inject TLS config to the CCM operands

damdo · damdo · commit 2898912455f4 · 2026-02-17T15:12:24.000+01:00
diff --git a/cmd/cluster-cloud-controller-manager-operator/main.go b/cmd/cluster-cloud-controller-manager-operator/main.go
@@ -265,6 +265,7 @@ func main() {
 		Scheme:            mgr.GetScheme(),
 		ImagesFile:        *imagesFile,
 		FeatureGateAccess: featureGateAccessor,
+		TLSProfileSpec:    tlsProfileSpec,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ClusterOperator")
 		os.Exit(1)
diff --git a/pkg/cloud/aws/assets/deployment.yaml b/pkg/cloud/aws/assets/deployment.yaml
@@ -43,6 +43,12 @@ spec:
           --leader-elect-renew-deadline=107s \
           --leader-elect-retry-period=26s \
           --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+          {{- if .tlsCipherSuites }}
+          --tls-cipher-suites={{ .tlsCipherSuites }} \
+          {{- end }}
+          {{- if .tlsMinVersion }}
+          --tls-min-version={{ .tlsMinVersion }} \
+          {{- end }}
           --secure-port=0 \
           -v=2
         env:
diff --git a/pkg/cloud/aws/aws.go b/pkg/cloud/aws/aws.go
@@ -33,6 +33,8 @@ type imagesReference struct {
 var templateValuesValidationMap = map[string]interface{}{
 	"images":            "required",
 	"cloudproviderName": "required,type(string)",
+	"tlsCipherSuites":   "type(string)",
+	"tlsMinVersion":     "type(string)",
 }
 
 type awsAssets struct {
@@ -48,6 +50,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 	values := common.TemplateValues{
 		"images":            images,
 		"cloudproviderName": operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":   operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":     operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/azure/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/azure/assets/cloud-controller-manager-deployment.yaml
@@ -122,6 +122,12 @@ spec:
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
                 --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+                {{- if .tlsCipherSuites }}
+                --tls-cipher-suites={{ .tlsCipherSuites }} \
+                {{- end }}
+                {{- if .tlsMinVersion }}
+                --tls-min-version={{ .tlsMinVersion }} \
+                {{- end }}
                 --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
diff --git a/pkg/cloud/azure/azure.go b/pkg/cloud/azure/azure.go
@@ -71,6 +71,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"images":             "required",
 	"infrastructureName": "required,type(string)",
 	"cloudproviderName":  "required,notnull,type(string)",
+	"tlsCipherSuites":    "type(string)",
+	"tlsMinVersion":      "type(string)",
 }
 
 type azureAssets struct {
@@ -87,6 +89,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 		"images":             images,
 		"infrastructureName": operatorConfig.InfrastructureName,
 		"cloudproviderName":  operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":    operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":      operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/azurestack/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/azurestack/assets/cloud-controller-manager-deployment.yaml
@@ -114,6 +114,12 @@ spec:
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
                 --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+                {{- if .tlsCipherSuites }}
+                --tls-cipher-suites={{ .tlsCipherSuites }} \
+                {{- end }}
+                {{- if .tlsMinVersion }}
+                --tls-min-version={{ .tlsMinVersion }} \
+                {{- end }}
                 --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
diff --git a/pkg/cloud/azurestack/azurestack.go b/pkg/cloud/azurestack/azurestack.go
@@ -41,6 +41,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"images":             "required",
 	"infrastructureName": "required,type(string)",
 	"cloudproviderName":  "required,type(string)",
+	"tlsCipherSuites":    "type(string)",
+	"tlsMinVersion":      "type(string)",
 }
 
 type azurestackAssets struct {
@@ -57,6 +59,8 @@ func getTemplateValues(images imagesReference, operatorConfig config.OperatorCon
 		"images":             images,
 		"infrastructureName": operatorConfig.InfrastructureName,
 		"cloudproviderName":  operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":    operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":      operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/gcp/assets/cloud-controller-manager.yaml b/pkg/cloud/gcp/assets/cloud-controller-manager.yaml
@@ -96,6 +96,12 @@ spec:
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
                 --leader-elect-resource-namespace=openshift-cloud-controller-manager \
+                {{- if .tlsCipherSuites }}
+                --tls-cipher-suites={{ .tlsCipherSuites }} \
+                {{- end }}
+                {{- if .tlsMinVersion }}
+                --tls-min-version={{ .tlsMinVersion }} \
+                {{- end }}
                 --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
diff --git a/pkg/cloud/gcp/gcp.go b/pkg/cloud/gcp/gcp.go
@@ -36,6 +36,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"images":             "required",
 	"infrastructureName": "required,type(string)",
 	"cloudproviderName":  "required,type(string)",
+	"tlsCipherSuites":    "type(string)",
+	"tlsMinVersion":      "type(string)",
 }
 
 type GCPAssets struct {
@@ -52,6 +54,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 		"images":             images,
 		"infrastructureName": operatorConfig.InfrastructureName,
 		"cloudproviderName":  operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":    operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":      operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/ibm/assets/deployment.yaml b/pkg/cloud/ibm/assets/deployment.yaml
@@ -84,7 +84,12 @@ spec:
             --leader-elect-renew-deadline=107s \
             --leader-elect-retry-period=26s \
             --leader-elect-resource-namespace=openshift-cloud-controller-manager \
-            --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384 \
+            {{- if .tlsCipherSuites }}
+            --tls-cipher-suites={{ .tlsCipherSuites }} \
+            {{- end }}
+            {{- if .tlsMinVersion }}
+            --tls-min-version={{ .tlsMinVersion }} \
+            {{- end }}
             --v=2
         livenessProbe:
           failureThreshold: 3
diff --git a/pkg/cloud/ibm/ibm.go b/pkg/cloud/ibm/ibm.go
@@ -32,6 +32,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"images":               "required",
 	"enablePublicEndpoint": "required",
 	"cloudproviderName":    "required,type(string)",
+	"tlsCipherSuites":      "type(string)",
+	"tlsMinVersion":        "type(string)",
 }
 
 type ibmAssets struct {
@@ -48,6 +50,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 		"images":               images,
 		"enablePublicEndpoint": fmt.Sprintf("%t", getEnablePublicEndpointValue(operatorConfig)),
 		"cloudproviderName":    operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":      operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":        operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/nutanix/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/nutanix/assets/cloud-controller-manager-deployment.yaml
@@ -98,7 +98,12 @@ spec:
                 --leader-elect-renew-deadline=107s \
                 --leader-elect-retry-period=26s \
                 --leader-elect-resource-namespace=openshift-cloud-controller-manager \
-                --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \
+                {{- if .tlsCipherSuites }}
+                --tls-cipher-suites={{ .tlsCipherSuites }} \
+                {{- end }}
+                {{- if .tlsMinVersion }}
+                --tls-min-version={{ .tlsMinVersion }} \
+                {{- end }}
                 --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
diff --git a/pkg/cloud/nutanix/nutanix.go b/pkg/cloud/nutanix/nutanix.go
@@ -42,6 +42,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"globalCredsSecretNamespace": "required,type(string)",
 	"globalCredsSecretName":      "required,type(string)",
 	"cloudproviderName":          "required,type(string)",
+	"tlsCipherSuites":            "type(string)",
+	"tlsMinVersion":              "type(string)",
 }
 
 type nutanixAssets struct {
@@ -60,6 +62,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 		"globalCredsSecretNamespace": operatorConfig.ManagedNamespace,
 		"globalCredsSecretName":      globalCredsSecretName,
 		"cloudproviderName":          operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":            operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":              operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/openstack/assets/deployment.yaml b/pkg/cloud/openstack/assets/deployment.yaml
@@ -79,6 +79,12 @@ spec:
             --leader-elect-retry-period=26s \
             --leader-elect-resource-namespace=openshift-cloud-controller-manager \
             --feature-gates={{ .featureGates }} \
+            {{- if .tlsCipherSuites }}
+            --tls-cipher-suites={{ .tlsCipherSuites }} \
+            {{- end }}
+            {{- if .tlsMinVersion }}
+            --tls-min-version={{ .tlsMinVersion }} \
+            {{- end }}
             --secure-port=0
           ports:
           - containerPort: 10258
diff --git a/pkg/cloud/openstack/openstack.go b/pkg/cloud/openstack/openstack.go
@@ -37,6 +37,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"cloudproviderName":  "required,type(string)",
 	"featureGates":       "type(string)",
 	"infrastructureName": "required,type(string)",
+	"tlsCipherSuites":    "type(string)",
+	"tlsMinVersion":      "type(string)",
 }
 
 type openstackAssets struct {
@@ -54,6 +56,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 		"cloudproviderName":  operatorConfig.GetPlatformNameString(),
 		"featureGates":       operatorConfig.FeatureGates,
 		"infrastructureName": operatorConfig.InfrastructureName,
+		"tlsCipherSuites":    operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":      operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/powervs/assets/deployment.yaml b/pkg/cloud/powervs/assets/deployment.yaml
@@ -83,7 +83,12 @@ spec:
             --leader-elect-renew-deadline=107s \
             --leader-elect-retry-period=26s \
             --leader-elect-resource-namespace=openshift-cloud-controller-manager \
-            --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384 \
+            {{- if .tlsCipherSuites }}
+            --tls-cipher-suites={{ .tlsCipherSuites }} \
+            {{- end }}
+            {{- if .tlsMinVersion }}
+            --tls-min-version={{ .tlsMinVersion }} \
+            {{- end }}
             --v=2
         livenessProbe:
           httpGet:
diff --git a/pkg/cloud/powervs/powervs.go b/pkg/cloud/powervs/powervs.go
@@ -29,6 +29,8 @@ type imagesReference struct {
 var templateValuesValidationMap = map[string]interface{}{
 	"images":            "required",
 	"cloudproviderName": "required,type(string)",
+	"tlsCipherSuites":   "type(string)",
+	"tlsMinVersion":     "type(string)",
 }
 
 type powerVSAssets struct {
@@ -44,6 +46,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 	values := common.TemplateValues{
 		"images":            images,
 		"cloudproviderName": operatorConfig.GetPlatformNameString(),
+		"tlsCipherSuites":   operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":     operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/cloud/vsphere/assets/cloud-controller-manager-deployment.yaml b/pkg/cloud/vsphere/assets/cloud-controller-manager-deployment.yaml
@@ -104,7 +104,13 @@ spec:
                 --use-service-account-credentials=true \
                 {{- if .additionalLabels }}
                 --node-labels="$(ADDITIONAL_NODE_LABELS)" \
-                {{- end}}
+                {{- end }}
+                {{- if .tlsCipherSuites }}
+                --tls-cipher-suites={{ .tlsCipherSuites }} \
+                {{- end }}
+                {{- if .tlsMinVersion }}
+                --tls-min-version={{ .tlsMinVersion }} \
+                {{- end }}
                 --secure-port=0
           terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
diff --git a/pkg/cloud/vsphere/vsphere.go b/pkg/cloud/vsphere/vsphere.go
@@ -49,6 +49,8 @@ var templateValuesValidationMap = map[string]interface{}{
 	"cloudproviderName":          "required,type(string)",
 	"featureGates":               "type(string)",
 	"additionalLabels":           "type(string)",
+	"tlsCipherSuites":            "type(string)",
+	"tlsMinVersion":              "type(string)",
 }
 
 type vsphereAssets struct {
@@ -75,6 +77,8 @@ func getTemplateValues(images *imagesReference, operatorConfig config.OperatorCo
 		"cloudproviderName":          operatorConfig.GetPlatformNameString(),
 		"featureGates":               operatorConfig.FeatureGates,
 		"additionalLabels":           additionalLabels,
+		"tlsCipherSuites":            operatorConfig.TLSCipherSuites,
+		"tlsMinVersion":              operatorConfig.TLSMinVersion,
 	}
 	_, err := govalidator.ValidateMap(values, templateValuesValidationMap)
 	if err != nil {
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -5,10 +5,12 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"k8s.io/klog/v2"
 
 	configv1 "github.com/openshift/api/config/v1"
+	libgocrypto "github.com/openshift/library-go/pkg/crypto"
 	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 
 	"github.com/openshift/cluster-cloud-controller-manager-operator/pkg/util"
@@ -41,6 +43,10 @@ type OperatorConfig struct {
 	ClusterProxy       *configv1.Proxy
 	FeatureGates       string
 	OCPFeatureGates    featuregates.FeatureGate
+	// TLSCipherSuites is a comma-separated list of TLS cipher suites for CCM --tls-cipher-suites flag
+	TLSCipherSuites string
+	// TLSMinVersion is the minimum TLS version for CCM --tls-min-version flag
+	TLSMinVersion string
 }
 
 func (cfg *OperatorConfig) GetPlatformNameString() string {
@@ -79,7 +85,7 @@ func getImagesFromJSONFile(filePath string) (ImagesReference, error) {
 }
 
 // ComposeConfig creates a Config for operator
-func ComposeConfig(infrastructure *configv1.Infrastructure, clusterProxy *configv1.Proxy, imagesFile, managedNamespace string, featureGateAccessor featuregates.FeatureGateAccess) (OperatorConfig, error) {
+func ComposeConfig(infrastructure *configv1.Infrastructure, clusterProxy *configv1.Proxy, imagesFile, managedNamespace string, featureGateAccessor featuregates.FeatureGateAccess, tlsProfile configv1.TLSProfileSpec) (OperatorConfig, error) {
 	err := checkInfrastructureResource(infrastructure)
 	if err != nil {
 		klog.Errorf("Unable to get platform from infrastructure: %s", err)
@@ -106,6 +112,9 @@ func ComposeConfig(infrastructure *configv1.Infrastructure, clusterProxy *config
 		featureGatesString = util.BuildFeatureGateString(enabled, nil)
 	}
 
+	// Convert OpenSSL cipher names from the TLS profile to IANA names expected by CCM CLI flags.
+	ianaCiphers := libgocrypto.OpenSSLToIANACipherSuites(tlsProfile.Ciphers)
+
 	config := OperatorConfig{
 		PlatformStatus:     infrastructure.Status.PlatformStatus.DeepCopy(),
 		ClusterProxy:       clusterProxy,
@@ -115,6 +124,8 @@ func ComposeConfig(infrastructure *configv1.Infrastructure, clusterProxy *config
 		IsSingleReplica:    infrastructure.Status.ControlPlaneTopology == configv1.SingleReplicaTopologyMode,
 		FeatureGates:       featureGatesString,
 		OCPFeatureGates:    features,
+		TLSCipherSuites:    strings.Join(ianaCiphers, ","),
+		TLSMinVersion:      string(tlsProfile.MinTLSVersion),
 	}
 
 	return config, nil
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
diff --git a/pkg/controllers/clusteroperator_controller.go b/pkg/controllers/clusteroperator_controller.go
