
feat(tls): inject centrally managed TLS config into pipelines-as-code#3385

Open
jkhelil wants to merge 1 commit into tektoncd:main from jkhelil:tls-pac-webhook

Conversation

@jkhelil (Member) commented Apr 30, 2026

Summary

Extends the OpenShift TLS centralization pattern to the pipelines-as-code-webhook deployment (SRVKP-9616), completing the webhook TLS trilogy alongside the Pipelines and Triggers PRs.

What changes

openshiftpipelinesascode/extension.go — switched to pointer receiver; added tektonConfigLister and resolvedTLSConfig fields. PreReconcile resolves the cluster APIServer TLS profile via ResolveCentralTLSToEnvVars. Transformers injects TLS_MIN_VERSION and TLS_CIPHER_SUITES into the pipelines-as-code-webhook deployment (pac-webhook container) when a profile is resolved.

pipelinesascode/pipelinesascode.go — EnsureOpenShiftPipelinesAsCodeExists, createOPAC, and updateOPAC now accept and propagate a platformData string parameter, stamped as the operator.tekton.dev/platform-data-hash annotation on the OpenShiftPipelinesAsCode CR. This triggers re-reconciliation when the APIServer TLS profile changes.

openshift/tektonconfig/extension.go — PostReconcile passes oe.GetPlatformData() (the APIServer TLS hash) into EnsureOpenShiftPipelinesAsCodeExists.

kubernetes/tektonconfig/extension.go — Kubernetes-side caller updated to pass "" (no platform data on Kubernetes).

extension_test.go (new) — 3 table-driven tests: no TLS config, injection into pac-webhook, no injection into unrelated deployments.

Evidence

=== pipelines-as-code-webhook ===
TLS_MIN_VERSION=1.2
TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,...
=== OpenShiftPipelinesAsCode PlatformDataHashKey ===
{"operator.tekton.dev/platform-data-hash":"d96e4890584e1fc72e863f47ee42b735054cfe7e5af8df11c1ae9d499150c129"}
Changing the cluster APIServer TLS profile updates the hash annotation and triggers a redeploy with the new settings — same verified behavior as Pipelines and Triggers PRs.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Release Notes

On OpenShift, the `pipelines-as-code-webhook` deployment now automatically inherits the cluster-wide TLS version and cipher suites from the OpenShift APIServer TLS security profile. Changes to the profile are automatically propagated without manual intervention.
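An added example, not code from the PR or the operator, showing the resolve-then-inject flow the description outlines: map the cluster TLS profile to the two env vars, then upsert them into exactly one container of exactly one deployment and leave everything else alone. It uses simplified stand-in types rather than the k8s.io/api Deployment and a stand-in for the operator's real ResolveCentralTLSToEnvVars; the cipher lists are illustrative, not the exact OpenShift profile contents, and every type, function and field name here is an assumption for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the Deployment and container shapes the operator's
// Transformers step edits. These are not the k8s.io/api types; they exist so
// the example runs without a cluster or the operator's dependencies.
type EnvVar struct{ Name, Value string }
type Container struct {
	Name string
	Env  []EnvVar
}
type Deployment struct {
	Name       string
	Containers []Container
}

// TLSProfile mirrors spec.tlsSecurityProfile.type on the OpenShift APIServer.
type TLSProfile string

const (
	ProfileOld          TLSProfile = "Old"
	ProfileIntermediate TLSProfile = "Intermediate"
)

// resolveCentralTLSToEnvVars maps the cluster profile to the two env vars the
// PR injects. Minimum versions follow the thread (Old -> 1.0, Intermediate ->
// 1.2); the cipher lists are illustrative (assumption). A nil result means "no
// profile resolved", the case in which the transformer must touch nothing.
func resolveCentralTLSToEnvVars(p TLSProfile) []EnvVar {
	var minVersion string
	var ciphers []string
	switch p {
	case ProfileOld:
		minVersion = "1.0"
		ciphers = []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
			"TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}
	case ProfileIntermediate:
		minVersion = "1.2"
		ciphers = []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
			"TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}
	default:
		return nil
	}
	return []EnvVar{
		{Name: "TLS_MIN_VERSION", Value: minVersion},
		{Name: "TLS_CIPHER_SUITES", Value: strings.Join(ciphers, ",")},
	}
}

// injectTLSEnv upserts env vars into one named container of one named
// deployment and reports whether anything changed. Other deployments and
// containers are left alone, and re-running with the same values is a no-op,
// so the transformer is safe to apply on every reconcile.
func injectTLSEnv(d *Deployment, deployName, containerName string, env []EnvVar) bool {
	if d.Name != deployName || len(env) == 0 {
		return false
	}
	changed := false
	for ci := range d.Containers {
		c := &d.Containers[ci]
		if c.Name != containerName {
			continue
		}
		for _, want := range env {
			found := false
			for ei := range c.Env {
				if c.Env[ei].Name != want.Name {
					continue
				}
				found = true
				if c.Env[ei].Value != want.Value {
					c.Env[ei].Value = want.Value
					changed = true
				}
			}
			if !found {
				c.Env = append(c.Env, want)
				changed = true
			}
		}
	}
	return changed
}

func main() {
	// Constructed sample deployment; container name matches the PR's target.
	webhook := Deployment{Name: "pipelines-as-code-webhook",
		Containers: []Container{{Name: "pac-webhook"}}}
	env := resolveCentralTLSToEnvVars(ProfileIntermediate)
	fmt.Println("changed:", injectTLSEnv(&webhook, "pipelines-as-code-webhook", "pac-webhook", env))
	fmt.Println(webhook.Containers[0].Env)
}
```

The nil-return-on-no-profile and the name checks in injectTLSEnv correspond to the three table-driven cases the description lists (no TLS config, injection into pac-webhook, no injection into unrelated deployments); the change flag is what lets a second pass with a new profile update values in place instead of appending duplicates.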

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Apr 30, 2026
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Apr 30, 2026
@jkhelil (Member Author) commented Apr 30, 2026

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 30, 2026
@jkhelil jkhelil force-pushed the tls-pac-webhook branch 3 times, most recently from 03034ff to 6894bb5 on May 5, 2026 10:43
@jkhelil (Member Author) commented May 5, 2026

Evidence: TLS injection into PAC controller, watcher, and webhook + dynamic propagation

This comment extends the original evidence to cover the full PAC TLS scope:

  • pipelines-as-code-controller (pac-controller)
  • pipelines-as-code-watcher (pac-watcher)
  • pipelines-as-code-webhook (pac-webhook)

And validates the automatic propagation flow end-to-end after a fix to the InstallerSet hash computation.


1. Baseline — APIServer: Intermediate (TLSv1.2)

$ kubectl get apiserver cluster -o jsonpath='{.spec.tlsSecurityProfile.type}'
Intermediate

$ kubectl get openshiftpipelinesascode pipelines-as-code \
    -o jsonpath='{.metadata.annotations.operator\.tekton\.dev/platform-data-hash}'
d96e4890584e1fc72e863f47ee42b735054cfe7e5af8df11c1ae9d499150c129

$ kubectl get tektoninstallerset openshiftpipelinesascode-main-deployment-ldjp7 \
    -o jsonpath='{.metadata.annotations.operator\.tekton\.dev/last-applied-hash}'
952b8c90d99c31da85c8e8f1ac93bc84fff0d47c78ec06121fcdde813a062365

All three PAC deployments — TLS_MIN_VERSION=1.2, confirmed in both the InstallerSet manifests and the live Deployments:

=== pipelines-as-code-controller (pac-controller) ===
  TLS_MIN_VERSION=1.2
  TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,...

=== pipelines-as-code-watcher (pac-watcher) ===
  TLS_MIN_VERSION=1.2
  TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,...

=== pipelines-as-code-webhook (pac-webhook) ===
  TLS_MIN_VERSION=1.2
  TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,...

2. Switch to Old profile (TLSv1.0)

$ kubectl patch apiserver cluster --type=merge \
    -p '{"spec":{"tlsSecurityProfile":{"type":"Old","old":{}}}}'
apiserver.config.openshift.io/cluster patched

~20 seconds later, automatic propagation — no operator restart, no manual intervention:

$ kubectl get openshiftpipelinesascode pipelines-as-code \
    -o jsonpath='{.metadata.annotations.operator\.tekton\.dev/platform-data-hash}'
c44729544d9530f284d40bdab2891509f656c9f9512e06c45fa6b122daf28ec9   ← changed

$ kubectl get tektoninstallerset openshiftpipelinesascode-main-deployment-ldjp7 \
    -o jsonpath='{.metadata.annotations.operator\.tekton\.dev/last-applied-hash}'
eedb46d65fd06a9181fc1c3d01b4e80419f8687cb68dc9759a3118fd01b4ad21   ← updated

All three PAC deployments updated automatically:

=== pipelines-as-code-controller (pac-controller) ===
  TLS_MIN_VERSION=1.0   ← updated from 1.2

=== pipelines-as-code-watcher (pac-watcher) ===
  TLS_MIN_VERSION=1.0   ← updated from 1.2

=== pipelines-as-code-webhook (pac-webhook) ===
  TLS_MIN_VERSION=1.0   ← updated from 1.2

3. Restore Intermediate — reverts automatically

$ kubectl patch apiserver cluster --type=merge \
    -p '{"spec":{"tlsSecurityProfile":{"type":"Intermediate","old":null}}}'
apiserver.config.openshift.io/cluster patched

~20 seconds later:

pipelines-as-code-controller (pac-controller): TLS_MIN_VERSION=1.2   ← reverted
pipelines-as-code-watcher (pac-watcher):       TLS_MIN_VERSION=1.2   ← reverted
pipelines-as-code-webhook (pac-webhook):        TLS_MIN_VERSION=1.2   ← reverted

Summary table

| Event | platform-data-hash | InstallerSet last-applied-hash | TLS_MIN_VERSION (all 3 PAC deployments) |
|---|---|---|---|
| Baseline (Intermediate) | d96e4890… | 952b8c90… | 1.2 |
| After switch to Old | c44729544… | eedb46d65… | 1.0 |
| After restore Intermediate | d96e4890… | reverted | 1.2 |

Operator image: quay.io/jkhelil/operator-1d69a75f22dd094880847eac907fb2c1@sha256:3b90671df72a91c3a82821ac7779eec0f047929823a92d012e03f54158271c7a

@jkhelil jkhelil force-pushed the tls-pac-webhook branch from 6894bb5 to 4b70c98 on May 5, 2026 11:22
@jkhelil (Member Author) commented May 12, 2026

/kind feature

@anithapriyanatarajan anithapriyanatarajan changed the title feat(tls): inject centrally managed TLS config into pipelines-as-codde feat(tls): inject centrally managed TLS config into pipelines-as-code May 21, 2026
@anithapriyanatarajan (Contributor) commented:
@jkhelil - same comment as for PR#3383 and PR#3384 related to webhook env vars. Please consider updating the var names prefixed with WEBHOOK_

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 21, 2026
@jkhelil jkhelil force-pushed the tls-pac-webhook branch from 4b70c98 to bfd5d31 on May 21, 2026 11:45
@tekton-robot tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 21, 2026
@anithapriyanatarajan (Contributor) commented:
@jkhelil - Thank you for the update. The controller and watcher correctly have the env vars as TLS_CIPHER_SUITES and TLS_MIN_VERSION while the webhook has the values as WEBHOOK_TLS_MIN_VERSION and WEBHOOK_TLS_CIPHER_SUITES.

Could you check the ci failure for e2e tests?

Comment on lines +142 to +148:

    expectedHash, err := hash.Compute(struct {
        Spec             interface{}
        PlatformDataHash string
    }{
        Spec:             comp.GetSpec(),
        PlatformDataHash: comp.GetAnnotations()[v1alpha1.PlatformDataHashKey],
    })

Member commented:

Question: Why did we need to replace the usage of specHashInput here when it essentially does the same thing, with the key name being different (PlatformData -> PlatformDataHash)?

Same for other occurrences of hash calculation.
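An added example, not the operator's code, of why folding the platform-data hash into the InstallerSet hash input matters (the comparison the snippet above feeds). computeHash stands in for the operator's hash.Compute (assumed here to be canonical JSON plus SHA-256), Component for the OpenShiftPipelinesAsCode CR, and platformHashFor for whatever the operator derives from the APIServer profile; all three are assumptions for illustration. The spec-only variant shows the failure mode the thread's "fix to the InstallerSet hash computation" addresses: the profile changes, the spec does not, and nothing is re-applied.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// PlatformDataHashKey is the annotation name used in the PR.
const PlatformDataHashKey = "operator.tekton.dev/platform-data-hash"

// Component is a stand-in for the OpenShiftPipelinesAsCode CR: a spec plus
// metadata annotations. It is not the operator's v1alpha1 type (assumption).
type Component struct {
	Spec        map[string]string
	Annotations map[string]string
}

// computeHash stands in for the operator's hash.Compute: canonical JSON of the
// input, SHA-256, hex (assumption; map keys are sorted by encoding/json).
func computeHash(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// specOnlyHash is the pre-fix shape: the spec alone. A TLS profile change
// leaves the spec untouched, so this value never moves.
func specOnlyHash(c Component) (string, error) {
	return computeHash(struct{ Spec interface{} }{Spec: c.Spec})
}

// specAndPlatformHash folds the platform-data-hash annotation into the input,
// as the reviewed snippet does, so a profile change with an unchanged spec
// still yields a new last-applied-hash.
func specAndPlatformHash(c Component) (string, error) {
	return computeHash(struct {
		Spec             interface{}
		PlatformDataHash string
	}{
		Spec:             c.Spec,
		PlatformDataHash: c.Annotations[PlatformDataHashKey],
	})
}

// needsReapply compares the hash recorded on the existing InstallerSet with
// the freshly computed expectation; a mismatch means re-apply.
func needsReapply(lastApplied string, c Component) (bool, error) {
	expected, err := specAndPlatformHash(c)
	if err != nil {
		return false, err
	}
	return expected != lastApplied, nil
}

// platformHashFor simulates the value the operator stamps from the APIServer
// profile (assumption); only the fact that it changes with the profile matters.
func platformHashFor(profile string) string {
	sum := sha256.Sum256([]byte("apiserver-tls:" + profile))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample CR: same spec before and after a profile switch.
	cr := Component{Spec: map[string]string{"targetNamespace": "openshift-pipelines"},
		Annotations: map[string]string{PlatformDataHashKey: platformHashFor("Intermediate")}}
	before, _ := specAndPlatformHash(cr)
	beforeSpecOnly, _ := specOnlyHash(cr)
	cr.Annotations[PlatformDataHashKey] = platformHashFor("Old")
	after, _ := specAndPlatformHash(cr)
	afterSpecOnly, _ := specOnlyHash(cr)
	fmt.Println("spec-only hash changed:", beforeSpecOnly != afterSpecOnly)
	fmt.Println("spec+platform hash changed:", before != after)
	re, _ := needsReapply(before, cr)
	fmt.Println("InstallerSet re-apply needed:", re)
}
```

Whatever the exact wrapper struct is called, the security-relevant property is that every input that should force a redeploy (here, the resolved TLS profile) is part of the hashed value; otherwise a weakened or strengthened cluster profile silently leaves the running webhook on its old TLS settings until something unrelated changes the spec.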

@jkhelil (Member Author) commented May 26, 2026

/retest

@jkhelil jkhelil force-pushed the tls-pac-webhook branch 3 times, most recently from 2c8f2cd to 0041dde on May 26, 2026 06:48
@jkhelil (Member Author) commented May 26, 2026

/retest

@jkhelil jkhelil force-pushed the tls-pac-webhook branch from 0041dde to 0334429 on May 28, 2026 08:02
@anithapriyanatarajan (Contributor) commented:
@jkhelil - NIT: Do we need the TLS vars injected to controller and watcher deployments?

@anithapriyanatarajan (Contributor) commented:
/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 28, 2026
… deployment and webhook

Extend the OpenShift TLS centralization pattern to the Pipelines-as-Code webhook.

The openshiftpipelinesascode extension now resolves the cluster-wide
APIServer TLS security profile in PreReconcile and injects the resulting
TLS_MIN_VERSION and TLS_CIPHER_SUITES environment variables into the
pipelines-as-code-webhook deployment (pac-webhook container) via the
Transformers step.

PlatformDataHashKey propagation is wired through
EnsureOpenShiftPipelinesAsCodeExists / createOPAC / updateOPAC so that
any change to the cluster APIServer TLS profile automatically re-reconciles
the OpenShiftPipelinesAsCode CR and redeploys the webhook with the updated
settings.

Resolves: SRVKP-9616
Made-with: Cursor
@jkhelil jkhelil force-pushed the tls-pac-webhook branch from 0334429 to 6b652b8 on May 29, 2026 04:35
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label May 29, 2026
@tekton-robot (Contributor) commented:
New changes are detected. LGTM label has been removed.

@tekton-robot (Contributor) commented:
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: theakshaypant
To complete the pull request process, please ask for approval from anithapriyanatarajan after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jkhelil (Member Author) commented May 29, 2026

/retest


Labels

kind/feature Categorizes issue or PR as related to a new feature. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.


4 participants