From 9b7a03bc445fff7371578d00d31d07ab53ab9b03 Mon Sep 17 00:00:00 2001 From: desmax74 Date: Thu, 19 Mar 2026 16:25:10 +0100 Subject: [PATCH] TLS-1.3 Signed-off-by: desmax74 --- .../rhtpa-operator.clusterserviceversion.yaml | 48 +++++++++++++++++++ config/rbac/kustomization.yaml | 4 ++ config/rbac/role_binding_tlsconfigurator.yaml | 12 +++++ config/rbac/role_cluster_rbac_manager.yaml | 17 +++++++ .../role_cluster_rbac_manager_binding.yaml | 12 +++++ config/rbac/role_cluster_tlsconfigurator.yaml | 11 +++++ config/rbac/service_account.yaml | 9 ++++ .../tls-configure/010-ServiceAccount.yaml | 17 +++++++ .../init/tls-configure/015-ClusterRole.yaml | 23 +++++++++ .../tls-configure/018-ClusterRoleBinding.yaml | 24 ++++++++++ .../templates/init/tls-configure/020-Job.yaml | 39 +++++++++++++++ .../values.schema.json | 14 ++++++ .../values.schema.yaml | 8 ++++ .../values.yaml | 7 +++ 14 files changed, 245 insertions(+) create mode 100644 config/rbac/role_binding_tlsconfigurator.yaml create mode 100644 config/rbac/role_cluster_rbac_manager.yaml create mode 100644 config/rbac/role_cluster_rbac_manager_binding.yaml create mode 100644 config/rbac/role_cluster_tlsconfigurator.yaml create mode 100644 helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/010-ServiceAccount.yaml create mode 100644 helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/015-ClusterRole.yaml create mode 100644 helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/018-ClusterRoleBinding.yaml create mode 100644 helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/020-Job.yaml
diff --git a/bundle/manifests/rhtpa-operator.clusterserviceversion.yaml b/bundle/manifests/rhtpa-operator.clusterserviceversion.yaml
index cca1ab45..7cb93561 100644
--- a/bundle/manifests/rhtpa-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/rhtpa-operator.clusterserviceversion.yaml
@@ -148,6 +148,54 @@ spec:
 spec:
 clusterPermissions:
 - rules:
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - delete
+ - patch
+ - update
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - delete
+ - patch
+ - update
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - delete
+ - patch
+ - update
+ - apiGroups:
+ - config.openshift.io
+ resources:
+ - ingresses
+ - clusterversions
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
 - apiGroups:
 - networking.k8s.io
 resources:
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 162b99f4..80f14ce2 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -15,6 +15,10 @@ resources:
 - rolebinding_job.yaml
 - role_cluster_ingress.yaml
 - role_cluster_ingress_binding.yaml
+- role_cluster_tlsconfigurator.yaml
+- role_binding_tlsconfigurator.yaml
+- role_cluster_rbac_manager.yaml
+- role_cluster_rbac_manager_binding.yaml
 # The following RBAC configurations are used to protect
 # the metrics endpoint with authn/authz. These configurations
 # ensure that only authorized users and service accounts
diff --git a/config/rbac/role_binding_tlsconfigurator.yaml b/config/rbac/role_binding_tlsconfigurator.yaml
new file mode 100644
index 00000000..c58181cc
--- /dev/null
+++ b/config/rbac/role_binding_tlsconfigurator.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tls-configurator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tls-configurator
+subjects:
+ - kind: ServiceAccount
+ name: tls-configurator
+ namespace: openshift-ingress-operator
diff --git a/config/rbac/role_cluster_rbac_manager.yaml b/config/rbac/role_cluster_rbac_manager.yaml
new file mode 100644
index 00000000..aba31a51
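Review bot: The operator's ClusterRole now gains `create`/`delete`/`patch`/`update` on `clusterroles` and `clusterrolebindings` across the whole cluster, which lets the operator identity mint arbitrary bindings bounded only by the API server's escalation check; the same rules are repeated in the config/rbac/role_cluster_rbac_manager.yaml hunk. Since the only objects it needs to manage are the `tls-configurator` role and binding, the `get`/`patch`/`update`/`delete` verbs can be scoped with `resourceNames: ["tls-configurator"]` (only `create` cannot be name-scoped, so it stays unscoped). The `patch`/`update` verbs on `clusterversions` also look broader than what the tls-configurator Job visibly does; if the operator only reads ClusterVersion, `get`/`list`/`watch` suffice. These lines are the generated bundle, so the narrowing belongs in role_cluster_rbac_manager.yaml followed by a bundle regeneration.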
--- /dev/null
+++ b/config/rbac/role_cluster_rbac_manager.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: rhtpa-rbac-manager
+rules:
+- apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["create", "get", "list", "watch", "delete", "patch", "update"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create", "get", "list", "watch", "delete", "patch", "update"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles", "clusterrolebindings"]
+ verbs: ["create", "get", "list", "watch", "delete", "patch", "update"]
+- apiGroups: ["config.openshift.io"]
+ resources: ["ingresses", "clusterversions"]
+ verbs: ["get", "list", "watch", "patch", "update"]
diff --git a/config/rbac/role_cluster_rbac_manager_binding.yaml b/config/rbac/role_cluster_rbac_manager_binding.yaml
new file mode 100644
index 00000000..51cb2fb6
--- /dev/null
+++ b/config/rbac/role_cluster_rbac_manager_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rhtpa-rbac-manager
+subjects:
+- kind: ServiceAccount
+ name: rhtpa-operator-controller-manager
+ namespace: placeholder
+roleRef:
+ kind: ClusterRole
+ name: rhtpa-rbac-manager
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/role_cluster_tlsconfigurator.yaml b/config/rbac/role_cluster_tlsconfigurator.yaml
new file mode 100644
index 00000000..5d617947
--- /dev/null
+++ b/config/rbac/role_cluster_tlsconfigurator.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tls-configurator
+rules:
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create", "get", "list", "watch", "delete", "patch"]
+- apiGroups: ["config.openshift.io"]
+ resources: ["ingresses", "clusterversions"]
+ verbs: ["get", "list", "watch", "patch", "update"]
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
index 69ce2a15..e14fa11c 100644
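Review bot: `namespace: placeholder` in the `rhtpa-rbac-manager` binding's ServiceAccount subject only works if a kustomize namespace transformer rewrites it, and the existing scaffolding uses `namespace: system` for that purpose (see the `controller-manager` account in the service_account.yaml hunk); as written, the binding may render pointing at a non-existent `placeholder` namespace and grant nothing. The subject name `rhtpa-operator-controller-manager` likewise appears to bake in a name prefix rather than the bare `controller-manager` the ServiceAccount manifest declares, so a `namePrefix` in the kustomization would double-prefix it. Suggest `name: controller-manager` and `namespace: system`, letting kustomize rewrite both, and confirming the rendered output; this is inferred from the scaffold convention since the kustomization that sets the namespace is outside the diff.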
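Review bot: The `tls-configurator` ClusterRole gives the Job's service account `create`/`delete` on `jobs` cluster-wide and `patch`/`update` on `clusterversions`, yet the Job in 020-Job.yaml only passes `--action=update --type=Custom --min-tls-version=VersionTLS13 --ciphers=…`, which reads as a write to the cluster `ingresses.config.openshift.io` object alone. Unless the configurator also spawns Jobs or edits ClusterVersion, the role can be narrowed to `get`/`patch`/`update` on `ingresses` (with `resourceNames: ["cluster"]` if that is the object it targets) and read-only verbs on `clusterversions`; write access to ClusterVersion from a workload in a system namespace is a disproportionate blast radius should the image ever be compromised. The same rules are duplicated in the Helm template 015-ClusterRole.yaml and should be narrowed together.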
--- a/config/rbac/service_account.yaml
+++ b/config/rbac/service_account.yaml
@@ -6,3 +6,12 @@ metadata:
 app.kubernetes.io/managed-by: kustomize
 name: controller-manager
 namespace: system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: rhtpa-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: tls-configurator
+ namespace: openshift-ingress-operator
diff --git a/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/010-ServiceAccount.yaml b/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/010-ServiceAccount.yaml
new file mode 100644
index 00000000..43884e1b
--- /dev/null
+++ b/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/010-ServiceAccount.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.modules.tlsConfigurator.enabled }}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tls-configurator
+ namespace: openshift-ingress-operator
+ labels:
+ app.kubernetes.io/name: tls-configurator
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ argocd.argoproj.io/sync-wave: "1"
+ helm.sh/hook-weight: "10"
+ helm.sh/hook: "pre-install,pre-upgrade"
+ helm.sh/hook-delete-policy: before-hook-creation
+{{- end }}
diff --git a/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/015-ClusterRole.yaml b/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/015-ClusterRole.yaml
new file mode 100644
index 00000000..4c2dd282
--- /dev/null
+++ b/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/015-ClusterRole.yaml
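Review bot: The new `tls-configurator` ServiceAccount hardcodes `namespace: openshift-ingress-operator` while its sibling `controller-manager` relies on kustomize rewriting `system`; if config/default applies a `namespace:` transformer it will rewrite this account too, so it may not land where role_binding_tlsconfigurator.yaml (subject namespace `openshift-ingress-operator`) expects it, and the binding would silently grant nothing. The ClusterRole it binds is cluster-scoped, so nothing visible here requires the account to live in the ingress operator's namespace rather than the operator's own; the Helm 010-ServiceAccount.yaml template makes the same placement choice. Worth verifying with a rendered build and, if a system namespace really is required, recording the reason above the manifest, e.g. `# placed in openshift-ingress-operator because <reason>`.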
@@ -0,0 +1,23 @@
+{{- if .Values.modules.tlsConfigurator.enabled }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tls-configurator
+ labels:
+ app.kubernetes.io/name: tls-configurator
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ argocd.argoproj.io/sync-wave: "2"
+ helm.sh/hook-weight: "15"
+ helm.sh/hook: "pre-install,pre-upgrade"
+ helm.sh/hook-delete-policy: before-hook-creation
+rules:
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["create", "get", "list", "watch", "delete", "patch"]
+- apiGroups: ["config.openshift.io"]
+ resources: ["ingresses", "clusterversions"]
+ verbs: ["get", "list", "watch", "patch", "update"]
+{{- end }}
diff --git a/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/018-ClusterRoleBinding.yaml b/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/018-ClusterRoleBinding.yaml
new file mode 100644
index 00000000..86680b8e
--- /dev/null
+++ b/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/018-ClusterRoleBinding.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.modules.tlsConfigurator.enabled }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tls-configurator
+ labels:
+ app.kubernetes.io/name: tls-configurator
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ argocd.argoproj.io/sync-wave: "2"
+ helm.sh/hook-weight: "18"
+ helm.sh/hook: "pre-install,pre-upgrade"
+ helm.sh/hook-delete-policy: before-hook-creation
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tls-configurator
+subjects:
+ - kind: ServiceAccount
+ name: tls-configurator
+ namespace: openshift-ingress-operator
+{{- end }}
diff --git a/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/020-Job.yaml b/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/020-Job.yaml
new file mode 100644
index 00000000..db6dcf66
--- /dev/null
+++ b/helm-charts/redhat-trusted-profile-analyzer/templates/init/tls-configure/020-Job.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.modules.tlsConfigurator.enabled }}
+
+kind: Job
+apiVersion: batch/v1
+metadata:
+ name: tls-configurator
+ namespace: openshift-ingress-operator
+ labels:
+ app.kubernetes.io/name: tls-configurator
+ annotations:
+ argocd.argoproj.io/hook: PreSync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ argocd.argoproj.io/sync-wave: "3"
+ helm.sh/hook-weight: "20"
+ helm.sh/hook: "pre-install,pre-upgrade"
+ helm.sh/hook-delete-policy: before-hook-creation
+
+spec:
+ backoffLimit: 10
+ completions: 1
+ parallelism: 1
+ ttlSecondsAfterFinished: 600
+
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: tls-configurator
+ spec:
+ serviceAccountName: tls-configurator
+ containers:
+ - name: tls-configurator
+ image: {{ .Values.modules.tlsConfigurator.image.fullName }}
+ args:
+ - "--action=update"
+ - "--type=Custom"
+ - "--min-tls-version=VersionTLS13"
+ - "--ciphers=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384"
+ restartPolicy: OnFailure
+{{- end }}
diff --git a/helm-charts/redhat-trusted-profile-analyzer/values.schema.json b/helm-charts/redhat-trusted-profile-analyzer/values.schema.json
index cd7301a1..29a841f2 100644
--- a/helm-charts/redhat-trusted-profile-analyzer/values.schema.json
+++ b/helm-charts/redhat-trusted-profile-analyzer/values.schema.json
@@ -352,6 +352,20 @@
 }
 }
 ]
+ },
+ "tlsConfigurator": {
+ "description": "TLS Configuragtor for Openshift\n",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Feature"
+ },
+ {
+ "$ref": "#/definitions/Image"
+ },
+ {
+ "$ref": "#/definitions/Application"
+ }
+ ]
 }
 }
 },
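Review bot: The Job's pod spec has no pod- or container-level `securityContext` and no `resources`, and `image:` is an unquoted template expansion, so a workload that holds the `tls-configurator` cluster role inside `openshift-ingress-operator` runs with whatever admission defaults allow and renders to `null` or a flow collection if `fullName` is ever empty or begins with a YAML indicator. values.yaml also declares `image.pullPolicy: IfNotPresent`, which this template never consumes, so with a `:latest` tag the kubelet default of always pulling applies regardless of the value. Hardening the container (non-root, no privilege escalation, all capabilities dropped, RuntimeDefault seccomp), quoting the image, wiring `imagePullPolicy` to the value and giving the pod explicit requests and limits addresses all of this; the resource figures in the excerpt are placeholders to be tuned. An `activeDeadlineSeconds` on the Job would also stop a stuck configurator from cycling through the full `backoffLimit: 10`.
```yaml
    spec:
      serviceAccountName: tls-configurator
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: tls-configurator
          image: "{{ .Values.modules.tlsConfigurator.image.fullName }}"
          imagePullPolicy: {{ .Values.modules.tlsConfigurator.image.pullPolicy }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:  # placeholder sizing, tune for the image
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 128Mi
          # … unchanged: args …
      restartPolicy: OnFailure
```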
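Review bot: The new `tlsConfigurator` description in values.schema.json misspells the feature as `"TLS Configuragtor for Openshift\n"`, while the values.schema.yaml hunk spells it `TLS Configurator for Openshift`; the two schema files are evidently meant to mirror each other, so the JSON string should read `"description": "TLS Configurator for Openshift\n",`. If one of these files is generated from the other, the typo suggests the JSON was hand-edited rather than regenerated.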
diff --git a/helm-charts/redhat-trusted-profile-analyzer/values.schema.yaml b/helm-charts/redhat-trusted-profile-analyzer/values.schema.yaml
index f2746b44..4e10ed03 100644
--- a/helm-charts/redhat-trusted-profile-analyzer/values.schema.yaml
+++ b/helm-charts/redhat-trusted-profile-analyzer/values.schema.yaml
@@ -254,6 +254,14 @@ properties:
 - $ref: "#/definitions/Image"
 - $ref: "#/definitions/Application"
 
+ tlsConfigurator:
+ description: |
+ TLS Configurator for Openshift
+ allOf:
+ - $ref: "#/definitions/Feature"
+ - $ref: "#/definitions/Image"
+ - $ref: "#/definitions/Application"
+
 createImporters:
 description: |
 Job to create a set of pre-defined importers
diff --git a/helm-charts/redhat-trusted-profile-analyzer/values.yaml b/helm-charts/redhat-trusted-profile-analyzer/values.yaml
index 94713801..0a1c5979 100644
--- a/helm-charts/redhat-trusted-profile-analyzer/values.yaml
+++ b/helm-charts/redhat-trusted-profile-analyzer/values.yaml
@@ -116,3 +116,10 @@ modules:
 source: quay.io
 namespace: redhat-user-workloads
 disabled: true
+
+ tlsConfigurator:
+ enabled: false
+ name: tls-configurator
+ image:
+ fullName: quay.io/mdessi/tls-configurator:latest
+ pullPolicy: IfNotPresent
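Review bot: The default `fullName: quay.io/mdessi/tls-configurator:latest` points a Job that holds cluster-scoped write permissions at a mutable tag under what looks like a personal registry namespace, so whatever is pushed to that tag next runs with the `tls-configurator` ClusterRole on every install that enables the module. The other modules in this file reference `quay.io` with a `redhat-user-workloads` namespace, so the image should be published under the project's registry organisation and pinned by digest, e.g. `fullName: quay.io/<project-org>/tls-configurator@sha256:<digest>` (placeholder values), with the tag refreshed by the release process rather than floating. Shipping the module `enabled: false` by default is the right call given the blast radius; a short comment above `tlsConfigurator:` stating that enabling it rewrites the cluster ingress TLS profile would help chart consumers understand what they are opting into.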