From 72f31482b53c098cfb5440c1706d471b1d0d2d89 Mon Sep 17 00:00:00 2001 From: zhujian Date: Fri, 3 Apr 2026 11:31:14 +0800 Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Add=20tls-profile-sync=20sidecar=20?= =?UTF-8?q?to=20cluster-manager=20operator?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Inject a tls-profile-sync sidecar container into the cluster-manager operator deployment for TLS profile compliance (OpenShift 4.22). The sidecar watches APIServer.spec.tlsSecurityProfile and syncs TLS settings to an ocm-tls-profile ConfigMap that OCM components consume, enabling dynamic TLS configuration without upstream OpenShift dependency. Changes: - Add strategic-merge patch and RBAC templates under hack/patches/ - Update config.yaml with patches and additional_templates for cluster-manager chart generation - Regenerate cluster-manager chart with sidecar container and RBAC - Update CRD from upstream OCM bundle Depends on: https://github.com/zhujian7/installer-dev-tools/tree/add-helm-chart-patching-support Assisted by Claude 
Signed-off-by: zhujian --- hack/bundle-automation/config.yaml | 8 ++++ hack/patches/cluster-manager-tls-sidecar.yaml | 39 +++++++++++++++++++ .../cluster-manager-tls-sync-clusterrole.yaml | 24 ++++++++++++ ...r-manager-tls-sync-clusterrolebinding.yaml | 12 ++++++ .../cluster-manager-tls-sync-clusterrole.yaml | 24 ++++++++++++ ...r-manager-tls-sync-clusterrolebinding.yaml | 12 ++++++ .../templates/cluster-manager.yaml | 33 ++++++++++++++++ .../charts/toggle/cluster-manager/values.yaml | 1 + ...cluster-management.io_clustermanagers.yaml | 35 +++++++++++++++++ pkg/templates/rbac_gen.go | 2 + 10 files changed, 190 insertions(+) create mode 100644 hack/patches/cluster-manager-tls-sidecar.yaml create mode 100644 hack/patches/cluster-manager-tls-sync-clusterrole.yaml create mode 100644 hack/patches/cluster-manager-tls-sync-clusterrolebinding.yaml create mode 100644 pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrole.yaml create mode 100644 pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrolebinding.yaml diff --git a/hack/bundle-automation/config.yaml b/hack/bundle-automation/config.yaml index a333b71ec..db1549697 100644 --- a/hack/bundle-automation/config.yaml +++ b/hack/bundle-automation/config.yaml @@ -43,7 +43,15 @@ - readOnlyRootFilesystem imageMappings: registration-operator: registration_operator + managedcluster-import-controller: managedcluster_import_controller name: cluster-manager + patches: + - target: cluster-manager.yaml + path: ../patches/cluster-manager-tls-sidecar.yaml + type: strategic-merge + additional_templates: + - ../patches/cluster-manager-tls-sync-clusterrole.yaml + - ../patches/cluster-manager-tls-sync-clusterrolebinding.yaml repo_name: registration-operator - branch: backplane-2.17 diff --git a/hack/patches/cluster-manager-tls-sidecar.yaml b/hack/patches/cluster-manager-tls-sidecar.yaml new file mode 100644 index 000000000..d9585f3dd --- /dev/null 
+++ b/hack/patches/cluster-manager-tls-sidecar.yaml
@@ -0,0 +1,39 @@
+# Strategic merge patch: adds tls-profile-sync sidecar to cluster-manager deployment.
+# The sidecar watches OpenShift APIServer.spec.tlsSecurityProfile and syncs it
+# to an ocm-tls-profile ConfigMap for OCM components to consume.
+#
+# This is a pure YAML patch applied before injectRequirements(). The placeholder
+# image 'managedcluster-import-controller' is converted to a Helm template variable
+# by fixImageReferences() via the imageMapping in config.yaml.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cluster-manager
+spec:
+ template:
+ spec:
+ containers:
+ - name: registration-operator
+ - name: tls-profile-sync
+ image: managedcluster-import-controller
+ command:
+ - /usr/local/bin/tls-profile-sync
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
diff --git a/hack/patches/cluster-manager-tls-sync-clusterrole.yaml b/hack/patches/cluster-manager-tls-sync-clusterrole.yaml
new file mode 100644
index 000000000..dba50b136
--- /dev/null
+++ b/hack/patches/cluster-manager-tls-sync-clusterrole.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tls-profile-sync
+rules:
+- apiGroups:
+ - config.openshift.io
+ resources:
+ - apiservers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
diff --git a/hack/patches/cluster-manager-tls-sync-clusterrolebinding.yaml b/hack/patches/cluster-manager-tls-sync-clusterrolebinding.yaml
new file mode 100644
index 000000000..767623ca2
--- /dev/null
+++ b/hack/patches/cluster-manager-tls-sync-clusterrolebinding.yaml
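Review bot: The sidecar sets `readOnlyRootFilesystem: true` but declares no volumeMounts, whereas the container that precedes it in the generated deployment mounts `tmpdir` at `/tmp` (visible in the cluster-manager.yaml context lines); if `/usr/local/bin/tls-profile-sync` writes any scratch file, that will only surface as a runtime failure. If the binary needs scratch space, add `volumeMounts:` / `- mountPath: /tmp` / `  name: tmpdir` to the sidecar entry so it reuses the pod's existing volume. The securityContext also omits `seccompProfile`; the restricted Pod Security profile expects `seccompProfile: {type: RuntimeDefault}`, so either add it here or confirm that injectRequirements(), which the file comment says runs after this patch, injects it. The same observations apply to the regenerated container in pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager.yaml.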
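Review bot: The `tls-profile-sync` ClusterRole grants create/update/patch on configmaps in every namespace, while the sidecar only needs to write the ocm-tls-profile ConfigMap in its own namespace (it takes POD_NAMESPACE from the downward API). Because the binding is a ClusterRoleBinding on the shared `cluster-manager` ServiceAccount, every container using that account gains cluster-wide ConfigMap write; moving the configmaps rule into a Role/RoleBinding scoped to `{{ .Values.global.namespace }}` would satisfy least privilege, and the `apiservers` rule, being cluster-scoped, can stay in the ClusterRole. If the ConfigMap name is fixed, `update` and `patch` can further be limited with a separate rule carrying `resourceNames: [ocm-tls-profile]` (create cannot be name-restricted). The same rule set is repeated in pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrole.yaml and in the added configmaps marker in pkg/templates/rbac_gen.go.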
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tls-profile-sync
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tls-profile-sync
+subjects:
+- kind: ServiceAccount
+ name: cluster-manager
+ namespace: '{{ .Values.global.namespace }}'
diff --git a/pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrole.yaml b/pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrole.yaml
new file mode 100644
index 000000000..d217b1f42
--- /dev/null
+++ b/pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrole.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: '{{ .Values.org }}:{{ .Chart.Name }}:tls-profile-sync'
+rules:
+- apiGroups:
+ - config.openshift.io
+ resources:
+ - apiservers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
diff --git a/pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrolebinding.yaml b/pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrolebinding.yaml
new file mode 100644
index 000000000..51b316320
--- /dev/null
+++ b/pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: '{{ .Values.org }}:{{ .Chart.Name }}:tls-profile-sync'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ .Values.org }}:{{ .Chart.Name }}:tls-profile-sync'
+subjects:
+- kind: ServiceAccount
+ name: cluster-manager
+ namespace: '{{ .Values.global.namespace }}'
diff --git a/pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager.yaml b/pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager.yaml index ddec0660d..e23bd8295 100644 --- a/pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager.yaml +++ b/pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager.yaml @@ -86,6 +86,39 @@ spec: volumeMounts: - mountPath: /tmp name: tmpdir + - command: + - /usr/local/bin/tls-profile-sync + env: +{{- if .Values.hubconfig.proxyConfigs }} + - name: HTTP_PROXY + value: {{ .Values.hubconfig.proxyConfigs.HTTP_PROXY }} + - name: HTTPS_PROXY + value: {{ .Values.hubconfig.proxyConfigs.HTTPS_PROXY }} + - name: NO_PROXY + value: {{ .Values.hubconfig.proxyConfigs.NO_PROXY }} +{{- end }} + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: '{{ .Values.global.imageOverrides.managedcluster_import_controller + }}' + imagePullPolicy: '{{ .Values.global.pullPolicy }}' + name: tls-profile-sync + resources: + limits: + memory: 128Mi + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true hostIPC: false hostNetwork: false hostPID: false diff --git a/pkg/templates/charts/toggle/cluster-manager/values.yaml b/pkg/templates/charts/toggle/cluster-manager/values.yaml index a4d1aa4f2..48d2aae62 100644 --- a/pkg/templates/charts/toggle/cluster-manager/values.yaml +++ b/pkg/templates/charts/toggle/cluster-manager/values.yaml @@ -1,6 +1,7 @@ global: deployOnOCP: true imageOverrides: + managedcluster_import_controller: '' registration_operator: '' namespace: default pullSecret: null diff --git a/pkg/templates/crds/cluster-manager/operator.open-cluster-management.io_clustermanagers.yaml b/pkg/templates/crds/cluster-manager/operator.open-cluster-management.io_clustermanagers.yaml index ad54f2df0..a6b5d7f7e 100644 
--- a/pkg/templates/crds/cluster-manager/operator.open-cluster-management.io_clustermanagers.yaml +++ b/pkg/templates/crds/cluster-manager/operator.open-cluster-management.io_clustermanagers.yaml @@ -398,6 +398,41 @@ spec: type: object type: array type: object + placementConfiguration: + description: placementConfiguration contains the configuration of + placement + properties: + featureGates: + description: "FeatureGates represents the list of feature gates + for placement\nIf it is set empty, default feature gates will + be used.\nIf it is set, featuregate/Foo is an example of one + item in FeatureGates:\n 1. If featuregate/Foo does not exist, + registration-operator will discard it\n 2. If featuregate/Foo + exists and is false by default. It is now possible to set featuregate/Foo=[false|true]\n + \ 3. If featuregate/Foo exists and is true by default. If a + cluster-admin upgrading from 1 to 2 wants to continue having + featuregate/Foo=false,\n \the can set featuregate/Foo=false + before upgrading. Let's say the cluster-admin wants featuregate/Foo=false." + items: + properties: + feature: + description: Feature is the key of feature gate. e.g. featuregate/Foo. + type: string + mode: + default: Disable + description: |- + Mode is either Enable, Disable, "" where "" is Disable by default. + In Enable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=true". + In Disable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=false". + enum: + - Enable + - Disable + type: string + required: + - feature + type: object + type: array + type: object placementImagePullSpec: default: quay.io/open-cluster-management/placement description: placementImagePullSpec represents the desired image configuration diff --git a/pkg/templates/rbac_gen.go b/pkg/templates/rbac_gen.go index 36195c9b6..412be69d2 100644 --- a/pkg/templates/rbac_gen.go +++ b/pkg/templates/rbac_gen.go 
@@ -12,6 +12,7 @@ package main
 //+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;patch;update;watch
 //+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;patch;update;watch
 //+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;patch;update;watch
+//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
@@ -394,6 +395,7 @@ package main
 //+kubebuilder:rbac:groups=config.openshift.io,resources=apiservers,verbs=get;list;watch
 //+kubebuilder:rbac:groups=config.openshift.io,resources=apiservers,verbs=get;list;watch
 //+kubebuilder:rbac:groups=config.openshift.io,resources=apiservers,verbs=get;list;watch
+//+kubebuilder:rbac:groups=config.openshift.io,resources=apiservers,verbs=get;list;watch
 //+kubebuilder:rbac:groups=config.openshift.io,resources=apiservers;authentications,verbs=list;get;watch
 //+kubebuilder:rbac:groups=config.openshift.io,resources=apiservers;proxies,verbs=get;list;watch
 //+kubebuilder:rbac:groups=config.openshift.io,resources=clusteroperators;clusterversions;dnses;infrastructures;proxies,verbs=get;list;watch