feat: apply TLS profile to COO

simonpasquier · simonpasquier · commit 7b71dde1a0c2 · 2026-05-13T11:40:16.000+02:00
This commit passes the TLS configuration read from the cluster TLS
profile to the operator's HTTPS server.

Signed-off-by: Simon Pasquier &lt;spasquie@redhat.com&gt;
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
@@ -68,6 +68,7 @@ type OperatorConfiguration struct {
 	UIPlugins              uictrl.UIPluginsConfiguration
 	FeatureGates           FeatureGates
 	ObservabilityInstaller ObservabilityInstallerConfiguration
+	TLSProfile             configv1.TLSProfileSpec
 	// CancelFunc is called to trigger graceful shutdown (e.g., on TLS profile change).
 	CancelFunc context.CancelFunc
 }
@@ -155,13 +156,15 @@ func WithCancelFunc(cancel context.CancelFunc) func(*OperatorConfiguration) {
 
 func WithTLSProfile(tlsProfile configv1.TLSProfileSpec) func(*OperatorConfiguration) {
 	return func(oc *OperatorConfiguration) {
+		oc.TLSProfile = tlsProfile
 		oc.UIPlugins.TLSProfile = tlsProfile
 	}
 }
 
 func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 	restConfig := ctrl.GetConfigOrDie()
 	scheme := NewScheme(cfg)
+	setupLog := ctrl.Log.WithName("setup")
 
 	metricsOpts := metricsserver.Options{
 		BindAddress: cfg.MetricsAddr,
@@ -226,10 +229,16 @@ func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 			ctrl.Log.WithName("events").Info(fmt.Sprintf(format, args...))
 		})
 
+		var tlsConfig tls.Config
+		tlsConfigFn, unsupportedCiphers := openshifttls.NewTLSConfigFromProfile(cfg.TLSProfile)
+		if len(unsupportedCiphers) > 0 {
+			setupLog.Info("Some ciphers from TLS profile are not supported", "ciphers", unsupportedCiphers)
+		}
+		tlsConfigFn(&tlsConfig)
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+
 		servingCertController = dynamiccertificates.NewDynamicServingCertificateController(
-			&tls.Config{
-				ClientAuth: tls.RequireAndVerifyClientCert,
-			},
+			&tlsConfig,
 			clientCAController,
 			certKeyProvider,
 			nil,
@@ -322,11 +331,10 @@ func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 	}
 
 	if cfg.FeatureGates.OpenShift.Enabled {
-		setupLog := ctrl.Log.WithName("setup")
 
 		watcher := &openshifttls.SecurityProfileWatcher{
 			Client:                mgr.GetClient(),
-			InitialTLSProfileSpec: cfg.UIPlugins.TLSProfile,
+			InitialTLSProfileSpec: cfg.TLSProfile,
 			OnProfileChange: func(_ context.Context, _, _ configv1.TLSProfileSpec) {
 				setupLog.Info("TLS security profile changed, triggering graceful restart")
 				if cfg.CancelFunc != nil {
@@ -342,7 +350,6 @@ func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 			return nil, fmt.Errorf("unable to register observability-ui-plugin controller: %w", err)
 		}
 	} else {
-		setupLog := ctrl.Log.WithName("setup")
 		setupLog.Info("OpenShift feature gate is disabled, UIPlugins are not enabled")
 	}
 
@@ -351,7 +358,6 @@ func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 			return nil, fmt.Errorf("unable to register operator controller: %w", err)
 		}
 	} else {
-		setupLog := ctrl.Log.WithName("setup")
 		setupLog.Info("OpenShift feature gate is disabled, Operator controller is not enabled")
 	}
 
@@ -374,7 +380,6 @@ func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 			return nil, fmt.Errorf("unable to register cluster observability controller: %w", err)
 		}
 	} else {
-		setupLog := ctrl.Log.WithName("setup")
 		setupLog.Info("OpenShift feature gate is disabled, cluster observability controller is not enabled")
 	}
 
