feat(resource builder): allow to inject tls configuration into annotated config maps

Author: ingvagabund

hack/generate-lib-resources.py

@@ -307,6 +307,7 @@ def scheme_group_versions(types):
     modifiers = {
         ('k8s.io/api/apps/v1', 'Deployment'): 'b.modifyDeployment',
         ('k8s.io/api/apps/v1', 'DaemonSet'): 'b.modifyDaemonSet',
+        ('k8s.io/api/core/v1', 'ConfigMap'): 'b.modifyConfigMap',
     }
 
     health_checks = {

lib/resourcebuilder/core.go

@@ -0,0 +1,251 @@
+package resourcebuilder
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"sort"
+
+	"sigs.k8s.io/kustomize/kyaml/yaml"
+
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+	"k8s.io/utils/clock"
+
+	configv1 "github.com/openshift/api/config/v1"
+	configclientv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
+	configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
+	"github.com/openshift/library-go/pkg/operator/configobserver/apiserver"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
+)
+
+const (
+	// ConfigMapInjectTLSAnnotation is the annotation key that triggers TLS injection into ConfigMaps
+	ConfigMapInjectTLSAnnotation = "config.openshift.io/inject-tls"
+)
+
+func (b *builder) modifyConfigMap(ctx context.Context, cm *corev1.ConfigMap) error {
+	// Check for TLS injection annotation
+	if value, ok := cm.Annotations[ConfigMapInjectTLSAnnotation]; !ok || value != "true" {
+		return nil
+	}
+
+	klog.V(2).Infof("ConfigMap %s/%s has %s annotation set to true", cm.Namespace, cm.Name, ConfigMapInjectTLSAnnotation)
+
+	// Empty data, nothing to inject into
+	if cm.Data == nil {
+		klog.V(2).Infof("ConfigMap %s/%s has empty data, skipping", cm.Namespace, cm.Name)
+		return nil
+	}
+
+	// Observe TLS configuration from APIServer
+	minTLSVersion, minTLSFound, cipherSuites, ciphersFound, err := b.observeTLSConfiguration(ctx, cm)
+	if err != nil {
+		return fmt.Errorf("unable to observe TLS configuration: %v", err)
+	}
+
+	if !minTLSFound && !ciphersFound {
+		klog.V(2).Infof("ConfigMap %s/%s: no TLS configuration found, skipping", cm.Namespace, cm.Name)
+		return nil
+	}
+
+	klog.V(4).Infof("Observing minTLSVersion=%v, cipherSuites=%v", minTLSVersion, cipherSuites)
+
+	// Process each data entry that contains GenericOperatorConfig
+	for key, value := range cm.Data {
+		klog.V(4).Infof("Processing %q key", key)
+		// Parse YAML into RNode to preserve formatting and field order
+		rnode, err := yaml.Parse(value)
+		if err != nil {
+			klog.V(4).Infof("ConfigMap's %q entry parsing failed: %v", key, err)
+			// Not valid YAML, skip this entry
+			continue
+		}
+
+		// Check if this is a GenericOperatorConfig by checking the kind field
+		kind, err := rnode.GetString("kind")
+		if err != nil {
+			klog.V(4).Infof("ConfigMap's %q kind accessing failed: %v", key, err)
+			continue
+		}
+		if kind != "GenericOperatorConfig" {
+			klog.V(4).Infof("ConfigMap's %q entry is not a GenericOperatorConfig, skiping this entry", key)
+			continue
+		}
+
+		klog.V(2).Infof("ConfigMap %s/%s processing GenericOperatorConfig in key %s", cm.Namespace, cm.Name, key)
+
+		// Inject TLS settings into the GenericOperatorConfig while preserving structure
+		if err := updateRNodeWithTLSSettings(rnode, minTLSVersion, minTLSFound, cipherSuites, ciphersFound); err != nil {
+			klog.V(4).Infof("Error injecting the TLS configuration: %v", err)
+			return err
+		}
+
+		// Marshal the modified RNode back to YAML
+		modifiedYAML, err := rnode.String()
+		if err != nil {
+			klog.V(4).Infof("Error marshalling the modified ConfigMap back to YAML: %v", err)
+			return err
+		}
+
+		// Update the ConfigMap data entry with the modified YAML
+		cm.Data[key] = modifiedYAML
+		klog.V(2).Infof("ConfigMap %s/%s updated GenericOperatorConfig in key %s with %d ciphers and minTLSVersion=%s",
+			cm.Namespace, cm.Name, key, len(cipherSuites), minTLSVersion)
+	}
+
+	klog.V(2).Infof("APIServer config available for ConfigMap %s/%s TLS injection", cm.Namespace, cm.Name)
+
+	return nil
+}
+
+// observeTLSConfiguration retrieves TLS configuration from the APIServer cluster CR
+// using ObserveTLSSecurityProfile and extracts minTLSVersion and cipherSuites.
+// minTLSVersion string, minTLSFound bool, cipherSuites []string, ciphersFound bool, err error
+func (b *builder) observeTLSConfiguration(ctx context.Context, cm *corev1.ConfigMap) (string, bool, []string, bool, error) {
+	// First check if the APIServer cluster resource exists
+	_, err := b.configClientv1.APIServers().Get(ctx, "cluster", metav1.GetOptions{})
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			klog.V(2).Infof("ConfigMap %s/%s: APIServer cluster resource not found, skipping TLS injection", cm.Namespace, cm.Name)
+			return "", false, nil, false, nil
+		}
+		// For transient API failures (network errors, timeouts, etc.), log at higher severity
+		klog.Warningf("ConfigMap %s/%s: failed to get APIServer cluster resource (transient failure), skipping TLS injection: %v", cm.Namespace, cm.Name, err)
+		return "", false, nil, false, err
+	}
+
+	// Create a lister adapter for ObserveTLSSecurityProfile
+	lister := &apiServerListerAdapter{
+		client: b.configClientv1.APIServers(),
+		ctx:    ctx,
+	}
+	listers := &configObserverListers{
+		apiServerLister: lister,
+	}
+
+	// Create an in-memory event recorder that doesn't send events to the API server
+	recorder := events.NewInMemoryRecorder("configmap-tls-injection", clock.RealClock{})
+
+	// Call ObserveTLSSecurityProfile to get TLS configuration
+	observedConfig, errs := apiserver.ObserveTLSSecurityProfile(listers, recorder, map[string]any{})
+	if len(errs) > 0 {
+		// Log errors but continue - ObserveTLSSecurityProfile is tolerant of missing config
+		for _, err := range errs {
+			klog.V(2).Infof("ConfigMap %s/%s: error observing TLS profile: %v", cm.Namespace, cm.Name, err)
+		}
+	}
+
+	// Extract the TLS settings from the observed config
+	minTLSVersion, minTLSFound, _ := unstructured.NestedString(observedConfig, "servingInfo", "minTLSVersion")
+	cipherSuites, ciphersFound, _ := unstructured.NestedStringSlice(observedConfig, "servingInfo", "cipherSuites")
+
+	// Sort cipher suites for consistent comparison
+	if ciphersFound && len(cipherSuites) > 0 {
+		sort.Strings(cipherSuites)
+	}
+
+	return minTLSVersion, minTLSFound, cipherSuites, ciphersFound, nil
+}
+
+// updateRNodeWithTLSSettings injects TLS settings into a GenericOperatorConfig RNode while preserving structure
+// cipherSuites is expected to be sorted
+func updateRNodeWithTLSSettings(rnode *yaml.RNode, minTLSVersion string, minTLSFound bool, cipherSuites []string, ciphersFound bool) error {
+	servingInfo, err := rnode.Pipe(yaml.LookupCreate(yaml.MappingNode, "servingInfo"))
+	if err != nil {
+		return err
+	}
+
+	if ciphersFound && len(cipherSuites) > 0 {
+		currentCiphers, err := getSortedCipherSuites(servingInfo)
+		if err != nil || !slices.Equal(currentCiphers, cipherSuites) {
+			// Create a sequence node with the cipher suites
+			seqNode := yaml.NewListRNode(cipherSuites...)
+			if err := servingInfo.PipeE(yaml.SetField("cipherSuites", seqNode)); err != nil {
+				return err
+			}
+		}
+	}
+
+	// Update minTLSVersion if found
+	if minTLSFound && minTLSVersion != "" {
+		if err := servingInfo.PipeE(yaml.SetField("minTLSVersion", yaml.NewStringRNode(minTLSVersion))); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// getSortedCipherSuites extracts and sorts the cipherSuites string slice from a servingInfo RNode
+func getSortedCipherSuites(servingInfo *yaml.RNode) ([]string, error) {
+	ciphersNode, err := servingInfo.Pipe(yaml.Lookup("cipherSuites"))
+	if err != nil || ciphersNode == nil {
+		return nil, err
+	}
+
+	elements, err := ciphersNode.Elements()
+	if err != nil {
+		return nil, err
+	}
+
+	var ciphers []string
+	for _, elem := range elements {
+		// For scalar nodes, access the value directly without YAML serialization
+		// This avoids the trailing newline that String() (which uses yaml.Encode) adds
+		if elem.YNode().Kind == yaml.ScalarNode {
+			value := elem.YNode().Value
+			// Skip empty values
+			if value == "" {
+				continue
+			}
+			ciphers = append(ciphers, value)
+		}
+	}
+
+	// Sort cipher suites for consistent comparison
+	sort.Strings(ciphers)
+
+	return ciphers, nil
+}
+
+// apiServerListerAdapter adapts a client interface to the lister interface
+type apiServerListerAdapter struct {
+	client configclientv1.APIServerInterface
+	ctx    context.Context
+}
+
+func (a *apiServerListerAdapter) List(selector labels.Selector) ([]*configv1.APIServer, error) {
+	// Not implemented - ObserveTLSSecurityProfile only uses Get()
+	return nil, nil
+}
+
+func (a *apiServerListerAdapter) Get(name string) (*configv1.APIServer, error) {
+	return a.client.Get(a.ctx, name, metav1.GetOptions{})
+}
+
+// configObserverListers implements the configobserver.Listers interface.
+// It's expected to be used solely for apiserver.ObserveTLSSecurityProfile.
+type configObserverListers struct {
+	apiServerLister configlistersv1.APIServerLister
+}
+
+func (l *configObserverListers) APIServerLister() configlistersv1.APIServerLister {
+	return l.apiServerLister
+}
+
+func (l *configObserverListers) ResourceSyncer() resourcesynccontroller.ResourceSyncer {
+	// Not needed for TLS observation
+	return nil
+}
+
+func (l *configObserverListers) PreRunHasSynced() []cache.InformerSynced {
+	// Not needed for TLS observation
+	return nil
+}