Task
Resolution: Unresolved
Major
ACM 2.17.0
None
This task tracks the TLS Profile consistency work for the Installer component as part of Epic ACM-26882.
Parent Epic: ACM-26882 - [ACM] Central TLS Profile consistency
Action Required:
Refactor the component to dynamically inherit its TLS settings from the designated global configuration source, rather than managing them locally.
Key Requirements:
- Ensure the component uses the correct TLS version and cipher suites for PQC readiness
- PQC-resilient algorithms will be available only in TLS 1.3+
- Obtain TLS configuration from one of the three central sources:
* API Server configuration (default for most components)
* Kubelet configuration (for components running on nodes)
* Ingress configuration (for components serving ingress traffic)
- Ensure the component pulls TLS configuration from the appropriate knob that customers can adjust
- Support custom TLS profiles (not just Old, Intermediate, Modern defaults)
This is a release blocker for OpenShift 4.22
Acceptance Criteria:
- [ ] All local or hardcoded TLS configurations (protocols, ciphers, curves) removed from codebase and deployment scripts
- [ ] Component successfully fetches and applies TLS policy from central configuration source
- [ ] Security re-scan using tls-scanner confirms endpoint compliance with global TLS policy
- [ ] Service remains stable, functional, and accessible after changes
- [ ] Component explicitly respects all TLS profile settings (does not rely on Go defaults)
- [ ] Functional testing confirms component accepts only permitted TLS profile settings (including custom TLS profiles)
- [ ] Component is PQC-ready by properly adhering to all aspects of the configured TLS profile
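One way to meet the "does not rely on Go defaults" and custom-profile criteria, as an added Go example that is not the Installer's code: it maps a profile to a crypto/tls config and fails closed on anything it cannot map. The Profile struct, the two-entry OpenSSL-to-IANA table and the sample values are assumptions; a real component would read the profile from its central source (for example the API Server configuration).

```go
package main

import (
	"crypto/tls"
	"fmt"
)
// Profile is a hypothetical, simplified view of a centrally managed TLS profile.
type Profile struct {
	MinTLSVersion string   // e.g. "VersionTLS12"
	Ciphers       []string // OpenSSL-style or IANA names
}
var versions = map[string]uint16{"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}
// OpenSSL names mapped to the IANA names Go uses (subset, for illustration).
var opensslToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
// ConfigFromProfile fails closed on anything it cannot map, never falling back to Go defaults.
func ConfigFromProfile(p Profile) (*tls.Config, error) {
	minVer, ok := versions[p.MinTLSVersion]
	if !ok {
		return nil, fmt.Errorf("unsupported minTLSVersion %q", p.MinTLSVersion)
	}
	byName := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs
	}
	cfg := &tls.Config{MinVersion: minVer}
	for _, name := range p.Ciphers {
		if iana, ok := opensslToIANA[name]; ok {
			name = iana
		}
		cs, ok := byName[name]
		if !ok {
			return nil, fmt.Errorf("cipher %q unknown or insecure in crypto/tls", name)
		}
		// crypto/tls ignores CipherSuites for TLS 1.3, so only pre-1.3 IDs are set.
		if cs.SupportedVersions[0] != tls.VersionTLS13 {
			cfg.CipherSuites = append(cfg.CipherSuites, cs.ID)
		}
	}
	if minVer < tls.VersionTLS13 && len(cfg.CipherSuites) == 0 {
		return nil, fmt.Errorf("profile permits TLS 1.2 but lists no usable cipher")
	}
	return cfg, nil
}
func main() {
	cfg, err := ConfigFromProfile(Profile{"VersionTLS12", []string{"ECDHE-RSA-AES128-GCM-SHA256"}}) // constructed sample
	fmt.Println(cfg.CipherSuites, err)
}
```

Because Go does not let a server restrict the TLS 1.3 suite list, a profile's TLS 1.3 cipher entries can be validated here but not enforced through this field.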
Resources:
- [Technical Guide|https://docs.google.com/document/d/1cMc9E8psHfnoK06ntR8kHSWB8d3rMtmldhnmM4nImjs/edit?tab=t.0#heading=h.ip4ox6ogxnl1]
- [FAQ|https://docs.google.com/document/d/11t7Q4teUQaHPCgtFoMwVsVrdYcvAW08Vrm5kHh8dYGM/edit?tab=t.0#heading=h.s53z59b1pltc]
- [Slack: #forum-ocp-tls-strict-obedience|https://redhat.enterprise.slack.com/archives/C098FU5MRAB]
Need Help?
Contact: [~jjung@redhat.com], [~mpatel1@redhat.com], [~lbragsta@redhat.com], [~rh-ee-shsmith], or [~rh-ee-nirichar]
Generated by Claude Code for Epic ACM-26882