feat(proxy-webhook/tls): read OpenShift APIServer TLS profile at startup, inject as WEBHOOK_TLS_* env vars

Same pattern as cmd/openshift/webhook/main.go: cfg and signalCtx are created
first, SetupAPIServerTLSWatch populates the shared lister and watches for TLS
profile changes (os.Exit(1) on change), then GetTLSProfileFromAPIServer +
TLSEnvVarsFromProfile inject WEBHOOK_TLS_* env vars before Knative bootstraps.

Both openshift and kubernetes proxy-webhook/main.go now inline the context setup
(namespace scope + kwebhook.WithOptions) directly, the same way the regular
webhooks do. proxy.Getctx() is removed from controller.go — it was only a thin
wrapper around signals.NewContext() + webhook.WithOptions and is no longer needed.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: jkhelil

cmd/kubernetes/proxy-webhook/main.go

@@ -17,15 +17,39 @@ limitations under the License.
 package main
 
 import (
+	"os"
+
 	"github.com/tektoncd/operator/pkg/reconciler/proxy"
 	"knative.dev/pkg/injection"
 	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/pkg/signals"
+	kwebhook "knative.dev/pkg/webhook"
 	"knative.dev/pkg/webhook/certificates"
 )
 
 func main() {
-	sharedmain.WebhookMainWithConfig(proxy.Getctx(), "webhook-operator",
-		injection.ParseAndGetRESTConfigOrDie(),
+	serviceName := os.Getenv("WEBHOOK_SERVICE_NAME")
+	if serviceName == "" {
+		serviceName = "tekton-operator-proxy-webhook"
+	}
+	secretName := os.Getenv("WEBHOOK_SECRET_NAME")
+	if secretName == "" {
+		secretName = "proxy-webhook-certs"
+	}
+	systemNamespace := os.Getenv("SYSTEM_NAMESPACE")
+
+	cfg := injection.ParseAndGetRESTConfigOrDie()
+	ctx := kwebhook.WithOptions(
+		injection.WithNamespaceScope(signals.NewContext(), systemNamespace),
+		kwebhook.Options{
+			ServiceName: serviceName,
+			Port:        8443,
+			SecretName:  secretName,
+		},
+	)
+
+	sharedmain.WebhookMainWithConfig(ctx, "webhook-operator",
+		cfg,
 		certificates.NewController,
 		proxy.NewProxyDefaultingAdmissionController,
 	)

cmd/openshift/operator/kodata/webhook/webhook.yaml

@@ -29,6 +29,10 @@ rules:
   - apiGroups: ["security.openshift.io"]
     resources: ["securitycontextconstraints"]
     verbs: ["get", "list", "watch"]
+  # Required to read the OpenShift APIServer TLS profile at startup
+  - apiGroups: ["config.openshift.io"]
+    resources: ["apiservers"]
+    verbs: ["get", "list", "watch"]
 
 ---
 

cmd/openshift/proxy-webhook/main.go

@@ -18,14 +18,19 @@ package main
 
 import (
 	"context"
+	"log"
+	"os"
 
 	"github.com/tektoncd/operator/pkg/reconciler/openshift/annotation"
+	occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
 	"github.com/tektoncd/operator/pkg/reconciler/openshift/namespace"
 	"github.com/tektoncd/operator/pkg/reconciler/proxy"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection"
 	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/pkg/signals"
+	kwebhook "knative.dev/pkg/webhook"
 	"knative.dev/pkg/webhook/certificates"
 )
 
@@ -50,8 +55,64 @@ func newAnnotationDefaultingAdmissionController(ctx context.Context, cmw configm
 }
 
 func main() {
-	sharedmain.WebhookMainWithConfig(proxy.Getctx(), "webhook-operator",
-		injection.ParseAndGetRESTConfigOrDie(),
+	serviceName := os.Getenv("WEBHOOK_SERVICE_NAME")
+	if serviceName == "" {
+		serviceName = "tekton-operator-proxy-webhook"
+	}
+	secretName := os.Getenv("WEBHOOK_SECRET_NAME")
+	if secretName == "" {
+		secretName = "proxy-webhook-certs"
+	}
+
+	cfg := injection.ParseAndGetRESTConfigOrDie()
+	signalCtx := signals.NewContext()
+
+	if err := occommon.SetupAPIServerTLSWatch(signalCtx, cfg, func() {
+		log.Println("APIServer TLS profile changed — restarting proxy webhook to apply updated settings")
+		os.Exit(1)
+	}); err != nil {
+		if os.Getenv(occommon.SkipAPIServerTLSWatch) == "true" {
+			log.Printf("WARNING: APIServer TLS watch not available, using Knative defaults: %v", err)
+		} else {
+			log.Fatalf("Failed to set up APIServer TLS watch: %v", err)
+		}
+	}
+
+	if tlsProfile, err := occommon.GetTLSProfileFromAPIServer(signalCtx); err != nil {
+		log.Printf("WARNING: could not read APIServer TLS profile, using Knative defaults: %v", err)
+	} else if tlsProfile != nil {
+		if envVars, err := occommon.TLSEnvVarsFromProfile(tlsProfile); err != nil {
+			log.Printf("WARNING: could not convert TLS profile, using Knative defaults: %v", err)
+		} else if envVars != nil {
+			// Knative only accepts "1.2" or "1.3"; skip if the profile allows older versions
+			// (e.g. OpenShift "Old" profile uses VersionTLS10). The webhook will then fall
+			// back to Knative's default minimum of 1.2, which is always safe for admission webhooks.
+			if envVars.MinVersion == "1.2" || envVars.MinVersion == "1.3" {
+				os.Setenv("WEBHOOK_TLS_MIN_VERSION", envVars.MinVersion)
+			}
+			if envVars.CipherSuites != "" {
+				os.Setenv("WEBHOOK_TLS_CIPHER_SUITES", envVars.CipherSuites)
+			}
+			if envVars.CurvePreferences != "" {
+				os.Setenv("WEBHOOK_TLS_CURVE_PREFERENCES", envVars.CurvePreferences)
+			}
+		}
+	}
+
+	// Inline the context setup (same as proxy.Getctx but reuses the signal
+	// context already created above instead of calling signals.NewContext again).
+	systemNamespace := os.Getenv("SYSTEM_NAMESPACE")
+	ctx := kwebhook.WithOptions(
+		injection.WithNamespaceScope(signalCtx, systemNamespace),
+		kwebhook.Options{
+			ServiceName: serviceName,
+			Port:        8443,
+			SecretName:  secretName,
+		},
+	)
+
+	sharedmain.WebhookMainWithConfig(ctx, "webhook-operator",
+		cfg,
 		certificates.NewController,
 		proxy.NewProxyDefaultingAdmissionController,
 		newAnnotationDefaultingAdmissionController,

cmd/openshift/webhook/main.go

@@ -73,7 +73,10 @@ func main() {
 		if envVars, err := occommon.TLSEnvVarsFromProfile(tlsProfile); err != nil {
 			log.Printf("WARNING: could not convert TLS profile, using Knative defaults: %v", err)
 		} else if envVars != nil {
-			if envVars.MinVersion != "" {
+			// Knative only accepts "1.2" or "1.3"; skip if the profile allows older versions
+			// (e.g. OpenShift "Old" profile uses VersionTLS10). The webhook will then fall
+			// back to Knative's default minimum of 1.2, which is always safe for admission webhooks.
+			if envVars.MinVersion == "1.2" || envVars.MinVersion == "1.3" {
 				os.Setenv("WEBHOOK_TLS_MIN_VERSION", envVars.MinVersion)
 			}
 			if envVars.CipherSuites != "" {

pkg/reconciler/openshift/tektonpipeline/extension.go

@@ -72,6 +72,7 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr
 		occommon.RemoveRunAsUserForStatefulSet(tektonRemoteResolversControllerName),
 		occommon.ApplyCABundlesForStatefulSet(tektonPipelinesControllerName),
 		occommon.ApplyCABundlesForStatefulSet(tektonRemoteResolversControllerName),
+		common.ReplaceNamespaceInClusterRoleBinding(comp.GetSpec().GetTargetNamespace()),
 	}
 	return trns
 }

pkg/reconciler/proxy/controller.go

@@ -18,13 +18,9 @@ package proxy
 
 import (
 	"context"
-	"os"
 
 	"knative.dev/pkg/configmap"
 
-	"knative.dev/pkg/injection"
-	"knative.dev/pkg/signals"
-
 	// Injection stuff
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/cache"
@@ -100,29 +96,6 @@ func NewAdmissionController(
 	return c
 }
 
-func Getctx() context.Context {
-	serviceName := os.Getenv("WEBHOOK_SERVICE_NAME")
-	if serviceName == "" {
-		serviceName = "tekton-operator-proxy-webhook"
-	}
-
-	secretName := os.Getenv("WEBHOOK_SECRET_NAME")
-	if secretName == "" {
-		secretName = "proxy-webhook-certs"
-	}
-	systemNamespace := os.Getenv("SYSTEM_NAMESPACE")
-
-	// Scope informers to the webhook's namespace instead of cluster-wide
-	ctx := injection.WithNamespaceScope(signals.NewContext(), systemNamespace)
-
-	// Set up a signal context with our webhook options
-	ctx = webhook.WithOptions(ctx, webhook.Options{
-		ServiceName: serviceName,
-		Port:        8443,
-		SecretName:  secretName,
-	})
-	return ctx
-}
 
 func NewProxyDefaultingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {