
CNTRLPLANE-3423: feat: have CVO inject the centralized TLS configuration into the operator's config#491

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
ingvagabund:cvo-injected-tls-configuration
Jun 1, 2026

Conversation

@ingvagabund
Member

@ingvagabund ingvagabund commented May 28, 2026

Also, have the operator restart whenever the config changes.

wip-docs: openshift/enhancements#2020

Summary by CodeRabbit

  • Chores
    • Enhanced configuration management for the config operator with explicit file path declarations.
    • Implemented automatic termination monitoring for configuration and certificate files, ensuring the operator gracefully responds to configuration and security credential changes.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 28, 2026
@openshift-ci-robot

openshift-ci-robot commented May 28, 2026

@ingvagabund: This pull request references CNTRLPLANE-3423 which is a valid jira issue.

Details

In response to this:

Also, have the operator restart whenever the config changes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented May 28, 2026

Walkthrough

This PR adds Kubernetes manifest configuration to enable the config-operator to read from a ConfigMap. A new ConfigMap is created with embedded operator configuration, and the Deployment is updated to mount that ConfigMap, expose it to the operator container, and configure the operator to watch for changes and terminate on file modifications.

Changes

ConfigMap-based operator configuration

Layer / File(s): ConfigMap and Deployment integration for operator config (manifests/0000_10_config-operator_06_configmap.yaml, manifests/0000_10_config-operator_07_deployment.yaml)

Summary: A new ConfigMap named openshift-config-operator-config defines the operator configuration with standard release/role annotations and a config.yaml payload. The Deployment adds a config volume sourced from the ConfigMap, mounts it at /var/run/configmaps/config in the operator container, and updates the operator command-line arguments to explicitly reference the mounted config path (--config=/var/run/configmaps/config/config.yaml) and enable termination on config or TLS file changes (--terminate-on-files).


🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Topology-Aware Scheduling Compatibility ⚠️ Warning Deployment uses nodeSelector targeting control-plane nodes (node-role.kubernetes.io/master), which breaks on HyperShift topologies where no in-cluster control-plane nodes exist. Check infrastructure.Status.ControlPlaneTopology and avoid control-plane nodeSelectors on HyperShift, or use topology-aware node affinity that gracefully handles External topologies.
✅ Passed checks (14 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: having CVO inject centralized TLS configuration into the operator's config, which is reflected in the manifests adding a ConfigMap with TLS-related configuration and updating the Deployment to use it.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only modifies Kubernetes manifest files (ConfigMap and Deployment YAML), not test files. No Ginkgo test names present in the changes.
Test Structure And Quality ✅ Passed PR contains 9 test files using standard Go testing.T framework, not Ginkgo. Custom check for Ginkgo test quality is not applicable to this PR.
Microshift Test Compatibility ✅ Passed PR adds only Kubernetes manifest files (ConfigMap and Deployment), not Ginkgo e2e tests. MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR contains only Kubernetes manifest changes (ConfigMap and Deployment) with no Ginkgo e2e test additions. Check for SNO test compatibility is not applicable.
Ote Binary Stdout Contract ✅ Passed PR contains only Kubernetes manifest changes (ConfigMap and Deployment YAML files). No code files modified, no process-level code that could write to stdout.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo e2e tests were added; PR contains only Kubernetes manifests and test infrastructure scaffolding without test definitions.
No-Weak-Crypto ✅ Passed PR adds only Kubernetes manifests. No MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB usage found. No non-constant-time secret comparisons or custom crypto implementations detected.
Container-Privileges ✅ Passed No privileged container settings found. ConfigMap and Deployment follow security best practices with restrictive securityContext (runAsNonRoot, allowPrivilegeEscalation: false, capabilities dropped).
No-Sensitive-Data-In-Logs ✅ Passed No logging of sensitive data detected. Command args use standard Kubernetes mount paths; operator code contains minimal logging (klog with generic messages only, no config/secrets logging).
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.


@openshift-ci openshift-ci Bot requested review from deads2k and everettraven May 28, 2026 22:54
@coderabbitai

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

@openshift-ci
Contributor

openshift-ci Bot commented May 29, 2026

@ingvagabund: all tests passed!


Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@ingvagabund
Member Author

From https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-config-operator/491/pull-ci-openshift-cluster-config-operator-main-e2e-aws-ovn/2060132483688566784/artifacts/e2e-aws-ovn/gather-extra/artifacts/configmaps.json:

        {
            "apiVersion": "v1",
            "data": {
                "config.yaml": "apiVersion: operator.openshift.io/v1alpha1\nkind: GenericOperatorConfig\nservingInfo:\n  cipherSuites:\n  - TLS_AES_128_GCM_SHA256\n  - TLS_AES_256_GCM_SHA384\n  - TLS_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n  minTLSVersion: VersionTLS12\n"
            },
            "kind": "ConfigMap",
            "metadata": {
                "annotations": {
                    "config.openshift.io/inject-tls": "true",
                    "include.release.openshift.io/self-managed-high-availability": "true",
                    "include.release.openshift.io/single-node-developer": "true"
                },
                "creationTimestamp": "2026-05-28T23:18:38Z",
                "name": "openshift-config-operator-config",
                "namespace": "openshift-config-operator",
                "ownerReferences": [
                    {
                        "apiVersion": "config.openshift.io/v1",
                        "controller": true,
                        "kind": "ClusterVersion",
                        "name": "version",
                        "uid": "5e10e8f5-a7c5-4e4a-8c22-803cdb7e9d52"
                    }
                ],
                "resourceVersion": "2562",
                "uid": "5304671a-4816-4ce3-b2f3-d36bb4ce4556"
            }
        },

TLS injected
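The walkthrough earlier in the thread describes the mechanism (config.yaml mounted from the ConfigMap, `--config` pointing at it, `--terminate-on-files` so the operator exits when it changes) and the captured ConfigMap above shows the servingInfo that CVO injected. The following Go program is an added example, not the operator's or library-go's code: it takes that servingInfo, maps the cipher names onto crypto/tls with the checks a practitioner would want (unknown names, suites Go marks insecure, TLS 1.3 names that Go does not let you configure), and uses a content digest over the watched files as a stand-in for the file-change trigger. `ServingInfo`, `BuildTLSConfig`, `FilesDigest` and the literal `injectedServingInfo` are names chosen for this example; the cipher list and minTLSVersion in the literal are copied from the ConfigMap above.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"fmt"
	"os"
)

// ServingInfo holds the two servingInfo fields this example consumes.
type ServingInfo struct {
	CipherSuites  []string
	MinTLSVersion string
}

// injectedServingInfo is servingInfo from the config.yaml captured above (values copied
// from the ConfigMap; the Go literal itself is this example's own).
var injectedServingInfo = ServingInfo{
	MinTLSVersion: "VersionTLS12",
	CipherSuites: []string{
		"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	},
}

var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// BuildTLSConfig maps the injected names onto crypto/tls, rejecting suites Go does not know
// or marks Insecure. TLS 1.3 suites come back separately: Go enables them unconditionally
// and ignores them in Config.CipherSuites.
func BuildTLSConfig(si ServingInfo) (*tls.Config, []string, error) {
	minVersion, ok := tlsVersions[si.MinTLSVersion]
	if !ok {
		return nil, nil, fmt.Errorf("unknown minTLSVersion %q", si.MinTLSVersion)
	}
	known := map[string]*tls.CipherSuite{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		known[cs.Name] = cs
	}
	var ids []uint16
	var tls13Only []string
	for _, name := range si.CipherSuites {
		cs, ok := known[name]
		switch {
		case !ok:
			return nil, nil, fmt.Errorf("unknown cipher suite %q", name)
		case cs.Insecure:
			return nil, nil, fmt.Errorf("refusing insecure cipher suite %q", name)
		case len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13:
			tls13Only = append(tls13Only, name)
		default:
			ids = append(ids, cs.ID)
		}
	}
	// An empty CipherSuites makes Go fall back to its own TLS 1.2 defaults, so a list made
	// only of TLS 1.3 names must not slip through with a minimum version below TLS 1.3.
	if minVersion < tls.VersionTLS13 && len(ids) == 0 {
		return nil, nil, fmt.Errorf("no TLS 1.2 cipher suites selected for %s", si.MinTLSVersion)
	}
	return &tls.Config{MinVersion: minVersion, CipherSuites: ids}, tls13Only, nil
}

// FilesDigest hashes the watched files in order; a changed digest is the signal on which an
// operator started with --terminate-on-files would exit (the idea only, not library-go's
// implementation). Existence is folded into the hash, so deleting a file counts as a change.
func FilesDigest(paths []string) (string, error) {
	h := sha256.New()
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil && !os.IsNotExist(err) {
			return "", err
		}
		fmt.Fprintf(h, "%s\x00%t\x00%d\x00", p, err == nil, len(data))
		h.Write(data)
	}
	return fmt.Sprintf("%x", h.Sum(nil)), nil
}

func main() {
	cfg, tls13Only, err := BuildTLSConfig(injectedServingInfo)
	if err != nil {
		panic(err)
	}
	fmt.Printf("MinVersion=%#x tls12Suites=%d tls13Only=%v\n", cfg.MinVersion, len(cfg.CipherSuites), tls13Only)
	f, _ := os.CreateTemp("", "config-*.yaml")
	f.Close()
	defer os.Remove(f.Name())
	os.WriteFile(f.Name(), []byte("minTLSVersion: VersionTLS12\n"), 0o600)
	before, _ := FilesDigest([]string{f.Name()})
	os.WriteFile(f.Name(), []byte("minTLSVersion: VersionTLS13\n"), 0o600) // simulated CVO update
	after, _ := FilesDigest([]string{f.Name()})
	fmt.Println("config changed, operator would terminate:", before != after)
}
```

Two caveats the example makes visible: Go never honours TLS 1.3 names in Config.CipherSuites (those suites are always on), and since Go 1.17 it also applies its own preference order, so the order in the injected list does not survive into the handshake. Only the TLS 1.2 subset and the minimum version actually take effect, which is why the empty-list check matters.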

Contributor

@everettraven everettraven left a comment


/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 1, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Jun 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven, ingvagabund

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 1, 2026
@ingvagabund
Member Author

/verified by ci/prow/e2e-aws-ovn

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 1, 2026
@openshift-ci-robot

@ingvagabund: This PR has been marked as verified by ci/prow/e2e-aws-ovn.

Details

In response to this:

/verified by ci/prow/e2e-aws-ovn

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot Bot merged commit 2697a43 into openshift:main Jun 1, 2026
14 checks passed
@ingvagabund ingvagabund deleted the cvo-injected-tls-configuration branch June 1, 2026 15:45