✨ Add tls-profile-sync sidecar to cluster-manager operator

hack/bundle-automation/config.yaml

@@ -43,7 +43,15 @@
     - readOnlyRootFilesystem
     imageMappings:
       registration-operator: registration_operator
+      managedcluster-import-controller: managedcluster_import_controller
     name: cluster-manager
+    patches:
+    - target: cluster-manager.yaml
+      path: ../patches/cluster-manager-tls-sidecar.yaml
+      type: strategic-merge
+    additional_templates:
+    - ../patches/cluster-manager-tls-sync-clusterrole.yaml
+    - ../patches/cluster-manager-tls-sync-clusterrolebinding.yaml
   repo_name: registration-operator
 
 - branch: backplane-2.17

hack/patches/cluster-manager-tls-sidecar.yaml

@@ -0,0 +1,39 @@
+# Strategic merge patch: adds tls-profile-sync sidecar to cluster-manager deployment.
+# The sidecar watches OpenShift APIServer.spec.tlsSecurityProfile and syncs it
+# to an ocm-tls-profile ConfigMap for OCM components to consume.
+#
+# This is a pure YAML patch applied before injectRequirements(). The placeholder
+# image 'managedcluster-import-controller' is converted to a Helm template variable
+# by fixImageReferences() via the imageMapping in config.yaml.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cluster-manager
+spec:
+  template:
+    spec:
+      containers:
+      - name: registration-operator
+      - name: tls-profile-sync
+        image: managedcluster-import-controller
+        command:
+        - /usr/local/bin/tls-profile-sync
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        resources:
+          requests:
+            cpu: 10m
+            memory: 32Mi
+          limits:
+            memory: 128Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true

hack/patches/cluster-manager-tls-sync-clusterrole.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tls-profile-sync
+rules:
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch

hack/patches/cluster-manager-tls-sync-clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tls-profile-sync
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tls-profile-sync
+subjects:
+- kind: ServiceAccount
+  name: cluster-manager
+  namespace: '{{ .Values.global.namespace }}'

pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrole.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: '{{ .Values.org }}:{{ .Chart.Name }}:tls-profile-sync'
+rules:
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch

pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager-tls-sync-clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: '{{ .Values.org }}:{{ .Chart.Name }}:tls-profile-sync'
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ .Values.org }}:{{ .Chart.Name }}:tls-profile-sync'
+subjects:
+- kind: ServiceAccount
+  name: cluster-manager
+  namespace: '{{ .Values.global.namespace }}'

pkg/templates/charts/toggle/cluster-manager/templates/cluster-manager.yaml

@@ -86,6 +86,39 @@ spec:
         volumeMounts:
         - mountPath: /tmp
           name: tmpdir
+      - command:
+        - /usr/local/bin/tls-profile-sync
+        env:
+{{- if .Values.hubconfig.proxyConfigs }}
+        - name: HTTP_PROXY
+          value: {{ .Values.hubconfig.proxyConfigs.HTTP_PROXY }}
+        - name: HTTPS_PROXY
+          value: {{ .Values.hubconfig.proxyConfigs.HTTPS_PROXY }}
+        - name: NO_PROXY
+          value: {{ .Values.hubconfig.proxyConfigs.NO_PROXY }}
+{{- end }}
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: '{{ .Values.global.imageOverrides.managedcluster_import_controller
+          }}'
+        imagePullPolicy: '{{ .Values.global.pullPolicy }}'
+        name: tls-profile-sync
+        resources:
+          limits:
+            memory: 128Mi
+          requests:
+            cpu: 10m
+            memory: 32Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
       hostIPC: false
       hostNetwork: false
       hostPID: false

pkg/templates/charts/toggle/cluster-manager/values.yaml

@@ -1,6 +1,7 @@
 global:
   deployOnOCP: true
   imageOverrides:
+    managedcluster_import_controller: ''
     registration_operator: ''
   namespace: default
   pullSecret: null

pkg/templates/crds/cluster-manager/operator.open-cluster-management.io_clustermanagers.yaml

@@ -398,6 +398,41 @@ spec:
                       type: object
                     type: array
                 type: object
+              placementConfiguration:
+                description: placementConfiguration contains the configuration of
+                  placement
+                properties:
+                  featureGates:
+                    description: "FeatureGates represents the list of feature gates
+                      for placement\nIf it is set empty, default feature gates will
+                      be used.\nIf it is set, featuregate/Foo is an example of one
+                      item in FeatureGates:\n  1. If featuregate/Foo does not exist,
+                      registration-operator will discard it\n  2. If featuregate/Foo
+                      exists and is false by default. It is now possible to set featuregate/Foo=[false|true]\n
+                      \ 3. If featuregate/Foo exists and is true by default. If a
+                      cluster-admin upgrading from 1 to 2 wants to continue having
+                      featuregate/Foo=false,\n \the can set featuregate/Foo=false
+                      before upgrading. Let's say the cluster-admin wants featuregate/Foo=false."
+                    items:
+                      properties:
+                        feature:
+                          description: Feature is the key of feature gate. e.g. featuregate/Foo.
+                          type: string
+                        mode:
+                          default: Disable
+                          description: |-
+                            Mode is either Enable, Disable, "" where "" is Disable by default.
+                            In Enable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=true".
+                            In Disable mode, a valid feature gate `featuregate/Foo` will be set to "--featuregate/Foo=false".
+                          enum:
+                          - Enable
+                          - Disable
+                          type: string
+                      required:
+                      - feature
+                      type: object
+                    type: array
+                type: object
               placementImagePullSpec:
                 default: quay.io/open-cluster-management/placement
                 description: placementImagePullSpec represents the desired image configuration