openshift
diff --git a/‎go.mod‎
Lines changed: 5 additions & 1 deletion b/‎go.mod‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 13 additions & 2 deletions b/‎go.sum‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎lib/resourcebuilder/core.go‎
Lines changed: 227 additions & 0 deletions b/‎lib/resourcebuilder/core.go‎
Lines changed: 227 additions & 0 deletions
@@ -32,6 +32,8 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kube-aggregator v0.34.1
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
+	sigs.k8s.io/kustomize/kyaml v0.21.1
+	sigs.k8s.io/yaml v1.6.0
 )
 
 require (
@@ -41,6 +43,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
@@ -49,6 +52,7 @@ require (
 	github.com/google/cel-go v0.26.0 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/jpillora/backoff v1.0.0 // indirect
@@ -87,9 +91,9 @@ require (
 	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
 	sigs.k8s.io/controller-runtime v0.12.1 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
-	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20241205171354-8006f302fd12
@@ -20,6 +20,8 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
+github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
@@ -45,6 +47,8 @@ github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgY
 github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
+github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -103,6 +107,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0 h1:AHzMWDxNiAVscJL6+4wkvFRTpMnJqiaZFEKA/osaBXE=
+github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA=
 github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
 github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
@@ -113,8 +119,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@@ -211,6 +217,7 @@ gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -240,6 +247,10 @@ sigs.k8s.io/controller-runtime v0.12.1 h1:4BJY01xe9zKQti8oRjj/NeHKRXthf1YkYJAgLO
 sigs.k8s.io/controller-runtime v0.12.1/go.mod h1:BKhxlA4l7FPK4AQcsuL4X6vZeWnKDXez/vp1Y8dxTU0=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
+sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 h1:PFWFSkpArPNJxFX4ZKWAk9NSeRoZaXschn+ULa4xVek=
+sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I=
+sigs.k8s.io/kustomize/kyaml v0.21.1 h1:IVlbmhC076nf6foyL6Taw4BkrLuEsXUXNpsE+ScX7fI=
+sigs.k8s.io/kustomize/kyaml v0.21.1/go.mod h1:hmxADesM3yUN2vbA5z1/YTBnzLJ1dajdqpQonwBL1FQ=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
 
@@ -0,0 +1,227 @@
+package resourcebuilder
+
+import (
+	"context"
+	"slices"
+	"sort"
+
+	configv1 "github.com/openshift/api/config/v1"
+	configclientv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
+	configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
+	"github.com/openshift/library-go/pkg/operator/configobserver/apiserver"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+	"k8s.io/utils/clock"
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+)
+
+const (
+	// ConfigMapInjectTLSAnnotation is the annotation key that triggers TLS injection into ConfigMaps
+	ConfigMapInjectTLSAnnotation = "config.openshift.io/inject-tls"
+)
+
+func (b *builder) modifyConfigMap(ctx context.Context, cm *corev1.ConfigMap) error {
+	// Check for TLS injection annotation
+	if value, ok := cm.Annotations[ConfigMapInjectTLSAnnotation]; !ok || value != "true" {
+		return nil
+	}
+
+	klog.V(2).Infof("ConfigMap %s/%s has %s annotation set to true", cm.Namespace, cm.Name, ConfigMapInjectTLSAnnotation)
+
+	// Empty data, nothing to inject into
+	if cm.Data == nil {
+		klog.V(2).Infof("ConfigMap %s/%s has empty data, skipping", cm.Namespace, cm.Name)
+		return nil
+	}
+
+	// Observe TLS configuration from APIServer
+	minTLSVersion, minTLSFound, cipherSuites, ciphersFound := b.observeTLSConfiguration(ctx, cm)
+
+	if !minTLSFound && !ciphersFound {
+		klog.V(2).Infof("ConfigMap %s/%s: no TLS configuration found, skipping", cm.Namespace, cm.Name)
+		return nil
+	}
+
+	// Process each data entry that contains GenericOperatorConfig
+	for key, value := range cm.Data {
+		// Parse YAML into RNode to preserve formatting and field order
+		rnode, err := yaml.Parse(value)
+		if err != nil {
+			// Not valid YAML, skip this entry
+			continue
+		}
+
+		// Check if this is a GenericOperatorConfig by checking the kind field
+		kind, err := rnode.GetString("kind")
+		if err != nil || kind != "GenericOperatorConfig" {
+			// Not a GenericOperatorConfig, skip this entry
+			continue
+		}
+
+		klog.V(2).Infof("ConfigMap %s/%s processing GenericOperatorConfig in key %s", cm.Namespace, cm.Name, key)
+
+		// Inject TLS settings into the GenericOperatorConfig while preserving structure
+		if err := updateRNodeWithTLSSettings(rnode, minTLSVersion, minTLSFound, cipherSuites, ciphersFound); err != nil {
+			return err
+		}
+
+		// Marshal the modified RNode back to YAML
+		modifiedYAML, err := rnode.String()
+		if err != nil {
+			return err
+		}
+
+		// Update the ConfigMap data entry with the modified YAML
+		cm.Data[key] = modifiedYAML
+		klog.V(2).Infof("ConfigMap %s/%s updated GenericOperatorConfig in key %s with %d ciphers and minTLSVersion=%s",
+			cm.Namespace, cm.Name, key, len(cipherSuites), minTLSVersion)
+	}
+
+	klog.V(2).Infof("APIServer config available for ConfigMap %s/%s TLS injection", cm.Namespace, cm.Name)
+
+	return nil
+}
+
+// observeTLSConfiguration retrieves TLS configuration from the APIServer cluster CR
+// using ObserveTLSSecurityProfile and extracts minTLSVersion and cipherSuites.
+func (b *builder) observeTLSConfiguration(ctx context.Context, cm *corev1.ConfigMap) (minTLSVersion string, minTLSFound bool, cipherSuites []string, ciphersFound bool) {
+	// First check if the APIServer cluster resource exists
+	_, err := b.configClientv1.APIServers().Get(ctx, "cluster", metav1.GetOptions{})
+	if err != nil {
+		klog.V(2).Infof("ConfigMap %s/%s: APIServer cluster resource not found, skipping TLS injection: %v", cm.Namespace, cm.Name, err)
+		return "", false, nil, false
+	}
+
+	// Create a lister adapter for ObserveTLSSecurityProfile
+	lister := &apiServerListerAdapter{
+		client: b.configClientv1.APIServers(),
+		ctx:    ctx,
+	}
+	listers := &configObserverListers{
+		apiServerLister: lister,
+	}
+
+	// Create an in-memory event recorder that doesn't send events to the API server
+	recorder := events.NewInMemoryRecorder("configmap-tls-injection", clock.RealClock{})
+
+	// Call ObserveTLSSecurityProfile to get TLS configuration
+	observedConfig, errs := apiserver.ObserveTLSSecurityProfile(listers, recorder, map[string]interface{}{})
+	if len(errs) > 0 {
+		// Log errors but continue - ObserveTLSSecurityProfile is tolerant of missing config
+		for _, err := range errs {
+			klog.V(2).Infof("ConfigMap %s/%s: error observing TLS profile: %v", cm.Namespace, cm.Name, err)
+		}
+	}
+
+	// Extract the TLS settings from the observed config
+	minTLSVersion, minTLSFound, _ = unstructured.NestedString(observedConfig, "servingInfo", "minTLSVersion")
+	cipherSuites, ciphersFound, _ = unstructured.NestedStringSlice(observedConfig, "servingInfo", "cipherSuites")
+
+	// Sort cipher suites for consistent comparison
+	if ciphersFound && len(cipherSuites) > 0 {
+		sort.Strings(cipherSuites)
+	}
+
+	return minTLSVersion, minTLSFound, cipherSuites, ciphersFound
+}
+
+// updateRNodeWithTLSSettings injects TLS settings into a GenericOperatorConfig RNode while preserving structure
+// cipherSuites is expected to be sorted
+func updateRNodeWithTLSSettings(rnode *yaml.RNode, minTLSVersion string, minTLSFound bool, cipherSuites []string, ciphersFound bool) error {
+	servingInfo, err := rnode.Pipe(yaml.LookupCreate(yaml.MappingNode, "servingInfo"))
+	if err != nil {
+		return err
+	}
+
+	if ciphersFound && len(cipherSuites) > 0 {
+		currentCiphers, err := getSortedCipherSuites(servingInfo)
+		if err != nil || !slices.Equal(currentCiphers, cipherSuites) {
+			// Create a sequence node with the cipher suites
+			seqNode := yaml.NewListRNode(cipherSuites...)
+			if err := servingInfo.PipeE(yaml.SetField("cipherSuites", seqNode)); err != nil {
+				return err
+			}
+		}
+	}
+
+	// Update minTLSVersion if found
+	if minTLSFound && minTLSVersion != "" {
+		if err := servingInfo.PipeE(yaml.SetField("minTLSVersion", yaml.NewStringRNode(minTLSVersion))); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// getSortedCipherSuites extracts and sorts the cipherSuites string slice from a servingInfo RNode
+func getSortedCipherSuites(servingInfo *yaml.RNode) ([]string, error) {
+	ciphersNode, err := servingInfo.Pipe(yaml.Lookup("cipherSuites"))
+	if err != nil || ciphersNode == nil {
+		return nil, err
+	}
+
+	elements, err := ciphersNode.Elements()
+	if err != nil {
+		return nil, err
+	}
+
+	var ciphers []string
+	for _, elem := range elements {
+		// For scalar nodes, access the value directly without YAML serialization
+		// This avoids the trailing newline that String() (which uses yaml.Encode) adds
+		if elem.YNode().Kind == yaml.ScalarNode {
+			value := elem.YNode().Value
+			// Skip empty values
+			if value == "" {
+				continue
+			}
+			ciphers = append(ciphers, value)
+		}
+	}
+
+	// Sort cipher suites for consistent comparison
+	sort.Strings(ciphers)
+
+	return ciphers, nil
+}
+
+// apiServerListerAdapter adapts a client interface to the lister interface
+type apiServerListerAdapter struct {
+	client configclientv1.APIServerInterface
+	ctx    context.Context
+}
+
+func (a *apiServerListerAdapter) List(selector labels.Selector) ([]*configv1.APIServer, error) {
+	// Not implemented - ObserveTLSSecurityProfile only uses Get()
+	return nil, nil
+}
+
+func (a *apiServerListerAdapter) Get(name string) (*configv1.APIServer, error) {
+	return a.client.Get(a.ctx, name, metav1.GetOptions{})
+}
+
+// configObserverListers implements the configobserver.Listers interface
+type configObserverListers struct {
+	apiServerLister configlistersv1.APIServerLister
+}
+
+func (l *configObserverListers) APIServerLister() configlistersv1.APIServerLister {
+	return l.apiServerLister
+}
+
+func (l *configObserverListers) ResourceSyncer() resourcesynccontroller.ResourceSyncer {
+	// Not needed for TLS observation
+	return nil
+}
+
+func (l *configObserverListers) PreRunHasSynced() []cache.InformerSynced {
+	// Not needed for TLS observation
+	return nil
+}