fix: return an error when APIServer CR is not found to avoid falling back to defaults

Falling back to the library-go's ObserveTLSSecurityProfile defaults
can cause a temporary flip to different TLS configuration that does not
adhere the centralized TLS configuration. To avoid any unexpected
changes error right away and wait until the CR is available again.
Meantime, do not update the corresponding CM.

Author: ingvagabund

lib/resourcebuilder/core.go

@@ -18,7 +18,6 @@ import (
 
 	configv1 "github.com/openshift/api/config/v1"
 	operatorv1alpha1 "github.com/openshift/api/operator/v1alpha1"
-	configclientv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
 	configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
 	"github.com/openshift/library-go/pkg/operator/configobserver/apiserver"
 	"github.com/openshift/library-go/pkg/operator/events"
@@ -114,13 +113,15 @@ func (b *builder) modifyConfigMap(ctx context.Context, cm *corev1.ConfigMap) err
 // observeTLSConfiguration retrieves TLS configuration from the APIServer cluster CR
 // using ObserveTLSSecurityProfile and extracts minTLSVersion and cipherSuites.
 func (b *builder) observeTLSConfiguration(ctx context.Context, cm *corev1.ConfigMap) (*tlsConfig, error) {
-	// Create a lister adapter for ObserveTLSSecurityProfile
-	lister := &apiServerListerAdapter{
-		client: b.configClientv1.APIServers(),
-		ctx:    ctx,
+	apiServer, err := b.configClientv1.APIServers().Get(ctx, "cluster", metav1.GetOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to retrieve APIServer CR for ConfigMap %s/%s: %w", cm.Namespace, cm.Name, err)
 	}
+
 	listers := &configObserverListers{
-		apiServerLister: lister,
+		apiServerLister: &apiServerListerAdapter{
+			apiServer: apiServer,
+		},
 	}
 
 	// Create an in-memory event recorder that doesn't send events to the API server
@@ -187,10 +188,9 @@ func updateRNodeWithTLSSettings(rnode *yaml.RNode, tlsConf *tlsConfig) error {
 	return nil
 }
 
-// apiServerListerAdapter adapts a client interface to the lister interface
+// apiServerListerAdapter adapts an injected APIServer to the lister interface
 type apiServerListerAdapter struct {
-	client configclientv1.APIServerInterface
-	ctx    context.Context
+	apiServer *configv1.APIServer
 }
 
 func (a *apiServerListerAdapter) List(selector labels.Selector) ([]*configv1.APIServer, error) {
@@ -199,7 +199,10 @@ func (a *apiServerListerAdapter) List(selector labels.Selector) ([]*configv1.API
 }
 
 func (a *apiServerListerAdapter) Get(name string) (*configv1.APIServer, error) {
-	return a.client.Get(a.ctx, name, metav1.GetOptions{})
+	if name != a.apiServer.Name {
+		return nil, fmt.Errorf("APIServer %q not found", name)
+	}
+	return a.apiServer, nil
 }
 
 // configObserverListers implements the configobserver.Listers interface.

lib/resourcebuilder/core_test.go

@@ -22,7 +22,6 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	operatorv1alpha1 "github.com/openshift/api/operator/v1alpha1"
 	fakeconfigclientv1 "github.com/openshift/client-go/config/clientset/versioned/fake"
-	"github.com/openshift/library-go/pkg/crypto"
 )
 
 // makeGenericConfigYAML generates a generic config YAML string with the specified servingInfo fields.
@@ -77,12 +76,6 @@ func makeGenericControllerConfigYAML(cipherSuites []string, minTLSVersion string
 	return makeGenericConfigYAML(configv1.GroupVersion.String(), "GenericControllerConfig", cipherSuites, minTLSVersion)
 }
 
-func getDefaultCipherSuitesSorted() []string {
-	cipherSuites := crypto.CipherSuitesToNamesOrDie(crypto.DefaultCiphers())
-	sort.Strings(cipherSuites)
-	return cipherSuites
-}
-
 const (
 	// TLS version constants used in test configurations
 	tlsVersion12 = "VersionTLS12"
@@ -126,8 +119,6 @@ var (
 		"AES256-GCM-SHA384",
 		"AES128-SHA256",
 	}
-
-	defaultCipherSuites = getDefaultCipherSuitesSorted()
 )
 
 // makeConfigMap is a helper to create a ConfigMap with optional annotation and data
@@ -374,19 +365,14 @@ func TestModifyConfigMap(t *testing.T) {
 			},
 		},
 		{
-			name: "ConfigMap with annotation and Data - APIServer not found - default TLS configuration expected",
+			name: "ConfigMap with annotation and Data - APIServer not found - error expected",
 			configMap: makeConfigMap(true, map[string]string{
 				genericOperatorConfigCMKey: makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion12),
 			}),
 			apiServer:   nil,
-			expectError: false,
+			expectError: true,
 			validateConfigMap: func(t *testing.T, original, modified *corev1.ConfigMap) {
-				defaultTLSConfigMap := makeConfigMap(true, map[string]string{
-					genericOperatorConfigCMKey: makeGenericOperatorConfigYAML(defaultCipherSuites, tlsVersion12),
-				})
-				if err := validateConfigMapsEqual(defaultTLSConfigMap, modified); err != nil {
-					t.Fatalf("validation failed: %v", err)
-				}
+				// No validation needed when error is expected
 			},
 		},
 		{

lib/resourcebuilder/resourcebuilder_test.go

@@ -29,35 +29,44 @@ metadata:
 func TestModifyConfigMapWithBuilder(t *testing.T) {
 
 	tests := []struct {
-		name       string
-		configMap  *corev1.ConfigMap
-		apiServer  *configv1.APIServer
-		expectYAML string // Expected YAML content after modification
+		name        string
+		configMap   *corev1.ConfigMap
+		apiServer   *configv1.APIServer
+		expectYAML  string // Expected YAML content after modification
+		expectError bool   // Whether an error is expected from Do()
 	}{
 		{
 			name: "ConfigMap with GenericOperatorConfig - TLS injection",
 			configMap: makeConfigMap(true, map[string]string{
-				"config.yaml": makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion12),
+				genericOperatorConfigCMKey: makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion12),
 			}),
 			apiServer:  makeAPIServerConfig(withCustomTLSProfile(testOpenSSLCipherSuites2, configv1.VersionTLS13)),
 			expectYAML: makeGenericOperatorConfigYAML(testCipherSuites2, tlsVersion13),
 		},
 		{
 			name: "ConfigMap without annotation - no modification",
 			configMap: makeConfigMap(false, map[string]string{
-				"config.yaml": makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion12),
+				genericOperatorConfigCMKey: makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion12),
 			}),
 			apiServer:  makeAPIServerConfig(withCustomTLSProfile(testOpenSSLCipherSuites2, configv1.VersionTLS13)),
 			expectYAML: makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion12),
 		},
 		{
 			name: "ConfigMap with non-GenericOperatorConfig - no modification",
 			configMap: makeConfigMap(true, map[string]string{
-				"config.yaml": noGenericOperatorConfigYAML,
+				genericOperatorConfigCMKey: noGenericOperatorConfigYAML,
 			}),
 			apiServer:  makeAPIServerConfig(withCustomTLSProfile(testOpenSSLCipherSuites, configv1.VersionTLS13)),
 			expectYAML: noGenericOperatorConfigYAML,
 		},
+		{
+			name: "ConfigMap with annotation - APIServer not found - error expected",
+			configMap: makeConfigMap(true, map[string]string{
+				genericOperatorConfigCMKey: makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion13),
+			}),
+			expectYAML:  makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion13),
+			expectError: true,
+		},
 	}
 
 	for _, tt := range tests {
@@ -73,6 +82,13 @@ func TestModifyConfigMapWithBuilder(t *testing.T) {
 			// Create fake kubernetes client
 			fakeKubeClient := fakekubernetes.NewClientset()
 
+			// Create the ConfigMap in the fake client before running the builder
+			ctx := context.Background()
+			_, err := fakeKubeClient.CoreV1().ConfigMaps(tt.configMap.Namespace).Create(ctx, tt.configMap, metav1.CreateOptions{})
+			if err != nil {
+				t.Fatalf("Failed to create ConfigMap: %v", err)
+			}
+
 			// Marshal ConfigMap to YAML bytes
 			configMapYAML, err := yaml.Marshal(tt.configMap)
 			if err != nil {
@@ -87,20 +103,23 @@ func TestModifyConfigMapWithBuilder(t *testing.T) {
 			}
 
 			// Call Do()
-			ctx := context.Background()
 			err = b.Do(ctx)
-			if err != nil {
-				t.Fatalf("Do() unexpected error: %v", err)
+
+			// Check error expectation
+			if (err != nil) != tt.expectError {
+				t.Fatalf("Do() error = %v, expectError %v", err, tt.expectError)
 			}
 
-			// Retrieve the applied ConfigMap from the fake client
+			// ConfigMap should always be retrievable, regardless of error
 			appliedConfigMap, err := fakeKubeClient.CoreV1().ConfigMaps(tt.configMap.Namespace).Get(ctx, tt.configMap.Name, metav1.GetOptions{})
 			if err != nil {
 				t.Fatalf("Failed to get applied ConfigMap: %v", err)
 			}
 
 			// Verify the result matches expected YAML
-			modifiedYAML := appliedConfigMap.Data["config.yaml"]
+			// When Do() errors, the ConfigMap should remain unchanged (expectYAML has the original values)
+			// When Do() succeeds, the ConfigMap should have modified values (expectYAML has the modified values)
+			modifiedYAML := appliedConfigMap.Data[genericOperatorConfigCMKey]
 			if diff := cmp.Diff(tt.expectYAML, modifiedYAML); diff != "" {
 				t.Errorf("ConfigMap YAML mismatch (-want +got):\n%s", diff)
 			}