Cluster Observability Operator
COO-1554

Apply cluster TLS profile configuration to logging UIPlugin components


    • Type: Task
    • Resolution: Unresolved
    • Priority: Normal
    • 1.5.0 RC
    • Sprint 287

      Context

      To let cluster admins manage TLS settings for every cluster component in one place (the cluster-wide tlsSecurityProfile), each component has to be able to consume that cluster configuration.

      Outcome

      UIPlugins should be able to receive TLS configuration from COO, in the same way the monitoring plugin does after these PRs:

      Context

       PR #580 - Additional TLS Configuration
        - Purpose: Adds enhanced TLS configuration capabilities to the monitoring plugin backend
        - Features: Introduces 4 new configurable TLS options:
          - tls-min-version: Minimum TLS protocol version
          - tls-max-version: Maximum TLS protocol version
          - tls-cipher-suites: Allowed cipher suites for encryption
          - tls-curves: Elliptic curves for key exchange
        - Configuration: Can be set via environment variables or CLI flags

        PR #660 - TLS Configuration Bug Fix
        - Purpose: Fixes a bug where TLS max version was always defaulted to 1.2
        - Problem: This caused conflicts with OpenShift's "modern" TLS profile (which requires TLS 1.3 minimum)
        - Solution: Only sets TLS max version when explicitly configured, allowing cluster-level TLS profiles to work properly
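The following is an added example, not code from the monitoring-plugin or COO repositories, of how the four options from PR #580 can be turned into a Go crypto/tls configuration while keeping the PR #660 behaviour: the maximum version is set only when explicitly requested, and the min > max check that would otherwise fail against a Modern profile is run both at flag parsing and when the cluster profile is applied. The names TLSFlags, BuildTLSConfig and ApplyClusterProfile, the accepted spellings of the version strings ("1.2" and "VersionTLS12"), and the mapping from the Old/Intermediate/Modern profile types to their minimum versions are assumptions for illustration; the real plugin-backend flag parsing may differ.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// TLSFlags carries the four options as they would arrive from the CLI flags or
// environment variables added by PR #580 (hypothetical struct). "" means "not set".
type TLSFlags struct {
	MinVersion   string // --tls-min-version, e.g. "1.2" or "VersionTLS12"
	MaxVersion   string // --tls-max-version; leave empty unless a ceiling is really wanted
	CipherSuites string // --tls-cipher-suites, comma-separated IANA names
	Curves       string // --tls-curves, comma-separated: P-256, P-384, P-521, X25519
}

var versionIDs = map[string]uint16{
	"1.0": tls.VersionTLS10, "VersionTLS10": tls.VersionTLS10, "1.1": tls.VersionTLS11, "VersionTLS11": tls.VersionTLS11,
	"1.2": tls.VersionTLS12, "VersionTLS12": tls.VersionTLS12, "1.3": tls.VersionTLS13, "VersionTLS13": tls.VersionTLS13,
}
var versionNames = map[uint16]string{tls.VersionTLS10: "1.0", tls.VersionTLS11: "1.1", tls.VersionTLS12: "1.2", tls.VersionTLS13: "1.3"}
var curveIDs = map[string]tls.CurveID{"P-256": tls.CurveP256, "P-384": tls.CurveP384, "P-521": tls.CurveP521, "X25519": tls.X25519}

// Minimum version implied by each predefined OpenShift tlsSecurityProfile type
// (assumed here from the documented profiles; Custom carries its own minTLSVersion).
var profileMinVersion = map[string]string{"Old": "VersionTLS10", "Intermediate": "VersionTLS12", "Modern": "VersionTLS13"}

func parseVersion(option, v string) (uint16, error) {
	if id, ok := versionIDs[v]; ok {
		return id, nil
	}
	return 0, fmt.Errorf("%s: unsupported TLS version %q", option, v)
}

// checkVersionRange is the validation whose failure produced the crash loop
// described for PR #660. With MaxVersion left at 0 it can never trigger.
func checkVersionRange(cfg *tls.Config) error {
	if cfg.MaxVersion != 0 && cfg.MinVersion > cfg.MaxVersion {
		return fmt.Errorf("invalid TLS configuration: minimum version (%s) > maximum version (%s)",
			versionNames[cfg.MinVersion], versionNames[cfg.MaxVersion])
	}
	return nil
}

// BuildTLSConfig turns the flags into a tls.Config. MaxVersion is set only when
// explicitly requested (the PR #660 behaviour); otherwise crypto/tls applies its
// own ceiling, so a cluster minimum of 1.3 applied later has nothing to collide with.
func BuildTLSConfig(f TLSFlags) (*tls.Config, error) {
	cfg := &tls.Config{}
	var err error
	if f.MinVersion != "" {
		if cfg.MinVersion, err = parseVersion("tls-min-version", f.MinVersion); err != nil {
			return nil, err
		}
	}
	if f.MaxVersion != "" {
		if cfg.MaxVersion, err = parseVersion("tls-max-version", f.MaxVersion); err != nil {
			return nil, err
		}
	}
	if err := checkVersionRange(cfg); err != nil {
		return nil, err
	}
	if f.CipherSuites != "" {
		// Accept only suites crypto/tls rates secure; names from tls.InsecureCipherSuites()
		// are rejected. TLS 1.3 names are accepted, but crypto/tls ignores the list when
		// negotiating TLS 1.3, so in practice it constrains TLS 1.2 handshakes only.
		known := map[string]uint16{}
		for _, s := range tls.CipherSuites() {
			known[s.Name] = s.ID
		}
		for _, name := range strings.Split(f.CipherSuites, ",") {
			id, ok := known[strings.TrimSpace(name)]
			if !ok {
				return nil, fmt.Errorf("tls-cipher-suites: unknown or insecure suite %q", name)
			}
			cfg.CipherSuites = append(cfg.CipherSuites, id)
		}
	}
	for _, name := range strings.Split(f.Curves, ",") {
		if name = strings.TrimSpace(name); name == "" {
			continue
		}
		id, ok := curveIDs[name]
		if !ok {
			return nil, fmt.Errorf("tls-curves: unknown curve %q", name)
		}
		cfg.CurvePreferences = append(cfg.CurvePreferences, id)
	}
	return cfg, nil
}

// ApplyClusterProfile raises cfg.MinVersion to what the cluster profile demands
// (profileType is tlsSecurityProfile.type, customMin is custom.tls.minTLSVersion)
// and re-runs the range check: a hard-coded max of 1.2 fails against Modern here,
// an unset max simply adopts 1.3.
func ApplyClusterProfile(cfg *tls.Config, profileType, customMin string) error {
	want := profileMinVersion[profileType]
	if profileType == "Custom" {
		want = customMin
	}
	v, err := parseVersion("tlsSecurityProfile("+profileType+")", want)
	if err != nil {
		return err
	}
	if v > cfg.MinVersion {
		cfg.MinVersion = v
	}
	return checkVersionRange(cfg)
}

func main() {
	before, _ := BuildTLSConfig(TLSFlags{MinVersion: "1.2", MaxVersion: "1.2"}) // the old hard-coded ceiling
	fmt.Println("before fix, Modern profile:", ApplyClusterProfile(before, "Modern", ""))
	after, _ := BuildTLSConfig(TLSFlags{MinVersion: "1.2"}) // ceiling left unset
	fmt.Println("after fix, Modern profile:", ApplyClusterProfile(after, "Modern", ""), "-> min is now", versionNames[after.MinVersion])
}
```

Running it prints the min > max error for the pre-fix configuration and a nil error with a raised minimum of 1.3 for the fixed one; the same helper is what a UIPlugin backend could call once COO hands it the cluster profile.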

      Steps 

      • [ <1 pt ] Set up logging environment
      • [ <1 pt ] Port the changes from the monitoring-plugin PRs so that TLS can be configured
      • [ 1-2 pt ] Testing + addressing comments
        • Test 1: New configurations can be consumed (test local + deploy)
          • Running the command below should start the backend with no errors
          • ./plugin-backend \
                --tls-min-version=1.2 \
                --tls-max-version=1.3 \
                --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384 \
                --tls-curves=P-256,P-384
        • Test 2: Test configured TLS version (test local + deploy)
          • Should succeed
            • openssl s_client -connect localhost:9443 -tls1_2
            • openssl s_client -connect localhost:9443 -tls1_3
          • Should fail
            • openssl s_client -connect localhost:9443 -tls1_1
          • Caveat: an OpenSSL 3 client refuses to speak TLS 1.1 at its default security level, so the command above fails before the server is involved. To prove the server rejects it, let the client offer TLS 1.1 with `openssl s_client -connect localhost:9443 -tls1_1 -cipher 'DEFAULT:@SECLEVEL=0'` and check that the failure is a protocol_version alert coming back from the server.
        • Test 3: Test TLS ciphers (test local + deploy)
          • Should succeed: `openssl s_client -connect localhost:9443 -ciphersuites 'TLS_AES_256_GCM_SHA384'` OR `openssl s_client -connect localhost:9443 -ciphersuites 'TLS_AES_128_GCM_SHA256'`
          • Should fail: `openssl s_client -connect localhost:9443 -ciphersuites 'TLS_CHACHA20_POLY1305_SHA256'`
          • Caveat: -ciphersuites sets the TLS 1.3 suite list. If the backend is built on Go's crypto/tls, tls-cipher-suites cannot restrict TLS 1.3 suites (the library does not support that), so the "should fail" command will in fact succeed; in that case run the negative check over TLS 1.2 with a TLS 1.2 suite outside the configured list, e.g. `openssl s_client -connect localhost:9443 -tls1_2 -cipher 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'`.
        • Test 4: Test TLS curves (test local + deploy)
          • Should succeed: `openssl s_client -connect localhost:9443 -curves P-256 -brief`
          • Should fail: `openssl s_client -connect localhost:9443 -curves P-521 -brief`
        • Test 5: No TLS max unless specified by config (test deploy only! needs an OpenShift cluster to exercise the cluster-level TLS policy)
          • See details below
        • Test 6: UI testing (test local + deploy)
          • Go to the OpenShift Console UI
          • Check that the plugins can fetch (with TLS) and load data properly
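As an added example, not part of this issue or of the plugin's code, the checks in Tests 2-4 can also be run in-process against a throw-away loopback listener that carries the configured policy, which gives a unit test that needs no deployed backend. It assumes the backend is built on Go's crypto/tls; ServerPolicy, NewTestCert, Probe and RunChecks are names invented here, and the server policy (min 1.2, no max, one TLS 1.2 suite, curves P-256 and P-384) is written by hand rather than parsed from the flags.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerPolicy is the backend policy under test, set the way the four flags
// would set it: min 1.2, max left unset (PR #660), one TLS 1.2 suite, two curves.
func ServerPolicy(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS12, // MaxVersion stays 0: no 1.2 ceiling
		CipherSuites:     []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384},
	}
}

// NewTestCert mints an ephemeral self-signed ECDSA certificate for 127.0.0.1 and
// the pool that trusts it, so the probing client verifies instead of skipping it.
func NewTestCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Probe runs one handshake against a throw-away loopback listener serving srv:
// the in-process counterpart of `openssl s_client -connect localhost:9443 ...`.
func Probe(srv, cli *tls.Config) (tls.ConnectionState, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // server-side failures reach the client as alerts
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli) // ServerName defaults to 127.0.0.1
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), nil
}

// RunChecks reproduces Tests 2-4 and reports, per check, whether the outcome
// matched the expectation in the test plan.
func RunChecks() (map[string]bool, error) {
	cert, pool, err := NewTestCert()
	if err != nil {
		return nil, err
	}
	srv := ServerPolicy(cert)
	client := func(edit func(*tls.Config)) *tls.Config {
		c := &tls.Config{RootCAs: pool}
		edit(c)
		return c
	}
	res := map[string]bool{}
	// Test 2: below the configured minimum is refused; 1.2 and 1.3 both work since no maximum is pinned.
	_, err = Probe(srv, client(func(c *tls.Config) { c.MinVersion, c.MaxVersion = tls.VersionTLS11, tls.VersionTLS11 }))
	res["tls1.1 refused"] = err != nil
	st, err := Probe(srv, client(func(c *tls.Config) { c.MaxVersion = tls.VersionTLS12 }))
	res["tls1.2 accepted"] = err == nil && st.Version == tls.VersionTLS12
	st, err = Probe(srv, client(func(c *tls.Config) { c.MinVersion = tls.VersionTLS13 }))
	res["tls1.3 accepted"] = err == nil && st.Version == tls.VersionTLS13
	// Test 3: over TLS 1.2 only the listed suite is negotiable. The TLS 1.3 probe
	// above succeeded although no TLS 1.3 suite is in the server list: crypto/tls
	// does not let a server restrict TLS 1.3 suites, so for a Go backend the
	// "should fail" cipher check only means something over TLS 1.2.
	_, err = Probe(srv, client(func(c *tls.Config) {
		c.MaxVersion = tls.VersionTLS12
		c.CipherSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256}
	}))
	res["tls1.2 chacha20 refused"] = err != nil
	// Test 4: a client that offers only P-521 cannot agree on a group; P-384 can.
	_, err = Probe(srv, client(func(c *tls.Config) { c.CurvePreferences = []tls.CurveID{tls.CurveP521} }))
	res["P-521 refused"] = err != nil
	_, err = Probe(srv, client(func(c *tls.Config) { c.CurvePreferences = []tls.CurveID{tls.CurveP384} }))
	res["P-384 accepted"] = err == nil
	return res, nil
}

func main() {
	res, err := RunChecks()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-24s %v\n", name, ok)
	}
}
```

Every entry should come back true. The TLS 1.3 probe passing with no TLS 1.3 suite configured is the point behind the Test 3 caveat: on a Go backend the cipher list is enforced on the wire only for TLS 1.2, which is why the negative cipher check has to be run over TLS 1.2.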

      Example scripts for testing 

      https://github.com/zhuje/monitoring-plugin/pull/new/monitoring-tls-config-script-examples

      Test 5: No TLS max unless specified by config

      The following are instructions for testing on the monitoring plugin; adjust the instructions for the UI plugin for this issue.  

      PR #660 Testing Summary - TLS Configuration Bug Fix

      Verifying that the plugin no longer conflicts with OpenShift's cluster-level TLS policies, specifically the "modern" TLS profile that requires TLS 1.3 minimum.

        Prerequisites

        1. OpenShift cluster with admin access
        2. oc CLI tool configured
        3. Monitoring plugin with PR #660 changes deployed

        —
        Step-by-Step Testing for PR #660

        Step 1: Baseline Test - Default TLS Profile

        # Check current TLS profile
        oc get apiservers.config.openshift.io cluster -o jsonpath='{.spec.tlsSecurityProfile}'

        # Check plugin pods are running normally
        oc get pods -n openshift-monitoring -l app=console-plugin-monitoring

        Step 2: Apply Modern TLS Profile (The Critical Test)

        # Set cluster to modern TLS profile (requires TLS 1.3 minimum)
        oc patch apiservers.config.openshift.io cluster --type=merge -p='{"spec":{"tlsSecurityProfile":{"type":"Modern"}}}'

        Step 3: Monitor Plugin Behavior (Key Success Indicator)

        # Watch plugin pods roll out - they should NOT fail
        oc get pods -n openshift-monitoring -l app=console-plugin-monitoring -w

        # Expected: Pods should restart successfully, not crash loop

        Step 4: Verify No TLS Configuration Conflicts

        # Check for TLS-related errors in plugin logs
        oc logs -n openshift-monitoring -l app=console-plugin-monitoring --tail=100 | grep -i tls

        # Check for configuration conflict events
        oc get events -n openshift-monitoring | grep -i tls

        # Expected: No "invalid TLS configuration" or "min > max" errors

        Step 5: Verify TLS 1.3 is Actually Used

        # Get plugin service IP
        PLUGIN_SERVICE=$(oc get svc -n openshift-monitoring console-plugin-monitoring -o jsonpath='{.spec.clusterIP}')

        # Test TLS 1.3 connection from within cluster
        oc run tls-test --image=registry.access.redhat.com/ubi8/ubi --rm -it --restart=Never -- \
          openssl s_client -connect ${PLUGIN_SERVICE}:9443 -tls1_3 -brief

        # Expected: TLS 1.3 connection succeeds

        Step 6: Verify Plugin Functionality

        # Test that monitoring console still works
        oc get routes -n openshift-console

        # Access OpenShift console → Observe → Dashboards
        # Expected: Monitoring features work normally

        Step 7: Test Rollback (Optional)

        # Revert to default TLS profile
        oc patch apiservers.config.openshift.io cluster --type=merge -p='{"spec":{"tlsSecurityProfile":null}}'

        # Verify plugin continues working
        oc get pods -n openshift-monitoring -l app=console-plugin-monitoring

        —
        Success vs Failure Indicators

        ✅ PR #660 Fix Working (Success)

        # After applying modern TLS profile:
        oc get pods -n openshift-monitoring -l app=console-plugin-monitoring
        # Should show: Running pods, no CrashLoopBackOff

        oc logs -n openshift-monitoring -l app=console-plugin-monitoring | grep -i tls
        # Should show: Normal TLS startup, no configuration errors

        oc get events -n openshift-monitoring | grep -i tls
        # Should show: No error events

        ❌ PR #660 Bug Still Present (Failure)

        # After applying modern TLS profile:
        oc get pods -n openshift-monitoring -l app=console-plugin-monitoring
        # Would show: CrashLoopBackOff or Error state

        oc logs -n openshift-monitoring -l app=console-plugin-monitoring
        # Would show: "Invalid TLS configuration: minimum version (1.3) > maximum version (1.2)"

        oc get events -n openshift-monitoring | grep -i tls
        # Would show: TLS configuration error events

        —
        Key Test Cases

        Test Case 1: Modern Profile Compatibility

        # Modern profile = TLS 1.3 minimum
        # Before fix: Plugin hardcoded max = 1.2 → CONFLICT
        # After fix: Plugin max = unset → NO CONFLICT

        oc patch apiservers.config.openshift.io cluster --type=merge -p='{"spec":{"tlsSecurityProfile":{"type":"Modern"}}}'
        # Expected: Plugin pods restart successfully

        Test Case 2: Intermediate Profile Compatibility

        # Test with intermediate profile too
        oc patch apiservers.config.openshift.io cluster --type=merge -p='{"spec":{"tlsSecurityProfile":{"type":"Intermediate"}}}'
        # Expected: Plugin continues working

        Test Case 3: Custom TLS Profile

        # Test with custom profile
        oc patch apiservers.config.openshift.io cluster --type=merge -p='{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"tls":{"minTLSVersion":"VersionTLS13"}}}}}'
        # Expected: Plugin respects custom settings

              jezhu@redhat.com Jenny Zhu
              spasquie@redhat.com Simon Pasquier