feat(tls): inject centrally managed TLS config into pipelines-as-code deployment and webhook

Extend the OpenShift TLS centralization pattern (introduced for Tekton
Pipelines and Triggers webhooks) to the Pipelines-as-Code webhook.

The openshiftpipelinesascode extension now resolves the cluster-wide
APIServer TLS security profile in PreReconcile and injects the resulting
TLS_MIN_VERSION and TLS_CIPHER_SUITES environment variables into the
pipelines-as-code-webhook deployment (pac-webhook container) via the
Transformers step, identical to the approach used for tekton-triggers-webhook.

PlatformDataHashKey propagation is wired through
EnsureOpenShiftPipelinesAsCodeExists / createOPAC / updateOPAC so that
any change to the cluster APIServer TLS profile automatically re-reconciles
the OpenShiftPipelinesAsCode CR and redeploys the webhook with the updated
settings.

Resolves: SRVKP-9616
Made-with: Cursor

Author: jkhelil

pkg/reconciler/kubernetes/tektonconfig/extension.go

@@ -61,7 +61,7 @@ func (oe kubernetesExtension) PostReconcile(ctx context.Context, comp v1alpha1.T
 
 	pacSpec := configInstance.Spec.PipelinesAsCodeForCurrentPlatform()
 	if pacSpec != nil && pacSpec.Enable != nil && *pacSpec.Enable {
-		if _, err := pac.EnsureOpenShiftPipelinesAsCodeExists(ctx, oe.operatorClientSet.OperatorV1alpha1().OpenShiftPipelinesAsCodes(), configInstance, configInstance.Status.Version); err != nil {
+		if _, err := pac.EnsureOpenShiftPipelinesAsCodeExists(ctx, oe.operatorClientSet.OperatorV1alpha1().OpenShiftPipelinesAsCodes(), configInstance, configInstance.Status.Version, ""); err != nil {
 			configInstance.Status.MarkComponentNotReady(fmt.Sprintf("OpenShiftPipelinesAsCode: %s", err.Error()))
 			return v1alpha1.REQUEUE_EVENT_AFTER
 		}

pkg/reconciler/kubernetes/tektoninstallerset/client/check.go

@@ -135,7 +135,7 @@ func verifyMeta(resourceKind, isType string, logger *zap.SugaredLogger, set v1al
 	// Spec Hash Check
 	logger.Debugf("%v/%v: spec hash check", resourceKind, isType)
 
-	expectedHash, err := hash.Compute(specHashInput(comp))
+	expectedHash, err := hash.Compute(comp.GetSpec())
 	if err != nil {
 		return err
 	}
@@ -149,17 +149,3 @@ func verifyMeta(resourceKind, isType string, logger *zap.SugaredLogger, set v1al
 
 	return nil
 }
-
-// specHashInput is the canonical input for computing an InstallerSet's spec hash.
-// Including PlatformDataHashKey means that operator-injected platform config
-// (e.g. OpenShift APIServer TLS profile) causes InstallerSets to be refreshed
-// when that config changes, without requiring the component's spec to change.
-func specHashInput(comp v1alpha1.TektonComponent) interface{} {
-	return struct {
-		Spec         interface{}
-		PlatformData string
-	}{
-		Spec:         comp.GetSpec(),
-		PlatformData: comp.GetAnnotations()[v1alpha1.PlatformDataHashKey],
-	}
-}

pkg/reconciler/openshift/openshiftpipelinesascode/extension.go

@@ -25,8 +25,10 @@ import (
 	mf "github.com/manifestival/manifestival"
 	"github.com/tektoncd/operator/pkg/apis/operator/v1alpha1"
 	operatorclient "github.com/tektoncd/operator/pkg/client/injection/client"
+	tektonConfiginformer "github.com/tektoncd/operator/pkg/client/injection/informers/operator/v1alpha1/tektonconfig"
 	"github.com/tektoncd/operator/pkg/reconciler/common"
 	"github.com/tektoncd/operator/pkg/reconciler/kubernetes/tektoninstallerset/client"
+	occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
 	"go.uber.org/zap"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -37,7 +39,13 @@ import (
 )
 
 const (
-	openshiftNS = "openshift"
+	openshiftNS                = "openshift"
+	pacControllerDeployment    = "pipelines-as-code-controller"
+	pacControllerContainerName = "pac-controller"
+	pacWatcherDeployment       = "pipelines-as-code-watcher"
+	pacWatcherContainerName    = "pac-watcher"
+	pacWebhookDeployment       = "pipelines-as-code-webhook"
+	pacWebhookContainerName    = "pac-webhook"
 )
 
 func OpenShiftExtension(ctx context.Context) common.Extension {
@@ -68,13 +76,14 @@ func OpenShiftExtension(ctx context.Context) common.Extension {
 	}
 
 	tisClient := operatorclient.Get(ctx).OperatorV1alpha1().TektonInstallerSets()
-	return openshiftExtension{
+	return &openshiftExtension{
 		// component version is used for metrics, passing a dummy
 		// value through extension not going to affect execution
 		installerSetClient:   client.NewInstallerSetClient(tisClient, operatorVer, "pipelines-as-code-ext", v1alpha1.KindOpenShiftPipelinesAsCode, nil),
 		pacManifest:          &pacManifest,
 		pipelineRunTemplates: prTemplates,
 		kubeClientSet:        kubeclient.Get(ctx),
+		tektonConfigLister:   tektonConfiginformer.Get(ctx).Lister(),
 	}
 }
 
@@ -83,17 +92,48 @@ type openshiftExtension struct {
 	pacManifest          *mf.Manifest
 	pipelineRunTemplates *mf.Manifest
 	kubeClientSet        kubernetes.Interface
+	tektonConfigLister   occommon.TektonConfigLister
+	resolvedTLSConfig    *occommon.TLSEnvVars
 }
 
-func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Transformer {
-	return []mf.Transformer{
+func (oe *openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Transformer {
+	trns := []mf.Transformer{
 		InjectNamespaceOwnerForPACWebhook(oe.kubeClientSet, comp.GetSpec().GetTargetNamespace()),
 	}
+
+	// Inject APIServer TLS profile env vars into all three PAC deployments so that
+	// they apply the cluster-wide TLS version and cipher suite policy (PQC readiness).
+	if oe.resolvedTLSConfig != nil {
+		trns = append(trns,
+			// pac-webhook uses sharedmain.WebhookMainWithConfig (Knative webhook framework) which
+			// calls knativetls.DefaultConfigFromEnv("WEBHOOK_") → reads WEBHOOK_TLS_* env vars.
+			occommon.InjectTLSEnvVars(oe.resolvedTLSConfig, "Deployment", pacWebhookDeployment, []string{pacWebhookContainerName}, occommon.WebhookEnvVarPrefix),
+			// pac-controller and pac-watcher do not serve a TLS endpoint that reads these env vars;
+			// injecting with no prefix is harmless and keeps them consistent for future use.
+			occommon.InjectTLSEnvVars(oe.resolvedTLSConfig, "Deployment", pacControllerDeployment, []string{pacControllerContainerName}, ""),
+			occommon.InjectTLSEnvVars(oe.resolvedTLSConfig, "Deployment", pacWatcherDeployment, []string{pacWatcherContainerName}, ""),
+		)
+	}
+
+	return trns
 }
-func (oe openshiftExtension) PreReconcile(context.Context, v1alpha1.TektonComponent) error {
+
+func (oe *openshiftExtension) PreReconcile(ctx context.Context, _ v1alpha1.TektonComponent) error {
+	logger := logging.FromContext(ctx)
+
+	resolvedTLS, err := occommon.ResolveCentralTLSToEnvVars(ctx, oe.tektonConfigLister)
+	if err != nil {
+		return err
+	}
+	oe.resolvedTLSConfig = resolvedTLS
+	if oe.resolvedTLSConfig != nil {
+		logger.Infof("Injecting central TLS config into PAC deployments: MinVersion=%s", oe.resolvedTLSConfig.MinVersion)
+	}
+
 	return nil
 }
-func (oe openshiftExtension) PostReconcile(ctx context.Context, comp v1alpha1.TektonComponent) error {
+
+func (oe *openshiftExtension) PostReconcile(ctx context.Context, comp v1alpha1.TektonComponent) error {
 	logger := logging.FromContext(ctx)
 
 	if err := oe.installerSetClient.PostSet(ctx, comp, oe.pipelineRunTemplates, extFilterAndTransform()); err != nil {
@@ -107,11 +147,12 @@ func (oe openshiftExtension) PostReconcile(ctx context.Context, comp v1alpha1.Te
 	}
 	return nil
 }
-func (oe openshiftExtension) Finalize(context.Context, v1alpha1.TektonComponent) error {
+
+func (oe *openshiftExtension) Finalize(context.Context, v1alpha1.TektonComponent) error {
 	return nil
 }
 
-func (oe openshiftExtension) GetPlatformData() string {
+func (oe *openshiftExtension) GetPlatformData() string {
 	return ""
 }
 

pkg/reconciler/openshift/openshiftpipelinesascode/extension_test.go

@@ -0,0 +1,204 @@
+/*
+Copyright 2026 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package openshiftpipelinesascode
+
+import (
+	"testing"
+
+	mf "github.com/manifestival/manifestival"
+	"github.com/tektoncd/operator/pkg/apis/operator/v1alpha1"
+	occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// makePACDeployment returns an unstructured PAC Deployment for transformer tests.
+func makePACDeployment(t *testing.T, deploymentName, containerName string) unstructured.Unstructured {
+	t.Helper()
+
+	d := &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      deploymentName,
+			Namespace: "openshift-pipelines",
+		},
+		Spec: appsv1.DeploymentSpec{
+			Template: corev1.PodTemplateSpec{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{Name: containerName},
+					},
+				},
+			},
+		},
+	}
+	obj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(d)
+	if err != nil {
+		t.Fatalf("failed to convert deployment to unstructured: %v", err)
+	}
+	u := unstructured.Unstructured{Object: obj}
+	u.SetKind("Deployment")
+	u.SetAPIVersion("apps/v1")
+	return u
+}
+
+func makePACWebhookDeployment(t *testing.T) unstructured.Unstructured {
+	t.Helper()
+	return makePACDeployment(t, pacWebhookDeployment, pacWebhookContainerName)
+}
+
+func TestPACTransformers_NoTLSConfig(t *testing.T) {
+	ext := &openshiftExtension{
+		resolvedTLSConfig: nil,
+	}
+
+	transformers := ext.Transformers(&v1alpha1.OpenShiftPipelinesAsCode{})
+
+	u := makePACWebhookDeployment(t)
+	manifest, err := mf.ManifestFrom(mf.Slice([]unstructured.Unstructured{u}))
+	if err != nil {
+		t.Fatalf("failed to build manifest: %v", err)
+	}
+
+	transformed, err := manifest.Transform(transformers...)
+	if err != nil {
+		t.Fatalf("transform failed: %v", err)
+	}
+
+	d := &appsv1.Deployment{}
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(transformed.Resources()[0].Object, d); err != nil {
+		t.Fatalf("failed to convert back: %v", err)
+	}
+	for _, c := range d.Spec.Template.Spec.Containers {
+		if c.Name != pacWebhookContainerName {
+			continue
+		}
+		for _, e := range c.Env {
+			if e.Name == occommon.WebhookEnvVarPrefix+occommon.TLSMinVersionEnvVar ||
+				e.Name == occommon.WebhookEnvVarPrefix+occommon.TLSCipherSuitesEnvVar {
+				t.Errorf("unexpected TLS env var %s set when resolvedTLSConfig is nil", e.Name)
+			}
+		}
+	}
+}
+
+func TestPACTransformers_WithTLSConfig_InjectsEnvVarsIntoWebhook(t *testing.T) {
+	tlsConfig := &occommon.TLSEnvVars{
+		MinVersion:   "1.2",
+		CipherSuites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256",
+	}
+	// pac-webhook uses the Knative webhook framework → reads WEBHOOK_TLS_* env vars.
+	assertTLSInjected(t, &openshiftExtension{resolvedTLSConfig: tlsConfig}, pacWebhookDeployment, pacWebhookContainerName, occommon.WebhookEnvVarPrefix, tlsConfig)
+}
+
+// assertTLSInjected runs the Transformers against a single-resource manifest and
+// checks that TLS env vars are present in the named container.
+// envVarPrefix is prepended to the standard env var names (e.g. occommon.WebhookEnvVarPrefix
+// for deployments using the Knative webhook framework, "" for everything else).
+func assertTLSInjected(t *testing.T, ext *openshiftExtension, deploymentName, containerName, envVarPrefix string, tlsConfig *occommon.TLSEnvVars) {
+	t.Helper()
+
+	u := makePACDeployment(t, deploymentName, containerName)
+	manifest, err := mf.ManifestFrom(mf.Slice([]unstructured.Unstructured{u}))
+	if err != nil {
+		t.Fatalf("failed to build manifest: %v", err)
+	}
+
+	transformed, err := manifest.Transform(ext.Transformers(&v1alpha1.OpenShiftPipelinesAsCode{})...)
+	if err != nil {
+		t.Fatalf("transform failed: %v", err)
+	}
+
+	d := &appsv1.Deployment{}
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(transformed.Resources()[0].Object, d); err != nil {
+		t.Fatalf("failed to convert back: %v", err)
+	}
+
+	envMap := map[string]string{}
+	for _, c := range d.Spec.Template.Spec.Containers {
+		if c.Name != containerName {
+			continue
+		}
+		for _, e := range c.Env {
+			envMap[e.Name] = e.Value
+		}
+	}
+
+	minVersionKey := envVarPrefix + occommon.TLSMinVersionEnvVar
+	cipherSuitesKey := envVarPrefix + occommon.TLSCipherSuitesEnvVar
+
+	if got := envMap[minVersionKey]; got != tlsConfig.MinVersion {
+		t.Errorf("[%s/%s] %s = %q, want %q", deploymentName, containerName, minVersionKey, got, tlsConfig.MinVersion)
+	}
+	if got := envMap[cipherSuitesKey]; got != tlsConfig.CipherSuites {
+		t.Errorf("[%s/%s] %s = %q, want %q", deploymentName, containerName, cipherSuitesKey, got, tlsConfig.CipherSuites)
+	}
+}
+
+func TestPACTransformers_WithTLSConfig_InjectsEnvVarsIntoController(t *testing.T) {
+	tlsConfig := &occommon.TLSEnvVars{
+		MinVersion:   "1.2",
+		CipherSuites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256",
+	}
+	// pac-controller uses the Knative eventing adapter — no TLS version env var support; no prefix.
+	assertTLSInjected(t, &openshiftExtension{resolvedTLSConfig: tlsConfig}, pacControllerDeployment, pacControllerContainerName, "", tlsConfig)
+}
+
+func TestPACTransformers_WithTLSConfig_InjectsEnvVarsIntoWatcher(t *testing.T) {
+	tlsConfig := &occommon.TLSEnvVars{
+		MinVersion:   "1.2",
+		CipherSuites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256",
+	}
+	// pac-watcher is a plain Knative controller — no TLS server; no prefix.
+	assertTLSInjected(t, &openshiftExtension{resolvedTLSConfig: tlsConfig}, pacWatcherDeployment, pacWatcherContainerName, "", tlsConfig)
+}
+
+func TestPACTransformers_WithTLSConfig_DoesNotInjectIntoUnknownDeployment(t *testing.T) {
+	tlsConfig := &occommon.TLSEnvVars{
+		MinVersion:   "1.3",
+		CipherSuites: "TLS_AES_128_GCM_SHA256",
+	}
+	ext := &openshiftExtension{resolvedTLSConfig: tlsConfig}
+	transformers := ext.Transformers(&v1alpha1.OpenShiftPipelinesAsCode{})
+
+	// An unrelated deployment must not receive TLS env vars.
+	u := makePACDeployment(t, "some-other-deployment", "some-container")
+	manifest, err := mf.ManifestFrom(mf.Slice([]unstructured.Unstructured{u}))
+	if err != nil {
+		t.Fatalf("failed to build manifest: %v", err)
+	}
+	transformed, err := manifest.Transform(transformers...)
+	if err != nil {
+		t.Fatalf("transform failed: %v", err)
+	}
+
+	result := &appsv1.Deployment{}
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(transformed.Resources()[0].Object, result); err != nil {
+		t.Fatalf("failed to convert back: %v", err)
+	}
+	for _, c := range result.Spec.Template.Spec.Containers {
+		for _, e := range c.Env {
+			if e.Name == occommon.TLSMinVersionEnvVar || e.Name == occommon.TLSCipherSuitesEnvVar ||
+				e.Name == occommon.WebhookEnvVarPrefix+occommon.TLSMinVersionEnvVar ||
+				e.Name == occommon.WebhookEnvVarPrefix+occommon.TLSCipherSuitesEnvVar {
+				t.Errorf("unexpected TLS env var %s injected into unrelated deployment", e.Name)
+			}
+		}
+	}
+}

pkg/reconciler/openshift/tektonconfig/extension.go

@@ -191,7 +191,7 @@ func (oe openshiftExtension) PostReconcile(ctx context.Context, comp v1alpha1.Te
 
 	pacSpec := configInstance.Spec.PipelinesAsCodeForCurrentPlatform()
 	if pacSpec != nil && pacSpec.Enable != nil && *pacSpec.Enable {
-		if _, err := pac.EnsureOpenShiftPipelinesAsCodeExists(ctx, oe.operatorClientSet.OperatorV1alpha1().OpenShiftPipelinesAsCodes(), configInstance, oe.operatorVersion); err != nil {
+		if _, err := pac.EnsureOpenShiftPipelinesAsCodeExists(ctx, oe.operatorClientSet.OperatorV1alpha1().OpenShiftPipelinesAsCodes(), configInstance, oe.operatorVersion, oe.GetPlatformData()); err != nil {
 			configInstance.Status.MarkComponentNotReady(fmt.Sprintf("OpenShiftPipelinesAsCode: %s", err.Error()))
 			return v1alpha1.REQUEUE_EVENT_AFTER
 		}