
CNTRLPLANE-3424: Document tls injection#2044

Open
vincentdephily wants to merge 2 commits into
openshift:masterfrom
vincentdephily:vdp-tls-inject

Conversation

@vincentdephily


This builds on top of #2020

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 18, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 18, 2026


@vincentdephily: This pull request references CNTRLPLANE-3424 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


In response to this:

This builds on top of #2020

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from moadz and wking June 18, 2026 11:12
@openshift-ci

openshift-ci Bot commented Jun 18, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign pavolloffay for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jun 18, 2026

Contributor

@vincentdephily: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


### How the TLS stack uses this config

Although this config gives a lot of control, operators often ignore some of te nuance. In particular, operators using the Go TLS stack (all upstream OpenShift ones) ignore the ciphersuites preference order, and with TLS 1.3 ignore the ciphersuite list completely.
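Review bot: the sentence about the Go TLS stack ignoring the ciphersuite preference order, and ignoring the list completely under TLS 1.3, is the key caveat of this section and deserves one more line of precision: state the Go version from which the order has been ignored, and spell out what does still take effect (`minTLSVersion`, and the ciphersuite set for TLS 1.2 connections only). As written, a reader may assume that a profile with a reordered or restricted list changes what a TLS 1.3 client negotiates, when the text is saying it does not.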

Member


te -> the?


### Workflow

The TLS injection is implemented as a ConfigMap modifier in the resource builder (`lib/resourcebuilder/core.go`). When the resource builder processes a ConfigMap manifest from the release image, it calls `modifyConfigMap` before applying the ConfigMap to the cluster.

Member


Private methods can drift a lot or get removed in the future, making the description less useful. It's more practical to mention the flow in an abstract way rather than referring to private symbols.


It then looks for `data` configmaps of the right kind (currently `GenericOperatorConfig` and `GenericControllerConfig`) and corresponding API version. Those `data` nodes are updated with the observed `servingInfo.minTLSVersion` and `servingInfo.cipherSuites`.

The ressourcebuilder will then apply the configmap, if it actually differs from the original one.
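Review bot: "the observed `servingInfo.minTLSVersion` and `servingInfo.cipherSuites`" in the first paragraph never says where the values are observed from; name the source (the cluster-wide TLS security profile that the Cluster configuration section links to) so a reader knows which API object to change to affect the injected values. "of the right kind ... and corresponding API version" would likewise be clearer if the accepted API version(s) were listed next to the two kinds, since a ConfigMap with the right kind but a different version is silently left untouched.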

Member


s/ressourcebuilder/resourcebuilder/

## Operator Implementations

Operators (or more generally controllers) only need to
* Be based on `library-go`:

Member


need -> strongly recommended

- Only supports `GenericOperatorConfig` and `GenericControllerConfg` formats
- Only injects `servingInfo.minTLSVersion` and `servingInfo.cipherSuites`
- Requires the operator to watch and reload its ConfigMap when it changes
- Only available for ConfigMaps in the release image (not for user-created ConfigMaps) No newline at end of file
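Review bot: `GenericControllerConfg` in the first limitation is misspelled; the Workflow section spells it `GenericControllerConfig`, and the two should match since a reader may grep for the kind name. The third limitation (the operator has to watch and reload its ConfigMap) is the one with a security consequence: until the reload happens the operator keeps serving with the previous `minTLSVersion` and `cipherSuites`, so consider saying how operators are expected to pick up the change, or state plainly that a stale operator is a known gap.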

Member


nit: release -> payload. I think mentioning "payload" keyword makes it more precise.


### Cluster configuration

See [TLS security profile](https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/security_and_compliance/tls-security-profiles) to set the cluster-wide config.

Member


s/4.21/latest (latest will get redirected to the latest version, 4.22 atm)


TLS injection occurs when applying or reconciling the configmap

1. During installation, apply the ConfigMap from the release image

Member


ditto: release -> payload
