Merge pull request #2680 from richardsonnick/tls-adherance-fate

Add TLS adherence feature gate

Author: openshift-merge-bot[bot]

config/v1/tests/apiservers.config.openshift.io/TLSAdherence.yaml

@@ -0,0 +1,116 @@
+apiVersion: apiextensions.k8s.io/v1
+name: "APIServer"
+crdName: apiservers.config.openshift.io
+featureGates:
+- TLSAdherence
+tests:
+  onCreate:
+    - name: Should be able to create without tlsAdherence
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec: {}
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+    - name: Should be able to create with tlsAdherence set to LegacyAdheringComponentsOnly
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: LegacyAdheringComponentsOnly
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          tlsAdherence: LegacyAdheringComponentsOnly
+    - name: Should be able to create with tlsAdherence set to StrictAllComponents
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: StrictAllComponents
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          tlsAdherence: StrictAllComponents
+    - name: Should reject invalid tlsAdherence value
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: InvalidValue
+      expectedError: 'spec.tlsAdherence: Unsupported value: "InvalidValue": supported values: "LegacyAdheringComponentsOnly", "StrictAllComponents"'
+  onUpdate:
+    - name: Should be able to update tlsAdherence from LegacyAdheringComponentsOnly to StrictAllComponents
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: LegacyAdheringComponentsOnly
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: StrictAllComponents
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          tlsAdherence: StrictAllComponents
+    - name: Should be able to update tlsAdherence from StrictAllComponents to LegacyAdheringComponentsOnly
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: StrictAllComponents
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: LegacyAdheringComponentsOnly
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          tlsAdherence: LegacyAdheringComponentsOnly
+    - name: Should be able to set tlsAdherence from unset on update
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec: {}
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: StrictAllComponents
+      expected: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          audit:
+            profile: Default
+          tlsAdherence: StrictAllComponents
+    - name: Should not allow removing tlsAdherence once set
+      initial: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec:
+          tlsAdherence: StrictAllComponents
+      updated: |
+        apiVersion: config.openshift.io/v1
+        kind: APIServer
+        spec: {}
+      expectedError: "tlsAdherence may not be removed once set"

config/v1/types_apiserver.go

@@ -34,6 +34,7 @@ type APIServer struct {
 	Status APIServerStatus `json:"status"`
 }
 
+// +openshift:validation:FeatureGateAwareXValidation:featureGate=TLSAdherence,rule="has(oldSelf.tlsAdherence) ? has(self.tlsAdherence) : true",message="tlsAdherence may not be removed once set"
 type APIServerSpec struct {
 	// servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates
 	// will be used for serving secure traffic.
@@ -62,6 +63,39 @@ type APIServerSpec struct {
 	// The current default is the Intermediate profile.
 	// +optional
 	TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
+	// tlsAdherence controls if components in the cluster adhere to the TLS security profile
+	// configured on this APIServer resource.
+	//
+	// Valid values are "LegacyAdheringComponentsOnly" and "StrictAllComponents".
+	//
+	// When set to "LegacyAdheringComponentsOnly", components that already honor the
+	// cluster-wide TLS profile continue to do so. Components that do not already honor
+	// it continue to use their individual TLS configurations.
+	//
+	// When set to "StrictAllComponents", all components must honor the configured TLS
+	// profile unless they have a component-specific TLS configuration that overrides
+	// it. This mode is recommended for security-conscious deployments and is required
+	// for certain compliance frameworks.
+	//
+	// Note: Some components such as Kubelet and IngressController have their own
+	// dedicated TLS configuration mechanisms via KubeletConfig and IngressController
+	// CRs respectively. When these component-specific TLS configurations are set,
+	// they take precedence over the cluster-wide tlsSecurityProfile. When not set,
+	// these components fall back to the cluster-wide default.
+	//
+	// Components that encounter an unknown value for tlsAdherence should treat it
+	// as "StrictAllComponents" and log a warning to ensure forward compatibility
+	// while defaulting to the more secure behavior.
+	//
+	// This field is optional.
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose reasonable defaults. These defaults are subject to change over time.
+	// The current default is LegacyAdheringComponentsOnly.
+	//
+	// Once set, this field may be changed to a different value, but may not be removed.
+	// +openshift:enable:FeatureGate=TLSAdherence
+	// +optional
+	TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`
 	// audit specifies the settings for audit configuration to be applied to all OpenShift-provided
 	// API servers in the cluster.
 	// +optional
@@ -237,6 +271,35 @@ const (
 type APIServerStatus struct {
 }
 
+// TLSAdherencePolicy defines which components adhere to the TLS security profile.
+// Implementors should use the ShouldHonorClusterTLSProfile helper function from library-go
+// rather than checking these values directly.
+// +kubebuilder:validation:Enum=LegacyAdheringComponentsOnly;StrictAllComponents
+type TLSAdherencePolicy string
+
+const (
+	// TLSAdherencePolicyNoOpinion represents an empty/unset value for tlsAdherence.
+	// This value cannot be explicitly set and is only present when the field is omitted.
+	// When the field is omitted, the cluster defaults to LegacyAdheringComponentsOnly
+	// behavior. Components should treat this the same as LegacyAdheringComponentsOnly.
+	TLSAdherencePolicyNoOpinion TLSAdherencePolicy = ""
+
+	// TLSAdherencePolicyLegacyAdheringComponentsOnly maintains backward-compatible behavior.
+	// Components that already honor the cluster-wide TLS profile (such as kube-apiserver,
+	// openshift-apiserver, oauth-apiserver, and others) continue to do so. Components that do
+	// not already honor it continue to use their individual TLS configurations (e.g.,
+	// IngressController.spec.tlsSecurityProfile, KubeletConfig.spec.tlsSecurityProfile,
+	// or component defaults). No additional components are required to start honoring the
+	// cluster-wide profile in this mode.
+	TLSAdherencePolicyLegacyAdheringComponentsOnly TLSAdherencePolicy = "LegacyAdheringComponentsOnly"
+
+	// TLSAdherencePolicyStrictAllComponents means all components must honor the configured TLS
+	// profile unless they have a component-specific TLS configuration that overrides it.
+	// This mode is recommended for security-conscious deployments and is required
+	// for certain compliance frameworks.
+	TLSAdherencePolicyStrictAllComponents TLSAdherencePolicy = "StrictAllComponents"
+)
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml

@@ -292,6 +292,42 @@ spec:
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object
+              tlsAdherence:
+                description: |-
+                  tlsAdherence controls if components in the cluster adhere to the TLS security profile
+                  configured on this APIServer resource.
+
+                  Valid values are "LegacyAdheringComponentsOnly" and "StrictAllComponents".
+
+                  When set to "LegacyAdheringComponentsOnly", components that already honor the
+                  cluster-wide TLS profile continue to do so. Components that do not already honor
+                  it continue to use their individual TLS configurations.
+
+                  When set to "StrictAllComponents", all components must honor the configured TLS
+                  profile unless they have a component-specific TLS configuration that overrides
+                  it. This mode is recommended for security-conscious deployments and is required
+                  for certain compliance frameworks.
+
+                  Note: Some components such as Kubelet and IngressController have their own
+                  dedicated TLS configuration mechanisms via KubeletConfig and IngressController
+                  CRs respectively. When these component-specific TLS configurations are set,
+                  they take precedence over the cluster-wide tlsSecurityProfile. When not set,
+                  these components fall back to the cluster-wide default.
+
+                  Components that encounter an unknown value for tlsAdherence should treat it
+                  as "StrictAllComponents" and log a warning to ensure forward compatibility
+                  while defaulting to the more secure behavior.
+
+                  This field is optional.
+                  When omitted, this means the user has no opinion and the platform is left
+                  to choose reasonable defaults. These defaults are subject to change over time.
+                  The current default is LegacyAdheringComponentsOnly.
+
+                  Once set, this field may be changed to a different value, but may not be removed.
+                enum:
+                - LegacyAdheringComponentsOnly
+                - StrictAllComponents
+                type: string
               tlsSecurityProfile:
                 description: |-
                   tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
@@ -427,6 +463,9 @@ spec:
                     type: string
                 type: object
             type: object
+            x-kubernetes-validations:
+            - message: tlsAdherence may not be removed once set
+              rule: 'has(oldSelf.tlsAdherence) ? has(self.tlsAdherence) : true'
           status:
             description: status holds observed values from the cluster. They may not
               be overridden.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml

@@ -292,6 +292,42 @@ spec:
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object
+              tlsAdherence:
+                description: |-
+                  tlsAdherence controls if components in the cluster adhere to the TLS security profile
+                  configured on this APIServer resource.
+
+                  Valid values are "LegacyAdheringComponentsOnly" and "StrictAllComponents".
+
+                  When set to "LegacyAdheringComponentsOnly", components that already honor the
+                  cluster-wide TLS profile continue to do so. Components that do not already honor
+                  it continue to use their individual TLS configurations.
+
+                  When set to "StrictAllComponents", all components must honor the configured TLS
+                  profile unless they have a component-specific TLS configuration that overrides
+                  it. This mode is recommended for security-conscious deployments and is required
+                  for certain compliance frameworks.
+
+                  Note: Some components such as Kubelet and IngressController have their own
+                  dedicated TLS configuration mechanisms via KubeletConfig and IngressController
+                  CRs respectively. When these component-specific TLS configurations are set,
+                  they take precedence over the cluster-wide tlsSecurityProfile. When not set,
+                  these components fall back to the cluster-wide default.
+
+                  Components that encounter an unknown value for tlsAdherence should treat it
+                  as "StrictAllComponents" and log a warning to ensure forward compatibility
+                  while defaulting to the more secure behavior.
+
+                  This field is optional.
+                  When omitted, this means the user has no opinion and the platform is left
+                  to choose reasonable defaults. These defaults are subject to change over time.
+                  The current default is LegacyAdheringComponentsOnly.
+
+                  Once set, this field may be changed to a different value, but may not be removed.
+                enum:
+                - LegacyAdheringComponentsOnly
+                - StrictAllComponents
+                type: string
               tlsSecurityProfile:
                 description: |-
                   tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
@@ -427,6 +463,9 @@ spec:
                     type: string
                 type: object
             type: object
+            x-kubernetes-validations:
+            - message: tlsAdherence may not be removed once set
+              rule: 'has(oldSelf.tlsAdherence) ? has(self.tlsAdherence) : true'
           status:
             description: status holds observed values from the cluster. They may not
               be overridden.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml

@@ -224,6 +224,42 @@ spec:
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object
+              tlsAdherence:
+                description: |-
+                  tlsAdherence controls if components in the cluster adhere to the TLS security profile
+                  configured on this APIServer resource.
+
+                  Valid values are "LegacyAdheringComponentsOnly" and "StrictAllComponents".
+
+                  When set to "LegacyAdheringComponentsOnly", components that already honor the
+                  cluster-wide TLS profile continue to do so. Components that do not already honor
+                  it continue to use their individual TLS configurations.
+
+                  When set to "StrictAllComponents", all components must honor the configured TLS
+                  profile unless they have a component-specific TLS configuration that overrides
+                  it. This mode is recommended for security-conscious deployments and is required
+                  for certain compliance frameworks.
+
+                  Note: Some components such as Kubelet and IngressController have their own
+                  dedicated TLS configuration mechanisms via KubeletConfig and IngressController
+                  CRs respectively. When these component-specific TLS configurations are set,
+                  they take precedence over the cluster-wide tlsSecurityProfile. When not set,
+                  these components fall back to the cluster-wide default.
+
+                  Components that encounter an unknown value for tlsAdherence should treat it
+                  as "StrictAllComponents" and log a warning to ensure forward compatibility
+                  while defaulting to the more secure behavior.
+
+                  This field is optional.
+                  When omitted, this means the user has no opinion and the platform is left
+                  to choose reasonable defaults. These defaults are subject to change over time.
+                  The current default is LegacyAdheringComponentsOnly.
+
+                  Once set, this field may be changed to a different value, but may not be removed.
+                enum:
+                - LegacyAdheringComponentsOnly
+                - StrictAllComponents
+                type: string
               tlsSecurityProfile:
                 description: |-
                   tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
@@ -359,6 +395,9 @@ spec:
                     type: string
                 type: object
             type: object
+            x-kubernetes-validations:
+            - message: tlsAdherence may not be removed once set
+              rule: 'has(oldSelf.tlsAdherence) ? has(self.tlsAdherence) : true'
           status:
             description: status holds observed values from the cluster. They may not
               be overridden.

config/v1/zz_generated.featuregated-crd-manifests.yaml

@@ -8,6 +8,7 @@ apiservers.config.openshift.io:
   FeatureGates:
   - KMSEncryption
   - KMSEncryptionProvider
+  - TLSAdherence
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_10"