1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -20,3 +20,4 @@ kubeconfig

#misc
.vscode
.idea
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -269,7 +269,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
## Tool Versions
KUSTOMIZE_VERSION ?= v3.8.7
CONTROLLER_TOOLS_VERSION ?= v0.20.1
OPERATOR_SDK_VERSION=v1.33.0
OPERATOR_SDK_VERSION=v1.34.1

KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
.PHONY: kustomize
10 changes: 9 additions & 1 deletion bindata/manifests/daemon/daemonset.yaml
Expand Up @@ -86,8 +86,16 @@ spec:
sleep 5
done
echo $(date -Iseconds) INFO: ingress-node-firewall-daemon-metrics-certs mounted, starting kube-rbac-proxy
exec /usr/bin/kube-rbac-proxy --secure-listen-address=:9301 \
exec /usr/bin/kube-rbac-proxy \
--secure-listen-address=:9301 \
{{- if .TLSMinVersion }}
--tls-min-version={{.TLSMinVersion}} \
{{- end }}
{{- if .TLSCipherSuites }}
--tls-cipher-suites={{.TLSCipherSuites}} \
{{- else }}
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
{{- end }}
--upstream=http://127.0.0.1:39401 \
--tls-private-key-file=${TLS_PK} \
--tls-cert-file=${TLS_CERT}
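Review bot: The `{{- else }}` fallback on the `--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,...` line keeps the legacy list, which includes `TLS_RSA_WITH_AES_128_CBC_SHA256` (static RSA key exchange, no forward secrecy) and four CBC suites, and in that branch no `--tls-min-version` is passed at all, so kube-rbac-proxy's built-in default applies. Since the operator now appears to derive `.TLSMinVersion` and `.TLSCipherSuites` from the cluster TLS profile (the CSV flips `tls-profiles` to `"true"` and the role gains read access to `config.openshift.io/apiservers`), the fallback should be the same values the operator resolves for the default profile, or at least drop the static-RSA and CBC entries. A template comment such as `{{- /* fallback used only when no TLS profile is resolved; keep in sync with the default profile */}}` above the else branch would make the intent explicit. Note also that `--tls-cipher-suites={{.TLSCipherSuites}}` is substituted unquoted into the shell command line, so the rendered value must be a single comma-separated token with no whitespace; worth a check where it is built. The block scalar holding this script starts before the hunk.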
102 changes: 25 additions & 77 deletions bundle/manifests/ingress-node-firewall.clusterserviceversion.yaml
Expand Up @@ -87,11 +87,11 @@ metadata:
categories: Networking
certified: "false"
containerImage: quay.io/openshift/origin-ingress-node-firewall:latest
createdAt: "2025-09-04T08:08:17Z"
createdAt: "2026-06-24T21:29:30Z"
features.operators.openshift.io/disconnected: "true"
features.operators.openshift.io/fips-compliant: "true"
features.operators.openshift.io/proxy-aware: "false"
features.operators.openshift.io/tls-profiles: "false"
features.operators.openshift.io/tls-profiles: "true"
features.operators.openshift.io/token-auth-aws: "false"
features.operators.openshift.io/token-auth-azure: "false"
features.operators.openshift.io/token-auth-gcp: "false"
Expand Down Expand Up @@ -152,58 +152,42 @@ spec:
- update
- watch
- apiGroups:
- bpfman.io
- authentication.k8s.io
resources:
- bpfapplications
- tokenreviews
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ingressnodefirewall.openshift.io
- authorization.k8s.io
resources:
- ingressnodefirewallconfigs
- subjectaccessreviews
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ingressnodefirewall.openshift.io
resources:
- ingressnodefirewallconfigs/finalizers
verbs:
- update
- apiGroups:
- ingressnodefirewall.openshift.io
- bpfman.io
resources:
- ingressnodefirewallconfigs/status
- bpfapplications
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ingressnodefirewall.openshift.io
- config.openshift.io
resources:
- ingressnodefirewallnodestates
- apiservers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ingressnodefirewall.openshift.io
resources:
- ingressnodefirewallconfigs
- ingressnodefirewallnodestates
- ingressnodefirewalls
verbs:
- create
Expand All @@ -216,12 +200,14 @@ spec:
- apiGroups:
- ingressnodefirewall.openshift.io
resources:
- ingressnodefirewallconfigs/finalizers
- ingressnodefirewalls/finalizers
verbs:
- update
- apiGroups:
- ingressnodefirewall.openshift.io
resources:
- ingressnodefirewallconfigs/status
- ingressnodefirewalls/status
verbs:
- get
Expand Down Expand Up @@ -260,7 +246,8 @@ spec:
containers:
- args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:39400
- --metrics-bind-address=:9300
- --metrics-cert-dir=/etc/pki/tls/metrics-certs
- --leader-elect
- --enable-webhook
command:
Expand All @@ -286,6 +273,9 @@ spec:
- containerPort: 9443
name: webhook-server
protocol: TCP
- containerPort: 9300
name: https
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
Expand All @@ -299,53 +289,11 @@ spec:
requests:
cpu: 10m
memory: 64Mi
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- command:
- /bin/bash
- -c
- |
#!/bin/bash
set -euo pipefail
TLS_PK=/etc/pki/tls/metrics-certs/tls.key
TLS_CERT=/etc/pki/tls/metrics-certs/tls.crt
# As the secret mount is optional we must wait for the files to be present.
# If it isn't created there is probably an issue so we want to crashloop.
TS=$(date +%s)
WARN_TS=$(( ${TS} + $(( 20 * 60)) ))
HAS_LOGGED_INFO=0
log_missing_certs(){
CUR_TS=$(date +%s)
if [[ "${CUR_TS}" -gt "${WARN_TS}" ]]; then
echo $(date -Iseconds) WARN: ingress-node-firewall-controller-manager-metrics-certs not mounted after 20 minutes.
elif [[ "${HAS_LOGGED_INFO}" -eq 0 ]] ; then
echo $(date -Iseconds) INFO: ingress-node-firewall-controller-manager-metrics-certs not mounted. Waiting 20 minutes.
HAS_LOGGED_INFO=1
fi
}
while [[ ! -f "${TLS_PK}" || ! -f "${TLS_CERT}" ]] ; do
log_missing_certs
sleep 5
done
echo $(date -Iseconds) INFO: ingress-node-firewall-controller-manager-metrics-certs mounted, starting kube-rbac-proxy
exec /usr/bin/kube-rbac-proxy --secure-listen-address=:9300 \
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
--upstream=http://127.0.0.1:39400 \
--tls-private-key-file=${TLS_PK} \
--tls-cert-file=${TLS_CERT}
image: quay.io/openshift/origin-kube-rbac-proxy:latest
name: kube-rbac-proxy
ports:
- containerPort: 9300
name: https
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /etc/pki/tls/metrics-certs
name: ingress-node-firewall-controller-manager-metrics-certs
readOnly: true
Expand All @@ -360,7 +308,7 @@ spec:
secretName: webhook-server-cert
- name: ingress-node-firewall-controller-manager-metrics-certs
secret:
optional: true
optional: false
secretName: ingress-node-firewall-controller-manager-metrics-certs
permissions:
- rules:
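Review bot: With the kube-rbac-proxy sidecar removed, the manager's own listener at `--metrics-bind-address=:9300` is now reachable on all pod interfaces (it was `127.0.0.1:39400` behind the proxy), and nothing in this Deployment shows what replaces the two controls the proxy enforced: bearer-token authn/authz of scrapers and a pinned TLS version/cipher configuration. The new `tokenreviews`/`subjectaccessreviews` create permissions suggest the controller now performs delegated authn/authz itself, and the `config.openshift.io/apiservers` read access suggests it applies the cluster TLS profile, but both live in Go code outside this diff, so please confirm and document them. Since this CSV is regenerated from config/manager/manager.yaml, the comment belongs there, above the args list, e.g. `# metrics are served directly with TLS from --metrics-cert-dir; scraper authn/authz and the cluster TLS profile are applied in code` (adjust to what the code actually does). The same two args appear in the config/manager/manager.yaml section below.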
Expand Up @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.20.1
creationTimestamp: null
name: ingressnodefirewallconfigs.ingressnodefirewall.openshift.io
spec:
Expand Down Expand Up @@ -70,16 +70,8 @@ spec:
description: Conditions show the current state of the Ingress Node
Firewall Config resource
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
Expand Down Expand Up @@ -120,12 +112,7 @@ spec:
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
Expand Up @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.20.1
creationTimestamp: null
name: ingressnodefirewallnodestates.ingressnodefirewall.openshift.io
spec:
Expand Up @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.20.1
creationTimestamp: null
name: ingressnodefirewalls.ingressnodefirewall.openshift.io
spec:
52 changes: 8 additions & 44 deletions config/manager/manager.yaml
Expand Up @@ -31,11 +31,16 @@ spec:
- /manager
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:39400"
- "--metrics-bind-address=:9300"
- "--metrics-cert-dir=/etc/pki/tls/metrics-certs"
- "--leader-elect"
- "--enable-webhook"
image: controller:latest
name: manager
ports:
- containerPort: 9300
name: https
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
Expand All @@ -57,56 +62,15 @@ spec:
requests:
cpu: 10m
memory: 64Mi
- name: kube-rbac-proxy
image: quay.io/openshift/origin-kube-rbac-proxy:latest
command:
- /bin/bash
- -c
- |
#!/bin/bash
set -euo pipefail
TLS_PK=/etc/pki/tls/metrics-certs/tls.key
TLS_CERT=/etc/pki/tls/metrics-certs/tls.crt
# As the secret mount is optional we must wait for the files to be present.
# If it isn't created there is probably an issue so we want to crashloop.
TS=$(date +%s)
WARN_TS=$(( ${TS} + $(( 20 * 60)) ))
HAS_LOGGED_INFO=0
log_missing_certs(){
CUR_TS=$(date +%s)
if [[ "${CUR_TS}" -gt "${WARN_TS}" ]]; then
echo $(date -Iseconds) WARN: ingress-node-firewall-controller-manager-metrics-certs not mounted after 20 minutes.
elif [[ "${HAS_LOGGED_INFO}" -eq 0 ]] ; then
echo $(date -Iseconds) INFO: ingress-node-firewall-controller-manager-metrics-certs not mounted. Waiting 20 minutes.
HAS_LOGGED_INFO=1
fi
}
while [[ ! -f "${TLS_PK}" || ! -f "${TLS_CERT}" ]] ; do
log_missing_certs
sleep 5
done
echo $(date -Iseconds) INFO: ingress-node-firewall-controller-manager-metrics-certs mounted, starting kube-rbac-proxy
exec /usr/bin/kube-rbac-proxy --secure-listen-address=:9300 \
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
--upstream=http://127.0.0.1:39400 \
--tls-private-key-file=${TLS_PK} \
--tls-cert-file=${TLS_CERT}
ports:
- containerPort: 9300
name: https
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: ingress-node-firewall-controller-manager-metrics-certs
mountPath: /etc/pki/tls/metrics-certs
readOnly: True
readOnly: true
volumes:
- name: ingress-node-firewall-controller-manager-metrics-certs
secret:
secretName: ingress-node-firewall-controller-manager-metrics-certs
optional: true
optional: false
serviceAccountName: controller-manager
terminationGracePeriodSeconds: 10
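Review bot: `optional: false` on the `ingress-node-firewall-controller-manager-metrics-certs` secret volume, together with deleting the sidecar's wait-and-log loop, changes the failure mode when the serving-cert Secret is missing: the kubelet now holds the pod until the volume can be mounted instead of the old explicit INFO/WARN log lines, which is acceptable but should be stated, since operators will see a pod that never starts rather than a log message. Add above the volume `# populated by service-ca from the metrics Service annotation; the pod will not start until it exists` (the Service manifest is not in this diff, so confirm it carries that annotation). The sidecar removed here is the same one removed from the bundle CSV above.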
Expand Up @@ -11,7 +11,7 @@ metadata:
features.operators.openshift.io/disconnected: "true"
features.operators.openshift.io/fips-compliant: "true"
features.operators.openshift.io/proxy-aware: "false"
features.operators.openshift.io/tls-profiles: "false"
features.operators.openshift.io/tls-profiles: "true"
features.operators.openshift.io/token-auth-aws: "false"
features.operators.openshift.io/token-auth-azure: "false"
features.operators.openshift.io/token-auth-gcp: "false"
20 changes: 20 additions & 0 deletions config/rbac/role.yaml
Expand Up @@ -24,6 +24,18 @@ rules:
- patch
- update
- watch
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- bpfman.io
resources:
Expand All @@ -36,6 +48,14 @@ rules:
- patch
- update
- watch
- apiGroups:
- config.openshift.io
resources:
- apiservers
verbs:
- get
- list
- watch
- apiGroups:
- ingressnodefirewall.openshift.io
resources:
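Review bot: TokenReview and SubjectAccessReview are cluster-scoped resources, so the new `authentication.k8s.io`/`tokenreviews` and `authorization.k8s.io`/`subjectaccessreviews` rules only take effect if this manifest is a `ClusterRole`; the `kind:` line is outside the hunk, so please confirm. The verbs are already minimal (`create` for the two review resources, `get`/`list`/`watch` for `config.openshift.io`/`apiservers`), which is the least privilege needed for delegated authn/authz and for reading the cluster TLS profile. If this file is generated by controller-gen from `+kubebuilder:rbac` markers, as the matching `controller-gen` version bump in the CRDs suggests, the markers are the place to review rather than this output.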