Story
Resolution: Unresolved
Major
Story (Required)
To support OpenShift's Post-Quantum Cryptography (PQC) readiness initiative, the Pipelines-as-Code (PAC) controller must stop using locally configured TLS settings and instead inherit them from the centrally managed APIServer TLS Profile.
This story requires refactoring the metrics endpoint so that:
- TLS version and cipher suites are dynamically inherited from the APIServer TLS Profile.
- The endpoint configuration aligns with OpenShift's PQC readiness by supporting TLS 1.3, the protocol version in which post-quantum (hybrid) key-exchange algorithms are negotiated.
- Configuration changes to the APIServer TLS Profile automatically propagate to the metrics endpoint without requiring code changes.
Technical guide and examples: https://docs.google.com/document/d/1cMc9E8psHfnoK06ntR8kHSWB8d3rMtmldhnmM4nImjs/edit?tab=t.4cxmujrb3zyn#heading=h.kah5ngeaf35x
Background (Required)
OpenShift provides centralized TLS configuration through the APIServer TLS Profile. Components should inherit these settings rather than maintaining local TLS configuration.
Out of scope
- Changes to non-metrics endpoints
- Backward compatibility with TLS versions below the APIServer profile's minimum
Approach (Required)
Architecture
The implementation uses environment variable injection to pass TLS configuration from the operator to the PAC controller:
Operator → Environment Variables → PAC Controller
Environment Variables
The operator will inject 3 environment variables into the PAC controller deployment:
TLS_MIN_VERSION - Minimum TLS version (e.g., VersionTLS12, VersionTLS13)
TLS_CIPHER_SUITES - Comma-separated list of allowed cipher suites
TLS_CURVE_PREFERENCES - Comma-separated list of elliptic curves for key exchange
Example values as they would appear in the controller Deployment (TLS 1.2 ECDHE suites by their IANA names; the minimum version uses the same VersionTLS1x spelling as the APIServer profile so one parser handles both):
{code:yaml}
- name: TLS_CIPHER_SUITES
  value: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
- name: TLS_CURVE_PREFERENCES
  value: 'P-256,P-384,P-521'
- name: TLS_MIN_VERSION
  value: VersionTLS12
{code}
Implementation Components
Operator Side:
- Read the APIServer TLS Profile (config.openshift.io/v1, spec.tlsSecurityProfile)
- Map the profile (Old/Intermediate/Modern, or the Custom spec) to environment variable values; the profile lists TLS 1.2 suites by their OpenSSL names, so they must be converted to the IANA names Go's crypto/tls accepts, and suites Go does not implement (the DHE-* ones) dropped
- Inject the environment variables into the PAC controller Deployment spec
- Watch for APIServer TLS Profile changes and update the Deployment (the controller reads the variables at startup, so a change must roll the pods)
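The operator-side mapping, as an added example that is not the operator's or PAC's own code: a stand-in for the config.openshift.io/v1 TLSSecurityProfile type with an abbreviated Intermediate profile (constructed for illustration; the authoritative tables are configv1.TLSProfiles in openshift/api, and library-go's crypto package carries an OpenSSL-to-IANA converter, both assumed here rather than imported), converting the profile's OpenSSL-style TLS 1.2 suite names to the IANA names Go's crypto/tls accepts, dropping the DHE suites Go does not implement, and emitting the three environment variables. ProfileToEnv, EnvVar and predefinedProfiles are names chosen for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-in for config.openshift.io/v1 TLSSecurityProfile (assumed shape; the real
// type is configv1.TLSSecurityProfile in github.com/openshift/api).
type TLSProfileSpec struct {
	Ciphers       []string // OpenSSL names for TLS 1.2 suites, IANA names for TLS 1.3
	MinTLSVersion string   // VersionTLS10 .. VersionTLS13
}

type TLSSecurityProfile struct {
	Type   string          // Old, Intermediate, Modern or Custom
	Custom *TLSProfileSpec // consulted only when Type == "Custom"
}

// EnvVar mirrors the two fields of corev1.EnvVar the operator sets.
type EnvVar struct{ Name, Value string }

// Abbreviated stand-in for the predefined profiles, constructed for this example;
// the authoritative tables are configv1.TLSProfiles in openshift/api.
var predefinedProfiles = map[string]TLSProfileSpec{
	"Intermediate": {MinTLSVersion: "VersionTLS12", Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
		"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
		"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
		"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
		"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
	}},
}

// openSSLToIANA covers TLS 1.2 suites Go's crypto/tls implements. DHE-* suites have
// no Go implementation and are deliberately absent, so they get dropped.
var openSSLToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

// resolveSpec picks the effective spec: Custom carries its own, the other types
// come from the predefined table.
func resolveSpec(p TLSSecurityProfile) (TLSProfileSpec, error) {
	if p.Type == "Custom" {
		if p.Custom == nil {
			return TLSProfileSpec{}, fmt.Errorf("Custom profile without a spec")
		}
		return *p.Custom, nil
	}
	if spec, ok := predefinedProfiles[p.Type]; ok {
		return spec, nil
	}
	return TLSProfileSpec{}, fmt.Errorf("unknown TLS profile type %q", p.Type)
}

// ianaCiphers converts the profile's suite list to IANA names in profile order and
// reports the names dropped because Go cannot implement them.
func ianaCiphers(ciphers []string) (kept, dropped []string) {
	for _, c := range ciphers {
		switch {
		case strings.HasPrefix(c, "TLS_"): // already an IANA name (all TLS 1.3 suites)
			kept = append(kept, c)
		case openSSLToIANA[c] != "":
			kept = append(kept, openSSLToIANA[c])
		default:
			dropped = append(dropped, c)
		}
	}
	return kept, dropped
}

// ProfileToEnv builds the injected variables. curves is the operator's choice for
// TLS_CURVE_PREFERENCES; nil omits the variable so the controller keeps Go's default
// curve list. Dropped suite names are returned so the operator can log them.
func ProfileToEnv(p TLSSecurityProfile, curves []string) ([]EnvVar, []string, error) {
	spec, err := resolveSpec(p)
	if err != nil {
		return nil, nil, err
	}
	kept, dropped := ianaCiphers(spec.Ciphers)
	if len(kept) == 0 {
		return nil, dropped, fmt.Errorf("profile %q leaves no cipher suite Go can use", p.Type)
	}
	env := []EnvVar{
		{"TLS_MIN_VERSION", spec.MinTLSVersion},
		{"TLS_CIPHER_SUITES", strings.Join(kept, ",")},
	}
	if len(curves) > 0 {
		env = append(env, EnvVar{"TLS_CURVE_PREFERENCES", strings.Join(curves, ",")})
	}
	return env, dropped, nil
}

func main() {
	env, dropped, err := ProfileToEnv(TLSSecurityProfile{Type: "Intermediate"}, []string{"X25519", "P-256", "P-384"})
	if err != nil {
		panic(err)
	}
	for _, e := range env {
		fmt.Printf("%s=%s\n", e.Name, e.Value)
	}
	fmt.Printf("dropped (no Go implementation): %s\n", strings.Join(dropped, ","))
}
```

Passing nil for curves is the choice to make when the controller runs on Go 1.24 or newer and the goal is PQC readiness: an explicit curve list that omits X25519MLKEM768 turns the hybrid post-quantum key exchange off, whereas Go's default list includes it.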
PAC Controller Side:
- Parse environment variables at startup
- Configure tls.Config for metrics endpoint using parsed values
- Provide sensible defaults if environment variables are missing: leave CipherSuites and CurvePreferences nil so Go's defaults apply (on Go 1.24+ the default curve list includes the X25519MLKEM768 hybrid post-quantum key exchange, which an explicit list that omits it would disable) and floor MinVersion at TLS 1.2
- Log TLS configuration for debugging
Configuration Flow
h1. 1. Operator reads APIServer TLS Profile
{code:yaml}
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
  tlsSecurityProfile:
    type: Intermediate
{code}
h1. 2. Operator injects into PAC Deployment
{code:yaml}
spec:
  template:
    spec:
      containers:
        - name: pac-controller
          env:
            - name: TLS_MIN_VERSION
              value: "VersionTLS12"
            # With a TLS 1.2 minimum the list must carry TLS 1.2 suites as well:
            # Go's crypto/tls ignores TLS 1.3 suite IDs in tls.Config.CipherSuites,
            # so a list of only TLS_AES_* suites leaves TLS 1.2 clients nothing to negotiate.
            - name: TLS_CIPHER_SUITES
              value: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
            - name: TLS_CURVE_PREFERENCES
              value: "X25519,P-256,P-384"
{code}
h1. 3. PAC controller reads and applies
{code:go}
tlsConfig := &tls.Config{
    MinVersion:       parseTLSVersion(os.Getenv("TLS_MIN_VERSION")),
    CipherSuites:     parseCipherSuites(os.Getenv("TLS_CIPHER_SUITES")),
    CurvePreferences: parseCurves(os.Getenv("TLS_CURVE_PREFERENCES")),
}
{code}
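The controller side, as an added example that is not PAC's own code: implementations of parseTLSVersion, parseCipherSuites and parseCurves against the standard library only, plus the checks the snippet above leaves out. Unknown or insecure suite names fail closed, TLS 1.3 suite names are accepted but kept out of tls.Config.CipherSuites, a list of only TLS 1.3 suites combined with a TLS 1.2 minimum is rejected, and empty variables leave Go's defaults in place. buildTLSConfig and its getenv parameter are assumptions made for testability.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"os"
	"strings"
)

// TLS_MIN_VERSION uses the APIServer profile's spelling of the minimum version.
var tlsVersions = map[string]uint16{
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}

// 0x11EC is the IANA group ID of X25519MLKEM768 (tls.X25519MLKEM768 in Go 1.24+),
// spelled numerically so this builds on older toolchains; list it only when the
// controller is built with Go 1.24 or newer.
var curves = map[string]tls.CurveID{
	"X25519": tls.X25519, "P-256": tls.CurveP256, "P-384": tls.CurveP384,
	"P-521": tls.CurveP521, "X25519MLKEM768": tls.CurveID(0x11EC),
}

// splitList splits a comma-separated value, trimming blanks and empty fields.
func splitList(s string) []string {
	var out []string
	for _, f := range strings.Split(s, ",") {
		if f = strings.TrimSpace(f); f != "" {
			out = append(out, f)
		}
	}
	return out
}

// parseTLSVersion defaults to TLS 1.2 when the variable is empty.
func parseTLSVersion(s string) (uint16, error) {
	if s = strings.TrimSpace(s); s == "" {
		return tls.VersionTLS12, nil
	}
	if v, ok := tlsVersions[s]; ok {
		return v, nil
	}
	return 0, fmt.Errorf("TLS_MIN_VERSION: unknown TLS version %q", s)
}

// parseCipherSuites resolves IANA names against tls.CipherSuites(), so anything known
// only to tls.InsecureCipherSuites() is refused. TLS 1.3 suites come back separately
// and stay out of tls.Config.CipherSuites: Go ignores them there, and a list holding
// only their IDs leaves TLS 1.2 clients nothing to negotiate.
func parseCipherSuites(s string) (tls12 []uint16, tls13 []string, err error) {
	secure := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs
	}
	for _, n := range splitList(s) {
		cs, ok := secure[n]
		if !ok {
			return nil, nil, fmt.Errorf("TLS_CIPHER_SUITES: refusing unknown or insecure suite %q", n)
		}
		if len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13 {
			tls13 = append(tls13, n)
			continue
		}
		tls12 = append(tls12, cs.ID)
	}
	return tls12, tls13, nil
}

// parseCurves returns nil for an empty value so Go's default list applies; on Go 1.24+
// that default includes the X25519MLKEM768 hybrid post-quantum key exchange.
func parseCurves(s string) ([]tls.CurveID, error) {
	var out []tls.CurveID
	for _, n := range splitList(s) {
		id, ok := curves[n]
		if !ok {
			return nil, fmt.Errorf("TLS_CURVE_PREFERENCES: unknown curve %q", n)
		}
		out = append(out, id)
	}
	return out, nil
}

// buildTLSConfig assembles the metrics endpoint's tls.Config from getenv
// (os.Getenv in the controller, a map lookup in tests).
func buildTLSConfig(getenv func(string) string) (*tls.Config, error) {
	minVer, err := parseTLSVersion(getenv("TLS_MIN_VERSION"))
	if err != nil {
		return nil, err
	}
	tls12, tls13, err := parseCipherSuites(getenv("TLS_CIPHER_SUITES"))
	if err != nil {
		return nil, err
	}
	if len(tls12) == 0 && len(tls13) > 0 && minVer < tls.VersionTLS13 {
		return nil, fmt.Errorf("TLS_CIPHER_SUITES lists only TLS 1.3 suites while TLS_MIN_VERSION permits TLS 1.2")
	}
	curvePrefs, err := parseCurves(getenv("TLS_CURVE_PREFERENCES"))
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: minVer, CipherSuites: tls12, CurvePreferences: curvePrefs}, nil
}

func main() {
	cfg, err := buildTLSConfig(os.Getenv)
	if err != nil {
		log.Fatalf("metrics TLS: %v", err) // fail closed rather than serve with a guessed policy
	}
	log.Printf("metrics TLS: min=%#x suites=%#x curves=%v", cfg.MinVersion, cfg.CipherSuites, cfg.CurvePreferences)
}
```

The log line at the end is the "log TLS configuration for debugging" requirement; the fatal exit on a bad variable is deliberate, since a metrics endpoint that silently falls back to a guessed policy defeats the purpose of inheriting the profile.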
Acceptance Criteria (Mandatory)
Configuration application: PAC controller successfully reads environment variables and applies them to metrics endpoint TLS configuration
INVEST Checklist
- Dependencies identified: APIServer TLS Profile read access
- Blockers noted and expected delivery timelines set
- Design is implementable: Environment variable approach is proven pattern
- Acceptance criteria agreed upon: See above
- Story estimated
Legend
✓ Verified
? Unknown
✗ Unsatisfied
Done Checklist
- Code is completed, reviewed, documented and checked in
- Unit and integration test automation has been delivered and is running cleanly in the continuous integration/staging/canary environment
- Continuous Delivery pipeline(s) is able to proceed with new code included
- Customer facing documentation, API docs etc. are produced/updated, reviewed and published
- Acceptance criteria are met