CNTRLPLANE-2797: hypershift-operator webhooks port 9443 respect cluster TLS security profile #8078

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from ricardomaraschini:webhooks-tls-profile
Mar 31, 2026

Conversation

@ricardomaraschini
Contributor

@ricardomaraschini ricardomaraschini commented Mar 26, 2026

What this PR does / why we need it:

Configure hypershift-operator webhook server to use TLS settings from the management cluster's APIServer configuration when available.

  • Detect CapabilityAPIServer to check for OpenShift APIServer config
  • Apply cluster TLS min version and cipher suites to webhook server
  • Gracefully skip on non-OpenShift clusters

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • New Features

    • Webhook TLS now follows the management cluster API server's TLS profile (min TLS version and cipher suites) for stronger, consistent security.
    • Operator now detects when the cluster exposes API server configuration so TLS settings can be driven from the cluster.
  • Tests

    • Added tests covering capability detection and TLS-profile-to-server configuration mapping.

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 26, 2026
@openshift-ci
Contributor

openshift-ci bot commented Mar 26, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai
Contributor

coderabbitai bot commented Mar 26, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 2bcbf06 and 6aea3a7.

📒 Files selected for processing (5)
  • hypershift-operator/main.go
  • support/capabilities/management_cluster_capabilities.go
  • support/capabilities/management_cluster_capabilities_test.go
  • support/config/cipher.go
  • support/config/cipher_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • support/capabilities/management_cluster_capabilities_test.go
  • support/config/cipher.go

Walkthrough

The PR moves discovery/capability detection earlier (using restConfig), adds a new capability constant CapabilityAPIServer, and extends DetectManagementClusterCapabilities to detect the config.openshift.io apiserver resource. When CapabilityAPIServer is present, the operator creates a typed config client, retrieves the APIServer "cluster" object, derives TLS min version and cipher suites via new helpers, and assigns those setters to webhook.Options.TLSOpts before constructing the webhook server. Errors from discovery, capability detection, config client creation, APIServer retrieval, or TLS option derivation are now returned.

Sequence Diagram

sequenceDiagram
    participant Main as Operator Main
    participant Rest as REST Config
    participant Discovery as Discovery Client
    participant Capabilities as Capability Detection
    participant ConfigClient as Config Client
    participant APIServer as APIServer Resource
    participant Webhook as Webhook Server

    Main->>Rest: use restConfig to create Discovery
    Main->>Discovery: create discovery client
    Main->>Capabilities: DetectManagementClusterCapabilities(discovery)
    Capabilities->>Discovery: query config.openshift.io for apiservers
    Discovery-->>Capabilities: resource present/absent
    Capabilities-->>Main: return discovered capabilities

    alt CapabilityAPIServer present
        Main->>ConfigClient: create typed config client
        Main->>APIServer: Get APIServer "cluster"
        APIServer-->>Main: return Spec.TLSSecurityProfile
        Main->>Main: SetMinTLSVersionUsingAPIServer()
        Main->>Main: SetCipherSuitesUsingAPIServer()
        Main->>Main: assign TLSOpts on webhook.Options
    else CapabilityAPIServer absent
        Main->>Main: leave webhook.Options TLSOpts unset
    end

    Main->>Webhook: NewServer(webhook.Options)
    Webhook-->>Main: server initialized / error
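
The mechanism described in the PR description and in the walkthrough above (read the APIServer "cluster" object's tlsSecurityProfile, derive a minimum TLS version and a cipher list, hand them to the webhook server as a TLSOpts setter, and do nothing when the resource is absent) condensed into a stand-alone Go example. This is added here for illustration; it is not code from this PR or from HyperShift, and it imports nothing from the OpenShift API. The profile types are simplified stand-ins for config.openshift.io/v1 TLSSecurityProfile, the predefined Intermediate and Modern cipher lists are assumed copies of what OpenShift ships (Old is left out), the OpenSSL-name-to-crypto/tls table is the author's own, and the function name DeriveWebhookTLS is invented for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Simplified stand-ins for the config.openshift.io/v1 TLSSecurityProfile types
// (assumed to mirror the OpenShift API; nothing here is imported from it).
type TLSProfileType string

const (
	TLSProfileIntermediateType TLSProfileType = "Intermediate"
	TLSProfileModernType       TLSProfileType = "Modern"
	TLSProfileCustomType       TLSProfileType = "Custom"
)

type TLSProfileSpec struct {
	Ciphers       []string // OpenSSL-style names, as the OpenShift API uses
	MinTLSVersion string   // "VersionTLS10" .. "VersionTLS13"
}

type TLSSecurityProfile struct {
	Type   TLSProfileType
	Custom *TLSProfileSpec // consulted only when Type == Custom
}

// Assumed copies of OpenShift's Intermediate and Modern lists (Old left out).
var predefinedProfiles = map[TLSProfileType]TLSProfileSpec{
	TLSProfileIntermediateType: {MinTLSVersion: "VersionTLS12", Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
		"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
		"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
		"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
		"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384"}},
	TLSProfileModernType: {MinTLSVersion: "VersionTLS13", Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}},
}

var tlsVersions = map[string]uint16{"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}

// TLS 1.3 suites are not configurable in crypto/tls (Go always enables all three): accepted, never listed.
var tls13Suites = map[string]bool{
	"TLS_AES_128_GCM_SHA256": true, "TLS_AES_256_GCM_SHA384": true, "TLS_CHACHA20_POLY1305_SHA256": true}

// OpenSSL name -> crypto/tls ID for the TLS 1.2 suites Go implements. DHE-* is absent on purpose:
// crypto/tls has no finite-field DH suites, so a profile naming them cannot be honoured verbatim.
var opensslToGo = map[string]uint16{
	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-RSA-AES128-GCM-SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-RSA-AES256-GCM-SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-ECDSA-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	"ECDHE-RSA-CHACHA20-POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}

// DeriveWebhookTLS turns an APIServer tlsSecurityProfile into the func(*tls.Config) shape that
// controller-runtime's webhook.Options.TLSOpts accepts, plus the profile ciphers crypto/tls cannot
// provide (worth logging). A nil or empty profile, i.e. no APIServer resource on a non-OpenShift
// management cluster, yields a no-op so the server keeps its defaults.
func DeriveWebhookTLS(p *TLSSecurityProfile) (func(*tls.Config), []string, error) {
	if p == nil || p.Type == "" {
		return func(*tls.Config) {}, nil, nil
	}
	spec, ok := predefinedProfiles[p.Type]
	if p.Type == TLSProfileCustomType && p.Custom != nil {
		spec, ok = *p.Custom, true
	}
	if !ok {
		return nil, nil, fmt.Errorf("unsupported or incomplete profile type %q", p.Type)
	}
	minVer, ok := tlsVersions[spec.MinTLSVersion]
	if !ok {
		return nil, nil, fmt.Errorf("unknown minTLSVersion %q", spec.MinTLSVersion)
	}
	var suites []uint16
	var dropped []string
	for _, name := range spec.Ciphers {
		if id, known := opensslToGo[name]; known {
			suites = append(suites, id)
		} else if !tls13Suites[name] {
			dropped = append(dropped, name)
		}
	}
	// A profile allowing TLS 1.2 with no suite Go can honour would silently fall back to Go's
	// default list; refuse it rather than weaken what the cluster admin configured.
	if minVer < tls.VersionTLS13 && len(suites) == 0 {
		return nil, dropped, fmt.Errorf("no TLS 1.2 cipher suite in profile is supported by crypto/tls")
	}
	return func(cfg *tls.Config) {
		cfg.MinVersion, cfg.CipherSuites = minVer, suites // nil suites keeps Go's defaults
	}, dropped, nil
}

func main() {
	opt, dropped, err := DeriveWebhookTLS(&TLSSecurityProfile{Type: TLSProfileIntermediateType})
	if err != nil {
		panic(err)
	}
	cfg := &tls.Config{}
	opt(cfg)
	fmt.Printf("min=%#x suites=%d dropped=%v\n", cfg.MinVersion, len(cfg.CipherSuites), dropped)
}
```

Two things the description does not spell out show up once the mapping is written down: OpenShift's Intermediate profile names DHE-RSA suites that crypto/tls does not implement, so they have to be dropped and logged, and the three TLS 1.3 suites cannot be placed in tls.Config.CipherSuites at all (Go ignores that field for TLS 1.3). The nil-profile branch is what "gracefully skip on non-OpenShift clusters" amounts to. After the operator restarts, `openssl s_client -connect <operator-pod>:9443 -tls1_1` failing the handshake while `-tls1_2` succeeds is a quick check that the Intermediate profile actually reached port 9443.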

@openshift-ci openshift-ci bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release and removed do-not-merge/needs-area labels Mar 26, 2026
@ricardomaraschini ricardomaraschini changed the title feat(webhooks): respect cluster TLS security profile CNTRLPLANE-2797: hypershift-operator webhooks port 9443 respect cluster TLS security profile Mar 26, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 26, 2026
@openshift-ci-robot

openshift-ci-robot commented Mar 26, 2026

@ricardomaraschini: This pull request references CNTRLPLANE-2797 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Configure hypershift-operator webhook server to use TLS settings from the management cluster's APIServer configuration when available.

  • Detect CapabilityAPIServer to check for OpenShift APIServer config
  • Apply cluster TLS min version and cipher suites to webhook server
  • Gracefully skip on non-OpenShift clusters

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@ricardomaraschini ricardomaraschini marked this pull request as ready for review March 26, 2026 11:24
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 26, 2026
@ricardomaraschini
Contributor Author

Keeping this on hold for now.

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 26, 2026
@openshift-ci openshift-ci bot requested review from devguyio and sjenning March 26, 2026 11:26
@openshift-ci-robot

openshift-ci-robot commented Mar 27, 2026

@ricardomaraschini: This pull request references CNTRLPLANE-2797 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

Configure hypershift-operator webhook server to use TLS settings from the management cluster's APIServer configuration when available.

  • Detect CapabilityAPIServer to check for OpenShift APIServer config
  • Apply cluster TLS min version and cipher suites to webhook server
  • Gracefully skip on non-OpenShift clusters

Which issue(s) this PR fixes:

Fixes

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

Release Notes

  • New Features

  • Webhook TLS configuration is now dynamically configured based on the management cluster's API server settings for improved security alignment.

  • Operator detects support for custom API server configuration resources to enable dynamic TLS profile adaptation.

  • Tests

  • Added comprehensive test coverage for TLS configuration detection and application.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gangwgr

gangwgr commented Mar 30, 2026

Pre-merge verified

@gangwgr

gangwgr commented Mar 30, 2026

/verified by @gangwgr

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 30, 2026
@openshift-ci-robot

@gangwgr: This PR has been marked as verified by @gangwgr.

Details

In response to this:

/verified by @gangwgr

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bryan-cox
Member

/test e2e-aks

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 30, 2026
@openshift-ci-robot

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

@openshift-ci
Contributor

openshift-ci bot commented Mar 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, ricardomaraschini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 30, 2026
@bryan-cox
Member

/lgtm cancel

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 30, 2026
@cwbotbot

Test Results

e2e-aks

@ricardomaraschini
Contributor Author

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 31, 2026
@Nirshal
Contributor

Nirshal commented Mar 31, 2026

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 31, 2026
@openshift-ci-robot

Tests from second stage were triggered manually. Pipeline can be controlled only manually, until HEAD changes. Use command to trigger second stage.

Configure hypershift-operator webhook server to use TLS settings from
the management cluster's APIServer configuration when available.

- Detect CapabilityAPIServer to check for OpenShift APIServer config
- Apply cluster TLS min version and cipher suites to webhook server
- Gracefully skip on non-OpenShift clusters
@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Mar 31, 2026
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 31, 2026
@openshift-ci-robot

openshift-ci-robot commented Mar 31, 2026

@ricardomaraschini: This pull request references CNTRLPLANE-2797 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bryan-cox
Member

/verified by @gangwgr

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 31, 2026
@openshift-ci-robot

@bryan-cox: This PR has been marked as verified by @gangwgr.

Details

In response to this:

/verified by @gangwgr

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bryan-cox
Member

/lgtm

putting it back on from rebase

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 31, 2026
@openshift-ci-robot

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks-4-21
/test e2e-aws-4-21
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

@codecov

codecov bot commented Mar 31, 2026

Codecov Report

❌ Patch coverage is 37.03704% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 26.90%. Comparing base (7e9b7be) to head (6aea3a7).
⚠️ Report is 11 commits behind head on main.

Files with missing lines                                 Patch %   Lines
hypershift-operator/main.go                              0.00%     28 Missing ⚠️
...rt/capabilities/management_cluster_capabilities.go    57.14%    2 Missing and 1 partial ⚠️
support/config/cipher.go                                 84.21%    2 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8078      +/-   ##
==========================================
+ Coverage   26.86%   26.90%   +0.03%     
==========================================
  Files        1090     1090              
  Lines      105285   105327      +42     
==========================================
+ Hits        28281    28333      +52     
+ Misses      74573    74561      -12     
- Partials     2431     2433       +2     
Files with missing lines                                 Coverage Δ
...rt/capabilities/management_cluster_capabilities.go    53.23% <57.14%> (+0.20%) ⬆️
support/config/cipher.go                                 94.11% <84.21%> (+94.11%) ⬆️
hypershift-operator/main.go                              0.00% <0.00%> (ø)

@ricardomaraschini
Contributor Author

/retest

@openshift-ci
Contributor

openshift-ci bot commented Mar 31, 2026

@ricardomaraschini: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 3dd45f4 into openshift:main Mar 31, 2026
31 checks passed

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

6 participants