Add TLSAdherence field to APIServer API

This adds a new TLSAdherence field to the APIServer spec that controls
how strictly TLS settings are enforced across cluster components.

- Add TLSAdherencePolicy enum with StrictAllComponents and
  LegacyExternalAPIServerComponentsOnly values
- Add CEL validation to prevent removing tlsAdherence once set
- Add TLSAdherence feature gate (enabled in DevPreview/TechPreview)
- Add integration tests for the new field

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: richardsonnick

config/v1/tests/apiservers.config.openshift.io/TLSAdherence.yaml

@@ -0,0 +1,88 @@
+apiVersion: apiextensions.k8s.io/v1
+name: "APIServer"
+crdName: apiservers.config.openshift.io
+featureGates:
+- TLSAdherence
+tests:
+  onCreate:
+    - name: Should be able to create with tlsAdherence set to LegacyExternalAPIServerComponentsOnly
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: LegacyExternalAPIServerComponentsOnly
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          tlsAdherence: LegacyExternalAPIServerComponentsOnly
+    - name: Should be able to create with tlsAdherence set to StrictAllComponents
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: StrictAllComponents
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          tlsAdherence: StrictAllComponents
+    - name: Should reject invalid tlsAdherence value
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: InvalidValue
+      expectedError: 'spec.tlsAdherence: Unsupported value: "InvalidValue": supported values: "LegacyExternalAPIServerComponentsOnly", "StrictAllComponents"'
+  onUpdate:
+    - name: Should be able to update tlsAdherence from LegacyExternalAPIServerComponentsOnly to StrictAllComponents
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: LegacyExternalAPIServerComponentsOnly
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: StrictAllComponents
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          tlsAdherence: StrictAllComponents
+    - name: Should be able to update tlsAdherence from StrictAllComponents to LegacyExternalAPIServerComponentsOnly
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: StrictAllComponents
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: LegacyExternalAPIServerComponentsOnly
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          tlsAdherence: LegacyExternalAPIServerComponentsOnly
+    - name: Should not allow removing tlsAdherence once set
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: StrictAllComponents
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec: {}
+      expectedError: "tlsAdherence may not be removed once set"

config/v1/types_apiserver.go

@@ -34,6 +34,7 @@ type APIServer struct {
 	Status APIServerStatus `json:"status"`
 }
 
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=TLSAdherence,rule="has(oldSelf.tlsAdherence) ? has(self.tlsAdherence) : true",message="tlsAdherence may not be removed once set"
 type APIServerSpec struct {
 	// servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
 	// will be used for serving secure traffic.
@@ -62,6 +63,37 @@ type APIServerSpec struct {
 	// The current default is the Intermediate profile.
 	// +optional
 	TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
+	// tlsAdherence controls which components in the cluster adhere to the TLS security profile
+	// configured on this APIServer resource.
+	//
+	// Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+	//
+	// When set to "LegacyExternalAPIServerComponentsOnly", only the externally exposed
+	// API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
+	// TLS profile. Other components continue to use their individual TLS configurations.
+	//
+	// When set to "StrictAllComponents", all components must honor the configured TLS profile
+	// unless they have a component-specific TLS configuration that overrides it.
+	// This mode is recommended for security-conscious deployments and is required for
+	// certain compliance frameworks.
+	//
+	// Note: Some components such as Kubelet and IngressController have their own dedicated TLS
+	// configuration mechanisms via KubeletConfig and IngressController CRs respectively. When these
+	// component-specific TLS configurations are set, they take precedence over the cluster-wide
+	// tlsSecurityProfile. When not set, these components fall back to the cluster-wide default.
+	//
+	// Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+	// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+	//
+	// This field is optional.
+	// When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults.
+	// These defaults are subject to change over time.
+	// The current default is LegacyExternalAPIServerComponentsOnly.
+	//
+	// Once set, this field may be changed to a different value, but may not be removed.
+	// +openshift:enable:FeatureGate=TLSAdherence
+	// +optional
+	TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`
 	// audit specifies the settings for audit configuration to be applied to all OpenShift-provided
 	// API servers in the cluster.
 	// +optional
@@ -237,6 +269,32 @@ const (
 type APIServerStatus struct {
 }
 
+// TLSAdherencePolicy defines which components adhere to the TLS security profile.
+// Implementors should use the ShouldAllComponentsAdhere helper function from library-go
+// rather than checking these values directly.
+// +kubebuilder:validation:Enum=LegacyExternalAPIServerComponentsOnly;StrictAllComponents
+type TLSAdherencePolicy string
+
+const (
+	// TLSAdherencePolicyNoOpinion represents an empty/unset value for tlsAdherence.
+	// This value cannot be explicitly set and is only present when the field is omitted.
+	// When the field is omitted, the cluster defaults to LegacyExternalAPIServerComponentsOnly
+	// behavior. Components should treat this the same as LegacyExternalAPIServerComponentsOnly.
+	TLSAdherencePolicyNoOpinion TLSAdherencePolicy = ""
+
+	// TLSAdherencePolicyLegacyExternalAPIServerComponentsOnly means only the externally exposed
+	// API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor
+	// the configured TLS profile. Other components continue to use their individual TLS
+	// configurations.
+	TLSAdherencePolicyLegacyExternalAPIServerComponentsOnly TLSAdherencePolicy = "LegacyExternalAPIServerComponentsOnly"
+
+	// TLSAdherencePolicyStrictAllComponents means all components must honor the configured TLS
+	// profile unless they have a component-specific TLS configuration that overrides it.
+	// This mode is recommended for security-conscious deployments and is required
+	// for certain compliance frameworks.
+	TLSAdherencePolicyStrictAllComponents TLSAdherencePolicy = "StrictAllComponents"
+)
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

@@ -292,6 +292,40 @@ spec:
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object
+              tlsAdherence:
+                description: |-
+                  tlsAdherence controls which components in the cluster adhere to the TLS security profile
+                  configured on this APIServer resource.
+
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+
+                  When set to "LegacyExternalAPIServerComponentsOnly", only the externally exposed
+                  API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
+                  TLS profile. Other components continue to use their individual TLS configurations.
+
+                  When set to "StrictAllComponents", all components must honor the configured TLS profile
+                  unless they have a component-specific TLS configuration that overrides it.
+                  This mode is recommended for security-conscious deployments and is required for
+                  certain compliance frameworks.
+
+                  Note: Some components such as Kubelet and IngressController have their own dedicated TLS
+                  configuration mechanisms via KubeletConfig and IngressController CRs respectively. When these
+                  component-specific TLS configurations are set, they take precedence over the cluster-wide
+                  tlsSecurityProfile. When not set, these components fall back to the cluster-wide default.
+
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+                  and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+
+                  This field is optional.
+                  When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults.
+                  These defaults are subject to change over time.
+                  The current default is LegacyExternalAPIServerComponentsOnly.
+
+                  Once set, this field may be changed to a different value, but may not be removed.
+                enum:
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
+                type: string
               tlsSecurityProfile:
                 description: |-
                   tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
@@ -427,6 +461,9 @@ spec:
                     type: string
                 type: object
             type: object
+            x-kubernetes-validations:
+            - message: tlsAdherence may not be removed once set
+              rule: 'has(oldSelf.tlsAdherence) ? has(self.tlsAdherence) : true'
           status:
             description: status holds observed values from the cluster. They may not
               be overridden.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

@@ -292,6 +292,40 @@ spec:
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object
+              tlsAdherence:
+                description: |-
+                  tlsAdherence controls which components in the cluster adhere to the TLS security profile
+                  configured on this APIServer resource.
+
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+
+                  When set to "LegacyExternalAPIServerComponentsOnly", only the externally exposed
+                  API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
+                  TLS profile. Other components continue to use their individual TLS configurations.
+
+                  When set to "StrictAllComponents", all components must honor the configured TLS profile
+                  unless they have a component-specific TLS configuration that overrides it.
+                  This mode is recommended for security-conscious deployments and is required for
+                  certain compliance frameworks.
+
+                  Note: Some components such as Kubelet and IngressController have their own dedicated TLS
+                  configuration mechanisms via KubeletConfig and IngressController CRs respectively. When these
+                  component-specific TLS configurations are set, they take precedence over the cluster-wide
+                  tlsSecurityProfile. When not set, these components fall back to the cluster-wide default.
+
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+                  and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+
+                  This field is optional.
+                  When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults.
+                  These defaults are subject to change over time.
+                  The current default is LegacyExternalAPIServerComponentsOnly.
+
+                  Once set, this field may be changed to a different value, but may not be removed.
+                enum:
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
+                type: string
               tlsSecurityProfile:
                 description: |-
                   tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
@@ -427,6 +461,9 @@ spec:
                     type: string
                 type: object
             type: object
+            x-kubernetes-validations:
+            - message: tlsAdherence may not be removed once set
+              rule: 'has(oldSelf.tlsAdherence) ? has(self.tlsAdherence) : true'
           status:
             description: status holds observed values from the cluster. They may not
               be overridden.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

@@ -224,6 +224,40 @@ spec:
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object
+              tlsAdherence:
+                description: |-
+                  tlsAdherence controls which components in the cluster adhere to the TLS security profile
+                  configured on this APIServer resource.
+
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+
+                  When set to "LegacyExternalAPIServerComponentsOnly", only the externally exposed
+                  API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
+                  TLS profile. Other components continue to use their individual TLS configurations.
+
+                  When set to "StrictAllComponents", all components must honor the configured TLS profile
+                  unless they have a component-specific TLS configuration that overrides it.
+                  This mode is recommended for security-conscious deployments and is required for
+                  certain compliance frameworks.
+
+                  Note: Some components such as Kubelet and IngressController have their own dedicated TLS
+                  configuration mechanisms via KubeletConfig and IngressController CRs respectively. When these
+                  component-specific TLS configurations are set, they take precedence over the cluster-wide
+                  tlsSecurityProfile. When not set, these components fall back to the cluster-wide default.
+
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+                  and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+
+                  This field is optional.
+                  When omitted, this means the user has no opinion and the platform is left to choose reasonable defaults.
+                  These defaults are subject to change over time.
+                  The current default is LegacyExternalAPIServerComponentsOnly.
+
+                  Once set, this field may be changed to a different value, but may not be removed.
+                enum:
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
+                type: string
               tlsSecurityProfile:
                 description: |-
                   tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
@@ -359,6 +393,9 @@ spec:
                     type: string
                 type: object
             type: object
+            x-kubernetes-validations:
+            - message: tlsAdherence may not be removed once set
+              rule: 'has(oldSelf.tlsAdherence) ? has(self.tlsAdherence) : true'
           status:
             description: status holds observed values from the cluster. They may not
               be overridden.

config/v1/zz_generated.featuregated-crd-manifests.yaml

@@ -8,6 +8,7 @@ apiservers.config.openshift.io:
   FeatureGates:
   - KMSEncryption
   - KMSEncryptionProvider
+  - TLSAdherence
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_10"