CNTRLPLANE-2621: Restart operator when TLS config changes

[vincentdephily]

Updated config is injected by cluster-version-operator.

CNTRLPLANE-2621: Assess TLSv1.2 usage on openshift-etcd-operator ports

[openshift-ci-robot]

@vincentdephily: This pull request references CNTRLPLANE-2621 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Updated config is injected by cluster-version-operator.

CNTRLPLANE-2621: Assess TLSv1.2 usage on openshift-etcd-operator ports

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5d5ea6e8-1433-4aa5-a777-de283dbf392e

📥 Commits

Reviewing files that changed from the base of the PR and between 83f0833 and a79ec72.

📒 Files selected for processing (2)

• manifests/0000_20_etcd-operator_03_configmap.yaml
• manifests/0000_20_etcd-operator_06_deployment.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• manifests/0000_20_etcd-operator_06_deployment.yaml
• manifests/0000_20_etcd-operator_03_configmap.yaml

---

Walkthrough

The etcd-operator ConfigMap gained a TLS injection annotation and its embedded operator config had the servingInfo stanza (cipher suites and minTLSVersion: VersionTLS12) removed. The operator Deployment command gained an additional --terminate-on-files=/var/run/configmaps/config/config.yaml argument.

Changes

Cohort / File(s)	Summary
ConfigMap changes manifests/0000_20_etcd-operator_03_configmap.yaml	Added metadata.annotations: config.openshift.io/inject-tls: "true"; removed servingInfo block (removed cipherSuites list and minTLSVersion: VersionTLS12) from data.config.yaml.
Deployment args manifests/0000_20_etcd-operator_06_deployment.yaml	Added --terminate-on-files=/var/run/configmaps/config/config.yaml to the cluster-etcd-operator container args (existing args retained).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding TLS configuration injection and operator restart capability, which aligns with the ConfigMap annotation addition and deployment argument changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR modifies only Kubernetes manifest YAML files, not test code. Custom check for stable test names applies only to test frameworks and does not apply here.
Test Structure And Quality	✅ Passed	The PR only modifies manifest YAML files and contains no test code changes, making the test structure and quality check not applicable.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@vincentdephily: This pull request references CNTRLPLANE-2621 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Updated config is injected by cluster-version-operator.

CNTRLPLANE-2621: Assess TLSv1.2 usage on openshift-etcd-operator ports

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@vincentdephily: This pull request references CNTRLPLANE-2621 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Updated config is injected by cluster-version-operator.

CNTRLPLANE-2621: Assess TLSv1.2 usage on openshift-etcd-operator ports

Summary by CodeRabbit

• Improvements
• Enhanced TLS certificate injection configuration for improved security
• Improved graceful shutdown handling with configuration file monitoring

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[lance5890]

related to #1477

[lance5890]

maybe we should revert this https://github.com/openshift/cluster-etcd-operator/pull/1477/changes

[tjungblu]

@vincentdephily what's that annotation doing? because I think that CVO will continue to reconcile that configmap in case anything is injected there.

If so, we indeed need to revert the ciphers coming from #1477

[vincentdephily]

@tjungblu That annotation asks CVO to overwrite minTLSVersion and cipherSuites to the value configured cluster-wide.

The values set in etcd's manifest would be used for the initial startup, or if no cluster-wide value is set (a valid choice for the user to make). In other words, they're like a default value.

Unless there is an etcd-specific reason to change Go's default tls config, you should probably do like other operators and let CVO handle this via the annotation.

On that note, comparing your list with go's defaults looks like you've selected old ciphers, possibly limiting the protocol to TLS1.2. Why is that @lance5890 ? I would have expected the default to either be maximally-compatible or maximally-modern.

[tjungblu]

you should probably do like other operators and let CVO handle this via the annotation.

Agreed. Do you mind to commit a revert of #1477 here too? I'm lgtm otherwise

[lance5890]

yes, please feel free to revert my previous commit using git revert 3967769423fc86a65f8e5399c8b614b09580259e

[lance5890]

git revert 3967769

[lance5890]

yes, please feel free to revert my previous commit using git revert 3967769423fc86a65f8e5399c8b614b09580259e

[lance5890]

/assign

[openshift-ci-robot]

@vincentdephily: This pull request references CNTRLPLANE-2621 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Updated config is injected by cluster-version-operator.

CNTRLPLANE-2621: Assess TLSv1.2 usage on openshift-etcd-operator ports

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vincentdephily]

Reverted 3967769

[tjungblu]

/retest-required

[tjungblu]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tjungblu, vincentdephily

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [tjungblu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ingvagabund]

/verified by CVO testing

[openshift-ci-robot]

@ingvagabund: This PR has been marked as verified by CVO testing.

Details

In response to this:

/verified by CVO testing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ingvagabund]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD f4f878f and 2 for PR HEAD a79ec72 in total

[openshift-ci]

@vincentdephily: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.