STOR-2954: feat: have CVO inject the centralized TLS configuration into the operator's config

[ingvagabund]

Also, have the operator restart whenever the config changes.

wip-docs: openshift/enhancements#2020

Summary by CodeRabbit

• New Features

  • Operator metrics endpoint (TCP 8443) exposed for monitoring.

• Improvements

  • TLS injection enabled for operator configuration.
  • Operator now reloads/restarts automatically when config or serving certificate files change.
  • Deployment templates/patches updated to append volume and mount entries, preserving existing lists.

[openshift-ci-robot]

@ingvagabund: This pull request references STOR-2954 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Also, have the operator restart whenever the config changes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f591c747-40f0-43f8-b4ac-978890f0ad64

📥 Commits

Reviewing files that changed from the base of the PR and between 378ae06 and d22ce72.

📒 Files selected for processing (5)

• manifests/03_configmap.yaml
• manifests/07_deployment-hypershift.yaml
• manifests/07_deployment-ibm-cloud-managed.yaml
• manifests/07_deployment.yaml
• profile-patches/hypershift/07_deployment.yaml-patch

🚧 Files skipped from review as they are similar to previous changes (5)

• profile-patches/hypershift/07_deployment.yaml-patch
• manifests/03_configmap.yaml
• manifests/07_deployment-hypershift.yaml
• manifests/07_deployment.yaml
• manifests/07_deployment-ibm-cloud-managed.yaml

---

Walkthrough

This PR annotates the operator ConfigMap for TLS injection, updates Deployment variants to mount the injected ConfigMap and serving certs, exposes a metrics port (8443), and passes --config plus --terminate-on-files args to restart on config/certificate changes; HyperShift patch now appends volumes instead of replacing arrays.

Changes

Operator Configuration and Metrics Instrumentation

Layer / File(s)	Summary
ConfigMap TLS injection manifests/03_configmap.yaml	ConfigMap metadata gains config.openshift.io/inject-tls: "true" annotation.
Operator args and restart-on-change flags manifests/07_deployment.yaml, manifests/07_deployment-hypershift.yaml, manifests/07_deployment-ibm-cloud-managed.yaml	Container args now include --config /var/run/configmaps/config/operator-config.yaml and --terminate-on-files entries for the operator config and serving cert/key files.
Container ports and volumeMounts manifests/07_deployment.yaml, manifests/07_deployment-hypershift.yaml, manifests/07_deployment-ibm-cloud-managed.yaml	Add metrics container port on 8443 and mount serving-cert Secret plus config ConfigMap at /var/run/configmaps/config.
Pod volumes wiring manifests/07_deployment.yaml, manifests/07_deployment-hypershift.yaml, manifests/07_deployment-ibm-cloud-managed.yaml	Add pod volumes entries for serving-cert Secret and csi-snapshot-controller-operator-config ConfigMap.
HyperShift patch: append volumes profile-patches/hypershift/07_deployment.yaml-patch	JSON patch updated to append guest-kubeconfig entries to spec.template.spec.volumes and spec.template.spec.containers[0].volumeMounts arrays rather than replacing those fields.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main objective: enabling CVO to inject centralized TLS configuration into the operator's config, which is reflected across all modified manifests.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only Kubernetes manifest YAML files; contains no Ginkgo tests. Check is not applicable to this PR.
Test Structure And Quality	✅ Passed	This PR adds test code using Go standard testing package, not Ginkgo. The custom check specifically reviews Ginkgo test structure, so it's not applicable here.
Microshift Test Compatibility	✅ Passed	PR adds standard Go testing tests (not Ginkgo), which is outside scope of check that specifically targets Ginkgo e2e tests (It(), Describe(), etc.).
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR adds no new Ginkgo e2e tests. Changes are limited to Kubernetes manifest files (ConfigMap and Deployment YAMLs).
Topology-Aware Scheduling Compatibility	✅ Passed	PR deploys with WithControlPlaneTopologyHook that dynamically clears nodeSelectors for External topology (HyperShift), preventing scheduling issues. HyperShift manifest lacks nodeSelector.
Ote Binary Stdout Contract	✅ Passed	PR adds CSI Snapshot Controller Operator, not an OTE test binary. The OTE Binary Stdout Contract applies only to openshift-tests extension binaries that output JSON on stdout.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR; only Kubernetes manifest and configuration files were modified. The custom check is not applicable.
No-Weak-Crypto	✅ Passed	PR contains only Kubernetes manifest and patch file modifications with no cryptographic implementations, weak crypto usages (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB), or insecure secret comparisons.
Container-Privileges	✅ Passed	No privileged container settings found. All manifests maintain secure configurations with allowPrivilegeEscalation: false, capabilities dropped, readOnlyRootFilesystem: true, and runAsNonRoot: true.
No-Sensitive-Data-In-Logs	✅ Passed	No passwords, tokens, API keys, PII, or sensitive credentials are logged. Only file paths are logged by library-go's file watcher, which is standard practice.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ingvagabund
Once this PR has been reviewed and has the lgtm label, please assign dfajmon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

manifests/07_deployment.yaml (1)

29-58: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add resource limits and health probes to this updated container spec.

This container still has requests only and no liveness/readiness probes. Since this PR is updating the pod wiring and exposing the metrics listener, please add cpu/memory limits plus probes here before merge.

As per coding guidelines, **/*.{yaml,yml}: Resource limits (cpu, memory) on every container and Liveness + readiness probes defined.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@manifests/07_deployment.yaml` around lines 29 - 58, The container
"csi-snapshot-controller-operator" currently only defines resource requests and
no probes; add a resources.limits block (cpu and memory) alongside existing
requests and add both livenessProbe and readinessProbe on the container spec.
Use the existing container name and metrics/containerPort (8443) as the probe
port and choose an appropriate probe type (httpGet to a health endpoint such as
/healthz or /ready, or tcpSocket if no HTTP endpoint) with sensible
initialDelaySeconds, periodSeconds and failureThreshold values; ensure the probe
fields are added under the same container definition that contains args like
"start" and "--config=/var/run/configmaps/config/operator-config.yaml".

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@manifests/07_deployment.yaml`:
- Around line 29-58: The container "csi-snapshot-controller-operator" currently
only defines resource requests and no probes; add a resources.limits block (cpu
and memory) alongside existing requests and add both livenessProbe and
readinessProbe on the container spec. Use the existing container name and
metrics/containerPort (8443) as the probe port and choose an appropriate probe
type (httpGet to a health endpoint such as /healthz or /ready, or tcpSocket if
no HTTP endpoint) with sensible initialDelaySeconds, periodSeconds and
failureThreshold values; ensure the probe fields are added under the same
container definition that contains args like "start" and
"--config=/var/run/configmaps/config/operator-config.yaml".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 77dcc8f8-256c-4998-87cb-4219b8da56ae

📥 Commits

Reviewing files that changed from the base of the PR and between 108f37f and fa43efb.

📒 Files selected for processing (4)

• manifests/03_configmap.yaml
• manifests/07_deployment-hypershift.yaml
• manifests/07_deployment-ibm-cloud-managed.yaml
• manifests/07_deployment.yaml

[ingvagabund]

/retest-required

[ingvagabund]

/retest-required

[ingvagabund]

/retest-required

[ingvagabund]

From https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-csi-snapshot-controller-operator/276/pull-ci-openshift-cluster-csi-snapshot-controller-operator-main-e2e-vsphere-csi/2061365343267328000/artifacts/e2e-vsphere-csi/gather-extra/artifacts/configmaps.json:

        {
            "apiVersion": "v1",
            "data": {
                "operator-config.yaml": "apiVersion: operator.openshift.io/v1alpha1\nkind: GenericOperatorConfig\nservingInfo:\n  cipherSuites:\n  - TLS_AES_128_GCM_SHA256\n  - TLS_AES_256_GCM_SHA384\n  - TLS_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n  minTLSVersion: VersionTLS12\n"
            },
            "kind": "ConfigMap",
            "metadata": {
                "annotations": {
                    "capability.openshift.io/name": "CSISnapshot",
                    "config.openshift.io/inject-tls": "true",
                    "include.release.openshift.io/hypershift": "true",
                    "include.release.openshift.io/ibm-cloud-managed": "true",
                    "include.release.openshift.io/self-managed-high-availability": "true",
                    "include.release.openshift.io/single-node-developer": "true"
                },
                "creationTimestamp": "2026-06-01T09:09:09Z",
                "labels": {
                    "app": "csi-snapshot-controller-operator"
                },
                "name": "csi-snapshot-controller-operator-config",
                "namespace": "openshift-cluster-storage-operator",
                "ownerReferences": [
                    {
                        "apiVersion": "config.openshift.io/v1",
                        "controller": true,
                        "kind": "ClusterVersion",
                        "name": "version",
                        "uid": "7e805fbf-b54f-4fb6-b96f-fd7fedd5c97a"
                    }
                ],
                "resourceVersion": "1261",
                "uid": "8fbde059-bead-450f-8398-bbac1e96e38d"
            }
        },

TLS injected

[ingvagabund]

/retest-required

[dfajmon]

/retest

[openshift-ci]

@ingvagabund: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.