Enable TLS profile configuration for TektonResult

enarha · enarha · commit 81c9fa41a3a3 · 2026-01-11T19:51:28.000+02:00
Activate the TLS profile infrastructure for the Results component:

- extension.go: Add injectTLSConfig transformer that injects
  TLS_MIN_VERSION and TLS_CIPHER_SUITES env vars into the Results API
  deployment based on cluster APIServer configuration. TLS config is
  fetched once during Transformers() call, not per-resource.

- controller.go: Set up APIServer watch to trigger reconciliation when
  the cluster TLS security profile changes.

The Results API deployment will automatically pick up TLS configuration
from the OpenShift APIServer resource and update when it changes.
diff --git a/pkg/reconciler/openshift/tektonresult/controller.go b/pkg/reconciler/openshift/tektonresult/controller.go
@@ -19,13 +19,41 @@ package tektonresult
 import (
 	"context"
 
+	tektonResultInformer "github.com/tektoncd/operator/pkg/client/injection/informers/operator/v1alpha1/tektonresult"
+	"github.com/tektoncd/operator/pkg/reconciler/common"
+	occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
 	k8s_ctrl "github.com/tektoncd/operator/pkg/reconciler/kubernetes/tektonresult"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
+	"knative.dev/pkg/injection"
+	"knative.dev/pkg/logging"
 )
 
 // NewController initializes the controller and is called by the generated code
 // Registers eventhandlers to enqueue events
 func NewController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
-	return k8s_ctrl.NewExtendedController(OpenShiftExtension)(ctx, cmw)
+	return NewExtendedController(OpenShiftExtension)(ctx, cmw)
+}
+
+// NewExtendedController wraps the base Kubernetes controller and adds OpenShift-specific watches
+func NewExtendedController(generator common.ExtensionGenerator) func(context.Context, configmap.Watcher) *controller.Impl {
+	return func(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+		logger := logging.FromContext(ctx)
+
+		// Create the base Kubernetes controller with OpenShift extension
+		impl := k8s_ctrl.NewExtendedController(generator)(ctx, cmw)
+
+		// Setup OpenShift APIServer watch for TLS profile changes.
+		// This will trigger reconciliation when the cluster TLS policy changes.
+		// Errors are logged by SetupAPIServerTLSWatch; we don't fail controller startup.
+		restConfig := injection.GetConfig(ctx)
+		lister := tektonResultInformer.Get(ctx).Lister()
+		listerAdapter := occommon.TektonResultListerAdapter{Lister: lister}
+
+		if err := occommon.SetupAPIServerTLSWatch(ctx, restConfig, impl, listerAdapter, "TektonResult"); err == nil {
+			logger.Info("APIServer TLS profile watch enabled")
+		}
+
+		return impl
+	}
 }
diff --git a/pkg/reconciler/openshift/tektonresult/extension.go b/pkg/reconciler/openshift/tektonresult/extension.go
@@ -32,6 +32,8 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/rest"
+	"knative.dev/pkg/injection"
 	"knative.dev/pkg/logging"
 )
 
@@ -71,11 +73,16 @@ func OpenShiftExtension(ctx context.Context) common.Extension {
 		logger.Fatalf("Failed to fetch logs RBAC manifest: %v", err)
 	}
 
+	// Get the rest.Config from the context for accessing OpenShift APIServer
+	restConfig := injection.GetConfig(ctx)
+
 	ext := &openshiftExtension{
 		installerSetClient: client.NewInstallerSetClient(operatorclient.Get(ctx).OperatorV1alpha1().TektonInstallerSets(),
 			version, "results-ext", v1alpha1.KindTektonResult, nil),
 		routeManifest:    routeManifest,
 		logsRBACManifest: logsRBACManifest,
+		restConfig:       restConfig,
+		ctx:              ctx,
 	}
 	return ext
 }
@@ -84,12 +91,15 @@ type openshiftExtension struct {
 	installerSetClient *client.InstallerSetClient
 	routeManifest      *mf.Manifest
 	logsRBACManifest   *mf.Manifest
+	restConfig         *rest.Config
+	ctx                context.Context
 }
 
 func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Transformer {
 	instance := comp.(*v1alpha1.TektonResult)
+	logger := logging.FromContext(oe.ctx)
 
-	return []mf.Transformer{
+	transformers := []mf.Transformer{
 		occommon.RemoveRunAsUser(),
 		occommon.RemoveRunAsGroup(),
 		occommon.ApplyCABundlesToDeployment,
@@ -101,6 +111,16 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr
 		injectResultsAPIServiceCACert(instance.Spec.ResultsAPIProperties),
 		injectPostgresUpgradeSupport(),
 	}
+
+	// Fetch TLS configuration once and create the transformer if available
+	tlsEnvVars, err := occommon.GetTLSEnvVarsFromAPIServer(oe.ctx, oe.restConfig)
+	if err != nil {
+		logger.Warnf("Failed to get TLS configuration from APIServer: %v", err)
+	} else if tlsEnvVars != nil {
+		transformers = append(transformers, injectTLSConfig(tlsEnvVars))
+	}
+
+	return transformers
 }
 
 func (oe *openshiftExtension) PreReconcile(ctx context.Context, tc v1alpha1.TektonComponent) error {
@@ -470,3 +490,69 @@ func injectPostgresUpgradeSupport() mf.Transformer {
 		return nil
 	}
 }
+
+// injectTLSConfig injects the TLS configuration as environment variables into the Results API deployment
+func injectTLSConfig(tlsEnvVars *occommon.TLSEnvVars) mf.Transformer {
+	return func(u *unstructured.Unstructured) error {
+		if u.GetKind() != "Deployment" || u.GetName() != deploymentAPI {
+			return nil
+		}
+
+		d := &appsv1.Deployment{}
+		if err := k8sruntime.DefaultUnstructuredConverter.FromUnstructured(u.Object, d); err != nil {
+			return err
+		}
+
+		for i, container := range d.Spec.Template.Spec.Containers {
+			if container.Name != apiContainerName {
+				continue
+			}
+
+			envVars := []corev1.EnvVar{}
+			if tlsEnvVars.MinVersion != "" {
+				envVars = append(envVars, corev1.EnvVar{
+					Name:  occommon.TLSMinVersionEnvVar,
+					Value: tlsEnvVars.MinVersion,
+				})
+			}
+			if tlsEnvVars.CipherSuites != "" {
+				envVars = append(envVars, corev1.EnvVar{
+					Name:  occommon.TLSCipherSuitesEnvVar,
+					Value: tlsEnvVars.CipherSuites,
+				})
+			}
+			// CurvePreferences will be populated once openshift/api#2583 is merged
+			if tlsEnvVars.CurvePreferences != "" {
+				envVars = append(envVars, corev1.EnvVar{
+					Name:  occommon.TLSCurvePreferencesEnvVar,
+					Value: tlsEnvVars.CurvePreferences,
+				})
+			}
+
+			// Merge with existing env vars
+			existingEnv := container.Env
+			for _, newEnv := range envVars {
+				found := false
+				for j, existing := range existingEnv {
+					if existing.Name == newEnv.Name {
+						existingEnv[j] = newEnv
+						found = true
+						break
+					}
+				}
+				if !found {
+					existingEnv = append(existingEnv, newEnv)
+				}
+			}
+			d.Spec.Template.Spec.Containers[i].Env = existingEnv
+			break
+		}
+
+		uObj, err := k8sruntime.DefaultUnstructuredConverter.ToUnstructured(d)
+		if err != nil {
+			return err
+		}
+		u.SetUnstructuredContent(uObj)
+		return nil
+	}
+}
