HIVE-3007: hiveadmission: TLS config from APIServer

go.mod

@@ -34,6 +34,7 @@ require (
 	github.com/onsi/gomega v1.37.0
 	github.com/openshift/api v0.0.0-20250313134101-8a7efbfb5316
 	github.com/openshift/build-machinery-go v0.0.0-20240613134303-8359781da660
+	github.com/openshift/client-go v0.0.0-20241203091221-452dfb8fa071
 	github.com/openshift/cluster-autoscaler-operator v0.0.1-0.20250219201631-227f7537c3b4
 	github.com/openshift/generic-admission-server v1.14.1-0.20250715141119-66c5d0a9c5e6
 	github.com/openshift/hive/apis v0.0.0
@@ -272,6 +273,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jgautheron/goconst v1.7.1 // indirect
 	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
@@ -323,7 +325,6 @@ require (
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/openshift/client-go v0.0.0-20241203091221-452dfb8fa071 // indirect
 	github.com/openshift/cloud-credential-operator v0.0.0-20240404165937-5e8812d64187 // indirect
 	github.com/ovirt/go-ovirt v0.0.0-20210809163552-d4276e35d3db // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
@@ -336,6 +337,7 @@ require (
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
 	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
 	github.com/raeperd/recvcheck v0.2.0 // indirect
+	github.com/robfig/cron v1.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/ryancurrah/gomodguard v1.3.5 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect

go.sum

@@ -571,6 +571,8 @@ github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSo
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
+github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
@@ -853,6 +855,8 @@ github.com/raeperd/recvcheck v0.2.0/go.mod h1:n04eYkwIR0JbgD73wT8wL4JjPC3wm0nFtz
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
+github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=

pkg/operator/hive/dynamicclient.go

@@ -38,6 +38,8 @@ func (r *ReconcileHiveConfig) clientFor(blankObj runtime.Object, namespace strin
 		c = dc.Resource(corev1.SchemeGroupVersion.WithResource("namespaces"))
 	case *configv1.ProxyList, *configv1.Proxy:
 		c = dc.Resource(configv1.SchemeGroupVersion.WithResource("proxies"))
+	case *configv1.APIServerList, *configv1.APIServer:
+		c = dc.Resource(configv1.SchemeGroupVersion.WithResource("apiservers"))
 	case *corev1.SecretList, *corev1.Secret:
 		c = dc.Resource(corev1.SchemeGroupVersion.WithResource("secrets"))
 	case *corev1.ServiceAccountList, *corev1.ServiceAccount:

pkg/operator/hive/hive_controller.go

@@ -88,6 +88,7 @@ func newReconciler(mgr manager.Manager) reconcile.Reconciler {
 	}
 }
 
+// TODO: I would think we could get `src` from `T`, no?
 func mapToHiveConfig[T client.Object](r reconcile.Reconciler, src string) func(context.Context, T) []reconcile.Request {
 	return func(ctx context.Context, _ T) []reconcile.Request {
 		retval := []reconcile.Request{}
@@ -288,6 +289,13 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 		return err
 	}
 
+	// Watch the APIServer for TLS config changes
+	err = c.Watch(source.Kind(mgr.GetCache(), &configv1.APIServer{},
+		handler.TypedEnqueueRequestsFromMapFunc(mapToHiveConfig[*configv1.APIServer](r, "APIServer"))))
+	if err != nil {
+		return err
+	}
+
 	// Fetch some common configuration from the hive-operator. All hive components should all be
 	// using the same image, pull policy, and other common shared configurations.
 	operatorDeployment := &appsv1.Deployment{}

pkg/operator/hive/hiveadmission.go

@@ -3,6 +3,7 @@ package hive
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
@@ -12,13 +13,22 @@ import (
 	controllerutils "github.com/openshift/hive/pkg/controller/utils"
 	"github.com/openshift/hive/pkg/operator/assets"
 	"github.com/openshift/hive/pkg/resource"
+	logrusutil "github.com/openshift/hive/pkg/util/logrus"
 
+	configv1 "github.com/openshift/api/config/v1"
+	configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
+	"github.com/openshift/library-go/pkg/operator/configobserver/apiserver"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceread"
+	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
 
 	admregv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/client-go/tools/cache"
 	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 )
 
@@ -150,6 +160,10 @@ func (r *ReconcileHiveConfig) deployHiveAdmission(hLog log.FieldLogger, h resour
 	addConfigVolume(&hiveAdmDeployment.Spec.Template.Spec, r.supportedContractsConfigMapInfo(hLog), hiveAdmContainer)
 	addReleaseImageVerificationConfigMapEnv(hiveAdmContainer, instance)
 
+	if err := r.populateTLSConfig(hiveAdmContainer, hLog); err != nil {
+		return err
+	}
+
 	validatingWebhooks := make([]*admregv1.ValidatingWebhookConfiguration, len(webhookAssets))
 	for i, yaml := range webhookAssets {
 		validatingWebhooks[i] = readRuntimeObjectOrDie[*admregv1.ValidatingWebhookConfiguration](
@@ -215,6 +229,88 @@ func (r *ReconcileHiveConfig) deployHiveAdmission(hLog log.FieldLogger, h resour
 	return nil
 }
 
+// directAPIServerLister implements apiserver.APIServerLister by making direct API calls
+type directAPIServerLister struct {
+	reconciler *ReconcileHiveConfig
+}
+
+// PreRunHasSynced implements configobserver.Listers, minimally, because we're not caching.
+func (d *directAPIServerLister) PreRunHasSynced() []cache.InformerSynced {
+	return []cache.InformerSynced{}
+}
+
+// ResourceSyncer implements configobserver.Listers, but not really, because we're not caching.
+func (d *directAPIServerLister) ResourceSyncer() resourcesynccontroller.ResourceSyncer {
+	return nil
+}
+
+func (d *directAPIServerLister) APIServerLister() configlistersv1.APIServerLister {
+	return &directLister{reconciler: d.reconciler}
+}
+
+// directLister implements configlistersv1.APIServerLister with direct API calls via reconciler
+type directLister struct {
+	reconciler *ReconcileHiveConfig
+}
+
+func (d *directLister) List(selector labels.Selector) ([]*configv1.APIServer, error) {
+	list := &configv1.APIServerList{}
+	if err := d.reconciler.List(context.TODO(), list, "", metav1.ListOptions{}); err != nil {
+		return nil, err
+	}
+	result := make([]*configv1.APIServer, len(list.Items))
+	for i := range list.Items {
+		result[i] = &list.Items[i]
+	}
+	return result, nil
+}
+
+func (d *directLister) Get(name string) (*configv1.APIServer, error) {
+	apiServer := &configv1.APIServer{}
+	if err := d.reconciler.Get(context.TODO(), types.NamespacedName{Name: name}, apiServer); err != nil {
+		return nil, err
+	}
+	return apiServer, nil
+}
+
+func (r *ReconcileHiveConfig) populateTLSConfig(hiveAdmContainer *corev1.Container, hLog log.FieldLogger) error {
+	observedConfig, errs := apiserver.ObserveTLSSecurityProfileToArguments(
+		&directAPIServerLister{reconciler: r},
+		logrusutil.NewLoggingEventRecorder(hLog, "hiveadmission-tls-config"),
+		map[string]interface{}{})
+
+	if len(errs) > 0 {
+		return errors.Wrap(utilerrors.NewAggregate(errs), "failed to discover global TLS config from APIServer cluster")
+	}
+
+	hLog.WithField("config", observedConfig).Debug("observed TLS config")
+
+	if len(observedConfig) == 0 {
+		return errors.New("observed TLS config was empty")
+	}
+
+	asa, tlsmvk, tlscsk := "apiServerArguments", "tls-min-version", "tls-cipher-suites"
+
+	tlsmv, found, err := unstructured.NestedString(observedConfig, asa, tlsmvk)
+	if !found || err != nil {
+		return errors.Wrapf(err, "could not find %s.%s in observed TLS config %v", asa, tlsmvk, observedConfig)
+	}
+	tlscs, found, err := unstructured.NestedStringSlice(observedConfig, asa, tlscsk)
+	if !found || err != nil {
+		return errors.Wrapf(err, "could not find %s.%s in observed TLS config %v", asa, tlscsk, observedConfig)
+	}
+
+	// NOTE: These arguments (--tls-min-version, --tls-cipher-suites) are expected to be *absent*
+	// from the container we're given.
+	hiveAdmContainer.Command = append(
+		hiveAdmContainer.Command,
+		fmt.Sprintf("--%s=%s", tlsmvk, tlsmv),
+		fmt.Sprintf("--%s=%s", tlscsk, strings.Join(tlscs, ",")),
+	)
+
+	return nil
+}
+
 // Modern OpenShift injects two ConfigMaps into every namespace. One contains the service CA cert;
 // the other the kube root CA cert.
 func (r *ReconcileHiveConfig) getCACertsOpenShift(hLog log.FieldLogger, hiveNSName string) ([]byte, []byte, error) {