Skip to content

Add TLS adherance feature gate #2680

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
richardsonnick wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Add TLS adherance feature gate #2680

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
fe308fa
Add: Support for specifying elliptic curves in TLS handshake
Sep 30, 2025
93fe07b
Update config/v1/types_tlssecurityprofile.go
richardsonnick Oct 2, 2025
e633d3a
Merge branch 'openshift:master' into master
richardsonnick Nov 6, 2025
2b68a19
Merge branch 'openshift:master' into master
richardsonnick Nov 20, 2025
6957eeb
Merge branch 'openshift:master' into master
richardsonnick Jan 20, 2026
74c76ea
Merge branch 'openshift:master' into master
richardsonnick Jan 29, 2026
d0a2bac
Add TLSAdherence feature gate
richardsonnick Jan 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions config/v1/types_apiserver.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,26 @@ type APIServerSpec struct {
// The current default is the Intermediate profile.
// +optional
TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
// tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
// configured on this APIServer resource.
//
// Valid values are "Legacy" and "Strict".
//
// When set to "Legacy" (the default), components attempt to honor the configured TLS profile
// but may fall back to their individual defaults if conflicts arise. This mode is intended for
// clusters that need to maintain compatibility with existing configurations during migration.
Comment on lines +70 to +72
Copy link
Member

@joelanford joelanford Jan 29, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought Legacy was going to essentially mean "only the externally exposed API server components", and Strict will mean "ALL cluster components with the exception of Kubelet-related and Ingress-related servers"?

I also think we should update GoDoc for the TLSSecurityProfile field, which currently says "for externally exposed servers". With TLSAdherence in the mix, what the profile is for depends on the TLSAdherence value.

But that should doc change should also only apply when the feature gate is enabled. I think @JoelSpeed said there's a way to do that?

Copy link
Member

@joelanford joelanford Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also wonder if we should improve the naming of the enums to more accurately describe what they do? For example:

  • LegacyExternalAPIServerComponentsOnly
  • StrictAllComponents

Or something along those lines?

//
// When set to "Strict", all components must strictly honor the configured TLS profile.
// This mode is recommended for security-conscious deployments and is required for
// certain compliance frameworks.
//
// Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
//
// When omitted, the default value is "Legacy".
// +openshift:enable:FeatureGate=TLSAdherence
// +optional
TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`
Comment on lines +65 to +84
Copy link

@coderabbitai coderabbitai bot Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Documentation inconsistency with CRD manifests.

The Go type documentation for TLSAdherence does not mention that Kubelet and IngressController components are excluded from tlsAdherence control, but the CRD manifests (TechPreviewNoUpgrade.crd.yaml and DevPreviewNoUpgrade.crd.yaml) include this important note:

"Note: The Kubelet and IngressController components are excluded from tlsAdherence control as they have their own dedicated TLS configuration mechanisms via KubeletConfig and IngressController CRs respectively."

Consider adding this exclusion note to the Go type documentation to maintain consistency and ensure generated API documentation reflects this important caveat.

📝 Suggested documentation addition 
 	// Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
 	// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
 	//
+	// Note: The Kubelet and IngressController components are excluded from tlsAdherence control
+	// as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
+	// IngressController CRs respectively.
+	//
 	// When omitted, the default value is "Legacy".
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
// configured on this APIServer resource.
//
// Valid values are "Legacy" and "Strict".
//
// When set to "Legacy" (the default), components attempt to honor the configured TLS profile
// but may fall back to their individual defaults if conflicts arise. This mode is intended for
// clusters that need to maintain compatibility with existing configurations during migration.
//
// When set to "Strict", all components must strictly honor the configured TLS profile.
// This mode is recommended for security-conscious deployments and is required for
// certain compliance frameworks.
//
// Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
//
// When omitted, the default value is "Legacy".
// +openshift:enable:FeatureGate=TLSAdherence
// +optional
TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`
// tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
// configured on this APIServer resource.
//
// Valid values are "Legacy" and "Strict".
//
// When set to "Legacy" (the default), components attempt to honor the configured TLS profile
// but may fall back to their individual defaults if conflicts arise. This mode is intended for
// clusters that need to maintain compatibility with existing configurations during migration.
//
// When set to "Strict", all components must strictly honor the configured TLS profile.
// This mode is recommended for security-conscious deployments and is required for
// certain compliance frameworks.
//
// Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
//
// Note: The Kubelet and IngressController components are excluded from tlsAdherence control
// as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
// IngressController CRs respectively.
//
// When omitted, the default value is "Legacy".
// +openshift:enable:FeatureGate=TLSAdherence
// +optional
TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`
🤖 Prompt for AI Agents 
In `@config/v1/types_apiserver.go` around lines 65 - 84, Update the TLSAdherence
field documentation to include the exclusion note from the CRD manifests:
explicitly state that Kubelet and IngressController are excluded from
tlsAdherence control and instead use their own TLS config (KubeletConfig and
IngressController CRs). Edit the comment above the TLSAdherence
TLSAdherencePolicy field (the docblock that documents TLSAdherence) to append a
short sentence noting this exclusion so generated API docs reflect the same
caveat as the CRD manifests.

// audit specifies the settings for audit configuration to be applied to all OpenShift-provided
// API servers in the cluster.
// +optional
Expand Down Expand Up @@ -237,6 +257,23 @@ const (
type APIServerStatus struct {
}

// TLSAdherencePolicy defines how strictly components adhere to the TLS security profile.
// +kubebuilder:validation:Enum=Legacy;Strict
type TLSAdherencePolicy string

const (
// TLSAdherenceLegacy provides backward-compatible behavior where components attempt to
// honor the configured TLS profile but may fall back to their individual defaults if
// conflicts arise. This mode is intended for clusters that need to maintain compatibility
// with existing configurations during migration.
TLSAdherenceLegacy TLSAdherencePolicy = "Legacy"

// TLSAdherenceStrict enforces strict adherence to the TLS configuration. All components
// must honor the configured profile. This mode is recommended for security-conscious
// deployments and is required for certain compliance frameworks.
TLSAdherenceStrict TLSAdherencePolicy = "Strict"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
Expand Down
8 changes: 8 additions & 0 deletions config/v1/types_tlssecurityprofile.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,14 @@ type TLSProfileSpec struct {
//
// +listType=atomic
Ciphers []string `json:"ciphers"`
// curves is used to specify the elliptic curves that are used during
// the TLS handshake. Operators may remove entries their operands do
// not support. For example, to use X25519 and P-256 (yaml):
//
// curves:
// - X25519
// - P-256
Copy link
Member

@joelanford joelanford Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If/when we do add Curves field, it needs to be introduced behind a feature gate.

Curves []string `json:"curves,omitempty"`
Comment on lines +171 to +178
Copy link
Member

@joelanford joelanford Jan 29, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on my read of openshift/enhancements#1894, it seems like very few components currently handle TLS curve configuration.

And I don't think we will be able to promote this full set of API changes unless components handle all of MinTLSVersion, CipherSuites, and Curves.

I am worried that the upstream's lack of curves support might take some time and would therefore block the rest of the feature around honoring the min TLS and cipher suites configuration.

Should we remove Curves from this PR or configure it to be present with a separate feature gate?

// minTLSVersion is used to specify the minimal version of the TLS protocol
// that is negotiated during the TLS handshake. For example, to use TLS
// versions 1.1, 1.2 and 1.3 (yaml):
Expand Down
39 changes: 39 additions & 0 deletions ...zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -292,6 +292,33 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
tlsAdherence:
description: |-
tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
configured on this APIServer resource.

Valid values are "Legacy" and "Strict".

When set to "Legacy" (the default), components attempt to honor the configured TLS profile
but may fall back to their individual defaults if conflicts arise. This mode is intended for
clusters that need to maintain compatibility with existing configurations during migration.

When set to "Strict", all components must strictly honor the configured TLS profile.
This mode is recommended for security-conscious deployments and is required for
certain compliance frameworks.

Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
and log a warning to ensure forward compatibility while defaulting to the more secure behavior.

Note: The Kubelet and IngressController components are excluded from tlsAdherence control
as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
IngressController CRs respectively.

When omitted, the default value is "Legacy".
enum:
- Legacy
- Strict
type: string
tlsSecurityProfile:
description: |-
tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
Expand Down Expand Up @@ -325,6 +352,18 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Down
12 changes: 12 additions & 0 deletions config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,18 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Down
39 changes: 39 additions & 0 deletions ...enerated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -292,6 +292,33 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
tlsAdherence:
description: |-
tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
configured on this APIServer resource.

Valid values are "Legacy" and "Strict".

When set to "Legacy" (the default), components attempt to honor the configured TLS profile
but may fall back to their individual defaults if conflicts arise. This mode is intended for
clusters that need to maintain compatibility with existing configurations during migration.

When set to "Strict", all components must strictly honor the configured TLS profile.
This mode is recommended for security-conscious deployments and is required for
certain compliance frameworks.

Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
and log a warning to ensure forward compatibility while defaulting to the more secure behavior.

Note: The Kubelet and IngressController components are excluded from tlsAdherence control
as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
IngressController CRs respectively.

When omitted, the default value is "Legacy".
enum:
- Legacy
- Strict
type: string
tlsSecurityProfile:
description: |-
tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
Expand Down Expand Up @@ -325,6 +352,18 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Down
12 changes: 12 additions & 0 deletions config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-OKD.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,18 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Down
39 changes: 39 additions & 0 deletions ...nerated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,33 @@ spec:
type: array
x-kubernetes-list-type: atomic
type: object
tlsAdherence:
description: |-
tlsAdherence controls how strictly components in the cluster adhere to the TLS security profile
configured on this APIServer resource.

Valid values are "Legacy" and "Strict".

When set to "Legacy" (the default), components attempt to honor the configured TLS profile
but may fall back to their individual defaults if conflicts arise. This mode is intended for
clusters that need to maintain compatibility with existing configurations during migration.

When set to "Strict", all components must strictly honor the configured TLS profile.
This mode is recommended for security-conscious deployments and is required for
certain compliance frameworks.

Components that encounter an unknown value for tlsAdherence should treat it as "Strict"
and log a warning to ensure forward compatibility while defaulting to the more secure behavior.

Note: The Kubelet and IngressController components are excluded from tlsAdherence control
as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
IngressController CRs respectively.

When omitted, the default value is "Legacy".
enum:
- Legacy
- Strict
type: string
tlsSecurityProfile:
description: |-
tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.
Expand Down Expand Up @@ -257,6 +284,18 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Down
5 changes: 5 additions & 0 deletions config/v1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions config/v1/zz_generated.featuregated-crd-manifests.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ apiservers.config.openshift.io:
FeatureGates:
- KMSEncryption
- KMSEncryptionProvider
- TLSAdherence
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
FilenameRunLevel: "0000_10"
Expand Down
12 changes: 12 additions & 0 deletions ...1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,18 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Down
12 changes: 12 additions & 0 deletions ...zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryption.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -257,6 +257,18 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Down
12 changes: 12 additions & 0 deletions ...ated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -325,6 +325,18 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Down
Loading