Enable centralized TLS configuration for TektonResult

enarha · cursoragent · enarha · commit 2de7f834001c · 2026-02-18T13:10:19.000+02:00
Activate the centralized TLS configuration feature for the TektonResult
component. When EnableCentralTLSConfig is set in TektonConfig, the TLS
settings from the cluster's APIServer are automatically injected into the
Results API deployment.

Changes:
- Implement GetHashData() in tektonresult extension to include TLS config
  fingerprint, triggering installer set updates when TLS configuration changes
- Update hash computation in tektonresult reconciler and installerset to
  include platform-specific data from the extension

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/pkg/reconciler/kubernetes/tektonresult/installerset.go b/pkg/reconciler/kubernetes/tektonresult/installerset.go
@@ -33,11 +33,18 @@ func (r *Reconciler) createInstallerSet(ctx context.Context, tr *v1alpha1.Tekton
 		return nil, err
 	}
 
-	// compute the hash of tektonresult spec and store as an annotation
-	// in further reconciliation we compute hash of td spec and check with
-	// annotation, if they are same then we skip updating the object
+	// compute the hash of tektonresult spec (including platform-specific data)
+	// and store as an annotation. In further reconciliation we compute hash
+	// and check with annotation, if they are same then we skip updating the object
 	// otherwise we update the manifest
-	specHash, err := hash.Compute(tr.Spec)
+	hashInput := struct {
+		Spec      v1alpha1.TektonResultSpec
+		ExtraData string
+	}{
+		Spec:      tr.Spec,
+		ExtraData: r.extension.GetHashData(),
+	}
+	specHash, err := hash.Compute(hashInput)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/reconciler/kubernetes/tektonresult/tektonresult.go b/pkg/reconciler/kubernetes/tektonresult/tektonresult.go
@@ -322,8 +322,15 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, tr *v1alpha1.TektonResul
 		// of TektonResult is changed by checking hash stored as annotation on
 		// TektonInstallerSet with computing new hash of TektonResult Spec
 		logger.Debug("Checking for spec changes in TektonResult")
-		// Hash of TektonResult Spec
-		expectedSpecHash, err := hash.Compute(tr.Spec)
+		// Hash of TektonResult Spec including platform-specific data (e.g., TLS config)
+		hashInput := struct {
+			Spec      v1alpha1.TektonResultSpec
+			ExtraData string
+		}{
+			Spec:      tr.Spec,
+			ExtraData: r.extension.GetHashData(),
+		}
+		expectedSpecHash, err := hash.Compute(hashInput)
 		if err != nil {
 			logger.Errorw("Failed to compute spec hash", "error", err)
 			return err
diff --git a/pkg/reconciler/openshift/tektonresult/controller.go b/pkg/reconciler/openshift/tektonresult/controller.go
@@ -19,9 +19,10 @@ package tektonresult
 import (
 	"context"
 
-	k8s_ctrl "github.com/tektoncd/operator/pkg/reconciler/kubernetes/tektonresult"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
+
+	k8s_ctrl "github.com/tektoncd/operator/pkg/reconciler/kubernetes/tektonresult"
 )
 
 // NewController initializes the controller and is called by the generated code
diff --git a/pkg/reconciler/openshift/tektonresult/extension.go b/pkg/reconciler/openshift/tektonresult/extension.go
@@ -18,6 +18,7 @@ package tektonresult
 
 import (
 	"context"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
@@ -84,7 +85,6 @@ func OpenShiftExtension(ctx context.Context) common.Extension {
 		logsRBACManifest:   logsRBACManifest,
 		tektonConfigLister: tektonConfigLister,
 		restConfig:         injection.GetConfig(ctx),
-		ctx:                ctx,
 	}
 	return ext
 }
@@ -96,13 +96,12 @@ type openshiftExtension struct {
 	tektonConfigLister interface {
 		Get(name string) (*v1alpha1.TektonConfig, error)
 	}
-	restConfig *rest.Config
-	ctx        context.Context
+	restConfig        *rest.Config
+	resolvedTLSConfig *occommon.TLSEnvVars
 }
 
-func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Transformer {
+func (oe *openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Transformer {
 	instance := comp.(*v1alpha1.TektonResult)
-	logger := logging.FromContext(oe.ctx)
 
 	transformers := []mf.Transformer{
 		occommon.RemoveRunAsUser(),
@@ -117,21 +116,18 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr
 		injectPostgresUpgradeSupport(),
 	}
 
-	// Resolve TLS configuration with proper precedence:
-	// 1. If EnableCentralTLSConfig AND APIServer has TLS → use APIServer TLS
-	// 2. Otherwise → user-specified config takes effect (handled by component itself)
-	if tlsEnvVars := oe.resolveTLSConfig(); tlsEnvVars != nil {
-		transformers = append(transformers, injectTLSConfig(tlsEnvVars))
-		logger.Infof("Injecting central TLS config: MinVersion=%s", tlsEnvVars.MinVersion)
+	// Use TLS config resolved in PreReconcile
+	if oe.resolvedTLSConfig != nil {
+		transformers = append(transformers, injectTLSConfig(oe.resolvedTLSConfig))
 	}
 
 	return transformers
 }
 
 // resolveTLSConfig reads TLS config from the shared APIServer lister.
 // Returns nil if central TLS is disabled or no TLS config is available.
-func (oe *openshiftExtension) resolveTLSConfig() *occommon.TLSEnvVars {
-	logger := logging.FromContext(oe.ctx)
+func (oe *openshiftExtension) resolveTLSConfig(ctx context.Context) *occommon.TLSEnvVars {
+	logger := logging.FromContext(ctx)
 
 	tc, err := oe.tektonConfigLister.Get(v1alpha1.ConfigResourceName)
 	if err != nil {
@@ -144,7 +140,7 @@ func (oe *openshiftExtension) resolveTLSConfig() *occommon.TLSEnvVars {
 	}
 
 	// Read TLS config from the shared APIServer lister
-	tlsEnvVars, err := occommon.GetTLSEnvVarsFromAPIServer(oe.ctx, oe.restConfig)
+	tlsEnvVars, err := occommon.GetTLSEnvVarsFromAPIServer(ctx, oe.restConfig)
 	if err != nil {
 		logger.Warnf("Failed to get TLS config from APIServer: %v", err)
 		return nil
@@ -153,20 +149,31 @@ func (oe *openshiftExtension) resolveTLSConfig() *occommon.TLSEnvVars {
 	return tlsEnvVars
 }
 
+// GetHashData returns TLS config fingerprint for hash computation.
+// This ensures installer set is updated when TLS config changes.
 func (oe *openshiftExtension) GetHashData() string {
-	return ""
+	if oe.resolvedTLSConfig == nil {
+		return ""
+	}
+	return fmt.Sprintf("%s:%s:%s", oe.resolvedTLSConfig.MinVersion, oe.resolvedTLSConfig.CipherSuites, oe.resolvedTLSConfig.CurvePreferences)
 }
 
 func (oe *openshiftExtension) PreReconcile(ctx context.Context, tc v1alpha1.TektonComponent) error {
+	logger := logging.FromContext(ctx)
 	result := tc.(*v1alpha1.TektonResult)
-	mf := mf.Manifest{}
+	manifest := mf.Manifest{}
 
 	if (result.Spec.LokiStackName != "" && result.Spec.LokiStackNamespace != "") ||
 		strings.EqualFold(result.Spec.LogsType, "LOKI") {
-		mf = mf.Append(*oe.logsRBACManifest)
+		manifest = manifest.Append(*oe.logsRBACManifest)
+	}
+
+	oe.resolvedTLSConfig = oe.resolveTLSConfig(ctx)
+	if oe.resolvedTLSConfig != nil {
+		logger.Infof("Injecting central TLS config: MinVersion=%s", oe.resolvedTLSConfig.MinVersion)
 	}
 
-	return oe.installerSetClient.PreSet(ctx, tc, &mf, filterAndTransform())
+	return oe.installerSetClient.PreSet(ctx, tc, &manifest, filterAndTransform())
 }
 
 func (oe openshiftExtension) PostReconcile(ctx context.Context, tc v1alpha1.TektonComponent) error {
