Skip to content

Commit 534fc37

Browse files
jkhelilcursoragent
authored andcommitted
feat(webhook/tls): read OpenShift APIServer TLS profile at startup, inject as WEBHOOK_TLS_* env vars
At startup the webhook calls occommon.SetupAPIServerTLSWatch (the same helper used by the TektonConfig controller) to initialise the shared APIServer lister and register a watcher. When the cluster TLS profile changes the webhook exits with code 1; Kubernetes restartPolicy: Always restarts it so the new instance picks up the updated profile. After the watch is set up, GetTLSProfileFromAPIServer + TLSEnvVarsFromProfile convert the current profile into "1.2"/"1.3" + comma-separated IANA cipher strings and inject them as WEBHOOK_TLS_MIN_VERSION / WEBHOOK_TLS_CIPHER_SUITES / WEBHOOK_TLS_CURVE_PREFERENCES before Knative bootstraps. Knative's DefaultConfigFromEnv("WEBHOOK_") inside webhook.New() picks them up automatically. No changes to kwebhook.Options, Deployment manifests, or the Kubernetes webhook. Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent e1484f9 commit 534fc37

1 file changed

Lines changed: 49 additions & 3 deletions

File tree

cmd/openshift/webhook/main.go

Lines changed: 49 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -18,8 +18,10 @@ package main
1818

1919
import (
2020
"context"
21+
"log"
2122
"os"
2223

24+
occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
2325
"github.com/tektoncd/operator/pkg/webhook"
2426
"knative.dev/pkg/injection"
2527
"knative.dev/pkg/injection/sharedmain"
@@ -39,13 +41,57 @@ func main() {
3941
secretName = "tekton-operator-webhook-certs"
4042
}
4143

42-
//Set up a signal context with our webhook options
43-
ctx := kwebhook.WithOptions(signals.NewContext(), kwebhook.Options{
44+
// cfg is obtained before signals.NewContext so it's available for the TLS watch setup.
45+
cfg := injection.ParseAndGetRESTConfigOrDie()
46+
signalCtx := signals.NewContext()
47+
48+
// Set up the APIServer TLS watch using the same helper as the TektonConfig controller.
49+
// - Populates the shared lister so GetTLSProfileFromAPIServer works below.
50+
// - Calls os.Exit(1) when the TLS profile changes; Kubernetes restartPolicy: Always
51+
// restarts the container so the new instance picks up the updated profile.
52+
if err := occommon.SetupAPIServerTLSWatch(signalCtx, cfg, func() {
53+
log.Println("APIServer TLS profile changed — restarting webhook to apply updated settings")
54+
os.Exit(1)
55+
}); err != nil {
56+
// On OpenShift clusters the APIServer resource should always exist.
57+
// SKIP_APISERVER_TLS_WATCH=true is an escape hatch for tests/edge cases —
58+
// same pattern as the TektonConfig controller.
59+
if os.Getenv(occommon.SkipAPIServerTLSWatch) == "true" {
60+
log.Printf("WARNING: APIServer TLS watch not available, using Knative defaults: %v", err)
61+
} else {
62+
log.Fatalf("Failed to set up APIServer TLS watch: %v", err)
63+
}
64+
}
65+
66+
// Read the current TLS profile and inject as WEBHOOK_TLS_* env vars.
67+
// Knative's DefaultConfigFromEnv("WEBHOOK_") inside webhook.New() reads these automatically.
68+
// TLSEnvVarsFromProfile produces "1.2"/"1.3" and comma-separated IANA cipher names —
69+
// exactly the format Knative expects.
70+
if tlsProfile, err := occommon.GetTLSProfileFromAPIServer(signalCtx); err != nil {
71+
log.Printf("WARNING: could not read APIServer TLS profile, using Knative defaults: %v", err)
72+
} else if tlsProfile != nil {
73+
if envVars, err := occommon.TLSEnvVarsFromProfile(tlsProfile); err != nil {
74+
log.Printf("WARNING: could not convert TLS profile, using Knative defaults: %v", err)
75+
} else if envVars != nil {
76+
if envVars.MinVersion != "" {
77+
os.Setenv("WEBHOOK_TLS_MIN_VERSION", envVars.MinVersion)
78+
}
79+
if envVars.CipherSuites != "" {
80+
os.Setenv("WEBHOOK_TLS_CIPHER_SUITES", envVars.CipherSuites)
81+
}
82+
if envVars.CurvePreferences != "" {
83+
os.Setenv("WEBHOOK_TLS_CURVE_PREFERENCES", envVars.CurvePreferences)
84+
}
85+
}
86+
}
87+
88+
// kwebhook.Options is unchanged — no TLS fields needed.
89+
// Knative reads the WEBHOOK_TLS_* env vars we just set inside webhook.New().
90+
ctx := kwebhook.WithOptions(signalCtx, kwebhook.Options{
4491
ServiceName: serviceName,
4592
Port: 8443,
4693
SecretName: secretName,
4794
})
48-
cfg := injection.ParseAndGetRESTConfigOrDie()
4995
ctx, _ = injection.EnableInjectionOrDie(ctx, cfg)
5096
webhook.CreateWebhookResources(ctx)
5197
webhook.SetTypes("openshift")

0 commit comments

Comments
 (0)