Wire TLS security profile through operator to service config.

onmete · onmete · commit 064aa10b009d · 2026-03-26T08:51:45.000+01:00
Propagate the CR tlsSecurityProfile into generated olsconfig.yaml (with Intermediate defaults) so service endpoint TLS follows operator/user configuration, and add appserver coverage for default, modern, and custom profiles.

Made-with: Cursor
diff --git a/internal/controller/appserver/assets.go b/internal/controller/appserver/assets.go
@@ -8,7 +8,10 @@ import (
 	"slices"
 	"strings"
 
+	configv1 "github.com/openshift/api/config/v1"
+
 	"github.com/openshift/lightspeed-operator/internal/controller/reconciler"
+	utiltls "github.com/openshift/lightspeed-operator/internal/tls"
 
 	monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -284,6 +287,17 @@ func buildOLSConfig(r reconciler.Reconciler, ctx context.Context, cr *olsv1alpha
 		ProxyConfig: proxyConfig,
 	}
 
+	tlsProfileType := utiltls.DefaultTLSProfileType
+	if cr.Spec.OLSConfig.TLSSecurityProfile != nil && cr.Spec.OLSConfig.TLSSecurityProfile.Type != "" {
+		tlsProfileType = cr.Spec.OLSConfig.TLSSecurityProfile.Type
+	}
+	tlsProfileSpec := utiltls.GetTLSProfileSpec(cr.Spec.OLSConfig.TLSSecurityProfile)
+	olsConfig.TLSSecurityProfile = &utils.TLSSecurityProfileConfig{
+		ProfileType:   serviceTLSProfileType(tlsProfileType),
+		MinTLSVersion: utiltls.MinTLSVersion(tlsProfileSpec),
+		Ciphers:       utiltls.TLSCiphers(tlsProfileSpec),
+	}
+
 	return olsConfig, nil
 }
 
@@ -398,8 +412,6 @@ func GenerateOLSConfigMap(r reconciler.Reconciler, ctx context.Context, cr *olsv
 		return nil, err
 	}
 
-	// Add quota handlers configuration if specified
-	// This configures rate limiting and token tracking for API usage
 	if cr.Spec.OLSConfig.QuotaHandlersConfig != nil {
 		olsConfig.QuotaHandlersConfig = &utils.QuotaHandlersConfig{
 			Storage: postgresCacheConfig(r, cr),
@@ -888,6 +900,21 @@ func GenerateMetricsReaderSecret(r reconciler.Reconciler, cr *olsv1alpha1.OLSCon
 	return secret, nil
 }
 
+func serviceTLSProfileType(profileType configv1.TLSProfileType) string {
+	switch profileType {
+	case configv1.TLSProfileOldType:
+		return "OldType"
+	case configv1.TLSProfileIntermediateType:
+		return "IntermediateType"
+	case configv1.TLSProfileModernType:
+		return "ModernType"
+	case configv1.TLSProfileCustomType:
+		return "Custom"
+	default:
+		return "IntermediateType"
+	}
+}
+
 func getQueryFilters(cr *olsv1alpha1.OLSConfig) []utils.QueryFilters {
 	if cr.Spec.OLSConfig.QueryFilters == nil {
 		return nil
diff --git a/internal/controller/appserver/assets_test.go b/internal/controller/appserver/assets_test.go
@@ -8,6 +8,7 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	. "github.com/onsi/gomega/gstruct"
+	configv1 "github.com/openshift/api/config/v1"
 	monv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 
@@ -104,6 +105,11 @@ var _ = Describe("App server assets", func() {
 						TLSCertificatePath: path.Join(utils.OLSAppCertsMountRoot, utils.OLSCertsSecretName, "tls.crt"),
 						TLSKeyPath:         path.Join(utils.OLSAppCertsMountRoot, utils.OLSCertsSecretName, "tls.key"),
 					},
+					TLSSecurityProfile: &utils.TLSSecurityProfileConfig{
+						ProfileType:   "IntermediateType",
+						MinTLSVersion: string(configv1.TLSProfiles[configv1.TLSProfileIntermediateType].MinTLSVersion),
+						Ciphers:       configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers,
+					},
 					ReferenceContent: utils.ReferenceContent{
 						EmbeddingsModelPath: "/app-root/embeddings_model",
 						Indexes: []utils.ReferenceIndex{
@@ -154,6 +160,48 @@ var _ = Describe("App server assets", func() {
 			utils.DeleteTelemetryPullSecret(ctx, k8sClient)
 		})
 
+		It("should generate configmap with modern TLS security profile", func() {
+			cr.Spec.OLSConfig.TLSSecurityProfile = &configv1.TLSSecurityProfile{
+				Type: configv1.TLSProfileModernType,
+			}
+			cm, err := GenerateOLSConfigMap(testReconcilerInstance, context.TODO(), cr)
+			Expect(err).NotTo(HaveOccurred())
+
+			var olsConfigMap map[string]interface{}
+			err = yaml.Unmarshal([]byte(cm.Data[utils.OLSConfigFilename]), &olsConfigMap)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(olsConfigMap).To(HaveKeyWithValue("ols_config", HaveKeyWithValue("tlsSecurityProfile", MatchKeys(Options(IgnoreExtras), Keys{
+				"type":          Equal("ModernType"),
+				"minTLSVersion": Equal(string(configv1.TLSProfiles[configv1.TLSProfileModernType].MinTLSVersion)),
+			}))))
+		})
+
+		It("should generate configmap with custom TLS security profile", func() {
+			cr.Spec.OLSConfig.TLSSecurityProfile = &configv1.TLSSecurityProfile{
+				Type: configv1.TLSProfileCustomType,
+				Custom: &configv1.CustomTLSProfile{
+					TLSProfileSpec: configv1.TLSProfileSpec{
+						MinTLSVersion: configv1.VersionTLS13,
+						Ciphers: []string{
+							"TLS_AES_128_GCM_SHA256",
+							"TLS_AES_256_GCM_SHA384",
+						},
+					},
+				},
+			}
+			cm, err := GenerateOLSConfigMap(testReconcilerInstance, context.TODO(), cr)
+			Expect(err).NotTo(HaveOccurred())
+
+			var olsConfigMap map[string]interface{}
+			err = yaml.Unmarshal([]byte(cm.Data[utils.OLSConfigFilename]), &olsConfigMap)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(olsConfigMap).To(HaveKeyWithValue("ols_config", HaveKeyWithValue("tlsSecurityProfile", MatchKeys(Options(IgnoreExtras), Keys{
+				"type":          Equal("Custom"),
+				"minTLSVersion": Equal("VersionTLS13"),
+				"ciphers":       ContainElements("TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"),
+			}))))
+		})
+
 		It("should generate configmap with queryFilters", func() {
 			crWithFilters := utils.WithQueryFilters(cr)
 			cm, err := GenerateOLSConfigMap(testReconcilerInstance, context.TODO(), crWithFilters)
@@ -1237,6 +1285,19 @@ ols_config:
     - product_docs_index_id: ocp-product-docs-` + major + `_` + minor + `
       product_docs_index_path: /app-root/vector_db/ocp_product_docs/` + major + `.` + minor + `
       product_docs_origin: Red Hat OpenShift 123.456 documentation
+  tlsSecurityProfile:
+    ciphers:
+    - TLS_AES_128_GCM_SHA256
+    - TLS_AES_256_GCM_SHA384
+    - TLS_CHACHA20_POLY1305_SHA256
+    - ECDHE-ECDSA-AES128-GCM-SHA256
+    - ECDHE-RSA-AES128-GCM-SHA256
+    - ECDHE-ECDSA-AES256-GCM-SHA384
+    - ECDHE-RSA-AES256-GCM-SHA384
+    - ECDHE-ECDSA-CHACHA20-POLY1305
+    - ECDHE-RSA-CHACHA20-POLY1305
+    minTLSVersion: VersionTLS12
+    type: IntermediateType
   tls_config:
     tls_certificate_path: /etc/certs/lightspeed-tls/tls.crt
     tls_key_path: /etc/certs/lightspeed-tls/tls.key
@@ -1297,6 +1358,19 @@ ols_config:
     - product_docs_index_id: ocp-product-docs-` + major + `_` + minor + `
       product_docs_index_path: /app-root/vector_db/ocp_product_docs/` + major + `.` + minor + `
       product_docs_origin: Red Hat OpenShift 123.456 documentation
+  tlsSecurityProfile:
+    ciphers:
+    - TLS_AES_128_GCM_SHA256
+    - TLS_AES_256_GCM_SHA384
+    - TLS_CHACHA20_POLY1305_SHA256
+    - ECDHE-ECDSA-AES128-GCM-SHA256
+    - ECDHE-RSA-AES128-GCM-SHA256
+    - ECDHE-ECDSA-AES256-GCM-SHA384
+    - ECDHE-RSA-AES256-GCM-SHA384
+    - ECDHE-ECDSA-CHACHA20-POLY1305
+    - ECDHE-RSA-CHACHA20-POLY1305
+    minTLSVersion: VersionTLS12
+    type: IntermediateType
   tls_config:
     tls_certificate_path: /etc/certs/lightspeed-tls/tls.crt
     tls_key_path: /etc/certs/lightspeed-tls/tls.key
diff --git a/internal/controller/appserver/deployment.go b/internal/controller/appserver/deployment.go
@@ -23,7 +23,6 @@ import (
 	"github.com/openshift/lightspeed-operator/internal/controller/utils"
 )
 
-
 func getOLSServerResources(cr *olsv1alpha1.OLSConfig) *corev1.ResourceRequirements {
 	return utils.GetResourcesOrDefault(
 		cr.Spec.OLSConfig.DeploymentConfig.APIContainer.Resources,
@@ -496,7 +495,7 @@ func GenerateOLSDeployment(r reconciler.Reconciler, cr *olsv1alpha1.OLSConfig) (
 			Image:           r.GetOpenShiftMCPServerImage(),
 			ImagePullPolicy: corev1.PullIfNotPresent,
 			SecurityContext: utils.RestrictedContainerSecurityContext(),
-			VolumeMounts: []corev1.VolumeMount{configMount},
+			VolumeMounts:    []corev1.VolumeMount{configMount},
 			Command: []string{
 				"/openshift-mcp-server",
 				"--read-only",
diff --git a/internal/controller/console/deployment.go b/internal/controller/console/deployment.go
@@ -58,7 +58,7 @@ func GenerateConsoleUIDeployment(r reconciler.Reconciler, cr *olsv1alpha1.OLSCon
 									Protocol:      corev1.ProtocolTCP,
 								},
 							},
-						SecurityContext: utils.RestrictedContainerSecurityContext(),
+							SecurityContext: utils.RestrictedContainerSecurityContext(),
 							ImagePullPolicy: corev1.PullAlways,
 							Env:             utils.GetProxyEnvVars(),
 							Resources:       *resources,
diff --git a/internal/controller/postgres/deployment.go b/internal/controller/postgres/deployment.go
@@ -205,9 +205,9 @@ func GeneratePostgresDeployment(r reconciler.Reconciler, ctx context.Context, cr
 									Protocol:      corev1.ProtocolTCP,
 								},
 							},
-						SecurityContext: utils.RestrictedContainerSecurityContext(),
-							VolumeMounts: volumeMounts,
-							Resources:    *databaseResources,
+							SecurityContext: utils.RestrictedContainerSecurityContext(),
+							VolumeMounts:    volumeMounts,
+							Resources:       *databaseResources,
 							Env: []corev1.EnvVar{
 								{
 									Name:  "POSTGRESQL_USER",
diff --git a/internal/controller/utils/types.go b/internal/controller/utils/types.go
@@ -165,6 +165,8 @@ type OLSConfig struct {
 	ConversationCache ConversationCacheConfig `json:"conversation_cache,omitempty"`
 	// TLS configuration
 	TLSConfig TLSConfig `json:"tls_config,omitempty"`
+	// TLS security profile for service endpoint
+	TLSSecurityProfile *TLSSecurityProfileConfig `json:"tlsSecurityProfile,omitempty"`
 	// Query filters
 	QueryFilters []QueryFilters `json:"query_filters,omitempty"`
 	// Reference content for RAG
@@ -187,6 +189,15 @@ type OLSConfig struct {
 	ToolsApproval *ToolsApprovalConfig `json:"tools_approval,omitempty"`
 }
 
+type TLSSecurityProfileConfig struct {
+	// Profile type expected by the service (OldType, IntermediateType, ModernType, Custom)
+	ProfileType string `json:"type,omitempty"`
+	// Minimum TLS protocol version (VersionTLS12, VersionTLS13, ...)
+	MinTLSVersion string `json:"minTLSVersion,omitempty"`
+	// Allowed ciphers in OpenSSL format
+	Ciphers []string `json:"ciphers,omitempty"`
+}
+
 // ToolFilteringConfig defines configuration for tool filtering using hybrid RAG retrieval
 // The embedding model is not exposed as it's handled by the container image
 type ToolFilteringConfig struct {
