Story
Resolution: Unresolved
Watch config.openshift.io/apiservers singleton for TLS profile changes and trigger reconciliation.
Files to modify:
- pkg/operator/starter.go - Add config client and informer factory
- pkg/operator/target_config_reconciler.go - Add APIServer lister and watch handler
Implementation:
```go
// In starter.go
configClient, err := configclient.NewForConfig(cc.KubeConfig)
if err != nil {
	return err // assumes the enclosing function returns an error
}
configInformers := configinformers.NewSharedInformerFactory(configClient, 10*time.Minute)
// Calling Informer() registers the APIServers informer with the factory before Start.
configInformers.Config().V1().APIServers().Informer()
configInformers.Start(ctx.Done())

// In target_config_reconciler.go
// errors here is k8s.io/apimachinery/pkg/api/errors.
func (c *TargetConfigReconciler) getClusterTLSProfile(ctx context.Context) (*configv1.TLSSecurityProfile, error) {
	// "cluster" is the name of the APIServer singleton.
	apiServer, err := c.apiServerLister.Get("cluster")
	if err != nil {
		if errors.IsNotFound(err) {
			return nil, nil // Use default
		}
		return nil, err
	}
	return apiServer.Spec.TLSSecurityProfile, nil
}
```
Note: RBAC for config.openshift.io/apiservers already exists (get, watch, list) in manageOpenshiftClusterRolesForKueue.
Acceptance Criteria:
- Operator watches APIServer singleton for changes
- TLS profile changes trigger reconciliation
- Reconciler can fetch current cluster TLS profile
No upstream dependency - can start immediately
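An added example, not code from this ticket or the operator: one way the reconciler could turn the result of getClusterTLSProfile into a crypto/tls minimum version, including the nil "use default" case. The struct types are simplified local stand-ins for the configv1 types so the example builds without the openshift/api module; treating nil as the Intermediate profile and rejecting a malformed Custom profile are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Simplified stand-ins for the configv1 types (assumption: only the fields used here).
type TLSProfileSpec struct {
	Ciphers       []string
	MinTLSVersion string
}

type TLSSecurityProfile struct {
	Type   string          // "Old", "Intermediate", "Modern" or "Custom"
	Custom *TLSProfileSpec // only read when Type == "Custom"
}

var versions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// EffectiveMinVersion resolves a profile to a crypto/tls version constant.
// nil (no profile set, or APIServer not found) is treated as Intermediate.
func EffectiveMinVersion(p *TLSSecurityProfile) (uint16, error) {
	if p == nil || p.Type == "Intermediate" {
		return tls.VersionTLS12, nil
	}
	switch p.Type {
	case "Old":
		return tls.VersionTLS10, nil
	case "Modern":
		return tls.VersionTLS13, nil
	case "Custom":
		// Return an error rather than 0, which crypto/tls reads as "library default".
		if p.Custom == nil {
			return 0, fmt.Errorf("custom TLS profile has no spec")
		}
		v, ok := versions[p.Custom.MinTLSVersion]
		if !ok {
			return 0, fmt.Errorf("unknown minTLSVersion %q", p.Custom.MinTLSVersion)
		}
		return v, nil
	}
	return 0, fmt.Errorf("unknown TLS profile type %q", p.Type)
}

func main() {
	v, err := EffectiveMinVersion(nil)
	fmt.Printf("%#04x %v\n", v, err)
}
```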