
feat: Configuring TLS options from Central TLS Profile #1184

Open
akhilnittala wants to merge 10 commits into redhat-developer:master from akhilnittala:usr/akhil/CentralTLSConfigProfile


@akhilnittala akhilnittala commented Jun 22, 2026

Member

What type of PR is this?
/kind enhancement

What does this PR do / why we need it:
This PR introduces configurability for TLS server settings across all Argo CD-related components managed by the operator, aligning with OpenShift Container Platform (OCP) requirements for Post-Quantum Cryptography (PQC) readiness starting from OCP 4.22.

OCP mandates that all layered products must support streamlined TLS configuration. This change ensures that Argo CD components can comply with future cryptographic standards and evolving security policies.
Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?
https://redhat.atlassian.net/browse/GITOPS-9073
Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:
Deploy Redis with TLS enabled. Check the arguments against the underlying apiServer configuration.

Signed-off-by: akhil nittala <nakhil@redhat.com>
openshift-ci Bot commented Jun 22, 2026


@akhilnittala: The label(s) kind/chore cannot be applied, because the repository doesn't have them.


In response to this:

What type of PR is this?
/kind chore

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot requested review from jannfis and varshab1210 June 22, 2026 08:59
openshift-ci Bot commented Jun 22, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wtam2018 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot commented Jun 22, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1ec666f7-248f-413e-8d78-c586a807ef83

📥 Commits

Reviewing files that changed from the base of the PR and between 82cf637 and c9ee8b3.

📒 Files selected for processing (2)
  • cmd/main.go
  • controllers/argocd_metrics_controller.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)
🚧 Files skipped from review as they are similar to previous changes (2)
  • controllers/argocd_metrics_controller.go
  • cmd/main.go

📝 Walkthrough

Summary by CodeRabbit

Release Notes

  • New Features

    • Operator now applies the OpenShift cluster TLS security profile to both the webhook and metrics servers.
    • Added DISABLE_CLUSTER_TLS_PROFILE and --disable-cluster-tls-profile to disable TLS profile enforcement.
    • Operator now reacts to TLS profile changes by shutting down so it can recover with updated settings.
  • Bug Fixes

    • Improved ServiceMonitor reconciliation to safely handle the metrics server TLS ServerName pointer field.
  • Chores

    • Updated OpenShift RBAC permissions to include config.openshift.io apiservers access.

Walkthrough

The PR integrates OpenShift cluster TLS security profile support into the gitops-operator. It adds get/list/watch RBAC on config.openshift.io/apiservers, introduces a DISABLE_CLUSTER_TLS_PROFILE flag and env var, fetches the cluster TLSProfileSpec at startup, applies it to webhook and metrics servers, watches for profile changes to trigger operator restart, wires the profile into ReconcileArgoCD, and fixes TLS ServerName pointer type alignment in metrics configuration. Dependency versions in go.mod are also bumped.

Changes

Cluster TLS Profile Integration

Layer / File(s) Summary
RBAC permissions and dependency updates
config/rbac/role.yaml, bundle/manifests/gitops-operator.clusterserviceversion.yaml, controllers/gitopsservice_controller.go, go.mod
Adds get/list/watch on config.openshift.io/apiservers to the manager ClusterRole in role.yaml and the CSV install permissions, adds the kubebuilder RBAC annotation in the controller, updates the CSV createdAt timestamp, and bumps direct/indirect go.mod dependencies including openshift/api, controller-runtime, argocd-operator, and library-go.
DISABLE_CLUSTER_TLS_PROFILE flag and env var wiring
cmd/main.go, config/manager/manager.yaml, bundle/manifests/gitops-operator.clusterserviceversion.yaml
Introduces the disableClusterTLSProfile boolean and --disable-cluster-tls-profile CLI flag, reads the DISABLE_CLUSTER_TLS_PROFILE env var override, creates a cancellable context from the signal handler, and adds the env var declaration to manager.yaml and the CSV deployment spec.
TLS profile fetch, server config, watcher, and ReconcileArgoCD wiring
cmd/main.go
Adds context and tlspkg imports; fetches the cluster TLSProfileSpec via a bootstrap client when Config API is present and the profile is enabled; builds TLS option functions and applies them to webhook and metrics servers; starts a SecurityProfileWatcher that cancels the operator context on profile changes; passes MinTLSVersion and Ciphers as CentralTLSConfigProfile to ReconcileArgoCD; updates mgr.Start to use the cancellable ctx.
Metrics TLS ServerName pointer type fix
controllers/argocd_metrics_controller.go, test/openshift/e2e/ginkgo/parallel/1-104_validate_prometheus_alert_test.go
Updates the ServiceMonitor endpoint TLS configuration to use pointer type for ServerName field in both the controller reconciliation logic and the e2e test, aligning with the field's declared pointer type.

Sequence Diagram

sequenceDiagram
    participant Operator as main
    participant EnvFlag as env / CLI flag
    participant APIServer as config.openshift.io/apiservers
    participant tlspkg as tlspkg helpers
    participant Servers as Webhook + Metrics Servers
    participant Watcher as SecurityProfileWatcher
    participant Controller as ReconcileArgoCD

    Operator->>EnvFlag: read DISABLE_CLUSTER_TLS_PROFILE
    EnvFlag-->>Operator: disableClusterTLSProfile bool
    Operator->>APIServer: fetch TLSProfileSpec
    APIServer-->>Operator: MinTLSVersion, Ciphers
    Operator->>tlspkg: build TLS option functions
    tlspkg-->>Operator: tlsOpts
    Operator->>Servers: apply tlsOpts
    Operator->>Watcher: start watching apiservers
    Watcher-->>Operator: profile changed → cancel ctx → manager exits
    Operator->>Controller: pass CentralTLSConfigProfile

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title directly summarizes the main enhancement: configuring TLS options from OpenShift's Central TLS Profile, which aligns with the changeset's primary objective.
Description check: ✅ Passed. The description clearly relates to the changeset by explaining the TLS configuration enhancement, its purpose for OCP compliance, and relevant testing details.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
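The profile-to-server-config step the walkthrough describes, written out as an added example that is not code from this PR or from the operator's tlspkg helpers. It assumes a hypothetical ClusterTLSProfile struct carrying MinTLSVersion and Ciphers, expects Go/IANA cipher names (OpenShift profiles list OpenSSL-style names, so a real implementation converts them first), accepts only VersionTLS12 and VersionTLS13, and rejects any suite that crypto/tls does not list as secure, so a typo in the profile fails loudly instead of silently falling back to defaults.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// ClusterTLSProfile is a hypothetical stand-in for the profile fetched from
// the cluster APIServer resource (not the openshift/api type).
type ClusterTLSProfile struct {
	MinTLSVersion string   // e.g. "VersionTLS12"
	Ciphers       []string // IANA names, e.g. "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
}

// Only TLS 1.2 and 1.3 are mapped; older versions are refused on purpose.
var tlsVersions = map[string]uint16{
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// TLSConfigFromProfile turns the profile into a crypto/tls server config.
// Names absent from tls.CipherSuites() (unknown, or listed by
// tls.InsecureCipherSuites()) are rejected rather than ignored.
func TLSConfigFromProfile(p ClusterTLSProfile) (*tls.Config, error) {
	minVer, ok := tlsVersions[p.MinTLSVersion]
	if !ok {
		return nil, fmt.Errorf("unsupported MinTLSVersion %q", p.MinTLSVersion)
	}
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	var ids []uint16
	for _, name := range p.Ciphers {
		id, ok := secure[name]
		if !ok {
			return nil, fmt.Errorf("cipher %q is unknown or insecure per crypto/tls", name)
		}
		ids = append(ids, id)
	}
	if minVer < tls.VersionTLS13 && len(ids) == 0 {
		return nil, fmt.Errorf("profile allows TLS 1.2 but lists no usable ciphers")
	}
	// Go does not let callers pick TLS 1.3 suites; CipherSuites governs 1.2 only.
	return &tls.Config{MinVersion: minVer, CipherSuites: ids}, nil
}

func main() {
	cfg, err := TLSConfigFromProfile(ClusterTLSProfile{MinTLSVersion: "VersionTLS12",
		Ciphers: []string{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}})
	fmt.Println(cfg.MinVersion, len(cfg.CipherSuites), err)
}
```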


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


Inline comments:
In `@cmd/main.go`:
- Around line 156-160: The code creates a bootstrapClient using crclient.New()
and assigns any error to err, but immediately calls
tlspkg.FetchAPIServerTLSProfile() with that bootstrapClient on the next line
without checking if client creation failed. Add an error check immediately after
the crclient.New() call to verify err is nil before proceeding to use
bootstrapClient in the FetchAPIServerTLSProfile call. If err is not nil, handle
it appropriately by returning or exiting early to prevent using an invalid
client.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 719b3612-683d-49e6-8b68-a89bdc3cc706

📥 Commits

Reviewing files that changed from the base of the PR and between 9fee941 and d80dd4b.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (6)
  • bundle/manifests/gitops-operator.clusterserviceversion.yaml
  • cmd/main.go
  • config/manager/manager.yaml
  • config/rbac/role.yaml
  • controllers/gitopsservice_controller.go
  • go.mod
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


Inline comments:
In `@controllers/argocd_metrics_controller.go`:
- Around line 400-401: The comparison at line 400 in the
argocd_metrics_controller.go file compares pointer addresses instead of string
values. The condition
`existingServiceMonitor.Spec.Endpoints[0].TLSConfig.ServerName !=
&desiredMetricsServerName` compares pointer addresses, which are different each
reconciliation cycle even when the string content is identical. Fix this by
dereferencing the pointer from
existingServiceMonitor.Spec.Endpoints[0].TLSConfig.ServerName and comparing it
to the string value desiredMetricsServerName instead, so the comparison checks
actual string equality rather than pointer address equality.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e2f178de-0bcf-4924-afb8-7ee735285c8c

📥 Commits

Reviewing files that changed from the base of the PR and between d80dd4b and 82cf637.

📒 Files selected for processing (3)
  • bundle/manifests/gitops-operator.clusterserviceversion.yaml
  • controllers/argocd_metrics_controller.go
  • test/openshift/e2e/ginkgo/parallel/1-104_validate_prometheus_alert_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)
🚧 Files skipped from review as they are similar to previous changes (1)
  • bundle/manifests/gitops-operator.clusterserviceversion.yaml
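The pointer-versus-value comparison flagged above, as an added example that is not code from this PR or from the operator: with hypothetical stand-in types for the ServiceMonitor endpoint TLSConfig and its *string ServerName, it contrasts the flagged address comparison with a dereferencing one and shows why the former makes a controller issue a needless update on every reconcile cycle.

```go
package main

import "fmt"

// Hypothetical stand-ins for the ServiceMonitor endpoint fields the review
// refers to (not the prometheus-operator API types).
type TLSConfig struct{ ServerName *string }
type Endpoint struct{ TLSConfig *TLSConfig }

// serverNameDiffersBuggy mirrors the flagged check: &desired is the address
// of a fresh local variable, so it never equals the stored pointer even when
// both strings read the same.
func serverNameDiffersBuggy(existing Endpoint, desired string) bool {
	return existing.TLSConfig == nil || existing.TLSConfig.ServerName != &desired
}

// serverNameDiffersFixed compares the dereferenced value; a nil TLSConfig or
// nil ServerName is real drift and still needs an update.
func serverNameDiffersFixed(existing Endpoint, desired string) bool {
	if existing.TLSConfig == nil || existing.TLSConfig.ServerName == nil {
		return true
	}
	return *existing.TLSConfig.ServerName != desired
}

// simulateReconciles runs n cycles against an endpoint that already carries
// the desired name and returns how many updates the check triggered.
func simulateReconciles(n int, differs func(Endpoint, string) bool) int {
	name := "argocd-metrics" // constructed sample value
	existing := Endpoint{TLSConfig: &TLSConfig{ServerName: &name}}
	updates := 0
	for i := 0; i < n; i++ {
		desired := "argocd-metrics" // rebuilt each cycle, as a reconciler does
		if differs(existing, desired) {
			updates++
			existing.TLSConfig.ServerName = &desired // the "update" writes it back
		}
	}
	return updates
}

func main() {
	fmt.Println("buggy:", simulateReconciles(5, serverNameDiffersBuggy)) // 5
	fmt.Println("fixed:", simulateReconciles(5, serverNameDiffersFixed)) // 0
}
```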

openshift-ci Bot commented Jun 22, 2026


@akhilnittala: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/v4.14-kuttl-sequential c9ee8b3 link false /test v4.14-kuttl-sequential

Full PR test history. Your PR dashboard.

