Add centrally managed TLS configuration for console-plugin nginx

Author: jkhelil

pkg/reconciler/openshift/tektonconfig/console_plugin_reconciler.go

@@ -65,6 +65,15 @@ type consolePluginReconciler struct {
 	operatorVersion             string
 	pipelinesConsolePluginImage string
 	manifest                    mf.Manifest
+	// tlsConfig holds the centrally resolved TLS profile (set on every reconcile).
+	// nil means central TLS is disabled; the nginx.conf is left unmodified.
+	tlsConfig *occommon.TLSEnvVars
+}
+
+// SetTLSConfig stores the resolved central TLS configuration for use during the
+// next reconcile cycle. Call this before reconcile() on every reconcile loop.
+func (cpr *consolePluginReconciler) SetTLSConfig(tlsEnvVars *occommon.TLSEnvVars) {
+	cpr.tlsConfig = tlsEnvVars
 }
 
 // reconcile steps
@@ -184,6 +193,7 @@ func (cpr *consolePluginReconciler) updateOnce(ctx context.Context) {
 				"environmentVariable", envKey,
 			)
 		}
+
 	})
 }
 
@@ -221,6 +231,8 @@ func (cpr *consolePluginReconciler) transform(ctx context.Context, manifest *mf.
 		// updates "metadata.namespace" to targetNamespace
 		common.ReplaceNamespace(tektonConfigCR.Spec.TargetNamespace),
 		cpr.transformerConsolePlugin(tektonConfigCR.Spec.TargetNamespace),
+		// Add nginx TLS configuration transformer
+		cpr.transformerNginxTLS(),
 		common.AddConfiguration(tektonConfigCR.Spec.Config),
 	}
 
@@ -249,3 +261,113 @@ func (cpr *consolePluginReconciler) transformerConsolePlugin(targetNamespace str
 		return unstructured.SetNestedField(u.Object, targetNamespace, "spec", "backend", "service", "namespace")
 	}
 }
+
+// transformerNginxTLS updates the nginx.conf ConfigMap with TLS directives
+func (cpr *consolePluginReconciler) transformerNginxTLS() mf.Transformer {
+	return func(u *unstructured.Unstructured) error {
+		if u.GetKind() != "ConfigMap" || u.GetName() != "pipelines-console-plugin" {
+			return nil
+		}
+
+		// Get the current nginx.conf
+		data, found, err := unstructured.NestedString(u.Object, "data", "nginx.conf")
+		if err != nil || !found {
+			return err
+		}
+
+		// Generate the updated nginx.conf with TLS directives
+		updatedConf := cpr.generateNginxConfWithTLS(data)
+
+		// Set the updated nginx.conf back
+		return unstructured.SetNestedField(u.Object, updatedConf, "data", "nginx.conf")
+	}
+}
+
+// generateNginxConfWithTLS injects TLS directives into nginx configuration.
+// Directives are always produced (ssl_protocols + ML-KEM ssl_conf_command) so
+// this function never returns the unmodified base configuration.
+func (cpr *consolePluginReconciler) generateNginxConfWithTLS(baseConf string) string {
+	tlsDirectives := cpr.buildNginxTLSDirectives()
+
+	// Inject TLS directives into the server block
+	// Find "server {" and inject after it
+	lines := strings.Split(baseConf, "\n")
+	var result strings.Builder
+
+	for _, line := range lines {
+		result.WriteString(line)
+		result.WriteString("\n")
+
+		// After "server {", inject TLS directives
+		if strings.Contains(line, "server {") {
+			// Add TLS directives with proper indentation
+			result.WriteString(tlsDirectives)
+		}
+	}
+
+	return result.String()
+}
+
+// buildNginxTLSDirectives generates nginx TLS directives from the centrally resolved
+// TLS profile. When no explicit profile is configured (cluster uses the "Default"
+// profile), secure Intermediate-equivalent defaults are applied so that PQC
+// directives are always present regardless of cluster configuration.
+func (cpr *consolePluginReconciler) buildNginxTLSDirectives() string {
+	var directives strings.Builder
+
+	// ssl_protocols – derived from the minimum TLS version in the APIServer profile.
+	// Fall back to "1.2" (Intermediate) when no central TLS config is present, which
+	// is the OpenShift default for clusters without an explicit tlsSecurityProfile.
+	minVersion := "1.2"
+	if cpr.tlsConfig != nil && cpr.tlsConfig.MinVersion != "" {
+		minVersion = cpr.tlsConfig.MinVersion
+	}
+	protocols := convertTLSVersionToNginx(minVersion)
+	directives.WriteString(fmt.Sprintf("    ssl_protocols %s;\n", protocols))
+
+	// Always enable ML-KEM (X25519MLKEM768) hybrid key exchange for PQC readiness.
+	// ssl_conf_command passes OpenSSL configuration directly and is the only nginx
+	// mechanism that supports the post-quantum hybrid groups introduced in OpenSSL 3.x;
+	// ssl_ecdh_curve does not cover these groups.
+	// X25519MLKEM768 is tried first (PQC); X25519 is the classical fallback for
+	// clients that do not yet support ML-KEM.
+	directives.WriteString("    ssl_conf_command Groups X25519MLKEM768:X25519;\n")
+
+	// NOTE: IANA cipher suite names (TLS_ECDHE_RSA_…) cannot be used directly in
+	// nginx's ssl_ciphers directive (which uses OpenSSL names) or ssl_conf_command
+	// (which uses a different format). Relying on nginx's own TLS 1.3 defaults is
+	// simpler and equally secure; we intentionally skip cipher configuration here.
+	if cpr.tlsConfig != nil && cpr.tlsConfig.CipherSuites != "" {
+		cpr.logger.Debugw("TLS cipher suites provided but not applied to nginx (using nginx defaults)",
+			"reason", "IANA names are not directly usable in nginx ssl_ciphers",
+		)
+	}
+
+	// ssl_ecdh_curve – comma-separated curve names become colon-separated for nginx.
+	// This covers TLS 1.2 classical curves; ML-KEM hybrid groups are handled above
+	// via ssl_conf_command Groups.
+	if cpr.tlsConfig != nil && cpr.tlsConfig.CurvePreferences != "" {
+		curves := strings.ReplaceAll(cpr.tlsConfig.CurvePreferences, ",", ":")
+		directives.WriteString(fmt.Sprintf("    ssl_ecdh_curve %s;\n", curves))
+	}
+
+	return directives.String()
+}
+
+// convertTLSVersionToNginx converts the Go crypto/tls minimum version string
+// ("1.2" or "1.3", as stored in TLSEnvVars.MinVersion) to the corresponding
+// nginx ssl_protocols value.
+func convertTLSVersionToNginx(minVersion string) string {
+	switch minVersion {
+	case "1.3":
+		return "TLSv1.3"
+	case "1.2":
+		return "TLSv1.2 TLSv1.3"
+	case "1.1":
+		return "TLSv1.1 TLSv1.2 TLSv1.3"
+	case "1.0":
+		return "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
+	default:
+		return "TLSv1.2 TLSv1.3"
+	}
+}