feat: Configuring TLS options from Central TLS Profile

[akhilnittala]

What type of PR is this?
/kind enhancement

What does this PR do / why we need it:
This PR introduces configurability for TLS server settings across all Argo CD-related components managed by the operator, aligning with OpenShift Container Platform (OCP) requirements for Post-Quantum Cryptography (PQC) readiness starting from OCP 4.22.

OCP mandates that all layered products must support streamlined TLS configuration. This change ensures that Argo CD components can comply with future cryptographic standards and evolving security policies.
Have you updated the necessary documentation?

• Documentation update is required by this PR.
• Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?
https://redhat.atlassian.net/browse/GITOPS-9073
Test acceptance criteria:

• Unit Test
• E2E Test

How to test changes / Special notes to the reviewer:
Deploy Redis with tls enabled. checks arguments with underlying apiServer configuration.

[openshift-ci]

@akhilnittala: The label(s) kind/chore cannot be applied, because the repository doesn't have them.

Details

In response to this:

What type of PR is this?
/kind chore

What does this PR do / why we need it:
This PR introduces configurability for TLS server settings across all Argo CD-related components managed by the operator, aligning with OpenShift Container Platform (OCP) requirements for Post-Quantum Cryptography (PQC) readiness starting from OCP 4.22.

OCP mandates that all layered products must support streamlined TLS configuration. This change ensures that Argo CD components can comply with future cryptographic standards and evolving security policies.
Have you updated the necessary documentation?

• Documentation update is required by this PR.
• Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?
https://redhat.atlassian.net/browse/GITOPS-9073
Test acceptance criteria:

• Unit Test
• E2E Test

How to test changes / Special notes to the reviewer:
Deploy Redis with tls enabled. checks arguments with underlying apiServer configuration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wtam2018 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 228d2725-d477-41fd-a361-f6354893faa2

📥 Commits

Reviewing files that changed from the base of the PR and between 23d0911 and e7fc0a0.

📒 Files selected for processing (1)

• bundle/manifests/gitops-operator.clusterserviceversion.yaml

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• argoproj-labs/argocd-operator (manual)

🚧 Files skipped from review as they are similar to previous changes (1)

• bundle/manifests/gitops-operator.clusterserviceversion.yaml

---

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• New Features
  • The operator now applies the OpenShift cluster TLS security profile to both the webhook and metrics servers.
  • Added DISABLE_CLUSTER_TLS_PROFILE and --disable-cluster-tls-profile to disable TLS profile enforcement.
  • Detects TLS profile changes and restarts the operator to pick up updates.
• Bug Fixes
  • Improved ServiceMonitor reconciliation to safely handle the metrics server TLS ServerName.
• Chores
  • Updated RBAC to allow read access to config.openshift.io apiservers.
• Tests
  • Updated E2E checks for Redis TLS command flags.

Walkthrough

The PR integrates OpenShift cluster TLS security profile support into the gitops-operator. It adds get/list/watch RBAC on config.openshift.io/apiservers, introduces a DISABLE_CLUSTER_TLS_PROFILE flag and env var, fetches the cluster TLSProfileSpec at startup, applies it to webhook and metrics servers, watches for profile changes to trigger operator restart, wires the profile into ReconcileArgoCD, and fixes TLS ServerName pointer type alignment in metrics configuration. Dependency versions in go.mod are also bumped.

Changes

Cluster TLS Profile Integration

Layer / File(s)	Summary
RBAC permissions and dependency updates config/rbac/role.yaml, controllers/gitopsservice_controller.go, bundle/manifests/gitops-operator.clusterserviceversion.yaml, go.mod	Adds get/list/watch on config.openshift.io/apiservers to the manager ClusterRole in role.yaml and the CSV install permissions, adds the kubebuilder RBAC annotation in the controller, and bumps direct/indirect go.mod dependencies including openshift/api, controller-runtime, argocd-operator, and library-go.
DISABLE_CLUSTER_TLS_PROFILE flag and env var wiring cmd/main.go, config/manager/manager.yaml, bundle/manifests/gitops-operator.clusterserviceversion.yaml	Introduces the disableClusterTLSProfile boolean and --disable-cluster-tls-profile CLI flag, reads the DISABLE_CLUSTER_TLS_PROFILE env var override, creates a cancellable context from the signal handler, and adds the env var declaration to manager.yaml and the CSV deployment spec.
TLS profile fetch, server config, watcher, and ReconcileArgoCD wiring cmd/main.go	Adds context and tlspkg imports; fetches the cluster TLSProfileSpec via a bootstrap client when Config API is present and the profile is enabled; builds TLS option functions and applies them to webhook and metrics servers; starts a SecurityProfileWatcher that cancels the operator context on profile changes; passes MinTLSVersion and Ciphers as CentralTLSConfigProfile to ReconcileArgoCD; updates mgr.Start to use the cancellable ctx.
Metrics TLS ServerName pointer type fix controllers/argocd_metrics_controller.go, test/openshift/e2e/ginkgo/parallel/1-104_validate_prometheus_alert_test.go	Updates the ServiceMonitor endpoint TLS configuration to use pointer type for ServerName field in both the controller reconciliation logic and the e2e test, aligning with the field's declared pointer type.
Redis E2E tests for TLS configuration test/openshift/e2e/ginkgo/parallel/1-066_validate_redis_secure_comm_no_autotls_no_ha_test.go, test/openshift/e2e/ginkgo/parallel/1-068_validate_redis_secure_comm_autols_no_ha_test.go	Updates Redis secure communication E2E tests to expect explicit TLS protocol version and cipher suite configuration flags (--tls-protocols TLSv1.2 and --tls-ciphersuites) in the redis deployment command args, validating that the cluster TLS profile was correctly applied by the operator.

Sequence Diagram

sequenceDiagram
    participant Operator as main
    participant EnvFlag as env / CLI flag
    participant APIServer as config.openshift.io/apiservers
    participant tlspkg as tlspkg helpers
    participant Servers as Webhook + Metrics Servers
    participant Watcher as SecurityProfileWatcher
    participant Controller as ReconcileArgoCD

    Operator->>EnvFlag: read DISABLE_CLUSTER_TLS_PROFILE
    EnvFlag-->>Operator: disableClusterTLSProfile bool
    Operator->>APIServer: fetch TLSProfileSpec
    APIServer-->>Operator: MinTLSVersion, Ciphers
    Operator->>tlspkg: build TLS option functions
    tlspkg-->>Operator: tlsOpts
    Operator->>Servers: apply tlsOpts
    Operator->>Watcher: start watching apiservers
    Watcher-->>Operator: profile changed → cancel ctx → manager exits
    Operator->>Controller: pass CentralTLSConfigProfile

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: Configuring TLS options from Central TLS Profile' directly describes the main feature being introduced—configurable TLS options via a Central TLS Profile mechanism.
Description check	✅ Passed	The description explains the PR's purpose (introducing TLS configurability for Argo CD components), its context (OCP PQC readiness requirements), and links to a tracking issue, making it clearly related to the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/main.go`:
- Around line 156-160: The code creates a bootstrapClient using crclient.New()
and assigns any error to err, but immediately calls
tlspkg.FetchAPIServerTLSProfile() with that bootstrapClient on the next line
without checking if client creation failed. Add an error check immediately after
the crclient.New() call to verify err is nil before proceeding to use
bootstrapClient in the FetchAPIServerTLSProfile call. If err is not nil, handle
it appropriately by returning or exiting early to prevent using an invalid
client.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 719b3612-683d-49e6-8b68-a89bdc3cc706

📥 Commits

Reviewing files that changed from the base of the PR and between 9fee941 and d80dd4b.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (6)

• bundle/manifests/gitops-operator.clusterserviceversion.yaml
• cmd/main.go
• config/manager/manager.yaml
• config/rbac/role.yaml
• controllers/gitopsservice_controller.go
• go.mod

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• argoproj-labs/argocd-operator (manual)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@controllers/argocd_metrics_controller.go`:
- Around line 400-401: The comparison at line 400 in the
argocd_metrics_controller.go file compares pointer addresses instead of string
values. The condition
`existingServiceMonitor.Spec.Endpoints[0].TLSConfig.ServerName !=
&desiredMetricsServerName` compares pointer addresses, which are different each
reconciliation cycle even when the string content is identical. Fix this by
dereferencing the pointer from
existingServiceMonitor.Spec.Endpoints[0].TLSConfig.ServerName and comparing it
to the string value desiredMetricsServerName instead, so the comparison checks
actual string equality rather than pointer address equality.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e2f178de-0bcf-4924-afb8-7ee735285c8c

📥 Commits

Reviewing files that changed from the base of the PR and between d80dd4b and 82cf637.

📒 Files selected for processing (3)

• bundle/manifests/gitops-operator.clusterserviceversion.yaml
• controllers/argocd_metrics_controller.go
• test/openshift/e2e/ginkgo/parallel/1-104_validate_prometheus_alert_test.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• argoproj-labs/argocd-operator (manual)

🚧 Files skipped from review as they are similar to previous changes (1)

• bundle/manifests/gitops-operator.clusterserviceversion.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@test/openshift/e2e/ginkgo/parallel/1-066_validate_redis_secure_comm_no_autotls_no_ha_test.go`:
- Line 146: The expectedString variable contains hard-coded TLS cipher and
protocol values that lock the test to one specific TLS profile, making it fail
on clusters with different APIServer TLS profiles even when the operator is
working correctly. Instead of using the hard-coded expectedString, dynamically
read the cluster's live TLSProfileSpec from the APIServer and build the expected
Redis TLS flags (ciphers, protocols, etc.) based on the actual cluster profile
in the test before asserting against the deployment args. This can be done
either inline in the test or via a shared helper function to construct the
expected flags from the cluster's TLS profile.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4f2b652b-bc70-439f-8490-a32ba9ba55a5

📥 Commits

Reviewing files that changed from the base of the PR and between c9ee8b3 and 23d0911.

📒 Files selected for processing (2)

• test/openshift/e2e/ginkgo/parallel/1-066_validate_redis_secure_comm_no_autotls_no_ha_test.go
• test/openshift/e2e/ginkgo/parallel/1-068_validate_redis_secure_comm_autols_no_ha_test.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• argoproj-labs/argocd-operator (manual)

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Make the TLS expectation profile-aware, not hard-coded.

Line 146 locks the test to one cipher/protocol set, so it can fail on clusters with a different APIServer TLS profile even when operator behavior is correct. That also weakens validation of the PR goal (inherit cluster profile dynamically). Build expected Redis TLS flags from the live cluster TLSProfileSpec in-test (or via a shared helper) before asserting deployment args.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@test/openshift/e2e/ginkgo/parallel/1-066_validate_redis_secure_comm_no_autotls_no_ha_test.go`
at line 146, The expectedString variable contains hard-coded TLS cipher and
protocol values that lock the test to one specific TLS profile, making it fail
on clusters with different APIServer TLS profiles even when the operator is
working correctly. Instead of using the hard-coded expectedString, dynamically
read the cluster's live TLSProfileSpec from the APIServer and build the expected
Redis TLS flags (ciphers, protocols, etc.) based on the actual cluster profile
in the test before asserting against the deployment args. This can be done
either inline in the test or via a shared helper function to construct the
expected flags from the cluster's TLS profile.

[openshift-ci]

@akhilnittala: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/v4.14-kuttl-sequential	e7fc0a0	link	false	/test v4.14-kuttl-sequential
ci/prow/v4.14-e2e	e7fc0a0	link	false	/test v4.14-e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[anandf]

Why this change is required?

[akhilnittala]

this change is required for controlling the controller runtime. example reference from https://docs.google.com/document/d/1cMc9E8psHfnoK06ntR8kHSWB8d3rMtmldhnmM4nImjs/edit?tab=t.4cxmujrb3zyn#heading=h.111788dqn5nc

In main: get initial profile, create manager (with TLSOpts if you have a TLS metrics server), create context with cancel, call setupTLSProfileWatcher(ctx, mgr, cancel), then mgr.Start(ctx). When the cluster profile changes, OnProfileChange runs; typically you cancel the context so the process exits and restarts with the new profile (e.g. under a pod restart).

[akhilnittala]

/retest