Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Labels:
- blocked
- operator
- tls

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
[Kueue Operator] Central TLS Profile consistency
Story Points:
None

Target Version:
None
Release Blocker:
None
Sprint:
None

Summary

Update the TLS security profile implementation to support curve preferences once openshift/api#2583 is merged.

{warning}Blocked: This story is blocked until openshift/api#2583 is merged and the vendored openshift/api is updated to include curve preferences in TLSSecurityProfile.{warning}

Background

OpenShift TLS profiles currently specify:

TLS protocol versions (e.g., TLS 1.2, TLS 1.3)
Cipher suites (e.g., ECDHE-RSA-AES128-GCM-SHA256)

Once openshift/api#2583 merges, TLS profiles will also include:

Curve preferences (e.g., X25519, P-256, P-384)

This is important for PQC (Post-Quantum Cryptography) readiness, as PQC-resilient key exchange algorithms will use specific curves.

{info}Note: The upstream Kueue KEP (OCPKUEUE-450) includes curve preferences in its design. This story is only for the operator to read curves from the OpenShift APIServer and pass them to the operand.{info}

Implementation Steps

Once openshift/api#2583 is merged:

Update go.mod to pull latest openshift/api with curve support
Update pkg/tls/config.go to extract curve preferences from profile
Update ConfigMap generation to include curvePreferences
Add unit tests for curve preferences handling
Add E2E tests to verify curve preferences are applied

Files to Modify

go.mod - Update openshift/api version
pkg/tls/config.go - Add curve handling to GetTLSConfig
pkg/tls/config_test.go - Add curve tests
pkg/operator/target_config_reconciler.go - Include curves in ConfigMap

Code Changes

// In pkg/tls/config.go
type TLSConfig struct {
    MinTLSVersion    uint16
    CipherSuites     []uint16
    CurvePreferences []tls.CurveID  // Add this
}

func GetTLSConfig(profile *configv1.TLSSecurityProfile) *TLSConfig {
    // ... existing code ...
    
    // Add once openshift/api#2583 merges:
    // curvePreferences := crypto.CurvesToIDs(spec.Curves)
    
    return &TLSConfig{
        MinTLSVersion:    minVersion,
        CipherSuites:     cipherSuites,
        CurvePreferences: curvePreferences,
    }
}

Acceptance Criteria

[ ] openshift/api#2583 is merged (blocker)
[ ] go.mod updated with new openshift/api version
[ ] TLS helper extracts curve preferences from profile
[ ] ConfigMap includes curvePreferences for operand
[ ] Default curves used when profile has no curve preferences
[ ] Unit tests for curve preferences
[ ] E2E tests verify curve configuration

References

openshift/api#2583 - Add TLS curve preferences to OpenShift API
OCPNODE-3970 - Similar story for DAS Operator
Go tls.Config.CurvePreferences
OCPKUEUE-450 - Upstream KEP includes curves in design

Assignee:: Harshal Patil

Reporter:: Harshal Patil

Contributors:: None

QA Contact:: None

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/12/11 3:44 PM

Updated:: 2025/12/11 3:44 PM

Details

Description

Summary

Background

Implementation Steps

Files to Modify

Code Changes

Acceptance Criteria

References

Attachments

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty