Skip to content

Apply cluster TLS security profile to packageserver serving options#3849

Open
tmshort wants to merge 1 commit into
operator-framework:masterfrom
tmshort:packageserver-tls-profile
Open

Apply cluster TLS security profile to packageserver serving options#3849
tmshort wants to merge 1 commit into
operator-framework:masterfrom
tmshort:packageserver-tls-profile

Conversation

@tmshort

@tmshort tmshort commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Read the OpenShift APIServer CR at startup to apply the cluster-wide TLS security profile (min version and cipher suites) to the packageserver's SecureServingOptions when --tls-min-version is not already set via flags. Includes a 30s timeout on the API lookup and fails closed if the profile cannot be applied. Adds RBAC to allow reading apiservers.config.openshift.io.

This ought to complete the upstream portion of TLS profiles (not including curves). The existing catalog and olm operators also directly read the OpenShift API.

Description of the change:

Motivation for the change:

Architectural changes:

Testing remarks:

Reviewer Checklist

  • Implementation matches the proposed design, or proposal is updated to match implementation
  • Sufficient unit test coverage
  • Sufficient end-to-end test coverage
  • Bug fixes are accompanied by regression test(s)
  • e2e tests and flake fixes are accompanied evidence of flake testing, e.g. executing the test 100(0) times
  • tech debt/todo is accompanied by issue link(s) in comments in the surrounding code
  • Tests are comprehensible, e.g. Ginkgo DSL is being used appropriately
  • Docs updated or added to /doc
  • Commit messages sensible and descriptive
  • Tests marked as [FLAKE] are truly flaky and have an issue
  • Code is properly formatted

@tmshort
Apply cluster TLS security profile to packageserver serving options
90f32f7 
Read the OpenShift APIServer CR at startup to apply the cluster-wide TLS
security profile (min version and cipher suites) to the packageserver's
SecureServingOptions when --tls-min-version is not already set via flags.
Includes a 30s timeout on the API lookup and fails closed if the profile
cannot be applied. Adds RBAC to allow reading apiservers.config.openshift.io.

Signed-off-by: Todd Short <tshort@redhat.com>
Copilot AI review requested due to automatic review settings June 15, 2026 20:51
@openshift-ci openshift-ci Bot requested review from dtfranz and joelanford June 15, 2026 20:51
@openshift-ci

openshift-ci Bot commented Jun 15, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign dtfranz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tmshort tmshort mentioned this pull request Jun 15, 2026
Open
Copilot AI reviewed Jun 15, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the packageserver startup flow to honor OpenShift’s cluster-wide TLS security profile by reading the APIServer config (apiservers.config.openshift.io/cluster) at boot and applying the resulting min TLS version and cipher suites to the packageserver’s SecureServingOptions when --tls-min-version is not explicitly set.

Changes:

  • Build a REST client config earlier in packageserver startup and (when --tls-min-version is unset) fetch/apply the cluster TLS security profile with a 30s timeout.
  • Add a helper to detect OpenShift config API availability and apply the derived TLS settings to serving options.
  • Extend RBAC in upstream quickstart and Helm CSV template to allow get on apiservers.config.openshift.io.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
pkg/package-server/server/server.go Applies OpenShift cluster TLS profile to packageserver secure serving options during startup.
deploy/upstream/quickstart/olm.yaml Grants packageserver RBAC to get the OpenShift APIServer config object.
deploy/chart/templates/_packageserver.clusterserviceversion.yaml Grants packageserver RBAC to get the OpenShift APIServer config object in the Helm-generated CSV.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/package-server/server/server.go
Comment on lines +380 to +384
minVersion, cipherSuites := olmapiserver.GetSecurityProfileConfig(apiServer.Spec.TLSSecurityProfile)
serving.MinTLSVersion = libcrypto.TLSVersionToNameOrDie(minVersion)
serving.CipherSuites = libcrypto.CipherSuitesToNamesOrDie(cipherSuites)
log.Infof("Applying cluster TLS security profile: minVersion=%s cipherSuites=%v", serving.MinTLSVersion, serving.CipherSuites)
return nil
Comment thread deploy/upstream/quickstart/olm.yaml
Comment on lines +268 to +272
- "config.openshift.io"
resources:
- apiservers
verbs:
- get
Comment thread deploy/chart/templates/_packageserver.clusterserviceversion.yaml
Comment on lines +71 to +75
- "config.openshift.io"
resources:
- apiservers
verbs:
- get
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@dtfranz dtfranz Awaiting requested review from dtfranz

@joelanford joelanford Awaiting requested review from joelanford

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tmshort