[DRAFT-WIP] TLS1.3

[desmax74]

Summary by Sourcery

Introduce a TLS configurator capability and supporting RBAC to manage OpenShift ingress TLS settings, and update build tooling.

New Features:

• Add an optional tlsConfigurator module and Kubernetes Job to configure OpenShift ingress TLS settings (e.g., TLS 1.3) during installation/upgrade.

Enhancements:

• Extend operator cluster permissions and introduce dedicated rhtpa-rbac-manager and tls-configurator ClusterRoles/ClusterRoleBindings to manage service accounts, jobs, RBAC objects, and OpenShift ingress/clusterversion resources.
• Update Helm values and schema to expose configuration for the tlsConfigurator component, disabled by default.

Build:

• Bump the Go toolchain patch version used in the operator Dockerfile builder stage.

[sourcery-ai]

Reviewer's Guide

Introduces a TLS configurator feature that runs as a pre-install/pre-upgrade Job in the openshift-ingress-operator namespace, with corresponding Helm values, RBAC, and ClusterServiceVersion permissions, plus a minor Go toolchain patch update in the Dockerfile.

Sequence diagram for TLS configurator pre-install/pre-upgrade Job execution

sequenceDiagram
  actor ArgoCD
  participant Helm as HelmChart
  participant K8sAPI as KubernetesAPI
  participant SA as TLSConfiguratorServiceAccount
  participant CR as TLSConfiguratorClusterRole
  participant CRB as TLSConfiguratorClusterRoleBinding
  participant Job as TLSConfiguratorJob
  participant ConfigAPI as OpenShiftConfigAPI

  ArgoCD->>Helm: Sync redhat_trusted_profile_analyzer (modules.tlsConfigurator.enabled=true)
  Helm->>K8sAPI: Apply tls_configurator_ServiceAccount (hook pre-install, wave 1)
  K8sAPI-->>SA: Persist ServiceAccount in openshift-ingress-operator

  Helm->>K8sAPI: Apply tls_configurator_ClusterRole (hook pre-install, wave 2)
  K8sAPI-->>CR: Persist ClusterRole tls-configurator

  Helm->>K8sAPI: Apply tls_configurator_ClusterRoleBinding (hook pre-install, wave 2)
  K8sAPI-->>CRB: Bind ServiceAccount tls-configurator to ClusterRole

  Helm->>K8sAPI: Apply tls_configurator_Job (hook pre-install, wave 3)
  K8sAPI-->>Job: Create Job tls-configurator

  Job->>K8sAPI: Start Pod using ServiceAccount tls-configurator
  Job->>ConfigAPI: GET ingresses, clusterversions
  Job->>ConfigAPI: PATCH ingresses, clusterversions (set TLS1.3 ciphers and min version)
  ConfigAPI-->>Job: Updated TLS configuration

  Job-->>K8sAPI: Report completion status
  K8sAPI-->>Helm: Job completed
  Helm-->>ArgoCD: Pre-install/pre-upgrade hooks completed

Loading

File-Level Changes

Change	Details	Files
Add cluster-wide RBAC for an rhtpa RBAC manager and TLS configurator to manage ServiceAccounts, Jobs, RBAC objects, and OpenShift ingress/cluster version resources.	Extend the ClusterServiceVersion clusterPermissions with rules for serviceaccounts, jobs, clusterroles/clusterrolebindings, and config.openshift.io ingresses/clusterversions. Create a ClusterRole rhtpa-rbac-manager granting management of serviceaccounts, jobs, clusterroles/bindings, and config.openshift.io ingresses/clusterversions. Bind the rhtpa-rbac-manager ClusterRole to the rhtpa-operator controller-manager ServiceAccount via a new ClusterRoleBinding with a placeholder namespace. Define a ClusterRole tls-configurator and ClusterRoleBinding tls-configurator for operating on batch jobs and config.openshift.io ingress/cluster version resources. Add RBAC kustomization entries so the new RBAC manifests are included in generated bundles.	bundle/manifests/rhtpa-operator.clusterserviceversion.yaml config/rbac/role_cluster_rbac_manager.yaml config/rbac/role_cluster_rbac_manager_binding.yaml config/rbac/role_cluster_tlsconfigurator.yaml config/rbac/role_binding_tlsconfigurator.yaml config/rbac/kustomization.yaml
Introduce a TLS configurator module in the Helm chart that runs as an ArgoCD/Helm hook Job to configure TLS 1.3 on OpenShift ingress.	Extend values.schema.yaml and values.schema.json to define the tlsConfigurator feature/image/application configuration schema. Add tlsConfigurator configuration defaults in values.yaml, including image reference and enablement flag. Add Helm templates for a tls-configurator ServiceAccount, ClusterRole, ClusterRoleBinding, and Job in the openshift-ingress-operator namespace, all gated by .Values.modules.tlsConfigurator.enabled. Configure the Job with specific arguments to enforce TLS 1.3 and restricted cipher suites, and mark these resources as pre-install/pre-upgrade hooks with sync-wave and delete policies for ArgoCD/Helm.	helm-charts/redhat-trusted-profile-analyzer/values.schema.yaml helm-charts/redhat-trusted-profile-analyzer/values.schema.json helm-charts/redhat-trusted-profile-analyzer/values.yaml helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/010-ServiceAccount.yaml helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/015-ClusterRole.yaml helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/018-ClusterRoleBinding.yaml helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/020-Job.yaml
Add a tls-configurator ServiceAccount manifest under config/rbac and update the build image version.	Add a standalone ServiceAccount tls-configurator in the openshift-ingress-operator namespace under config/rbac for non-Helm-based deployment paths. Bump the Go builder base image in the Dockerfile from golang:1.25.5 to golang:1.25.7 to pick up a newer toolchain.	config/rbac/service_account.yaml Dockerfile

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 3 issues, and left some high level feedback:

• The tls-configurator image is hard-coded in the Job manifest while also defined under modules.tlsConfigurator.image in values.yaml; consider wiring the Job template to use the Helm values so the image can be configured in one place.
• The tls-configurator ServiceAccount and RBAC are defined both in config/rbac/*.yaml and in Helm hook templates, which risks drift and conflicts; it would be better to consolidate these to a single source of truth or clearly separate cluster-bootstrapping vs. in-chart responsibilities.
• The new rhtpa-rbac-manager ClusterRole grants broad permissions (including create/delete on jobs, serviceaccounts, clusterroles, and clusterrolebindings); if possible, narrow these rules to only the specific resources and verbs needed by the controller to reduce RBAC surface area.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `tls-configurator` image is hard-coded in the Job manifest while also defined under `modules.tlsConfigurator.image` in `values.yaml`; consider wiring the Job template to use the Helm values so the image can be configured in one place.
- The `tls-configurator` ServiceAccount and RBAC are defined both in `config/rbac/*.yaml` and in Helm hook templates, which risks drift and conflicts; it would be better to consolidate these to a single source of truth or clearly separate cluster-bootstrapping vs. in-chart responsibilities.
- The new `rhtpa-rbac-manager` ClusterRole grants broad permissions (including create/delete on jobs, serviceaccounts, clusterroles, and clusterrolebindings); if possible, narrow these rules to only the specific resources and verbs needed by the controller to reduce RBAC surface area.

## Individual Comments

### Comment 1
<location path="helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/020-Job.yaml" line_range="18-22" />
<code_context>
+    helm.sh/hook-delete-policy: before-hook-creation
+
+spec:
+  backoffLimit: 1000
+  completions: 1
+  parallelism: 1
</code_context>
<issue_to_address>
**suggestion (performance):** The backoffLimit of 1000 is extremely high and could cause excessive retrying in failure scenarios.

This many retries can produce noisy failures and unnecessary cluster load if the Job is misconfigured (e.g., bad image, RBAC issues). Use a smaller value (around 3–10) unless you have a documented operational need for such a high retry count.

```suggestion
spec:
  backoffLimit: 5
  completions: 1
  parallelism: 1
  ttlSecondsAfterFinished: 600
```
</issue_to_address>

### Comment 2
<location path="helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/020-Job.yaml" line_range="32" />
<code_context>
+      serviceAccountName: tls-configurator
+      containers:
+        - name: tls-configurator
+          image: quay.io/mdessi/tls-configurator:latest
+          args:
+            - "--action=update"
</code_context>
<issue_to_address>
**issue:** The Job is using a hard-coded image instead of wiring it to the Helm values defined for tlsConfigurator.

The Job template should use the existing Helm values instead of a hard-coded image. Please reference `modules.tlsConfigurator.image.fullName` and `modules.tlsConfigurator.image.pullPolicy`, e.g.:

```yaml
aimage: {{ .Values.modules.tlsConfigurator.image.fullName }}
imagePullPolicy: {{ .Values.modules.tlsConfigurator.image.pullPolicy }}
```

This keeps the chart configurable and prevents drift between `values.yaml` and the template.
</issue_to_address>

### Comment 3
<location path="config/rbac/role_cluster_rbac_manager_binding.yaml" line_range="6-8" />
<code_context>
+  kind: ClusterRole
+  name: tls-configurator
+subjects:
+  - kind: ServiceAccount
+    name: tls-configurator
+    namespace: openshift-ingress-operator
</code_context>
<issue_to_address>
**question (bug_risk):** The ClusterRoleBinding refers to a ServiceAccount in a `placeholder` namespace, which looks like it may not exist as-is.

If this namespace is meant to be replaced by kustomize or another tool, that’s fine. Otherwise, update it to the actual controller manager namespace so the ClusterRoleBinding points to a real ServiceAccount and the RBAC binding is effective.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}