Merge pull request #1322 from ingvagabund/configmap-tls-injection

CNTRLPLANE-2777: feat(resource builder): allow to inject tls configuration into annotated config maps

Author: openshift-merge-bot[bot]

go.mod

@@ -34,6 +34,8 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kube-aggregator v0.35.1
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	sigs.k8s.io/kustomize/kyaml v0.21.1
+	sigs.k8s.io/yaml v1.6.0
 )
 
 require (
@@ -44,6 +46,7 @@ require (
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-openapi/jsonpointer v0.22.1 // indirect
 	github.com/go-openapi/jsonreference v0.21.2 // indirect
 	github.com/go-openapi/swag v0.25.1 // indirect
@@ -63,6 +66,7 @@ require (
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -98,9 +102,9 @@ require (
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	sigs.k8s.io/controller-runtime v0.22.2 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
-	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12

go.sum

@@ -21,6 +21,8 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
+github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.22.1 h1:sHYI1He3b9NqJ4wXLoJDKmUmHkWy/L7rtEo92JUxBNk=
@@ -68,6 +70,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
+github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
+github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
@@ -199,6 +203,9 @@ gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnf
 gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -226,6 +233,10 @@ sigs.k8s.io/controller-runtime v0.22.2 h1:cK2l8BGWsSWkXz09tcS4rJh95iOLney5eawcK5
 sigs.k8s.io/controller-runtime v0.22.2/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 h1:PFWFSkpArPNJxFX4ZKWAk9NSeRoZaXschn+ULa4xVek=
+sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I=
+sigs.k8s.io/kustomize/kyaml v0.21.1 h1:IVlbmhC076nf6foyL6Taw4BkrLuEsXUXNpsE+ScX7fI=
+sigs.k8s.io/kustomize/kyaml v0.21.1/go.mod h1:hmxADesM3yUN2vbA5z1/YTBnzLJ1dajdqpQonwBL1FQ=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=

hack/generate-lib-resources.py

@@ -307,6 +307,7 @@ def scheme_group_versions(types):
     modifiers = {
         ('k8s.io/api/apps/v1', 'Deployment'): 'b.modifyDeployment',
         ('k8s.io/api/apps/v1', 'DaemonSet'): 'b.modifyDaemonSet',
+        ('k8s.io/api/core/v1', 'ConfigMap'): 'b.modifyConfigMap',
     }
 
     health_checks = {

lib/resourcebuilder/core.go

@@ -0,0 +1,223 @@
+package resourcebuilder
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sort"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+	"k8s.io/utils/clock"
+
+	configv1 "github.com/openshift/api/config/v1"
+	operatorv1alpha1 "github.com/openshift/api/operator/v1alpha1"
+	configclientv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
+	configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
+	"github.com/openshift/library-go/pkg/operator/configobserver/apiserver"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
+)
+
+const (
+	// ConfigMapInjectTLSAnnotation is the annotation key that triggers TLS injection into ConfigMaps
+	ConfigMapInjectTLSAnnotation = "config.openshift.io/inject-tls"
+)
+
+type optional[T any] struct {
+	value T
+	found bool
+}
+
+type tlsConfig struct {
+	minTLSVersion optional[string]
+	cipherSuites  optional[[]string]
+}
+
+func (b *builder) modifyConfigMap(ctx context.Context, cm *corev1.ConfigMap) error {
+	// Check for TLS injection annotation
+	if value, ok := cm.Annotations[ConfigMapInjectTLSAnnotation]; !ok || value != "true" {
+		return nil
+	}
+
+	klog.V(2).Infof("ConfigMap %s/%s has %s annotation set to true", cm.Namespace, cm.Name, ConfigMapInjectTLSAnnotation)
+
+	// Empty data, nothing to inject into
+	if cm.Data == nil {
+		klog.V(2).Infof("ConfigMap %s/%s has empty data, skipping TLS profile injection", cm.Namespace, cm.Name)
+		return nil
+	}
+
+	// Observe TLS configuration from APIServer
+	tlsConf, err := b.observeTLSConfiguration(ctx, cm)
+	if err != nil {
+		return fmt.Errorf("unable to observe TLS configuration: %v", err)
+	}
+
+	minTLSLog := "<not found>"
+	if tlsConf.minTLSVersion.found {
+		minTLSLog = tlsConf.minTLSVersion.value
+	}
+	cipherSuitesLog := "<not found>"
+	if tlsConf.cipherSuites.found {
+		cipherSuitesLog = fmt.Sprintf("%v", tlsConf.cipherSuites.value)
+	}
+	klog.V(4).Infof("ConfigMap %s/%s: observed minTLSVersion=%v, cipherSuites=%v",
+		cm.Namespace, cm.Name, minTLSLog, cipherSuitesLog)
+
+	// Process each data entry that contains GenericOperatorConfig
+	for key, value := range cm.Data {
+		klog.V(4).Infof("Processing %q key", key)
+		// Parse YAML into RNode to preserve formatting and field order
+		rnode, err := yaml.Parse(value)
+		if err != nil {
+			klog.V(4).Infof("ConfigMap's %q entry parsing failed: %v", key, err)
+			// Not valid YAML, skip this entry
+			continue
+		}
+
+		// Check if this is a supported config kind
+		switch {
+		case rnode.GetKind() == "GenericOperatorConfig" && rnode.GetApiVersion() == operatorv1alpha1.GroupVersion.String():
+		case rnode.GetKind() == "GenericControllerConfig" && rnode.GetApiVersion() == configv1.GroupVersion.String():
+		default:
+			klog.V(4).Infof("ConfigMap's %q entry is not a supported config type. Only GenericOperatorConfig (%v) and GenericControllerConfig (%v) are. Skipping this entry", key, operatorv1alpha1.GroupVersion.String(), configv1.GroupVersion.String())
+			continue
+		}
+
+		klog.V(2).Infof("ConfigMap %s/%s processing GenericOperatorConfig in key %s", cm.Namespace, cm.Name, key)
+
+		// Inject TLS settings into the GenericOperatorConfig while preserving structure
+		if err := updateRNodeWithTLSSettings(rnode, tlsConf); err != nil {
+			return fmt.Errorf("failed to inject the TLS configuration: %v", err)
+		}
+
+		// Marshal the modified RNode back to YAML
+		modifiedYAML, err := rnode.String()
+		if err != nil {
+			return fmt.Errorf("failed to marshall the modified ConfigMap back to YAML: %v", err)
+		}
+
+		// Update the ConfigMap data entry with the modified YAML
+		cm.Data[key] = modifiedYAML
+		klog.V(2).Infof("ConfigMap %s/%s updated GenericOperatorConfig with TLS profile in key %s", cm.Namespace, cm.Name, key)
+	}
+	return nil
+}
+
+// observeTLSConfiguration retrieves TLS configuration from the APIServer cluster CR
+// using ObserveTLSSecurityProfile and extracts minTLSVersion and cipherSuites.
+func (b *builder) observeTLSConfiguration(ctx context.Context, cm *corev1.ConfigMap) (*tlsConfig, error) {
+	// Create a lister adapter for ObserveTLSSecurityProfile
+	lister := &apiServerListerAdapter{
+		client: b.configClientv1.APIServers(),
+		ctx:    ctx,
+	}
+	listers := &configObserverListers{
+		apiServerLister: lister,
+	}
+
+	// Create an in-memory event recorder that doesn't send events to the API server
+	recorder := events.NewInMemoryRecorder("configmap-tls-injection", clock.RealClock{})
+
+	// Call ObserveTLSSecurityProfile to get TLS configuration
+	observedConfig, errs := apiserver.ObserveTLSSecurityProfile(listers, recorder, map[string]any{})
+	if len(errs) > 0 {
+		return nil, fmt.Errorf("error observing TLS profile for ConfigMap %s/%s: %w", cm.Namespace, cm.Name, errors.Join(errs...))
+	}
+
+	config := &tlsConfig{}
+
+	// Extract minTLSVersion from the observed config
+	if minTLSVersion, minTLSFound, err := unstructured.NestedString(observedConfig, "servingInfo", "minTLSVersion"); err != nil {
+		return nil, err
+	} else if minTLSFound {
+		config.minTLSVersion = optional[string]{value: minTLSVersion, found: true}
+	}
+
+	// Extract cipherSuites from the observed config
+	if cipherSuites, ciphersFound, err := unstructured.NestedStringSlice(observedConfig, "servingInfo", "cipherSuites"); err != nil {
+		return nil, err
+	} else if ciphersFound {
+		// Sort cipher suites for consistent ordering
+		sort.Strings(cipherSuites)
+		config.cipherSuites = optional[[]string]{value: cipherSuites, found: true}
+	}
+
+	return config, nil
+}
+
+// updateRNodeWithTLSSettings injects TLS settings into a GenericOperatorConfig RNode while preserving structure.
+// If a field in tlsConf is not found, the corresponding field will be deleted from the RNode.
+func updateRNodeWithTLSSettings(rnode *yaml.RNode, tlsConf *tlsConfig) error {
+	servingInfo, err := rnode.Pipe(yaml.LookupCreate(yaml.MappingNode, "servingInfo"))
+	if err != nil {
+		return err
+	}
+
+	// Handle cipherSuites field
+	if tlsConf.cipherSuites.found {
+		seqNode := yaml.NewListRNode(tlsConf.cipherSuites.value...)
+		if err := servingInfo.PipeE(yaml.SetField("cipherSuites", seqNode)); err != nil {
+			return err
+		}
+	} else {
+		if err := servingInfo.PipeE(yaml.Clear("cipherSuites")); err != nil {
+			return err
+		}
+	}
+
+	// Handle minTLSVersion field
+	if tlsConf.minTLSVersion.found {
+		if err := servingInfo.PipeE(yaml.SetField("minTLSVersion", yaml.NewStringRNode(tlsConf.minTLSVersion.value))); err != nil {
+			return err
+		}
+	} else {
+		if err := servingInfo.PipeE(yaml.Clear("minTLSVersion")); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// apiServerListerAdapter adapts a client interface to the lister interface
+type apiServerListerAdapter struct {
+	client configclientv1.APIServerInterface
+	ctx    context.Context
+}
+
+func (a *apiServerListerAdapter) List(selector labels.Selector) ([]*configv1.APIServer, error) {
+	// Not implemented - ObserveTLSSecurityProfile only uses Get()
+	return nil, nil
+}
+
+func (a *apiServerListerAdapter) Get(name string) (*configv1.APIServer, error) {
+	return a.client.Get(a.ctx, name, metav1.GetOptions{})
+}
+
+// configObserverListers implements the configobserver.Listers interface.
+// It's expected to be used solely for apiserver.ObserveTLSSecurityProfile.
+type configObserverListers struct {
+	apiServerLister configlistersv1.APIServerLister
+}
+
+func (l *configObserverListers) APIServerLister() configlistersv1.APIServerLister {
+	return l.apiServerLister
+}
+
+func (l *configObserverListers) ResourceSyncer() resourcesynccontroller.ResourceSyncer {
+	// Not needed for TLS observation
+	return nil
+}
+
+func (l *configObserverListers) PreRunHasSynced() []cache.InformerSynced {
+	// Not needed for TLS observation
+	return nil
+}