OCPBUGS-62285: Add APIServer CR configobserver and pull TLS configuration from it. Assisted by Claude (Sonnet 4.5).

Author: marty-power

pkg/cmd/checkendpoints/cmd.go

@@ -5,13 +5,18 @@ import (
 	"os"
 	"time"
 
+	operatorv1 "github.com/openshift/api/operator/v1"
+	configclient "github.com/openshift/client-go/config/clientset/versioned"
+	configinformers "github.com/openshift/client-go/config/informers/externalversions"
 	operatorcontrolplaneclient "github.com/openshift/client-go/operatorcontrolplane/clientset/versioned"
 	operatorcontrolplaneinformers "github.com/openshift/client-go/operatorcontrolplane/informers/externalversions"
 	"github.com/openshift/cluster-network-operator/pkg/cmd/checkendpoints/controller"
 	"github.com/openshift/cluster-network-operator/pkg/version"
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resource/retry"
+	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
+	"github.com/openshift/library-go/pkg/operator/v1helpers"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
@@ -29,9 +34,11 @@ func NewCheckEndpointsCommand() *cobra.Command {
 		kubeClient := kubernetes.NewForConfigOrDie(cctx.ProtoKubeConfig)
 		apiextensionsClient := apiextensionsclient.NewForConfigOrDie(cctx.KubeConfig)
 		operatorcontrolplaneClient := operatorcontrolplaneclient.NewForConfigOrDie(cctx.KubeConfig)
+		configClient := configclient.NewForConfigOrDie(cctx.KubeConfig)
 		kubeInformers := informers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Minute, informers.WithNamespace(namespace))
 		operatorcontrolplaneInformers := operatorcontrolplaneinformers.NewSharedInformerFactoryWithOptions(operatorcontrolplaneClient, 10*time.Minute, operatorcontrolplaneinformers.WithNamespace(namespace))
 		apiextensionsInformers := apiextensionsinformers.NewSharedInformerFactory(apiextensionsClient, 10*time.Minute)
+		configInformers := configinformers.NewSharedInformerFactory(configClient, 10*time.Minute)
 
 		// create a recorder that sets the pod node as the involved object in events
 		var involvedObjectRef *corev1.ObjectReference
@@ -58,12 +65,48 @@ func NewCheckEndpointsCommand() *cobra.Command {
 		}
 		recorder := events.NewRecorder(kubeClient.CoreV1().Events(namespace), "check-endpoint", involvedObjectRef, clock.RealClock{})
 
+		// Create a no-op operator client for the config observer
+		operatorClient := v1helpers.NewFakeOperatorClient(
+			&operatorv1.OperatorSpec{},
+			&operatorv1.OperatorStatus{},
+			nil,
+		)
+
+		// Create KubeInformersForNamespaces for the resource syncer
+		kubeInformersForNamespaces := v1helpers.NewKubeInformersForNamespaces(kubeClient, namespace)
+
+		// Create a no-op resource syncer
+		resourceSyncer := resourcesynccontroller.NewResourceSyncController(
+			"network-check-source",
+			operatorClient,
+			kubeInformersForNamespaces,
+			kubeClient.CoreV1(),
+			kubeClient.CoreV1(),
+			recorder,
+		)
+
+		// Create the APIServer config observer controller
+		apiServerConfigObserver, err := controller.NewAPIServerConfigObserverController(
+			operatorClient,
+			configInformers.Config().V1().APIServers(),
+			resourceSyncer,
+			recorder,
+		)
+		if err != nil {
+			return err
+		}
+
+		// Create TLS config provider from the config observer
+		tlsConfigProvider := controller.NewTLSConfigProvider(apiServerConfigObserver)
+
+		// Create the network connectivity check controller with TLS config provider
 		check := controller.NewPodNetworkConnectivityCheckController(
 			podName,
 			namespace,
 			operatorcontrolplaneClient.ControlplaneV1alpha1(),
 			operatorcontrolplaneInformers.Controlplane().V1alpha1().PodNetworkConnectivityChecks(),
 			kubeInformers.Core().V1().Secrets(),
+			tlsConfigProvider,
 			recorder,
 		)
 
@@ -95,9 +138,11 @@ func NewCheckEndpointsCommand() *cobra.Command {
 		}
 
 		// continue startup
+		configInformers.Start(ctx.Done())
 		operatorcontrolplaneInformers.Start(ctx.Done())
 		kubeInformers.Start(ctx.Done())
 		go check.Run(ctx, 1)
+		go apiServerConfigObserver.Run(ctx, 1)
 		go stopController.Run(ctx, 1)
 		<-ctx.Done()
 		return nil

pkg/cmd/checkendpoints/controller/apiserver_configobserver_controller.go

@@ -0,0 +1,93 @@
+package controller
+
+import (
+	"fmt"
+
+	configv1 "github.com/openshift/api/config/v1"
+	configinformers "github.com/openshift/client-go/config/informers/externalversions/config/v1"
+	configlisters "github.com/openshift/client-go/config/listers/config/v1"
+	"github.com/openshift/library-go/pkg/controller/factory"
+	"github.com/openshift/library-go/pkg/operator/configobserver"
+	apiserver "github.com/openshift/library-go/pkg/operator/configobserver/apiserver"
+	"github.com/openshift/library-go/pkg/operator/events"
+	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
+	"github.com/openshift/library-go/pkg/operator/v1helpers"
+	"k8s.io/client-go/tools/cache"
+)
+
+// APIServerConfigObserverController observes the APIServer CR and extracts
+// TLS security profile configuration for use by the network check source.
+type APIServerConfigObserverController struct {
+	factory.Controller
+	apiServerLister configlisters.APIServerLister
+}
+
+// Listers implements configobserver.Listers and apiserver.APIServerLister
+// to provide access to the resource syncer and APIServer lister
+type Listers struct {
+	apiServerLister configlisters.APIServerLister
+	resourceSyncer  resourcesynccontroller.ResourceSyncer
+}
+
+func (l Listers) APIServerLister() configlisters.APIServerLister {
+	return l.apiServerLister
+}
+
+func (l Listers) ResourceSyncer() resourcesynccontroller.ResourceSyncer {
+	return l.resourceSyncer
+}
+
+func (l Listers) PreRunHasSynced() []cache.InformerSynced {
+	return []cache.InformerSynced{}
+}
+
+// NewAPIServerConfigObserverController creates a new controller that observes
+// the APIServer CR and updates the observed configuration based on the TLS
+// security profile settings.
+func NewAPIServerConfigObserverController(
+	operatorClient v1helpers.OperatorClient,
+	apiServerInformer configinformers.APIServerInformer,
+	resourceSyncer resourcesynccontroller.ResourceSyncer,
+	eventRecorder events.Recorder,
+) (*APIServerConfigObserverController, error) {
+	// Define the paths where TLS configuration should be stored in the operator config
+	tlsSecurityProfilePaths := [][]string{
+		{"tlsSecurityProfile"},
+	}
+
+	// Create listers for the config observer
+	listers := Listers{
+		apiServerLister: apiServerInformer.Lister(),
+		resourceSyncer:  resourceSyncer,
+	}
+
+	// Create the config observer with the TLS security profile observer function
+	// This returns a factory.Controller that handles syncing automatically
+	controller := configobserver.NewConfigObserver(
+		"APIServerConfigObserver",
+		operatorClient,
+		eventRecorder,
+		listers,
+		[]factory.Informer{apiServerInformer.Informer()},
+		apiserver.ObserveTLSSecurityProfileWithPaths(
+			tlsSecurityProfilePaths,
+			apiServerInformer,
+		),
+	)
+
+	return &APIServerConfigObserverController{
+		Controller:      controller,
+		apiServerLister: apiServerInformer.Lister(),
+	}, nil
+}
+
+// GetObservedTLSSecurityProfile retrieves the currently observed TLS security profile
+// from the APIServer CR. This can be used by other components that need access to
+// the TLS configuration.
+func (c *APIServerConfigObserverController) GetObservedTLSSecurityProfile() (*configv1.TLSSecurityProfile, error) {
+	apiServer, err := c.apiServerLister.Get("cluster")
+	if err != nil {
+		return nil, fmt.Errorf("failed to get APIServer 'cluster': %w", err)
+	}
+	return apiServer.Spec.TLSSecurityProfile, nil
+}

pkg/cmd/checkendpoints/controller/connection_checker.go

@@ -31,17 +31,18 @@ type ConnectionChecker interface {
 type GetCheckFunc func() *operatorcontrolplanev1alpha1.PodNetworkConnectivityCheck
 
 // NewConnectionChecker returns a ConnectionChecker.
-func NewConnectionChecker(name, podName, podNamespace string, getCheck GetCheckFunc, client v1alpha1helpers.PodNetworkConnectivityCheckClient, clientCertGetter CertificatesGetter, recorder Recorder) ConnectionChecker {
+func NewConnectionChecker(name, podName, podNamespace string, getCheck GetCheckFunc, client v1alpha1helpers.PodNetworkConnectivityCheckClient, clientCertGetter CertificatesGetter, tlsConfigProvider TLSConfigProvider, recorder Recorder) ConnectionChecker {
 	return &connectionChecker{
-		name:             name,
-		podName:          podName,
-		getCheck:         getCheck,
-		client:           client,
-		clientCertGetter: clientCertGetter,
-		recorder:         recorder,
-		updates:          NewUpdatesManager(checkPeriod, checkTimeout, newUpdatesProcessor(client, name)),
-		stop:             make(chan interface{}),
-		metrics:          NewMetricsContext(podNamespace, name),
+		name:              name,
+		podName:           podName,
+		getCheck:          getCheck,
+		client:            client,
+		clientCertGetter:  clientCertGetter,
+		tlsConfigProvider: tlsConfigProvider,
+		recorder:          recorder,
+		updates:           NewUpdatesManager(checkPeriod, checkTimeout, newUpdatesProcessor(client, name)),
+		stop:              make(chan interface{}),
+		metrics:           NewMetricsContext(podNamespace, name),
 	}
 }
 
@@ -59,12 +60,13 @@ type connectionChecker struct {
 	podName  string
 	getCheck GetCheckFunc
 
-	client           v1alpha1helpers.PodNetworkConnectivityCheckClient
-	clientCertGetter CertificatesGetter
-	recorder         Recorder
-	updates          UpdatesManager
-	stop             chan interface{}
-	metrics          MetricsContext
+	client            v1alpha1helpers.PodNetworkConnectivityCheckClient
+	clientCertGetter  CertificatesGetter
+	tlsConfigProvider TLSConfigProvider
+	recorder          Recorder
+	updates           UpdatesManager
+	stop              chan interface{}
+	metrics           MetricsContext
 }
 
 // checkConnection checks the connection periodically, updating status as needed
@@ -156,7 +158,11 @@ func (c *connectionChecker) getTCPConnectLatency(ctx context.Context, address st
 
 	// perform tls handshake to avoid spamming the logs of tls endpoints
 	host, _, _ := net.SplitHostPort(address)
-	tlsConn := tls.Client(tcpConn, &tls.Config{Certificates: c.clientCertGetter(), ServerName: host, InsecureSkipVerify: true})
+
+	// Get TLS config from the provider (which uses the observed APIServer TLS security profile)
+	tlsConfig := c.tlsConfigProvider.GetTLSConfig(host, c.clientCertGetter())
+
+	tlsConn := tls.Client(tcpConn, tlsConfig)
 	if err = tlsConn.Handshake(); err != nil {
 		// ignore any error. most likely non-tls connection, plus we're not really testing tls
 		klog.V(4).Infof("%s: tls error ignored: %v", address, err)

pkg/cmd/checkendpoints/controller/pod_network_connectivity_check_controller.go

@@ -31,12 +31,13 @@ type PodNetworkConnectivityCheckController interface {
 // the connectivity checks.
 type controller struct {
 	factory.Controller
-	podName      string
-	podNamespace string
-	checksGetter operatorcontrolplaneclientv1alpha1.PodNetworkConnectivityCheckInterface
-	checkLister  v1alpha1.PodNetworkConnectivityCheckNamespaceLister
-	secretLister corelistersv1.SecretLister
-	recorder     Recorder
+	podName           string
+	podNamespace      string
+	checksGetter      operatorcontrolplaneclientv1alpha1.PodNetworkConnectivityCheckInterface
+	checkLister       v1alpha1.PodNetworkConnectivityCheckNamespaceLister
+	secretLister      corelistersv1.SecretLister
+	tlsConfigProvider TLSConfigProvider
+	recorder          Recorder
 	// each PodNetworkConnectivityCheck gets its own ConnectionChecker
 	updaters map[string]ConnectionChecker
 }
@@ -46,15 +47,18 @@ type controller struct {
 func NewPodNetworkConnectivityCheckController(podName, podNamespace string,
 	checksGetter operatorcontrolplaneclientv1alpha1.PodNetworkConnectivityChecksGetter,
 	checkInformer alpha1.PodNetworkConnectivityCheckInformer,
-	secretInformer coreinformersv1.SecretInformer, recorder events.Recorder) PodNetworkConnectivityCheckController {
+	secretInformer coreinformersv1.SecretInformer,
+	tlsConfigProvider TLSConfigProvider,
+	recorder events.Recorder) PodNetworkConnectivityCheckController {
 	c := &controller{
-		podName:      podName,
-		podNamespace: podNamespace,
-		checksGetter: checksGetter.PodNetworkConnectivityChecks(podNamespace),
-		checkLister:  checkInformer.Lister().PodNetworkConnectivityChecks(podNamespace),
-		secretLister: secretInformer.Lister(),
-		recorder:     NewBackoffEventRecorder(recorder),
-		updaters:     map[string]ConnectionChecker{},
+		podName:           podName,
+		podNamespace:      podNamespace,
+		checksGetter:      checksGetter.PodNetworkConnectivityChecks(podNamespace),
+		checkLister:       checkInformer.Lister().PodNetworkConnectivityChecks(podNamespace),
+		secretLister:      secretInformer.Lister(),
+		tlsConfigProvider: tlsConfigProvider,
+		recorder:          NewBackoffEventRecorder(recorder),
+		updaters:          map[string]ConnectionChecker{},
 	}
 	c.Controller = factory.New().
 		WithSync(c.Sync).
@@ -83,7 +87,7 @@ func (c *controller) Sync(ctx context.Context, syncContext factory.SyncContext)
 	// create & start status updaters if needed
 	for _, check := range checks {
 		if updater := c.updaters[check.Name]; updater == nil {
-			c.updaters[check.Name] = NewConnectionChecker(check.Name, c.podName, c.podNamespace, c.newCheckFunc(check.Name), c, c.getClientCerts(check), c.recorder)
+			c.updaters[check.Name] = NewConnectionChecker(check.Name, c.podName, c.podNamespace, c.newCheckFunc(check.Name), c, c.getClientCerts(check), c.tlsConfigProvider, c.recorder)
 			go c.updaters[check.Name].Run(ctx)
 		}
 	}