✨ Add tls-profile-sync sidecar to cluster-manager operator

[zhujian7]

Description

Add a tls-profile-sync sidecar container to the cluster-manager operator deployment for TLS profile compliance (OpenShift 4.22 requirement, ACM-26882).

The sidecar watches APIServer.spec.tlsSecurityProfile and syncs TLS settings to an ocm-tls-profile ConfigMap that upstream OCM components can consume, enabling dynamic TLS configuration without depending on OpenShift APIs.

Related Issue

• ACM-26882: Central TLS Profile consistency
• Design doc: 📖 Add TLS Profile Compliance Design document managedcluster-import-controller#1027
• Sidecar implementation (spoke-side): ✨ Add tls-profile-sync sidecar for OpenShift TLS profile compliance managedcluster-import-controller#1032

Changes Made

• hack/patches/cluster-manager-tls-sidecar.yaml — Strategic merge patch adding the tls-profile-sync sidecar container to the cluster-manager deployment. Uses managedcluster-import-controller image which bundles the sidecar binary.
• hack/patches/cluster-manager-tls-sync-clusterrole.yaml — RBAC ClusterRole for watching config.openshift.io/apiservers and managing configmaps.
• hack/patches/cluster-manager-tls-sync-clusterrolebinding.yaml — ClusterRoleBinding binding the role to the cluster-manager ServiceAccount.
• hack/bundle-automation/config.yaml — Added patches, additional_templates, and imageMappings entries for the sidecar.
• pkg/templates/charts/toggle/cluster-manager/ — Regenerated chart templates with sidecar container, RBAC, and updated values.yaml.
• pkg/templates/crds/cluster-manager/ — Updated CRD from upstream OCM bundle.

How it works

The chart generation pipeline (installer-dev-tools) applies the strategic merge patch to the cluster-manager deployment template before injectRequirements() runs. This means:

1. The sidecar container is merged into the deployment as pure YAML
2. fixImageReferences() converts the placeholder image to a Helm template variable
3. updateDeployments() adds standard Helm flow control (proxy env vars, security context, etc.)

Dependencies

• Requires installer-dev-tools: add-helm-chart-patching-support for the patches and additional_templates support in bundles-to-charts.py.

Checklist

• I have tested the changes locally and they are functioning as expected.
• I have updated the documentation (if necessary) to reflect the changes.
• I have added/updated relevant unit tests (if applicable).
• I have ensured that my code follows the project's coding standards.
• I have checked for any potential security issues and addressed them.
• I have added necessary comments to the code, especially in complex or unclear sections.
• I have rebased my branch on top of the latest main/master branch.

Additional Notes

• The sidecar gracefully handles non-OpenShift clusters (detects missing CRD, sleeps instead of crash-looping) — handled in the sidecar implementation itself.
• The sidecar image is the same managedcluster-import-controller image used on the spoke side, which bundles the tls-profile-sync binary.

Assisted by Claude

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: zhujian7
Once this PR has been reviewed and has the lgtm label, please assign ngraham20 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Warning

Rate limit exceeded

@zhujian7 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 5 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 7 minutes and 5 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 48c75413-6759-4035-aed3-4a0e43cd49bd

📥 Commits

Reviewing files that changed from the base of the PR and between 26e5420 and 72f3148.

📒 Files selected for processing (10)

• hack/bundle-automation/config.yaml
• hack/patches/cluster-manager-tls-sidecar.yaml
• hack/patches/cluster-manager-tls-sync-clusterrole.yaml
• hack/patches/cluster-manager-tls-sync-clusterrolebinding.yaml
• pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrole.yaml
• pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrolebinding.yaml
• pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager.yaml
• pkg/templates/charts/toggle/cluster-manager/values.yaml
• pkg/templates/crds/cluster-manager/operator.open-cluster-management.io_clustermanagers.yaml
• pkg/templates/rbac_gen.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[zhujian7]

/hold

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.