metrics: Respect central TLS profile using controller-runtime-common

DavidHurta · DavidHurta · commit c2493e591153 · 2026-03-17T02:27:25.000+01:00
diff --git a/pkg/cvo/cvo.go b/pkg/cvo/cvo.go
@@ -122,6 +122,7 @@ type Operator struct {
 	cmConfigManagedLister listerscorev1.ConfigMapNamespaceLister
 	proxyLister           configlistersv1.ProxyLister
 	featureGateLister     configlistersv1.FeatureGateLister
+	apiServerLister       configlistersv1.APIServerLister
 	cacheSynced           []cache.InformerSynced
 
 	// queue tracks applying updates to a cluster.
@@ -223,6 +224,7 @@ func New(
 	proxyInformer configinformersv1.ProxyInformer,
 	operatorInformerFactory operatorexternalversions.SharedInformerFactory,
 	featureGateInformer configinformersv1.FeatureGateInformer,
+	apiServerInformer configinformersv1.APIServerInformer,
 	client clientset.Interface,
 	kubeClient kubernetes.Interface,
 	operatorClient operatorclientset.Interface,
@@ -305,6 +307,8 @@ func New(
 	optr.featureGateLister = featureGateInformer.Lister()
 	optr.cacheSynced = append(optr.cacheSynced, featureGateInformer.Informer().HasSynced)
 
+	optr.apiServerLister = apiServerInformer.Lister()
+
 	// make sure this is initialized after all the listers are initialized
 	optr.upgradeableChecks = optr.defaultUpgradeableChecks()
 
@@ -1184,3 +1188,8 @@ func (optr *Operator) shouldReconcileAcceptRisks() bool {
 	// HyperShift will be supported later if needed
 	return optr.enabledCVOFeatureGates.AcceptRisks() && !optr.hypershift
 }
+
+// APIServerLister returns the APIServer lister for accessing cluster TLS configuration
+func (optr *Operator) APIServerLister() configlistersv1.APIServerLister {
+	return optr.apiServerLister
+}
diff --git a/pkg/cvo/metrics.go b/pkg/cvo/metrics.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"slices"
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
@@ -27,6 +28,8 @@ import (
 	"k8s.io/klog/v2"
 
 	configv1 "github.com/openshift/api/config/v1"
+	configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
+	tlsprofile "github.com/openshift/controller-runtime-common/pkg/tls"
 	"github.com/openshift/library-go/pkg/crypto"
 
 	"github.com/openshift/cluster-version-operator/lib/resourcemerge"
@@ -134,6 +137,87 @@ type asyncResult struct {
 	error error
 }
 
+type cachedTLSProfile struct {
+	// spec is the TLS profile specification, or nil if no profile should be applied
+	spec  *configv1.TLSProfileSpec
+	apply func(*tls.Config)
+
+	// generation is used to detect when the APIServer resource has been updated for caching
+	generation int64
+}
+
+// getAPIServerTLSProfile fetches the cluster TLS profile from APIServer resource.
+// On error, returns cached profile or fails if no cache exists.
+func getAPIServerTLSProfile(apiServerLister configlistersv1.APIServerLister, lastValidProfile *cachedTLSProfile) (*cachedTLSProfile, error) {
+	apiServer, err := apiServerLister.Get(tlsprofile.APIServerName)
+	if err != nil {
+		klog.Errorf("Failed to get APIServer resource: %v", err)
+		return fallbackToCached(lastValidProfile)
+	}
+
+	// Check if the cached profile is still valid based on generation
+	if lastValidProfile != nil && lastValidProfile.generation == apiServer.Generation {
+		klog.V(4).Info("Using cached TLS profile (generation unchanged)")
+		return lastValidProfile, nil
+	}
+
+	if false { // TODO: Add TLS adherence logic when API changes merge
+		return &cachedTLSProfile{
+			spec:       nil,
+			apply:      func(config *tls.Config) {}, // do nothing
+			generation: apiServer.Generation,
+		}, nil
+	}
+
+	profile, err := tlsprofile.GetTLSProfileSpec(apiServer.Spec.TLSSecurityProfile)
+	if err != nil {
+		klog.Errorf("Failed to resolve TLS profile from APIServer: %v", err)
+		return fallbackToCached(lastValidProfile)
+	}
+
+	if lastValidProfile != nil && lastValidProfile.isEqual(&profile) {
+		klog.V(4).Info("TLS profile spec unchanged despite generation bump, updating generation")
+		return &cachedTLSProfile{
+			spec:       &profile,
+			apply:      lastValidProfile.apply,
+			generation: apiServer.Generation,
+		}, nil
+	}
+
+	applyTLSProfile, unsupportedCiphers := tlsprofile.NewTLSConfigFromProfile(profile)
+	if len(unsupportedCiphers) > 0 {
+		klog.Warningf("TLS profile contains unsupported ciphers (will be ignored): %v", unsupportedCiphers)
+	}
+	klog.Infof("TLS profile changed to: MinTLSVersion=%s, Ciphers=%v", profile.MinTLSVersion, profile.Ciphers)
+	return &cachedTLSProfile{
+		spec:       &profile,
+		apply:      applyTLSProfile,
+		generation: apiServer.Generation,
+	}, nil
+}
+
+// fallbackToCached returns the cached profile if available, otherwise returns an error.
+func fallbackToCached(lastValidProfile *cachedTLSProfile) (*cachedTLSProfile, error) {
+	if lastValidProfile != nil {
+		klog.Warningf("Using last valid TLS profile")
+		return lastValidProfile, nil
+	}
+	return nil, fmt.Errorf("no valid TLS profile available")
+}
+
+// isEqual checks if the cached profile matches the given profile spec.
+func (c *cachedTLSProfile) isEqual(profile *configv1.TLSProfileSpec) bool {
+	switch {
+	case c == nil || c.spec == nil:
+		return profile == nil
+	case profile == nil:
+		return false
+	default:
+		return c.spec.MinTLSVersion == profile.MinTLSVersion &&
+			slices.Equal(c.spec.Ciphers, profile.Ciphers)
+	}
+}
+
 func createHttpServer(options MetricsOptions, clientCA dynamiccertificates.CAContentProvider) *http.Server {
 	if options.DisableAuthentication && options.DisableAuthorization {
 		handler := http.NewServeMux()
@@ -276,7 +360,7 @@ type MetricsOptions struct {
 // Continues serving until runContext.Done() and then attempts a clean
 // shutdown limited by shutdownContext.Done(). Assumes runContext.Done()
 // occurs before or simultaneously with shutdownContext.Done().
-func RunMetrics(runContext context.Context, shutdownContext context.Context, restConfig *rest.Config, options MetricsOptions) error {
+func RunMetrics(runContext context.Context, shutdownContext context.Context, restConfig *rest.Config, apiServerLister configlistersv1.APIServerLister, options MetricsOptions) error {
 	if options.ListenAddress == "" {
 		return errors.New("listen address is required to serve metrics")
 	}
@@ -361,6 +445,7 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, res
 	// baseTlSConfig is a template passed to servingCertController,
 	// which generates updated configs via GetConfigForClient callback on each TLS handshake.
 	// This enables automatic certificate rotation without server restarts.
+	// The cluster TLS profile will be applied dynamically in GetConfigForClient.
 	baseTlSConfig := crypto.SecureTLSConfig(&tls.Config{ClientAuth: clientAuth})
 	servingCertController := dynamiccertificates.NewDynamicServingCertificateController(
 		baseTlSConfig,
@@ -388,6 +473,12 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, res
 	}()
 
 	server := createHttpServer(options, clientCA)
+
+	// lastValidProfile caches the last successfully fetched TLS profile and its apply function.
+	// On errors, we use this cached value to maintain stability rather than
+	// constantly switching between profiles on transient errors.
+	var lastValidProfile *cachedTLSProfile
+
 	tlsConfig := crypto.SecureTLSConfig(&tls.Config{
 		GetConfigForClient: func(clientHello *tls.ClientHelloInfo) (*tls.Config, error) {
 			config, err := servingCertController.GetConfigForClient(clientHello)
@@ -399,6 +490,14 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, res
 				err := fmt.Errorf("serving certificate controller returned nil TLS configuration")
 				return nil, err
 			}
+
+			profile, err := getAPIServerTLSProfile(apiServerLister, lastValidProfile)
+			if err != nil {
+				return nil, fmt.Errorf("failed to get TLS profile for metrics server: %w", err)
+			}
+			lastValidProfile = profile
+			profile.apply(config)
+
 			return config, nil
 		},
 	})
diff --git a/pkg/start/start.go b/pkg/start/start.go
@@ -356,7 +356,7 @@ func (o *Options) run(ctx context.Context, controllerCtx *Context, lock resource
 						resultChannelCount++
 						go func() {
 							defer utilruntime.HandleCrash()
-							err := cvo.RunMetrics(postMainContext, shutdownContext, restConfig, o.MetricsOptions)
+							err := cvo.RunMetrics(postMainContext, shutdownContext, restConfig, controllerCtx.CVO.APIServerLister(), o.MetricsOptions)
 							resultChannel <- asyncResult{name: "metrics server", error: err}
 						}()
 					}
@@ -615,6 +615,7 @@ func (o *Options) NewControllerContext(
 		configInformerFactory.Config().V1().Proxies(),
 		operatorInformerFactory,
 		configInformerFactory.Config().V1().FeatureGates(),
+		configInformerFactory.Config().V1().APIServers(),
 		cb.ClientOrDie(o.Namespace),
 		cvoKubeClient,
 		operatorClient,
