feat(tls): inject centrally managed TLS config into pipelines-as-code

[jkhelil]

Summary

Extends the OpenShift TLS centralization pattern to the pipelines-as-code-webhook deployment (SRVKP-9616), completing the webhook TLS trilogy alongside the Pipelines and Triggers PRs.

What changes

openshiftpipelinesascode/extension.go — switched to pointer receiver; added tektonConfigLister and resolvedTLSConfig fields. PreReconcile resolves the cluster APIServer TLS profile via ResolveCentralTLSToEnvVars. Transformers injects TLS_MIN_VERSION and TLS_CIPHER_SUITES into the pipelines-as-code-webhook deployment (pac-webhook container) when a profile is resolved.

pipelinesascode/pipelinesascode.go — EnsureOpenShiftPipelinesAsCodeExists, createOPAC, and updateOPAC now accept and propagate a platformData string parameter, stamped as the operator.tekton.dev/platform-data-hash annotation on the OpenShiftPipelinesAsCode CR. This triggers re-reconciliation when the APIServer TLS profile changes.

openshift/tektonconfig/extension.go — PostReconcile passes oe.GetPlatformData() (the APIServer TLS hash) into EnsureOpenShiftPipelinesAsCodeExists.

kubernetes/tektonconfig/extension.go — Kubernetes-side caller updated to pass "" (no platform data on Kubernetes).

extension_test.go (new) — 3 table-driven tests: no TLS config, injection into pac-webhook, no injection into unrelated deployments.

Evidence

=== pipelines-as-code-webhook ===
TLS_MIN_VERSION=1.2
TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,...
=== OpenShiftPipelinesAsCode PlatformDataHashKey ===
{"operator.tekton.dev/platform-data-hash":"d96e4890584e1fc72e863f47ee42b735054cfe7e5af8df11c1ae9d499150c129"}
Changing the cluster APIServer TLS profile updates the hash annotation and triggers a redeploy with the new settings — same verified behavior as Pipelines and Triggers PRs.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Run make test lint before submitting a PR
• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

On OpenShift, the `pipelines-as-code-webhook` deployment now automatically inherits the cluster-wide TLS version and cipher suites from the OpenShift APIServer TLS security profile. Changes to the profile are automatically propagated without manual intervention.

[jkhelil]

/kind feature

[jkhelil]

Evidence: TLS injection into PAC controller, watcher, and webhook + dynamic propagation

This comment extends the original evidence to cover the full PAC TLS scope:

• pipelines-as-code-controller (pac-controller)
• pipelines-as-code-watcher (pac-watcher)
• pipelines-as-code-webhook (pac-webhook)

And validates the automatic propagation flow end-to-end after a fix to the InstallerSet hash computation.

---

1. Baseline — APIServer: Intermediate (TLSv1.2)

$ kubectl get apiserver cluster -o jsonpath='{.spec.tlsSecurityProfile.type}'
Intermediate

$ kubectl get openshiftpipelinesascode pipelines-as-code \
    -o jsonpath='{.metadata.annotations.operator\.tekton\.dev/platform-data-hash}'
d96e4890584e1fc72e863f47ee42b735054cfe7e5af8df11c1ae9d499150c129

$ kubectl get tektoninstallerset openshiftpipelinesascode-main-deployment-ldjp7 \
    -o jsonpath='{.metadata.annotations.operator\.tekton\.dev/last-applied-hash}'
952b8c90d99c31da85c8e8f1ac93bc84fff0d47c78ec06121fcdde813a062365

All three PAC deployments — TLS_MIN_VERSION=1.2, confirmed in both the InstallerSet manifests and the live Deployments:

=== pipelines-as-code-controller (pac-controller) ===
  TLS_MIN_VERSION=1.2
  TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,...

=== pipelines-as-code-watcher (pac-watcher) ===
  TLS_MIN_VERSION=1.2
  TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,...

=== pipelines-as-code-webhook (pac-webhook) ===
  TLS_MIN_VERSION=1.2
  TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,...

---

2. Switch to Old profile (TLSv1.0)

$ kubectl patch apiserver cluster --type=merge \
    -p '{"spec":{"tlsSecurityProfile":{"type":"Old","old":{}}}}'
apiserver.config.openshift.io/cluster patched

~20 seconds later, automatic propagation — no operator restart, no manual intervention:

$ kubectl get openshiftpipelinesascode pipelines-as-code \
    -o jsonpath='{.metadata.annotations.operator\.tekton\.dev/platform-data-hash}'
c44729544d9530f284d40bdab2891509f656c9f9512e06c45fa6b122daf28ec9   ← changed

$ kubectl get tektoninstallerset openshiftpipelinesascode-main-deployment-ldjp7 \
    -o jsonpath='{.metadata.annotations.operator\.tekton\.dev/last-applied-hash}'
eedb46d65fd06a9181fc1c3d01b4e80419f8687cb68dc9759a3118fd01b4ad21   ← updated

All three PAC deployments updated automatically:

=== pipelines-as-code-controller (pac-controller) ===
  TLS_MIN_VERSION=1.0   ← updated from 1.2

=== pipelines-as-code-watcher (pac-watcher) ===
  TLS_MIN_VERSION=1.0   ← updated from 1.2

=== pipelines-as-code-webhook (pac-webhook) ===
  TLS_MIN_VERSION=1.0   ← updated from 1.2

---

3. Restore Intermediate — reverts automatically

$ kubectl patch apiserver cluster --type=merge \
    -p '{"spec":{"tlsSecurityProfile":{"type":"Intermediate","old":null}}}'
apiserver.config.openshift.io/cluster patched

~20 seconds later:

pipelines-as-code-controller (pac-controller): TLS_MIN_VERSION=1.2   ← reverted
pipelines-as-code-watcher (pac-watcher):       TLS_MIN_VERSION=1.2   ← reverted
pipelines-as-code-webhook (pac-webhook):        TLS_MIN_VERSION=1.2   ← reverted

---

Summary table

Event	platform-data-hash	InstallerSet last-applied-hash	TLS_MIN_VERSION (all 3 PAC deployments)
Baseline (Intermediate)	d96e4890…	952b8c90…	1.2
After switch to Old	c44729544…	eedb46d65…	1.0
After restore Intermediate	d96e4890…	reverted	1.2

Operator image: quay.io/jkhelil/operator-1d69a75f22dd094880847eac907fb2c1@sha256:3b90671df72a91c3a82821ac7779eec0f047929823a92d012e03f54158271c7a

[jkhelil]

/kind feature

[anithapriyanatarajan]

@jkhelil - same comment as for PR#3383 and PR#3384 related to webhook env vars. Please consider updating the var names prefixed with WEBHOOK_

[anithapriyanatarajan]

@jkhelil - Thank you for the update. The controller and watcher correctly have the env vars as TLS_CIPHER_SUITES and TLS_MIN_VERSION while the webhook has the values as WEBHOOK_TLS_MIN_VERSION and WEBHOOK_TLS_CIPHER_SUITES.

Could you check the ci failure for e2e tests?

[theakshaypant]

Question: Why did we need to replace the usage of specHashInput here when it essentially does the same thing, with the key name being different (PlatformData -> PlatformDataHash)?

Same for other occurrences of hash calculation.

[jkhelil]

/retest

[jkhelil]

/retest

[anithapriyanatarajan]

@jkhelil - NIT: Do we need the TLS vars injected to controller and watcher deployments?

[anithapriyanatarajan]

/lgtm

[jkhelil]

/retest

[theakshaypant]

LGTM

[anithapriyanatarajan]

/lgtm

[anithapriyanatarajan]

/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anithapriyanatarajan, theakshaypant

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [anithapriyanatarajan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment