metrics: Introduce override flags for TLS configuration to support HyperShift

Introducing new flags based on a recommendation from the centralized TLS
config enhancement [1] to support HyperShift

> When these flags are set by the CPO, they take precedence over any
> value the component would read from
> apiservers.config.openshift.io/cluster. When they are not set, the
> component falls back to its normal behavior of watching the cluster config.

[1]: https://github.com/openshift/enhancements/blob/master/enhancements/security/centralized-tls-config.md

Author: DavidHurta

cmd/cluster-version-operator/start.go

@@ -2,9 +2,11 @@ package main
 
 import (
 	"context"
+	"strings"
 
 	"github.com/spf13/cobra"
 
+	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog/v2"
 
 	"github.com/openshift/cluster-version-operator/pkg/start"
@@ -37,6 +39,8 @@ func init() {
 	cmd.PersistentFlags().StringVar(&opts.ReleaseImage, "release-image", opts.ReleaseImage, "The Openshift release image url.")
 	cmd.PersistentFlags().StringVar(&opts.MetricsOptions.ServingCertFile, "serving-cert-file", opts.MetricsOptions.ServingCertFile, "The X.509 certificate file for serving metrics over HTTPS.  You must set both --serving-cert-file and --serving-key-file unless you set --listen empty.")
 	cmd.PersistentFlags().StringVar(&opts.MetricsOptions.ServingKeyFile, "serving-key-file", opts.MetricsOptions.ServingKeyFile, "The X.509 key file for serving metrics over HTTPS.  You must set both --serving-cert-file and --serving-key-file unless you set --listen empty.")
+	cmd.PersistentFlags().StringVar(&opts.MetricsOptions.TLSMinVersionOverride, "tls-min-version", opts.MetricsOptions.TLSMinVersionOverride, "Minimum TLS version supported. When set, overrides the value from the central TLS profile. Possible values: "+strings.Join(cliflag.TLSPossibleVersions(), ", "))
+	cmd.PersistentFlags().StringSliceVar(&opts.MetricsOptions.TLSCipherSuitesOverride, "tls-cipher-suites", opts.MetricsOptions.TLSCipherSuitesOverride, "Comma-separated list of cipher suites for the server. When set, overrides the value from the central TLS profile. Accepts the cipher suite names defined by Go's crypto/tls package.")
 	cmd.PersistentFlags().StringVar(&opts.PromQLTarget.CABundleFile, "metrics-ca-bundle-file", opts.PromQLTarget.CABundleFile, "The service CA bundle file containing one or more X.509 certificate files for validating certificates generated from the service CA for the respective remote PromQL query service.")
 	cmd.PersistentFlags().StringVar(&opts.PromQLTarget.BearerTokenFile, "metrics-token-file", opts.PromQLTarget.BearerTokenFile, "The bearer token file used to access the remote PromQL query service.")
 	cmd.PersistentFlags().StringVar(&opts.PromQLTarget.KubeSvc.Namespace, "metrics-namespace", opts.PromQLTarget.KubeSvc.Namespace, "The name of the namespace where the the remote PromQL query service resides. Must be specified when --use-dns-for-services is disabled.")

pkg/cvo/metrics.go

@@ -24,6 +24,7 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
+	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/klog/v2"
 
 	configv1 "github.com/openshift/api/config/v1"
@@ -326,6 +327,53 @@ type MetricsOptions struct {
 
 	DisableAuthentication bool
 	DisableAuthorization  bool
+
+	// TLSMinVersionOverride is the minimum TLS version supported.
+	// When set, it takes precedence over the central TLS profile.
+	TLSMinVersionOverride string
+
+	// TLSCipherSuitesOverride is the list of allowed cipher suites for the server.
+	// When set, it takes precedence over the central TLS profile.
+	TLSCipherSuitesOverride []string
+}
+
+// ValidateTLSOptions validates the TLS configuration options.
+func (o *MetricsOptions) ValidateTLSOptions() error {
+	if o.TLSMinVersionOverride != "" {
+		if _, err := cliflag.TLSVersion(o.TLSMinVersionOverride); err != nil {
+			return fmt.Errorf("invalid --tls-min-version %q: %w (valid values: %v)", o.TLSMinVersionOverride, err, cliflag.TLSPossibleVersions())
+		}
+	}
+
+	if len(o.TLSCipherSuitesOverride) > 0 {
+		if _, err := cliflag.TLSCipherSuites(o.TLSCipherSuitesOverride); err != nil {
+			return fmt.Errorf("invalid --tls-cipher-suites: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// ApplyTLSOptions applies the TLS configuration options to the provided tls.Config.
+// When flags are set, they override the corresponding settings from the central TLS profile.
+func (o *MetricsOptions) ApplyTLSOptions(config *tls.Config) error {
+	if o.TLSMinVersionOverride != "" {
+		minVersion, err := cliflag.TLSVersion(o.TLSMinVersionOverride)
+		if err != nil {
+			return fmt.Errorf("invalid --tls-min-version %q: %w", o.TLSMinVersionOverride, err)
+		}
+		config.MinVersion = minVersion
+	}
+
+	if len(o.TLSCipherSuitesOverride) > 0 {
+		cipherSuites, err := cliflag.TLSCipherSuites(o.TLSCipherSuitesOverride)
+		if err != nil {
+			return fmt.Errorf("invalid --tls-cipher-suites: %w", err)
+		}
+		config.CipherSuites = cipherSuites
+	}
+
+	return nil
 }
 
 // RunMetrics launches an HTTPS server bound to listenAddress serving
@@ -344,6 +392,17 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, res
 		return errors.New("invalid configuration: cannot enable authorization without authentication")
 	}
 
+	if err := options.ValidateTLSOptions(); err != nil {
+		return fmt.Errorf("invalid TLS configuration: %w", err)
+	}
+
+	if options.TLSMinVersionOverride != "" {
+		klog.Infof("TLS min version flag set to %s, will override central TLS profile", options.TLSMinVersionOverride)
+	}
+	if len(options.TLSCipherSuitesOverride) > 0 {
+		klog.Infof("TLS cipher suites flag set to %v, will override central TLS profile", options.TLSCipherSuitesOverride)
+	}
+
 	// Prepare synchronization for to-be created go routines
 	metricsContext, metricsContextCancel := context.WithCancel(runContext)
 	defer metricsContextCancel()
@@ -474,6 +533,11 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, res
 			lastApplier = applier
 			applier.applyTLSProfile(config)
 
+			// Then apply flag-based overrides
+			if err := options.ApplyTLSOptions(config); err != nil {
+				return nil, fmt.Errorf("failed to apply TLS options: %w", err)
+			}
+
 			return config, nil
 		},
 	})