feat(tls): inject centrally managed TLS config into pipelines-as-code #3385
jkhelil wants to merge 1 commit into tektoncd:main
Conversation
/kind feature |
Evidence: TLS injection into PAC controller, watcher, and webhook + dynamic propagation

This comment extends the original evidence to cover the full PAC TLS scope:

And validates the automatic propagation flow end-to-end after a fix to the InstallerSet hash computation.

1. Baseline — APIServer: Intermediate (TLSv1.2). All three PAC deployments — TLS_MIN_VERSION=1.2, confirmed in both the InstallerSet manifests and the live Deployments:

2. Switch to Old profile (TLSv1.0). ~20 seconds later, automatic propagation — no operator restart, no manual intervention. All three PAC deployments updated automatically:

3. Restore Intermediate — reverts automatically. ~20 seconds later:

Summary table

Operator image:
… deployment and webhook

Extend the OpenShift TLS centralization pattern (introduced for Tekton Pipelines and Triggers webhooks) to the Pipelines-as-Code webhook.

The openshiftpipelinesascode extension now resolves the cluster-wide APIServer TLS security profile in PreReconcile and injects the resulting TLS_MIN_VERSION and TLS_CIPHER_SUITES environment variables into the pipelines-as-code-webhook deployment (pac-webhook container) via the Transformers step, identical to the approach used for tekton-triggers-webhook.

PlatformDataHashKey propagation is wired through EnsureOpenShiftPipelinesAsCodeExists / createOPAC / updateOPAC so that any change to the cluster APIServer TLS profile automatically re-reconciles the OpenShiftPipelinesAsCode CR and redeploys the webhook with the updated settings.

Resolves: SRVKP-9616
Made-with: Cursor
Summary
Extends the OpenShift TLS centralization pattern to the pipelines-as-code-webhook deployment (SRVKP-9616), completing the webhook TLS trilogy alongside the Pipelines and Triggers PRs.
What changes
openshiftpipelinesascode/extension.go — switched to pointer receiver; added tektonConfigLister and resolvedTLSConfig fields. PreReconcile resolves the cluster APIServer TLS profile via ResolveCentralTLSToEnvVars. Transformers injects TLS_MIN_VERSION and TLS_CIPHER_SUITES into the pipelines-as-code-webhook deployment (pac-webhook container) when a profile is resolved.
pipelinesascode/pipelinesascode.go — EnsureOpenShiftPipelinesAsCodeExists, createOPAC, and updateOPAC now accept and propagate a platformData string parameter, stamped as the operator.tekton.dev/platform-data-hash annotation on the OpenShiftPipelinesAsCode CR. This triggers re-reconciliation when the APIServer TLS profile changes.
openshift/tektonconfig/extension.go — PostReconcile passes oe.GetPlatformData() (the APIServer TLS hash) into EnsureOpenShiftPipelinesAsCodeExists.
kubernetes/tektonconfig/extension.go — Kubernetes-side caller updated to pass "" (no platform data on Kubernetes).
extension_test.go (new) — 3 table-driven tests: no TLS config, injection into pac-webhook, no injection into unrelated deployments.
Evidence
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you review them:
- Run make test lint before submitting a PR. See the contribution guide for more details.
Release Notes
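The mechanism this PR describes, as an added example that is not the PR's or the tekton operator's own code: an APIServer profile type is resolved to TLS_MIN_VERSION / TLS_CIPHER_SUITES, the two variables are upserted into the pac-webhook container of the pipelines-as-code-webhook deployment only (unrelated deployments are left alone, mirroring the PR's third test case), and a hash of the resolved settings plays the role of the operator.tekton.dev/platform-data-hash annotation so that a profile change, and only a profile change, triggers a re-reconcile. The Deployment/Container/EnvVar types are simplified stand-ins for the k8s API types, ResolveProfile/InjectTLSEnv/PlatformDataHash/NeedsReconcile are hypothetical names, the cipher list is supplied by the caller, and the Custom profile is deliberately not handled.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Simplified stand-ins for the Deployment fields the transformer touches
// (hypothetical example types, not the operator's or the k8s API types).
type EnvVar struct{ Name, Value string }

type Container struct {
	Name string
	Env  []EnvVar
}

type Deployment struct {
	Name       string
	Containers []Container
}

// TLSEnv is the resolved profile that becomes TLS_MIN_VERSION and TLS_CIPHER_SUITES.
type TLSEnv struct {
	MinVersion   string
	CipherSuites []string
}

// PlatformDataHashKey is the annotation name quoted in the PR description.
const PlatformDataHashKey = "operator.tekton.dev/platform-data-hash"

// ResolveProfile maps an APIServer tlsSecurityProfile type to a minimum TLS version
// (Old=1.0, Intermediate=1.2, Modern=1.3, per the OpenShift profile definitions).
// Ciphers come from the caller; Custom is not handled in this example, so it
// returns ok=false and the transformer injects nothing.
func ResolveProfile(profileType string, ciphers []string) (cfg TLSEnv, ok bool) {
	switch profileType {
	case "Old":
		cfg.MinVersion = "1.0"
	case "Intermediate":
		cfg.MinVersion = "1.2"
	case "Modern":
		cfg.MinVersion = "1.3"
	default:
		return TLSEnv{}, false
	}
	cfg.CipherSuites = ciphers
	return cfg, true
}

// EnvVars always renders both variables; an empty cipher list yields an empty
// TLS_CIPHER_SUITES so a stale list from a previous profile is overwritten, not kept.
func (t TLSEnv) EnvVars() []EnvVar {
	return []EnvVar{
		{Name: "TLS_MIN_VERSION", Value: t.MinVersion},
		{Name: "TLS_CIPHER_SUITES", Value: strings.Join(t.CipherSuites, ",")},
	}
}

// InjectTLSEnv upserts the TLS env vars into one named container of one named
// deployment and reports whether anything changed. Any other deployment or
// container name is left untouched.
func InjectTLSEnv(d *Deployment, deployment, container string, cfg TLSEnv) bool {
	if d.Name != deployment {
		return false
	}
	changed := false
	for i := range d.Containers {
		if d.Containers[i].Name != container {
			continue
		}
		for _, v := range cfg.EnvVars() {
			if upsertEnv(&d.Containers[i].Env, v) {
				changed = true
			}
		}
	}
	return changed
}

// upsertEnv replaces a same-named variable in place or appends a new one.
func upsertEnv(env *[]EnvVar, v EnvVar) bool {
	for i := range *env {
		if (*env)[i].Name == v.Name {
			if (*env)[i].Value == v.Value {
				return false
			}
			(*env)[i].Value = v.Value
			return true
		}
	}
	*env = append(*env, v)
	return true
}

// PlatformDataHash derives the annotation value from the rendered env vars, so the
// same profile always hashes the same and a different profile hashes differently.
func PlatformDataHash(cfg TLSEnv) string {
	var b strings.Builder
	for _, v := range cfg.EnvVars() {
		b.WriteString(v.Name + "=" + v.Value + "\n")
	}
	sum := sha256.Sum256([]byte(b.String()))
	return hex.EncodeToString(sum[:])
}

// NeedsReconcile is true when the hash stamped on the CR lags the freshly resolved one.
func NeedsReconcile(crAnnotations map[string]string, freshHash string) bool {
	return crAnnotations[PlatformDataHashKey] != freshHash
}

func main() {
	// Constructed sample: the deployment and container names from the PR, one cipher,
	// and the Intermediate -> Old -> Intermediate sequence from the evidence comment.
	webhook := &Deployment{Name: "pipelines-as-code-webhook", Containers: []Container{{Name: "pac-webhook"}}}
	cr := map[string]string{}
	for _, profile := range []string{"Intermediate", "Old", "Intermediate"} {
		cfg, _ := ResolveProfile(profile, []string{"TLS_AES_128_GCM_SHA256"})
		hash := PlatformDataHash(cfg)
		if NeedsReconcile(cr, hash) {
			changed := InjectTLSEnv(webhook, "pipelines-as-code-webhook", "pac-webhook", cfg)
			cr[PlatformDataHashKey] = hash
			fmt.Printf("%-12s TLS_MIN_VERSION=%s changed=%v hash=%s\n", profile, cfg.MinVersion, changed, hash[:12])
		}
	}
}
```

Running it walks the same three-step sequence as the evidence comment: the first Intermediate resolve injects 1.2, the switch to Old rewrites the variable to 1.0 because the hash changed, and restoring Intermediate rewrites it back. Re-applying an identical profile is a no-op, which is the property that keeps the controller from rolling the webhook on every reconcile loop.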