WIP: OCPBUGS-88737: Update PSM/package server to support TLS profiles

go.mod

@@ -13,6 +13,7 @@ require (
 	github.com/mikefarah/yq/v3 v3.0.0-20201202084205-8846255d1c37
 	github.com/onsi/ginkgo/v2 v2.31.0
 	github.com/openshift/api v0.0.0-20260204104751-e09e5a4ebcd0
+	github.com/openshift/library-go v0.0.0-20260204111611-b7d4fa0e292a
 	github.com/operator-framework/api v0.44.0
 	github.com/operator-framework/operator-lifecycle-manager v0.0.0-00010101000000-000000000000
 	github.com/operator-framework/operator-registry v1.72.0
@@ -155,7 +156,6 @@ require (
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opencontainers/runtime-spec v1.3.0 // indirect
 	github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 // indirect
-	github.com/openshift/library-go v0.0.0-20260204111611-b7d4fa0e292a // indirect
 	github.com/otiai10/copy v1.14.1 // indirect
 	github.com/otiai10/mint v1.6.3 // indirect
 	github.com/pkg/errors v0.9.1 // indirect

pkg/manifests/csv.yaml

@@ -69,6 +69,12 @@ spec:
               verbs:
                 - get
                 - list
+            - apiGroups:
+                - "config.openshift.io"
+              resources:
+                - apiservers
+              verbs:
+                - get
       deployments:
         - name: packageserver
           spec:

pkg/package-server-manager/config.go

@@ -66,17 +66,18 @@ func getTopologyModeFromInfra(infra *configv1.Infrastructure) bool {
 // resource matches that of the codified defaults and high availability configurations, where
 // codified defaults are defined by the csv returned by the manifests.NewPackageServerCSV
 // function.
-func ensureCSV(log logr.Logger, image string, interval string, csv *olmv1alpha1.ClusterServiceVersion, highlyAvailableMode bool) (bool, error) {
+func ensureCSV(log logr.Logger, image string, interval string, flags []string, csv *olmv1alpha1.ClusterServiceVersion, highlyAvailableMode bool) (bool, error) {
 
-	flags := []string{}
+	runFlags := []string{}
 	if interval != "" {
-		flags = append(flags, "--interval", interval)
+		runFlags = append(runFlags, "--interval", interval)
 	}
+	runFlags = append(runFlags, flags...)
 	expectedCSV, err := manifests.NewPackageServerCSV(
 		manifests.WithName(csv.Name),
 		manifests.WithNamespace(csv.Namespace),
 		manifests.WithImage(image),
-		manifests.WithRunFlags(flags),
+		manifests.WithRunFlags(runFlags),
 	)
 	if err != nil {
 		return false, err

pkg/package-server-manager/controller.go

@@ -19,16 +19,20 @@ package controllers
 import (
 	"context"
 	"fmt"
+	"strings"
 	"sync"
 
 	"github.com/go-logr/logr"
 
 	configv1 "github.com/openshift/api/config/v1"
+	libcrypto "github.com/openshift/library-go/pkg/crypto"
 	"github.com/openshift/operator-framework-olm/pkg/manifests"
+	olmapiserver "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/apiserver"
 	olmv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 
@@ -85,6 +89,22 @@ func (r *PackageServerCSVReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		flags = append(flags, "--interval", r.Interval)
 	}
 
+	var apiServer configv1.APIServer
+	if err := r.Client.Get(ctx, types.NamespacedName{Name: "cluster"}, &apiServer); err != nil {
+		if !apierrors.IsNotFound(err) {
+			return ctrl.Result{}, err
+		}
+	} else {
+		minVersion, cipherSuites := olmapiserver.GetSecurityProfileConfig(apiServer.Spec.TLSSecurityProfile)
+		minVersionStr := libcrypto.TLSVersionToNameOrDie(minVersion)
+		cipherSuitesStr := strings.Join(libcrypto.CipherSuitesToNamesOrDie(cipherSuites), ",")
+		flags = append(flags,
+			"--tls-min-version", minVersionStr,
+			"--tls-cipher-suites", cipherSuitesStr,
+		)
+		log.Info("applying cluster TLS security profile to packageserver", "minVersion", minVersionStr, "cipherSuites", cipherSuitesStr)
+	}
+
 	required, err := manifests.NewPackageServerCSV(
 		manifests.WithName(r.Name),
 		manifests.WithNamespace(r.Namespace),
@@ -96,7 +116,7 @@ func (r *PackageServerCSVReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		return ctrl.Result{}, err
 	}
 	res, err := controllerutil.CreateOrUpdate(ctx, r.Client, required, func() error {
-		return reconcileCSV(r.Log, r.Image, r.Interval, required, highAvailabilityMode)
+		return reconcileCSV(r.Log, r.Image, r.Interval, flags, required, highAvailabilityMode)
 	})
 
 	log.Info("reconciliation result", "res", res)
@@ -123,12 +143,12 @@ func ensureRBAC(client client.Client, ctx context.Context, namespace string, log
 	return nil
 }
 
-func reconcileCSV(log logr.Logger, image string, interval string, csv *olmv1alpha1.ClusterServiceVersion, highAvailabilityMode bool) error {
+func reconcileCSV(log logr.Logger, image string, interval string, flags []string, csv *olmv1alpha1.ClusterServiceVersion, highAvailabilityMode bool) error {
 	if csv.ObjectMeta.CreationTimestamp.IsZero() {
 		log.Info("attempting to create the packageserver csv")
 	}
 
-	modified, err := ensureCSV(log, image, interval, csv, highAvailabilityMode)
+	modified, err := ensureCSV(log, image, interval, flags, csv, highAvailabilityMode)
 	if err != nil {
 		return fmt.Errorf("error ensuring CSV: %v", err)
 	}
@@ -158,10 +178,26 @@ func (r *PackageServerCSVReconciler) infrastructureHandler(_ context.Context, ob
 	}
 }
 
+func (r *PackageServerCSVReconciler) apiServerHandler(_ context.Context, obj client.Object) []reconcile.Request {
+	if obj.GetName() != "cluster" {
+		return nil
+	}
+	r.Log.Info("requeueing the packageserver deployment after encountering APIServer TLS profile change")
+	return []reconcile.Request{
+		{
+			NamespacedName: types.NamespacedName{
+				Name:      r.Name,
+				Namespace: r.Namespace,
+			},
+		},
+	}
+}
+
 // SetupWithManager sets up the controller with the Manager.
 func (r *PackageServerCSVReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&olmv1alpha1.ClusterServiceVersion{}).
 		Watches(&configv1.Infrastructure{}, handler.EnqueueRequestsFromMapFunc(r.infrastructureHandler)).
+		Watches(&configv1.APIServer{}, handler.EnqueueRequestsFromMapFunc(r.apiServerHandler)).
 		Complete(r)
 }

pkg/package-server-manager/controller_test.go

@@ -261,7 +261,7 @@ func TestEnsureCSV(t *testing.T) {
 		tc := tc
 
 		t.Run(tc.name, func(t *testing.T) {
-			gotBool, gotErr := ensureCSV(logger, image, interval, tc.inputCSV, tc.highlyAvailable)
+			gotBool, gotErr := ensureCSV(logger, image, interval, nil, tc.inputCSV, tc.highlyAvailable)
 			require.EqualValues(t, tc.want.expectedBool, gotBool)
 			require.EqualValues(t, tc.want.expectedErr, gotErr)
 			require.EqualValues(t, tc.inputCSV.Spec, tc.expectedCSV.Spec)

staging/operator-lifecycle-manager/deploy/chart/templates/_packageserver.clusterserviceversion.yaml

@@ -67,6 +67,14 @@ spec:
           verbs:
           - get
           - list
+        - apiGroups:
+          - "config.openshift.io"
+          resources:
+          - apiservers
+          resourceNames:
+          - cluster
+          verbs:
+          - get
       deployments:
       - name: packageserver
         {{- include "packageserver.deployment-spec" . | nindent 8 }}

staging/operator-lifecycle-manager/deploy/upstream/quickstart/olm.yaml

@@ -264,6 +264,14 @@ spec:
           verbs:
           - get
           - list
+        - apiGroups:
+          - "config.openshift.io"
+          resources:
+          - apiservers
+          resourceNames:
+          - cluster
+          verbs:
+          - get
       deployments:
       - name: packageserver
         spec:

staging/operator-lifecycle-manager/pkg/package-server/server/server.go

@@ -23,13 +23,18 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/util/workqueue"
 
+	configv1client "github.com/openshift/client-go/config/clientset/versioned"
+	libcrypto "github.com/openshift/library-go/pkg/crypto"
 	operatorsv1 "github.com/operator-framework/api/pkg/operators/v1"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/api/client"
 	olminformers "github.com/operator-framework/operator-lifecycle-manager/pkg/api/client/informers/externalversions"
+	olmapiserver "github.com/operator-framework/operator-lifecycle-manager/pkg/lib/apiserver"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/openshiftconfig"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/queueinformer"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/apiserver"
 	genericpackageserver "github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/apiserver/generic"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/package-server/provider"
+	apidiscovery "k8s.io/client-go/discovery"
 )
 
 const DefaultWakeupInterval = 12 * time.Hour
@@ -202,19 +207,13 @@ func (o *PackageServerOptions) Run(ctx context.Context) error {
 		string(genericfeatures.UnauthenticatedHTTP2DOSMitigation): true,
 	})
 
-	// Grab the config for the API server
-	config, err := o.Config(ctx)
-	if err != nil {
-		return err
-	}
-	config.GenericConfig.EnableMetrics = true
-
-	// Set up the client config
+	// Set up the client config before calling Config() so it can be used to
+	// apply the cluster TLS security profile to the serving options.
 	var clientConfig *rest.Config
+	var err error
 	if len(o.Kubeconfig) > 0 {
 		loadingRules := &clientcmd.ClientConfigLoadingRules{ExplicitPath: o.Kubeconfig}
 		loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
-
 		clientConfig, err = loader.ClientConfig()
 	} else {
 		clientConfig, err = rest.InClusterConfig()
@@ -223,6 +222,23 @@ func (o *PackageServerOptions) Run(ctx context.Context) error {
 		return fmt.Errorf("unable to construct lister client config: %v", err)
 	}
 
+	// If --tls-min-version was not supplied (e.g. no PSM-injected flags yet), fall
+	// back to a direct GET of the cluster APIServer CR so the packageserver still
+	// honours the cluster TLS security profile on first boot or during upgrades.
+	if o.SecureServing.MinTLSVersion == "" {
+		if err := applyClusterTLSProfile(ctx, clientConfig, o.SecureServing); err != nil {
+			return fmt.Errorf("failed to apply cluster TLS profile to serving options: %w", err)
+		}
+	}
+
+	// Grab the config for the API server
+	var config *apiserver.Config
+	config, err = o.Config(ctx)
+	if err != nil {
+		return err
+	}
+	config.GenericConfig.EnableMetrics = true
+
 	kubeClient, err := kubernetes.NewForConfig(clientConfig)
 	if err != nil {
 		return fmt.Errorf("unable to construct lister client: %v", err)
@@ -326,3 +342,58 @@ func (op *Operator) syncOLMConfig(obj interface{}) error {
 
 	return nil
 }
+
+// applyClusterTLSProfile fetches the cluster-wide APIServer TLS security profile
+// and applies it to the SecureServingOptions. It is a no-op on non-OpenShift clusters.
+// This is the fallback path used when --tls-min-version is not provided via flags
+// (i.e. before the PSM has had a chance to inject them).
+func applyClusterTLSProfile(ctx context.Context, config *rest.Config, serving *genericoptions.SecureServingOptionsWithLoopback) error {
+	const lookupTimeout = 30 * time.Second
+	profileCtx, cancel := context.WithTimeout(ctx, lookupTimeout)
+	defer cancel()
+
+	profileConfig := rest.CopyConfig(config)
+	if profileConfig.Timeout == 0 || profileConfig.Timeout > lookupTimeout {
+		profileConfig.Timeout = lookupTimeout
+	}
+
+	kubeClient, err := kubernetes.NewForConfig(profileConfig)
+	if err != nil {
+		return fmt.Errorf("failed to create kubernetes client: %w", err)
+	}
+	cfgClient, err := configv1client.NewForConfig(profileConfig)
+	if err != nil {
+		return fmt.Errorf("failed to create config client: %w", err)
+	}
+	return applyClusterTLSProfileWithClients(profileCtx, kubeClient.Discovery(), cfgClient, serving)
+}
+
+// applyClusterTLSProfileWithClients is the testable core of applyClusterTLSProfile.
+// It applies the cluster-wide APIServer TLS security profile to the SecureServingOptions,
+// but only for fields not already set by explicit flags (--tls-min-version / --tls-cipher-suites).
+// It is a no-op on non-OpenShift clusters.
+func applyClusterTLSProfileWithClients(ctx context.Context, discovery apidiscovery.DiscoveryInterface, cfgClient configv1client.Interface, serving *genericoptions.SecureServingOptionsWithLoopback) error {
+	available, err := openshiftconfig.IsAPIAvailable(discovery)
+	if err != nil {
+		return fmt.Errorf("failed to check OpenShift config API: %w", err)
+	}
+	if !available {
+		return nil
+	}
+
+	apiServer, err := cfgClient.ConfigV1().APIServers().Get(ctx, "cluster", metav1.GetOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to get APIServer config: %w", err)
+	}
+
+	minVersion, cipherSuites := olmapiserver.GetSecurityProfileConfig(apiServer.Spec.TLSSecurityProfile)
+	// Only override fields not already set by explicit flags.
+	if serving.MinTLSVersion == "" {
+		serving.MinTLSVersion = libcrypto.TLSVersionToNameOrDie(minVersion)
+	}
+	if len(serving.CipherSuites) == 0 {
+		serving.CipherSuites = libcrypto.CipherSuitesToNamesOrDie(cipherSuites)
+	}
+	log.Infof("Applying cluster TLS security profile: minVersion=%s cipherSuites=%v", serving.MinTLSVersion, serving.CipherSuites)
+	return nil
+}