From 078d0c146fe59b364cf907839d73f4d33ae8c03c Mon Sep 17 00:00:00 2001
From: Gabriel Bernal
Date: Fri, 10 Oct 2025 10:54:23 +0200
Subject: [PATCH] OCPBUGS-62276: add tls configuration for the monitoring plugin deployment
Signed-off-by: Gabriel Bernal
---
 assets/monitoring-plugin/deployment.yaml | 9 +++++----
 jsonnet/components/monitoring-plugin.libsonnet | 9 +++++----
 jsonnet/main.jsonnet | 1 +
 pkg/manifests/manifests.go | 4 ++++
 test/e2e/tls_security_profile_test.go | 3 +++
 5 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/assets/monitoring-plugin/deployment.yaml b/assets/monitoring-plugin/deployment.yaml
index b61d4b0063..7d1c0d97e4 100644
--- a/assets/monitoring-plugin/deployment.yaml
+++ b/assets/monitoring-plugin/deployment.yaml
@@ -46,10 +46,11 @@ spec:
 automountServiceAccountToken: false
 containers:
 - args:
- - -config-path=/opt/app-root/web/dist
- - -static-path=/opt/app-root/web/dist
- - -cert=/var/cert/tls.crt
- - -key=/var/cert/tls.key
+ - --config-path=/opt/app-root/web/dist
+ - --static-path=/opt/app-root/web/dist
+ - --cert=/var/cert/tls.crt
+ - --key=/var/cert/tls.key
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
 command:
 - /opt/app-root/plugin-backend
 image: ""
diff --git a/jsonnet/components/monitoring-plugin.libsonnet b/jsonnet/components/monitoring-plugin.libsonnet
index 15de856eff..c94924873c 100644
--- a/jsonnet/components/monitoring-plugin.libsonnet
+++ b/jsonnet/components/monitoring-plugin.libsonnet
@@ -197,10 +197,11 @@ function(params)
 $.volumeMount(tlsVolumeName, tlsMountPath),
 ],
 args: [
- '-config-path=/opt/app-root/web/dist',
- '-static-path=/opt/app-root/web/dist',
- '-cert=' + tlsCertPath,
- '-key=' + tlsKeyPath,
+ '--config-path=/opt/app-root/web/dist',
+ '--static-path=/opt/app-root/web/dist',
+ '--cert=' + tlsCertPath,
+ '--key=' + tlsKeyPath,
+ '--tls-cipher-suites=' + cfg.tlsCipherSuites,
 ],
 command: [
 '/opt/app-root/plugin-backend',
diff --git a/jsonnet/main.jsonnet b/jsonnet/main.jsonnet
index 6396569628..971d0e7f47 100644
--- a/jsonnet/main.jsonnet
+++ b/jsonnet/main.jsonnet
@@ -324,6 +324,7 @@ local inCluster =
 namespace: $.values.common.namespace,
 commonLabels+: $.values.common.commonLabels,
 image: $.values.common.images.monitoringPlugin,
+ tlsCipherSuites: $.values.common.tlsCipherSuites,
 },
 controlPlane: {
 namespace: $.values.common.namespace,
diff --git a/pkg/manifests/manifests.go b/pkg/manifests/manifests.go
index fc20255996..3642321fed 100644
--- a/pkg/manifests/manifests.go
+++ b/pkg/manifests/manifests.go
@@ -315,6 +315,8 @@ var (
 MetricsServerTLSMinTLSVersionFlag = "--tls-min-version="
 KubeRbacProxyTLSCipherSuitesFlag = "--tls-cipher-suites="
 KubeRbacProxyMinTLSVersionFlag = "--tls-min-version="
+ MonitoringPluginTLSCipherSuitesFlag = "--tls-cipher-suites="
+ MonitoringPluginTLSMinTLSVersionFlag = "--tls-min-version="
 AuthProxyExternalURLFlag = "-external-url="
 AuthProxyCookieDomainFlag = "-cookie-domain="
@@ -2817,6 +2819,8 @@ func (f *Factory) MonitoringPluginDeployment() (*appsv1.Deployment, error) {
 }
 containers[idx].Image = f.config.Images.MonitoringPlugin
+ containers[idx].Args = f.setTLSSecurityConfiguration(podSpec.Containers[0].Args,
+ MonitoringPluginTLSCipherSuitesFlag, MonitoringPluginTLSMinTLSVersionFlag)
 cfg := f.config.ClusterMonitoringConfiguration.MonitoringPluginConfig
 if cfg == nil {
diff --git a/test/e2e/tls_security_profile_test.go b/test/e2e/tls_security_profile_test.go
index e3788e408b..8b64438a5b 100644
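Review bot: The new `'--tls-cipher-suites=' + cfg.tlsCipherSuites` argument sets a cipher list but no minimum TLS version, so the rendered default (the regenerated deployment.yaml in this patch) leaves the version floor to whatever the plugin-backend's built-in default is, and only the operator's `setTLSSecurityConfiguration` override pins it. Since the Go side of this patch already declares `MonitoringPluginTLSMinTLSVersionFlag = "--tls-min-version="`, the backend presumably accepts that flag, and the jsonnet default should carry it as well, e.g. `'--tls-min-version=VersionTLS12',` right after the cipher-suite line, so the static asset and the operator-managed deployment agree. The concatenation also assumes `$.values.common.tlsCipherSuites` is already a comma-joined string rather than a list; the regenerated asset confirms that here, but a one-line comment saying the value must be pre-joined would save the next reader a lookup. The `args:` array is fully inside the hunk, but the enclosing container definition starts and ends outside it.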
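Review bot: The added call reads its input from `podSpec.Containers[0].Args` but writes the result to `containers[idx].Args`, so if `idx` is ever anything other than 0 (an injected sidecar, a reordered container list) the plugin container ends up with the TLS flags merged into a different container's argument list. Source and destination should be the same element: `containers[idx].Args = f.setTLSSecurityConfiguration(containers[idx].Args,` / `MonitoringPluginTLSCipherSuitesFlag, MonitoringPluginTLSMinTLSVersionFlag)`. Whether `containers` aliases `podSpec.Containers` cannot be seen from here; if it does, the current line only works because idx happens to be 0 today. MonitoringPluginDeployment starts and ends outside this hunk, so the lookup that produces `idx` is not visible.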
--- a/test/e2e/tls_security_profile_test.go
+++ b/test/e2e/tls_security_profile_test.go
@@ -70,6 +70,9 @@ func TestDefaultTLSSecurityProfileConfiguration(t *testing.T) {
 assertCorrectTLSConfiguration(t, "metrics-server", "deployment", manifests.MetricsServerTLSCipherSuitesFlag, manifests.MetricsServerTLSMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
+ assertCorrectTLSConfiguration(t, "monitoring-plugin", "deployment",
+ manifests.MonitoringPluginTLSCipherSuitesFlag,
+ manifests.MonitoringPluginTLSMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
 }
 func assertCorrectTLSConfiguration(t *testing.T, componentName, objectType, tlsCipherSuiteFlag, tlsMinTLSVersionFlag string, expectedCipherSuite []string, expectedTLSVersion string) {
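Review bot: The new assertion only exercises the default (Intermediate) profile; `assertCorrectTLSConfiguration` takes the expected ciphers and version as parameters, which suggests the file also has a test that applies a custom or non-default TLSSecurityProfile, and if so the monitoring-plugin deployment should be asserted there too, otherwise a regression in how the operator propagates a changed profile to this component would go unnoticed. The helper also checks a deployment, so the test implicitly depends on the operator having rewritten the plugin container's args; a one-line comment pointing at `MonitoringPluginDeployment` as the place that injects the flags would help readers connect the two. TestDefaultTLSSecurityProfileConfiguration starts outside this hunk.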