OpenShift Pipelines / SRVKP-9628

[results-api] Centrally Managed TLS for API Endpoint


      Added support for explicit TLS configuration in support of centralized TLS management: it allows the Tekton Operator to propagate TLS configuration to all Tekton components, and it allows an administrator to set specific TLS configuration through the Results API config.
      The three new configuration options are:
      - TLS_MIN_VERSION - Minimum TLS protocol version.
      - TLS_CIPHER_SUITES - Comma-separated list of allowed cipher suites (IANA names or numeric IDs).
      - TLS_CURVE_PREFERENCES - Comma-separated list of elliptic curves for key exchange.
      When none of them is set, Go's default values are used.
      To prevent mixing settings from different sources that could result in incompatible TLS configurations (e.g., TLS 1.2 minimum version with TLS 1.3-only cipher suites), the API server uses an **all-or-nothing** approach:
      - **If ANY TLS environment variable is set** (`TLS_MIN_VERSION`, `TLS_CIPHER_SUITES`, or `TLS_CURVE_PREFERENCES`), the API server uses **only environment variables** for all TLS settings.
      - **If NO TLS environment variables are set**, the API server uses **only ConfigMap values** for all TLS settings.
      This ensures that TLS configuration comes entirely from one source, avoiding partial overrides that could create invalid combinations.
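The following Go program is an added example, not code from Tekton Results or the OpenShift Pipelines operator, of how an API server could implement the three options and the all-or-nothing rule above. The TLSSettings, SelectSource and BuildTLSConfig names are assumptions, as are the accepted spellings for TLS_MIN_VERSION ("1.2", "1.3", optionally prefixed "TLS") and the curve names (X25519, P-256, P-384, P-521); cipher suites may be given as IANA names or numeric IDs. How the real server reads its ConfigMap is not described on this page, so here the ConfigMap values are passed in as the same three strings, and the value used in main is constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// TLSSettings holds the three options as raw strings, whatever their source; "" means unset.
type TLSSettings struct{ MinVersion, CipherSuites, CurvePreferences string }

// SelectSource is the all-or-nothing rule: if any environment variable is set, every option
// comes from the environment and the ConfigMap is ignored entirely; else all come from the ConfigMap.
func SelectSource(env, configMap TLSSettings) (TLSSettings, string) {
	if env.MinVersion != "" || env.CipherSuites != "" || env.CurvePreferences != "" {
		return env, "env"
	}
	return configMap, "configmap"
}

// Accepted spellings for the version and curve names are assumptions of this example.
var (
	versionByName = map[string]uint16{"1.2": tls.VersionTLS12, "TLS1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13, "TLS1.3": tls.VersionTLS13}
	curveByName   = map[string]tls.CurveID{"X25519": tls.X25519, "P-256": tls.CurveP256, "P-384": tls.CurveP384, "P-521": tls.CurveP521}
)

// fields splits a comma-separated option into trimmed items; an unset option yields none.
func fields(s string) (out []string) {
	for _, item := range strings.Split(s, ",") {
		if item = strings.TrimSpace(item); item != "" {
			out = append(out, item)
		}
	}
	return out
}

// lookupSuite resolves an IANA name or numeric ID (decimal or 0x-prefixed) against every
// suite Go knows, so a typo is rejected at startup rather than silently dropped.
func lookupSuite(item string) *tls.CipherSuite {
	id, numErr := strconv.ParseUint(item, 0, 16)
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if (numErr == nil && uint16(id) == cs.ID) || strings.EqualFold(item, cs.Name) {
			return cs
		}
	}
	return nil
}

// BuildTLSConfig turns one settings source into a tls.Config; unset options keep Go's
// defaults. It rejects the combination the release note warns about, a TLS 1.2 minimum with
// TLS 1.3-only suites: Go ignores TLS 1.3 suites in CipherSuites, leaving a TLS 1.2 client nothing.
func BuildTLSConfig(s TLSSettings) (*tls.Config, error) {
	cfg := &tls.Config{}
	if s.MinVersion != "" {
		if cfg.MinVersion = versionByName[strings.ToUpper(strings.TrimSpace(s.MinVersion))]; cfg.MinVersion == 0 {
			return nil, fmt.Errorf("TLS_MIN_VERSION: unsupported value %q (want 1.2 or 1.3)", s.MinVersion)
		}
	}
	for _, item := range fields(s.CurvePreferences) {
		id, ok := curveByName[strings.ToUpper(item)]
		if !ok {
			return nil, fmt.Errorf("TLS_CURVE_PREFERENCES: unknown curve %q", item)
		}
		cfg.CurvePreferences = append(cfg.CurvePreferences, id)
	}
	effMin := cfg.MinVersion
	if effMin == 0 {
		effMin = tls.VersionTLS12 // Go's documented default minimum
	}
	servesPre13 := len(fields(s.CipherSuites)) == 0 // Go's default list serves TLS 1.2 clients
	for _, item := range fields(s.CipherSuites) {
		cs := lookupSuite(item)
		if cs == nil {
			return nil, fmt.Errorf("TLS_CIPHER_SUITES: unknown cipher suite %q", item)
		}
		cfg.CipherSuites = append(cfg.CipherSuites, cs.ID)
		for _, v := range cs.SupportedVersions {
			if v >= effMin && v <= tls.VersionTLS12 {
				servesPre13 = true
			}
		}
	}
	if effMin < tls.VersionTLS13 && !servesPre13 {
		return nil, fmt.Errorf("TLS_MIN_VERSION admits TLS 1.2 but TLS_CIPHER_SUITES lists only TLS 1.3 suites")
	}
	return cfg, nil
}

func main() {
	env := TLSSettings{os.Getenv("TLS_MIN_VERSION"), os.Getenv("TLS_CIPHER_SUITES"), os.Getenv("TLS_CURVE_PREFERENCES")}
	settings, source := SelectSource(env, TLSSettings{MinVersion: "1.3"}) // the ConfigMap value is constructed
	if cfg, err := BuildTLSConfig(settings); err != nil {
		fmt.Println("invalid TLS settings:", err)
	} else {
		fmt.Printf("%s: min=%#x suites=%v curves=%v\n", source, cfg.MinVersion, cfg.CipherSuites, cfg.CurvePreferences)
	}
}
```

Two design points: the winning source is chosen before any parsing, so a partially set environment never inherits the ConfigMap's remaining fields; and because Go's Config.CipherSuites governs only TLS 1.2 and below, BuildTLSConfig checks that at least one listed suite can serve the lowest accepted version, which turns the "TLS 1.2 minimum with TLS 1.3-only suites" mistake into a startup error instead of a handshake failure in production.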
    • Feature
    • Pipelines Sprint CrookShank 45, Pipelines Sprint CrookShank 46, Pipelines Sprint CrookShank 47, Pipelines Sprint CrookShank 48

      Story (Required)

      To support OpenShift’s Post-Quantum Cryptography (PQC) readiness initiative, the API endpoint must stop using locally configured TLS settings and instead inherit TLS settings from the centrally managed APIServer TLS Profile.

      This story requires refactoring the API endpoint so that:

      1. TLS version and cipher suites are dynamically inherited from the APIServer TLS Profile.
      2. The endpoint configuration aligns with OpenShift’s PQC readiness, supporting TLS 1.3+ for PQC-resilient algorithms.
      3. Configuration changes to the APIServer TLS Profile automatically propagate to the API endpoint without requiring code changes.

      Technical guide and examples: https://docs.google.com/document/d/1cMc9E8psHfnoK06ntR8kHSWB8d3rMtmldhnmM4nImjs/edit?tab=t.4cxmujrb3zyn#heading=h.kah5ngeaf35x

      Background (Required)

      <Describes the context or background related to this story>

      Out of scope

      <Defines what is not included in this story>

      Approach (Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      <Describe edge cases to consider when implementing the story and defining tests>

      <Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>

      Verification Steps

        • OpenShift Pipelines are deployed to the OpenShift cluster.
        • Common tests are validated to ensure they continue to function as expected, including unchanged webhook admission behavior.
        • The Modern TLS profile is validated by updating the API server configuration and observing system behavior after the change.
        • Network-level verification is performed using HPCASE’s tls-scanner to determine which TLS profile settings are accepted over the network (refer to Using tls-scanner for detailed instructions).

      Expected Results

        • Only TLS settings permitted by the selected profile are accepted.
        • Each component reflects and adheres to the configured TLS profile.
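As an added example, not part of this issue and not the tls-scanner tooling it refers to, the following Go program performs the version check the expected results describe, in process and offline: it gives a server configuration a throwaway self-signed certificate and runs handshakes over net.Pipe with clients capped at TLS 1.2 and at TLS 1.3, recording which the server accepts. The Probe and AcceptedVersions names, the certificate's common name and the two configurations tried in main are assumptions; verifying a deployed endpoint would instead dial the service address with the same capped client configurations.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate so the probe needs no cluster
// secrets; it is only ever presented over the in-memory pipe below.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "results-api.invalid"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Probe runs one handshake over net.Pipe between a server using serverCfg and a client
// that offers nothing above clientMax. It returns the negotiated version, or 0 when the
// server refused the client.
func Probe(serverCfg *tls.Config, cert tls.Certificate, clientMax uint16) uint16 {
	srvCfg := serverCfg.Clone()
	srvCfg.Certificates = []tls.Certificate{cert}
	srvCfg.SessionTicketsDisabled = true // keep each side to exact flights over the synchronous pipe
	cliCfg := &tls.Config{
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         clientMax,
		InsecureSkipVerify: true, // the question is "which versions are accepted", not "is the cert trusted"
	}
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	deadline := time.Now().Add(5 * time.Second) // a stuck handshake fails instead of hanging
	c.SetDeadline(deadline)
	s.SetDeadline(deadline)

	srv := tls.Server(s, srvCfg)
	srvDone := make(chan error, 1)
	go func() { srvDone <- srv.Handshake() }()
	cli := tls.Client(c, cliCfg)
	cliErr := cli.Handshake()
	<-srvDone // the server has either completed or sent its alert by now
	if cliErr != nil {
		return 0
	}
	return cli.ConnectionState().Version
}

// AcceptedVersions reports, for each version a client might offer, whether the server
// configuration lets the handshake complete: only settings the profile permits should.
func AcceptedVersions(serverCfg *tls.Config) (map[uint16]bool, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	accepted := map[uint16]bool{}
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		accepted[v] = Probe(serverCfg, cert, v) == v
	}
	return accepted, nil
}

func main() {
	for _, minVer := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		accepted, err := AcceptedVersions(&tls.Config{MinVersion: minVer})
		fmt.Printf("server MinVersion %#x: TLS1.2=%v TLS1.3=%v err=%v\n", minVer, accepted[tls.VersionTLS12], accepted[tls.VersionTLS13], err)
	}
}
```

The same Probe call, pointed at each component's resolved tls.Config, gives the per-component check the second expected result asks for; a component that still accepts a version the profile forbids shows up as an unexpected true in the map.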

      Reference

      INVEST Checklist

        • Dependencies identified
        • Blockers noted and expected delivery timelines set
        • Design is implementable
        • Acceptance criteria agreed upon
        • Story estimated

      Legend

        • Unknown
        • Verified
        • Unsatisfied

      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) is able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

      Emil Natan (enatan)
      abdeljawed khelil (jkhelil)