Add TLS adherance feature gate

[richardsonnick]

User description

Add TLSAdherence feature gate for cluster-wide TLS configuration

This PR introduces the TLSAdherence feature gate and adds the tlsAdherence field to the APIServer config resource (apiserver.config.openshift.io/v1).

Summary

The tlsAdherence field controls how strictly components in the cluster adhere to the TLS security profile configured on the APIServer resource.

Valid values:

• Legacy (default): Backward-compatible behavior where components attempt to honor the configured TLS profile but may fall back to their individual defaults if conflicts arise. This mode is intended for clusters that need to maintain compatibility with existing configurations during migration.
• Strict: Enforces strict adherence to the TLS configuration. All components must honor the configured profile. This mode is recommended for security-conscious deployments and is required for certain compliance frameworks.

Feature Gate Details

• Feature Gate Name: TLSAdherence
• Enabled in: DevPreviewNoUpgrade, TechPreviewNoUpgrade
• Contact: @joelanford
• Jira Component: kube-apiserver

Related

• Enhancement: Add enhancement spec for centralized TLS configuration and enforcement enhancements#1910

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Hello @richardsonnick! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

📝 Walkthrough

Walkthrough

This change introduces TLS configuration enhancements to OpenShift API server and kubelet configurations. A new TLSAdherence field is added to APIServerSpec with "Legacy" and "Strict" enum values, controlled by a feature gate enabled in DevPreviewNoUpgrade and TechPreviewNoUpgrade tracks. Additionally, a Curves field (array of strings) is added to TLSProfileSpec to allow specification of elliptic curves for TLS handshakes. Related type definitions, generated code, CRD manifests for multiple deployment configurations, OpenAPI specifications, and feature gate definitions are updated accordingly.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: introducing a new TLSAdherence feature gate as the primary objective of this PR.
Description check	✅ Passed	The PR description clearly explains the TLSAdherence feature gate, its purpose, valid values, and implementation details, directly related to the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Defaulting not enforced: The new tlsAdherence field documents defaulting/unknown-value behavior (default Legacy, unknown treated as Strict with warning) but this PR only adds API types/CRD enum and does not show any code that enforces defaulting or handles unset/unknown values at runtime. Referred Code // tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile // configured on this APIServer resource. // // Valid values are "Legacy" and "Strict". // // When set to "Legacy" (the default), components attempt to honor the configured TLS profile // but may fall back to their individual defaults if conflicts arise. This mode is intended for // clusters that need to maintain compatibility with existing configurations during migration. // // When set to "Strict", all components must strictly honor the configured TLS profile. // This mode is recommended for security-conscious deployments and is required for // certain compliance frameworks. // // Components that encounter an unknown value for tlsAdherence should treat it as "Strict" // and log a warning to ensure forward compatibility while defaulting to the more secure behavior. // // When omitted, the default value is "Legacy". // +openshift:enable:FeatureGate=TLSAdherence // +optional TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Missing input constraints: The new curves field is introduced as a free-form string array without visible validation constraints (e.g., allowed values/patterns), so it is unclear from this diff alone whether invalid curve names are rejected or safely handled downstream. Referred Code // curves is used to specify the elliptic curves that are used during // the TLS handshake. Operators may remove entries their operands do // not support. For example, to use X25519 and P-256 (yaml): // // curves: // - X25519 // - P-256 Curves []string `json:"curves,omitempty"` // minTLSVersion is used to specify the minimal version of the TLS protocol Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Use pointer for an optional field *Change the TLSAdherence field to a pointer type (TLSAdherencePolicy) to correctly handle its optional nature and resolve ambiguity between an omitted value and an empty string. config/v1/types_apiserver.go [81-84] // When omitted, the default value is "Legacy". // +openshift:enable:FeatureGate=TLSAdherence // +optional -TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"` +TLSAdherence *TLSAdherencePolicy `json:"tlsAdherence,omitempty"` Apply / Chat Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies a significant ambiguity in the API design where omitting the TLSAdherence field leads to conflicting documented behaviors, and proposes using a pointer type, which is the idiomatic Go solution to distinguish between an omitted and an empty value.	Medium
High-level	Unify API documentation source The documentation for the tlsAdherence field is inconsistent across files. The Go type definition is missing an important note about excluded components that is present in the generated CRD, indicating a need to unify the documentation source. Examples: config/v1/types_apiserver.go [65-84] // tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile // configured on this APIServer resource. // // Valid values are "Legacy" and "Strict". // // When set to "Legacy" (the default), components attempt to honor the configured TLS profile // but may fall back to their individual defaults if conflicts arise. This mode is intended for // clusters that need to maintain compatibility with existing configurations during migration. // // When set to "Strict", all components must strictly honor the configured TLS profile. ... (clipped 10 lines) config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml [296-317] description: |- tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile configured on this APIServer resource. Valid values are "Legacy" and "Strict". When set to "Legacy" (the default), components attempt to honor the configured TLS profile but may fall back to their individual defaults if conflicts arise. This mode is intended for clusters that need to maintain compatibility with existing configurations during migration. ... (clipped 12 lines) Solution Walkthrough: Before: // file: config/v1/types_apiserver.go type APIServerSpec struct { // ... (documentation without the note) // When omitted, the default value is "Legacy". // +openshift:enable:FeatureGate=TLSAdherence // +optional TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"` // ... } After: // file: config/v1/types_apiserver.go type APIServerSpec struct { // ... (documentation with the note) // Note: The Kubelet and IngressController components are excluded from tlsAdherence control // as they have their own dedicated TLS configuration mechanisms via KubeletConfig and // IngressController CRs respectively. // // When omitted, the default value is "Legacy". // +openshift:enable:FeatureGate=TLSAdherence // +optional TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"` // ... } Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies a significant documentation inconsistency, where crucial information in the CRD is missing from the source Go type, indicating a flawed generation process.	Medium
General	Mark curves as optional atomic list Add +listType=atomic and +optional markers to the Curves field in TLSProfileSpec for consistency and correct CRD generation. config/v1/types_tlssecurityprofile.go [171-178] +// +listType=atomic +// +optional // curves is used to specify the elliptic curves that are used during // the TLS handshake. Operators may remove entries their operands do // not support. For example, to use X25519 and P-256 (yaml): // // curves: // - X25519 // - P-256 Curves []string `json:"curves,omitempty"` Apply / Chat Suggestion importance[1-10]: 5 __ Why: The suggestion correctly points out that the new Curves field should have +listType=atomic and +optional markers for consistency with the existing Ciphers field and to ensure correct CRD generation, improving API consistency.	Low
More

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@config/v1/types_apiserver.go`:
- Around line 65-84: Update the TLSAdherence field documentation to include the
exclusion note from the CRD manifests: explicitly state that Kubelet and
IngressController are excluded from tlsAdherence control and instead use their
own TLS config (KubeletConfig and IngressController CRs). Edit the comment above
the TLSAdherence TLSAdherencePolicy field (the docblock that documents
TLSAdherence) to append a short sentence noting this exclusion so generated API
docs reflect the same caveat as the CRD manifests.

In `@features.md`:
- Line 78: The table row containing the "TLSAdherence" feature is missing a
space before the first pipe after the feature name, violating markdownlint table
spacing; edit the row that starts with "TLSAdherence" and insert a single space
before the following "|" so it reads "TLSAdherence |" (preserving the rest of
the cells exactly) to conform to the configured table style.

In `@openapi/generated_openapi/zz_generated.openapi.go`:
- Around line 12447-12461: Add a kubebuilder enum validation for the Curves
field so only supported TLS curve identifiers are accepted: add a comment marker
like +kubebuilder:validation:Enum=X25519;P-256;P-384;P-521 immediately above the
Curves []string field in the struct in config/v1/types_tlssecurityprofile.go
(mirror the pattern used for TLSProtocolVersion), then re-run
controller-gen/openapi generation to update
openapi/generated_openapi/zz_generated.openapi.go so the "curves" schema
includes the enum restriction.

🧹 Nitpick comments (5)

config/v1/types_tlssecurityprofile.go (1)

169-178: Consider adding listType=atomic for Curves for SSA consistency.
This mirrors the Ciphers list semantics and avoids any unexpected merge behavior.

🔧 Proposed tweak

 	//   curves:
 	//     - X25519
 	//     - P-256
 	//
+	// +listType=atomic
 	Curves []string `json:"curves,omitempty"`

openapi/generated_openapi/zz_generated.openapi.go (1)

9102-9108: Add enum validation for tlsAdherence to match the documented valid values.

The schema only declares a free-form string even though the description defines just "Legacy" and "Strict". That means invalid values will pass admission and only be handled at runtime. Consider adding kubebuilder enum (and, if desired, a default) on the source type so the generated OpenAPI enforces the allowed values.

[Suggested fix (apply in config/v1/types_apiserver.go, not this generated file):]

🔧 Example annotation update

 // +optional
+// +kubebuilder:validation:Enum=Legacy;Strict
+// +kubebuilder:default=Legacy
 TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`

payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml (1)

259-270: Consider adding x-kubernetes-list-type annotation for consistency.

The curves field is missing the x-kubernetes-list-type annotation that the ciphers field has (line 258 shows x-kubernetes-list-type: atomic for ciphers). For consistency and to ensure proper list merge behavior, consider adding the same annotation.

📝 Suggested fix

                       curves:
                         description: |-
                           curves is used to specify the elliptic curves that are used during
                           the TLS handshake.  Operators may remove entries their operands do
                           not support.  For example, to use X25519 and P-256 (yaml):

                             curves:
                               - X25519
                               - P-256
                         items:
                           type: string
                         type: array
+                        x-kubernetes-list-type: atomic

payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml (1)

287-298: Same annotation consistency issue as Default CRD.

The curves field here also lacks the x-kubernetes-list-type: atomic annotation that ciphers has. See the comment on the Default CRD for the suggested fix.

payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml (1)

355-366: Same annotation consistency issue.

The curves field here also lacks x-kubernetes-list-type: atomic. This is consistent across all the CRD files in this PR but differs from the ciphers field pattern.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Documentation inconsistency with CRD manifests.

The Go type documentation for TLSAdherence does not mention that Kubelet and IngressController components are excluded from tlsAdherence control, but the CRD manifests (TechPreviewNoUpgrade.crd.yaml and DevPreviewNoUpgrade.crd.yaml) include this important note:

"Note: The Kubelet and IngressController components are excluded from tlsAdherence control as they have their own dedicated TLS configuration mechanisms via KubeletConfig and IngressController CRs respectively."

Consider adding this exclusion note to the Go type documentation to maintain consistency and ensure generated API documentation reflects this important caveat.

📝 Suggested documentation addition

 	// Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
 	// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
 	//
+	// Note: The Kubelet and IngressController components are excluded from tlsAdherence control
+	// as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
+	// IngressController CRs respectively.
+	//
 	// When omitted, the default value is "Legacy".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
	// configured on this APIServer resource.
	//
	// Valid values are "Legacy" and "Strict".
	//
	// When set to "Legacy" (the default), components attempt to honor the configured TLS profile
	// but may fall back to their individual defaults if conflicts arise. This mode is intended for
	// clusters that need to maintain compatibility with existing configurations during migration.
	//
	// When set to "Strict", all components must strictly honor the configured TLS profile.
	// This mode is recommended for security-conscious deployments and is required for
	// certain compliance frameworks.
	//
	// Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
	// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
	//
	// When omitted, the default value is "Legacy".
	// +openshift:enable:FeatureGate=TLSAdherence
	// +optional
	TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`
	// tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
	// configured on this APIServer resource.
	//
	// Valid values are "Legacy" and "Strict".
	//
	// When set to "Legacy" (the default), components attempt to honor the configured TLS profile
	// but may fall back to their individual defaults if conflicts arise. This mode is intended for
	// clusters that need to maintain compatibility with existing configurations during migration.
	//
	// When set to "Strict", all components must strictly honor the configured TLS profile.
	// This mode is recommended for security-conscious deployments and is required for
	// certain compliance frameworks.
	//
	// Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
	// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
	//
	// Note: The Kubelet and IngressController components are excluded from tlsAdherence control
	// as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
	// IngressController CRs respectively.
	//
	// When omitted, the default value is "Legacy".
	// +openshift:enable:FeatureGate=TLSAdherence
	// +optional
	TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`

🤖 Prompt for AI Agents

In `@config/v1/types_apiserver.go` around lines 65 - 84, Update the TLSAdherence
field documentation to include the exclusion note from the CRD manifests:
explicitly state that Kubelet and IngressController are excluded from
tlsAdherence control and instead use their own TLS config (KubeletConfig and
IngressController CRs). Edit the comment above the TLSAdherence
TLSAdherencePolicy field (the docblock that documents TLSAdherence) to append a
short sentence noting this exclusion so generated API docs reflect the same
caveat as the CRD manifests.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix table pipe spacing to satisfy markdownlint.
The new row is missing a space before the pipe after the feature name, which violates the configured table style.

🔧 Suggested fix

-| TLSAdherence| | | <span style="background-color: `#519450`">Enabled</span> | <span style="background-color: `#519450`">Enabled</span> | | | <span style="background-color: `#519450`">Enabled</span> | <span style="background-color: `#519450`">Enabled</span>  |
+| TLSAdherence | | | <span style="background-color: `#519450`">Enabled</span> | <span style="background-color: `#519450`">Enabled</span> | | | <span style="background-color: `#519450`">Enabled</span> | <span style="background-color: `#519450`">Enabled</span>  |

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	| TLSAdherence| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> |
	| TLSAdherence | | | <span style="background-color: `#519450`">Enabled</span> | <span style="background-color: `#519450`">Enabled</span> | | | <span style="background-color: `#519450`">Enabled</span> | <span style="background-color: `#519450`">Enabled</span> |

🧰 Tools

🪛 markdownlint-cli2 (0.20.0)

78-78: Table column style
Table pipe is missing space to the left for style "compact"

(MD060, table-column-style)

---

78-78: Table column style
Table pipe has extra space to the left for style "compact"

(MD060, table-column-style)

🤖 Prompt for AI Agents

In `@features.md` at line 78, The table row containing the "TLSAdherence" feature
is missing a space before the first pipe after the feature name, violating
markdownlint table spacing; edit the row that starts with "TLSAdherence" and
insert a single space before the following "|" so it reads "TLSAdherence |"
(preserving the rest of the cells exactly) to conform to the configured table
style.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Go 1.21 1.22 crypto/tls supported curve names CurveID identifiers

💡 Result:

In Go 1.21 and Go 1.22, crypto/tls exposes these supported (named group) CurveID constants:

TLS group / curve name	Go constant	CurveID (uint16)
NIST P-256 (secp256r1)	tls.CurveP256	23
NIST P-384 (secp384r1)	tls.CurveP384	24
NIST P-521 (secp521r1)	tls.CurveP521	25
X25519	tls.X25519	29

These are the CurveID identifiers defined by crypto/tls for those versions. [1]

Sources:
[1] https://go.googlesource.com/go/+/go1.14.8/src/crypto/tls/common.go

---

🏁 Script executed:

# First, find the source code that generates this OpenAPI schema
# The file is auto-generated, so we need to find what generates it
fd -t f "*.go" | head -20 | xargs grep -l "curves is used to specify" 2>/dev/null | head -5

Repository: openshift/api

Length of output: 340

---

🏁 Script executed:

# Search for the source field definition
rg -A 5 -B 5 "curves.*TLS.*handshake" --type go

Repository: openshift/api

Length of output: 3653

---

🏁 Script executed:

# Check for OpenAPI generation tooling and look for the source type
find . -name "*openapi*" -o -name "*swagger*" | grep -v generated | head -10

Repository: openshift/api

Length of output: 427

---

🏁 Script executed:

# Look for struct definitions with a "curves" field that might be the source
rg "Curves\s*\[\]" --type go | head -20

Repository: openshift/api

Length of output: 359

---

🏁 Script executed:

# Read the source file that defines the Curves field
cat -n config/v1/types_tlssecurityprofile.go

Repository: openshift/api

Length of output: 11992

---

🏁 Script executed:

# Look for validation rules or constants in the codebase
rg "enum.*curve|Curve.*enum|CurveID|X25519|P-256|P-384|P-521" --type go config/v1/ | head -30

Repository: openshift/api

Length of output: 568

---

🏁 Script executed:

# Search for validation struct tags or validation rules in similar fields
rg "json:.*omitempty.*validation|kubebuilder:validation" --type go config/v1/types_tlssecurityprofile.go -A 3 -B 3

Repository: openshift/api

Length of output: 490

---

🏁 Script executed:

# Check how other string arrays are validated in the codebase
rg '\[\]string.*json' --type go config/v1/ -A 2 | grep -A 2 "kubebuilder" | head -40

Repository: openshift/api

Length of output: 39

---

Add validation for curves field to restrict entries to supported TLS curve identifiers.

The Curves field in config/v1/types_tlssecurityprofile.go (line 178) accepts any string with no validation, allowing invalid curve names to be accepted during config validation but fail later at TLS handshake time. Add a +kubebuilder:validation:Enum marker similar to the pattern used for TLSProtocolVersion to enforce only supported curves: X25519, P-256, P-384, P-521 (as supported by Go 1.21+ crypto/tls).

🤖 Prompt for AI Agents

In `@openapi/generated_openapi/zz_generated.openapi.go` around lines 12447 -
12461, Add a kubebuilder enum validation for the Curves field so only supported
TLS curve identifiers are accepted: add a comment marker like
+kubebuilder:validation:Enum=X25519;P-256;P-384;P-521 immediately above the
Curves []string field in the struct in config/v1/types_tlssecurityprofile.go
(mirror the pattern used for TLSProtocolVersion), then re-run
controller-gen/openapi generation to update
openapi/generated_openapi/zz_generated.openapi.go so the "curves" schema
includes the enum restriction.

[openshift-ci]

@richardsonnick: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	d0a2bac	link	true	/test verify
ci/prow/verify-crd-schema	d0a2bac	link	true	/test verify-crd-schema
ci/prow/lint	d0a2bac	link	true	/test lint
ci/prow/minor-e2e-upgrade-minor	d0a2bac	link	true	/test minor-e2e-upgrade-minor

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[joelanford]

I thought Legacy was going to essentially mean "only the externally exposed API server components", and Strict will mean "ALL cluster components with the exception of Kubelet-related and Ingress-related servers"?

I also think we should update GoDoc for the TLSSecurityProfile field, which currently says "for externally exposed servers". With TLSAdherence in the mix, what the profile is for depends on the TLSAdherence value.

But that should doc change should also only apply when the feature gate is enabled. I think @JoelSpeed said there's a way to do that?

[joelanford]

I also wonder if we should improve the naming of the enums to more accurately describe what they do? For example:

• LegacyExternalAPIServerComponentsOnly
• StrictAllComponents

Or something along those lines?

[joelanford]

Based on my read of openshift/enhancements#1894, it seems like very few components currently handle TLS curve configuration.

And I don't think we will be able to promote this full set of API changes unless components handle all of MinTLSVersion, CipherSuites, and Curves.

I am worried that the upstream's lack of curves support might take some time and would therefore block the rest of the feature around honoring the min TLS and cipher suites configuration.

Should we remove Curves from this PR or configure it to be present with a separate feature gate?

[joelanford]

If/when we do add Curves field, it needs to be introduced behind a feature gate.

[joelanford]

Curves should be removed or included behind a feature gate. My understanding is that we can't add a field to the Default CRD without first going through TechPreviewNoUpgrade.

[everettraven]

Adding to @joelanford 's comment - I'd prefer we keep the curves field entirely separate here to keep this well scoped. IIRC there is already a PR that is looking to add the curves field.