HPCASE-208: Add TLSAdherencePolicy helper #2114
openshift-merge-bot[bot] merged 1 commit into openshift:master
Skipping CI for Draft Pull Request.

This will be a draft diff until openshift/api#2680 is landed. Since 2680 adds the TLSAdherencePolicy type
@richardsonnick: This pull request references HPCASE-208 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.22.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/hold

Tests will not pass until api changes are merged: openshift/api#2680

/retest-required openshift/api#2680 landed

@rhmdnd @richardsonnick this needs bumping of openshift/api in the go.mod here before being retestable.
Adds a helper function that encapsulates the logic for determining whether a component should honor the cluster-wide TLS security profile from apiserver.config.openshift.io/cluster. This function handles:
- Empty/unset values (treated as LegacyAdheringComponentsOnly)
- LegacyAdheringComponentsOnly (returns false)
- StrictAllComponents (returns true)
- Unknown enum values (returns true for forward compatibility)
Force-pushed from f7ed2e2 to 8ede25a
Bumping the deps in #2142

/label approved

/retest

@richardsonnick: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

/tide refresh

[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: damdo, richardsonnick. The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files: Approvers can indicate their approval by writing

/unhold

/label approved
The function has been merged upstream in openshift/library-go#2114, so we can now use it directly and remove our local implementation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Nick Fox <nfox@redhat.com>
…hift (#1513)

* Sync Istios with APIServer tlsProfile
  Adds a global TLSConfig for the operator that gets applied to all Istio resources. On OpenShift, when the operator first starts it will fetch TLS settings from the APIServer. When the APIServer TLS settings change the operator process will terminate, forcing a restart.
  Signed-off-by: Nick Fox <nfox@redhat.com>

* Use common tls lib to subscribe to APIServer changes
  Added [controller-runtime-common](https://github.com/openshift/controller-runtime-common) lib to handle watching the APIServer for changes.
  Signed-off-by: Nick Fox <nfox@redhat.com>

* Fix linting errors
  Added licenses and fixed gosec complaints about minTLSVersion.
  Signed-off-by: Nick Fox <nfox@redhat.com>

* Update to latest cr-common
  Updates the controller-runtime-common dep.
  Signed-off-by: Nick Fox <nfox@redhat.com>

* Gate TLS profile syncing on APIServer tlsAdherence policy
  Only honor the cluster-wide TLS security profile when the APIServer's tlsAdherence field is set to StrictAllComponents. When it is unset or set to LegacyAdheringComponentsOnly, skip TLS profile syncing and the SecurityProfileWatcher entirely.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  Signed-off-by: Nick Fox <nfox@redhat.com>

* Use library-go ShouldHonorClusterTLSProfile instead of local copy
  The function has been merged upstream in openshift/library-go#2114, so we can now use it directly and remove our local implementation.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  Signed-off-by: Nick Fox <nfox@redhat.com>

* Sync operator TLS config with OpenShift APIServer tlsAdherence policy
  Honor the APIServer tlsAdherence field (OCP 4.22+) to determine whether the operator should apply the cluster TLS profile to Istio and its own metrics server. Refactor TLS initialization into config.NewTLSConfigForOpenShift and add unit tests.
  Rewrite TLS profile change e2e tests to cover the three key scenarios: no-op when policy is unset, restart on adherence policy change, and restart on profile change under strict mode.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  Signed-off-by: Nick Fox <nfox@redhat.com>

* Refactor e2e tests to test for expected ciphers
  Rather than testing for the operator pod restarting, which is just an implementation detail, the e2e tests now test that the Istio resource is properly setting the expected TLS settings when the TLS profile is set. The e2e tests now test the metrics endpoint directly for the same behavior.
  Signed-off-by: Nick Fox <nfox@redhat.com>

* Use typed values
  Using typed values instead of the unstructured values for better type safety.
  Signed-off-by: Nick Fox <nfox@redhat.com>

* Address copilot feedback
  Implement some cleanup suggestions by copilot.
  Signed-off-by: Nick Fox <nfox@redhat.com>

---------
Signed-off-by: Nick Fox <nfox@redhat.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add ShouldHonorClusterTLSProfile helper for TLS adherence policy

Adds a helper function that encapsulates the logic for determining whether a component should honor the cluster-wide TLS security profile from apiserver.config.openshift.io/cluster.

This function handles:
- Empty/unset values (treated as LegacyAdheringComponentsOnly)
- LegacyAdheringComponentsOnly (returns false)
- StrictAllComponents (returns true)
- Unknown enum values (returns true for forward compatibility)

Component implementors should use this helper rather than checking tlsAdherence field values directly, allowing coordinated changes to the default semantic across all implementations.

See: https://github.com/openshift/enhancements/pull/XXXX
Relevant APIServer changes: openshift/api#2680
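As an added illustration (not library-go's own code, nor the sail-operator's config.NewTLSConfigForOpenShift) of the decision the helper encodes and of how a component such as the operator's metrics server gates its TLS settings on it, the block below implements the four cases listed in the commit message and applies the result. The TLSAdherencePolicy type and the ClusterProfile struct are local stand-ins for the openshift/api types, and the Modern-like profile values are constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// TLSAdherencePolicy is a local stand-in (assumption) for the openshift/api type.
type TLSAdherencePolicy string

const (
	TLSAdherenceLegacyAdheringComponentsOnly TLSAdherencePolicy = "LegacyAdheringComponentsOnly"
	TLSAdherenceStrictAllComponents          TLSAdherencePolicy = "StrictAllComponents"
)

// ShouldHonorClusterTLSProfile implements the four cases from the commit message.
func ShouldHonorClusterTLSProfile(policy TLSAdherencePolicy) bool {
	switch policy {
	case "", TLSAdherenceLegacyAdheringComponentsOnly:
		return false // unset is treated as LegacyAdheringComponentsOnly
	case TLSAdherenceStrictAllComponents:
		return true
	default:
		// Unknown value: assume a newer, stricter policy and honor the cluster
		// profile rather than silently falling back to component defaults.
		return true
	}
}

// ClusterProfile is a constructed stand-in for the minTLSVersion and ciphers
// resolved from the apiserver.config.openshift.io/cluster TLS security profile.
type ClusterProfile struct {
	MinVersion   uint16
	CipherSuites []uint16
}

// TLSConfigFor returns what a component (e.g. its metrics server) should apply:
// the cluster profile when honored, else the component default (TLS 1.2, Go's default ciphers).
func TLSConfigFor(policy TLSAdherencePolicy, cluster ClusterProfile) *tls.Config {
	if !ShouldHonorClusterTLSProfile(policy) {
		return &tls.Config{MinVersion: tls.VersionTLS12}
	}
	return &tls.Config{MinVersion: cluster.MinVersion, CipherSuites: cluster.CipherSuites}
}

func main() {
	modern := ClusterProfile{MinVersion: tls.VersionTLS13} // constructed Modern-like profile
	fmt.Printf("strict minTLS=0x%04x\n", TLSConfigFor(TLSAdherenceStrictAllComponents, modern).MinVersion)
}
```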