Skip to content

[feat]Add centrally managed TLS configuration for console-plugin nginx#3218

Open
jkhelil wants to merge 1 commit intotektoncd:mainfrom
jkhelil:SRVKP-9632
Open

[feat]Add centrally managed TLS configuration for console-plugin nginx#3218
jkhelil wants to merge 1 commit intotektoncd:mainfrom
jkhelil:SRVKP-9632

Conversation

@jkhelil
Copy link
Copy Markdown
Member

@jkhelil jkhelil commented Feb 16, 2026

Summary

Enables the console-plugin nginx server to inherit TLS settings from the centrally managed APIServer TLS Profile for Post-Quantum Cryptography (PQC) readiness compliance.

Changes

  • Modified: pkg/reconciler/openshift/tektonconfig/console_plugin_reconciler.go

    • Added TLS environment variable support (TLS_MIN_VERSION, TLS_CIPHER_SUITES, TLS_CURVE_PREFERENCES)
    • Implemented nginx.conf transformation to inject TLS directives
    • Added fail-safe defaults when env vars are not set
    • Cipher suites intentionally skipped (using nginx secure defaults)

  • Modified: pkg/reconciler/openshift/tektonconfig/console_plugin_reconciler_test.go

    • Added comprehensive unit tests for TLS configuration
    • 22 test cases covering all scenarios (default, partial, full config)

Test Results

Test 1: Default Configuration (No Env Vars)

Environment:

  • No TLS environment variables set

Generated nginx.conf:

server {
    ssl_protocols TLSv1.2 TLSv1.3;
    listen              8443 ssl;
    listen              [::]:8443 ssl;
    ssl_certificate     /var/cert/tls.crt;
    ssl_certificate_key /var/cert/tls.key;
    root                /usr/share/nginx/html;
}

Result: ✅ Pod starts successfully, TLS 1.3 negotiated, no errors

Test 2: With TLS Environment Variables

Environment:

TLS_MIN_VERSION=VersionTLS13
TLS_CURVE_PREFERENCES=X25519,prime256v1,secp384r1

Generated nginx.conf:

server {
    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    listen              8443 ssl;
    listen              [::]:8443 ssl;
    ssl_certificate     /var/cert/tls.crt;
    ssl_certificate_key /var/cert/tls.key;
    root                /usr/share/nginx/html;
}

Result: ✅ Pod starts successfully, TLS 1.3 negotiated, curves applied, no errors

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Release Notes

NONE

@tekton-robot tekton-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none Denotes a PR that doesnt merit a release note. labels Feb 16, 2026
@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Feb 16, 2026
@tekton-robot
Copy link
Copy Markdown
Contributor

tekton-robot commented May 5, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jkhelil jkhelil changed the title [WIP]Add centrally managed TLS configuration for console-plugin nginx [feat]Add centrally managed TLS configuration for console-plugin nginx May 5, 2026
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 5, 2026
@jkhelil
Copy link
Copy Markdown
Member Author

jkhelil commented May 5, 2026
edited
Loading

Manual Validation — TLS Propagation from APIServer Profile to nginx

Tested on OCP cluster: api.ci-ln-sbyz8bb-76ef8.aws-4.ci.openshift.org:6443

Setup

kubectl patch tektonconfig config --type=merge \
  -p '{"spec":{"platforms":{"openShift":{"enableCentralTLSConfig":true}}}}'

Test 1 — Intermediate Profile (default, no tlsSecurityProfile set)

APIServer TLS Profile:

{"intermediate":{},"type":"Intermediate"}

Generated nginx.conf (server block):

  server {
    ssl_protocols TLSv1.2 TLSv1.3;
    listen              8443 ssl;
    listen              [::]:8443 ssl;
    ssl_certificate     /var/cert/tls.crt;
    ssl_certificate_key /var/cert/tls.key;
    root                /usr/share/nginx/html;
  }

ssl_protocols TLSv1.2 TLSv1.3 correctly reflects Intermediate profile

Test 2 — Old Profile (TLS 1.0+)

kubectl patch apiserver cluster --type=merge \
  -p '{"spec":{"tlsSecurityProfile":{"type":"Old","old":{}}}}'

Generated nginx.conf (server block) after reconcile:

  server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    listen              8443 ssl;
    ...
  }

ssl_protocols updated dynamically — InstallerSet recreated automatically

Observations

  • TLS profile changes propagate without operator restart — the hash-based reconcile loop detects the change and recreates the console plugin InstallerSet
  • TektonConfig status remains Ready: True throughout
  • ssl_protocols indentation matches the rest of the nginx server block (4 spaces)
  • Cipher suites are intentionally not configured (nginx TLS 1.3 secure defaults apply)

TektonConfig state: enableCentralTLSConfig: true, Ready: True
InstallerSet: tekton-config-console-plugin-manifests-xjwtk True

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anithapriyanatarajan anithapriyanatarajan Awaiting requested review from anithapriyanatarajan

@pramodbindal pramodbindal Awaiting requested review from pramodbindal

Assignees

No one assigned

Labels

release-note-none Denotes a PR that doesnt merit a release note. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jkhelil @tekton-robot