OCPBUGS-78774: Add TLS Profile compliance#76

Open
jmesnil wants to merge 2 commits intoopenshift:mainfrom
jmesnil:OCPBUGS-78774_2
Contributor

@jmesnil jmesnil commented Mar 30, 2026

Both the extractor (Rust) and exporter (Go) now fetch the TLS security
profile from the API Server (apiservers.config.openshift.io/cluster)
and apply it dynamically. Plain TCP and plain HTTP are removed entirely.

Extractor: uses openssl crate with kube client to fetch the profile at
startup. Exporter: fetches profile, maps OpenSSL cipher names to Go
crypto/tls constants, serves HTTPS, connects to extractor over TLS with
CA verification, and exits on profile change for pod restart.

Manifests updated with TLS secret volume, CLI args, and RBAC for
APIServer read access.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Mar 30, 2026
@openshift-ci-robot

@jmesnil: This pull request references Jira Issue OCPBUGS-78774, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


openshift-ci bot commented Mar 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jmesnil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 30, 2026
Both the extractor (Rust) and exporter (Go) now fetch the TLS security
profile from the API Server (apiservers.config.openshift.io/cluster)
and apply it dynamically. Plain TCP and plain HTTP are removed entirely.

Extractor: uses openssl crate with kube client to fetch the profile at
startup. Exporter: fetches profile, maps OpenSSL cipher names to Go
crypto/tls constants, serves HTTPS, connects to extractor over TLS with
CA verification, and exits on profile change for pod restart.

Manifests updated with TLS secret volume, CLI args, and RBAC for
APIServer read access.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Force-add vcpkg test-data files that were excluded by .gitignore
rules (*.dll, *.so, *.exe) to ensure complete vendor directory.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

openshift-ci bot commented Mar 30, 2026

@jmesnil: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                Commit   Details  Required  Rerun command
ci/prow/rust-unit-tests  6c0e13e  link     true      /test rust-unit-tests
ci/prow/e2e-aws          6c0e13e  link     true      /test e2e-aws
ci/prow/e2e-tests        6c0e13e  link     true      /test e2e-tests

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
