Add TLS adherance feature gate

[richardsonnick]

User description

Add TLSAdherence feature gate for cluster-wide TLS configuration

This PR introduces the TLSAdherence feature gate and adds the tlsAdherence field to the APIServer config resource (apiserver.config.openshift.io/v1).

Summary

The tlsAdherence field controls how strictly components in the cluster adhere to the TLS security profile configured on the APIServer resource.

Valid values:

• Legacy (default): Backward-compatible behavior where components attempt to honor the configured TLS profile but may fall back to their individual defaults if conflicts arise. This mode is intended for clusters that need to maintain compatibility with existing configurations during migration.
• Strict: Enforces strict adherence to the TLS configuration. All components must honor the configured profile. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.

Feature Gate Details

• Feature Gate Name: TLSAdherence
• Enabled in: DevPreviewNoUpgrade, TechPreviewNoUpgrade
• Contact: @joelanford
• Jira Component: kube-apiserver

Related

• Enhancement: Add enhancement spec for centralized TLS configuration and enforcement enhancements#1910

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Hello @richardsonnick! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request introduces a new TLSAdherence field to the APIServer configuration specification. The change adds a TLSAdherencePolicy type with two enum values: LegacyExternalAPIServerComponentsOnly and StrictAllComponents. The field is wired through the Go type definitions, CRD schemas, generated OpenAPI documentation, and feature gate configurations. A cluster-wide validation rule prevents removal once set. The feature is registered as a feature gate and enabled in DevPreviewNoUpgrade and TechPreviewNoUpgrade modes. Test coverage is provided for valid creations, updates, removal attempts, and unsupported values.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add TLS adherance feature gate' directly matches the main objective: introducing the TLSAdherence feature gate for cluster-wide TLS configuration.
Description check	✅ Passed	The description comprehensively explains the TLSAdherence feature gate addition, valid values, feature gate details, and related enhancement, all of which are directly reflected in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Defaulting not enforced: The new tlsAdherence field documents defaulting/unknown-value behavior (default Legacy, unknown treated as Strict with warning) but this PR only adds API types/CRD enum and does not show any code that enforces defaulting or handles unset/unknown values at runtime. Referred Code // tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile // configured on this APIServer resource. // // Valid values are "Legacy" and "Strict". // // When set to "Legacy" (the default), components attempt to honor the configured TLS profile // but may fall back to their individual defaults if conflicts arise. This mode is intended for // clusters that need to maintain compatibility with existing configurations during migration. // // When set to "Strict", all components must strictly honor the configured TLS profile. // This mode is recommended for security-conscious deployments and is required for // certain compliance frameworks. // // Components that encounter an unknown value for tlsAdherence should treat it as "Strict" // and log a warning to ensure forward compatibility while defaulting to the more secure behavior. // // When omitted, the default value is "Legacy". // +openshift:enable:FeatureGate=TLSAdherence // +optional TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Missing input constraints: The new curves field is introduced as a free-form string array without visible validation constraints (e.g., allowed values/patterns), so it is unclear from this diff alone whether invalid curve names are rejected or safely handled downstream. Referred Code // curves is used to specify the elliptic curves that are used during // the TLS handshake. Operators may remove entries their operands do // not support. For example, to use X25519 and P-256 (yaml): // // curves: // - X25519 // - P-256 Curves []string `json:"curves,omitempty"` // minTLSVersion is used to specify the minimal version of the TLS protocol Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Use pointer for an optional field *Change the TLSAdherence field to a pointer type (TLSAdherencePolicy) to correctly handle its optional nature and resolve ambiguity between an omitted value and an empty string. config/v1/types_apiserver.go [81-84] // When omitted, the default value is "Legacy". // +openshift:enable:FeatureGate=TLSAdherence // +optional -TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"` +TLSAdherence *TLSAdherencePolicy `json:"tlsAdherence,omitempty"` Apply / Chat Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies a significant ambiguity in the API design where omitting the TLSAdherence field leads to conflicting documented behaviors, and proposes using a pointer type, which is the idiomatic Go solution to distinguish between an omitted and an empty value.	Medium
High-level	✅ Unify API documentation source Suggestion Impact: The commit addressed the documentation inconsistency, but not by adding the excluded-components note to the Go type. Instead, it removed that note from the generated CRD and updated both Go and CRD text (including renamed enum values) so the descriptions align. code diff: # File: config/v1/types_apiserver.go @@ -65,20 +65,21 @@ // tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile // configured on this APIServer resource. // - // Valid values are "Legacy" and "Strict". - // - // When set to "Legacy" (the default), components attempt to honor the configured TLS profile - // but may fall back to their individual defaults if conflicts arise. This mode is intended for - // clusters that need to maintain compatibility with existing configurations during migration. - // - // When set to "Strict", all components must strictly honor the configured TLS profile. + // Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + // + // When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor + // the configured TLS profile but may fall back to their individual defaults if conflicts arise. + // This mode is intended for clusters that need to maintain compatibility with existing + // configurations during migration. + // + // When set to "StrictAllComponents", all components must strictly honor the configured TLS profile. // This mode is recommended for security-conscious deployments and is required for // certain compliance frameworks. // - // Components that encounter an unknown value for tlsAdherence should treat it as "Strict" + // Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" // and log a warning to ensure forward compatibility while defaulting to the more secure behavior. // - // When omitted, the default value is "Legacy". + // When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". // +openshift:enable:FeatureGate=TLSAdherence // +optional TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"` @@ -258,20 +259,20 @@ } // TLSAdherencePolicy defines how strictly components adhere to the TLS security profile. -// +kubebuilder:validation:Enum=Legacy;Strict +// +kubebuilder:validation:Enum=LegacyExternalAPIServerComponentsOnly;StrictAllComponents type TLSAdherencePolicy string const ( - // TLSAdherenceLegacy provides backward-compatible behavior where components attempt to - // honor the configured TLS profile but may fall back to their individual defaults if - // conflicts arise. This mode is intended for clusters that need to maintain compatibility - // with existing configurations during migration. - TLSAdherenceLegacy TLSAdherencePolicy = "Legacy" - - // TLSAdherenceStrict enforces strict adherence to the TLS configuration. All components - // must honor the configured profile. This mode is recommended for security-conscious - // deployments and is required for certain compliance frameworks. - TLSAdherenceStrict TLSAdherencePolicy = "Strict" + // TLSAdherenceLegacyExternalAPIServerComponentsOnly provides backward-compatible behavior + // where components attempt to honor the configured TLS profile but may fall back to their + // individual defaults if conflicts arise. This mode is intended for clusters that need to + // maintain compatibility with existing configurations during migration. + TLSAdherenceLegacyExternalAPIServerComponentsOnly TLSAdherencePolicy = "LegacyExternalAPIServerComponentsOnly" + + // TLSAdherenceStrictAllComponents enforces strict adherence to the TLS configuration. + // All components must honor the configured profile. This mode is recommended for + // security-conscious deployments and is required for certain compliance frameworks. + TLSAdherenceStrictAllComponents TLSAdherencePolicy = "StrictAllComponents" ) // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object # File: config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -297,27 +297,24 @@ tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile configured on this APIServer resource. - Valid values are "Legacy" and "Strict". - - When set to "Legacy" (the default), components attempt to honor the configured TLS profile - but may fall back to their individual defaults if conflicts arise. This mode is intended for - clusters that need to maintain compatibility with existing configurations during migration. - - When set to "Strict", all components must strictly honor the configured TLS profile. + Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents". + + When set to "LegacyExternalAPIServerComponentsOnly" (the default), components attempt to honor + the configured TLS profile but may fall back to their individual defaults if conflicts arise. + This mode is intended for clusters that need to maintain compatibility with existing + configurations during migration. + + When set to "StrictAllComponents", all components must strictly honor the configured TLS profile. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks. - Components that encounter an unknown value for tlsAdherence should treat it as "Strict" + Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents" and log a warning to ensure forward compatibility while defaulting to the more secure behavior. - Note: The Kubelet and IngressController components are excluded from tlsAdherence control - as they have their own dedicated TLS configuration mechanisms via KubeletConfig and - IngressController CRs respectively. - - When omitted, the default value is "Legacy". + When omitted, the default value is "LegacyExternalAPIServerComponentsOnly". enum: - - Legacy - - Strict + - LegacyExternalAPIServerComponentsOnly + - StrictAllComponents type: string The documentation for the tlsAdherence field is inconsistent across files. The Go type definition is missing an important note about excluded components that is present in the generated CRD, indicating a need to unify the documentation source. Examples: config/v1/types_apiserver.go [65-84] // tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile // configured on this APIServer resource. // // Valid values are "Legacy" and "Strict". // // When set to "Legacy" (the default), components attempt to honor the configured TLS profile // but may fall back to their individual defaults if conflicts arise. This mode is intended for // clusters that need to maintain compatibility with existing configurations during migration. // // When set to "Strict", all components must strictly honor the configured TLS profile. ... (clipped 10 lines) config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml [296-317] description: |- tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile configured on this APIServer resource. Valid values are "Legacy" and "Strict". When set to "Legacy" (the default), components attempt to honor the configured TLS profile but may fall back to their individual defaults if conflicts arise. This mode is intended for clusters that need to maintain compatibility with existing configurations during migration. ... (clipped 12 lines) Solution Walkthrough: Before: // file: config/v1/types_apiserver.go type APIServerSpec struct { // ... (documentation without the note) // When omitted, the default value is "Legacy". // +openshift:enable:FeatureGate=TLSAdherence // +optional TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"` // ... } After: // file: config/v1/types_apiserver.go type APIServerSpec struct { // ... (documentation with the note) // Note: The Kubelet and IngressController components are excluded from tlsAdherence control // as they have their own dedicated TLS configuration mechanisms via KubeletConfig and // IngressController CRs respectively. // // When omitted, the default value is "Legacy". // +openshift:enable:FeatureGate=TLSAdherence // +optional TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"` // ... } Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies a significant documentation inconsistency, where crucial information in the CRD is missing from the source Go type, indicating a flawed generation process.	Medium
General	Mark curves as optional atomic list Add +listType=atomic and +optional markers to the Curves field in TLSProfileSpec for consistency and correct CRD generation. config/v1/types_tlssecurityprofile.go [171-178] +// +listType=atomic +// +optional // curves is used to specify the elliptic curves that are used during // the TLS handshake. Operators may remove entries their operands do // not support. For example, to use X25519 and P-256 (yaml): // // curves: // - X25519 // - P-256 Curves []string `json:"curves,omitempty"` Apply / Chat Suggestion importance[1-10]: 5 __ Why: The suggestion correctly points out that the new Curves field should have +listType=atomic and +optional markers for consistency with the existing Ciphers field and to ensure correct CRD generation, improving API consistency.	Low
Update

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@config/v1/types_apiserver.go`:
- Around line 65-84: Update the TLSAdherence field documentation to include the
exclusion note from the CRD manifests: explicitly state that Kubelet and
IngressController are excluded from tlsAdherence control and instead use their
own TLS config (KubeletConfig and IngressController CRs). Edit the comment above
the TLSAdherence TLSAdherencePolicy field (the docblock that documents
TLSAdherence) to append a short sentence noting this exclusion so generated API
docs reflect the same caveat as the CRD manifests.

In `@features.md`:
- Line 78: The table row containing the "TLSAdherence" feature is missing a
space before the first pipe after the feature name, violating markdownlint table
spacing; edit the row that starts with "TLSAdherence" and insert a single space
before the following "|" so it reads "TLSAdherence |" (preserving the rest of
the cells exactly) to conform to the configured table style.

In `@openapi/generated_openapi/zz_generated.openapi.go`:
- Around line 12447-12461: Add a kubebuilder enum validation for the Curves
field so only supported TLS curve identifiers are accepted: add a comment marker
like +kubebuilder:validation:Enum=X25519;P-256;P-384;P-521 immediately above the
Curves []string field in the struct in config/v1/types_tlssecurityprofile.go
(mirror the pattern used for TLSProtocolVersion), then re-run
controller-gen/openapi generation to update
openapi/generated_openapi/zz_generated.openapi.go so the "curves" schema
includes the enum restriction.

🧹 Nitpick comments (5)

config/v1/types_tlssecurityprofile.go (1)

169-178: Consider adding listType=atomic for Curves for SSA consistency.
This mirrors the Ciphers list semantics and avoids any unexpected merge behavior.

🔧 Proposed tweak

 	//   curves:
 	//     - X25519
 	//     - P-256
 	//
+	// +listType=atomic
 	Curves []string `json:"curves,omitempty"`

openapi/generated_openapi/zz_generated.openapi.go (1)

9102-9108: Add enum validation for tlsAdherence to match the documented valid values.

The schema only declares a free-form string even though the description defines just "Legacy" and "Strict". That means invalid values will pass admission and only be handled at runtime. Consider adding kubebuilder enum (and, if desired, a default) on the source type so the generated OpenAPI enforces the allowed values.

[Suggested fix (apply in config/v1/types_apiserver.go, not this generated file):]

🔧 Example annotation update

 // +optional
+// +kubebuilder:validation:Enum=Legacy;Strict
+// +kubebuilder:default=Legacy
 TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`

payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml (1)

259-270: Consider adding x-kubernetes-list-type annotation for consistency.

The curves field is missing the x-kubernetes-list-type annotation that the ciphers field has (line 258 shows x-kubernetes-list-type: atomic for ciphers). For consistency and to ensure proper list merge behavior, consider adding the same annotation.

📝 Suggested fix

                       curves:
                         description: |-
                           curves is used to specify the elliptic curves that are used during
                           the TLS handshake.  Operators may remove entries their operands do
                           not support.  For example, to use X25519 and P-256 (yaml):

                             curves:
                               - X25519
                               - P-256
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic

payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

287-298: Same annotation consistency issue as Default CRD.

The curves field here also lacks the x-kubernetes-list-type: atomic annotation that ciphers has. See the comment on the Default CRD for the suggested fix.

payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

355-366: Same annotation consistency issue.

The curves field here also lacks x-kubernetes-list-type: atomic. This is consistent across all the CRD files in this PR but differs from the ciphers field pattern.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Go 1.21 1.22 crypto/tls supported curve names CurveID identifiers

💡 Result:

In Go 1.21 and Go 1.22, crypto/tls exposes these supported (named group) CurveID constants:

TLS group / curve name	Go constant	CurveID (uint16)
NIST P-256 (secp256r1)	tls.CurveP256	23
NIST P-384 (secp384r1)	tls.CurveP384	24
NIST P-521 (secp521r1)	tls.CurveP521	25
X25519	tls.X25519	29

These are the CurveID identifiers defined by crypto/tls for those versions. [1]

Sources:
[1] https://go.googlesource.com/go/+/go1.14.8/src/crypto/tls/common.go

---

🏁 Script executed:

# First, find the source code that generates this OpenAPI schema
# The file is auto-generated, so we need to find what generates it
fd -t f "*.go" | head -20 | xargs grep -l "curves is used to specify" 2>/dev/null | head -5

Repository: openshift/api

Length of output: 340

---

🏁 Script executed:

# Search for the source field definition
rg -A 5 -B 5 "curves.*TLS.*handshake" --type go

Repository: openshift/api

Length of output: 3653

---

🏁 Script executed:

# Check for OpenAPI generation tooling and look for the source type
find . -name "*openapi*" -o -name "*swagger*" | grep -v generated | head -10

Repository: openshift/api

Length of output: 427

---

🏁 Script executed:

# Look for struct definitions with a "curves" field that might be the source
rg "Curves\s*\[\]" --type go | head -20

Repository: openshift/api

Length of output: 359

---

🏁 Script executed:

# Read the source file that defines the Curves field
cat -n config/v1/types_tlssecurityprofile.go

Repository: openshift/api

Length of output: 11992

---

🏁 Script executed:

# Look for validation rules or constants in the codebase
rg "enum.*curve|Curve.*enum|CurveID|X25519|P-256|P-384|P-521" --type go config/v1/ | head -30

Repository: openshift/api

Length of output: 568

---

🏁 Script executed:

# Search for validation struct tags or validation rules in similar fields
rg "json:.*omitempty.*validation|kubebuilder:validation" --type go config/v1/types_tlssecurityprofile.go -A 3 -B 3

Repository: openshift/api

Length of output: 490

---

🏁 Script executed:

# Check how other string arrays are validated in the codebase
rg '\[\]string.*json' --type go config/v1/ -A 2 | grep -A 2 "kubebuilder" | head -40

Repository: openshift/api

Length of output: 39

---

Add validation for curves field to restrict entries to supported TLS curve identifiers.

The Curves field in config/v1/types_tlssecurityprofile.go (line 178) accepts any string with no validation, allowing invalid curve names to be accepted during config validation but fail later at TLS handshake time. Add a +kubebuilder:validation:Enum marker similar to the pattern used for TLSProtocolVersion to enforce only supported curves: X25519, P-256, P-384, P-521 (as supported by Go 1.21+ crypto/tls).

🤖 Prompt for AI Agents

In `@openapi/generated_openapi/zz_generated.openapi.go` around lines 12447 -
12461, Add a kubebuilder enum validation for the Curves field so only supported
TLS curve identifiers are accepted: add a comment marker like
+kubebuilder:validation:Enum=X25519;P-256;P-384;P-521 immediately above the
Curves []string field in the struct in config/v1/types_tlssecurityprofile.go
(mirror the pattern used for TLSProtocolVersion), then re-run
controller-gen/openapi generation to update
openapi/generated_openapi/zz_generated.openapi.go so the "curves" schema
includes the enum restriction.

[joelanford]

I thought Legacy was going to essentially mean "only the externally exposed API server components", and Strict will mean "ALL cluster components with the exception of Kubelet-related and Ingress-related servers"?

I also think we should update GoDoc for the TLSSecurityProfile field, which currently says "for externally exposed servers". With TLSAdherence in the mix, what the profile is for depends on the TLSAdherence value.

But that should doc change should also only apply when the feature gate is enabled. I think @JoelSpeed said there's a way to do that?

[joelanford]

I also wonder if we should improve the naming of the enums to more accurately describe what they do? For example:

• LegacyExternalAPIServerComponentsOnly
• StrictAllComponents

Or something along those lines?

[richardsonnick]

I think these names are far better. Going with LegacyExternalAPIServerComponentsOnly and StrictAllComponents

[joelanford]

Based on my read of openshift/enhancements#1894, it seems like very few components currently handle TLS curve configuration.

And I don't think we will be able to promote this full set of API changes unless components handle all of MinTLSVersion, CipherSuites, and Curves.

I am worried that the upstream's lack of curves support might take some time and would therefore block the rest of the feature around honoring the min TLS and cipher suites configuration.

Should we remove Curves from this PR or configure it to be present with a separate feature gate?

[richardsonnick]

Yeah that should not be here. It has since been removed. This PR applies solely to the adherence fate.

[joelanford]

If/when we do add Curves field, it needs to be introduced behind a feature gate.

[joelanford]

Curves should be removed or included behind a feature gate. My understanding is that we can't add a field to the Default CRD without first going through TechPreviewNoUpgrade.

[everettraven]

Adding to @joelanford 's comment - I'd prefer we keep the curves field entirely separate here to keep this well scoped. IIRC there is already a PR that is looking to add the curves field.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml`:
- Around line 295-318: The CRD docs claim tlsAdherence defaults to
"LegacyExternalAPIServerComponentsOnly" but the schema lacks a default; add the
kubebuilder default tag to the APIServer Go field (the tlsAdherence field on the
APIServer type) as +kubebuilder:default=LegacyExternalAPIServerComponentsOnly so
the generated CRD includes the default, and run codegen to update the YAML; also
ensure operators consuming the APIServer resource handle omitted/empty
tlsAdherence by treating it as Legacy until the default is live. Additionally,
add x-kubernetes-list-type: atomic to the curves list (to match ciphers) in the
generated CRD so both lists have consistent list-type semantics.

🧹 Nitpick comments (1)

payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml (1)

352-364: Consider marking curves as an atomic list for consistency with ciphers.

ciphers is explicitly atomic; curves would benefit from the same list-type to avoid merge ambiguity in SSA. Prefer adding +listType=atomic on the Go field and regenerating manifests.

♻️ Suggested manifest shape

       curves:
         description: |-
           curves is used to specify the elliptic curves that are used during
           the TLS handshake.  Operators may remove entries their operands do
           not support.  For example, to use X25519 and P-256 (yaml):

             curves:
               - X25519
               - P-256
         items:
           type: string
         type: array
+        x-kubernetes-list-type: atomic

[joelanford]

We need to configure validation on this field, and set the default.

// +kubebuilder:validation:items:Enum:=LegacyExternalAPIServerComponentsOnly;StrictAllComponents
// +kubebuilder:default:=LegacyExternalAPIServerComponentsOnly

[joelanford]

Oh I see you are defining the Enum validation on the type, which is fine. Let's also include the +kubebuilder:default marker there as well.

[joelanford]

Hmm, reading the tlsAdherence description again, it seems like you are wanting it to be possible for an empty string to be allowed to be persisted for this field in etcd, which would allow us in theory to change the default semantic later in the future from legacy to strict without a change in the actual tlsAdherence value.

In practice, I think the problem with that idea is that each component essentially has their own implementation of this API and we'd have to do a really good job coordinating a semantic switch from legacy to strict.

What do folks think about:

1. Actually writing LegacyExternalAPIServerComponentsOnly to etcd by default.
2. Telling implementers they specifically only need to look for StrictAllComponents and will not have to worry about the possibility of "" with changing semantics later.
3. When want to set StrictAllComponents as the new default, we make sure newly installed clusters get that, and we potentially block upgrades of clusters that still use LegacyExternalAPIServerComponentsOnly? Or maybe there's some other way to encourage users to switch to StrictAllComponents?

[everettraven]

For configuration APIs we generally try to avoid setting the default via +kubebuilder:default marker so that we can change the default behavior of the "no-opinion" mechanism.

In this case, I don't think we will be doing that but I still wouldn't use the +kubebuilder:default marker because then we won't be able to distinguish whether or not the user intentionally set the field or if we defaulted it on their behalf and you technically get locked into that default being a contractual default.

[joelanford]

so that we can change the default behavior of the "no-opinion" mechanism.

Thanks, I was hoping you'd have some good advice here. It is the intent to eventually make all components honor the cluster-wide default, so I supposed we'll just have to deal with trying to coordinate a semantic change across a bunch of components at once when the time comes.

To facilitate that, I'd suggest a library-go function somehow like this:

// in configv1
const TLSAdherenceNoOpinion = ""

func ShouldAllComponentsAdhere(tlsAdherence configv1.TLSAdherence) bool {
    if tlsAdherence == configv1.TLSAdherenceNoOpinion || tlsAdherence == configv1.LegacyExternalAPIServerComponentsOnly {
        return false
    }
    return true
}

And then when we want to change the semantic, we'd update that function to:

func ShouldAllComponentsAdhere(tlsAdherence configv1.TLSAdherence) bool {
    if tlsAdherence == configv1.LegacyExternalAPIServerComponentsOnly {
        return false
    }
    return true
}

[everettraven]

That aligns with what I envisioned.

Can we make sure to update the EP with a mention of this kind of check/library that implementors are expected to use?

[richardsonnick]

Added a mention of this helper function.
Also created a draft diff in library-go to add this function: openshift/library-go#2114

Will need to land this first to get the TLSAdherencePolicy type into library-go

[joelanford]

Overall, I think this is looking pretty good for TechPreview. I think the main thing is providing clarity to implementers. Which is "use existing TLS configuration settings when tlsAdherence is LegacyExternalAPIServerComponentsOnly. Otherwise, honor what is is tlsSecurityProfile".

Not sure what @everettraven thinks, but I think we could potentially work out the finer details of the defaulting and descriptions in follow-ups if we agree on the necessary bits to get implementers going.

The TLS Curves changes have been removed.

[everettraven]

Overall, this looks pretty good. Have a handful of comments

[everettraven]

Once we settle on this in the EP, we should update this.

My current expectation is that this isn't an exclusion but rather a preference scenario where, if specified, the Kubelet / Ingress Controller components will be configured with what is specified in their existing APIs.

[joelanford]

I think that makes sense. It positions apiserver as the truly cluster-wide default. And it is still aligned with the fact that other components may have their own special configuration knobs that override the default.

[richardsonnick]

I think this makes sense. Updated this to leave out the exclusion language and instead present the behavior as a "preference"

[everettraven]

For configuration APIs we generally try to avoid setting the default via +kubebuilder:default marker so that we can change the default behavior of the "no-opinion" mechanism.

In this case, I don't think we will be doing that but I still wouldn't use the +kubebuilder:default marker because then we won't be able to distinguish whether or not the user intentionally set the field or if we defaulted it on their behalf and you technically get locked into that default being a contractual default.

[everettraven]

We have some standard terminology we like to use here for consistency. As an example:

api/config/v1/types_network.go

Lines 244 to 246 in 6186972

	// When omitted, this means the user has no opinion and the platform is left
	// to choose reasonable defaults. These defaults are subject to change over time.
	// The current default is All.

We should follow this convention as well so we aren't locked into a contractual default in case we want to do something like change the default behavior to strict but still give admins an option to specify that they want to stay on the legacy mode.

[everettraven]

Are we targeting for this to be the same maturity level for both standalone OCP and HyperShift (HCP)?

HyperShift does embed the APIServer configuration spec in https://github.com/openshift/hypershift/blob/825484eb33d14b4ab849b428d134582320655fcf/api/hypershift/v1beta1/hostedcluster_types.go#L1957-L1961 and if we aren't careful they might end up defaulting this new field to GA.

Regardless, I think we may want a sibling PR to ensure that a feature-gate entry at the appropriate level is added to https://github.com/openshift/hypershift/tree/main/api/hypershift/v1beta1/featuregates to prevent an accidental GA. We've been bitten by this in the past and it causes all kinds of headaches, so its probably best to avoid that here.

[richardsonnick]

Added a featuregate in hypershift that adds TLSAdherence to:

• The disabled list in the Default feature gate files
• The enabled list in the TechPreviewNoUpgrade feature gate files

PR: openshift/hypershift#7635

[JoelSpeed]

In a recent call we discussed the fact that we might need different TLSSecurityProfile structs for APIServer vs Ingress. If we had separate structs, would this field still be a sibling of the TLSSecurityProfile, or would it be a member of the TLSSecurityProfile?

[everettraven]

My understanding is that this adherence field is only applicable for the APIServer type because it will be the central configuration type.

Ingress/Kubelet specific configurations would be overrides to the central configuration and Ingress and Kubelet would be expected to strictly adhere to those.

@joelanford @richardsonnick please correct me if I'm wrong here.

[richardsonnick]

This is my understanding as well. The ingress/kubelet configurations are overrides to the (central authoritative) apiserver type

[JoelSpeed]

I understand that relationship, that wasn't actually the key part of my question

If we had separate structs, would this field still be a sibling of the TLSSecurityProfile, or would it be a member of the TLSSecurityProfile?

[everettraven]

IMO, still a sibling.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml`:
- Around line 295-328: The CRD description promises a default for tlsAdherence
but the schema lacks one; add a kubebuilder default tag to the Go API so the
generated CRD enforces "LegacyExternalAPIServerComponentsOnly". Update the
APIServerSpec struct's tlsAdherence field in the Go type (type APIServerSpec,
field tlsAdherence) with a kubebuilder default marker (e.g.
+kubebuilder:default=LegacyExternalAPIServerComponentsOnly), re-run the CRD
generation (controller-gen / repo-specific generation task) to regenerate
payload-manifests/crds so the YAML contains the default, and commit the
regenerated CRD.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add schema default to match the “omitted defaults to Legacy…” contract.

The description promises a default, but the schema doesn’t set one. This leaves behavior dependent on consumer-side fallback. Please add a default (via the Go type annotation and regen) to make the CRD enforce the documented contract.

✅ Suggested schema change (generated output)

              tlsAdherence:
                description: |-
                  ...
+               default: LegacyExternalAPIServerComponentsOnly
                enum:
                - LegacyExternalAPIServerComponentsOnly
                - StrictAllComponents
                type: string

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	tlsAdherence:
	description: |-
	tlsAdherence controls which components in the cluster adhere to the TLS security profile
	configured on this APIServer resource.
	Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
	When set to "LegacyExternalAPIServerComponentsOnly", only the externally exposed
	API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
	TLS profile. Other components continue to use their individual TLS configurations.
	When set to "StrictAllComponents", all components must honor the configured TLS profile
	unless they have a component-specific TLS configuration that overrides it.
	This mode is recommended for security-conscious deployments and is required for
	certain compliance frameworks.
	Note: The Kubelet and IngressController components are excluded from tlsAdherence control
	as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
	IngressController CRs respectively. These component-specific configurations take precedence
	over the cluster-wide tlsSecurityProfile when set.
	Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
	and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
	This field is optional. When omitted, it is interpreted as "no opinion" and the cluster
	defaults to LegacyExternalAPIServerComponentsOnly behavior. Future versions of OpenShift
	may require explicitly setting this field to "StrictAllComponents" before upgrading.
	Administrators are encouraged to migrate to "StrictAllComponents" proactively.
	Once set, this field may be changed to a different value.
	enum:
	- LegacyExternalAPIServerComponentsOnly
	- StrictAllComponents
	type: string
	tlsAdherence:
	description: |-
	tlsAdherence controls which components in the cluster adhere to the TLS security profile
	configured on this APIServer resource.
	Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
	When set to "LegacyExternalAPIServerComponentsOnly", only the externally exposed
	API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
	TLS profile. Other components continue to use their individual TLS configurations.
	When set to "StrictAllComponents", all components must honor the configured TLS profile
	unless they have a component-specific TLS configuration that overrides it.
	This mode is recommended for security-conscious deployments and is required for
	certain compliance frameworks.
	Note: The Kubelet and IngressController components are excluded from tlsAdherence control
	as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
	IngressController CRs respectively. These component-specific configurations take precedence
	over the cluster-wide tlsSecurityProfile when set.
	Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
	and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
	This field is optional. When omitted, it is interpreted as "no opinion" and the cluster
	defaults to LegacyExternalAPIServerComponentsOnly behavior. Future versions of OpenShift
	may require explicitly setting this field to "StrictAllComponents" before upgrading.
	Administrators are encouraged to migrate to "StrictAllComponents" proactively.
	Once set, this field may be changed to a different value.
	default: LegacyExternalAPIServerComponentsOnly
	enum:
	- LegacyExternalAPIServerComponentsOnly
	- StrictAllComponents
	type: string

🤖 Prompt for AI Agents

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml`
around lines 295 - 328, The CRD description promises a default for tlsAdherence
but the schema lacks one; add a kubebuilder default tag to the Go API so the
generated CRD enforces "LegacyExternalAPIServerComponentsOnly". Update the
APIServerSpec struct's tlsAdherence field in the Go type (type APIServerSpec,
field tlsAdherence) with a kubebuilder default marker (e.g.
+kubebuilder:default=LegacyExternalAPIServerComponentsOnly), re-run the CRD
generation (controller-gen / repo-specific generation task) to regenerate
payload-manifests/crds so the YAML contains the default, and commit the
regenerated CRD.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml`:
- Around line 316-317: The description for tlsAdherence is ambiguous about
“unknown values” — update the explanatory text (the paragraph referencing
tlsAdherence and StrictAllComponents) to clarify that unknown values cannot
occur under the current enum-validated schema and would only appear if the CRD
were extended in a future version; instruct components to treat any unrecognized
tlsAdherence (e.g., introduced by a newer CRD version) as "StrictAllComponents"
and log a warning for forward compatibility, rather than implying unknown values
are currently accepted.

[everettraven]

A few things I missed on the first round

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@config/v1/types_apiserver.go`:
- Around line 271-275: The TLSAdherencePolicy enum validation currently omits
the empty/"no opinion" value while the code defines TLSAdherencePolicyNoOpinion
= "" and docs mention setting the field to empty; update the kubebuilder enum
tag on type TLSAdherencePolicy to include the empty string (""), or
alternatively remove the guidance/constant TLSAdherencePolicyNoOpinion and
adjust docs to disallow empty—ensure changes touch the TLSAdherencePolicy type
declaration and related constants so generated CRDs include the intended allowed
values.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml`:
- Around line 227-260: The CRD promises a default of
"LegacyExternalAPIServerComponentsOnly" for tlsAdherence but the schema lacks
it; add a kubebuilder default tag to the Go API type (e.g., the tlsAdherence
field on the APIServerSpec / struct field TLSAdherence) like `//
+kubebuilder:default=LegacyExternalAPIServerComponentsOnly` (or the equivalent
tag on TLSAdherence) and then regenerate the CRD (controller-tools/openapi) so
the generated payload-manifests/crds YAML includes the enum default entry;
ensure the field name referenced matches the struct field (TLSAdherence /
tlsAdherence) used by code generation.

[everettraven]

A few things I noticed:

1. Let's make sure we are attaching this feature to the correct Jira component.
2. It looks like the payload manifests that were generated are missing adding the tlsAdherence field to the DPNU and TPNU manifests.
3. Integration tests are failing due to some kind of generation issue - let's make sure you are rebased on the latest master branch changes and regenerate files. Let me know if there are persistent issues here and I'll do some digging.

[everettraven]

I had missed this originally, but is this the appropriate Jira component to be reporting issues to?

I would expect this to be the team implementing and co-ordinating the work for this feature because this is the component that any bugs identified with this feature should be routed to.

If you feel strongly this should be routed to the kube-apiserver component, lets get an ack from the staff engineers/management of the control plane team that they are OK with fielding bugs related to this feature.

[richardsonnick]

For 1 and 2, it looks like completely bonked the rebase this morning. Apologies. Should be fixed now.

For 3: kube-apiserver may be the wrong component. I don't really have any strong convictions on who should own bugs for this. Does "Networking" fit the bill better? The TLSProfile.curves fate is assigned to "Networking".

[openshift-ci]

@richardsonnick: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify-client-go	4d7e3a0	link	true	/test verify-client-go
ci/prow/unit	4d7e3a0	link	true	/test unit
ci/prow/verify	4d7e3a0	link	true	/test verify
ci/prow/lint	4d7e3a0	link	true	/test lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.