Skip to content

WIP: CCO-787: use apiserver tls config#965

Draft
jstuever wants to merge 1 commit intoopenshift:masterfrom
jstuever:CCO-787
Draft

WIP: CCO-787: use apiserver tls config#965
jstuever wants to merge 1 commit intoopenshift:masterfrom
jstuever:CCO-787

Conversation

@jstuever
Copy link
Contributor

@jstuever jstuever commented Jan 27, 2026

This change ensures the pod-identity-webhook is configured to use the same tls-min-version and tls-cipher-suites as the apiserver. It does so by adding parameters to the pod-identity-webhook command when these values are non-empty. This improves the pod-identity-webhook security posture by matching that of the apiserver, which can be modified by the user.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 27, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 27, 2026
edited by openshift-ci bot
Loading

@jstuever: This pull request references CCO-787 which is a valid jira issue.

Details

In response to this:

This change ensures the pod-identity-webhook is configured to use the same tls-min-version and tls-cipher-suites as the apiserver. It does so by adding parameters to the pod-identity-webhook command when these values are non-empty. This improves the pod-identity-webhook security posture by matching that of the apiserver, which can be modified by the user.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from 2uasimojo and suhanime January 27, 2026 20:59
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 27, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jstuever

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 27, 2026
@jstuever
Copy link
Contributor Author

jstuever commented Jan 27, 2026
edited
Loading

This PR depends on the necessary flags existing on the pod-identity-webhooks as well as the kube-rbac-proxy removal

@jstuever
Copy link
Contributor Author

jstuever commented Jan 27, 2026

/test e2e-aws-manual-oidc e2e-azure-manual-oidc e2e-gcp-manual-oidc

@jstuever
Copy link
Contributor Author

jstuever commented Jan 27, 2026

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 27, 2026
@codecov
Copy link

codecov bot commented Jan 27, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 63.82979% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.54%. Comparing base (ec9d4a0) to head (eab4769).
⚠️ Report is 5 commits behind head on master.

Files with missing lines Patch % Lines
...rator/podidentity/podidentitywebhook_controller.go 45.83% 11 Missing and 2 partials ⚠️
pkg/util/tls_config.go 82.60% 3 Missing and 1 partial ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #965      +/-   ##
==========================================
+ Coverage   46.48%   46.54%   +0.06%     
==========================================
  Files          98       99       +1     
  Lines       12181    12228      +47     
==========================================
+ Hits         5662     5692      +30     
- Misses       5869     5883      +14     
- Partials      650      653       +3
Files with missing lines Coverage Δ
pkg/util/tls_config.go 82.60% <82.60%> (ø)
...rator/podidentity/podidentitywebhook_controller.go 29.41% <45.83%> (+2.18%) ⬆️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@jstuever jstuever changed the title CCO-787: feat: pod-identity-webhook pod to assume apiserver tls config CCO-787: pod-identity-webhook pod to assume apiserver tls config Jan 28, 2026
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 31, 2026
2uasimojo
2uasimojo reviewed Feb 2, 2026
View reviewed changes
Copy link
Member

@2uasimojo 2uasimojo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks sane, BUT it seems like it's reinventing logic supplied by upstream libs. Is there a reason you're not using those?

@jstuever
Copy link
Contributor Author

jstuever commented Feb 4, 2026

I need to add TLSAdherence and possibly TLSCurvePreferences.

@jstuever jstuever changed the title CCO-787: pod-identity-webhook pod to assume apiserver tls config WIP: CCO-787: pod-identity-webhook pod to assume apiserver tls config Feb 4, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 4, 2026
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 27, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 28, 2026
edited
Loading

@jstuever: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-manual-oidc eab4769 link false /test e2e-gcp-manual-oidc
ci/prow/e2e-azure-manual-oidc eab4769 link true /test e2e-azure-manual-oidc

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jstuever jstuever changed the title WIP: CCO-787: pod-identity-webhook pod to assume apiserver tls config WIP: CCO-787: use apiserver tls config Mar 5, 2026
@jstuever jstuever marked this pull request as draft March 5, 2026 23:29
@jstuever
Copy link
Contributor Author

jstuever commented Mar 5, 2026
edited
Loading

This PR is draft until the dependent PRs merge

@jstuever
assume tls config from apiserver
4ae01a3 
This change ensures the metrics server and pod-identity-webhooks are
configured to use the same tls-min-version and tls-cipher-suites as the
apiserver. It does so by adding tlsconfig to the metrics port and
parameters to the pod-identity-webhook commands when these values are
non-empty. This improves the pod-identity-webhook security posture by
matching that of the apiserver, which can be modified by the user.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@2uasimojo 2uasimojo 2uasimojo left review comments

@suhanime suhanime Awaiting requested review from suhanime

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jstuever @openshift-ci-robot @2uasimojo @openshift-merge-robot