Skip to content

CNTRLPLANE-3423: feat: have CVO inject the centralized TLS configuration into the operator's config#359

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
ingvagabund:cvo-injected-tls-configuration
Jun 29, 2026
Merged

CNTRLPLANE-3423: feat: have CVO inject the centralized TLS configuration into the operator's config#359
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
ingvagabund:cvo-injected-tls-configuration

Conversation

@ingvagabund

@ingvagabund ingvagabund commented May 28, 2026

Copy link
Copy Markdown
Member

Also, have the operator restart whenever the config changes.

wip-docs: openshift/enhancements#2020

Summary by CodeRabbit

Summary by CodeRabbit

  • Improvements
    • Enabled TLS certificate injection for the service operator using a configuration annotation.
    • The service operator now terminates and restarts when its operator configuration files are updated, helping ensure new configuration and certificate material is applied promptly.

@coderabbitai

coderabbitai Bot commented May 28, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5625d680-e5a8-4cdc-a11a-69a00341626a

📥 Commits

Reviewing files that changed from the base of the PR and between 1a5f8e5 and 6b9cb8c.

📒 Files selected for processing (3)
  • manifests/03_cm.yaml
  • manifests/05_deploy-ibm-cloud-managed.yaml
  • manifests/05_deploy.yaml
✅ Files skipped from review due to trivial changes (1)
  • manifests/03_cm.yaml

Walkthrough

The PR adds a TLS injection annotation to the operator ConfigMap and adds a file-change termination argument to both service-ca-operator Deployment manifests.

Changes

Service-ca operator manifest updates

Layer / File(s) Summary
ConfigMap TLS injection
manifests/03_cm.yaml
service-ca-operator-config gains the config.openshift.io/inject-tls: "true" annotation.
Deployment file termination
manifests/05_deploy.yaml, manifests/05_deploy-ibm-cloud-managed.yaml
The service-ca-operator container arguments add --terminate-on-files for /var/run/configmaps/config/operator-config.yaml.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Ipv6 And Disconnected Network Test Compatibility ⚠️ Warning New Ginkgo e2e tests use registry.k8s.io/e2e-test-images/agnhost:2.45, a public image pull that breaks disconnected CI. Use a mirrored/internal agnhost image, or mark the affected e2e tests [Skipped:Disconnected] so they skip in disconnected jobs.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: enabling CVO-injected centralized TLS config in the operator config.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only changes manifests; no Ginkgo test titles were added or edited, so the naming rule is not applicable.
Test Structure And Quality ✅ Passed PR only updates manifests; no Ginkgo test files were changed, and the relevant e2e rotation helper already uses bounded polling and deferred cleanup.
Microshift Test Compatibility ✅ Passed No Ginkgo tests were added or changed; the PR only updates manifests, so MicroShift API compatibility is not implicated.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only updates manifests and operator config, so SNO test compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Touched manifests only add TLS injection and terminate-on-files; no new anti-affinity, spread, nodeSelector, or replica changes were introduced.
Ote Binary Stdout Contract ✅ Passed Only manifests changed; no main/TestMain/Ginkgo setup code or stdout writes were introduced, so the stdout contract is unaffected.
No-Weak-Crypto ✅ Passed Only manifest changes; first-party code search found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token equality checks.
Container-Privileges ✅ Passed No added privileged settings found; both deployments keep non-root, allowPrivilegeEscalation:false, and drop ALL, while the ConfigMap change is annotation-only.
No-Sensitive-Data-In-Logs ✅ Passed The PR only updates manifests to add a TLS annotation and a restart-on-config-change arg; no new logging or sensitive data exposure appears in the touched files.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@ingvagabund ingvagabund changed the title feat: have CVO inject the centralized TLS configuration into the operator's config CNTRLPLANE-3423: feat: have CVO inject the centralized TLS configuration into the operator's config May 28, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 28, 2026
@openshift-ci-robot

openshift-ci-robot commented May 28, 2026

Copy link
Copy Markdown
Contributor

@ingvagabund: This pull request references CNTRLPLANE-3423 which is a valid jira issue.

Details

In response to this:

Also, have the operator restart whenever the config changes.

Summary by CodeRabbit

  • Improvements
  • Enabled TLS certificate injection for the service operator via configuration annotation.
  • Operator now automatically restarts when configuration or TLS certificate files are updated, ensuring fresh configurations are loaded promptly.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented May 28, 2026

Copy link
Copy Markdown

Actionable comments posted: 0

@ricardomaraschini

Copy link
Copy Markdown

/approve

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 29, 2026
@ingvagabund

Copy link
Copy Markdown
Member Author

From https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_service-ca-operator/359/pull-ci-openshift-service-ca-operator-main-e2e-aws-operator/2060135376353234944/artifacts/e2e-aws-operator/gather-extra/artifacts/configmaps.json:

        {
            "apiVersion": "v1",
            "data": {
                "operator-config.yaml": "apiVersion: operator.openshift.io/v1alpha1\nkind: GenericOperatorConfig\nservingInfo:\n  cipherSuites:\n  - TLS_AES_128_GCM_SHA256\n  - TLS_AES_256_GCM_SHA384\n  - TLS_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n  minTLSVersion: VersionTLS12\n"
            },
            "kind": "ConfigMap",
            "metadata": {
                "annotations": {
                    "config.openshift.io/inject-tls": "true",
                    "include.release.openshift.io/hypershift": "true",
                    "include.release.openshift.io/ibm-cloud-managed": "true",
                    "include.release.openshift.io/self-managed-high-availability": "true",
                    "include.release.openshift.io/single-node-developer": "true"
                },
                "creationTimestamp": "2026-05-28T23:28:07Z",
                "name": "service-ca-operator-config",
                "namespace": "openshift-service-ca-operator",
                "ownerReferences": [
                    {
                        "apiVersion": "config.openshift.io/v1",
                        "controller": true,
                        "kind": "ClusterVersion",
                        "name": "version",
                        "uid": "59dc4be5-781d-49b4-bde5-5c6abb5797fc"
                    }
                ],
                "resourceVersion": "1647",
                "uid": "c87b5362-b170-4931-88db-78e3dff12236"
            }
        },

TLS injected

Comment thread manifests/05_deploy-ibm-cloud-managed.yaml Outdated
…ator's config

Also, have the operator restart whenever the config changes.
@ingvagabund ingvagabund force-pushed the cvo-injected-tls-configuration branch from 1a5f8e5 to 6b9cb8c Compare June 24, 2026 10:04
@ingvagabund

Copy link
Copy Markdown
Member Author

/retest-required

3 similar comments
@ingvagabund

Copy link
Copy Markdown
Member Author

/retest-required

@ingvagabund

Copy link
Copy Markdown
Member Author

/retest-required

@ingvagabund

Copy link
Copy Markdown
Member Author

/retest-required

@ricardomaraschini

Copy link
Copy Markdown

/retest
/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 29, 2026
@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ricardomaraschini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ingvagabund

Copy link
Copy Markdown
Member Author

/verified by CI

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 29, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@ingvagabund: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

@ingvagabund: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 6391e07 into openshift:main Jun 29, 2026
12 checks passed
@ingvagabund ingvagabund deleted the cvo-injected-tls-configuration branch June 29, 2026 12:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants