TLS configurable option for PQC

Signed-off-by: akhil nittala <nakhil@redhat.com>

Author: akhilnittala

Dockerfile

@@ -1,34 +1,37 @@
 # Build the manager binary
-FROM golang:1.25 as builder
+FROM --platform=linux/amd64 golang:1.25 AS builder
 
 WORKDIR /workspace
+
+COPY argocd-operator /workspace/argocd-operator
+
 # Copy the Go Modules manifests
 COPY go.mod go.mod
 COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
+
+# Cache dependencies
 RUN go mod download
 
-# Copy the go source
+# Copy the Go source
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
 COPY controllers/ controllers/
 COPY common/ common/
 COPY version/ version/
 
-# Build - Use TARGETARCH to build for the correct architecture
-ARG TARGETARCH
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -a -o manager ./cmd/main.go
+# Build explicitly for linux/amd64
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager ./cmd/main.go
+
+# Use distroless as minimal base image
+FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot
 
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
 WORKDIR /
+
 COPY --from=builder /workspace/manager /usr/local/bin/manager
 
-# install redis artifacts
+# Install redis artifacts
 COPY build/redis /var/lib/redis
 
 USER 65532:65532
 
-ENTRYPOINT ["/usr/local/bin/manager"]
+ENTRYPOINT ["/usr/local/bin/manager"]

Makefile

@@ -183,8 +183,8 @@ run: manifests generate fmt vet ## Run a controller from your host.
 	CLUSTER_SCOPED_ARGO_ROLLOUTS_NAMESPACES=argo-rollouts,test-rom-ns-1,rom-ns-1,openshift-gitops  ARGOCD_CLUSTER_CONFIG_NAMESPACES="openshift-gitops, argocd-e2e-cluster-config, argocd-test-impersonation-1-046, argocd-agent-principal-1-051, argocd-agent-agent-1-052, appset-argocd, appset-old-ns, appset-new-ns, ns-hosting-principal, ns-hosting-managed-agent, ns-hosting-autonomous-agent, appset-argocd-clusterrole"  REDIS_CONFIG_PATH="build/redis"   go run ./cmd/main.go
 
 .PHONY: docker-build
-docker-build: test ## Build container image with the manager.
-	$(CONTAINER_RUNTIME) build -t ${IMG} .
+docker-build:  ## Build container image with the manager.
+	$(CONTAINER_RUNTIME) build --platform=linux/amd64 -t ${IMG} .
 
 .PHONY: docker-push
 docker-push: ## Push container image with the manager.

cmd/main.go

@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"flag"
 	"fmt"
@@ -46,6 +47,7 @@ import (
 	oauthv1 "github.com/openshift/api/oauth/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	templatev1 "github.com/openshift/api/template/v1"
+	tlspkg "github.com/openshift/controller-runtime-common/pkg/tls"
 	operatorsv1 "github.com/operator-framework/api/pkg/operators/v1"
 	operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
@@ -131,6 +133,8 @@ func main() {
 	flag.Parse()
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+	ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
+	defer cancel()
 
 	if err := util.InspectCluster(); err != nil {
 		setupLog.Info("unable to inspect cluster")
@@ -142,15 +146,40 @@ func main() {
 		}
 		c.NextProtos = []string{"http/1.1"}
 	}
+
+	restConfig := ctrl.GetConfigOrDie()
+	// Register config.openshift.io APIs before creating bootstrap client
+	utilruntime.Must(configv1.Install(scheme))
+	bootstrapClient, err := crclient.New(restConfig, crclient.Options{
+		Scheme: scheme,
+	})
+	if err != nil {
+		setupLog.Error(err, "unable to create bootstrap client")
+		os.Exit(1)
+	}
+	var profile configv1.TLSProfileSpec
+	profile, err = tlspkg.FetchAPIServerTLSProfile(ctx, bootstrapClient)
+	if err != nil {
+		setupLog.Error(err, "unable to fetch cluster TLS profile")
+		os.Exit(1)
+	}
+	tlsOpts := []func(*tls.Config){disableHTTP2}
+	tlsConfigFn, unsupported := tlspkg.NewTLSConfigFromProfile(profile)
+	if len(unsupported) > 0 {
+		setupLog.Info("TLS profile contains unsupported Go cipher suites", "ciphers", unsupported)
+	}
+
+	tlsOpts = append(tlsOpts, tlsConfigFn)
+
 	webhookServerOptions := webhook.Options{
-		TLSOpts: []func(config *tls.Config){disableHTTP2},
+		TLSOpts: tlsOpts,
 		Port:    9443,
 	}
 	webhookServer := webhook.NewServer(webhookServerOptions)
 
 	metricsServerOptions := metricsserver.Options{
 		BindAddress:    metricsAddr,
-		TLSOpts:        []func(*tls.Config){disableHTTP2},
+		TLSOpts:        tlsOpts,
 		FilterProvider: filters.WithAuthenticationAndAuthorization,
 	}
 
@@ -180,15 +209,35 @@ func main() {
 		}
 	}
 
-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), options)
+	mgr, err := ctrl.NewManager(restConfig, options)
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)
 	}
 
+	watcher := &tlspkg.SecurityProfileWatcher{
+		Client:                mgr.GetClient(),
+		InitialTLSProfileSpec: profile,
+		OnProfileChange: func(_ context.Context, oldProfile, newProfile configv1.TLSProfileSpec) {
+			if reflect.DeepEqual(oldProfile, newProfile) {
+				return
+			}
+			setupLog.Info("cluster TLS profile changed, restarting operator",
+				"oldProfileMinVersion", oldProfile.MinTLSVersion,
+				"newProfileMinVersion", newProfile.MinTLSVersion)
+
+			cancel()
+		},
+	}
+
+	if err := watcher.SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to setup TLS security profile watcher")
+		os.Exit(1)
+	}
+
 	var client crclient.Client
 	if strings.ToLower(os.Getenv("MEMORY_OPTIMIZATION_ENABLED")) != "false" {
-		liveClient, err := crclient.New(ctrl.GetConfigOrDie(), crclient.Options{Scheme: mgr.GetScheme()})
+		liveClient, err := crclient.New(restConfig, crclient.Options{Scheme: mgr.GetScheme()})
 		if err != nil {
 			setupLog.Error(err, "unable to create live client")
 			os.Exit(1)
@@ -266,6 +315,10 @@ func main() {
 		K8sClient:         k8sClient,
 		LocalUsers:        argocdprovisioner.NewLocalUsersInfo(),
 		FipsConfigChecker: argoutil.NewLinuxFipsConfigChecker(),
+		CentralTlsConfigProfile: argocdprovisioner.TlsConfigProfile{
+			MinVersion: profile.MinTLSVersion,
+			Ciphers:    profile.Ciphers,
+		},
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Argo CD")
 		os.Exit(1)
@@ -314,7 +367,7 @@ func main() {
 	}
 
 	setupLog.Info("starting manager")
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+	if err := mgr.Start(ctx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
 	}