OCPCLOUD-3348: Honor TLSAdherence

[damdo]

Honor tls adherence

[coderabbitai]

Walkthrough

This pull request refactors TLS configuration management to support CLI flag overrides. It introduces a unified TLS resolution layer via pkgtls.ResolveTLSConfig, updates the configuration API to accept TLS config callbacks instead of profile specs, adds CLI flags for TLS min version and cipher suites, and includes comprehensive test coverage for the new functionality.

Changes

Cohort / File(s)	Summary
TLS Resolution Layer pkg/tls/tls.go, pkg/tls/tls_test.go	New TLSConfigResult struct and ResolveTLSConfig function handle TLS configuration from CLI flags or cluster-wide APIServer profile. Flag-based resolution parses min version and cipher suites using CLI helpers; cluster-based resolution fetches APIServer resource and applies adherence policies. Tests validate both paths with multiple profile types and error scenarios.
TLS Test Infrastructure pkg/tls/suite_test.go	New Ginkgo test suite with envtest environment setup for integration testing. Initializes REST config, controller-runtime client, CRD manifests, and OpenShift API scheme.
Configuration API pkg/config/config.go, pkg/config/config_test.go	ComposeConfig signature changed to accept tlsConfig func(*tls.Config) instead of configv1.TLSProfileSpec. TLS derivation now reads from resolved tls.Config.MinVersion and tls.Config.CipherSuites with conditional cipher suite handling for TLS 1.3.
Controller Integration pkg/controllers/clusteroperator_controller.go	CloudOperatorReconciler.TLSProfileSpec field replaced with TLSConfig func(*tls.Config). Updated reconciliation to pass new callback into ComposeConfig.
Main Entry Point cmd/cluster-cloud-controller-manager-operator/main.go	Added CLI flags --tls-min-version and --tls-cipher-suites for TLS configuration overrides. Replaced direct APIServer TLS profile fetching with pkgtls.ResolveTLSConfig call. Updated controller and webhook server TLS setup with conditional security profile watcher based on flag presence.
Dependency Updates go.mod	Bumped openshift modules (api, client-go, controller-runtime-common, library-go) and Kubernetes modules (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go to v0.35.2, sigs.k8s.io/controller-runtime to v0.23.3).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (1)

pkg/tls/tls.go (1)

103-117: Error handling approach is reasonable but consider logging level.

The fallback behavior on errors is intentional and documented. However, using klog.Errorf for expected fallback scenarios may be too noisy in production. Consider whether klog.Warningf would be more appropriate since this is a graceful degradation, not a critical failure.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/tls/tls.go` around lines 103 - 117, The current error logs for
utiltls.FetchAPIServerTLSAdherencePolicy and utiltls.FetchAPIServerTLSProfile
use klog.Errorf which is too noisy for an expected graceful fallback; change
both calls to klog.Warningf (keeping the same message and error interpolation)
when assigning tlsAdherencePolicy and tlsProfileSpec defaults so these
situations are logged as warnings rather than errors.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/tls/tls.go`:
- Around line 103-117: The current error logs for
utiltls.FetchAPIServerTLSAdherencePolicy and utiltls.FetchAPIServerTLSProfile
use klog.Errorf which is too noisy for an expected graceful fallback; change
both calls to klog.Warningf (keeping the same message and error interpolation)
when assigning tlsAdherencePolicy and tlsProfileSpec defaults so these
situations are logged as warnings rather than errors.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d0eb1614-a12a-4806-aef0-49612c622aee

📥 Commits

Reviewing files that changed from the base of the PR and between 4f5632a and 3b1283e.

⛔ Files ignored due to path filters (93)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/api/.coderabbit.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/Makefile is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_apiserver.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/types_cluster_version.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-CustomNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_00_cluster-version-operator_01_clusterversions-DevPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/register.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_image_policy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/types_image_policy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/envtest-releases.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features.md is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features/features.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/features/legacyfeaturegates.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/types_machineconfiguration.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-Default.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_80_machine-config_01_machineconfigurations-OKD.crd.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/apiserverspec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/update.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/additionalalertmanagerconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/authorizationconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/basicauth.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicyspec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clusterimagepolicystatus.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/clustermonitoringspec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/dropequalactionconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/hashmodactionconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyfulciocawithrekorrootoftrust.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypkirootoftrust.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicypublickeyrootoftrust.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicyspec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagepolicystatus.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/imagesigstoreverificationpolicy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/keepequalactionconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/label.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/labelmapactionconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/lowercaseactionconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metadataconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/metadataconfigcustom.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/oauth2.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/oauth2endpointparam.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/openshiftstatemetricsconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/pkicertificatesubject.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyfulciosubject.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyidentity.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchexactrepository.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policymatchremapidentity.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/policyrootoftrust.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/prometheusremotewriteheader.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/queueconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/relabelactionconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/relabelconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/remotewriteauthorization.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/remotewritespec.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/replaceactionconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/retention.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/secretkeyselector.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/sigv4.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/tlsconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/uppercaseactionconfig.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/config_client.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/generated_expansion.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1alpha1/imagepolicy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/imagepolicy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1alpha1/interface.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/clusterimagepolicy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/expansion_generated.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/config/listers/config/v1alpha1/imagepolicy.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/controller-runtime-common/pkg/tls/controller.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/controller-runtime-common/pkg/tls/tls.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/crypto/tls_adherence.go is excluded by !vendor/**, !**/vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/v1helpers/helpers.go is excluded by !vendor/**, !**/vendor/**
• vendor/modules.txt is excluded by !vendor/**, !**/vendor/**
• vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/defaulter_custom.go is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (8)

• cmd/cluster-cloud-controller-manager-operator/main.go
• go.mod
• pkg/config/config.go
• pkg/config/config_test.go
• pkg/controllers/clusteroperator_controller.go
• pkg/tls/suite_test.go
• pkg/tls/tls.go
• pkg/tls/tls_test.go

[damdo]

/retest

[damdo]

/retest

[openshift-ci]

@damdo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@damdo: This pull request references OCPCLOUD-3348 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Honor tls adherence

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[damdo]

/assign @RadekManak