Enable TLS profile configuration for TektonResult

enarha · enarha · commit a2b6ec3f4269 · 2026-01-14T16:03:13.000+02:00
Activate the TLS profile infrastructure for the Results component:

- extension.go: Add injectTLSConfig transformer that injects
  TLS_MIN_VERSION and TLS_CIPHER_SUITES env vars into the Results API
  deployment based on cluster APIServer configuration. TLS config is
  fetched once during Transformers() call, not per-resource.

- controller.go: Set up APIServer watch to trigger reconciliation when
  the cluster TLS security profile changes.

The Results API deployment will automatically pick up TLS configuration
from the OpenShift APIServer resource and update when it changes.
diff --git a/pkg/reconciler/kubernetes/tektonresult/tektonresult.go b/pkg/reconciler/kubernetes/tektonresult/tektonresult.go
@@ -320,10 +320,26 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, tr *v1alpha1.TektonResul
 	} else {
 		// If target namespace and version are not changed then check if spec
 		// of TektonResult is changed by checking hash stored as annotation on
-		// TektonInstallerSet with computing new hash of TektonResult Spec
+		// TektonInstallerSet with computing new hash of TektonResult Spec.
+		// Also include external TLS profile state to trigger updates when
+		// platform TLS configuration changes.
 		logger.Debug("Checking for spec changes in TektonResult")
-		// Hash of TektonResult Spec
-		expectedSpecHash, err := hash.Compute(tr.Spec)
+
+		// Get platform TLS profile fingerprint if extension supports it (empty on vanilla k8s)
+		var tlsFingerprint string
+		if fp, ok := r.extension.(common.TLSProfileFingerprinter); ok {
+			tlsFingerprint = fp.GetTLSProfileFingerprint(ctx)
+		}
+
+		// Hash of TektonResult Spec combined with TLS fingerprint
+		type hashInput struct {
+			Spec           v1alpha1.TektonResultSpec
+			TLSFingerprint string
+		}
+		expectedSpecHash, err := hash.Compute(hashInput{
+			Spec:           tr.Spec,
+			TLSFingerprint: tlsFingerprint,
+		})
 		if err != nil {
 			logger.Errorw("Failed to compute spec hash", "error", err)
 			return err
diff --git a/pkg/reconciler/openshift/tektonresult/controller.go b/pkg/reconciler/openshift/tektonresult/controller.go
@@ -19,13 +19,41 @@ package tektonresult
 import (
 	"context"
 
+	tektonResultInformer "github.com/tektoncd/operator/pkg/client/injection/informers/operator/v1alpha1/tektonresult"
+	"github.com/tektoncd/operator/pkg/reconciler/common"
+	occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
 	k8s_ctrl "github.com/tektoncd/operator/pkg/reconciler/kubernetes/tektonresult"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
+	"knative.dev/pkg/injection"
+	"knative.dev/pkg/logging"
 )
 
 // NewController initializes the controller and is called by the generated code
 // Registers eventhandlers to enqueue events
 func NewController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
-	return k8s_ctrl.NewExtendedController(OpenShiftExtension)(ctx, cmw)
+	return NewExtendedController(OpenShiftExtension)(ctx, cmw)
+}
+
+// NewExtendedController wraps the base Kubernetes controller and adds OpenShift-specific watches
+func NewExtendedController(generator common.ExtensionGenerator) func(context.Context, configmap.Watcher) *controller.Impl {
+	return func(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+		logger := logging.FromContext(ctx)
+
+		// Create the base Kubernetes controller with OpenShift extension
+		impl := k8s_ctrl.NewExtendedController(generator)(ctx, cmw)
+
+		// Setup OpenShift APIServer watch for TLS profile changes.
+		// This will trigger reconciliation when the cluster TLS policy changes.
+		// Errors are logged by SetupAPIServerTLSWatch; we don't fail controller startup.
+		restConfig := injection.GetConfig(ctx)
+		lister := tektonResultInformer.Get(ctx).Lister()
+		listerAdapter := occommon.TektonResultListerAdapter{Lister: lister}
+
+		if err := occommon.SetupAPIServerTLSWatch(ctx, restConfig, impl, listerAdapter, "TektonResult"); err == nil {
+			logger.Info("APIServer TLS profile watch enabled")
+		}
+
+		return impl
+	}
 }
diff --git a/pkg/reconciler/openshift/tektonresult/extension.go b/pkg/reconciler/openshift/tektonresult/extension.go
@@ -32,6 +32,8 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/rest"
+	"knative.dev/pkg/injection"
 	"knative.dev/pkg/logging"
 )
 
@@ -71,11 +73,16 @@ func OpenShiftExtension(ctx context.Context) common.Extension {
 		logger.Fatalf("Failed to fetch logs RBAC manifest: %v", err)
 	}
 
+	// Get the rest.Config from the context for accessing OpenShift APIServer
+	restConfig := injection.GetConfig(ctx)
+
 	ext := &openshiftExtension{
 		installerSetClient: client.NewInstallerSetClient(operatorclient.Get(ctx).OperatorV1alpha1().TektonInstallerSets(),
 			version, "results-ext", v1alpha1.KindTektonResult, nil),
 		routeManifest:    routeManifest,
 		logsRBACManifest: logsRBACManifest,
+		restConfig:       restConfig,
+		ctx:              ctx,
 	}
 	return ext
 }
@@ -84,12 +91,22 @@ type openshiftExtension struct {
 	installerSetClient *client.InstallerSetClient
 	routeManifest      *mf.Manifest
 	logsRBACManifest   *mf.Manifest
+	restConfig         *rest.Config
+	ctx                context.Context
+}
+
+// GetTLSProfileFingerprint returns a deterministic string representing the current
+// OpenShift TLS security profile state. This is used to detect TLS configuration
+// changes that should trigger component reconciliation.
+func (oe *openshiftExtension) GetTLSProfileFingerprint(ctx context.Context) string {
+	return occommon.GetTLSProfileFingerprint(ctx, oe.restConfig)
 }
 
 func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Transformer {
 	instance := comp.(*v1alpha1.TektonResult)
+	logger := logging.FromContext(oe.ctx)
 
-	return []mf.Transformer{
+	transformers := []mf.Transformer{
 		occommon.RemoveRunAsUser(),
 		occommon.RemoveRunAsGroup(),
 		occommon.ApplyCABundlesToDeployment,
@@ -101,6 +118,16 @@ func (oe openshiftExtension) Transformers(comp v1alpha1.TektonComponent) []mf.Tr
 		injectResultsAPIServiceCACert(instance.Spec.ResultsAPIProperties),
 		injectPostgresUpgradeSupport(),
 	}
+
+	// Fetch TLS configuration once and create the transformer if available
+	tlsEnvVars, err := occommon.GetTLSEnvVarsFromAPIServer(oe.ctx, oe.restConfig)
+	if err != nil {
+		logger.Warnf("Failed to get TLS configuration from APIServer: %v", err)
+	} else if tlsEnvVars != nil {
+		transformers = append(transformers, injectTLSConfig(tlsEnvVars))
+	}
+
+	return transformers
 }
 
 func (oe *openshiftExtension) PreReconcile(ctx context.Context, tc v1alpha1.TektonComponent) error {
@@ -470,3 +497,69 @@ func injectPostgresUpgradeSupport() mf.Transformer {
 		return nil
 	}
 }
+
+// injectTLSConfig injects the TLS configuration as environment variables into the Results API deployment
+func injectTLSConfig(tlsEnvVars *occommon.TLSEnvVars) mf.Transformer {
+	return func(u *unstructured.Unstructured) error {
+		if u.GetKind() != "Deployment" || u.GetName() != deploymentAPI {
+			return nil
+		}
+
+		d := &appsv1.Deployment{}
+		if err := k8sruntime.DefaultUnstructuredConverter.FromUnstructured(u.Object, d); err != nil {
+			return err
+		}
+
+		for i, container := range d.Spec.Template.Spec.Containers {
+			if container.Name != apiContainerName {
+				continue
+			}
+
+			envVars := []corev1.EnvVar{}
+			if tlsEnvVars.MinVersion != "" {
+				envVars = append(envVars, corev1.EnvVar{
+					Name:  occommon.TLSMinVersionEnvVar,
+					Value: tlsEnvVars.MinVersion,
+				})
+			}
+			if tlsEnvVars.CipherSuites != "" {
+				envVars = append(envVars, corev1.EnvVar{
+					Name:  occommon.TLSCipherSuitesEnvVar,
+					Value: tlsEnvVars.CipherSuites,
+				})
+			}
+			// CurvePreferences will be populated once openshift/api#2583 is merged
+			if tlsEnvVars.CurvePreferences != "" {
+				envVars = append(envVars, corev1.EnvVar{
+					Name:  occommon.TLSCurvePreferencesEnvVar,
+					Value: tlsEnvVars.CurvePreferences,
+				})
+			}
+
+			// Merge with existing env vars
+			existingEnv := container.Env
+			for _, newEnv := range envVars {
+				found := false
+				for j, existing := range existingEnv {
+					if existing.Name == newEnv.Name {
+						existingEnv[j] = newEnv
+						found = true
+						break
+					}
+				}
+				if !found {
+					existingEnv = append(existingEnv, newEnv)
+				}
+			}
+			d.Spec.Template.Spec.Containers[i].Env = existingEnv
+			break
+		}
+
+		uObj, err := k8sruntime.DefaultUnstructuredConverter.ToUnstructured(d)
+		if err != nil {
+			return err
+		}
+		u.SetUnstructuredContent(uObj)
+		return nil
+	}
+}
