Add support for TLS profiles

Use Mozilla's profiles to define TLS profiles for operator-controller
and catalogd. These are configured via command-line options, and can
be customized.

The idea is that downstream, cluster-olm-operator will be able to
glean the appropriate configuration, and provide that to the
components.

There is a semi-automatic method to update the profiles, if that
ever happens (`make update-tls-profiles`).

This adds `gojq` via bingo, which is a golang implementation of jq
for the update-tls-profiles target.

Signed-off-by: Todd Short <tshort@redhat.com>

Author: tmshort

.bingo/Variables.mk

@@ -41,6 +41,12 @@ $(CRD_REF_DOCS): $(BINGO_DIR)/crd-ref-docs.mod
 	@echo "(re)installing $(GOBIN)/crd-ref-docs-v0.1.0"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=crd-ref-docs.mod -o=$(GOBIN)/crd-ref-docs-v0.1.0 "github.com/elastic/crd-ref-docs"
 
+GOJQ := $(GOBIN)/gojq-v0.12.17
+$(GOJQ): $(BINGO_DIR)/gojq.mod
+	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
+	@echo "(re)installing $(GOBIN)/gojq-v0.12.17"
+	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=gojq.mod -o=$(GOBIN)/gojq-v0.12.17 "github.com/itchyny/gojq/cmd/gojq"
+
 GOLANGCI_LINT := $(GOBIN)/golangci-lint-v2.1.6
 $(GOLANGCI_LINT): $(BINGO_DIR)/golangci-lint.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.

.bingo/gojq.mod

@@ -0,0 +1,5 @@
+module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
+
+go 1.24.4
+
+require github.com/itchyny/gojq v0.12.17 // cmd/gojq

.bingo/gojq.sum

@@ -0,0 +1,17 @@
+github.com/itchyny/gojq v0.12.17 h1:8av8eGduDb5+rvEdaOO+zQUjA04MS0m3Ps8HiD+fceg=
+github.com/itchyny/gojq v0.12.17/go.mod h1:WBrEMkgAfAGO1LUcGOckBl5O726KPp+OlkKug0I/FEY=
+github.com/itchyny/timefmt-go v0.1.6 h1:ia3s54iciXDdzWzwaVKXZPbiXzxxnv1SPGFfM/myJ5Q=
+github.com/itchyny/timefmt-go v0.1.6/go.mod h1:RRDZYC5s9ErkjQvTvvU7keJjxUYzIISJGxm9/mAERQg=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
+github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

.bingo/variables.env

@@ -16,6 +16,8 @@ CRD_DIFF="${GOBIN}/crd-diff-v0.2.0"
 
 CRD_REF_DOCS="${GOBIN}/crd-ref-docs-v0.1.0"
 
+GOJQ="${GOBIN}/gojq-v0.12.17"
+
 GOLANGCI_LINT="${GOBIN}/golangci-lint-v2.1.6"
 
 GORELEASER="${GOBIN}/goreleaser-v1.26.2"

Makefile

@@ -189,6 +189,10 @@ fix-lint: $(GOLANGCI_LINT) #EXHELP Fix lint issues
 fmt: #EXHELP Formats code
 	go fmt ./...
 
+.PHONY: update-tls-profiles
+update-tls-profiles: $(GOJQ) #EXHELP Update TLS profiles from the Mozilla wiki
+	env JQ=$(GOJQ) hack/tools/update-tls-profiles.sh
+
 .PHONY: verify-crd-compatibility
 CRD_DIFF_ORIGINAL_REF := git://main?path=
 CRD_DIFF_UPDATED_REF := file://

cmd/catalogd/main.go

@@ -64,6 +64,7 @@ import (
 	imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image"
 	"github.com/operator-framework/operator-controller/internal/shared/util/pullsecretcache"
 	sautil "github.com/operator-framework/operator-controller/internal/shared/util/sa"
+	"github.com/operator-framework/operator-controller/internal/shared/util/tlsprofiles"
 	"github.com/operator-framework/operator-controller/internal/shared/version"
 )
 
@@ -142,6 +143,7 @@ func init() {
 	klog.InitFlags(flag.CommandLine)
 	flags.AddGoFlagSet(flag.CommandLine)
 	features.CatalogdFeatureGate.AddFlag(flags)
+	tlsprofiles.AddFlags(flags)
 
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(ocv1.AddToScheme(scheme))
@@ -216,12 +218,18 @@ func run(ctx context.Context) error {
 		// For details, see: https://github.com/kubernetes/kubernetes/issues/121197
 		config.NextProtos = []string{"http/1.1"}
 	}
+	tlsProfile, err := tlsprofiles.GetTLSConfigFunc()
+	if err != nil {
+		setupLog.Error(err, "failed to get TLS profile")
+		return err
+	}
 
 	// Create webhook server and configure TLS
 	webhookServer := crwebhook.NewServer(crwebhook.Options{
 		Port: cfg.webhookPort,
 		TLSOpts: []func(*tls.Config){
 			tlsOpts,
+			tlsProfile,
 		},
 	})
 
@@ -233,7 +241,7 @@ func run(ctx context.Context) error {
 		metricsServerOptions.SecureServing = true
 		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization
 
-		metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, tlsOpts)
+		metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, tlsOpts, tlsProfile)
 	} else {
 		// Note that the metrics server is not serving if the BindAddress is set to "0".
 		// Therefore, the metrics server is disabled by default. It is only enabled

cmd/operator-controller/main.go

@@ -82,6 +82,7 @@ import (
 	imageutil "github.com/operator-framework/operator-controller/internal/shared/util/image"
 	"github.com/operator-framework/operator-controller/internal/shared/util/pullsecretcache"
 	sautil "github.com/operator-framework/operator-controller/internal/shared/util/sa"
+	"github.com/operator-framework/operator-controller/internal/shared/util/tlsprofiles"
 	"github.com/operator-framework/operator-controller/internal/shared/version"
 )
 
@@ -166,6 +167,9 @@ func init() {
 	//add feature gate flags to flagset
 	features.OperatorControllerFeatureGate.AddFlag(flags)
 
+	//add TLS flags
+	tlsprofiles.AddFlags(flags)
+
 	ctrl.SetLogger(klog.NewKlogr())
 }
 func validateMetricsFlags() error {
@@ -274,6 +278,12 @@ func run() error {
 			// the risks. More info https://github.com/golang/go/issues/63417
 			config.NextProtos = []string{"http/1.1"}
 		})
+		tlsProfile, err := tlsprofiles.GetTLSConfigFunc()
+		if err != nil {
+			setupLog.Error(err, "failed to get TLS profile")
+			return err
+		}
+		metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, tlsProfile)
 	} else {
 		// Note that the metrics server is not serving if the BindAddress is set to "0".
 		// Therefore, the metrics server is disabled by default. It is only enabled

hack/tools/update-tls-profiles.sh

@@ -0,0 +1,56 @@
+#!/bin/env bash
+
+set -e
+
+if [ -z "${JQ}" ]; then
+    echo "JQ not defined"
+    exit 1
+fi
+
+OUTPUT=internal/shared/util/tlsprofiles/tlsprofiles_data.go
+INPUT=https://ssl-config.mozilla.org/guidelines/latest.json
+
+TMPFILE="$(mktemp)"
+trap 'rm -rf "$TMPFILE"' EXIT
+
+curl -L -s ${INPUT} > ${TMPFILE}
+
+version=$(${JQ} -r '.version' ${TMPFILE})
+
+cat > ${OUTPUT} <<EOF
+package tlsprofiles
+
+// DO NOT EDIT, GENERATED BY ${0}
+// DATA SOURCE: ${INPUT}
+// DATA VERSION: ${version}
+
+import (
+"crypto/tls"
+)
+
+var modernCiphers = []uint16{
+EOF
+${JQ} -r '.configurations.modern.ciphersuites.[] | . |= "tls." + . + ","' ${TMPFILE} >> ${OUTPUT}
+cat >> ${OUTPUT} <<EOF
+}
+
+var intermediateCiphers = []uint16{
+EOF
+
+${JQ} -r '.configurations.intermediate.ciphersuites[] | . |= "tls." + . + ","' ${TMPFILE} >> ${OUTPUT}
+${JQ} -r '.configurations.intermediate.ciphers.go[] | . |= "tls." + . + ","' ${TMPFILE} >> ${OUTPUT}
+cat >> ${OUTPUT} <<EOF
+}
+
+var oldCiphers = []uint16{
+EOF
+
+${JQ} -r '.configurations.old.ciphersuites[] | . |= "tls." + . + ","' ${TMPFILE} >> ${OUTPUT}
+${JQ} -r '.configurations.old.ciphers.go[] | . |= "tls." + . + ","' ${TMPFILE} >> ${OUTPUT}
+
+cat >> ${OUTPUT} <<EOF
+}
+EOF
+
+# Make go happy
+go fmt ${OUTPUT}