611 changes: 589 additions & 22 deletions bundle/manifests/argoproj.io_argocds.yaml

Expand Up @@ -589,6 +589,7 @@ spec:
- apiGroups:
- config.openshift.io
resources:
- apiservers
- authentications
- clusterversions
- ingresses
63 changes: 58 additions & 5 deletions cmd/main.go
Expand Up @@ -17,6 +17,7 @@
package main

import (
"context"
"crypto/tls"
"flag"
"fmt"
Expand Down Expand Up @@ -46,6 +47,7 @@
oauthv1 "github.com/openshift/api/oauth/v1"
routev1 "github.com/openshift/api/route/v1"
templatev1 "github.com/openshift/api/template/v1"
tlspkg "github.com/openshift/controller-runtime-common/pkg/tls"
operatorsv1 "github.com/operator-framework/api/pkg/operators/v1"
operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
Expand Down Expand Up @@ -131,6 +133,8 @@
flag.Parse()

ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
defer cancel()

if err := util.InspectCluster(); err != nil {
setupLog.Info("unable to inspect cluster")
Expand All @@ -142,15 +146,40 @@
}
c.NextProtos = []string{"http/1.1"}
}

restConfig := ctrl.GetConfigOrDie()
// Register config.openshift.io APIs before creating bootstrap client
utilruntime.Must(configv1.Install(scheme))
bootstrapClient, err := crclient.New(restConfig, crclient.Options{
Scheme: scheme,
})
if err != nil {
setupLog.Error(err, "unable to create bootstrap client")
os.Exit(1)
}
var profile configv1.TLSProfileSpec
profile, err = tlspkg.FetchAPIServerTLSProfile(ctx, bootstrapClient)
if err != nil {
setupLog.Error(err, "unable to fetch cluster TLS profile")
os.Exit(1)
}
This needs to be handled properly for non-fatal errors without exiting, as we want the operator to work on non OpenShift clusters as well. Refer to #1157 or talk to @anandrkskd for more details.
will check with anand on this
After Anand's changes land, I will refactor this for the non-OpenShift cluster scenario.

tlsOpts := []func(*tls.Config){disableHTTP2}
tlsConfigFn, unsupported := tlspkg.NewTLSConfigFromProfile(profile)
if len(unsupported) > 0 {
setupLog.Info("TLS profile contains unsupported Go cipher suites", "ciphers", unsupported)
}

tlsOpts = append(tlsOpts, tlsConfigFn)

webhookServerOptions := webhook.Options{
TLSOpts: []func(config *tls.Config){disableHTTP2},
TLSOpts: tlsOpts,
Port: 9443,
}
webhookServer := webhook.NewServer(webhookServerOptions)

metricsServerOptions := metricsserver.Options{
BindAddress: metricsAddr,
TLSOpts: []func(*tls.Config){disableHTTP2},
TLSOpts: tlsOpts,
FilterProvider: filters.WithAuthenticationAndAuthorization,
}

Expand Down Expand Up @@ -180,15 +209,35 @@
}
}

mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), options)
mgr, err := ctrl.NewManager(restConfig, options)
if err != nil {
setupLog.Error(err, "unable to start manager")
os.Exit(1)
}

watcher := &tlspkg.SecurityProfileWatcher{
Client: mgr.GetClient(),
InitialTLSProfileSpec: profile,
OnProfileChange: func(_ context.Context, oldProfile, newProfile configv1.TLSProfileSpec) {
if reflect.DeepEqual(oldProfile, newProfile) {
return
}
setupLog.Info("cluster TLS profile changed, restarting operator",
"oldProfileMinVersion", oldProfile.MinTLSVersion,
"newProfileMinVersion", newProfile.MinTLSVersion)

cancel()
},
}

if err := watcher.SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to setup TLS security profile watcher")
os.Exit(1)
}

var client crclient.Client
if strings.ToLower(os.Getenv("MEMORY_OPTIMIZATION_ENABLED")) != "false" {
liveClient, err := crclient.New(ctrl.GetConfigOrDie(), crclient.Options{Scheme: mgr.GetScheme()})
liveClient, err := crclient.New(restConfig, crclient.Options{Scheme: mgr.GetScheme()})
if err != nil {
setupLog.Error(err, "unable to create live client")
os.Exit(1)
Expand Down Expand Up @@ -266,6 +315,10 @@
K8sClient: k8sClient,
LocalUsers: argocdprovisioner.NewLocalUsersInfo(),
FipsConfigChecker: argoutil.NewLinuxFipsConfigChecker(),
CentralTlsConfigProfile: argocdprovisioner.TlsConfigProfile{

undefined: argocdprovisioner.TlsConfigProfile

unknown field CentralTlsConfigProfile in struct literal of type "github.com/argoproj-labs/argocd-operator/controllers/argocd".ReconcileArgoCD
MinVersion: profile.MinTLSVersion,
Ciphers: profile.Ciphers,
},
}).SetupWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create controller", "controller", "Argo CD")
os.Exit(1)
Expand Down Expand Up @@ -314,7 +367,7 @@
}

setupLog.Info("starting manager")
if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
if err := mgr.Start(ctx); err != nil {
setupLog.Error(err, "problem running manager")
os.Exit(1)
}
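Review bot: In the `SecurityProfileWatcher` hunk, `OnProfileChange` logs only `MinTLSVersion` before calling `cancel()`, so a profile whose cipher list changed while the minimum version stayed the same logs two identical values and leaves no record of what triggered the shutdown; adding `"oldCiphers", oldProfile.Ciphers, "newCiphers", newProfile.Ciphers` to that `setupLog.Info` call would make the trigger visible. The "restarting operator" message is also only true indirectly: `cancel()` makes `mgr.Start(ctx)` return and `main` then exits normally, so the restart with the new profile depends on the pod's restart policy, which a comment on the `cancel()` line such as `// Cancelling the manager context stops mgr.Start; the pod restart policy brings the operator back with the new profile.` should record. In the earlier hunk, `tlsConfigFn` is appended to `tlsOpts` unconditionally; if `tlspkg.NewTLSConfigFromProfile` can return a nil function for a profile it cannot map (only `unsupported` is inspected here), both servers would call a nil `func(*tls.Config)`, so a `if tlsConfigFn != nil` guard is cheap insurance — whether nil is possible depends on the library and is not visible on this page. The enclosing `main` starts and ends outside these hunks.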