
CNTRLPLANE-3423: feat: have CVO inject the centralized TLS configuration into the operator's config#359

Open
ingvagabund wants to merge 1 commit into
openshift:mainfrom
ingvagabund:cvo-injected-tls-configuration

Conversation

@ingvagabund (Member) commented May 28, 2026

Also, have the operator restart whenever the config changes.

wip-docs: openshift/enhancements#2020

Summary by CodeRabbit

  • Improvements
    • Enabled TLS certificate injection for the service operator via configuration annotation.
    • Operator now automatically restarts when configuration or TLS certificate files are updated, ensuring fresh configurations are loaded promptly.

…ator's config

Also, have the operator restart whenever the config changes.
@coderabbitai (Bot) commented May 28, 2026

Walkthrough

The PR enables automatic TLS injection and file-watch-based process termination in the service-ca-operator. A ConfigMap annotation marks the operator config for TLS injection, and deployment args configure the operator to terminate and restart when those injected files or the config change.

Changes

TLS Injection and File-Watch Setup

ConfigMap TLS injection annotation (manifests/03_cm.yaml): ConfigMap metadata annotation config.openshift.io/inject-tls: "true" added to enable TLS injection.

Deployment file-watch termination (manifests/05_deploy.yaml, manifests/05_deploy-ibm-cloud-managed.yaml): Container args now include --terminate-on-files entries for operator-config.yaml, tls.crt, and tls.key file paths, triggering process termination on file changes.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 12 | ❌ 3

❌ Failed checks (3 warnings)

Microshift Test Compatibility: ⚠️ Warning
  Explanation: New Ginkgo e2e tests reference ClusterOperator API (config.openshift.io/v1), which is not available on MicroShift. Five tests found without protective measures.
  Resolution: Add [apigroup:config.openshift.io] tags to test names or [Skipped:MicroShift] labels for tests using ClusterOperator, or guard with exutil.IsMicroShiftCluster() check.

Single Node Openshift (Sno) Test Compatibility: ⚠️ Warning
  Explanation: New e2e tests create StatefulSet with 3 replicas and reference individual pods by DNS without SNO skip labels or topology checks.
  Resolution: Add [Skipped:SingleReplicaTopology] to StatefulSet test or guard with exutil.IsSingleNode() check to skip on SNO.

Topology-Aware Scheduling Compatibility: ⚠️ Warning
  Explanation: 05_deploy.yaml uses nodeSelector targeting control-plane nodes; on HyperShift this causes pods to remain Pending indefinitely as no master nodes exist.
  Resolution: Implement topology-aware scheduling by checking ControlPlaneTopology before applying node-role.kubernetes.io/master constraints, or use separate deployment manifests for different topologies.

✅ Passed checks (12 passed)

Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names: ✅ Passed. PR modified only manifest files (YAML), not test files. No Ginkgo test names were added or modified, so the stable/deterministic test names requirement is not applicable.
Test Structure And Quality: ✅ Passed. PR contains only manifest file changes (ConfigMap annotation and Deployment args). Repository uses standard Go testing package, not Ginkgo. Check for Ginkgo test quality is not applicable.
Ote Binary Stdout Contract: ✅ Passed. PR modifies only manifest YAML files with no source code changes. OTE Binary Stdout Contract applies to process-level code; manifest-only changes cannot violate it.
Ipv6 And Disconnected Network Test Compatibility: ✅ Passed. No new Ginkgo e2e tests were added in this PR. The changes only modify manifest YAML files to add TLS injection configuration via CVO, not test code.
No-Weak-Crypto: ✅ Passed. PR adds TLS injection configuration to operator. Code uses only secure crypto (crypto/x509, crypto/rand), no weak algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) detected.
Container-Privileges: ✅ Passed. No privileged container settings found in modified manifests; containers enforce allowPrivilegeEscalation: false, run as non-root (UID 1001), drop all capabilities, and use RuntimeDefault seccomp.
No-Sensitive-Data-In-Logs: ✅ Passed. PR adds manifest changes for TLS config injection. No sensitive data (passwords, tokens, keys, PII) is logged in code or manifests.
Title check: ✅ Passed. The title accurately describes the main change: enabling CVO to inject centralized TLS configuration into the operator's config, which is reflected in the ConfigMap annotation addition and deployment argument changes.
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.


@ingvagabund ingvagabund changed the title feat: have CVO inject the centralized TLS configuration into the operator's config CNTRLPLANE-3423: feat: have CVO inject the centralized TLS configuration into the operator's config May 28, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 28, 2026
@openshift-ci-robot (Contributor) commented May 28, 2026

@ingvagabund: This pull request references CNTRLPLANE-3423 which is a valid jira issue.

Details

In response to this:

Also, have the operator restart whenever the config changes.

Summary by CodeRabbit

  • Improvements
  • Enabled TLS certificate injection for the service operator via configuration annotation.
  • Operator now automatically restarts when configuration or TLS certificate files are updated, ensuring fresh configurations are loaded promptly.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai (Bot) commented May 28, 2026

Actionable comments posted: 0

@openshift-ci (Contributor) commented May 29, 2026

@ingvagabund: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@ricardomaraschini

/approve

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 29, 2026
@ingvagabund (Member, Author)

From https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_service-ca-operator/359/pull-ci-openshift-service-ca-operator-main-e2e-aws-operator/2060135376353234944/artifacts/e2e-aws-operator/gather-extra/artifacts/configmaps.json:

        {
            "apiVersion": "v1",
            "data": {
                "operator-config.yaml": "apiVersion: operator.openshift.io/v1alpha1\nkind: GenericOperatorConfig\nservingInfo:\n  cipherSuites:\n  - TLS_AES_128_GCM_SHA256\n  - TLS_AES_256_GCM_SHA384\n  - TLS_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n  minTLSVersion: VersionTLS12\n"
            },
            "kind": "ConfigMap",
            "metadata": {
                "annotations": {
                    "config.openshift.io/inject-tls": "true",
                    "include.release.openshift.io/hypershift": "true",
                    "include.release.openshift.io/ibm-cloud-managed": "true",
                    "include.release.openshift.io/self-managed-high-availability": "true",
                    "include.release.openshift.io/single-node-developer": "true"
                },
                "creationTimestamp": "2026-05-28T23:28:07Z",
                "name": "service-ca-operator-config",
                "namespace": "openshift-service-ca-operator",
                "ownerReferences": [
                    {
                        "apiVersion": "config.openshift.io/v1",
                        "controller": true,
                        "kind": "ClusterVersion",
                        "name": "version",
                        "uid": "59dc4be5-781d-49b4-bde5-5c6abb5797fc"
                    }
                ],
                "resourceVersion": "1647",
                "uid": "c87b5362-b170-4931-88db-78e3dff12236"
            }
        },

TLS injected

- args:
- --config=/var/run/configmaps/config/operator-config.yaml
- --terminate-on-files=/var/run/configmaps/config/operator-config.yaml
- --terminate-on-files=/var/run/secrets/serving-cert/tls.crt

What's up with these certs ? Are we fixing a bug in here as well ?

@ingvagabund (Member, Author)

Consistency with other operators. Yet, I can drop it.
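The injected operator-config.yaml quoted in the author's comment above carries the cluster's TLS policy as a servingInfo block (a minTLSVersion and a list of cipher suites). As an added example, not the operator's own code (its real config loading is not shown on the page), the Go below reads that block and turns it into a crypto/tls.Config, failing closed on any suite that crypto/tls does not list as secure and on any minTLSVersion below TLS 1.2. ServingInfo, parseServingInfo and BuildTLSConfig are names invented here, and the YAML reader is a deliberately narrow line-based one for exactly the layout CVO emitted, not a general parser; injectedConfig is the ConfigMap value from the comment, copied in as a constant so the example runs offline.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// injectedConfig is the operator-config.yaml value from the ConfigMap shown
// in the comment above, embedded so the example runs without a cluster.
const injectedConfig = `apiVersion: operator.openshift.io/v1alpha1
kind: GenericOperatorConfig
servingInfo:
  cipherSuites:
  - TLS_AES_128_GCM_SHA256
  - TLS_AES_256_GCM_SHA384
  - TLS_CHACHA20_POLY1305_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  minTLSVersion: VersionTLS12
`

// ServingInfo holds the two servingInfo fields the injected config carries.
// It is a type defined for this example, not the operator's config type.
type ServingInfo struct {
	MinTLSVersion string
	CipherSuites  []string
}

// parseServingInfo reads minTLSVersion and the cipherSuites list out of the
// flat layout above: one "cipherSuites:" key followed by "- NAME" items,
// then "minTLSVersion: X". Anything else in the document is ignored.
func parseServingInfo(doc string) (ServingInfo, error) {
	var si ServingInfo
	inSuites := false
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "cipherSuites:":
			inSuites = true
		case inSuites && strings.HasPrefix(line, "- "):
			si.CipherSuites = append(si.CipherSuites, strings.TrimSpace(line[2:]))
		case strings.HasPrefix(line, "minTLSVersion:"):
			inSuites = false
			si.MinTLSVersion = strings.TrimSpace(strings.TrimPrefix(line, "minTLSVersion:"))
		case line != "":
			inSuites = false
		}
	}
	if si.MinTLSVersion == "" {
		return si, fmt.Errorf("servingInfo.minTLSVersion not found")
	}
	return si, nil
}

// tlsVersions accepts TLS 1.2 and 1.3 only. An older floor is rejected rather
// than silently mapped, which is the point of enforcing a central policy.
var tlsVersions = map[string]uint16{
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// BuildTLSConfig resolves suite names through tls.CipherSuites(), the list of
// suites Go considers secure, so a name Go does not know or classes as
// insecure fails the whole config instead of being dropped from it.
func BuildTLSConfig(si ServingInfo) (*tls.Config, error) {
	minVer, ok := tlsVersions[si.MinTLSVersion]
	if !ok {
		return nil, fmt.Errorf("minTLSVersion %q rejected: only VersionTLS12 and VersionTLS13 are accepted", si.MinTLSVersion)
	}
	secure := make(map[string]uint16)
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	cfg := &tls.Config{MinVersion: minVer}
	for _, name := range si.CipherSuites {
		id, ok := secure[name]
		if !ok {
			return nil, fmt.Errorf("cipher suite %q rejected: unknown to crypto/tls or listed as insecure", name)
		}
		// TLS 1.3 suite IDs pass validation too; Go ignores them in
		// CipherSuites because 1.3 suites are not configurable.
		cfg.CipherSuites = append(cfg.CipherSuites, id)
	}
	return cfg, nil
}

func main() {
	si, err := parseServingInfo(injectedConfig)
	if err != nil {
		panic(err)
	}
	cfg, err := BuildTLSConfig(si)
	if err != nil {
		panic(err)
	}
	fmt.Printf("min version 0x%04x, %d cipher suites accepted\n", cfg.MinVersion, len(cfg.CipherSuites))
	// A suite the policy must never let through, to show the fail-closed path.
	_, err = BuildTLSConfig(ServingInfo{MinTLSVersion: "VersionTLS12", CipherSuites: []string{"TLS_RSA_WITH_RC4_128_SHA"}})
	fmt.Println("RC4 suite:", err)
}
```

The check worth keeping from this is the fail-closed resolution: a typo or a weak suite in the centrally injected list should stop the operator from serving, not quietly shrink the offered set, because the restart-on-change behaviour in this PR means a bad policy would otherwise take effect cluster-wide on the next ConfigMap update with no signal beyond a smaller handshake intersection.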

@openshift-ci (Contributor) commented Jun 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ricardomaraschini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.


3 participants