From f6e4761ceb268dc5bf3ac8593e9259f12c621eba Mon Sep 17 00:00:00 2001
From: Vimal Solanki
Date: Wed, 20 May 2026 16:15:29 +0530
Subject: [PATCH] fix(cpo): add --tls-cipher-suites to oauth-apiserver deployment

The openshift-oauth-apiserver was started with --tls-min-version but without --tls-cipher-suites, unlike standalone OCP and other CPO-managed components (KCM, kube-scheduler). This adds the cipher suites arg using config.CipherSuites(), following the same pattern as kube-controller-manager.
---
 ..._openshift_oauth_apiserver_deployment.yaml | 1 +
 ..._openshift_oauth_apiserver_deployment.yaml | 1 +
 ..._openshift_oauth_apiserver_deployment.yaml | 1 +
 ..._openshift_oauth_apiserver_deployment.yaml | 1 +
 ..._openshift_oauth_apiserver_deployment.yaml | 1 +
 .../v2/oauth_apiserver/deployment.go | 4 ++
 .../v2/oauth_apiserver/deployment_test.go | 45 +++++++++++++++++++
 7 files changed, 54 insertions(+)

diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/AROSwift/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/AROSwift/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
index cf04e43f20e..c06ebd5776d 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/AROSwift/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/AROSwift/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
@@ -105,6 +105,7 @@ spec:
 - --api-audiences=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster
 - --etcd-servers=https://etcd-client:2379
 - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /usr/bin/oauth-apiserver
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/GCP/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/GCP/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
index 9594e7d5de4..3558397ce6e 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/GCP/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/GCP/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
@@ -105,6 +105,7 @@ spec:
 - --api-audiences=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster
 - --etcd-servers=https://etcd-client:2379
 - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /usr/bin/oauth-apiserver
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
index cd61efc34b9..1b5944070a7 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
@@ -105,6 +105,7 @@ spec:
 - --api-audiences=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster
 - --etcd-servers=https://etcd-client:2379
 - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /usr/bin/oauth-apiserver
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
index cf04e43f20e..c06ebd5776d 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
@@ -105,6 +105,7 @@ spec:
 - --api-audiences=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster
 - --etcd-servers=https://etcd-client:2379
 - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /usr/bin/oauth-apiserver
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
index cf04e43f20e..c06ebd5776d 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml
@@ -105,6 +105,7 @@ spec:
 - --api-audiences=https://test-oidc-bucket.s3.us-east-1.amazonaws.com/test-cluster
 - --etcd-servers=https://etcd-client:2379
 - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /usr/bin/oauth-apiserver
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go
index 1d25593d837..3e69ce8ab63 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go
@@ -52,6 +52,10 @@ func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Dep
 fmt.Sprintf("--tls-min-version=%s", config.MinTLSVersion(configuration.GetTLSSecurityProfile())),
 )
 
+ if cipherSuites := config.CipherSuites(configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+
 if cpContext.HCP.Spec.AuditWebhook != nil && len(cpContext.HCP.Spec.AuditWebhook.Name) > 0 {
 c.Args = append(c.Args, fmt.Sprintf("--audit-webhook-config-file=%s", path.Join("/etc/kubernetes/auditwebhook", hyperv1.AuditWebhookKubeconfigKey)))
 c.Args = append(c.Args, "--audit-webhook-mode=batch")
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go
index ef32bf820ea..9b565a3cef4 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go
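Review bot: The `len(cipherSuites) != 0` guard silently omits the flag and nothing in the hunk says why; the VersionTLS13 case in deployment_test.go suggests the intent is that a TLS 1.3-only profile yields no configurable suites (Go does not allow TLS 1.3 suites to be restricted), but a reader of adaptDeployment alone cannot distinguish that from a profile lookup that returned nothing, which would leave the server on Go's default suite list. I would add `// TLS 1.3-only profiles (e.g. Modern) have no configurable suites; omit the flag rather than pass an empty list.` above the `if`. `configuration.GetTLSSecurityProfile()` is now evaluated twice in a row; hoisting it into a local `profile := configuration.GetTLSSecurityProfile()` keeps the min-version and cipher-suite flags derived from the same value. The diffstat shows no import change, so `strings` is presumably already imported in this file — worth confirming before merge. adaptDeployment begins and ends outside the hunk.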
@@ -148,6 +148,51 @@ func TestAdaptDeployment(t *testing.T) {
 container := podspec.FindContainer(ComponentName, deployment.Spec.Template.Spec.Containers)
 g.Expect(container).ToNot(BeNil())
 g.Expect(container.Args).To(ContainElement("--tls-min-version=VersionTLS13"))
+ g.Expect(container.Args).ToNot(ContainElement(ContainSubstring("--tls-cipher-suites=")))
+ },
+ },
+ {
+ name: "When TLS security profile is Intermediate, it should configure tls-cipher-suites",
+ hcp: &hyperv1.HostedControlPlane{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-hcp",
+ Namespace: "test-ns",
+ },
+ Spec: hyperv1.HostedControlPlaneSpec{
+ Platform: hyperv1.PlatformSpec{
+ Type: hyperv1.AWSPlatform,
+ },
+ IssuerURL: "https://test-issuer.example.com",
+ Etcd: hyperv1.EtcdSpec{
+ ManagementType: hyperv1.Managed,
+ },
+ Configuration: &hyperv1.ClusterConfiguration{
+ APIServer: &configv1.APIServerSpec{
+ TLSSecurityProfile: &configv1.TLSSecurityProfile{
+ Type: configv1.TLSProfileIntermediateType,
+ Intermediate: &configv1.IntermediateTLSProfile{},
+ },
+ },
+ },
+ },
+ },
+ validate: func(t *testing.T, g *GomegaWithT, hcp *hyperv1.HostedControlPlane) {
+
+ deployment, loadErr := assets.LoadDeploymentManifest(ComponentName)
+ g.Expect(loadErr).ToNot(HaveOccurred())
+
+ cpContext := component.WorkloadContext{
+ Client: fake.NewClientBuilder().WithScheme(api.Scheme).Build(),
+ HCP: hcp,
+ }
+
+ err := adaptDeployment(cpContext, deployment)
+ g.Expect(err).ToNot(HaveOccurred())
+
+ container := podspec.FindContainer(ComponentName, deployment.Spec.Template.Spec.Containers)
+ g.Expect(container).ToNot(BeNil())
+ g.Expect(container.Args).To(ContainElement("--tls-min-version=VersionTLS12"))
+ g.Expect(container.Args).To(ContainElement(ContainSubstring("--tls-cipher-suites=")))
 },
 },
 {
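Review bot: The Intermediate case only asserts that some `--tls-cipher-suites=` argument is present, so a regression in config.CipherSuites that returned a weaker, reordered or single junk entry would still pass; the generated fixtures in this same commit pin the exact value and the unit test should too. I would replace the last assertion with `g.Expect(container.Args).To(ContainElement("--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"))`, or at minimum assert that no `TLS_RSA_` or CBC suite appears. A case for the Old profile and for a Custom profile with an explicit cipher list would exercise the remaining inputs the new branch in deployment.go can see. Style: the blank line directly after `validate: func(...) {` can be dropped. The enclosing test table starts before the hunk.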