OpenShift Kueue / OCPKUEUE-459

Create TLS helper package in operator

    • Type: Story
    • Resolution: Unresolved

      Implement a pkg/tls/ package with the TLS profile resolution logic, using library-go's crypto utilities for the version and cipher conversions.

      Implementation Approach: Direct Go Code with library-go Crypto Utilities

      {info}Why not library-go configobserver pattern?

      The TLS Compliance Guidance recommends two approaches:
      # library-go configobserver pattern - for operators using library-go's full configobserver stack
      # Direct Go code - for controller-runtime based operators

      Kueue Operator uses library-go selectively for infrastructure (controller/factory, events, resourceapply, v1helpers) but does NOT use the configobserver pattern. The operator has its own reconciliation pattern via TargetConfigReconciler and already watches config.openshift.io/apiservers via existing RBAC.

      Therefore, we use the Direct Go Application Code approach while leveraging library-go's crypto utilities (crypto.OpenSSLToIANACipherSuites, crypto.TLSVersionOrDie), which are already vendored at vendor/github.com/openshift/library-go/pkg/crypto/crypto.go.{info}

      Files to create:

      • pkg/tls/config.go
      • pkg/tls/config_test.go

      Key functions:

      // ResolveTLSProfile resolves the effective TLS profile
      // Priority: CRD override > APIServer cluster profile > Intermediate default
      func ResolveTLSProfile(operatorProfile, clusterProfile *configv1.TLSSecurityProfile) *configv1.TLSSecurityProfile
      
      // GetTLSConfig converts a TLS security profile to Go tls.Config settings
      // Uses library-go crypto utilities for cipher/version conversion
      func GetTLSConfig(profile *configv1.TLSSecurityProfile) *TLSConfig
      
      // TLSConfigForKueue returns TLS settings formatted for Kueue ConfigMap
      func TLSConfigForKueue(profile *configv1.TLSSecurityProfile) (minVersion string, ciphers []string)
      

      Library-go Crypto Utilities Used:

      import "github.com/openshift/library-go/pkg/crypto"
      
      // Convert the TLS version name ("VersionTLS12") to the crypto/tls uint16 constant.
      // The *OrDie variants panic on an unknown name: validate the profile first, or use
      // crypto.TLSVersion / crypto.CipherSuite, which return an error instead.
      minVersion := crypto.TLSVersionOrDie(string(spec.MinTLSVersion))
      
      // Convert OpenSSL cipher names (as written in the APIServer CRD) to IANA names.
      // Names the mapping does not know are dropped, not passed through, so the
      // result can be shorter than spec.Ciphers and must be checked for emptiness.
      ianaCiphers := crypto.OpenSSLToIANACipherSuites(spec.Ciphers)
      
      // Look up the cipher suite IDs for tls.Config.CipherSuites
      // (library-go exposes this as CipherSuitesOrDie; there is no CipherSuiteIDs)
      cipherSuites := crypto.CipherSuitesOrDie(ianaCiphers)
      
      

      Dependencies:

      • github.com/openshift/api/config/v1 - TLS profile types (configv1.TLSSecurityProfile, configv1.TLSProfiles)
      • github.com/openshift/library-go/pkg/crypto - Cipher conversion utilities (already vendored)

      Acceptance Criteria:

      • Package resolves TLS profiles correctly (CRD > APIServer > default)
      • Supports Old, Intermediate, Modern, and Custom profile types
      • Converts OpenSSL cipher names to IANA names using library-go
      • Explicitly sets all TLS settings (not relying on Go defaults)
      • Unit tests cover all resolution scenarios

      No upstream dependency - can start immediately
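The resolution and conversion logic sketched in the key functions above, as an added worked example; this is not code from the Kueue Operator or from library-go. To run offline it uses local stand-in types in place of configv1.TLSSecurityProfile and TLSProfileSpec, an abbreviated copy of the Intermediate and Modern profile tables (Old omitted), and a two-entry map standing in for crypto.OpenSSLToIANACipherSuites; the name-to-ID step goes through crypto/tls's own CipherSuites() table instead of crypto.CipherSuitesOrDie so that an unknown name is an error rather than a panic. The string format TLSConfigForKueue returns is an assumption. Beyond the sketch it covers three edge cases the acceptance criteria imply: a Custom profile without a spec does not shadow the cluster profile, TLS 1.3-only suites are left out of tls.Config.CipherSuites because Go cannot select them, and a sub-1.3 profile whose cipher list ends up empty is rejected instead of silently inheriting Go's default suite list.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Stand-ins for configv1.TLSSecurityProfile and TLSProfileSpec (assumed same shape; not imported).
type (
	TLSProfileType string
	TLSProfileSpec struct {
		Ciphers       []string // OpenSSL names, as written in the APIServer CRD
		MinTLSVersion string   // "VersionTLS10" .. "VersionTLS13"
	}
	TLSSecurityProfile struct {
		Type   TLSProfileType
		Custom *TLSProfileSpec
	}
)

const TLSProfileIntermediate, TLSProfileModern, TLSProfileCustom TLSProfileType = "Intermediate", "Modern", "Custom"

// Abbreviated stand-in for configv1.TLSProfiles (Old omitted, cipher lists shortened).
var profiles = map[TLSProfileType]TLSProfileSpec{
	TLSProfileIntermediate: {MinTLSVersion: "VersionTLS12", Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
		"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"}},
	TLSProfileModern: {MinTLSVersion: "VersionTLS13", Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}},
}

// Stand-in for crypto.OpenSSLToIANACipherSuites' table: unknown OpenSSL names are dropped, not passed on.
var opensslToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

var tlsVersions = map[string]uint16{"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}

// ResolveTLSProfile: CRD override > APIServer cluster profile > Intermediate default.
// nil, an empty Type, and Custom without a spec all count as "not set".
func ResolveTLSProfile(operatorProfile, clusterProfile *TLSSecurityProfile) *TLSSecurityProfile {
	for _, p := range []*TLSSecurityProfile{operatorProfile, clusterProfile} {
		if p != nil && p.Type != "" && (p.Type != TLSProfileCustom || p.Custom != nil) {
			return p
		}
	}
	return &TLSSecurityProfile{Type: TLSProfileIntermediate}
}

// TLSConfigForKueue validates the profile and returns the Go version name plus IANA
// cipher names for the Kueue ConfigMap (that string format is an assumption).
func TLSConfigForKueue(p *TLSSecurityProfile) (string, []string, error) {
	spec, ok := profiles[p.Type]
	if p.Type == TLSProfileCustom && p.Custom != nil {
		spec, ok = *p.Custom, true
	}
	if _, known := tlsVersions[spec.MinTLSVersion]; !ok || !known {
		return "", nil, fmt.Errorf("unusable TLS profile %+v", p)
	}
	var iana []string
	for _, n := range spec.Ciphers {
		if name, ok := opensslToIANA[n]; ok {
			iana = append(iana, name)
		} else if strings.HasPrefix(n, "TLS_") { // already an IANA name (TLS 1.3 suites)
			iana = append(iana, n)
		}
	}
	return spec.MinTLSVersion, iana, nil
}

// GetTLSConfig sets MinVersion and CipherSuites explicitly. IANA names resolve through the
// stdlib tables (what crypto.CipherSuitesOrDie does, minus the panic); TLS 1.3-only suites
// are skipped because Go does not let tls.Config select them.
func GetTLSConfig(p *TLSSecurityProfile) (*tls.Config, error) {
	minName, iana, err := TLSConfigForKueue(p)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{MinVersion: tlsVersions[minName]}
	byName := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs
	}
	for _, n := range iana {
		cs, ok := byName[n]
		if !ok {
			return nil, fmt.Errorf("cipher suite %q is not supported by Go", n)
		}
		if len(cs.SupportedVersions) != 1 || cs.SupportedVersions[0] != tls.VersionTLS13 {
			cfg.CipherSuites = append(cfg.CipherSuites, cs.ID)
		}
	}
	// Below TLS 1.3 an empty list would silently fall back to Go's defaults: refuse it.
	if len(cfg.CipherSuites) == 0 && cfg.MinVersion < tls.VersionTLS13 {
		return nil, fmt.Errorf("profile %q leaves no TLS 1.2 cipher suites enabled", p.Type)
	}
	return cfg, nil
}
```

To move this into pkg/tls/, swap the stand-in types for configv1.TLSSecurityProfile and configv1.TLSProfileSpec, the profiles map for configv1.TLSProfiles, and the opensslToIANA map for crypto.OpenSSLToIANACipherSuites; the error-returning shape of GetTLSConfig is worth keeping over the *OrDie helpers, since a bad Custom profile in the CRD should surface as a degraded condition, not a crashed operator.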

              Harshal Patil (harpatil@redhat.com)