NO-JIRA: restart operator upon tls config change

when the cluster wide tls config changes we now restart the operator by
cancelling the run context. by doing so we ensure that the metrics end
point will always use the correct tls version and ciphers.

Author: ricardomaraschini

pkg/cvo/metrics.go

@@ -27,6 +27,7 @@ import (
 	"k8s.io/klog/v2"
 
 	configv1 "github.com/openshift/api/config/v1"
+	configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
 	"github.com/openshift/library-go/pkg/crypto"
 
 	"github.com/openshift/cluster-version-operator/lib/resourcemerge"
@@ -267,6 +268,74 @@ type MetricsOptions struct {
 
 	DisableAuthentication bool
 	DisableAuthorization  bool
+
+	// TLS configuration observed from APIServer cluster object
+	MinTLSVersion uint16
+	CipherSuites  []uint16
+}
+
+// ObserveAPIServerTLSConfig extracts and converts TLS configuration from the
+// APIServer object. Always returns valid defaults even if APIServer object is
+// missing, has no TLS profile configured, or contains invalid values. Never
+// returns an error, any issues result in default values being returned.
+func ObserveAPIServerTLSConfig(ctx context.Context, lister configlistersv1.APIServerLister) (uint16, []uint16) {
+	defaultProfileConfig := configv1.TLSProfiles[crypto.DefaultTLSProfileType]
+
+	// capture the defaults. if we fail at any stage on this function we
+	// log and return the default values.
+	defaultMinTLS := crypto.TLSVersionOrDie(string(defaultProfileConfig.MinTLSVersion))
+	defaultCipherSuites := crypto.CipherSuitesOrDie(crypto.OpenSSLToIANACipherSuites(defaultProfileConfig.Ciphers))
+
+	apiServer, err := lister.Get("cluster")
+	if err != nil {
+		klog.V(4).Infof("Unable to read APIServer object, using default TLS profile: %v", err)
+		return defaultMinTLS, defaultCipherSuites
+	}
+
+	if apiServer.Spec.TLSSecurityProfile == nil {
+		return defaultMinTLS, defaultCipherSuites
+	}
+
+	profile := apiServer.Spec.TLSSecurityProfile
+
+	profileConfig := configv1.TLSProfiles[profile.Type]
+	if profile.Type == configv1.TLSProfileCustomType {
+		if profile.Custom == nil {
+			klog.Warningf("APIServer TLS profile type is Custom but no custom spec provided, using default TLS profile")
+			return defaultMinTLS, defaultCipherSuites
+		}
+		profileConfig = &profile.Custom.TLSProfileSpec
+	}
+
+	if profileConfig == nil {
+		klog.Warningf("TLS config for profile %q not found, using default TLS profile", profile.Type)
+		return defaultMinTLS, defaultCipherSuites
+	}
+
+	minTLSVersion, err := crypto.TLSVersion(string(profileConfig.MinTLSVersion))
+	if err != nil {
+		klog.Warningf("Invalid minTLSVersion %q in APIServer TLS profile, using default: %v", profileConfig.MinTLSVersion, err)
+		return defaultMinTLS, defaultCipherSuites
+	}
+
+	// convert OpenSSL cipher names to IANA names.
+	ianaCiphers := crypto.OpenSSLToIANACipherSuites(profileConfig.Ciphers)
+	if len(ianaCiphers) == 0 {
+		klog.Warningf("Failed to convert APIServer cipher suites %v to IANA format, using defaults", profileConfig.Ciphers)
+		return defaultMinTLS, defaultCipherSuites
+	}
+
+	cipherSuites := make([]uint16, 0, len(ianaCiphers))
+	for _, cipherName := range ianaCiphers {
+		cipher, err := crypto.CipherSuite(cipherName)
+		if err != nil {
+			klog.Warningf("Invalid cipher suite %q in APIServer TLS profile, using default TLS profile: %v", cipherName, err)
+			return defaultMinTLS, defaultCipherSuites
+		}
+		cipherSuites = append(cipherSuites, cipher)
+	}
+
+	return minTLSVersion, cipherSuites
 }
 
 // RunMetrics launches an HTTPS server bound to listenAddress serving
@@ -362,6 +431,15 @@ func RunMetrics(runContext context.Context, shutdownContext context.Context, res
 	// which generates updated configs via GetConfigForClient callback on each TLS handshake.
 	// This enables automatic certificate rotation without server restarts.
 	baseTlSConfig := crypto.SecureTLSConfig(&tls.Config{ClientAuth: clientAuth})
+
+	// Apply APIServer TLS configuration from options
+	if options.MinTLSVersion != 0 {
+		baseTlSConfig.MinVersion = options.MinTLSVersion
+	}
+	if len(options.CipherSuites) > 0 {
+		baseTlSConfig.CipherSuites = options.CipherSuites
+	}
+
 	servingCertController := dynamiccertificates.NewDynamicServingCertificateController(
 		baseTlSConfig,
 		clientCA,

pkg/cvo/metrics_test.go

@@ -18,11 +18,14 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	"k8s.io/client-go/tools/record"
 
 	configv1 "github.com/openshift/api/config/v1"
+	fakeconfigclientv1 "github.com/openshift/client-go/config/clientset/versioned/fake"
+	configinformers "github.com/openshift/client-go/config/informers/externalversions"
 	"github.com/openshift/library-go/pkg/crypto"
 
 	"github.com/openshift/cluster-version-operator/pkg/featuregates"
@@ -1428,3 +1431,130 @@ func (m *mockCAProvider) VerifyOptions() (x509.VerifyOptions, bool) {
 
 func (m *mockCAProvider) AddListener(_ dynamiccertificates.Listener) {
 }
+
+func TestObserveAPIServerTLSConfig(t *testing.T) {
+	ctx := t.Context()
+
+	tests := []struct {
+		name             string
+		apiServer        *configv1.APIServer
+		expectMinVersion uint16
+		checkCiphers     bool
+	}{
+		{
+			name: "custom TLS profile",
+			apiServer: &configv1.APIServer{
+				ObjectMeta: metav1.ObjectMeta{Name: "cluster"},
+				Spec: configv1.APIServerSpec{
+					TLSSecurityProfile: &configv1.TLSSecurityProfile{
+						Type: configv1.TLSProfileCustomType,
+						Custom: &configv1.CustomTLSProfile{
+							TLSProfileSpec: configv1.TLSProfileSpec{
+								MinTLSVersion: configv1.VersionTLS13,
+								Ciphers: []string{
+									"TLS_AES_128_GCM_SHA256",
+									"TLS_AES_256_GCM_SHA384",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectMinVersion: tls.VersionTLS13,
+			checkCiphers:     true,
+		},
+		{
+			name: "intermediate TLS profile",
+			apiServer: &configv1.APIServer{
+				ObjectMeta: metav1.ObjectMeta{Name: "cluster"},
+				Spec: configv1.APIServerSpec{
+					TLSSecurityProfile: &configv1.TLSSecurityProfile{
+						Type: configv1.TLSProfileIntermediateType,
+					},
+				},
+			},
+			expectMinVersion: tls.VersionTLS12,
+			checkCiphers:     true,
+		},
+		{
+			name:             "no APIServer object (uses defaults)",
+			apiServer:        nil,
+			expectMinVersion: tls.VersionTLS12, // default is intermediate
+			checkCiphers:     true,
+		},
+		{
+			name: "nil TLS profile (uses defaults)",
+			apiServer: &configv1.APIServer{
+				ObjectMeta: metav1.ObjectMeta{Name: "cluster"},
+				Spec:       configv1.APIServerSpec{},
+			},
+			expectMinVersion: tls.VersionTLS12,
+			checkCiphers:     true,
+		},
+		{
+			name: "custom TLS profile type but no custom spec (uses defaults)",
+			apiServer: &configv1.APIServer{
+				ObjectMeta: metav1.ObjectMeta{Name: "cluster"},
+				Spec: configv1.APIServerSpec{
+					TLSSecurityProfile: &configv1.TLSSecurityProfile{
+						Type: configv1.TLSProfileCustomType,
+					},
+				},
+			},
+			expectMinVersion: tls.VersionTLS12,
+			checkCiphers:     true,
+		},
+		{
+			name: "invalid TLS version and cipher suites (uses defaults)",
+			apiServer: &configv1.APIServer{
+				ObjectMeta: metav1.ObjectMeta{Name: "cluster"},
+				Spec: configv1.APIServerSpec{
+					TLSSecurityProfile: &configv1.TLSSecurityProfile{
+						Type: configv1.TLSProfileCustomType,
+						Custom: &configv1.CustomTLSProfile{
+							TLSProfileSpec: configv1.TLSProfileSpec{
+								MinTLSVersion: "InvalidTLSVersion",
+								Ciphers: []string{
+									"RANDOM_CIPHER_123",
+									"INVALID_CIPHER_XYZ",
+									"NOT_A_REAL_CIPHER",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectMinVersion: tls.VersionTLS12,
+			checkCiphers:     true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create fake client and informer
+			var objects []runtime.Object
+			if tt.apiServer != nil {
+				objects = append(objects, tt.apiServer)
+			}
+			fakeClient := fakeconfigclientv1.NewSimpleClientset(objects...)
+			informerFactory := configinformers.NewSharedInformerFactory(fakeClient, 0)
+			lister := informerFactory.Config().V1().APIServers().Lister()
+
+			// Start informers and wait for cache sync
+			stopCh := make(chan struct{})
+			defer close(stopCh)
+			informerFactory.Start(stopCh)
+			informerFactory.WaitForCacheSync(stopCh)
+
+			minVer, ciphers := ObserveAPIServerTLSConfig(ctx, lister)
+
+			if minVer != tt.expectMinVersion {
+				t.Errorf("expected minTLSVersion 0x%04x, got 0x%04x", tt.expectMinVersion, minVer)
+			}
+
+			if tt.checkCiphers && len(ciphers) == 0 {
+				t.Errorf("expected cipher suites to be non-empty")
+			}
+		})
+	}
+}

pkg/start/start.go

@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"os"
 	"os/signal"
+	"slices"
 	"syscall"
 	"time"
 
@@ -26,6 +27,7 @@ import (
 	"k8s.io/client-go/kubernetes/scheme"
 	coreclientsetv1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/leaderelection"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
@@ -326,6 +328,31 @@ func (o *Options) run(ctx context.Context, controllerCtx *Context, lock resource
 	resultChannel := make(chan asyncResult, 1)
 	resultChannelCount := 0
 
+	// add a watcher for APIServer TLS config changes before starting
+	// informers. this watcher will stop the cvo upon tls configuration
+	// changes (we need to restart it).
+	if o.MetricsOptions.ListenAddress != "" {
+		apiServerInformer := controllerCtx.ConfigInformerFactory.Config().V1().APIServers()
+		startMinTLS, startCiphers := cvo.ObserveAPIServerTLSConfig(runContext, apiServerInformer.Lister())
+
+		handler := func() {
+			currentMinTLS, currentCiphers := cvo.ObserveAPIServerTLSConfig(runContext, apiServerInformer.Lister())
+			if currentMinTLS == startMinTLS && slices.Equal(currentCiphers, startCiphers) {
+				return
+			}
+			klog.Infof("APIServer TLS configuration changed; requesting shutdown")
+			runCancel()
+		}
+
+		if _, err := apiServerInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+			AddFunc:    func(_ any) { handler() },
+			UpdateFunc: func(_, _ any) { handler() },
+			DeleteFunc: func(_ any) { handler() },
+		}); err != nil {
+			klog.Warningf("Failed to add watcher for APIServer TLS Config")
+		}
+	}
+
 	informersDone := postMainContext.Done()
 	// FIXME: would be nice if there was a way to collect these.
 	controllerCtx.ClusterVersionInformerFactory.Start(informersDone)
@@ -355,6 +382,12 @@ func (o *Options) run(ctx context.Context, controllerCtx *Context, lock resource
 				OnStartedLeading: func(_ context.Context) { // no need for this passed-through postMainContext, because goroutines we launch inside will use runContext
 					launchedMain = true
 					if o.MetricsOptions.ListenAddress != "" {
+						// observe cluster tls config, our metrics server should use it.
+						o.MetricsOptions.MinTLSVersion, o.MetricsOptions.CipherSuites = cvo.ObserveAPIServerTLSConfig(
+							runContext,
+							controllerCtx.ConfigInformerFactory.Config().V1().APIServers().Lister(),
+						)
+
 						resultChannelCount++
 						go func() {
 							defer utilruntime.HandleCrash()