Add tls pkg

go.mod

@@ -1,3 +1,77 @@
 module github.com/openshift/controller-runtime-common
 
 go 1.24.0
+
+require (
+	github.com/go-logr/logr v1.4.3
+	github.com/onsi/ginkgo/v2 v2.28.1
+	github.com/onsi/gomega v1.39.1
+	github.com/openshift/api v0.0.0-20260130140113-71e91db96ffc
+	github.com/openshift/library-go v0.0.0-20260203175009-3067285722b9
+	k8s.io/apimachinery v0.34.3
+	k8s.io/client-go v0.34.3
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570
+	sigs.k8s.io/controller-runtime v0.22.5
+)
+
+require (
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.23.2 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/mod v0.32.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/term v0.39.0 // indirect
+	golang.org/x/text v0.33.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/tools v0.41.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/api v0.34.3 // indirect
+	k8s.io/apiextensions-apiserver v0.34.3 // indirect
+	k8s.io/apiserver v0.34.3 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
+)

pkg/testutils/envtest/envtest.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2026 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package envtest provides utilities for working with the controller-runtime envtest package.
+package envtest
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+)
+
+// GetGoModuleDirectory returns the directory path for a go module.
+// It uses 'go list -m' to find the module directory, which will be in the
+// module cache if the module is not vendored.
+//
+// Example:
+//
+//	moduleDir, err := GetGoModuleDirectory("github.com/openshift/api")
+//	if err != nil {
+//	    return err
+//	}
+func GetGoModuleDirectory(ctx context.Context, module string) (string, error) {
+	cmd := exec.CommandContext(ctx, "go", "list", "-m", "-f", "{{.Dir}}", module)
+	output, err := cmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("failed to get module directory for %s: %w", module, err)
+	}
+	moduleDir := strings.TrimSpace(string(output))
+	if moduleDir == "" {
+		return "", fmt.Errorf("empty module directory returned for %s", module)
+	}
+	return moduleDir, nil
+}
+
+// GetCRDManifestsPath returns the full path to the CRD manifests directory within a go module.
+// It combines GetGoModuleDirectory with the provided path segments.
+//
+// Example:
+//
+//	crdPath, err := GetCRDManifestsPath(ctx, "github.com/openshift/api", "config", "v1", "zz_generated.crd-manifests")
+//	if err != nil {
+//	    return err
+//	}
+func GetCRDManifestsPath(ctx context.Context, module string, pathSegments ...string) (string, error) {
+	moduleDir, err := GetGoModuleDirectory(ctx, module)
+	if err != nil {
+		return "", err
+	}
+
+	path := filepath.Join(append([]string{moduleDir}, pathSegments...)...)
+	if _, err := os.Stat(path); err != nil {
+		return "", fmt.Errorf("path %s does not exist: %w", path, err)
+	}
+
+	return path, nil
+}

pkg/tls/controller.go

@@ -0,0 +1,141 @@
+/*
+Copyright 2026 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tls
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	"github.com/go-logr/logr"
+	configv1 "github.com/openshift/api/config/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+)
+
+// SecurityProfileWatcher watches the APIServer object for TLS profile changes
+// and triggers a graceful shutdown when the profile changes.
+type SecurityProfileWatcher struct {
+	client.Client
+
+	// InitialTLSProfileSpec is the TLS profile spec that was configured when the operator started.
+	InitialTLSProfileSpec configv1.TLSProfileSpec
+
+	// OnProfileChange is a function that will be called when the TLS profile changes.
+	// It receives the old (initial) and new (current) TLS profile specs.
+	// This allows the caller to make decisions based on the actual profile changes.
+	//
+	// The most common use case for this callback is
+	// to trigger a graceful shutdown of the operator
+	// to make it pick up the new configuration.
+	//
+	// Example:
+	//
+	// 	// Create a context that can be cancelled when there is a need to shut down the manager.
+	//  ctx, cancel := context.WithCancel(ctrl.SetupSignalHandler())
+	//  defer cancel()
+	//
+	//  watcher := &SecurityProfileWatcher{
+	// 	  OnProfileChange: func(old, new configv1.TLSProfileSpec) {
+	//      logger.Infof("TLS profile has changed, initiating a shutdown to reload it. %q: %+v, %q: %+v",
+	//        "old profile", old,
+	//        "new profile", new,
+	//      )
+	//      // Cancel the outer context to trigger a graceful shutdown of the manager.
+	//      cancel()
+	//    },
+	//  }
+	OnProfileChange func(oldTLSProfileSpec, newTLSProfileSpec configv1.TLSProfileSpec)
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *SecurityProfileWatcher) SetupWithManager(mgr ctrl.Manager) error {
+	if err := ctrl.NewControllerManagedBy(mgr).
+		Named("tlssecurityprofilewatcher").
+		For(&configv1.APIServer{}, builder.WithPredicates(
+			predicate.Funcs{
+				// Only watch the "cluster" APIServer object.
+				CreateFunc: func(e event.CreateEvent) bool {
+					return e.Object.GetName() == APIServerName
+				},
+				UpdateFunc: func(e event.UpdateEvent) bool {
+					return e.ObjectNew.GetName() == APIServerName
+				},
+				DeleteFunc: func(e event.DeleteEvent) bool {
+					return e.Object.GetName() == APIServerName
+				},
+				GenericFunc: func(e event.GenericEvent) bool {
+					return e.Object.GetName() == APIServerName
+				},
+			},
+		)).
+		// Override the default log constructor as it makes the logs very chatty.
+		WithLogConstructor(func(_ *reconcile.Request) logr.Logger {
+			return mgr.GetLogger().WithValues(
+				"controller", "tlssecurityprofilewatcher",
+			)
+		}).
+		Complete(r); err != nil {
+		return fmt.Errorf("could not set up controller for TLS security profile watcher: %w", err)
+	}
+
+	return nil
+}
+
+// Reconcile watches for changes to the APIServer TLS profile and triggers a shutdown
+// when the profile changes from the initial configuration.
+func (r *SecurityProfileWatcher) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	logger := log.FromContext(ctx, "name", req.Name)
+
+	logger.V(1).Info("Reconciling APIServer TLS profile")
+	defer logger.V(1).Info("Finished reconciling APIServer TLS profile")
+
+	// Fetch the APIServer object.
+	apiServer := &configv1.APIServer{}
+	if err := r.Get(ctx, req.NamespacedName, apiServer); err != nil {
+		if apierrors.IsNotFound(err) {
+			// If the APIServer object is not found, we don't need to do anything.
+			// This could happen if the object was deleted.
+			return ctrl.Result{}, nil
+		}
+
+		return ctrl.Result{}, fmt.Errorf("failed to get APIServer %s: %w", req.NamespacedName.String(), err)
+	}
+
+	// Get the current TLS profile spec.
+	currentTLSProfileSpec, err := GetTLSProfileSpec(apiServer.Spec.TLSSecurityProfile)
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("failed to get TLS profile from APIServer %s: %w", req.NamespacedName.String(), err)
+	}
+
+	// Compare the current TLS profile spec with the initial one.
+	if tlsProfileChanged := !reflect.DeepEqual(r.InitialTLSProfileSpec, currentTLSProfileSpec); tlsProfileChanged {
+		// TLS profile has changed, invoke the callback if it is set.
+		if r.OnProfileChange != nil {
+			r.OnProfileChange(r.InitialTLSProfileSpec, currentTLSProfileSpec)
+		}
+	}
+
+	// No need to requeue, as the callback will handle further actions.
+	return ctrl.Result{}, nil
+}