CMP-4147: Use OpenShift API server TLS configuration #1106

Open
rhmdnd wants to merge 3 commits into ComplianceAsCode:master from rhmdnd:CMP-4147

@rhmdnd rhmdnd commented Mar 11, 2026

Look to the OpenShift API server for TLS configuration settings instead
of hardcoding our own. This makes the operator respect cluster-wide TLS
settings when configured to do so.

@openshift-ci-robot

@rhmdnd: This pull request references CMP-4147 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

@openshift-ci openshift-ci bot requested review from Vincent056 and jhrozek March 11, 2026 21:01
openshift-ci bot commented Mar 11, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhmdnd

}
return nil
}

Collaborator Author

revert this

@github-actions

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1106-88e3807081737d637590918ae3e6b1e150948f75

@richardsonnick

This PR depends on #2114 and #7635, which add the tlsAdherence helpers and API fields.

rhmdnd added 3 commits March 18, 2026 15:13
We need to vendor in updated versions of the openshift/api and
openshift/library-go so we can implement TLS consistency. Specifically so
that the Compliance Operator looks to the OpenShift API server for its
TLS settings.

We need to update some areas of our code affected by API changes in the
new dependencies.

 - Update MakeSelfSignedCAConfig: The library-go MakeSelfSignedCAConfig
   function arguments changed. Use the correct type based on the latest
   versions of library-go, which use time.Duration instead of an int.

 - Fix prometheus label types in e2e tests: Newer versions of prometheus
   changed Label types. This commit updates the test code we use so that
   we can bump the dependency and pull in newer versions of prometheus.

 - Bumped the version of MCO to be compatible with newer versions of the
   OpenShift API, which removed several feature gate constants that MCO
   was using.

Assisted-By: Claude Code (Opus 4.6)

The dependency updates for openshift/api and openshift/library-go pulled
in new versions of structured-merge-diff (v4 -> v6), which is apparently
more strict and fails with how we're using MCO in unit tests. This
commit uses WithObjectTracker to bypass field management in unit tests.
It also uses constants for various assertions instead of the returned
objects' kind or group values (which are getting reset to "" after
calling Get(), which is a new behavior on controller-runtime to be
consistent with what the OpenShift API server does).

Look to the OpenShift API server for TLS configuration settings instead
of hardcoding our own. This makes the operator respect cluster-wide TLS
settings when configured to do so.

@github-actions

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1106-9abbfeff361dfde564bbd82f34f97cfb0f6c6014

openshift-ci bot commented Mar 18, 2026

@rhmdnd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-rosa | 9abbfef | link | true | /test e2e-rosa |
| ci/prow/e2e-aws-parallel-arm | 9abbfef | link | true | /test e2e-aws-parallel-arm |
| ci/prow/e2e-aws-serial-arm | 9abbfef | link | true | /test e2e-aws-serial-arm |
| ci/prow/e2e-aws-serial | 9abbfef | link | true | /test e2e-aws-serial |
| ci/prow/e2e-aws-parallel | 9abbfef | link | true | /test e2e-aws-parallel |
