Merge pull request #1948 from tesshuflower/tls_profile_compliance

Controller setup & metrics - OpenShift Tls profile compliance

Author: openshift-merge-bot[bot]

.ci-scripts/yamlconfig.yaml

@@ -5,8 +5,7 @@ extends: default
 ignore: |
   bundle/**
   config/**
-  internal/controller/test/scc-crd.yml
-  internal/controller/test/populator.storage.k8s.io_volumepopulators.yaml
+  internal/controller/test/**
   custom-scorecard-tests/**
   hack/crds/*
   helm/volsync/**

bundle/manifests/volsync.clusterserviceversion.yaml

@@ -55,7 +55,7 @@ metadata:
         }
       ]
     capabilities: Basic Install
-    createdAt: "2026-02-10T17:09:35Z"
+    createdAt: "2026-03-13T15:41:32Z"
     olm.skipRange: '>=0.4.0 <0.16.0'
     operators.operatorframework.io/builder: operator-sdk-v1.42.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
@@ -219,6 +219,14 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - config.openshift.io
+          resources:
+          - apiservers
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - populator.storage.k8s.io
           resources:

cmd/main.go

@@ -37,6 +37,7 @@ import (
 
 	snapv1 "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumesnapshot/v1"
 	volumepopulatorv1beta1 "github.com/kubernetes-csi/volume-data-source-validator/client/apis/volumepopulator/v1beta1"
+	ocpconfigv1 "github.com/openshift/api/config/v1"
 	ocpsecurityv1 "github.com/openshift/api/security/v1"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
@@ -80,6 +81,7 @@ func init() {
 	utilruntime.Must(volsyncv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(ocpsecurityv1.AddToScheme(scheme))
 	utilruntime.Must(volumepopulatorv1beta1.AddToScheme(scheme))
+	utilruntime.Must(ocpconfigv1.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 
@@ -165,16 +167,10 @@ func addCommandFlags(probeAddr *string, metricsAddr *string, enableLeaderElectio
 }
 
 // Prereq CRs we want to always be present in certain environments but do not want to reconcile often (just at startup)
-func ensureCRs(cfg *rest.Config) {
-	setupClient, err := client.New(cfg, client.Options{Scheme: scheme})
-	if err != nil {
-		setupLog.Error(err, "error creating client")
-		os.Exit(1)
-	}
-
+func ensureCRs(setupClient client.Client) {
 	// Privileged mover SCC required in OpenShift envs
 	setupLog.Info("Privileged Mover SCC", "scc-name", utils.SCCName)
-	err = platform.EnsureVolSyncMoverSCCIfOpenShift(context.Background(), setupClient, setupLog,
+	err := platform.EnsureVolSyncMoverSCCIfOpenShift(context.Background(), setupClient, setupLog,
 		utils.SCCName, volsyncMoverSCCYamlRaw)
 	if err != nil {
 		setupLog.Error(err, "unable to reconcile volsync mover scc", "scc-name", utils.SCCName)
@@ -223,6 +219,18 @@ func main() {
 	renewDeadline := 107 * time.Second
 	retryPeriod := 26 * time.Second
 
+	cfg := ctrl.GetConfigOrDie()
+	setupClient, err := client.New(cfg, client.Options{Scheme: scheme})
+	if err != nil {
+		setupLog.Error(err, "error creating client")
+		os.Exit(1)
+	}
+
+	// Create a context that can be cancelled when there is a need to shut down the manager	.
+	ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
+	// Ensure the context is cancelled when the program exits.
+	defer cancel()
+
 	// if the enable-http2 flag is false (the default), http/2 should be disabled
 	// due to its vulnerabilities. More specifically, disabling http/2 will
 	// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
@@ -233,11 +241,21 @@ func main() {
 		setupLog.Info("disabling http/2")
 		c.NextProtos = []string{"http/1.1"}
 	}
-
 	if !enableHTTP2 {
 		tlsOpts = append(tlsOpts, disableHTTP2)
 	}
 
+	// Fetch the TLS profile from the APIServer resource (OpenShift only)
+	tlsSecurityProfileSpec, err := platform.GetTLSProfileIfOpenShift(ctx, setupClient, setupLog)
+	if err != nil {
+		setupLog.Error(err, "Unable to get TLS Security Profile from OpenShift")
+		os.Exit(1)
+	}
+	if tlsSecurityProfileSpec != nil {
+		tlsConfig := platform.GetTLSConfigFromProfile(*tlsSecurityProfileSpec, setupLog)
+		tlsOpts = append(tlsOpts, tlsConfig)
+	}
+
 	// Create watchers for metrics and webhooks certificates
 	var metricsCertWatcher *certwatcher.CertWatcher
 	//var webhookCertWatcher *certwatcher.CertWatcher
@@ -320,7 +338,6 @@ func main() {
 		})
 	}
 
-	cfg := ctrl.GetConfigOrDie()
 	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
 		Scheme:                 scheme,
 		Metrics:                metricsServerOptions,
@@ -342,8 +359,20 @@ func main() {
 		os.Exit(1)
 	}
 
+	if tlsSecurityProfileSpec != nil {
+		// Will only be true for OpenShift clusters
+		// Setup TLS Security Profile Watcher to monitor for TLS profile changes.
+		// When the cluster's TLS profile changes, the operator will gracefully shutdown
+		// and restart to pick up the new configuration.
+		err = platform.InitTLSSecurityProfileWatcherWithManager(mgr, *tlsSecurityProfileSpec, setupLog, cancel)
+		if err != nil {
+			setupLog.Error(err, "unable to set up TLS security profile watcher")
+			os.Exit(1)
+		}
+	}
+
 	// Before starting controllers - create or patch volsync mover SCC and VolumePopulator CR if necessary
-	ensureCRs(cfg)
+	ensureCRs(setupClient)
 
 	initPodLogsClient(cfg)
 
@@ -408,7 +437,7 @@ func main() {
 		os.Exit(1)
 	}
 	setupLog.Info("starting manager")
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+	if err := mgr.Start(ctx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
 	}

config/rbac/role.yaml

@@ -88,6 +88,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - populator.storage.k8s.io
   resources:

go.mod

@@ -11,7 +11,8 @@ require (
 	github.com/kubernetes-csi/volume-data-source-validator/client v0.0.0-20250919142814-90ffb8220766
 	github.com/onsi/ginkgo/v2 v2.28.1
 	github.com/onsi/gomega v1.39.1
-	github.com/openshift/api v0.0.0-20230918105526-6488b1202507 // release-4.14
+	github.com/openshift/api v0.0.0-20260213155647-8fe9fe363807 // release-4.14
+	github.com/openshift/controller-runtime-common v0.0.0-20260307102856-5db94f69ad3a
 	github.com/prometheus/client_golang v1.23.2
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/spf13/cobra v1.10.2
@@ -28,7 +29,7 @@ require (
 	k8s.io/component-helpers v0.35.2
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubectl v0.35.2
-	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570
 	sigs.k8s.io/controller-runtime v0.23.3
 )
 
@@ -84,6 +85,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/openshift/library-go v0.0.0-20260213153706-03f1709971c5 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect

go.sum

@@ -212,8 +212,12 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
 github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28=
 github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg=
-github.com/openshift/api v0.0.0-20230918105526-6488b1202507 h1:WcJnVswQUi7BEq1fsRkGU3iqVpID3lpOlYjFNND8tXI=
-github.com/openshift/api v0.0.0-20230918105526-6488b1202507/go.mod h1:yimSGmjsI+XF1mr+AKBs2//fSXIOhhetHGbMlBEfXbs=
+github.com/openshift/api v0.0.0-20260213155647-8fe9fe363807 h1:coR/haF16EW8KS1E/PwJfDzMSy4mU9K0H1rcHejqYDY=
+github.com/openshift/api v0.0.0-20260213155647-8fe9fe363807/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/openshift/controller-runtime-common v0.0.0-20260307102856-5db94f69ad3a h1:EQfdaEHOOBDkbvyHAn69u6eZDMuHPK3CTr1i89eEmss=
+github.com/openshift/controller-runtime-common v0.0.0-20260307102856-5db94f69ad3a/go.mod h1:9HQZbBpikedL8l9mQpaDB4C15FNgLlnNuLP5ADrkVOI=
+github.com/openshift/library-go v0.0.0-20260213153706-03f1709971c5 h1:9Pe6iVOMjt9CdA/vaKBNUSoEIjIe1po5Ha3ABRYXLJI=
+github.com/openshift/library-go v0.0.0-20260213153706-03f1709971c5/go.mod h1:K3FoNLgNBFYbFuG+Kr8usAnQxj1w84XogyUp2M8rK8k=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=
@@ -479,8 +483,8 @@ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZ
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
 k8s.io/kubectl v0.35.2 h1:aSmqhSOfsoG9NR5oR8OD5eMKpLN9x8oncxfqLHbJJII=
 k8s.io/kubectl v0.35.2/go.mod h1:+OJC779UsDJGxNPbHxCwvb4e4w9Eh62v/DNYU2TlsyM=
-k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
-k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY=
+k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4iqwZ80=

helm/volsync/templates/clusterrole-manager.yaml

@@ -157,6 +157,14 @@ rules:
   - create
   - patch
   - update
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - populator.storage.k8s.io
   resources:

internal/controller/platform/properties.go

@@ -21,9 +21,9 @@ import (
 	"context"
 
 	"github.com/go-logr/logr"
+	ocpconfigv1 "github.com/openshift/api/config/v1"
 	ocpsecurityv1 "github.com/openshift/api/security/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -32,42 +32,77 @@ import (
 )
 
 // Properties contains properties about the environment in which we are running
+var properties *Properties
+
 type Properties struct {
-	IsOpenShift        bool // True if we are running on OpenShift
-	HasSCCRestrictedV2 bool // True if the SecurityContextConstraints "restricted-v2" exists
+	IsOpenShift            bool                        // True if we are running on OpenShift
+	TLSSecurityProfileSpec *ocpconfigv1.TLSProfileSpec // Will be nil if not on OpenShift
 }
 
 //nolint:lll
 //+kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=get;list;watch;create;patch;update
+//+kubebuilder:rbac:groups=config.openshift.io,resources=apiservers,verbs=get;list;watch
 
 // Retrieves properties of the running cluster
-func GetProperties(ctx context.Context, client client.Client, logger logr.Logger) (Properties, error) {
-	if err := ocpsecurityv1.AddToScheme(client.Scheme()); err != nil {
+func GetProperties(ctx context.Context, k8sClient client.Client, logger logr.Logger) (Properties, error) {
+	if properties != nil {
+		// Use cached value if it's set
+		return *properties, nil
+	}
+
+	if err := ocpsecurityv1.AddToScheme(k8sClient.Scheme()); err != nil {
 		logger.Error(err, "unable to add scheme for security.openshift.io")
 		return Properties{}, err
 	}
+	if err := ocpconfigv1.AddToScheme(k8sClient.Scheme()); err != nil {
+		logger.Error(err, "unable to add scheme for config.openshift.io")
+		return Properties{}, err
+	}
 
 	var err error
 	p := Properties{}
 
-	if p.IsOpenShift, err = isOpenShift(ctx, client, logger); err != nil {
+	if p.IsOpenShift, err = isOpenShift(ctx, k8sClient, logger); err != nil {
 		return Properties{}, err
 	}
 	if p.IsOpenShift {
-		if p.HasSCCRestrictedV2, err = hasSCCRestrictedV2(ctx, client, logger); err != nil {
+		if p.TLSSecurityProfileSpec, err = getTLSProfile(ctx, k8sClient, logger); err != nil {
 			return Properties{}, err
 		}
 	}
+
+	// Cache properties for subsequent calls
+	properties = &p
+
 	return p, nil
 }
 
+// For test usage, clear out our cached properties
+func clearProperties() {
+	properties = nil
+}
+
+// Checks to determine whether this is OpenShift by looking for any SecurityContextConstraint objects
+func isOpenShift(ctx context.Context, k8sClient client.Client, logger logr.Logger) (bool, error) {
+	SCCs := ocpsecurityv1.SecurityContextConstraintsList{}
+	err := k8sClient.List(ctx, &SCCs)
+	if len(SCCs.Items) > 0 {
+		return true, nil
+	}
+	if err == nil || utils.IsCRDNotPresentError(err) {
+		return false, nil
+	}
+	logger.Error(err, "error while looking for SCCs")
+	return false, err
+}
+
 func EnsureVolSyncMoverSCCIfOpenShift(ctx context.Context, k8sClient client.Client, logger logr.Logger,
 	sccName string, sccRaw []byte) error {
-	openShift, err := isOpenShift(ctx, k8sClient, logger)
+	p, err := GetProperties(ctx, k8sClient, logger)
 	if err != nil {
 		return err
 	}
-	if !openShift {
+	if !p.IsOpenShift {
 		return nil // Not OpenShift, nothing to do here
 	}
 
@@ -115,35 +150,3 @@ func EnsureVolSyncMoverSCCIfOpenShift(ctx context.Context, k8sClient client.Clie
 	// Patch currentScc with our volsync mover scc
 	return k8sClient.Patch(ctx, volsyncMoverScc, client.MergeFrom(currentScc))
 }
-
-// Checks to determine whether this is OpenShift by looking for any SecurityContextConstraint objects
-func isOpenShift(ctx context.Context, c client.Client, l logr.Logger) (bool, error) {
-	SCCs := ocpsecurityv1.SecurityContextConstraintsList{}
-	err := c.List(ctx, &SCCs)
-	if len(SCCs.Items) > 0 {
-		return true, nil
-	}
-	if err == nil || utils.IsCRDNotPresentError(err) {
-		return false, nil
-	}
-	l.Error(err, "error while looking for SCCs")
-	return false, err
-}
-
-func hasSCCRestrictedV2(ctx context.Context, c client.Client, l logr.Logger) (bool, error) {
-	scc := ocpsecurityv1.SecurityContextConstraints{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "restricted-v2",
-		},
-	}
-	// The following assumes SCC is a valid type (i.e., it's OpenShift)
-	err := c.Get(ctx, client.ObjectKeyFromObject(&scc), &scc)
-	if err == nil {
-		return true, nil
-	}
-	if kerrors.IsNotFound(err) {
-		return false, nil
-	}
-	l.Error(err, "error while looking for restricted-v2 SCC")
-	return false, err
-}