
[feat]Add centrally managed TLS configuration for console-plugin nginx#3218

Merged
tekton-robot merged 1 commit into tektoncd:main from jkhelil:SRVKP-9632 on May 29, 2026

Conversation

@jkhelil (Member) commented Feb 16, 2026

Summary

Enables the console-plugin nginx server to inherit TLS settings from the centrally managed APIServer TLS Profile for Post-Quantum Cryptography (PQC) readiness compliance.

Changes

  • Modified: pkg/reconciler/openshift/tektonconfig/console_plugin_reconciler.go

    • Added TLS parameters support (TLS_MIN_VERSION, TLS_CIPHER_SUITES, TLS_CURVE_PREFERENCES)
    • Implemented nginx.conf transformation to inject TLS directives
    • Added fail-safe defaults when env vars are not set
    • Cipher suites intentionally skipped (using nginx secure defaults)
  • Modified: pkg/reconciler/openshift/tektonconfig/console_plugin_reconciler_test.go

    • Added comprehensive unit tests for TLS configuration
    • 22 test cases covering all scenarios (default, partial, full config)

Test Results

Test 1: Default Configuration (No Env Vars)

Environment:

  • No TLS environment variables set

Generated nginx.conf:

server {
    ssl_protocols TLSv1.2 TLSv1.3;
    listen              8443 ssl;
    listen              [::]:8443 ssl;
    ssl_certificate     /var/cert/tls.crt;
    ssl_certificate_key /var/cert/tls.key;
    root                /usr/share/nginx/html;
}

Result: ✅ Pod starts successfully, TLS 1.3 negotiated, no errors


Test 2: With TLS Environment Variables

Environment:

TLS_MIN_VERSION=VersionTLS13
TLS_CURVE_PREFERENCES=X25519,prime256v1,secp384r1

Generated nginx.conf:

server {
    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    listen              8443 ssl;
    listen              [::]:8443 ssl;
    ssl_certificate     /var/cert/tls.crt;
    ssl_certificate_key /var/cert/tls.key;
    root                /usr/share/nginx/html;
}

Result: ✅ Pod starts successfully, TLS 1.3 negotiated, curves applied, no errors

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Release Notes

The console-plugin nginx server now inherits TLS settings from the centrally managed APIServer TLS Profile, improving Post-Quantum Cryptography (PQC) readiness compliance on OpenShift.
The nginx server reads TLS configuration from the APIServer profile (TLS_MIN_VERSION, TLS_CIPHER_SUITES, TLS_CURVE_PREFERENCES) and injects it into nginx.conf at runtime.
When no TLS parameters are set, the server falls back to secure defaults (TLSv1.2 and TLSv1.3).
Cipher suites are intentionally delegated to nginx's built-in secure defaults.

@tekton-robot tekton-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none Denotes a PR that doesn't merit a release note. labels Feb 16, 2026
@tekton-robot tekton-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Feb 16, 2026
@jkhelil jkhelil changed the title [WIP]Add centrally managed TLS configuration for console-plugin nginx [feat]Add centrally managed TLS configuration for console-plugin nginx May 5, 2026
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 5, 2026
@jkhelil (Member, Author) commented May 5, 2026

Manual Validation — TLS Propagation from APIServer Profile to nginx

Tested on OCP cluster: api.ci-ln-sbyz8bb-76ef8.aws-4.ci.openshift.org:6443

Setup

kubectl patch tektonconfig config --type=merge \
  -p '{"spec":{"platforms":{"openShift":{"enableCentralTLSConfig":true}}}}'

Test 1 — Intermediate Profile (default, no tlsSecurityProfile set)

APIServer TLS Profile:

{"intermediate":{},"type":"Intermediate"}

Generated nginx.conf (server block):

  server {
    ssl_protocols TLSv1.2 TLSv1.3;
    listen              8443 ssl;
    listen              [::]:8443 ssl;
    ssl_certificate     /var/cert/tls.crt;
    ssl_certificate_key /var/cert/tls.key;
    root                /usr/share/nginx/html;
  }

ssl_protocols TLSv1.2 TLSv1.3 correctly reflects the Intermediate profile


Test 2 — Old Profile (TLS 1.0+)

kubectl patch apiserver cluster --type=merge \
  -p '{"spec":{"tlsSecurityProfile":{"type":"Old","old":{}}}}'

Generated nginx.conf (server block) after reconcile:

  server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    listen              8443 ssl;
    ...
  }

ssl_protocols updated dynamically — InstallerSet recreated automatically


Observations

  • TLS profile changes propagate without operator restart — the hash-based reconcile loop detects the change and recreates the console plugin InstallerSet
  • TektonConfig status remains Ready: True throughout
  • ssl_protocols indentation matches the rest of the nginx server block (4 spaces)
  • Cipher suites are intentionally not configured (nginx TLS 1.3 secure defaults apply)

TektonConfig state: enableCentralTLSConfig: true, Ready: True
InstallerSet: tekton-config-console-plugin-manifests-xjwtk True
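The two comments above show the same transformation from two angles: the PR description gives the env-var inputs (TLS_MIN_VERSION, TLS_CURVE_PREFERENCES) and the rendered directives, and the manual validation shows how the Intermediate and Old APIServer profiles end up as different ssl_protocols lists. The Go program below is an added illustration of that mapping and is not the operator's code from this PR. It assumes the function names TLSDirectives and InjectTLS, assumes that minimum versions other than VersionTLS13 are spelled like Go's crypto/tls constants (VersionTLS10, VersionTLS11, VersionTLS12), and uses a server block constructed from the nginx.conf shown on the page as sample input. TLS_CIPHER_SUITES is accepted and deliberately left unrendered, matching the PR's stated choice to keep nginx's built-in cipher defaults.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// nginxProtocols lists protocol names as nginx spells them, oldest first.
var nginxProtocols = []string{"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

// minVersionIndex maps a TLS_MIN_VERSION value to the first protocol nginx
// should offer. VersionTLS13 is the value seen on the page; the other three
// are assumed to follow Go's crypto/tls constant names.
var minVersionIndex = map[string]int{
	"VersionTLS10": 0,
	"VersionTLS11": 1,
	"VersionTLS12": 2,
	"VersionTLS13": 3,
}

// defaultProtocols is the fail-safe used when TLS_MIN_VERSION is unset or
// not recognised (the PR's "secure defaults": TLSv1.2 and TLSv1.3).
const defaultProtocols = "TLSv1.2 TLSv1.3"

// TLSDirectives renders the ssl_* directives for the given env-var values
// (hypothetical helper name). An unknown minimum version falls back to the
// defaults rather than producing an nginx.conf nginx would refuse to load.
func TLSDirectives(minVersion, curves, cipherSuites string) []string {
	protos := defaultProtocols
	if i, ok := minVersionIndex[strings.TrimSpace(minVersion)]; ok {
		protos = strings.Join(nginxProtocols[i:], " ")
	}
	out := []string{"ssl_protocols " + protos + ";"}
	if c := strings.TrimSpace(curves); c != "" {
		// The env var is comma-separated; nginx's ssl_ecdh_curve wants colons.
		parts := strings.Split(c, ",")
		for i := range parts {
			parts[i] = strings.TrimSpace(parts[i])
		}
		out = append(out, "ssl_ecdh_curve "+strings.Join(parts, ":")+";")
	}
	// Cipher suites are intentionally not rendered; nginx's defaults apply.
	_ = cipherSuites
	return out
}

// InjectTLS inserts the directives as the first lines of each server { block,
// reusing the indentation of the block's first body line (4 spaces in the
// page's nginx.conf) so the result matches the surrounding layout.
func InjectTLS(conf string, directives []string) string {
	lines := strings.Split(conf, "\n")
	out := make([]string, 0, len(lines)+len(directives))
	for i, line := range lines {
		out = append(out, line)
		if strings.TrimSpace(line) != "server {" {
			continue
		}
		indent := "    "
		if i+1 < len(lines) && strings.TrimSpace(lines[i+1]) != "" {
			next := lines[i+1]
			indent = next[:len(next)-len(strings.TrimLeft(next, " \t"))]
		}
		for _, d := range directives {
			out = append(out, indent+d)
		}
	}
	return strings.Join(out, "\n")
}

// baseConf is a constructed sample mirroring the server block on the page.
const baseConf = `server {
    listen              8443 ssl;
    listen              [::]:8443 ssl;
    ssl_certificate     /var/cert/tls.crt;
    ssl_certificate_key /var/cert/tls.key;
    root                /usr/share/nginx/html;
}`

func main() {
	d := TLSDirectives(
		os.Getenv("TLS_MIN_VERSION"),
		os.Getenv("TLS_CURVE_PREFERENCES"),
		os.Getenv("TLS_CIPHER_SUITES"),
	)
	fmt.Println(InjectTLS(baseConf, d))
}
```

Run it with no environment to see the Test 1 output from the description, with TLS_MIN_VERSION=VersionTLS13 TLS_CURVE_PREFERENCES=X25519,prime256v1,secp384r1 for Test 2, and with TLS_MIN_VERSION=VersionTLS10 to reproduce the Old-profile protocol list from the manual validation.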

@jkhelil jkhelil force-pushed the SRVKP-9632 branch 3 times, most recently from 2b60193 to b354742 on May 11, 2026 11:24
@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels May 12, 2026
@jkhelil (Member, Author) commented May 12, 2026

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label May 12, 2026
@jkhelil jkhelil force-pushed the SRVKP-9632 branch 3 times, most recently from f5c1470 to bf9a842 on May 21, 2026 11:48
Comment thread on pkg/reconciler/openshift/tektonconfig/console_plugin_reconciler.go
@anithapriyanatarajan (Contributor)

@jkhelil - NIT: the PR description mentions injecting VARS, whereas the actual implementation sets the SSL directives in the nginx conf. Thank you.

@anithapriyanatarajan (Contributor)

@jkhelil - feature-wise, this PR was assessed by following the steps below:

oc -n openshift-pipelines port-forward svc/pipelines-console-plugin 8443:8443 &

# Highest version probe
echo | openssl s_client -connect localhost:8443 -tls1_3 2>&1 | grep -E 'Protocol|Server Temp Key'
# Expected: Protocol: TLSv1.3, Server Temp Key: X25519MLKEM768 (the PQC group!) (PASSED)

# Force PQC only — proves the server picks it
echo | openssl s_client -connect localhost:8443 -tls1_3 -groups X25519MLKEM768 2>&1 | grep -E 'Server Temp Key|handshake failure'
# Expected: Server Temp Key: X25519MLKEM768 (no failure) (PASSED)

# Force pre-TLS1.2 — must be rejected when profile is Modern/Intermediate
echo | openssl s_client -connect localhost:8443 -tls1_1 2>&1 \
   | grep -Eo 'handshake failure|no protocols|alert'
# Expected: handshake failure  (PASSED)

The upstream nginx image supports the expected directive and ML-KEM in the OpenSSL groups.

[Screenshot omitted: "Screenshot From 2026-05-28 20-39-20"]

We need to make sure of these while doing the downstream build as well. Thank you.

@anithapriyanatarajan (Contributor)

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 28, 2026
@pratap0007 (Contributor)

/lgtm

@anithapriyanatarajan (Contributor)

/approve

@tekton-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anithapriyanatarajan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details: Needs approval from an approver in each of these files:
  • OWNERS [anithapriyanatarajan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 29, 2026
@tekton-robot tekton-robot merged commit 4573cf5 into tektoncd:main May 29, 2026
16 checks passed