inject TLS config to all the CCM operands

damdo · damdo · commit f298637dd8d1 · 2026-02-10T19:38:39.000+01:00
diff --git a/pkg/cloud/aws/assets/deployment.yaml b/pkg/cloud/aws/assets/deployment.yaml
@@ -43,6 +43,12 @@ spec:
           --leader-elect-renew-deadline=107s \
           --leader-elect-retry-period=26s \
           --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+          {{- if .tlsCipherSuites }}
+          --tls-cipher-suites={{ .tlsCipherSuites }} \
+          {{- end }}
+          {{- if .tlsMinVersion }}
+          --tls-min-version={{ .tlsMinVersion }} \
+          {{- end }}
           --secure-port=0 \
           -v=2
         env:
diff --git a/pkg/cloud/aws/aws.go b/pkg/cloud/aws/aws.go
@@ -33,6 +33,8 @@ type imagesReference struct {
 var templateValuesValidationMap = map[string]interface{}{
 	"images":            "required",
 	"cloudproviderName": "required,type(string)",
+	"tlsCipherSuites":   "type(string)",
+	"tlsMinVersion":     "type(string)",
 }
 
 type awsAssets struct {
@@ -48,6 +50,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 	values := common.TemplateValues{
 		"images":            images,
 		"cloudproviderName": operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":   operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":     operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/azure/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/azure/assets/cloud-controller-manager-deployment.yaml
@@ -122,6 +122,12 @@ spec:
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
                 --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+                {{- if .tlsCipherSuites }}
+                --tls-cipher-suites={{ .tlsCipherSuites }} \
+                {{- end }}
+                {{- if .tlsMinVersion }}
+                --tls-min-version={{ .tlsMinVersion }} \
+                {{- end }}
                 --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
diff --git a/pkg/cloud/azure/azure.go b/pkg/cloud/azure/azure.go
@@ -71,6 +71,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"images":             "required",
 	"infrastructureName": "required,type(string)",
 	"cloudproviderName":  "required,notnull,type(string)",
+	"tlsCipherSuites":    "type(string)",
+	"tlsMinVersion":      "type(string)",
 }
 
 type azureAssets struct {
@@ -87,6 +89,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 		"images":             images,
 		"infrastructureName": operatorConfig.InfrastructureName,
 		"cloudproviderName":  operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":    operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":      operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/azurestack/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/azurestack/assets/cloud-controller-manager-deployment.yaml
@@ -114,6 +114,12 @@ spec:
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
                 --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+                {{- if .tlsCipherSuites }}
+                --tls-cipher-suites={{ .tlsCipherSuites }} \
+                {{- end }}
+                {{- if .tlsMinVersion }}
+                --tls-min-version={{ .tlsMinVersion }} \
+                {{- end }}
                 --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
diff --git a/pkg/cloud/azurestack/azurestack.go b/pkg/cloud/azurestack/azurestack.go
@@ -41,6 +41,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"images":             "required",
 	"infrastructureName": "required,type(string)",
 	"cloudproviderName":  "required,type(string)",
+	"tlsCipherSuites":    "type(string)",
+	"tlsMinVersion":      "type(string)",
 }
 
 type azurestackAssets struct {
@@ -57,6 +59,8 @@ func getTemplateValues(images imagesReference, operatorConfig config.OperatorCon
 		"images":             images,
 		"infrastructureName": operatorConfig.InfrastructureName,
 		"cloudproviderName":  operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":    operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":      operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/gcp/assets/cloud-controller-manager.yaml b/pkg/cloud/gcp/assets/cloud-controller-manager.yaml
@@ -96,6 +96,12 @@ spec:
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
                 --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+                {{- if .tlsCipherSuites }}
+                --tls-cipher-suites={{ .tlsCipherSuites }} \
+                {{- end }}
+                {{- if .tlsMinVersion }}
+                --tls-min-version={{ .tlsMinVersion }} \
+                {{- end }}
                 --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
diff --git a/pkg/cloud/gcp/gcp.go b/pkg/cloud/gcp/gcp.go
@@ -36,6 +36,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"images":             "required",
 	"infrastructureName": "required,type(string)",
 	"cloudproviderName":  "required,type(string)",
+	"tlsCipherSuites":    "type(string)",
+	"tlsMinVersion":      "type(string)",
 }
 
 type GCPAssets struct {
@@ -52,6 +54,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 		"images":             images,
 		"infrastructureName": operatorConfig.InfrastructureName,
 		"cloudproviderName":  operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":    operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":      operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/openstack/assets/deployment.yaml b/pkg/cloud/openstack/assets/deployment.yaml
@@ -79,6 +79,12 @@ spec:
             --leader-elect-retry-period=26s \
             --leader-elect-resource-namespace=openshift-cloud-controller-manager \
             --feature-gates={{ .featureGates }} \
+            {{- if .tlsCipherSuites }}
+            --tls-cipher-suites={{ .tlsCipherSuites }} \
+            {{- end }}
+            {{- if .tlsMinVersion }}
+            --tls-min-version={{ .tlsMinVersion }} \
+            {{- end }}
             --secure-port=0
           ports:
           - containerPort: 10258
diff --git a/pkg/cloud/openstack/openstack.go b/pkg/cloud/openstack/openstack.go
@@ -37,6 +37,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"cloudproviderName":  "required,type(string)",
 	"featureGates":       "type(string)",
 	"infrastructureName": "required,type(string)",
+	"tlsCipherSuites":    "type(string)",
+	"tlsMinVersion":      "type(string)",
 }
 
 type openstackAssets struct {
@@ -54,6 +56,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 		"cloudproviderName":  operatorConfig.GetPlatformNameString(),
 		"featureGates":       operatorConfig.FeatureGates,
 		"infrastructureName": operatorConfig.InfrastructureName,
+		"tlsCipherSuites":    operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":      operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/vsphere/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/vsphere/assets/cloud-controller-manager-deployment.yaml
@@ -104,7 +104,13 @@ spec:
                 --use-service-account-credentials=true \
                 {{- if .additionalLabels }}
                 --node-labels="$(ADDITIONAL_NODE_LABELS)" \
-                {{- end}}
+                {{- end }}
+                {{- if .tlsCipherSuites }}
+                --tls-cipher-suites={{ .tlsCipherSuites }} \
+                {{- end }}
+                {{- if .tlsMinVersion }}
+                --tls-min-version={{ .tlsMinVersion }} \
+                {{- end }}
                 --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
diff --git a/pkg/cloud/vsphere/vsphere.go b/pkg/cloud/vsphere/vsphere.go
@@ -49,6 +49,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"cloudproviderName":          "required,type(string)",
 	"featureGates":               "type(string)",
 	"additionalLabels":           "type(string)",
+	"tlsCipherSuites":            "type(string)",
+	"tlsMinVersion":              "type(string)",
 }
 
 type vsphereAssets struct {
@@ -75,6 +77,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 		"cloudproviderName":          operatorConfig.GetPlatformNameString(),
 		"featureGates":               operatorConfig.FeatureGates,
 		"additionalLabels":           additionalLabels,
+		"tlsCipherSuites":            operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":              operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
