This change adds support for centralized TLS configuration from OpenShift's APIServer resource, enabling Tekton components to inherit TLS settings (minimum version, cipher suites, curve preferences) from the cluster-wide security policy.
- Added `EnableCentralTLSConfig` boolean field to `TektonConfig.Spec.Platforms.OpenShift`
  - When enabled, TLS settings from the cluster's APIServer are automatically injected into supported components
  - Default: `false` (opt-in)
- Single centralized watcher in the TektonConfig controller monitors the APIServer cluster resource
  - Uses a shared informer with a 30-minute resync interval
  - When the APIServer TLS profile changes, enqueues TektonConfig for reconciliation
- Added `GetPlatformData() string` method to the Extension interface
  - Enables components to include platform-specific data in the installer set hash computation
  - Triggers installer set updates when the TLS configuration changes
- TektonResult is the first component to support centralized TLS configuration
  - Injects `TLS_MIN_VERSION`, `TLS_CIPHER_SUITES`, and `TLS_CURVE_PREFERENCES` environment variables into the Results API deployment
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ INITIALIZATION                                                               │
├──────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│ 1. TektonConfig Controller starts                                            │
│    └─► setupAPIServerTLSWatch() creates shared informer for APIServer        │
│        ├─► Stores lister in occommon.SetSharedAPIServerLister()              │
│        └─► Registers event handler to enqueue TektonConfig on changes        │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│ RECONCILIATION                                                               │
├──────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│ 2. TektonResult reconciliation triggered                                     │
│    │                                                                         │
│    ▼                                                                         │
│ 3. Extension.PreReconcile(ctx) called                                        │
│    │                                                                         │
│    ├─► resolveTLSConfig(ctx)                                                 │
│    │   ├─► Check TektonConfig.Spec.Platforms.OpenShift.EnableCentralTLSConfig│
│    │   │   └─► If false, return nil (no central TLS)                         │
│    │   │                                                                     │
│    │   └─► occommon.GetTLSEnvVarsFromAPIServer(ctx)                          │
│    │       ├─► Read from shared APIServer lister (no API call)               │
│    │       ├─► Use library-go's ObserveTLSSecurityProfile()                  │
│    │       └─► Return TLSEnvVars{MinVersion, CipherSuites, CurvePreferences} │
│    │                                                                         │
│    └─► Store result in oe.resolvedTLSConfig                                  │
│        └─► Log: "Injecting central TLS config: MinVersion=..."               │
│                                                                              │
│ 4. Hash computation includes Extension.GetPlatformData()                     │
│    ├─► Returns fingerprint: "MinVersion:CipherSuites:CurvePreferences"       │
│    └─► Change in TLS config → different hash → installer set update          │
│                                                                              │
│ 5. Extension.Transformers() called                                           │
│    └─► If resolvedTLSConfig != nil:                                          │
│        └─► Add injectTLSConfig() transformer                                 │
│                                                                              │
│ 6. Manifests transformed                                                     │
│    └─► injectTLSConfig() adds env vars to Results API deployment:            │
│        ├─► TLS_MIN_VERSION                                                   │
│        ├─► TLS_CIPHER_SUITES                                                 │
│        └─► TLS_CURVE_PREFERENCES                                             │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│ AUTOMATIC UPDATES                                                            │
├──────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│ 7. When APIServer TLS profile changes:                                       │
│    └─► Informer event handler triggers                                       │
│        └─► Enqueues TektonConfig for reconciliation                          │
│            └─► TektonResult reconciled with new TLS config                   │
│                └─► New hash computed → InstallerSet updated                  │
│                    └─► Deployment updated with new env vars                  │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
```
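The fingerprint (step 4) and transformer (steps 5 and 6) described above, as an added Go example written for this page; it is not code from the Tekton operator or from this PR. It models the Results API Deployment as an unstructured map, computes the `MinVersion:CipherSuites:CurvePreferences` string that feeds the installer set hash, and injects the three env vars, overwriting an existing entry of the same name so that a repeated reconcile or a changed profile never leaves duplicates. The sample manifest, the Deployment name `tekton-results-api`, the env value format (library-go style `VersionTLS12`, IANA cipher names, comma-separated lists) and all helper names are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample manifest (not the project's real Results API manifest; the
// Deployment name is assumed). The stale TLS_MIN_VERSION entry exercises the overwrite path.
const sampleManifest = `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"tekton-results-api"},
 "spec":{"template":{"spec":{"containers":[{"name":"api","env":[
 {"name":"TLS_MIN_VERSION","value":"VersionTLS10"},{"name":"LOG_LEVEL","value":"info"}]}]}}}}`

// TLSEnvVars holds the values resolved from the APIServer TLS profile. The value format
// (library-go style "VersionTLS12", IANA cipher names, comma-separated lists) is assumed here.
type TLSEnvVars struct {
	MinVersion                     string
	CipherSuites, CurvePreferences []string
}

// Fingerprint is the "MinVersion:CipherSuites:CurvePreferences" string fed into the
// installer set hash; a nil receiver (central TLS disabled) contributes the empty string.
func (t *TLSEnvVars) Fingerprint() string {
	if t == nil {
		return ""
	}
	return strings.Join([]string{t.MinVersion, strings.Join(t.CipherSuites, ","), strings.Join(t.CurvePreferences, ",")}, ":")
}

// EnvVars lists the three variables in a fixed order so injection is deterministic.
func (t *TLSEnvVars) EnvVars() [][2]string {
	return [][2]string{
		{"TLS_MIN_VERSION", t.MinVersion},
		{"TLS_CIPHER_SUITES", strings.Join(t.CipherSuites, ",")},
		{"TLS_CURVE_PREFERENCES", strings.Join(t.CurvePreferences, ",")},
	}
}

// field returns v[key] when v is a JSON object and nil otherwise, so lookups chain safely.
func field(v interface{}, key string) interface{} {
	obj, _ := v.(map[string]interface{})
	return obj[key]
}

// upsertEnv overwrites an entry with the same name instead of appending a duplicate, so
// re-running the transformer on every reconcile is idempotent and a profile change
// replaces the old value instead of leaving two entries with the same name.
func upsertEnv(env []interface{}, vars [][2]string) []interface{} {
	seen := map[string]bool{}
	for _, e := range env {
		for _, kv := range vars {
			if em, ok := e.(map[string]interface{}); ok && em["name"] == kv[0] {
				em["value"], seen[kv[0]] = kv[1], true
				delete(em, "valueFrom") // a literal value and valueFrom are mutually exclusive
			}
		}
	}
	for _, kv := range vars {
		if !seen[kv[0]] {
			env = append(env, map[string]interface{}{"name": kv[0], "value": kv[1]})
		}
	}
	return env
}

// InjectTLSConfig is the transformer step: it touches only the Deployment named deployName,
// and a nil tls (feature disabled, or no profile resolved) leaves the manifest untouched.
func InjectTLSConfig(m map[string]interface{}, deployName string, tls *TLSEnvVars) (bool, error) {
	if tls == nil || m["kind"] != "Deployment" || field(m["metadata"], "name") != deployName {
		return false, nil
	}
	list, ok := field(field(field(m["spec"], "template"), "spec"), "containers").([]interface{})
	if !ok {
		return false, fmt.Errorf("spec.template.spec.containers is missing or not a list")
	}
	for _, c := range list {
		if cm, ok := c.(map[string]interface{}); ok {
			env, _ := cm["env"].([]interface{})
			cm["env"] = upsertEnv(env, tls.EnvVars())
		}
	}
	return true, nil
}

// EnvList renders container idx's env as NAME=VALUE strings in manifest order.
func EnvList(m map[string]interface{}, idx int) []string {
	list, _ := field(field(field(m["spec"], "template"), "spec"), "containers").([]interface{})
	if idx >= len(list) {
		return nil
	}
	env, _ := field(list[idx], "env").([]interface{})
	var out []string
	for _, e := range env {
		out = append(out, fmt.Sprintf("%v=%v", field(e, "name"), field(e, "value")))
	}
	return out
}

func main() {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(sampleManifest), &m); err != nil {
		panic(err)
	}
	profile := &TLSEnvVars{MinVersion: "VersionTLS12", CipherSuites: []string{"TLS_AES_256_GCM_SHA384"}, CurvePreferences: []string{"X25519"}}
	changed, err := InjectTLSConfig(m, "tekton-results-api", profile)
	fmt.Println(profile.Fingerprint(), changed, err, EnvList(m, 0))
}
```

A nil profile (`EnableCentralTLSConfig` false, or nothing resolved) is a no-op for both the fingerprint and the transformer, which matches the opt-in default. A Deployment without a containers list is reported as an error rather than silently skipped, so a broken manifest cannot be mistaken for a successful injection.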