profile types to Modern (TLS 1.3) which contradicts the
fallback behavior in getHostedControlPlaneTLSSettings; update tlsSettingsFromHCP
so that when profileType is empty it sets pt =
configv1.TLSProfileIntermediateType and when profileSpec lookup fails (ok ==
false or profileSpec == nil) it falls back to
configv1.TLSProfiles[configv1.TLSProfileIntermediateType] instead of Modern;
ensure you only change the defaulting logic inside tlsSettingsFromHCP
(references: getHostedControlPlaneTLSSettings and tlsSettingsFromHCP) so tests
expecting Intermediate become correct.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 737cfc09-102c-4580-9bb4-134faa48d093

📥 Commits

Reviewing files that changed from the base of the PR and between 1e36024 and ed53370.

⛔ Files ignored due to path filters (21)
  • assets/csidriveroperators/aws-ebs/hypershift/mgmt/generated/apps_v1_deployment_aws-ebs-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/aws-ebs/hypershift/mgmt/generated/v1_configmap_aws-ebs-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/aws-ebs/standalone/generated/apps_v1_deployment_aws-ebs-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/aws-ebs/standalone/generated/v1_configmap_aws-ebs-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-disk/hypershift/mgmt/generated/apps_v1_deployment_azure-disk-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-disk/hypershift/mgmt/generated/v1_configmap_azure-disk-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-disk/standalone/generated/apps_v1_deployment_azure-disk-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-disk/standalone/generated/v1_configmap_azure-disk-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-file/hypershift/mgmt/generated/apps_v1_deployment_azure-file-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-file/hypershift/mgmt/generated/v1_configmap_azure-file-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-file/standalone/generated/apps_v1_deployment_azure-file-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-file/standalone/generated/v1_configmap_azure-file-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-cinder/hypershift/mgmt/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-cinder/hypershift/mgmt/generated/v1_configmap_openstack-cinder-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-cinder/standalone/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-cinder/standalone/generated/v1_configmap_openstack-cinder-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/hypershift/guest/generated/default_operator.openshift.io_v1_clustercsidriver_manila.csi.openstack.org.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/apps_v1_deployment_manila-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/v1_configmap_manila-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/standalone/generated/openshift-cluster-csi-drivers_apps_v1_deployment_manila-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/standalone/generated/openshift-cluster-csi-drivers_v1_configmap_manila-csi-driver-operator-config.yaml is excluded by !**/generated/**
📒 Files selected for processing (38)
  • assets/csidriveroperators/aws-ebs/base/03_configmap.yaml
  • assets/csidriveroperators/aws-ebs/base/09_deployment.yaml
  • assets/csidriveroperators/aws-ebs/base/kustomization.yaml
  • assets/csidriveroperators/azure-disk/base/03_configmap.yaml
  • assets/csidriveroperators/azure-disk/base/08_deployment.yaml
  • assets/csidriveroperators/azure-disk/base/kustomization.yaml
  • assets/csidriveroperators/azure-file/base/03_configmap.yaml
  • assets/csidriveroperators/azure-file/base/08_deployment.yaml
  • assets/csidriveroperators/azure-file/base/kustomization.yaml
  • assets/csidriveroperators/gcp-pd/03_configmap.yaml
  • assets/csidriveroperators/gcp-pd/07_deployment.yaml
  • assets/csidriveroperators/ibm-vpc-block/03_configmap.yaml
  • assets/csidriveroperators/ibm-vpc-block/08_deployment.yaml
  • assets/csidriveroperators/openstack-cinder/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml
  • assets/csidriveroperators/openstack-cinder/base/kustomization.yaml
  • assets/csidriveroperators/openstack-manila/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-manila/base/07_deployment.yaml
  • assets/csidriveroperators/openstack-manila/base/kustomization.yaml
  • assets/csidriveroperators/powervs-block/hypershift/mgmt/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml
  • assets/csidriveroperators/powervs-block/standalone/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/standalone/06_deployment.yaml
  • assets/csidriveroperators/vsphere/03_configmap.yaml
  • assets/csidriveroperators/vsphere/08_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/aws.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-disk.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-file.go
  • pkg/operator/csidriveroperator/csioperatorclient/cinder.go
  • pkg/operator/csidriveroperator/csioperatorclient/gcp-pd.go
  • pkg/operator/csidriveroperator/csioperatorclient/ibm-vpc-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/manila.go
  • pkg/operator/csidriveroperator/csioperatorclient/powervs-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/types.go
  • pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller_test.go
  • pkg/operator/operator_starter.go

Comment on lines +81 to +84

        ports:
          - containerPort: 8443
            name: metrics
            protocol: TCP

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add the metrics NetworkPolicy allow-label with the new 8443 listener.

This deployment now exposes the metrics port, but unlike gcp-pd and ibm-vpc-block in the same PR, its pod template still lacks openshift.storage.network-policy.operator-metrics-range: allow. That leaves openstack-cinder-csi-driver-operator as the outlier and can block scraping of the new endpoint.

💡 Suggested fix
       labels:
         name: openstack-cinder-csi-driver-operator
+        openshift.storage.network-policy.operator-metrics-range: allow
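Review bot: the context lines `labels:` / `name: openstack-cinder-csi-driver-operator` occur under both `spec.selector.matchLabels` and `spec.template.metadata.labels` in a Deployment, and the hunk does not show which of the two it patches; the new `openshift.storage.network-policy.operator-metrics-range: allow` line must go only under `spec.template.metadata.labels`, as the prompt text below says, because `spec.selector` is immutable on apps/v1 Deployments and an apply that adds a key there is rejected. It is also worth confirming that a NetworkPolicy in the namespace actually selects on that label, since the page only states that gcp-pd and ibm-vpc-block carry it; if nothing selects on it the label is inert and the scrape stays blocked.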
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml` around
lines 81 - 84, The pod template for the Deployment that adds the new
containerPort 8443 (named metrics) must include the network-policy label
openshift.storage.network-policy.operator-metrics-range: allow so the metrics
endpoint is scrappable; edit the Deployment resource (the podTemplateSpec for
the openstack-cinder-csi-driver-operator deployment) and add that label under
metadata.labels in the spec.template section to match the other operators that
expose metrics.

Comment thread pkg/operator/csidriveroperator/hypershift_deployment_controller.go Outdated
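The profile resolution that the walkthrough describes for tlsSettingsFromHCP, and that the inline comment on hypershift_deployment_controller.go asks to default to Intermediate instead of Modern, written out as an added, self-contained Go example. This is not the PR's code and not library-go's: the profile contents are modelled on the Mozilla-derived OpenShift profiles, the OpenSSL-to-IANA table is a constructed subset of what library-go's crypto.OpenSSLToIANACipherSuites covers in full, and the type and function names (TLSProfile, Settings, tlsSettingsFromProfile, ianaNames, toTLSConfig) are this example's own. It goes one step past the page by also resolving the IANA names against Go's crypto/tls table, which surfaces the suites (the DHE ones in Intermediate) that a Go server cannot honour and would otherwise drop silently.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// TLSProfile models one OpenShift TLS security profile as the APIServer and
// HostedControlPlane specs carry it: a minimum protocol version plus a cipher
// list in OpenSSL naming. Assumption: contents modelled on the Mozilla-derived
// OpenShift profiles, not copied from the repository.
type TLSProfile struct {
	MinTLSVersion string   // "VersionTLS12" or "VersionTLS13"
	Ciphers       []string // OpenSSL names; TLS 1.3 suites already use IANA-style names
}

var profiles = map[string]TLSProfile{
	"Intermediate": {
		MinTLSVersion: "VersionTLS12",
		Ciphers: []string{
			"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
			"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
			"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
			"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
			"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
		},
	},
	"Modern": {
		MinTLSVersion: "VersionTLS13",
		Ciphers:       []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"},
	},
}

// opensslToIANA is a constructed subset of the OpenSSL -> IANA cipher name
// table; library-go's crypto.OpenSSLToIANACipherSuites implements the full one.
var opensslToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	"DHE-RSA-AES128-GCM-SHA256":     "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
	"DHE-RSA-AES256-GCM-SHA384":     "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}

// Settings is the shape that ends up in the operator's config.yaml ConfigMap.
type Settings struct {
	MinTLSVersion string
	CipherSuites  []string // IANA names
}

// tlsSettingsFromProfile resolves a profile reference the way the review asks
// tlsSettingsFromHCP to: an empty or unrecognised type falls back to
// Intermediate (not Modern); Custom uses the caller-supplied spec, and a Custom
// reference without a spec also falls back to Intermediate.
func tlsSettingsFromProfile(profileType string, custom *TLSProfile) Settings {
	p := profiles["Intermediate"] // fallback for "", unknown types, and Custom without a spec
	if profileType == "Custom" {
		if custom != nil {
			p = *custom
		}
	} else if named, ok := profiles[profileType]; ok {
		p = named
	}
	return Settings{MinTLSVersion: p.MinTLSVersion, CipherSuites: ianaNames(p.Ciphers)}
}

// ianaNames converts OpenSSL cipher names to IANA names, passing TLS 1.3 suites
// (which have no OpenSSL-style alias) through and skipping names it cannot map.
func ianaNames(openssl []string) []string {
	out := make([]string, 0, len(openssl))
	for _, c := range openssl {
		if strings.HasPrefix(c, "TLS_") {
			out = append(out, c)
		} else if iana, ok := opensslToIANA[c]; ok {
			out = append(out, iana)
		}
	}
	return out
}

// toTLSConfig shows what the serving side does with the settings: it resolves
// the IANA names against Go's crypto/tls suite table and reports the names Go
// does not implement, so a profile that silently loses suites is visible.
func toTLSConfig(s Settings) (*tls.Config, []string) {
	known := make(map[string]uint16)
	for _, cs := range tls.CipherSuites() {
		known[cs.Name] = cs.ID
	}
	var ids []uint16
	var unsupported []string
	for _, name := range s.CipherSuites {
		if id, ok := known[name]; ok {
			ids = append(ids, id)
		} else {
			unsupported = append(unsupported, name)
		}
	}
	minVer := uint16(tls.VersionTLS12)
	if s.MinTLSVersion == "VersionTLS13" {
		minVer = tls.VersionTLS13
	}
	return &tls.Config{MinVersion: minVer, CipherSuites: ids}, unsupported
}

func main() {
	custom := &TLSProfile{MinTLSVersion: "VersionTLS12", Ciphers: []string{"ECDHE-RSA-AES256-GCM-SHA384"}}
	for _, pt := range []string{"", "Intermediate", "Modern", "NoSuchProfile", "Custom"} {
		s := tlsSettingsFromProfile(pt, custom)
		cfg, dropped := toTLSConfig(s)
		fmt.Printf("profile %q -> %s, %d suites usable, dropped %v, MinVersion 0x%04x\n",
			pt, s.MinTLSVersion, len(cfg.CipherSuites), dropped, cfg.MinVersion)
	}
}
```

Running it shows the empty and unknown cases landing on Intermediate with TLS 1.2, Modern on TLS 1.3, and the two DHE suites of Intermediate reported as unsupported by Go's TLS stack; that last list is what a unit test like TestTLSSettingsFromHCP should pin down in addition to the version, so a profile change cannot quietly narrow the cipher set.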
@dfajmon dfajmon force-pushed the STOR-2954-tls-compliance branch from ed53370 to 9473ccf Compare June 15, 2026 14:27
@dfajmon dfajmon marked this pull request as ready for review June 15, 2026 14:28
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 15, 2026
@openshift-ci openshift-ci Bot requested review from mandre and stephenfin June 15, 2026 14:28
@dfajmon dfajmon force-pushed the STOR-2954-tls-compliance branch from 9473ccf to 55a8b32 Compare June 15, 2026 15:23

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml (2)

64-67: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set CPU/memory limits for the operator container.

Line 64 currently sets only requests. Missing limits can allow noisy-neighbor behavior and reduce scheduling/runtime predictability on management clusters.

Suggested patch
           resources:
             requests:
               memory: 50Mi
               cpu: 10m
+            limits:
+              memory: 250Mi
+              cpu: 200m
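Review bot: the added `limits` values `memory: 250Mi` and `cpu: 200m` are not derived from anything visible in the comment. Before adopting them, check the operator's observed usage: a memory limit that is too tight gets the operator OOM-killed on every reconcile spike, and a CPU limit throttles its informers and sync loop rather than merely deprioritising them, which shows up as slow ConfigMap and Deployment reconciliation. If limits are adopted here, the other driver deployments this PR touches should receive the same values, or the difference should be documented in the manifest.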

As per coding guidelines, every container in Kubernetes/OpenShift manifests should define CPU and memory resource limits.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml`
around lines 64 - 67, The resources section for the operator container currently
defines only requests for memory and cpu, but is missing the corresponding
limits. Add a limits subsection under resources that specifies both cpu and
memory limits (in addition to the existing requests) to prevent noisy-neighbor
behavior and ensure predictable scheduling and runtime behavior on management
clusters, as required by the coding guidelines for Kubernetes/OpenShift
manifests.

Source: Coding guidelines


29-79: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden pod/container securityContext before merge.

Line 29 onward defines the operator container without explicit allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, dropped capabilities, and runAsNonRoot at pod level. This leaves a weaker security baseline than the other driver deployments.

Suggested patch
       containers:
         - args:
@@
           resources:
             requests:
               memory: 50Mi
               cpu: 10m
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
@@
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       priorityClassName: hypershift-control-plane
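Review bot: `runAsNonRoot: true` is added at the pod level without a `runAsUser`; the kubelet refuses to start a container under that setting unless the image specifies a numeric non-root USER, and the earlier comment on this file (lines 29-99) asked for a non-zero `runAsUser` for exactly that reason, so either set it or verify the image's USER directive. `readOnlyRootFilesystem: true` also needs a check that the operator only writes under mounted volumes such as `/var/run/configmaps/config`; anything written elsewhere makes the pod crash-loop after this patch. Finally, the `seccompProfile` that the first suggestion placed on the container moved to the pod spec here, which is fine because containers inherit it, but the two suggestions for this file should be reconciled into one patch.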

As per coding guidelines, Kubernetes/OpenShift manifests must enforce securityContext hardening (runAsNonRoot, allowPrivilegeEscalation: false, and least-privilege capability posture).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml`
around lines 29 - 79, The container specification for
powervs-block-csi-driver-operator in the deployment lacks required security
hardening. Add a securityContext block at the pod spec level (before containers)
with runAsNonRoot set to true, and add a securityContext block within the
powervs-block-csi-driver-operator container specification with
allowPrivilegeEscalation set to false, readOnlyRootFilesystem set to true, and
capabilities drop set to ALL. This ensures the container runs with non-root
privileges, prevents privilege escalation, uses a read-only root filesystem, and
drops all unnecessary capabilities in alignment with security hardening
standards.

Sources: Coding guidelines, Linters/SAST tools

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f694e5e1-4423-45b6-8f67-157b8e6babb3

📥 Commits

Reviewing files that changed from the base of the PR and between 9473ccf and 55a8b32.

⛔ Files ignored due to path filters (25)
  • assets/csidriveroperators/aws-ebs/hypershift/mgmt/generated/apps_v1_deployment_aws-ebs-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/aws-ebs/hypershift/mgmt/generated/v1_configmap_aws-ebs-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/aws-ebs/standalone/generated/apps_v1_deployment_aws-ebs-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/aws-ebs/standalone/generated/v1_configmap_aws-ebs-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-disk/hypershift/mgmt/generated/apps_v1_deployment_azure-disk-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-disk/hypershift/mgmt/generated/v1_configmap_azure-disk-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-disk/standalone/generated/apps_v1_deployment_azure-disk-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-disk/standalone/generated/v1_configmap_azure-disk-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-file/hypershift/mgmt/generated/apps_v1_deployment_azure-file-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-file/hypershift/mgmt/generated/v1_configmap_azure-file-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-file/standalone/generated/apps_v1_deployment_azure-file-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-file/standalone/generated/v1_configmap_azure-file-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-cinder/hypershift/mgmt/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-cinder/hypershift/mgmt/generated/v1_configmap_openstack-cinder-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-cinder/hypershift/mgmt/generated/v1_service_openstack-cinder-csi-driver-operator-metrics.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-cinder/standalone/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-cinder/standalone/generated/v1_configmap_openstack-cinder-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/apps_v1_deployment_manila-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/rbac.authorization.k8s.io_v1_role_manila-csi-driver-operator-role.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/rbac.authorization.k8s.io_v1_rolebinding_manila-csi-driver-operator-rolebinding.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/v1_configmap_manila-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/v1_service_manila-csi-driver-operator-metrics.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/v1_serviceaccount_manila-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/standalone/generated/openshift-cluster-csi-drivers_apps_v1_deployment_manila-csi-driver-operator.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/standalone/generated/openshift-cluster-csi-drivers_v1_configmap_manila-csi-driver-operator-config.yaml is excluded by !**/generated/**
📒 Files selected for processing (43)
  • assets/csidriveroperators/aws-ebs/base/03_configmap.yaml
  • assets/csidriveroperators/aws-ebs/base/09_deployment.yaml
  • assets/csidriveroperators/aws-ebs/base/kustomization.yaml
  • assets/csidriveroperators/aws-ebs/hypershift/mgmt/kustomization.yaml
  • assets/csidriveroperators/azure-disk/base/03_configmap.yaml
  • assets/csidriveroperators/azure-disk/base/08_deployment.yaml
  • assets/csidriveroperators/azure-disk/base/kustomization.yaml
  • assets/csidriveroperators/azure-disk/hypershift/mgmt/kustomization.yaml
  • assets/csidriveroperators/azure-file/base/03_configmap.yaml
  • assets/csidriveroperators/azure-file/base/08_deployment.yaml
  • assets/csidriveroperators/azure-file/base/kustomization.yaml
  • assets/csidriveroperators/azure-file/hypershift/mgmt/kustomization.yaml
  • assets/csidriveroperators/gcp-pd/03_configmap.yaml
  • assets/csidriveroperators/gcp-pd/07_deployment.yaml
  • assets/csidriveroperators/ibm-vpc-block/03_configmap.yaml
  • assets/csidriveroperators/ibm-vpc-block/08_deployment.yaml
  • assets/csidriveroperators/openstack-cinder/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml
  • assets/csidriveroperators/openstack-cinder/base/kustomization.yaml
  • assets/csidriveroperators/openstack-cinder/hypershift/mgmt/kustomization.yaml
  • assets/csidriveroperators/openstack-manila/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-manila/base/07_deployment.yaml
  • assets/csidriveroperators/openstack-manila/base/kustomization.yaml
  • assets/csidriveroperators/openstack-manila/hypershift/mgmt/kustomization.yaml
  • assets/csidriveroperators/powervs-block/hypershift/mgmt/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/hypershift/mgmt/06_deployment.yaml
  • assets/csidriveroperators/powervs-block/standalone/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/standalone/06_deployment.yaml
  • assets/csidriveroperators/vsphere/03_configmap.yaml
  • assets/csidriveroperators/vsphere/08_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/aws.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-disk.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-file.go
  • pkg/operator/csidriveroperator/csioperatorclient/cinder.go
  • pkg/operator/csidriveroperator/csioperatorclient/gcp-pd.go
  • pkg/operator/csidriveroperator/csioperatorclient/ibm-vpc-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/manila.go
  • pkg/operator/csidriveroperator/csioperatorclient/powervs-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/types.go
  • pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller_test.go
  • pkg/operator/operator_starter.go
✅ Files skipped from review due to trivial changes (10)
  • assets/csidriveroperators/aws-ebs/base/kustomization.yaml
  • assets/csidriveroperators/vsphere/03_configmap.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/gcp-pd.go
  • assets/csidriveroperators/openstack-manila/base/kustomization.yaml
  • assets/csidriveroperators/openstack-cinder/base/kustomization.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
  • assets/csidriveroperators/openstack-manila/base/03_configmap.yaml
  • pkg/operator/operator_starter.go
  • assets/csidriveroperators/azure-file/base/kustomization.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/azure-file.go
🚧 Files skipped from review as they are similar to previous changes (25)
  • assets/csidriveroperators/openstack-cinder/base/03_configmap.yaml
  • assets/csidriveroperators/azure-file/base/03_configmap.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/ibm-vpc-block.go
  • assets/csidriveroperators/azure-disk/base/kustomization.yaml
  • assets/csidriveroperators/ibm-vpc-block/03_configmap.yaml
  • assets/csidriveroperators/aws-ebs/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/cinder.go
  • assets/csidriveroperators/ibm-vpc-block/08_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/types.go
  • assets/csidriveroperators/azure-file/base/08_deployment.yaml
  • assets/csidriveroperators/powervs-block/standalone/03_configmap.yaml
  • assets/csidriveroperators/gcp-pd/03_configmap.yaml
  • assets/csidriveroperators/azure-disk/base/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/hypershift/mgmt/03_configmap.yaml
  • assets/csidriveroperators/azure-disk/base/08_deployment.yaml
  • assets/csidriveroperators/gcp-pd/07_deployment.yaml
  • assets/csidriveroperators/openstack-manila/base/07_deployment.yaml
  • assets/csidriveroperators/vsphere/08_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/azure-disk.go
  • assets/csidriveroperators/powervs-block/standalone/06_deployment.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/aws.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller_test.go
  • pkg/operator/csidriveroperator/csioperatorclient/powervs-block.go
  • pkg/operator/csidriveroperator/hypershift_deployment_controller.go

@dfajmon

dfajmon commented Jun 16, 2026

Contributor Author

/retest

Comment on lines +71 to +74
ports:
- containerPort: 8443
name: metrics
protocol: TCP
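Review bot: adding `containerPort: 8443` named `metrics` opens nothing by itself; it is a declaration that lets the metrics Service and any NetworkPolicy reference the port by name, and the author's reply in this thread confirms the listener was already serving before the manifest mentioned it. The point to check for this hunk is whether that listener is the one the new `--config` servingInfo applies to, since the periodic TLS scanner flagged exactly this pod:port; after the change a handshake attempt below the profile's minTLSVersion (for Intermediate, TLS 1.1) against 10.129.0.49:8443 should be refused, and that is a cheaper check than waiting for the next periodic run.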

Contributor

why exactly is the port now exposed?

@dfajmon dfajmon Jun 17, 2026

Contributor Author

From my understanding, it was just missing the definition here, but the metrics are exposed anyway.
https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-tls-scanner-main-periodic-tls13-adherence/2066954802713071616

aws-ebs-csi-driver-operator-6fdf8c8694-k7l8c: [TLS Profile] 10.129.0.49:8443 - ssl/tls
{TLS Compliance Failed TLSComplianceCheck API Server TLS config is not compliant.}

@jsafrane

Contributor

Looking at azure-file-csi test results, I can see both azure-file and azure-disk did not get their TLS injected into the ConfigMap (search for azure-file-csi-driver-operator-config):

        {
            "apiVersion": "v1",
            "data": {
                "config.yaml": "apiVersion: operator.openshift.io/v1alpha1\nkind: GenericOperatorConfig\n"
            },
            "kind": "ConfigMap",
            "metadata": {
                "annotations": {
                    "config.openshift.io/inject-tls": "true",
                    "storage.openshift.io/remove-from": "guest"
                },
                "creationTimestamp": "2026-06-16T08:48:23Z",
                "name": "azure-file-csi-driver-operator-config",
                "namespace": "openshift-cluster-csi-drivers",
                "resourceVersion": "10141",
                "uid": "8707d7f8-5296-4aaa-bfeb-ab4be43d414e"
            }
        },

Is that expected? Does the feature need a feature gate?
I can see the config maps have some content on hypershift, the CM.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/operator/csidriveroperator/deploymentcontroller.go (1)

319-339: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Consider adding unit tests for the standalone TLS derivation logic.

The tlsSettingsFromAPIServer function implements critical TLS profile fallback behavior (defaulting to Intermediate for nil/empty/unknown profiles), but unit test coverage is not visible in this cohort. The HyperShift equivalent tlsSettingsFromHCP has comprehensive table-driven tests in hypershift_deployment_controller_test.go (lines 45-95 in context snippets). Adding parallel test coverage for the standalone path would improve confidence and prevent regressions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/csidriveroperator/deploymentcontroller.go` around lines 319 -
339, Add unit test coverage for the tlsSettingsFromAPIServer function following
the table-driven test pattern used in the existing tlsSettingsFromHCP tests.
Create tests that verify the fallback behavior to the Intermediate profile when
the TLSSecurityProfile is nil, empty, or invalid, as well as tests for custom
profiles and predefined profile types to ensure the function correctly handles
all conditional branches and returns appropriate TLS versions and cipher suites.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/csidriveroperator/deploymentcontroller.go`:
- Around line 210-215: The condition checking
`c.csiOperatorConfig.StandaloneOperatorConfigAsset` before calling
`c.reconcileOperatorConfigMap(ctx)` prevents TLS config injection for six of
nine CSI drivers because their StandaloneOperatorConfigAsset field is not set.
Populate the StandaloneOperatorConfigAsset configuration field for the missing
drivers (aws, azure-disk, azure-file, cinder, manila, and powervs-block) to
match the implementation of the three drivers that already have it set (gcp-pd,
ibm-vpc-block, and vsphere), ensuring reconcileOperatorConfigMap is called for
all drivers to properly inject TLS configuration.

---

Nitpick comments:
In `@pkg/operator/csidriveroperator/deploymentcontroller.go`:
- Around line 319-339: Add unit test coverage for the tlsSettingsFromAPIServer
function following the table-driven test pattern used in the existing
tlsSettingsFromHCP tests. Create tests that verify the fallback behavior to the
Intermediate profile when the TLSSecurityProfile is nil, empty, or invalid, as
well as tests for custom profiles and predefined profile types to ensure the
function correctly handles all conditional branches and returns appropriate TLS
versions and cipher suites.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: aba52edb-b6b5-4508-ae58-2a204276ef55

📥 Commits

Reviewing files that changed from the base of the PR and between 55a8b32 and 9d96d5c.

⛔ Files ignored due to path filters (5)
  • assets/csidriveroperators/aws-ebs/standalone/generated/v1_configmap_aws-ebs-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-disk/standalone/generated/v1_configmap_azure-disk-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/azure-file/standalone/generated/v1_configmap_azure-file-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-cinder/standalone/generated/v1_configmap_openstack-cinder-csi-driver-operator-config.yaml is excluded by !**/generated/**
  • assets/csidriveroperators/openstack-manila/standalone/generated/openshift-cluster-csi-drivers_v1_configmap_manila-csi-driver-operator-config.yaml is excluded by !**/generated/**
📒 Files selected for processing (20)
  • assets/csidriveroperators/aws-ebs/base/03_configmap.yaml
  • assets/csidriveroperators/azure-disk/base/03_configmap.yaml
  • assets/csidriveroperators/azure-file/base/03_configmap.yaml
  • assets/csidriveroperators/gcp-pd/03_configmap.yaml
  • assets/csidriveroperators/ibm-vpc-block/03_configmap.yaml
  • assets/csidriveroperators/openstack-cinder/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-manila/base/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/standalone/03_configmap.yaml
  • assets/csidriveroperators/vsphere/03_configmap.yaml
  • pkg/operator/csidriveroperator/csioperatorclient/aws.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-disk.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-file.go
  • pkg/operator/csidriveroperator/csioperatorclient/cinder.go
  • pkg/operator/csidriveroperator/csioperatorclient/gcp-pd.go
  • pkg/operator/csidriveroperator/csioperatorclient/ibm-vpc-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/manila.go
  • pkg/operator/csidriveroperator/csioperatorclient/powervs-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/types.go
  • pkg/operator/csidriveroperator/csioperatorclient/vsphere.go
  • pkg/operator/csidriveroperator/deploymentcontroller.go
💤 Files with no reviewable changes (9)
  • assets/csidriveroperators/azure-disk/base/03_configmap.yaml
  • assets/csidriveroperators/vsphere/03_configmap.yaml
  • assets/csidriveroperators/azure-file/base/03_configmap.yaml
  • assets/csidriveroperators/aws-ebs/base/03_configmap.yaml
  • assets/csidriveroperators/openstack-cinder/base/03_configmap.yaml
  • assets/csidriveroperators/powervs-block/standalone/03_configmap.yaml
  • assets/csidriveroperators/ibm-vpc-block/03_configmap.yaml
  • assets/csidriveroperators/gcp-pd/03_configmap.yaml
  • assets/csidriveroperators/openstack-manila/base/03_configmap.yaml
🚧 Files skipped from review as they are similar to previous changes (5)
  • pkg/operator/csidriveroperator/csioperatorclient/azure-disk.go
  • pkg/operator/csidriveroperator/csioperatorclient/powervs-block.go
  • pkg/operator/csidriveroperator/csioperatorclient/aws.go
  • pkg/operator/csidriveroperator/csioperatorclient/azure-file.go
  • pkg/operator/csidriveroperator/csioperatorclient/types.go

Comment thread pkg/operator/csidriveroperator/deploymentcontroller.go
@dfajmon dfajmon force-pushed the STOR-2954-tls-compliance branch from 9d96d5c to 86a594e on June 22, 2026 13:02
@dfajmon dfajmon force-pushed the STOR-2954-tls-compliance branch 2 times, most recently from 078216b to beb3552 on June 29, 2026 21:39
dfajmon and others added 2 commits June 30, 2026 12:13
CSO reads TLS settings (minTLSVersion, cipherSuites) from APIServer/cluster
and writes them as a GenericOperatorConfig into each CSI driver operator's
config ConfigMap on every reconcile. Operators load this config via --config.

- Add StandaloneOperatorConfigAsset to CSIOperatorConfig (asset path for the config ConfigMap)
- Add config ConfigMap assets for all standalone CSI drivers
- Add --config arg and volume mount to all standalone operator deployment assets
- Add reconcileOperatorConfigMap() + tlsSettingsFromAPIServer() to DeploymentController
- Subscribe to APIServer informer to trigger resync on TLS profile changes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Same pattern as standalone: reads TLS settings from
HostedControlPlane.spec.configuration.apiServer.tlsSecurityProfile
and writes GenericOperatorConfig into the mgmt-cluster operator ConfigMap.

- Add MgmtOperatorConfigAsset to CSIOperatorConfig (HyperShift-capable drivers only)
- Add reconcileOperatorConfigMap() + tlsSettingsFromHCP() to HyperShiftDeploymentController
- Unit tests for tlsSettingsFromHCP covering all TLS profile types

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@dfajmon dfajmon force-pushed the STOR-2954-tls-compliance branch 3 times, most recently from 4dfab16 to c0e905d on June 30, 2026 13:49
tlsSettingsFromAPIServer and tlsSettingsFromHCP both duplicated the same
TLS profile -> minTLSVersion/cipherSuites conversion logic. Extract to:

- tlsSettingsFromProfile: shared core, defaults to Intermediate
- operatorConfigYAML: serializes GenericOperatorConfig with given TLS settings

tlsSettingsFromAPIServer and tlsSettingsFromHCP now delegate to these.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@dfajmon dfajmon force-pushed the STOR-2954-tls-compliance branch from c0e905d to 0417c73 on June 30, 2026 14:19
@dfajmon

dfajmon commented Jul 1, 2026

Contributor Author

/retest-required

Comment on lines +260 to +261
ciphers, _, _ := unstructured.NestedStringSlice(hcp.UnstructuredContent(), "spec", "configuration", "apiServer", "tlsSecurityProfile", "custom", "ciphers")
minVersion, _, _ := unstructured.NestedString(hcp.UnstructuredContent(), "spec", "configuration", "apiServer", "tlsSecurityProfile", "custom", "minTLSVersion")
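Review bot: both the `found` boolean and the error from `NestedStringSlice` / `NestedString` are thrown away here, so a HostedControlPlane with `type: Custom` but no `custom` block, or one where `ciphers` is not a string list, produces an empty cipher slice and an empty minVersion that the caller cannot distinguish from a deliberately configured custom profile. Check `found` and the error, and treat "not found" or a type mismatch as a reason to apply the Intermediate defaults with a log line (or fail the sync), rather than letting empty values flow into the operator ConfigMap.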

Contributor

Please log returned errors, just in case.

Comment on lines +243 to +247
hcp, err := c.getHostedControlPlane()
if err != nil {
klog.Warningf("Failed to get HostedControlPlane, falling back to Intermediate TLS profile: %v", err)
hcp = &unstructured.Unstructured{}
}
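Review bot: substituting an empty `Unstructured` on a lister error means a transient failure rewrites the mgmt-cluster operator ConfigMap with the Intermediate defaults on this reconcile, and on a hosted cluster configured with Modern that is a silent downgrade of minTLSVersion and ciphers until the next successful resync. Return the error from `tlsSettingsFromHCP` so the controller reports Degraded and leaves the previously written config in place, as the other reviewer suggests; `klog.Warningf` alone does not stop the write.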

Contributor

I think we should surface the error above (and into Degraded condition) instead of blindly applying the defaults.

Comment on lines +283 to +287
apiServer, err := c.apiServerLister.Get("cluster")
if err != nil {
klog.Warningf("Failed to get APIServer cluster, using Intermediate TLS profile: %v", err)
apiServer = &configv1.APIServer{}
}
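Review bot: same pattern as the HostedControlPlane path: `apiServer = &configv1.APIServer{}` turns a lister miss into an Intermediate profile that is then written to every standalone operator ConfigMap on this reconcile. `APIServer/cluster` is expected to exist on a standalone cluster, so a Get error here indicates a real fault (informer not synced, RBAC) and should be returned so the operator goes Degraded instead of changing the TLS settings the admin configured.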

Contributor

return error to the caller to Degrade the operator

@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Contributor

@dfajmon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                   Commit   Required  Rerun command
ci/prow/hypershift-e2e-aks  0417c73  false     /test hypershift-e2e-aks
ci/prow/e2e-aws-csi         0417c73  true      /test e2e-aws-csi


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.


3 participants