LOG-8972: Enhance cluster-logging-operator to react to cluster TLS Profile updates#3228
jcantrill wants to merge 6 commits into openshift:master from
Conversation
@jcantrill: This pull request references LOG-8972 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.8.0" version, but no target version was set.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Skipping CI for Draft Pull Request.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: jcantrill
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
…s config

Add functions to convert OpenShift TLSProfileSpec to Go crypto/tls.Config:
- CipherSuiteStringToID: Convert cipher suite names to crypto/tls IDs
- TLSVersionToConstant: Convert TLS version strings to crypto/tls constants
- TLSConfigFromProfile: Create crypto/tls.Config from TLSProfileSpec
- GetTLSConfigOptions: Get TLS config options for controller-runtime manager

These helpers enable the operator to apply cluster TLS profiles to its own endpoints (metrics server) by converting OpenShift's TLS configuration format to Go's native crypto/tls types.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…or on changes

Add a new controller that watches the APIServer resource for TLS profile changes and gracefully exits the operator pod when changes are detected. This allows Kubernetes to restart the pod with the new TLS configuration.

The controller:
- Watches APIServer resource with name "cluster"
- Compares current TLS profile to initial startup profile
- Exits with code 0 (graceful shutdown) when TLS profile changes
- Uses predicates to filter only TLS profile change events

This is necessary because the controller-runtime manager's TLS configuration is set at creation time and cannot be changed dynamically. Restarting the pod is the cleanest way to apply new TLS settings to the metrics server.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Configure the operator's metrics server to use the cluster TLS profile:
- Fetch cluster TLS profile at operator startup
- Apply TLS configuration (cipher suites and min TLS version) to metrics server
- Register TLS profile watcher controller to restart on profile changes
- Store initial TLS profile for comparison in watcher

The metrics server now respects the cluster's TLS security configuration, ensuring the operator adheres to the same security standards as other cluster components. When the cluster TLS profile changes, the operator pod will gracefully restart to apply the new configuration.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
… updates

Add APIServer watch to ClusterLogForwarder controller to trigger reconciliation when the cluster TLS profile changes:
- Watch APIServer resource for TLS profile changes
- Enqueue all ClusterLogForwarders when cluster TLS profile changes
- Use predicate to filter only TLS profile change events
- Regenerate collector configs with new TLS profile
- Roll out collector pods with updated configuration

This ensures collectors use the cluster TLS profile for output connections when the ClusterLogForwarder does not specify an output-specific profile. Output-level TLS profiles continue to take precedence over cluster profile.

The implementation is non-disruptive: collectors are stateless workloads that are safely rolled out with new configuration using Kubernetes' default rolling update strategy.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…dicates

Both tlsprofile and observability controllers had duplicate predicate implementations for filtering APIServer TLS profile changes. This consolidates the logic into a single shared implementation in the tls package.

The shared APIServerTLSProfileChangedPredicate function accepts a reconcileOnCreate parameter to handle the different behavior needs:
- tlsprofile controller (false): only watches updates, not creation
- observability controller (true): watches both creation and updates

This reduces code duplication and makes the predicate logic easier to maintain and test.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
/test all
/hold
/hold cancel
}

// Fetch and apply cluster TLS profile
tlsOpts, err := internaltls.GetTLSConfigOptions(k8sClient)
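Review bot: the `err` returned by `internaltls.GetTLSConfigOptions(k8sClient)` is assigned here but its handling lies outside the excerpt; the PR description states that when the APIServer resource cannot be fetched the operator logs a warning and falls back to the default TLS 1.2 configuration, so confirm the lines after this call do not abort startup on that error, and that the fallback branch is covered by a unit test, since a fallback to weaker settings is exactly the case that must be visible in the operator logs.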
GetTLSConfigOptions(k8sClient) calls FetchAPIServerTlsProfile internally and we repeat this call again in line 128
I believe this comment is obsolete with the most recent push
/hold
@jcantrill: The following tests failed, say
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Summary
This PR enhances the cluster-logging-operator to react to cluster TLS Profile updates, ensuring both the operator itself and deployed collectors use the cluster's TLS security configuration.
Fixes LOG-8972
Blocked by #3238

Changes
Operator's Own TLS Configuration
- TLSProfileSpec to Go crypto/tls.Config

Implementation Details
Part A: Operator TLS Configuration
Added internal/tls/tls.go conversion functions:
- CipherSuiteStringToID: Convert cipher suite names to crypto/tls IDs
- TLSVersionToConstant: Convert TLS version strings to crypto/tls constants
- TLSConfigFromProfile: Create crypto/tls.Config from TLSProfileSpec
- GetTLSConfigOptions: Get TLS options for controller-runtime manager
Created internal/controller/tlsprofile/ watcher controller:
Updated cmd/main.go:

Behavior
When Cluster TLS Profile Changes
Operator:
TLS Profile Precedence

Testing
Unit Tests
Verification
- make build - Success
- make lint - 0 issues
Manual Testing Recommendations
oc patch apiserver cluster --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Modern"}}}'
RBAC
No changes needed - existing ClusterRole already has permissions to read APIServer resources.
Notes
Why restart the operator? The controller-runtime manager's TLS configuration is set at creation time and cannot be dynamically updated. Restarting is the cleanest way to apply new TLS settings.
Impact on running collectors: The operator restart does not affect running collectors. They continue operating normally during the brief restart period.
TLS Curves: OpenShift's TLSProfileSpec doesn't have a separate field for EC curves. Curves are implicitly controlled by cipher suites (e.g., ECDHE cipher suites use EC curves).
Graceful degradation: If the APIServer resource cannot be fetched, the operator logs a warning and uses the default TLS configuration (TLS 1.2).
Commits
- feat(tls): Add TLS profile conversion helpers for crypto/tls config
- feat(controller): Add TLS profile watcher to restart operator on changes
- feat(operator): Apply cluster TLS profile to metrics endpoint

Documentation
Follow-up PR needed to update docs/features/tls_security_profile.adoc with:

🤖 Generated with Claude Code via /jira:solve [LOG-8972](https://redhat.atlassian.net/browse/LOG-8972)