@@ -18,19 +18,13 @@ package tektonconfig
1818
1919import (
2020 "context"
21- "fmt"
2221 "os"
23- "time"
2422
25- configv1 "github.com/openshift/api/config/v1"
26- openshiftconfigclient "github.com/openshift/client-go/config/clientset/versioned"
27- configinformers "github.com/openshift/client-go/config/informers/externalversions"
2823 "github.com/tektoncd/operator/pkg/apis/operator/v1alpha1"
2924 openshiftpipelinesascodeinformer "github.com/tektoncd/operator/pkg/client/injection/informers/operator/v1alpha1/openshiftpipelinesascode"
3025 tektonAddoninformer "github.com/tektoncd/operator/pkg/client/injection/informers/operator/v1alpha1/tektonaddon"
3126 occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
3227 "github.com/tektoncd/operator/pkg/reconciler/shared/tektonconfig"
33- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
3428 "k8s.io/apimachinery/pkg/types"
3529 "k8s.io/client-go/tools/cache"
3630 "knative.dev/pkg/configmap"
@@ -59,11 +53,10 @@ func NewController(ctx context.Context, cmw configmap.Watcher) *controller.Impl
5953
6054 // Setup APIServer TLS profile watcher
6155 // When the cluster's TLS security profile changes, enqueue TektonConfig for reconciliation
62- const skipAPIServerWatch = "SKIP_APISERVER_TLS_WATCH"
6356 if err := setupAPIServerTLSWatch (ctx , ctrl ); err != nil {
6457 // On OpenShift clusters the APIServer resource should always exist.
6558 // This env var is an escape hatch for edge cases and must be explicitly enabled.
66- if os .Getenv (skipAPIServerWatch ) == "true" {
59+ if os .Getenv (occommon . SkipAPIServerTLSWatch ) == "true" {
6760 logger .Warnf ("APIServer TLS profile watch not enabled: %v" , err )
6861 } else {
6962 logger .Panicf ("Couldn't setup APIServer TLS profile watch: %v" , err )
@@ -73,121 +66,13 @@ func NewController(ctx context.Context, cmw configmap.Watcher) *controller.Impl
7366 return ctrl
7467}
7568
76- // setupAPIServerTLSWatch sets up a watch on the OpenShift APIServer resource
77- // to monitor TLS security profile changes. When changes are detected, it enqueues
69+ // setupAPIServerTLSWatch sets up a watch on the OpenShift APIServer resource to
70+ // monitor TLS security profile changes. When changes are detected, it enqueues
7871// TektonConfig for reconciliation so TLS config can be propagated to components.
7972func setupAPIServerTLSWatch (ctx context.Context , impl * controller.Impl ) error {
8073 logger := logging .FromContext (ctx )
81- restConfig := injection .GetConfig (ctx )
82-
83- // Create OpenShift config client
84- configClient , err := openshiftconfigclient .NewForConfig (restConfig )
85- if err != nil {
86- return err
87- }
88-
89- // Check if we can access the APIServer resource
90- _ , err = configClient .ConfigV1 ().APIServers ().Get (ctx , "cluster" , metav1.GetOptions {})
91- if err != nil {
92- return err
93- }
94-
95- // Create a shared informer factory for OpenShift config resources.
96- // 30 minute resync is sufficient since the APIServer resource rarely changes
97- // and the watch mechanism handles real-time updates.
98- configInformerFactory := configinformers .NewSharedInformerFactory (configClient , 30 * time .Minute )
99-
100- // Get the APIServer informer
101- apiServerInformer := configInformerFactory .Config ().V1 ().APIServers ()
102-
103- // Add event handler to watch for APIServer changes
104- if _ , err := apiServerInformer .Informer ().AddEventHandler (cache.ResourceEventHandlerFuncs {
105- UpdateFunc : func (oldObj , newObj interface {}) {
106- oldAPIServer , ok := oldObj .(* configv1.APIServer )
107- if ! ok {
108- return
109- }
110- newAPIServer , ok := newObj .(* configv1.APIServer )
111- if ! ok {
112- return
113- }
114-
115- // Check if TLS security profile actually changed
116- if ! tlsProfileChanged (oldAPIServer , newAPIServer ) {
117- return
118- }
119-
120- logger .Info ("APIServer TLS security profile changed, triggering TektonConfig reconciliation" )
121- impl .EnqueueKey (types.NamespacedName {Name : v1alpha1 .ConfigResourceName })
122- },
123- }); err != nil {
124- return err
125- }
126-
127- // Start the informer factory
128- configInformerFactory .Start (ctx .Done ())
129-
130- // Wait for caches to sync
131- if ! cache .WaitForCacheSync (ctx .Done (), apiServerInformer .Informer ().HasSynced ) {
132- return fmt .Errorf ("failed to sync APIServer informer cache" )
133- }
134-
135- // Share the lister with other components so they don't need to create their own informers
136- occommon .SetSharedAPIServerLister (apiServerInformer .Lister (), configClient )
137-
138- return nil
139- }
140-
141- // tlsProfileChanged checks if the TLS security profile has changed between two APIServer resources
142- func tlsProfileChanged (old , new * configv1.APIServer ) bool {
143- oldProfile := old .Spec .TLSSecurityProfile
144- newProfile := new .Spec .TLSSecurityProfile
145-
146- // Both nil - no change
147- if oldProfile == nil && newProfile == nil {
148- return false
149- }
150-
151- // One nil, one not - changed
152- if (oldProfile == nil ) != (newProfile == nil ) {
153- return true
154- }
155-
156- // Different types - changed
157- if oldProfile .Type != newProfile .Type {
158- return true
159- }
160-
161- // For custom profiles, check the actual settings
162- if oldProfile .Type == configv1 .TLSProfileCustomType {
163- return ! customProfilesEqual (oldProfile .Custom , newProfile .Custom )
164- }
165-
166- // For predefined profiles (Old, Intermediate, Modern), type change is sufficient
167- return false
168- }
169-
170- // customProfilesEqual checks if two custom TLS profiles are equal
171- func customProfilesEqual (old , new * configv1.CustomTLSProfile ) bool {
172- if old == nil && new == nil {
173- return true
174- }
175- if (old == nil ) != (new == nil ) {
176- return false
177- }
178-
179- if old .MinTLSVersion != new .MinTLSVersion {
180- return false
181- }
182-
183- if len (old .Ciphers ) != len (new .Ciphers ) {
184- return false
185- }
186- for i := range old .Ciphers {
187- if old .Ciphers [i ] != new .Ciphers [i ] {
188- return false
189- }
190- }
191-
192- return true
74+ return occommon .SetupAPIServerTLSWatch (ctx , injection .GetConfig (ctx ), func () {
75+ logger .Info ("APIServer TLS security profile changed, triggering TektonConfig reconciliation" )
76+ impl .EnqueueKey (types.NamespacedName {Name : v1alpha1 .ConfigResourceName })
77+ })
19378}
0 commit comments