ACM-30179: Use TLS configuration from the APIServer when available

OCP 4.22 indroduces a new feature in the APIServer for configuring TLS configuration, and we want our components to also use the same TLS configuration that is defined in the APIServer.

When starting a components we will attempt to get the APIServer and check its TLSAdherencePolicy (decides whether we should apply the TLS configuration) and TLSProfileSpec (the actual TLS configuration).
For our operator we also add a controller called SecurityProfileWatcher (provided by openshift/controller-runtime-common) in order to force a restart when these values change.
For our server we implement a similar behavior ourselves.

This also required updating a lot of packages including the client-go which further required setting the environment variable KUBE_FEATURE_WatchListClient to false on the operator in order to fix a known bug where controllers don't start due to a cache sync issue.

Author: giladravid16

bundle/manifests/image-based-install-metrics_v1_service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: ibi-metrics-serving-certs
+  creationTimestamp: null
+  name: image-based-install-metrics
+spec:
+  ports:
+  - port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: image-based-install-operator
+status:
+  loadBalancer: {}

bundle/manifests/image-based-install-operator.clusterserviceversion.yaml

@@ -36,7 +36,7 @@ metadata:
         }
       ]
     capabilities: Basic Install
-    createdAt: "2026-02-05T10:59:19Z"
+    createdAt: "2026-04-20T07:31:40Z"
     operators.operatorframework.io/builder: operator-sdk-v1.30.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
   name: image-based-install-operator.v0.0.1
@@ -82,6 +82,26 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+        - apiGroups:
+          - authorization.k8s.io
+          resources:
+          - subjectaccessreviews
+          verbs:
+          - create
+        - apiGroups:
+          - config.openshift.io
+          resources:
+          - apiservers
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - extensions.hive.openshift.io
           resources:
@@ -196,6 +216,8 @@ spec:
                   value: "1"
                 - name: TMPDIR
                   value: /data
+                - name: KUBE_FEATURE_WatchListClient
+                  value: "false"
                 image: controller:latest
                 livenessProbe:
                   httpGet:
@@ -226,6 +248,8 @@ spec:
                   name: data
                 - mountPath: /webhook-certs
                   name: webhook-certs
+                - mountPath: /metrics-certs
+                  name: metrics-certs
               - command:
                 - /usr/local/bin/server
                 env:
@@ -279,6 +303,9 @@ spec:
               - name: webhook-certs
                 secret:
                   secretName: ibi-webhook-serving-certs
+              - name: metrics-certs
+                secret:
+                  secretName: ibi-metrics-serving-certs
       permissions:
       - rules:
         - apiGroups:

cmd/manager/main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"net/http"
@@ -26,11 +27,13 @@ import (
 	"os"
 	"time"
 
+	crtls "github.com/openshift/controller-runtime-common/pkg/tls"
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
+	configv1 "github.com/openshift/api/config/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -41,6 +44,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
@@ -54,6 +58,7 @@ import (
 	"github.com/openshift/image-based-install-operator/internal/credentials"
 	"github.com/openshift/image-based-install-operator/internal/installer"
 	"github.com/openshift/image-based-install-operator/internal/monitor"
+	"github.com/openshift/image-based-install-operator/internal/tlsconfig"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -67,6 +72,7 @@ func init() {
 	utilruntime.Must(v1alpha1.AddToScheme(scheme))
 	utilruntime.Must(bmh_v1alpha1.AddToScheme(scheme))
 	utilruntime.Must(hivev1.AddToScheme(scheme))
+	utilruntime.Must(configv1.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 
@@ -96,17 +102,32 @@ func main() {
 		go startPPROF(logger)
 	}
 
-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+	ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
+	defer cancel()
+
+	restCfg := ctrl.GetConfigOrDie()
+	tlsResult, err := tlsconfig.ResolveTLSConfig(context.Background(), restCfg)
+	if err != nil {
+		setupLog.Error(err, "unable to resolve TLS config")
+		os.Exit(1)
+	}
+
+	mgr, err := ctrl.NewManager(restCfg, ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
-			BindAddress: metricsAddr,
+			BindAddress:    metricsAddr,
+			SecureServing:  true,
+			CertDir:        "/metrics-certs",
+			FilterProvider: filters.WithAuthenticationAndAuthorization,
+			TLSOpts:        []func(*tls.Config){tlsResult.TLSConfig},
 		},
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "e21b2704.openshift.io",
 		WebhookServer: webhook.NewServer(webhook.Options{
 			Port:    9443,
 			CertDir: "/webhook-certs",
+			TLSOpts: []func(*tls.Config){tlsResult.TLSConfig},
 		}),
 		Cache: cache.Options{
 			ByObject: map[client.Object]cache.ByObject{
@@ -179,6 +200,25 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := (&crtls.SecurityProfileWatcher{
+		Client:                    mgr.GetClient(),
+		InitialTLSAdherencePolicy: tlsResult.TLSAdherencePolicy,
+		InitialTLSProfileSpec:     tlsResult.TLSProfileSpec,
+		OnAdherencePolicyChange: func(_ context.Context, oldPolicy, newPolicy configv1.TLSAdherencePolicy) {
+			logger.Infof("TLS adherence policy has changed, shutting down to reload, oldPolicy: %v, newPolicy: %v",
+				oldPolicy, newPolicy)
+			cancel()
+		},
+		OnProfileChange: func(_ context.Context, oldProfile, newProfile configv1.TLSProfileSpec) {
+			logger.Infof("TLS profile has changed, shutting down to reload, oldProfile: %v, newProfile: %v",
+				oldProfile, newProfile)
+			cancel()
+		},
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create TLS security profile watcher")
+		os.Exit(1)
+	}
+
 	if err = (&v1alpha1.ImageClusterInstall{}).SetupWebhookWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create webhook", "webhook", "ImageClusterInstall")
 		os.Exit(1)
@@ -197,7 +237,7 @@ func main() {
 	go EnqueueExistingImageClusterInstall(mgr)
 
 	setupLog.Info("starting manager")
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+	if err := mgr.Start(ctx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
 	}

cmd/server/main.go

@@ -2,6 +2,8 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
+	"flag"
 	"fmt"
 	"net/http"
 	"os"
@@ -11,8 +13,21 @@ import (
 	"time"
 
 	"github.com/kelseyhightower/envconfig"
-	"github.com/openshift/image-based-install-operator/internal/imageserver"
+	configv1 "github.com/openshift/api/config/v1"
+	configclientset "github.com/openshift/client-go/config/clientset/versioned"
+	crtls "github.com/openshift/controller-runtime-common/pkg/tls"
 	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/watch"
+
+	"github.com/openshift/image-based-install-operator/internal/imageserver"
+	"github.com/openshift/image-based-install-operator/internal/tlsconfig"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 )
 
 var Options struct {
@@ -23,6 +38,13 @@ var Options struct {
 }
 
 func main() {
+	opts := zap.Options{
+		Development: true,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 	log := logrus.New()
 	log.SetReportCaller(true)
 
@@ -50,8 +72,23 @@ func main() {
 	go func() {
 		var err error
 		if Options.HTTPSKeyFile != "" && Options.HTTPSCertFile != "" {
+			var tlsResult tlsconfig.TLSConfigResult
+			var cert tls.Certificate
 			log.Infof("Starting https handler on %s...", server.Addr)
-			err = server.ListenAndServeTLS(Options.HTTPSCertFile, Options.HTTPSKeyFile)
+
+			restCfg := ctrl.GetConfigOrDie()
+			tlsResult, err = tlsconfig.ResolveTLSConfig(context.Background(), restCfg)
+			if err != nil {
+				log.WithError(err).Fatal("unable to configure HTTPS TLS")
+			}
+			go watchAndExitOnTLSChange(context.Background(), log, configclientset.NewForConfigOrDie(restCfg), tlsResult)
+
+			cert, err = tls.LoadX509KeyPair(Options.HTTPSCertFile, Options.HTTPSKeyFile)
+			if err != nil {
+				log.WithError(err).Fatal("failed to load HTTPS certificate")
+			}
+			server.TLSConfig = tlsconfig.ServingTLSConfig(tlsResult, cert)
+			err = server.ListenAndServeTLS("", "")
 		} else {
 			log.Infof("Starting http handler on %s...", server.Addr)
 			err = server.ListenAndServe()
@@ -75,3 +112,43 @@ func main() {
 		log.Info("server terminated gracefully")
 	}
 }
+
+func watchAndExitOnTLSChange(ctx context.Context, log *logrus.Logger, configClient configclientset.Interface, current tlsconfig.TLSConfigResult) {
+	w, err := configClient.ConfigV1().APIServers().Watch(ctx, metav1.ListOptions{
+		FieldSelector: "metadata.name=cluster",
+	})
+	if err != nil {
+		log.WithError(err).Error("failed to watch the APIServer, TLS updates will not be monitored")
+		return
+	}
+	defer w.Stop()
+
+	for event := range w.ResultChan() {
+		if event.Type != watch.Modified {
+			continue
+		}
+		updated, ok := event.Object.(*configv1.APIServer)
+		if !ok {
+			continue
+		}
+
+		if current.TLSAdherencePolicy != updated.Spec.TLSAdherence {
+			log.Infof("TLS adherence policy has changed, shutting down to reload, oldPolicy: %v, newPolicy: %v",
+				current.TLSAdherencePolicy, updated.Spec.TLSAdherence)
+			os.Exit(0)
+		}
+
+		profile, err := crtls.GetTLSProfileSpec(updated.Spec.TLSSecurityProfile)
+		if err != nil {
+			log.WithError(err).Error("failed to load TLS profile spec after APIServer update, ignoring")
+			continue
+		}
+		if !equality.Semantic.DeepEqual(current.TLSProfileSpec, profile) {
+			log.Infof("TLS profile has changed, shutting down to reload, oldProfile: %v, newProfile: %v",
+				current.TLSProfileSpec, profile)
+			os.Exit(0)
+		}
+	}
+
+	log.Error("watch on APIServer existed, TLS updates will not be monitored")
+}

config/manager/manager.yaml

@@ -49,6 +49,8 @@ spec:
           value: "1"
         - name: TMPDIR
           value: /data
+        - name: KUBE_FEATURE_WatchListClient
+          value: "false"
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
@@ -77,6 +79,8 @@ spec:
           mountPath: /data
         - name: webhook-certs
           mountPath: /webhook-certs
+        - name: metrics-certs
+          mountPath: /metrics-certs
       - command:
         - /usr/local/bin/server
         image: controller:latest
@@ -124,6 +128,9 @@ spec:
       - name: webhook-certs
         secret:
           secretName: ibi-webhook-serving-certs
+      - name: metrics-certs
+        secret:
+          secretName: ibi-metrics-serving-certs
       serviceAccountName: image-based-install-operator
       terminationGracePeriodSeconds: 10
 ---
@@ -141,3 +148,18 @@ spec:
     name: config-server
   selector:
     app: image-based-install-operator
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: image-based-install-metrics
+  namespace: image-based-install-operator
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: ibi-metrics-serving-certs
+spec:
+  ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
+  selector:
+    app: image-based-install-operator

config/rbac/role.yaml

@@ -26,6 +26,26 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - extensions.hive.openshift.io
   resources: