OCPBUGS-61038: SSL Medium Strength Cipher Suites Supported for kube-apiserver-check-endpoints

[lance5890]

Tow different approach for setting more safe Cipher Suites for kube-apiserver-check-endpoints, compared with #1911

Summary by CodeRabbit

• New Features

  • Endpoint checks can now load TLS configuration from a managed ConfigMap deployed to the cluster.

• Security

  • Enforces minimum TLS 1.2 and a curated set of strong cipher suites for endpoint checks.

• Chores

  • Operator deploys and manages the ConfigMap and configures the endpoint-check container to use it; config application errors are surfaced during target config creation.

[openshift-ci-robot]

@lance5890: This pull request references Jira Issue OCPBUGS-61038, which is invalid:

• expected the bug to target the "4.20.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Adds a kube-apiserver check-endpoints ConfigMap with static TLS settings, updates the kube-apiserver static-pod to pass that config to the check-endpoints container, registers the ConfigMap in revision-controlled maps, and applies it during target-config reconciliation.

Changes

Cohort / File(s)	Summary of changes
Kube-apiserver assets bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml, bindata/assets/kube-apiserver/pod.yaml	Added kube-apiserver-check-endpoints-config ConfigMap containing config.yaml (GenericOperatorConfig with servingInfo.cipherSuites and minTLSVersion: VersionTLS12); updated static-pod args for the check-endpoints container to include --config /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-check-endpoints-config/config.yaml.
Operator wiring pkg/operator/starter.go, pkg/operator/targetconfigcontroller/...	Registered kube-apiserver-check-endpoints-config in RevisionConfigMaps (starter.go); added manageKubeAPICheckEndpointsConfig helper that reads the asset and applies the ConfigMap, and invoked it during target config creation/reconcile, appending errors under configmap/kube-apiserver-check-endpoints-config on failure.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant TCC as TargetConfigController
  participant Assets as bindata/assets
  participant K8s as Kubernetes API
  participant Pod as kube-apiserver static pod

  Note over TCC: reconcile target config
  TCC->>Assets: Read check-endpoints-config-cm.yaml
  TCC->>K8s: Apply ConfigMap kube-apiserver-check-endpoints-config
  K8s-->>TCC: Created/Updated or error

  rect rgba(220,245,255,0.4)
    Note right of Pod: On static-pod start
    Pod->>Pod: check-endpoints container invoked with\n`--config /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-check-endpoints-config/config.yaml`
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I thump my paws—new config in the breeze,
Cipher carrots set in tidy rows,
The operator reads and applies with ease,
The check-endpoints hops and quietly knows,
TLS snug like burrows where security grows. 🥕✨

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lance5890
Once this PR has been reviewed and has the lgtm label, please assign vrutkovs for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @lance5890. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lance5890]

/cc @vrutkovs

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

pkg/operator/starter.go (1)

635-637: Minor: clarify comment; it’s the check-endpoints TLS config.

The comment mentions “operator-config” which is misleading here.

Apply:

-	// kube-apiserver-operator-config (TLS cipherSuites/minTLSVersion for check-endpoints).
+	// kube-apiserver-check-endpoints-config (TLS cipherSuites/minTLSVersion for check-endpoints).

pkg/operator/targetconfigcontroller/targetconfigcontroller.go (1)

222-225: Typo in function name; keep naming consistent.

Rename manageKubeAPICheckEndpointdConfig → manageKubeAPICheckEndpointsConfig.

Apply:

-	_, _, err = manageKubeAPICheckEndpointdConfig(ctx, c.kubeClient.CoreV1(), recorder, operatorSpec)
+	_, _, err = manageKubeAPICheckEndpointsConfig(ctx, c.kubeClient.CoreV1(), recorder, operatorSpec)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 0bec046 and c0ec1c2.

📒 Files selected for processing (4)

• bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml (1 hunks)
• bindata/assets/kube-apiserver/pod.yaml (1 hunks)
• pkg/operator/starter.go (1 hunks)
• pkg/operator/targetconfigcontroller/targetconfigcontroller.go (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

pkg/operator/targetconfigcontroller/targetconfigcontroller.go (3)

vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/core.go (1)

• ReadConfigMapV1OrDie (20-26)

bindata/assets.go (1)

• MustAsset (17-24)

vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go (1)

• ApplyConfigMap (83-85)

🔇 Additional comments (2)

bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml (1)

11-18: Verify AES_128 GCM suites against your security policy
No in-repo docs mandate dropping 128-bit GCM. Confirm whether your scanner flags TLS_ECDHE_*_AES_128_GCM_SHA256 as medium strength and requires only AES_256_GCM/CHACHA20; if so, remove the AES_128 entries:

@@ bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml Lines 11-18
       cipherSuites:
-      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
       - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
       - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
       - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
       - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
       minTLSVersion: VersionTLS12

bindata/assets/kube-apiserver/pod.yaml (1)

242-243: Verify check-endpoints supports --config / GenericOperatorConfig
pkg/cmd/checkendpoints/cmd.go relies on library-go’s ControllerCommandConfig to register flags—no explicit --config definition is present here. Manually confirm the built CLI exposes a --config flag and unmarshals its file into a GenericOperatorConfig schema.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pkg/operator/starter.go (1)

635-637: Fix misleading comment text.

The comment mentions “kube-apiserver-operator-config” but the actual resource is kube-apiserver-check-endpoints-config. Align the comment to avoid confusion.

-    // kube-apiserver-operator-config (TLS cipherSuites/minTLSVersion for check-endpoints).
+    // kube-apiserver-check-endpoints-config: TLS cipherSuites/minTLSVersion for check-endpoints.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between dcc1cf1 and 7b75728.

📒 Files selected for processing (4)

• bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml (1 hunks)
• bindata/assets/kube-apiserver/pod.yaml (1 hunks)
• pkg/operator/starter.go (1 hunks)
• pkg/operator/targetconfigcontroller/targetconfigcontroller.go (2 hunks)

✅ Files skipped from review due to trivial changes (1)

• bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• bindata/assets/kube-apiserver/pod.yaml
• pkg/operator/targetconfigcontroller/targetconfigcontroller.go

🔇 Additional comments (2)

pkg/operator/starter.go (2)

635-637: LGTM: adding the revisioned CM for check-endpoints TLS config is correct.

Including kube-apiserver-check-endpoints-config in RevisionConfigMaps keeps it roll-forward/rollback aware with the rest of the static-pod inputs. Order remains intact, with kube-apiserver-pod first.

---

635-637: Cross-file wiring verified
CM uses the config.yaml key and the pod’s --config …/configmaps/kube-apiserver-check-endpoints-config/config.yaml matches it; manageKubeAPICheckEndpointsConfig in the targetconfigcontroller applies this CM.

[lance5890]

compared with #1911, this PR use RevisionConfigMaps, I think this way is more compliant with the origin logic

[vrutkovs]

/ok-to-test

/cc @sanchezl

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

pkg/operator/targetconfigcontroller/targetconfigcontroller.go (1)

244-247: Placement: ensure the configmap exists before revision/pod reconciliation

Consider moving this call earlier (right after manageKubeAPIServerConfig and before managePods) to avoid a window where the revision controller or pod template references a not-yet-created configmap. Please confirm bootstrap/upgrade paths don’t go degraded when this CM is missing briefly.

Run to verify wiring across the repo:

#!/bin/bash
set -euo pipefail

# 1) Asset basics
file="$(fd -a 'check-endpoints-config-cm.yaml' bindata | head -n1)"
echo "Asset file: $file"
rg -nC2 -e '^kind:\s*ConfigMap' -e '^metadata:' -e 'name:\s*kube-apiserver-check-endpoints-config' -e 'namespace:\s*openshift-kube-apiserver' "$file"

# 2) Ensure data key is config.yaml
rg -nC2 -e '^data:' -e '^\s*config\.yaml:' "$file"

# 3) Ensure revision controller includes this CM
rg -nC3 -e 'RevisionConfigMaps' -e 'kube-apiserver-check-endpoints-config' pkg/operator/starter.go

# 4) Ensure pod uses the config path for check-endpoints
rg -nC3 -e 'kube-apiserver-check-endpoints' -e '--config' -e 'kube-apiserver-check-endpoints-config/config\.yaml' bindata/assets/kube-apiserver/pod\.yaml

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 347c516 and 1ed850d.

📒 Files selected for processing (4)

• bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml (1 hunks)
• bindata/assets/kube-apiserver/pod.yaml (1 hunks)
• pkg/operator/starter.go (1 hunks)
• pkg/operator/targetconfigcontroller/targetconfigcontroller.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml
• bindata/assets/kube-apiserver/pod.yaml
• pkg/operator/starter.go

🧰 Additional context used

🧬 Code graph analysis (1)

pkg/operator/targetconfigcontroller/targetconfigcontroller.go (4)

vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/core.go (1)

• ReadConfigMapV1OrDie (20-26)

bindata/assets.go (1)

• MustAsset (17-24)

pkg/operator/operatorclient/interfaces.go (1)

• TargetNamespace (7-7)

vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go (1)

• ApplyConfigMap (83-85)

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

pkg/operator/targetconfigcontroller/targetconfigcontroller.go (1)

310-318: Fix compile error and simplify: use ApplyConfigMap directly; normalize namespace

The helper currently won’t compile (return _, _, err) and redundantly performs a Get. Replace with a straight ApplyConfigMap and force the namespace to TargetNamespace to guard against asset drift.

-func manageKubeAPICheckEndpointsConfig(ctx context.Context, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
-	configMap := resourceread.ReadConfigMapV1OrDie(bindata.MustAsset("assets/kube-apiserver/check-endpoints-config-cm.yaml"))
-	cmCLient := client.ConfigMaps(operatorclient.TargetNamespace)
-	_, err := cmCLient.Get(ctx, "kube-apiserver-check-endpoints-config", metav1.GetOptions{})
-	if err != nil && apierrors.IsNotFound(err){
-		return _, _, err
-	}
-	return resourceapply.ApplyConfigMap(ctx, client, recorder, configMap)
-}
+func manageKubeAPICheckEndpointsConfig(ctx context.Context, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
+	required := resourceread.ReadConfigMapV1OrDie(bindata.MustAsset("assets/kube-apiserver/check-endpoints-config-cm.yaml"))
+	// Defensively normalize namespace in case the asset drifts.
+	required.Namespace = operatorclient.TargetNamespace
+	return resourceapply.ApplyConfigMap(ctx, client, recorder, required)
+}

🧹 Nitpick comments (1)

pkg/operator/targetconfigcontroller/targetconfigcontroller.go (1)

244-247: Consider applying the CM before updating the pod template to avoid first-rollout mount stalls

kube-apiserver-pod likely mounts this ConfigMap; applying it after managePods can transiently reference a non-existent CM on initial revisions. Prefer calling manageKubeAPICheckEndpointsConfig before managePods (e.g., right after manageKubeAPIServerConfig). If the revision controller already gates on presence, ignore.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1ed850d and f439451.

📒 Files selected for processing (4)

• bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml (1 hunks)
• bindata/assets/kube-apiserver/pod.yaml (1 hunks)
• pkg/operator/starter.go (1 hunks)
• pkg/operator/targetconfigcontroller/targetconfigcontroller.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• bindata/assets/kube-apiserver/pod.yaml
• pkg/operator/starter.go
• bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml

🧰 Additional context used

🧬 Code graph analysis (1)

pkg/operator/targetconfigcontroller/targetconfigcontroller.go (4)

vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/core.go (1)

• ReadConfigMapV1OrDie (20-26)

bindata/assets.go (1)

• MustAsset (17-24)

pkg/operator/operatorclient/interfaces.go (1)

• TargetNamespace (7-7)

vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go (1)

• ApplyConfigMap (83-85)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

pkg/operator/targetconfigcontroller/targetconfigcontroller.go (1)

310-313: Set namespace defensively before apply.

Avoid surprises if the asset’s namespace ever drifts; normalize it to TargetNamespace before Apply.

-func manageKubeAPICheckEndpointsConfig(ctx context.Context, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
-	configMap := resourceread.ReadConfigMapV1OrDie(bindata.MustAsset("assets/kube-apiserver/check-endpoints-config-cm.yaml"))
-	return resourceapply.ApplyConfigMap(ctx, client, recorder, configMap)
-}
+func manageKubeAPICheckEndpointsConfig(ctx context.Context, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
+	required := resourceread.ReadConfigMapV1OrDie(bindata.MustAsset("assets/kube-apiserver/check-endpoints-config-cm.yaml"))
+	required.Namespace = operatorclient.TargetNamespace
+	return resourceapply.ApplyConfigMap(ctx, client, recorder, required)
+}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f27f4b5 and 1ce447f.

📒 Files selected for processing (4)

• bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml (1 hunks)
• bindata/assets/kube-apiserver/pod.yaml (1 hunks)
• pkg/operator/starter.go (1 hunks)
• pkg/operator/targetconfigcontroller/targetconfigcontroller.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• bindata/assets/kube-apiserver/pod.yaml
• pkg/operator/starter.go
• bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml

🧰 Additional context used

🧬 Code graph analysis (1)

pkg/operator/targetconfigcontroller/targetconfigcontroller.go (3)

vendor/github.com/openshift/library-go/pkg/operator/resource/resourceread/core.go (1)

• ReadConfigMapV1OrDie (20-26)

bindata/assets.go (1)

• MustAsset (17-24)

vendor/github.com/openshift/library-go/pkg/operator/resource/resourceapply/core.go (1)

• ApplyConfigMap (83-85)

🔇 Additional comments (2)

pkg/operator/targetconfigcontroller/targetconfigcontroller.go (2)

222-225: Good sequencing and error wiring for check-endpoints ConfigMap.

Applied before managePods and uses a precise degraded key. This integrates cleanly with the existing error aggregation.

---

222-225: Resolve: ConfigMap wiring and usage verified
manageKubeAPICheckEndpointsConfig is invoked in createTargetConfig, the ConfigMap asset exists with name kube-apiserver-check-endpoints-config in namespace openshift-kube-apiserver, the pod’s args include --config /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-check-endpoints-config/config.yaml, and the CM is listed (optional) in RevisionConfigMaps.

[lance5890]

/retest

[openshift-ci]

@lance5890: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator-single-node	1ce447f	link	false	/test e2e-gcp-operator-single-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.