
Commit d0de7d5

committed
feat: apply TLS profile to COO
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
1 parent d0283f1 commit d0de7d5

1 file changed

Lines changed: 10 additions & 7 deletions

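--- a/pkg/operator/operator.go
+++ b/pkg/operator/operator.go
@@ -162,6 +162,7 @@ func WithTLSProfile(tlsProfile configv1.TLSProfileSpec) func(*OperatorConfigurat
 func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 restConfig := ctrl.GetConfigOrDie()
 scheme := NewScheme(cfg)
+setupLog := ctrl.Log.WithName("setup")
 
 metricsOpts := metricsserver.Options{
 BindAddress: cfg.MetricsAddr,
@@ -226,10 +227,16 @@ func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 ctrl.Log.WithName("events").Info(fmt.Sprintf(format, args...))
 })
 
+var tlsConfig tls.Config
+tlsConfigFn, unsupportedCiphers := openshifttls.NewTLSConfigFromProfile(cfg.UIPlugins.TLSProfile)
+if len(unsupportedCiphers) > 0 {
+setupLog.Info("Some ciphers from TLS profile are not supported", "ciphers", unsupportedCiphers)
+}
+tlsConfigFn(&tlsConfig)
+tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+
 servingCertController = dynamiccertificates.NewDynamicServingCertificateController(
-&tls.Config{
-ClientAuth: tls.RequireAndVerifyClientCert,
-},
+&tlsConfig,
 clientCAController,
 certKeyProvider,
 nil,
@@ -322,7 +329,6 @@ func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 }
 
 if cfg.FeatureGates.OpenShift.Enabled {
-setupLog := ctrl.Log.WithName("setup")
 
 watcher := &openshifttls.SecurityProfileWatcher{
 Client: mgr.GetClient(),
@@ -342,7 +348,6 @@ func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 return nil, fmt.Errorf("unable to register observability-ui-plugin controller: %w", err)
 }
 } else {
-setupLog := ctrl.Log.WithName("setup")
 setupLog.Info("OpenShift feature gate is disabled, UIPlugins are not enabled")
 }
 
@@ -351,7 +356,6 @@ func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 return nil, fmt.Errorf("unable to register operator controller: %w", err)
 }
 } else {
-setupLog := ctrl.Log.WithName("setup")
 setupLog.Info("OpenShift feature gate is disabled, Operator controller is not enabled")
 }
 
@@ -374,7 +378,6 @@ func New(ctx context.Context, cfg *OperatorConfiguration) (*Operator, error) {
 return nil, fmt.Errorf("unable to register cluster observability controller: %w", err)
 }
 } else {
-setupLog := ctrl.Log.WithName("setup")
 setupLog.Info("OpenShift feature gate is disabled, cluster observability controller is not enabled")
 }
 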