STOR-2954: feat: have CVO inject the centralized TLS configuration into the operator's config

[ingvagabund]

Also, have the operator restart whenever the config changes.

wip-docs: openshift/enhancements#2020

Summary by CodeRabbit

• Chores
  • Added a dedicated ConfigMap to manage operator configuration and updated deployments to mount and consume it.
  • Enabled operator graceful shutdown tied to the presence of the mounted config file.
  • Updated deployment templates for hypershift/managed profiles: appended guest kubeconfig volume/mount, added control-plane/component image env vars and guest-kubeconfig argument.
  • Adjusted pod template annotations, labels and security/scheduling settings to align with updated platform requirements.

[openshift-ci-robot]

@ingvagabund: This pull request references STOR-2954 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Also, have the operator restart whenever the config changes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

This PR adds a ConfigMap containing a GenericOperatorConfig and updates standard, HyperShift, and IBM Cloud managed cluster-storage-operator deployments to mount that ConfigMap and pass its config file path via --config and --terminate-on-files. A HyperShift profile patch appends guest-kubeconfig entries and adds image environment variables.

Changes

Operator Configuration Introduction

Layer / File(s)	Summary
Operator configuration contract manifests/04_configmap.yaml	New ConfigMap cluster-storage-operator-config containing GenericOperatorConfig with OpenShift capability and annotation metadata.
Standard Deployment configuration wiring manifests/10_deployment.yaml	Container args include --config=/var/run/configmaps/config/config.yaml and --terminate-on-files pointing to the same path; ConfigMap volume and mount are added to wire the configuration file.
HyperShift Deployment configuration and serving cert wiring manifests/10_deployment-hypershift.yaml	Container args and volumeMounts/volumes are updated to mount both the operator config ConfigMap and the serving certificate secret; volumes section adds cluster-storage-operator-serving-cert and cluster-storage-operator-config.
IBM Cloud managed Deployment configuration wiring manifests/10_deployment-ibm-cloud-managed.yaml	Container args include config file path and termination flag; ConfigMap volume and mount are added to make the config available at /var/run/configmaps/config.
HyperShift profile-patch adjustments profile-patches/hypershift/10_deployment.yaml-patch	Patch now appends guest-kubeconfig volume and mount entries instead of replacing arrays, and adds container env vars for control-plane/CSI/proxy/liveness images.

---

🎯 3 (Moderate) | ⏱️ ~20 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
No-Weak-Crypto	❌ Error	The PR introduces weak cryptographic algorithms: MD5 and SHA1 are used in vendored dependencies (google/uuid for UUID generation and openshift/library-go for resource caching).	Review the use of crypto/md5 and crypto/sha1 in vendor dependencies - evaluate if MD5/SHA1 for UUID generation and resource caching is acceptable for your security requirements, or use stronger alternatives.
Microshift Test Compatibility	⚠️ Warning	New Ginkgo test in test/e2e/storage_performant_policy.go references [OCPFeatureGate:StoragePerformantSecurityPolicy], an unsupported FeatureGate on MicroShift, without MicroShift skip protection.	Add [Skipped:MicroShift] or [apigroup:config.openshift.io] tag to test name, guard with exutil.IsMicroShiftCluster() check, or run MicroShift CI job to verify compatibility.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: enabling CVO to inject centralized TLS configuration into the operator's config, which is directly reflected in the manifest changes adding ConfigMap, volumes, and mounting configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in storage_performant_policy.go use static strings like "should default to OnRootMismatch if pod has none" with no dynamic values, fmt.Sprintf, or variable interpolation.
Test Structure And Quality	✅ Passed	Ginkgo test meets all quality criteria: single responsibility per test block, proper BeforeEach/AfterEach setup/cleanup, timeouts on cluster ops, and meaningful failure messages.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. The changes are limited to Kubernetes manifests (ConfigMaps, Deployments, patches). The check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only ConfigMap mounts, not scheduling constraints. HyperShift topology is properly handled via separate manifests and patches removing nodeSelector.
Ote Binary Stdout Contract	✅ Passed	PR contains only YAML manifest changes; no Go binary source code was modified, so OTE stdout contract check does not apply.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests added; PR only modifies Kubernetes manifests (ConfigMap, Deployments, patches) for TLS configuration injection.
Container-Privileges	✅ Passed	No privileged container settings found. All deployments set allowPrivilegeEscalation: false, runAsNonRoot: true, drop all capabilities, and enforce nonroot/restricted SCCs.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data logging detected. The TLS config injected by CVO is not parsed or logged by operator code; only a vsphere detector config containing a boolean flag is logged at klog.V(4) level.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ingvagabund
Once this PR has been reviewed and has the lgtm label, please assign romanbednar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 0

[ingvagabund]

/retest-required

[coderabbitai]

🧹 Nitpick comments (1)

profile-patches/hypershift/10_deployment.yaml-patch (1)

37-75: ⚡ Quick win

Prefer appending env vars with /- instead of fixed indices in JSON Patch

In profile-patches/hypershift/10_deployment.yaml-patch the env vars are added at /spec/template/spec/containers/0/env/33 … /env/40. JSON Patch add with /array/<index> inserts at a fixed position and shifts the rest, so upstream changes to the env array ordering/length can make this patch fragile or mis-target. Switching these ops to /env/- makes them append safely (and matches the existing /volumeMounts/- style in this patch).

♻️ Suggested patch shape

-  path: /spec/template/spec/containers/0/env/33
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/34
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/35
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/36
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/37
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/38
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/39
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/40
+  path: /spec/template/spec/containers/0/env/-

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@profile-patches/hypershift/10_deployment.yaml-patch` around lines 37 - 75,
The JSON Patch uses fixed env indices (/spec/template/spec/containers/0/env/33 …
/env/40) which makes the patch brittle; update each add operation to append
instead by changing the path to /spec/template/spec/containers/0/env/- for all
ENV entries (HYPERSHIFT_IMAGE, AWS_EBS_DRIVER_CONTROL_PLANE_IMAGE,
AZURE_DISK_DRIVER_CONTROL_PLANE_IMAGE, LIVENESS_PROBE_CONTROL_PLANE_IMAGE,
AZURE_FILE_DRIVER_CONTROL_PLANE_IMAGE,
OPENSTACK_CINDER_DRIVER_CONTROL_PLANE_IMAGE, MANILA_DRIVER_CONTROL_PLANE_IMAGE,
KUBE_RBAC_PROXY_CONTROL_PLANE_IMAGE) so they are appended safely (matching the
existing /volumeMounts/- style).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@profile-patches/hypershift/10_deployment.yaml-patch`:
- Around line 37-75: The JSON Patch uses fixed env indices
(/spec/template/spec/containers/0/env/33 … /env/40) which makes the patch
brittle; update each add operation to append instead by changing the path to
/spec/template/spec/containers/0/env/- for all ENV entries (HYPERSHIFT_IMAGE,
AWS_EBS_DRIVER_CONTROL_PLANE_IMAGE, AZURE_DISK_DRIVER_CONTROL_PLANE_IMAGE,
LIVENESS_PROBE_CONTROL_PLANE_IMAGE, AZURE_FILE_DRIVER_CONTROL_PLANE_IMAGE,
OPENSTACK_CINDER_DRIVER_CONTROL_PLANE_IMAGE, MANILA_DRIVER_CONTROL_PLANE_IMAGE,
KUBE_RBAC_PROXY_CONTROL_PLANE_IMAGE) so they are appended safely (matching the
existing /volumeMounts/- style).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7adc3ab9-2d1d-4cb8-9a9a-fb9077369df7

📥 Commits

Reviewing files that changed from the base of the PR and between 0883e0b and be400cd.

📒 Files selected for processing (5)

• manifests/04_configmap.yaml
• manifests/10_deployment-hypershift.yaml
• manifests/10_deployment-ibm-cloud-managed.yaml
• manifests/10_deployment.yaml
• profile-patches/hypershift/10_deployment.yaml-patch

🚧 Files skipped from review as they are similar to previous changes (4)

• manifests/10_deployment.yaml
• manifests/10_deployment-ibm-cloud-managed.yaml
• manifests/04_configmap.yaml
• manifests/10_deployment-hypershift.yaml

[ingvagabund]

From https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-storage-operator/703/pull-ci-openshift-cluster-storage-operator-main-e2e-aws-csi/2060322735082442752/artifacts/e2e-aws-csi/gather-extra/artifacts/configmaps.json:

        {
            "apiVersion": "v1",
            "data": {
                "config.yaml": "apiVersion: operator.openshift.io/v1alpha1\nkind: GenericOperatorConfig\nservingInfo:\n  cipherSuites:\n  - TLS_AES_128_GCM_SHA256\n  - TLS_AES_256_GCM_SHA384\n  - TLS_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n  minTLSVersion: VersionTLS12\n"
            },
            "kind": "ConfigMap",
            "metadata": {
                "annotations": {
                    "capability.openshift.io/name": "Storage",
                    "config.openshift.io/inject-tls": "true",
                    "include.release.openshift.io/hypershift": "true",
                    "include.release.openshift.io/ibm-cloud-managed": "true",
                    "include.release.openshift.io/self-managed-high-availability": "true",
                    "include.release.openshift.io/single-node-developer": "true"
                },
                "creationTimestamp": "2026-05-29T11:54:09Z",
                "name": "cluster-storage-operator-config",
                "namespace": "openshift-cluster-storage-operator",
                "ownerReferences": [
                    {
                        "apiVersion": "config.openshift.io/v1",
                        "controller": true,
                        "kind": "ClusterVersion",
                        "name": "version",
                        "uid": "6079762a-b2b2-4d0b-a321-c9a558950840"
                    }
                ],
                "resourceVersion": "2022",
                "uid": "4b10a857-116e-491d-986a-4835e6857dcf"
            }
        },

TLS injected

[dfajmon]

/retest

[openshift-ci]

@ingvagabund: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[dfajmon]

/lgtm

[jsafrane]

This will cause CVO creating the config map in guest cluster, where nobody reads it. I'd remove this annotation.

[jsafrane]

Who creates the ConfigMap in a hosted control plane? I think it will need something like openshift/hypershift#8011 to create it there.

We can merge this PR + then someone must copy 10_deployment-hypershift.yaml‎ to hypershift here and add ConfigMap creation in the same hypershift PR to make sure nothing breaks.