feat: auto-detect TLS security profile from OpenShift cluster#850
feat: auto-detect TLS security profile from OpenShift cluster#850jcrossley3 wants to merge 1 commit into
Conversation
Add support for configuring the trustify server's TLS security profile to align with OpenShift's centralized TLS Security Profiles (Old, Intermediate, Modern, Custom). This works with the new HTTP_SERVER_TLS_SECURITY_PROFILE env var added in trustify TC-3426. The TLS security profile is resolved with three-tier precedence: 1. User-specified: set tls.securityProfile in the CR spec (as a simple string like "intermediate" or as an object with custom cipher config) 2. Auto-detected: on OpenShift, the operator reads the APIServer CR (config.openshift.io/v1, named "cluster") using Helm's lookup function and extracts spec.tlsSecurityProfile 3. Compiled default: if neither is available (vanilla Kubernetes, or helm template dry-run where lookup returns empty), no env var is set and the trustify server uses its compiled default (modern/TLS 1.3) For custom profiles, the operator also sets HTTP_SERVER_TLS_MIN_VERSION, HTTP_SERVER_TLS_CIPHERS, and HTTP_SERVER_TLS_CIPHERSUITES. OpenShift's VersionTLS* names (e.g. VersionTLS12) are mapped to trustify's format (e.g. 1.2), and cipher lists are colon-joined. Changes: - New _tls_profile.tpl helper with profile resolution and version mapping - _http.tpl calls the new helper for all HTTP server deployments - values.schema.yaml adds tls.securityProfile (string or object with type, minTLSVersion, ciphers, ciphersuites) - RBAC ClusterRole gains get/list on config.openshift.io/apiservers Implements TC-3426 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reviewer's GuideImplements automatic and user-configurable TLS security profile handling for the Trustify HTTP server Helm chart, including OpenShift APIServer auto-detection, explicit CR-driven overrides, and required RBAC to read cluster TLS configuration. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- The
trustification.tls.securityProfile.envVarshelper expects arootkey but_http.tplcalls it with.directly; this will make.rootnil in the helper, so either change the helper to use.directly or call it with{{ include "trustification.tls.securityProfile.envVars" (dict "root" .) }}. - The
digcall for the APIServer TLS profile appears mis-ordered:{{- $tlsProfile := dig "spec" "tlsSecurityProfile" dict $apiserver -}}treats "spec" as the default anddictas a key; it should follow thedig DEFAULT KEY1 KEY2 ... COLLECTIONcontract (e.g.dig dict "spec" "tlsSecurityProfile" $apiserver). - For auto-detected custom TLS profiles from the OpenShift APIServer, you only propagate
minTLSVersionandciphersbut notciphersuites, which is inconsistent with the user-specified custom profile handling and the PR description that mentions settingHTTP_SERVER_TLS_CIPHERSUITESfor custom profiles.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The `trustification.tls.securityProfile.envVars` helper expects a `root` key but `_http.tpl` calls it with `.` directly; this will make `.root` nil in the helper, so either change the helper to use `.` directly or call it with `{{ include "trustification.tls.securityProfile.envVars" (dict "root" .) }}`.
- The `dig` call for the APIServer TLS profile appears mis-ordered: `{{- $tlsProfile := dig "spec" "tlsSecurityProfile" dict $apiserver -}}` treats "spec" as the default and `dict` as a key; it should follow the `dig DEFAULT KEY1 KEY2 ... COLLECTION` contract (e.g. `dig dict "spec" "tlsSecurityProfile" $apiserver`).
- For auto-detected custom TLS profiles from the OpenShift APIServer, you only propagate `minTLSVersion` and `ciphers` but not `ciphersuites`, which is inconsistent with the user-specified custom profile handling and the PR description that mentions setting `HTTP_SERVER_TLS_CIPHERSUITES` for custom profiles.
## Individual Comments
### Comment 1
<location path="helm-charts/redhat-trusted-profile-analyzer/templates/helpers/_tls_profile.tpl" line_range="42-43" />
<code_context>
+
+{{- else if eq (include "trustification.openshift.detect" .root) "true" -}}
+ {{/* Auto-detect from OpenShift APIServer CR */}}
+ {{- $apiserver := (lookup "config.openshift.io/v1" "APIServer" "" "cluster") -}}
+ {{- $tlsProfile := dig "spec" "tlsSecurityProfile" dict $apiserver -}}
+ {{- with $tlsProfile -}}
+ {{- $type := .type | lower }}
</code_context>
<issue_to_address>
**issue (bug_risk):** Using `dict` as the default for `dig` may cause `with $tlsProfile` to execute on an empty map and then fail when accessing `.type`.
Because `dig` defaults to `dict`, `$tlsProfile` becomes an empty map when the APIServer resource or its `tlsSecurityProfile` field is missing. Empty maps are truthy in Go templates, so the `with` block still runs and `.type | lower` is evaluated on a value without `type`, likely causing a render error. To avoid this, default to `nil` (or omit the default and handle `nil`) so the `with` block is skipped when the profile is absent:
```tpl
{{- $tlsProfile := dig "spec" "tlsSecurityProfile" nil $apiserver -}}
{{- with $tlsProfile -}}
{{- $type := .type | lower }}
...
{{- end }}
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| {{- $apiserver := (lookup "config.openshift.io/v1" "APIServer" "" "cluster") -}} | ||
| {{- $tlsProfile := dig "spec" "tlsSecurityProfile" dict $apiserver -}} |
There was a problem hiding this comment.
issue (bug_risk): Using dict as the default for dig may cause with $tlsProfile to execute on an empty map and then fail when accessing .type.
Because dig defaults to dict, $tlsProfile becomes an empty map when the APIServer resource or its tlsSecurityProfile field is missing. Empty maps are truthy in Go templates, so the with block still runs and .type | lower is evaluated on a value without type, likely causing a render error. To avoid this, default to nil (or omit the default and handle nil) so the with block is skipped when the profile is absent:
{{- $tlsProfile := dig "spec" "tlsSecurityProfile" nil $apiserver -}}
{{- with $tlsProfile -}}
{{- $type := .type | lower }}
...
{{- end }}
Add support for configuring the trustify server's TLS security profile to align with OpenShift's centralized TLS Security Profiles (Old, Intermediate, Modern, Custom). This works with the new HTTP_SERVER_TLS_SECURITY_PROFILE env var added in trustify TC-3426.
The TLS security profile is resolved with three-tier precedence:
For custom profiles, the operator also sets HTTP_SERVER_TLS_MIN_VERSION, HTTP_SERVER_TLS_CIPHERS, and HTTP_SERVER_TLS_CIPHERSUITES. OpenShift's VersionTLS* names (e.g. VersionTLS12) are mapped to trustify's format (e.g. 1.2), and cipher lists are colon-joined.
Changes:
Implements TC-3426
Summary by Sourcery
Add support for configuring the TLS security profile for HTTP servers, including auto-detection from OpenShift APIServer configuration, while preserving existing defaults.
New Features:
Enhancements:
Chores: