Implement central TLS configuration for PQC readiness

Author: jkhelil

.github/codeql/codeql-config.yml

@@ -0,0 +1,13 @@
+name: "Tekton Operator CodeQL Config"
+
+# Suppress go/insecure-tls for tlsconfig.go
+# JUSTIFICATION: TLS configuration is inherited from OpenShift's validated
+# cluster-wide security profile (APIServer.spec.tlsSecurityProfile), not hardcoded.
+# This ensures compliance with administrator-defined security policies and enables
+# FIPS compliance and Post-Quantum Cryptography readiness.
+query-filters:
+  - exclude:
+      id: go/insecure-tls
+      paths:
+        - pkg/reconciler/openshift/common/tlsconfig.go
+

.github/workflows/codeql-analysis.yml

@@ -47,10 +47,7 @@ jobs:
       uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89  # v4.31.10
       with:
         languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+        config-file: ./.github/codeql/codeql-config.yml
 
     - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb  # v5.0.1
       with:

cmd/openshift/webhook/main.go

@@ -20,9 +20,11 @@ import (
 	"context"
 	"os"
 
+	occommon "github.com/tektoncd/operator/pkg/reconciler/openshift/common"
 	"github.com/tektoncd/operator/pkg/webhook"
 	"knative.dev/pkg/injection"
 	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/pkg/logging"
 	"knative.dev/pkg/signals"
 	kwebhook "knative.dev/pkg/webhook"
 	"knative.dev/pkg/webhook/certificates"
@@ -39,14 +41,40 @@ func main() {
 		secretName = "tekton-operator-webhook-certs"
 	}
 
-	//Set up a signal context with our webhook options
-	ctx := kwebhook.WithOptions(signals.NewContext(), kwebhook.Options{
+	cfg := injection.ParseAndGetRESTConfigOrDie()
+	ctx := signals.NewContext()
+	ctx, _ = injection.EnableInjectionOrDie(ctx, cfg)
+
+	logger := logging.FromContext(ctx)
+
+	// Observe TLS configuration from OpenShift APIServer if feature is enabled
+	webhookOpts := kwebhook.Options{
 		ServiceName: serviceName,
 		Port:        8443,
 		SecretName:  secretName,
-	})
-	cfg := injection.ParseAndGetRESTConfigOrDie()
-	ctx, _ = injection.EnableInjectionOrDie(ctx, cfg)
+	}
+
+	if occommon.IsCentralTLSConfigEnabled() {
+		logger.Info("Central TLS config is enabled for webhook, observing APIServer TLS profile")
+
+		// Observe TLS config (stores in context)
+		ctx = occommon.ObserveAndStoreTLSConfig(ctx, cfg)
+
+		// Get TLS config from context
+		if tlsConfig := occommon.GetTLSConfigFromContext(ctx); tlsConfig != nil {
+			// Only set MinVersion (not cipher suites or curves) to avoid knative version bump
+			webhookOpts.TLSMinVersion = tlsConfig.MinVersion
+			logger.Infof("Webhook TLS min version set to: %s", occommon.TLSVersionToString(tlsConfig.MinVersion))
+		} else {
+			logger.Warn("Central TLS config enabled but TLS config not available from context")
+		}
+	} else {
+		logger.Info("Central TLS config is disabled for webhook")
+	}
+
+	// Set up context with webhook options
+	ctx = kwebhook.WithOptions(ctx, webhookOpts)
+
 	webhook.CreateWebhookResources(ctx)
 	webhook.SetTypes("openshift")
 

config/openshift/base/operator.yaml

@@ -73,6 +73,8 @@ spec:
           value: tekton.dev/operator
         - name: VERSION
           value: "devel"
+        - name: ENABLE_CENTRAL_TLS_CONFIG
+          value: "false"
         - name: AUTOINSTALL_COMPONENTS
           valueFrom:
             configMapKeyRef:
@@ -138,6 +140,8 @@ spec:
             value: "9009"
           - name: VERSION
             value: "devel"
+          - name: ENABLE_CENTRAL_TLS_CONFIG
+            value: "false"
           - name: METRICS_DOMAIN
             value: tekton.dev/operator
           - name: CONFIG_LEADERELECTION_NAME

config/openshift/base/role.yaml

@@ -396,3 +396,12 @@ rules:
   - delete
   - update
   - patch
+# to observe APIServer TLS security profile for central TLS configuration
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  verbs:
+  - get
+  - list
+  - watch

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/openshift/api v0.0.0-20240521185306-0314f31e7774
 	github.com/openshift/apiserver-library-go v0.0.0-20230816171015-6bfafa975bfb
 	github.com/openshift/client-go v0.0.0-20240523113335-452272e0496d
+	github.com/openshift/library-go v0.0.0-20230503173034-95ca3c14e50a
 	github.com/sigstore/cosign/v2 v2.6.2
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
@@ -139,10 +140,12 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/emicklei/proto v1.14.2 // indirect
+	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-chi/chi/v5 v5.2.3 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
@@ -196,6 +199,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/henvic/httpretty v0.0.6 // indirect
+	github.com/imdario/mergo v0.3.7 // indirect
 	github.com/in-toto/attestation v1.1.2 // indirect
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -248,6 +252,7 @@ require (
 	github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/robfig/cron v1.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/sagikazarmark/locafero v0.11.0 // indirect
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
@@ -315,12 +320,16 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/apiserver v0.32.9 // indirect
+	k8s.io/component-base v0.32.9 // indirect
 	k8s.io/gengo/v2 v2.0.0-20250604051438-85fd79dbfd9f // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-aggregator v0.27.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
 	knative.dev/hack v0.0.0-20250331013814-c577ed9f7775 // indirect
 	sigs.k8s.io/controller-runtime v0.15.3 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/kube-storage-version-migrator v0.0.4 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/release-utils v0.12.2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect