Enable centralized TLS configuration for TektonResult

Activate the centralized TLS configuration infrastructure for the
TektonResult component:

- Resolve TLS config from APIServer via ResolveCentralTLSToEnvVars in PreReconcile
- Inject TLS env vars into the results-api deployment using the generic
  InjectTLSEnvVars transformer
- Include TLS config fingerprint in GetPlatformData for installer set
  hash computation, triggering updates on TLS profile changes
- Log injected TLS config at Info level for observability

Assisted-by: Cursor

Author: enarha

pkg/reconciler/kubernetes/tektonresult/installerset.go

@@ -33,11 +33,18 @@ func (r *Reconciler) createInstallerSet(ctx context.Context, tr *v1alpha1.Tekton
 		return nil, err
 	}
 
-	// compute the hash of tektonresult spec and store as an annotation
-	// in further reconciliation we compute hash of td spec and check with
-	// annotation, if they are same then we skip updating the object
+	// compute the hash of tektonresult spec (including platform-specific data)
+	// and store as an annotation. In further reconciliation we compute hash
+	// and check with annotation, if they are same then we skip updating the object
 	// otherwise we update the manifest
-	specHash, err := hash.Compute(tr.Spec)
+	hashInput := struct {
+		Spec      v1alpha1.TektonResultSpec
+		ExtraData string
+	}{
+		Spec:      tr.Spec,
+		ExtraData: tr.Annotations[v1alpha1.PlatformDataHashKey],
+	}
+	specHash, err := hash.Compute(hashInput)
 	if err != nil {
 		return nil, err
 	}

pkg/reconciler/kubernetes/tektonresult/tektonresult.go

@@ -322,8 +322,15 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, tr *v1alpha1.TektonResul
 		// of TektonResult is changed by checking hash stored as annotation on
 		// TektonInstallerSet with computing new hash of TektonResult Spec
 		logger.Debug("Checking for spec changes in TektonResult")
-		// Hash of TektonResult Spec
-		expectedSpecHash, err := hash.Compute(tr.Spec)
+		// Hash of TektonResult Spec including platform-specific data (e.g., TLS config)
+		hashInput := struct {
+			Spec      v1alpha1.TektonResultSpec
+			ExtraData string
+		}{
+			Spec:      tr.Spec,
+			ExtraData: tr.Annotations[v1alpha1.PlatformDataHashKey],
+		}
+		expectedSpecHash, err := hash.Compute(hashInput)
 		if err != nil {
 			logger.Errorw("Failed to compute spec hash", "error", err)
 			return err

pkg/reconciler/openshift/tektonresult/controller.go

@@ -19,9 +19,10 @@ package tektonresult
 import (
 	"context"
 
-	k8s_ctrl "github.com/tektoncd/operator/pkg/reconciler/kubernetes/tektonresult"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
+
+	k8s_ctrl "github.com/tektoncd/operator/pkg/reconciler/kubernetes/tektonresult"
 )
 
 // NewController initializes the controller and is called by the generated code

pkg/reconciler/openshift/tektonresult/extension.go

@@ -23,16 +23,18 @@ import (
 	"strings"
 
 	mf "github.com/manifestival/manifestival"
-	"github.com/tektoncd/operator/pkg/apis/operator/v1alpha1"
-	operatorclient "github.com/tektoncd/operator/pkg/client/injection/client"
-	"github.com/tektoncd/operator/pkg/reconciler/common"
-	"github.com/tektoncd/operator/pkg/reconciler/kubernetes/tektoninstallerset/client"
-	occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
 	"knative.dev/pkg/logging"
+
+	"github.com/tektoncd/operator/pkg/apis/operator/v1alpha1"
+	operatorclient "github.com/tektoncd/operator/pkg/client/injection/client"
+	tektonConfiginformer "github.com/tektoncd/operator/pkg/client/injection/informers/operator/v1alpha1/tektonconfig"
+	"github.com/tektoncd/operator/pkg/reconciler/common"
+	"github.com/tektoncd/operator/pkg/reconciler/kubernetes/tektoninstallerset/client"
+	occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
 )
 
 const (
@@ -71,11 +73,15 @@ func OpenShiftExtension(ctx context.Context) common.Extension {
 		logger.Fatalf("Failed to fetch logs RBAC manifest: %v", err)
 	}
 
+	// Get TektonConfig lister to check EnableCentralTLSConfig flag
+	tektonConfigLister := tektonConfiginformer.Get(ctx).Lister()
+
 	ext := &openshiftExtension{
 		installerSetClient: client.NewInstallerSetClient(operatorclient.Get(ctx).OperatorV1alpha1().TektonInstallerSets(),
 			version, "results-ext", v1alpha1.KindTektonResult, nil),
-		routeManifest:    routeManifest,
-		logsRBACManifest: logsRBACManifest,
+		routeManifest:      routeManifest,
+		logsRBACManifest:   logsRBACManifest,
+		tektonConfigLister: tektonConfigLister,
 	}
 	return ext
 }
@@ -84,12 +90,14 @@ type openshiftExtension struct {
 	installerSetClient *client.InstallerSetClient
 	routeManifest      *mf.Manifest
 	logsRBACManifest   *mf.Manifest
+	tektonConfigLister occommon.TektonConfigLister
+	resolvedTLSConfig  *occommon.TLSEnvVars
 }
 
-func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Transformer {
+func (oe *openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Transformer {
 	instance := comp.(*v1alpha1.TektonResult)
 
-	return []mf.Transformer{
+	transformers := []mf.Transformer{
 		occommon.RemoveRunAsUser(),
 		occommon.RemoveRunAsGroup(),
 		occommon.ApplyCABundlesToDeployment,
@@ -101,18 +109,39 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr
 		injectResultsAPIServiceCACert(instance.Spec.ResultsAPIProperties),
 		injectPostgresUpgradeSupport(),
 	}
+
+	// Use TLS config resolved in PreReconcile
+	if oe.resolvedTLSConfig != nil {
+		transformers = append(transformers, occommon.InjectTLSEnvVars(oe.resolvedTLSConfig, "Deployment", deploymentAPI, []string{apiContainerName}))
+	}
+
+	return transformers
+}
+
+func (oe *openshiftExtension) GetPlatformData() string {
+	return ""
 }
 
 func (oe *openshiftExtension) PreReconcile(ctx context.Context, tc v1alpha1.TektonComponent) error {
+	logger := logging.FromContext(ctx)
 	result := tc.(*v1alpha1.TektonResult)
-	mf := mf.Manifest{}
+	manifest := mf.Manifest{}
 
 	if (result.Spec.LokiStackName != "" && result.Spec.LokiStackNamespace != "") ||
 		strings.EqualFold(result.Spec.LogsType, "LOKI") {
-		mf = mf.Append(*oe.logsRBACManifest)
+		manifest = manifest.Append(*oe.logsRBACManifest)
 	}
 
-	return oe.installerSetClient.PreSet(ctx, tc, &mf, filterAndTransform())
+	resolvedTLS, err := occommon.ResolveCentralTLSToEnvVars(ctx, oe.tektonConfigLister)
+	if err != nil {
+		return err
+	}
+	oe.resolvedTLSConfig = resolvedTLS
+	if oe.resolvedTLSConfig != nil {
+		logger.Infof("Injecting central TLS config: MinVersion=%s", oe.resolvedTLSConfig.MinVersion)
+	}
+
+	return oe.installerSetClient.PreSet(ctx, tc, &manifest, filterAndTransform())
 }
 
 func (oe openshiftExtension) PostReconcile(ctx context.Context, tc v1alpha1.TektonComponent) error {
@@ -130,10 +159,6 @@ func (oe openshiftExtension) PostReconcile(ctx context.Context, tc v1alpha1.Tekt
 	return oe.installerSetClient.PostSet(ctx, tc, &manifest, filterAndTransform())
 }
 
-func (oe openshiftExtension) GetPlatformData() string {
-	return ""
-}
-
 func (oe openshiftExtension) Finalize(ctx context.Context, tc v1alpha1.TektonComponent) error {
 	if err := oe.installerSetClient.CleanupPostSet(ctx); err != nil {
 		return err

pkg/reconciler/shared/tektonconfig/result/result.go

@@ -157,6 +157,16 @@ func UpdateResult(ctx context.Context, old *v1alpha1.TektonResult, new *v1alpha1
 		updated = true
 	}
 
+	oldPlatformData := old.ObjectMeta.Annotations[v1alpha1.PlatformDataHashKey]
+	newPlatformData := new.ObjectMeta.Annotations[v1alpha1.PlatformDataHashKey]
+	if oldPlatformData != newPlatformData {
+		if old.ObjectMeta.Annotations == nil {
+			old.ObjectMeta.Annotations = map[string]string{}
+		}
+		old.ObjectMeta.Annotations[v1alpha1.PlatformDataHashKey] = newPlatformData
+		updated = true
+	}
+
 	if updated {
 		_, err := clients.Update(ctx, old, metav1.UpdateOptions{})
 		if err != nil {

pkg/reconciler/shared/tektonconfig/tektonconfig.go

@@ -304,6 +304,12 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, tc *v1alpha1.TektonConfi
 	// Ensure Result CR
 	if !tc.Spec.Result.Disabled {
 		tektonresult := result.GetTektonResultCR(tc, r.operatorVersion)
+		if platformData := r.extension.GetPlatformData(); platformData != "" {
+			if tektonresult.Annotations == nil {
+				tektonresult.Annotations = map[string]string{}
+			}
+			tektonresult.Annotations[v1alpha1.PlatformDataHashKey] = platformData
+		}
 		logger.Debug("Ensuring TektonResult CR exists")
 		if _, err := result.EnsureTektonResultExists(ctx, r.operatorClientSet.OperatorV1alpha1().TektonResults(), tektonresult); err != nil {
 			errMsg := fmt.Sprintf("TektonResult %s", err.Error())