ACM-30179: Use TLS configuration from the APIServer when available

OCP 4.22 indroduces a new feature in the APIServer for configuring TLS configuration, and we want our components to also use the same TLS configuration that is defined in the APIServer.

When starting a components we will attempt to get the APIServer and check its TLSAdherencePolicy (decides whether we should apply the TLS configuration) and TLSProfileSpec (the actual TLS configuration).
For our operator we also add a controller called SecurityProfileWatcher (provided by openshift/controller-runtime-common) in order to force a restart when these values change.
For our server we implement a similar behavior ourselves.

Author: giladravid16

bundle/manifests/image-based-install-metrics_v1_service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: ibi-metrics-serving-certs
+  creationTimestamp: null
+  name: image-based-install-metrics
+spec:
+  ports:
+  - port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: image-based-install-operator
+status:
+  loadBalancer: {}

bundle/manifests/image-based-install-operator.clusterserviceversion.yaml

@@ -36,7 +36,7 @@ metadata:
         }
       ]
     capabilities: Basic Install
-    createdAt: "2026-04-23T10:32:42Z"
+    createdAt: "2026-04-23T10:49:15Z"
     operators.operatorframework.io/builder: operator-sdk-v1.30.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
   name: image-based-install-operator.v0.0.1
@@ -82,6 +82,26 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+        - apiGroups:
+          - authorization.k8s.io
+          resources:
+          - subjectaccessreviews
+          verbs:
+          - create
+        - apiGroups:
+          - config.openshift.io
+          resources:
+          - apiservers
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - extensions.hive.openshift.io
           resources:
@@ -228,6 +248,8 @@ spec:
                   name: data
                 - mountPath: /webhook-certs
                   name: webhook-certs
+                - mountPath: /metrics-certs
+                  name: metrics-certs
               - command:
                 - /usr/local/bin/server
                 env:
@@ -281,6 +303,9 @@ spec:
               - name: webhook-certs
                 secret:
                   secretName: ibi-webhook-serving-certs
+              - name: metrics-certs
+                secret:
+                  secretName: ibi-metrics-serving-certs
       permissions:
       - rules:
         - apiGroups:

cmd/manager/main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"net/http"
@@ -26,11 +27,13 @@ import (
 	"os"
 	"time"
 
+	crtls "github.com/openshift/controller-runtime-common/pkg/tls"
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
+	configv1 "github.com/openshift/api/config/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -41,6 +44,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
@@ -54,6 +58,7 @@ import (
 	"github.com/openshift/image-based-install-operator/internal/credentials"
 	"github.com/openshift/image-based-install-operator/internal/installer"
 	"github.com/openshift/image-based-install-operator/internal/monitor"
+	"github.com/openshift/image-based-install-operator/internal/tlsconfig"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -67,6 +72,7 @@ func init() {
 	utilruntime.Must(v1alpha1.AddToScheme(scheme))
 	utilruntime.Must(bmh_v1alpha1.AddToScheme(scheme))
 	utilruntime.Must(hivev1.AddToScheme(scheme))
+	utilruntime.Must(configv1.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 
@@ -96,17 +102,32 @@ func main() {
 		go startPPROF(logger)
 	}
 
-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+	ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
+	defer cancel()
+
+	restCfg := ctrl.GetConfigOrDie()
+	tlsResult, err := tlsconfig.ResolveTLSConfig(context.Background(), restCfg)
+	if err != nil {
+		setupLog.Error(err, "unable to resolve TLS config")
+		os.Exit(1)
+	}
+
+	mgr, err := ctrl.NewManager(restCfg, ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
-			BindAddress: metricsAddr,
+			BindAddress:    metricsAddr,
+			SecureServing:  true,
+			CertDir:        "/metrics-certs",
+			FilterProvider: filters.WithAuthenticationAndAuthorization,
+			TLSOpts:        []func(*tls.Config){tlsResult.TLSConfig},
 		},
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "e21b2704.openshift.io",
 		WebhookServer: webhook.NewServer(webhook.Options{
 			Port:    9443,
 			CertDir: "/webhook-certs",
+			TLSOpts: []func(*tls.Config){tlsResult.TLSConfig},
 		}),
 		Cache: cache.Options{
 			ByObject: map[client.Object]cache.ByObject{
@@ -179,6 +200,25 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := (&crtls.SecurityProfileWatcher{
+		Client:                    mgr.GetClient(),
+		InitialTLSAdherencePolicy: tlsResult.TLSAdherencePolicy,
+		InitialTLSProfileSpec:     tlsResult.TLSProfileSpec,
+		OnAdherencePolicyChange: func(_ context.Context, oldPolicy, newPolicy configv1.TLSAdherencePolicy) {
+			logger.Infof("TLS adherence policy has changed, shutting down to reload, oldPolicy: %v, newPolicy: %v",
+				oldPolicy, newPolicy)
+			cancel()
+		},
+		OnProfileChange: func(_ context.Context, oldProfile, newProfile configv1.TLSProfileSpec) {
+			logger.Infof("TLS profile has changed, shutting down to reload, oldProfile: %v, newProfile: %v",
+				oldProfile, newProfile)
+			cancel()
+		},
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create TLS security profile watcher")
+		os.Exit(1)
+	}
+
 	if err = (&v1alpha1.ImageClusterInstall{}).SetupWebhookWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create webhook", "webhook", "ImageClusterInstall")
 		os.Exit(1)
@@ -197,7 +237,7 @@ func main() {
 	go EnqueueExistingImageClusterInstall(mgr)
 
 	setupLog.Info("starting manager")
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+	if err := mgr.Start(ctx); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
 	}

cmd/server/main.go

@@ -2,6 +2,9 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
+	"errors"
+	"flag"
 	"fmt"
 	"net/http"
 	"os"
@@ -11,8 +14,21 @@ import (
 	"time"
 
 	"github.com/kelseyhightower/envconfig"
-	"github.com/openshift/image-based-install-operator/internal/imageserver"
+	configv1 "github.com/openshift/api/config/v1"
+	configclientset "github.com/openshift/client-go/config/clientset/versioned"
+	crtls "github.com/openshift/controller-runtime-common/pkg/tls"
 	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/watch"
+
+	"github.com/openshift/image-based-install-operator/internal/imageserver"
+	"github.com/openshift/image-based-install-operator/internal/tlsconfig"
+
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 )
 
 var Options struct {
@@ -23,6 +39,13 @@ var Options struct {
 }
 
 func main() {
+	opts := zap.Options{
+		Development: true,
+	}
+	opts.BindFlags(flag.CommandLine)
+	flag.Parse()
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 	log := logrus.New()
 	log.SetReportCaller(true)
 
@@ -47,10 +70,27 @@ func main() {
 		ReadHeaderTimeout: 5 * time.Second,
 	}
 
+	watchCtx, watchCancel := context.WithCancel(context.Background())
+	defer watchCancel()
+	tlsProfileChanged := make(chan struct{}, 1)
+
 	go func() {
 		var err error
 		if Options.HTTPSKeyFile != "" && Options.HTTPSCertFile != "" {
+			var tlsResult tlsconfig.TLSConfigResult
 			log.Infof("Starting https handler on %s...", server.Addr)
+
+			restCfg := ctrl.GetConfigOrDie()
+			tlsResult, err = tlsconfig.ResolveTLSConfig(context.Background(), restCfg)
+			if err != nil {
+				log.WithError(err).Fatal("unable to configure HTTPS TLS")
+			}
+			go watchAndExitOnTLSChange(watchCtx, log, configclientset.NewForConfigOrDie(restCfg), tlsResult, tlsProfileChanged)
+
+			if tlsResult.TLSConfig != nil {
+				server.TLSConfig = &tls.Config{}
+				tlsResult.TLSConfig(server.TLSConfig)
+			}
 			err = server.ListenAndServeTLS(Options.HTTPSCertFile, Options.HTTPSKeyFile)
 		} else {
 			log.Infof("Starting http handler on %s...", server.Addr)
@@ -62,11 +102,20 @@ func main() {
 		}
 	}()
 
-	stop := make(chan os.Signal, 1)
-	signal.Notify(stop, os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
-	<-stop
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
+	defer signal.Stop(sigCh)
+
+	select {
+	case <-sigCh:
+	case <-tlsProfileChanged:
+		log.Info("initiating graceful shutdown after cluster TLS configuration change")
+	}
+	watchCancel()
 
-	if err := server.Shutdown(context.Background()); err != nil {
+	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer shutdownCancel()
+	if err := server.Shutdown(shutdownCtx); err != nil {
 		log.WithError(err).Error("shutdown failed")
 		if err := server.Close(); err != nil {
 			log.WithError(err).Fatal("emergency shutdown failed")
@@ -75,3 +124,56 @@ func main() {
 		log.Info("server terminated gracefully")
 	}
 }
+
+func watchAndExitOnTLSChange(ctx context.Context, log *logrus.Logger, configClient configclientset.Interface, current tlsconfig.TLSConfigResult, requestShutdown chan<- struct{}) {
+	w, err := configClient.ConfigV1().APIServers().Watch(ctx, metav1.ListOptions{
+		FieldSelector: "metadata.name=cluster",
+	})
+	if err != nil {
+		log.WithError(err).Error("failed to watch the APIServer, TLS updates will not be monitored")
+		return
+	}
+	defer w.Stop()
+
+	for event := range w.ResultChan() {
+		if event.Type != watch.Modified {
+			continue
+		}
+		updated, ok := event.Object.(*configv1.APIServer)
+		if !ok {
+			continue
+		}
+
+		if current.TLSAdherencePolicy != updated.Spec.TLSAdherence {
+			log.Infof("TLS adherence policy has changed, shutting down to reload, oldPolicy: %v, newPolicy: %v",
+				current.TLSAdherencePolicy, updated.Spec.TLSAdherence)
+			requestGracefulShutdown(requestShutdown)
+			return
+		}
+
+		profile, err := crtls.GetTLSProfileSpec(updated.Spec.TLSSecurityProfile)
+		if err != nil {
+			log.WithError(err).Error("failed to load TLS profile spec after APIServer update, ignoring")
+			continue
+		}
+		if !equality.Semantic.DeepEqual(current.TLSProfileSpec, profile) {
+			log.Infof("TLS profile has changed, shutting down to reload, oldProfile: %v, newProfile: %v",
+				current.TLSProfileSpec, profile)
+			requestGracefulShutdown(requestShutdown)
+			return
+		}
+	}
+
+	if errors.Is(ctx.Err(), context.Canceled) {
+		log.Info("stopped monitoring APIServer TLS updates")
+		return
+	}
+	log.Error("watch on APIServer exited, TLS updates will not be monitored")
+}
+
+func requestGracefulShutdown(ch chan<- struct{}) {
+	select {
+	case ch <- struct{}{}:
+	default:
+	}
+}

config/manager/manager.yaml

@@ -79,6 +79,8 @@ spec:
           mountPath: /data
         - name: webhook-certs
           mountPath: /webhook-certs
+        - name: metrics-certs
+          mountPath: /metrics-certs
       - command:
         - /usr/local/bin/server
         image: controller:latest
@@ -126,6 +128,9 @@ spec:
       - name: webhook-certs
         secret:
           secretName: ibi-webhook-serving-certs
+      - name: metrics-certs
+        secret:
+          secretName: ibi-metrics-serving-certs
       serviceAccountName: image-based-install-operator
       terminationGracePeriodSeconds: 10
 ---
@@ -143,3 +148,18 @@ spec:
     name: config-server
   selector:
     app: image-based-install-operator
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: image-based-install-metrics
+  namespace: image-based-install-operator
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: ibi-metrics-serving-certs
+spec:
+  ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
+  selector:
+    app: image-based-install-operator