Add tls pkg by damdo · Pull Request #2 · openshift/controller-runtime-common

damdo · 2026-01-29T15:55:43Z

Stacked PR on top of #1

/hold

For #1 to merge first

joelanford

No need for this repo to have a vendor directory. That's only needed in repos that build images for OCP.

joelanford · 2026-02-02T17:49:15Z

+	// Shutdown is a function that will be called to trigger a graceful shutdown
+	// when the TLS profile changes.
+	Shutdown context.CancelFunc


WDYT about changing this to a general-purpose callback function that includes context about the old and new TLS profile?

Yeah that's a good idea, so the consumers can tweak their own logging if needed.
I've pushed a change for this. PTAL

joelanford · 2026-02-02T17:52:17Z

+			Eventually(shutdownCnt.Load).Should(Equal(int32(1)), "shutdown count should be 1 (shutdown triggered)")
+		})
+
+		It("should trigger a shutdown when switching to custom profile", func() {


What if the custom profile definition is identical to the pre-defined profile they were switching from? Seems like we may want to do a comparison of the actual TLS settings?

Seems like we may want to do a comparison of the actual TLS settings?

That's what we do already.

I've now added a test to cover this use case and demonstrate correct behaviour.

joelanford · 2026-02-02T17:53:11Z

+			Eventually(shutdownCnt.Load).Should(Equal(int32(1)), "shutdown count should be 1 (shutdown triggered)")
+		})
+
+		It("should trigger a shutdown when switching from custom to predefined profile", func() {


Same question as above, just in the reverse.

That's what we do already.

I've now added a test to cover this use case and demonstrate correct behaviour.

joelanford · 2026-02-02T17:56:04Z

Seems unrelated to controller-runtime and TLS?

It is needed to achieve the CRD loading for envtest based tests given we want to drop the vendor folder.
I had a chat with Joel about this, and we settled on looking those CRDs up from the gomod cache's folder, hence the package to do that. I can always do it inline but that's going to be copy-pasta in almost all the integration tests.

See its usage here: https://github.com/openshift/controller-runtime-common/pull/2/files#diff-47e880f6dcccfa8d22daf7e14a3bd3e45bab1cd723f76bc5e8753e94358428b7R62

Ack, makes sense. And that's a good justification for including here because envtest is so pervasive and needing to install CRDs from repos is a fairly common thing.

Maybe this turns into a nit-level suggestion then of making it obvious this is a test utility. Maybe like pkg/testutils/envtest? But totally a nit. Naming is hard ™️.

Ok, cool, I've moved this to said pkg. TY

damdo · 2026-02-03T16:02:48Z

@joelanford I've addressed all comments, this is ready for a second pass review.

joelanford · 2026-02-04T16:00:00Z

/lgtm
/approve

openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 29, 2026

damdo force-pushed the add-tls-pkg branch from d5cd5fd to 4b32b18 Compare January 29, 2026 17:23

joelanford reviewed Jan 31, 2026

View reviewed changes

Comment thread pkg/tls/tls.go Outdated

damdo force-pushed the add-tls-pkg branch from 4b32b18 to fc5f5d1 Compare February 2, 2026 16:24

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 2, 2026

damdo force-pushed the add-tls-pkg branch from fc5f5d1 to fff3dfb Compare February 2, 2026 17:41

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 2, 2026

damdo force-pushed the add-tls-pkg branch from fff3dfb to f04b3e0 Compare February 2, 2026 17:43

damdo mentioned this pull request Feb 2, 2026

Add controller-runtime based tls pkg openshift/library-go#2082

Closed

joelanford reviewed Feb 2, 2026

View reviewed changes

damdo mentioned this pull request Feb 3, 2026

crypto: add DefaultTLSProfileType const openshift/library-go#2111

Merged

damdo force-pushed the add-tls-pkg branch 4 times, most recently from 237ce42 to 03fa978 Compare February 3, 2026 15:59

damdo requested a review from joelanford February 3, 2026 16:02

damdo force-pushed the add-tls-pkg branch from 03fa978 to 32b726f Compare February 3, 2026 18:16

pkg: add tls pkg

ab84f25

damdo force-pushed the add-tls-pkg branch from 32b726f to ab84f25 Compare February 4, 2026 10:28

joelanford approved these changes Feb 4, 2026

View reviewed changes

openshift-ci Bot assigned joelanford Feb 4, 2026

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Feb 4, 2026

damdo merged commit 9b165b4 into openshift:main Feb 4, 2026

bharath-b-rh mentioned this pull request May 19, 2026

CM-966: Apply cluster TLS security profile to cert-manager operands openshift/cert-manager-operator#409

Open

6 tasks

Conversation

damdo commented Jan 29, 2026

Uh oh!

joelanford left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

damdo Feb 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

damdo commented Feb 3, 2026

Uh oh!

joelanford commented Feb 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

damdo Feb 2, 2026 •

edited

Loading