ACM-30179: Use TLS configuration from the APIServer when available

Author: giladravid16

bundle/manifests/image-based-install-metrics_v1_service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: ibi-metrics-serving-certs
+  creationTimestamp: null
+  name: image-based-install-metrics
+spec:
+  ports:
+  - port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: image-based-install-operator
+status:
+  loadBalancer: {}

bundle/manifests/image-based-install-operator.clusterserviceversion.yaml

@@ -36,7 +36,7 @@ metadata:
         }
       ]
     capabilities: Basic Install
-    createdAt: "2026-02-05T10:59:19Z"
+    createdAt: "2026-04-19T15:02:51Z"
     operators.operatorframework.io/builder: operator-sdk-v1.30.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
   name: image-based-install-operator.v0.0.1
@@ -82,6 +82,26 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+        - apiGroups:
+          - authorization.k8s.io
+          resources:
+          - subjectaccessreviews
+          verbs:
+          - create
+        - apiGroups:
+          - config.openshift.io
+          resources:
+          - apiservers
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - extensions.hive.openshift.io
           resources:
@@ -226,6 +246,8 @@ spec:
                   name: data
                 - mountPath: /webhook-certs
                   name: webhook-certs
+                - mountPath: /metrics-certs
+                  name: metrics-certs
               - command:
                 - /usr/local/bin/server
                 env:
@@ -279,6 +301,9 @@ spec:
               - name: webhook-certs
                 secret:
                   secretName: ibi-webhook-serving-certs
+              - name: metrics-certs
+                secret:
+                  secretName: ibi-metrics-serving-certs
       permissions:
       - rules:
         - apiGroups:

cmd/manager/main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"net/http"
@@ -26,11 +27,13 @@ import (
 	"os"
 	"time"
 
+	crtls "github.com/openshift/controller-runtime-common/pkg/tls"
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
+	configv1 "github.com/openshift/api/config/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -41,6 +44,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
@@ -54,6 +58,7 @@ import (
 	"github.com/openshift/image-based-install-operator/internal/credentials"
 	"github.com/openshift/image-based-install-operator/internal/installer"
 	"github.com/openshift/image-based-install-operator/internal/monitor"
+	"github.com/openshift/image-based-install-operator/internal/tlsconfig"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -67,6 +72,7 @@ func init() {
 	utilruntime.Must(v1alpha1.AddToScheme(scheme))
 	utilruntime.Must(bmh_v1alpha1.AddToScheme(scheme))
 	utilruntime.Must(hivev1.AddToScheme(scheme))
+	utilruntime.Must(configv1.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 
@@ -96,17 +102,32 @@ func main() {
 		go startPPROF(logger)
 	}
 
-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+	ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
+	defer cancel()
+
+	restCfg := ctrl.GetConfigOrDie()
+	tlsResult, err := tlsconfig.ResolveTLSConfig(context.Background(), restCfg)
+	if err != nil {
+		setupLog.Error(err, "unable to resolve TLS config")
+		os.Exit(1)
+	}
+
+	mgr, err := ctrl.NewManager(restCfg, ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
-			BindAddress: metricsAddr,
+			BindAddress:    metricsAddr,
+			SecureServing:  true,
+			CertDir:        "/metrics-certs",
+			FilterProvider: filters.WithAuthenticationAndAuthorization,
+			TLSOpts:        []func(*tls.Config){tlsResult.TLSConfig},
 		},
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "e21b2704.openshift.io",
 		WebhookServer: webhook.NewServer(webhook.Options{
 			Port:    9443,
 			CertDir: "/webhook-certs",
+			TLSOpts: []func(*tls.Config){tlsResult.TLSConfig},
 		}),
 		Cache: cache.Options{
 			ByObject: map[client.Object]cache.ByObject{
@@ -179,6 +200,25 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := (&crtls.SecurityProfileWatcher{
+		Client:                    mgr.GetClient(),
+		InitialTLSAdherencePolicy: tlsResult.TLSAdherencePolicy,
+		InitialTLSProfileSpec:     tlsResult.TLSProfileSpec,
+		OnAdherencePolicyChange: func(_ context.Context, oldPolicy, newPolicy configv1.TLSAdherencePolicy) {
+			logger.Infof("TLS adherence policy has changed, shutting down to reload, oldPolicy: %v, newPolicy: %v",
+				oldPolicy, newPolicy)
+			cancel()
+		},
+		OnProfileChange: func(_ context.Context, oldProfile, newProfile configv1.TLSProfileSpec) {
+			logger.Infof("TLS profile has changed, shutting down to reload, oldProfile: %v, newProfile: %v",
+				oldProfile, newProfile)
+			cancel()
+		},
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create TLS security profile watcher")
+		os.Exit(1)
+	}
+
 	if err = (&v1alpha1.ImageClusterInstall{}).SetupWebhookWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create webhook", "webhook", "ImageClusterInstall")
 		os.Exit(1)
@@ -197,7 +237,7 @@ func main() {
 	go EnqueueExistingImageClusterInstall(mgr)
 
 	setupLog.Info("starting manager")
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+	if err := mgr.Start(ctx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
 	}

cmd/server/main.go

@@ -2,6 +2,8 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
+	"flag"
 	"fmt"
 	"net/http"
 	"os"
@@ -11,8 +13,21 @@ import (
 	"time"
 
 	"github.com/kelseyhightower/envconfig"
-	"github.com/openshift/image-based-install-operator/internal/imageserver"
+	configv1 "github.com/openshift/api/config/v1"
+	configclientset "github.com/openshift/client-go/config/clientset/versioned"
+	crtls "github.com/openshift/controller-runtime-common/pkg/tls"
 	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/watch"
+
+	"github.com/openshift/image-based-install-operator/internal/imageserver"
+	"github.com/openshift/image-based-install-operator/internal/tlsconfig"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 )
 
 var Options struct {
@@ -23,6 +38,13 @@ var Options struct {
 }
 
 func main() {
+	opts := zap.Options{
+		Development: true,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 	log := logrus.New()
 	log.SetReportCaller(true)
 
@@ -50,8 +72,23 @@ func main() {
 	go func() {
 		var err error
 		if Options.HTTPSKeyFile != "" && Options.HTTPSCertFile != "" {
+			var tlsResult tlsconfig.TLSConfigResult
+			var cert tls.Certificate
 			log.Infof("Starting https handler on %s...", server.Addr)
-			err = server.ListenAndServeTLS(Options.HTTPSCertFile, Options.HTTPSKeyFile)
+
+			restCfg := ctrl.GetConfigOrDie()
+			tlsResult, err = tlsconfig.ResolveTLSConfig(context.Background(), restCfg)
+			if err != nil {
+				log.WithError(err).Fatal("unable to configure HTTPS TLS")
+			}
+			go watchAndExitOnTLSChange(context.Background(), log, configclientset.NewForConfigOrDie(restCfg), tlsResult)
+
+			cert, err = tls.LoadX509KeyPair(Options.HTTPSCertFile, Options.HTTPSKeyFile)
+			if err != nil {
+				log.WithError(err).Fatal("failed to load HTTPS certificate")
+			}
+			server.TLSConfig = tlsconfig.ServingTLSConfig(tlsResult, cert)
+			err = server.ListenAndServeTLS("", "")
 		} else {
 			log.Infof("Starting http handler on %s...", server.Addr)
 			err = server.ListenAndServe()
@@ -75,3 +112,40 @@ func main() {
 		log.Info("server terminated gracefully")
 	}
 }
+
+func watchAndExitOnTLSChange(ctx context.Context, log *logrus.Logger, configClient configclientset.Interface, current tlsconfig.TLSConfigResult) {
+	w, err := configClient.ConfigV1().APIServers().Watch(ctx, metav1.ListOptions{
+		FieldSelector: "metadata.name=cluster",
+	})
+	if err != nil {
+		return
+	}
+	defer w.Stop()
+
+	for event := range w.ResultChan() {
+		if event.Type != watch.Modified {
+			continue
+		}
+		updated, ok := event.Object.(*configv1.APIServer)
+		if !ok {
+			continue
+		}
+
+		if current.TLSAdherencePolicy != updated.Spec.TLSAdherence {
+			log.Infof("TLS adherence policy has changed, shutting down to reload, oldPolicy: %v, newPolicy: %v",
+				current.TLSAdherencePolicy, updated.Spec.TLSAdherence)
+			os.Exit(0)
+		}
+
+		profile, err := crtls.GetTLSProfileSpec(updated.Spec.TLSSecurityProfile)
+		if err != nil {
+			log.WithError(err).Error("failed to load TLS profile spec after APIServer update, ignoring")
+			continue
+		}
+		if !equality.Semantic.DeepEqual(current.TLSProfileSpec, profile) {
+			log.Infof("TLS profile has changed, shutting down to reload, oldProfile: %v, newProfile: %v",
+				current.TLSProfileSpec, profile)
+			os.Exit(0)
+		}
+	}
+}

config/manager/manager.yaml

@@ -77,6 +77,8 @@ spec:
           mountPath: /data
         - name: webhook-certs
           mountPath: /webhook-certs
+        - name: metrics-certs
+          mountPath: /metrics-certs
       - command:
         - /usr/local/bin/server
         image: controller:latest
@@ -124,6 +126,9 @@ spec:
       - name: webhook-certs
         secret:
           secretName: ibi-webhook-serving-certs
+      - name: metrics-certs
+        secret:
+          secretName: ibi-metrics-serving-certs
       serviceAccountName: image-based-install-operator
       terminationGracePeriodSeconds: 10
 ---
@@ -141,3 +146,18 @@ spec:
     name: config-server
   selector:
     app: image-based-install-operator
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: image-based-install-metrics
+  namespace: image-based-install-operator
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: ibi-metrics-serving-certs
+spec:
+  ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
+  selector:
+    app: image-based-install-operator

config/rbac/role.yaml

@@ -26,6 +26,26 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - extensions.hive.openshift.io
   resources:

controllers/imageclusterinstall_controller.go

@@ -19,7 +19,6 @@ package controllers
 import (
 	"bytes"
 	"context"
-
 	// These are required for image parsing to work correctly with digest-based pull specs
 	// See: https://github.com/opencontainers/go-digest/blob/v1.0.0/README.md#usage
 	_ "crypto/sha256"
@@ -129,6 +128,9 @@ const (
 //+kubebuilder:rbac:groups=hive.openshift.io,resources=clusterdeployments/finalizers,verbs=update
 //+kubebuilder:rbac:groups=hive.openshift.io,resources=clusterimagesets,verbs=get;list;watch
 //+kubebuilder:rbac:groups=metal3.io,resources=dataimages,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=config.openshift.io,resources=apiservers,verbs=get;list;watch
+//+kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
+//+kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
 
 func (r *ImageClusterInstallReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	log := r.Log.WithFields(logrus.Fields{"name": req.Name, "namespace": req.Namespace})