openshift · simonpasquier · Mar 6, 2026 · Mar 9, 2026 · Mar 12, 2026 · machine424
diff --git a/cmd/operator/main.go b/cmd/operator/main.go
@@ -25,12 +25,18 @@ import (
 	"strings"
 	"syscall"
 
+	configv1client "github.com/openshift/client-go/config/clientset/versioned"
+	"github.com/openshift/library-go/pkg/operator/events"
 	"golang.org/x/sync/errgroup"
 	"k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/clock"
 	runtimelog "sigs.k8s.io/controller-runtime/pkg/log"
 
+	"github.com/openshift/cluster-monitoring-operator/pkg/client"
 	"github.com/openshift/cluster-monitoring-operator/pkg/manifests"
 	cmo "github.com/openshift/cluster-monitoring-operator/pkg/operator"
 	"github.com/openshift/cluster-monitoring-operator/pkg/server"
@@ -83,6 +89,42 @@ type telemetryConfig struct {
 	Matches []string `json:"matches"`
 }
 
+func newClient(
+	ctx context.Context,
+	config *rest.Config,
+	version string,
+	namespace, namespaceUserWorkload string,
+) (*client.Client, error) {
+	kclient, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, fmt.Errorf("creating kubernetes clientset client: %w", err)
+	}
+	controllerRef, err := events.GetControllerReferenceForCurrentPod(ctx, kclient, namespace, nil)
+	if err != nil {
+		klog.Warningf("unable to get owner reference (falling back to namespace): %v", err)
+	}
+
+	eventRecorder := events.NewKubeRecorderWithOptions(
+		kclient.CoreV1().Events(namespace),
+		events.RecommendedClusterSingletonCorrelatorOptions(),
+		"cluster-monitoring-operator",
+		controllerRef,
+		clock.RealClock{},
+	)
+
+	configClient, err := configv1client.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	c, err := client.NewForConfig(config, version, namespace, namespaceUserWorkload, client.KubernetesClient(kclient), client.OpenshiftConfigClient(configClient), client.EventRecorder(eventRecorder))
+	if err != nil {
+		return nil, err
+	}
+
+	return c, nil
+}
+
 func Main() int {
 	flagset := flag.CommandLine
 	klog.InitFlags(flagset)
@@ -170,10 +212,30 @@ func Main() int {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
+	client, err := newClient(ctx, config, *releaseVersion, *namespace, *namespaceUserWorkload)
+	if err != nil {
+		fmt.Fprint(os.Stderr, err)
+		return 1
+	}
+
+	// Retrieve the TLS settings from the API server configuration.
+	apiServerConfig, err := client.GetAPIServerConfig(ctx)
+	if err != nil {
+		fmt.Fprint(os.Stderr, err)
+		return 1
+	}
+	apiServerConfigAdapter := manifests.NewAPIServerConfig(apiServerConfig)
+	klog.Infof(
+		"TLS configuration (read from the cluster TLS security profile): minimum version=%q, ciphers=[%s]",
+		apiServerConfigAdapter.MinTLSVersion(),
+		strings.Join(apiServerConfigAdapter.TLSCiphers(), ","),
+	)
+
 	userWorkloadConfigMapName := "user-workload-monitoring-config"
 	o, err := cmo.New(
 		ctx,
-		config,
+		client,
+		apiServerConfigAdapter,
 		*releaseVersion,
 		*namespace,
 		*namespaceUserWorkload,
@@ -183,6 +245,7 @@ func Main() int {
 		images.asMap(),
 		telemetryConfig.Matches,
 		assets,
+		cancel,
 	)
 	if err != nil {
 		fmt.Fprint(os.Stderr, err)
@@ -203,11 +266,24 @@ func Main() int {
 
 	wg.Go(func() error { return o.Run(ctx) })
 
-	srv, err := server.NewServer("cluster-monitoring-operator", config, *kubeconfigPath, *certFile, *keyFile)
+	srv, err := server.NewServer(
+		"cluster-monitoring-operator",
+		config,
+		*kubeconfigPath,
+		*certFile, *keyFile,
+		apiServerConfigAdapter.MinTLSVersion(),
+		apiServerConfigAdapter.TLSCiphers(),
+	)
 	if err != nil {
 		fmt.Fprint(os.Stderr, err)
 		return 1
 	}
+
+	// Catch any configuration error before running the server.
+	if err := srv.Prepare(ctx); err != nil {
+		fmt.Fprint(os.Stderr, err)
+		return 1
+	}
 	wg.Go(func() error { return srv.Run(ctx) })
 
 	term := make(chan os.Signal, 1)

diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -602,8 +602,8 @@ func (c *Client) GetInfrastructure(ctx context.Context, name string) (*configv1.
 	return c.oscclient.ConfigV1().Infrastructures().Get(ctx, name, metav1.GetOptions{})
 }
 
-func (c *Client) GetAPIServerConfig(ctx context.Context, name string) (*configv1.APIServer, error) {
-	return c.oscclient.ConfigV1().APIServers().Get(ctx, name, metav1.GetOptions{})
+func (c *Client) GetAPIServerConfig(ctx context.Context) (*configv1.APIServer, error) {
+	return c.oscclient.ConfigV1().APIServers().Get(ctx, "cluster", metav1.GetOptions{})
 }
 
 func (c *Client) GetConsoleConfig(ctx context.Context, name string) (*configv1.Console, error) {
@@ -1963,3 +1963,7 @@ func Poll(ctx context.Context, condition wait.ConditionWithContextFunc, options
 
 	return nil
 }
+
+func (c *Client) OpenShiftConfigClientset() openshiftconfigclientset.Interface {
+	return c.oscclient
+}
diff --git a/pkg/manifests/apiserver_config.go b/pkg/manifests/apiserver_config.go
@@ -15,6 +15,8 @@
 package manifests
 
 import (
+	"slices"
+
 	configv1 "github.com/openshift/api/config/v1"
 )
 
@@ -37,6 +39,13 @@ func NewAPIServerConfig(config *configv1.APIServer) *APIServerConfig {
 	}
 }
 
+// Equal returns true if the given configuration is semantically equal to the
+// current configuration.
+func (c *APIServerConfig) Equal(other *APIServerConfig) bool {
+	return c.MinTLSVersion() == other.MinTLSVersion() &&
+		slices.Equal(c.TLSCiphers(), other.TLSCiphers())
+}
+
 // TLSCiphers returns the TLS ciphers for the
 // TLS security profile defined in the APIServerConfig.
 func (c *APIServerConfig) TLSCiphers() []string {