Red Hat OpenShift Control Planes: CNTRLPLANE-2471

[rodoo] Central TLS Profile consistency


Sprint: Workloads Sprint 282

Injecting centralized TLS configuration from the cluster APIServer into scheduler pods is critical for maintaining a consistent security posture across the entire OpenShift cluster. When administrators configure TLS security profiles at the cluster level (via the APIServer resource), these settings must be propagated to all control plane components, including the kube-scheduler and secondary schedulers, to ensure uniform enforcement of cryptographic standards. Without this propagation, schedulers could operate with weaker or inconsistent TLS settings compared to the rest of the cluster, creating security gaps where attackers could exploit older cipher suites or TLS protocol versions that have been intentionally disabled cluster-wide. The config observer pattern lets the operator automatically observe changes to the cluster TLS policy and inject the appropriate --tls-cipher-suites and --tls-min-version arguments into scheduler containers. Security policy is then centrally managed, consistently applied, and automatically updated across all scheduler instances without manual intervention or separate per-component configuration.

Acceptance criteria:

• the operator reads the APIServer configuration and injects --tls-cipher-suites and --tls-min-version arguments into the pod manifest, reusing library-go code
• the injection is tested
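As an added illustration (not code from this issue, the scheduler operator, or library-go), the core of the observer logic described above: resolve the observed APIServer TLS profile to the two kube-scheduler flags, falling back to Intermediate when no profile is set, and refusing to emit a cipher flag that would leave the scheduler with no usable suite. The profile tables and the OpenSSL-to-IANA name map are constructed subsets of the real ones; the TLSProfile type is a flattened stand-in for spec.tlsSecurityProfile.

```go
package main

import (
	"errors"
	"strings"
)

// Constructed subset of the real tables (TLSProfiles in openshift/api, OpenSSL-to-IANA map in library-go/pkg/crypto).
var profileMinVersion = map[string]string{"Intermediate": "VersionTLS12", "Modern": "VersionTLS13"}
var profileCiphers = map[string][]string{
	"Intermediate": {"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"},
	"Modern":       {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"},
}
var opensslToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_AES_128_GCM_SHA256":        "TLS_AES_128_GCM_SHA256",
	"TLS_AES_256_GCM_SHA384":        "TLS_AES_256_GCM_SHA384",
}
// TLSProfile is a flattened stand-in for APIServer spec.tlsSecurityProfile (Custom fields inline).
type TLSProfile struct {
	Type          string
	MinTLSVersion string   // used only when Type is "Custom"
	Ciphers       []string // used only when Type is "Custom"
}
// SchedulerTLSArgs resolves the observed profile to the two kube-scheduler flags;
// an unset profile falls back to Intermediate, matching the cluster-wide default.
func SchedulerTLSArgs(p *TLSProfile) ([]string, error) {
	minVersion, ciphers := profileMinVersion["Intermediate"], profileCiphers["Intermediate"]
	switch {
	case p == nil || p.Type == "":
	case p.Type == "Custom":
		minVersion, ciphers = p.MinTLSVersion, p.Ciphers
	default:
		ciphers = profileCiphers[p.Type]
		if minVersion = profileMinVersion[p.Type]; minVersion == "" {
			return nil, errors.New("unknown TLS profile type " + p.Type)
		}
	}
	var iana []string // unknown OpenSSL names are dropped rather than passed through unchanged
	for _, c := range ciphers {
		if name, ok := opensslToIANA[c]; ok {
			iana = append(iana, name)
		}
	}
	if len(iana) == 0 { // never emit a flag that leaves the scheduler with no usable suite
		return nil, errors.New("TLS profile yields no recognised cipher suites")
	}
	return []string{"--tls-min-version=" + minVersion, "--tls-cipher-suites=" + strings.Join(iana, ",")}, nil
}
```

In a real observer the returned arguments are written into the observed config under the scheduler's argument key, and the test for the acceptance criterion would drive this function with each profile type.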

              jchaloup@redhat.com Jan Chaloupka