Uploaded image for project: 'OpenShift Pipelines'
  1. OpenShift Pipelines
  2. SRVKP-9629

[hub-api]Centrally Managed TLS for API Endpoint

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Major Major
    • Pipelines 1.22.0
    • None
    • Tekton Hub
    • None

      Story (Required)

      To support OpenShift’s Post-Quantum Cryptography (PQC) readiness initiative, the api endpoint must stop using locally configured TLS settings and instead inherit TLS settings from the centrally managed APIServer TLS Profile.

      This story requires refactoring the api endpoint so that:

      1. TLS version and cipher suites are dynamically inherited from the APIServer TLS Profile.
      1. The endpoint configuration aligns with OpenShift’s PQC readiness, supporting TLS 1.3+ for PQC-resilient algorithms.
      1. Configuration changes to the APIServer TLS Profile automatically propagate to the api endpoint without requiring code changes.

      Technical guide and Examples:https://docs.google.com/document/d/1cMc9E8psHfnoK06ntR8kHSWB8d3rMtmldhnmM4nImjs/edit?tab=t.4cxmujrb3zyn#heading=h.kah5ngeaf35x

      Background (Required)

      <Describes the context or background related to this story>

      Out of scope

      <Defines what is not included in this story>

      Approach (Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      <Describe edge cases to consider when implementing the story and defining tests>

      <Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>

      Verification Steps

        • OpenShift Pipelines are deployed to the PEnshift cluster.
        • Common tests are validated to ensure they continue to function as expected, including unchanged webhook admission behavior.
        • The Modern TLS profile is validated by updating the API server configuration and observing system behavior after the change.
        • Network-level verification is performed using HPCASE’s tls-scanner to determine which TLS profile settings are accepted over the network (refer to Using tls-scanner for detailed instructions).

      Expected Results

        • Only TLS settings permitted by the selected profile are accepted.
        • Each component reflects and adheres to the configured TLS profile.

      Reference

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated

      Legend

      Unknown

      Verified

      Unsatisfied

      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) is able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

              shverma Shiv Verma
              jkhelil abdeljawed khelil
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: