Add centralized TLS configuration infrastructure

Add support for centralized TLS configuration derived from the
OpenShift APIServer TLS security profile. This enables Tekton
components to inherit cluster-wide TLS settings (minimum version,
cipher suites) via the TektonConfig CR.

Key changes:
- Watch the APIServer resource for TLS profile changes and enqueue
  TektonConfig for reconciliation
- Add GetTLSProfileFromAPIServer and TLSEnvVarsFromProfile to extract
  and convert TLS profiles to environment variables
- Add ResolveCentralTLSToEnvVars and InjectTLSEnvVars as reusable
  helpers for component extensions
- Add EnableCentralTLSConfig flag in TektonConfig OpenShift platform
  spec (opt-in, default false)
- Add GetPlatformData to the Extension interface for platform-specific
  hash data (e.g., TLS config fingerprint)
- Add RBAC permissions for reading the APIServer resource

Note: curve preferences (CurvePreferences) are currently omitted and
default to Go's standard library values until openshift/api#2583 is
merged.

Assisted-by: Cursor

Author: enarha

config/openshift/base/role.yaml

@@ -396,3 +396,12 @@ rules:
   - delete
   - update
   - patch
+# to read cluster TLS security profile for centralized TLS configuration
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  verbs:
+  - get
+  - list
+  - watch

docs/OpenShiftCentralizedTLSManagement.md

@@ -0,0 +1,93 @@
+# Centralized TLS Configuration Support
+
+This change adds support for centralized TLS configuration from OpenShift's APIServer resource, enabling Tekton components to inherit TLS settings (minimum version, cipher suites, curve preferences) from the cluster-wide security policy.
+
+## Key Changes
+
+### 1. New Configuration Flag
+
+- Added `EnableCentralTLSConfig` boolean field to `TektonConfig.Spec.Platforms.OpenShift`
+- When enabled, TLS settings from the cluster's APIServer are automatically injected into supported components
+- Default: `false` (opt-in)
+
+### 2. APIServer Watcher
+
+- Single centralized watcher in TektonConfig controller monitors the APIServer cluster resource
+- Uses a shared informer with 30-minute resync interval
+- When APIServer TLS profile changes, enqueues TektonConfig for reconciliation
+
+### 3. Extension Interface Enhancement
+
+- Added `GetPlatformData() string` method to the Extension interface
+- Enables components to include platform-specific data in installer set hash computation
+- Triggers installer set updates when TLS configuration changes
+
+### 4. TektonResult Integration
+
+- First component to support centralized TLS configuration
+- Injects `TLS_MIN_VERSION`, `TLS_CIPHER_SUITES`, and `TLS_CURVE_PREFERENCES` environment variables into the Results API deployment
+
+## TLS Configuration Flow
+
+```
+┌─────────────────────────────────────────────────────────────────────────────┐
+│                           INITIALIZATION                                     │
+├─────────────────────────────────────────────────────────────────────────────┤
+│                                                                              │
+│  1. TektonConfig Controller starts                                           │
+│     └─► setupAPIServerTLSWatch() creates shared informer for APIServer      │
+│         └─► Stores lister in occommon.SetSharedAPIServerLister()            │
+│         └─► Registers event handler to enqueue TektonConfig on changes      │
+│                                                                              │
+└─────────────────────────────────────────────────────────────────────────────┘
+
+┌─────────────────────────────────────────────────────────────────────────────┐
+│                           RECONCILIATION                                     │
+├─────────────────────────────────────────────────────────────────────────────┤
+│                                                                              │
+│  2. TektonResult reconciliation triggered                                    │
+│     │                                                                        │
+│     ▼                                                                        │
+│  3. Extension.PreReconcile(ctx) called                                       │
+│     │                                                                        │
+│     ├─► resolveTLSConfig(ctx)                                               │
+│     │   ├─► Check TektonConfig.Spec.Platforms.OpenShift.EnableCentralTLSConfig│
+│     │   │   └─► If false, return nil (no central TLS)                       │
+│     │   │                                                                    │
+│     │   └─► occommon.GetTLSEnvVarsFromAPIServer(ctx)                        │
+│     │       ├─► Read from shared APIServer lister (no API call)             │
+│     │       ├─► Use library-go's ObserveTLSSecurityProfile()                │
+│     │       └─► Return TLSEnvVars{MinVersion, CipherSuites, CurvePreferences}│
+│     │                                                                        │
+│     └─► Store result in oe.resolvedTLSConfig                                │
+│         └─► Log: "Injecting central TLS config: MinVersion=..."             │
+│                                                                              │
+│  4. Hash computation includes Extension.GetPlatformData()                        │
+│     └─► Returns fingerprint: "MinVersion:CipherSuites:CurvePreferences"     │
+│     └─► Change in TLS config → different hash → installer set update        │
+│                                                                              │
+│  5. Extension.Transformers() called                                          │
+│     └─► If resolvedTLSConfig != nil:                                        │
+│         └─► Add injectTLSConfig() transformer                               │
+│                                                                              │
+│  6. Manifests transformed                                                    │
+│     └─► injectTLSConfig() adds env vars to Results API deployment:          │
+│         ├─► TLS_MIN_VERSION                                                 │
+│         ├─► TLS_CIPHER_SUITES                                               │
+│         └─► TLS_CURVE_PREFERENCES                                           │
+│                                                                              │
+└─────────────────────────────────────────────────────────────────────────────┘
+
+┌─────────────────────────────────────────────────────────────────────────────┐
+│                           AUTOMATIC UPDATES                                  │
+├─────────────────────────────────────────────────────────────────────────────┤
+│                                                                              │
+│  7. When APIServer TLS profile changes:                                      │
+│     └─► Informer event handler triggers                                     │
+│         └─► Enqueues TektonConfig for reconciliation                        │
+│             └─► TektonResult reconciled with new TLS config                 │
+│                 └─► New hash computed → InstallerSet updated                │
+│                     └─► Deployment updated with new env vars                │
+│                                                                              │
+└─────────────────────────────────────────────────────────────────────────────┘
+```

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/openshift/api v0.0.0-20240521185306-0314f31e7774
 	github.com/openshift/apiserver-library-go v0.0.0-20230816171015-6bfafa975bfb
 	github.com/openshift/client-go v0.0.0-20240523113335-452272e0496d
+	github.com/openshift/library-go v0.0.0-20230503173034-95ca3c14e50a
 	github.com/sigstore/cosign/v2 v2.6.2
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
@@ -141,10 +142,12 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/emicklei/proto v1.14.2 // indirect
+	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-chi/chi/v5 v5.2.4 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
@@ -199,6 +202,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/henvic/httpretty v0.0.6 // indirect
+	github.com/imdario/mergo v0.3.11 // indirect
 	github.com/in-toto/attestation v1.1.2 // indirect
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -250,6 +254,7 @@ require (
 	github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/robfig/cron v1.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/sagikazarmark/locafero v0.11.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
@@ -316,13 +321,17 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/apiserver v0.34.1 // indirect
+	k8s.io/component-base v0.34.1 // indirect
 	k8s.io/gengo/v2 v2.0.0-20250820003526-c297c0c1eb9d // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-aggregator v0.34.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e // indirect
 	knative.dev/hack v0.0.0-20250331013814-c577ed9f7775 // indirect
 	sigs.k8s.io/controller-runtime v0.22.4 // indirect
 	sigs.k8s.io/gateway-api v1.4.1 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/kube-storage-version-migrator v0.0.4 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/release-utils v0.12.3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect