[WIP]Add centrally managed TLS configuration for console-plugin nginx#3218

Open
jkhelil wants to merge 1 commit into tektoncd:main from jkhelil:SRVKP-9632
Conversation

@jkhelil
Copy link
Member

@jkhelil jkhelil commented Feb 16, 2026

Summary

Enables the console-plugin nginx server to inherit TLS settings from the centrally managed APIServer TLS Profile for Post-Quantum Cryptography (PQC) readiness compliance.

Changes

  • Modified: pkg/reconciler/openshift/tektonconfig/console_plugin_reconciler.go

    • Added TLS environment variable support (TLS_MIN_VERSION, TLS_CIPHER_SUITES, TLS_CURVE_PREFERENCES)
    • Implemented nginx.conf transformation to inject TLS directives
    • Added fail-safe defaults when env vars are not set
    • Cipher suites intentionally skipped (using nginx secure defaults)
  • Modified: pkg/reconciler/openshift/tektonconfig/console_plugin_reconciler_test.go

    • Added comprehensive unit tests for TLS configuration
    • 22 test cases covering all scenarios (default, partial, full config)

Test Results

Test 1: Default Configuration (No Env Vars)

Environment:

  • No TLS environment variables set

Generated nginx.conf:

```nginx
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    listen              8443 ssl;
    listen              [::]:8443 ssl;
    ssl_certificate     /var/cert/tls.crt;
    ssl_certificate_key /var/cert/tls.key;
    root                /usr/share/nginx/html;
}
```

Result: ✅ Pod starts successfully, TLS 1.3 negotiated, no errors


Test 2: With TLS Environment Variables

Environment:

TLS_MIN_VERSION=VersionTLS13
TLS_CURVE_PREFERENCES=X25519,prime256v1,secp384r1

Generated nginx.conf:

```nginx
server {
    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    listen              8443 ssl;
    listen              [::]:8443 ssl;
    ssl_certificate     /var/cert/tls.crt;
    ssl_certificate_key /var/cert/tls.key;
    root                /usr/share/nginx/html;
}
```

Result: ✅ Pod starts successfully, TLS 1.3 negotiated, curves applied, no errors

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

Release Notes

NONE
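The env-var-to-nginx transformation the PR description outlines, written out as an added example (not the PR's own code, whose diff is not shown on this page). It assumes the Go-style `VersionTLS12`/`VersionTLS13` names for `TLS_MIN_VERSION`, a comma-separated `TLS_CURVE_PREFERENCES` list rewritten to nginx's colon-separated `ssl_ecdh_curve` form, the TLS 1.2+1.3 fail-safe default from Test 1, and two design choices of my own: values below TLS 1.2 and curve names nginx would reject are refused at reconcile time rather than shipped into a config that would crash-loop the pod. The `baseNginxConf` constant and the `allowedCurves` allowlist are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// tlsDirectives holds the nginx TLS directives derived from the TLS_* env vars.
type tlsDirectives struct {
	Protocols string // ssl_protocols value, always set
	Curves    string // ssl_ecdh_curve value; empty means the directive is omitted
}

// allowedCurves is an assumed allowlist of OpenSSL curve names accepted by
// ssl_ecdh_curve. nginx fails at startup on an unknown name, so unknown
// names are rejected here, before the config reaches the pod.
var allowedCurves = map[string]bool{
	"X25519": true, "X448": true,
	"prime256v1": true, "secp384r1": true, "secp521r1": true,
}

// protocolsFor maps TLS_MIN_VERSION to an nginx ssl_protocols list. Unset
// falls back to TLS 1.2+1.3 (the fail-safe default); anything below TLS 1.2
// or unrecognized is an error (assumed fail-closed behaviour).
func protocolsFor(minVersion string) (string, error) {
	switch strings.TrimSpace(minVersion) {
	case "", "VersionTLS12":
		return "TLSv1.2 TLSv1.3", nil
	case "VersionTLS13":
		return "TLSv1.3", nil
	case "VersionTLS10", "VersionTLS11":
		return "", fmt.Errorf("TLS_MIN_VERSION %q is below TLS 1.2 and is rejected", minVersion)
	default:
		return "", fmt.Errorf("unrecognized TLS_MIN_VERSION %q", minVersion)
	}
}

// curvesFor rewrites the comma-separated TLS_CURVE_PREFERENCES list into the
// colon-separated form nginx expects, preserving order (server preference).
func curvesFor(prefs string) (string, error) {
	if strings.TrimSpace(prefs) == "" {
		return "", nil // directive omitted; nginx/OpenSSL defaults apply
	}
	var out []string
	for _, c := range strings.Split(prefs, ",") {
		c = strings.TrimSpace(c)
		if c == "" {
			continue
		}
		if !allowedCurves[c] {
			return "", fmt.Errorf("unsupported curve %q in TLS_CURVE_PREFERENCES", c)
		}
		out = append(out, c)
	}
	return strings.Join(out, ":"), nil
}

// buildTLSDirectives resolves both variables from an env map so the logic is
// testable without touching the process environment.
func buildTLSDirectives(env map[string]string) (tlsDirectives, error) {
	p, err := protocolsFor(env["TLS_MIN_VERSION"])
	if err != nil {
		return tlsDirectives{}, err
	}
	c, err := curvesFor(env["TLS_CURVE_PREFERENCES"])
	if err != nil {
		return tlsDirectives{}, err
	}
	return tlsDirectives{Protocols: p, Curves: c}, nil
}

// baseNginxConf is a constructed stand-in for the plugin's nginx.conf before
// transformation (only the lines visible in the PR description).
const baseNginxConf = `server {
    listen              8443 ssl;
    listen              [::]:8443 ssl;
    ssl_certificate     /var/cert/tls.crt;
    ssl_certificate_key /var/cert/tls.key;
    root                /usr/share/nginx/html;
}
`

// renderNginxConf injects the directives right after the first "server {"
// line, matching the layout of the generated configs in the PR description.
func renderNginxConf(base string, d tlsDirectives) string {
	var out []string
	injected := false
	for _, l := range strings.Split(base, "\n") {
		out = append(out, l)
		if !injected && strings.TrimSpace(l) == "server {" {
			out = append(out, "    ssl_protocols "+d.Protocols+";")
			if d.Curves != "" {
				out = append(out, "    ssl_ecdh_curve "+d.Curves+";")
			}
			injected = true
		}
	}
	return strings.Join(out, "\n")
}

func main() {
	env := map[string]string{
		"TLS_MIN_VERSION":       "VersionTLS13",
		"TLS_CURVE_PREFERENCES": "X25519,prime256v1,secp384r1",
	}
	d, err := buildTLSDirectives(env)
	if err != nil {
		panic(err)
	}
	fmt.Print(renderNginxConf(baseNginxConf, d))
}
```

To confirm the profile actually took effect on a running pod, connect with `openssl s_client -connect <pod-ip>:8443 -tls1_2`: with `ssl_protocols TLSv1.3` the handshake must fail, and a plain connection should report `Protocol  : TLSv1.3`. One caveat for the PQC-readiness goal: `ssl_ecdh_curve` fixes the key-exchange groups nginx will negotiate, so a profile that lists only classical curves, as the Test 2 list does, leaves no room for hybrid post-quantum groups; those have to appear in the profile's curve list and be supported by the nginx image's OpenSSL build before the plugin is actually PQ-ready.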

@tekton-robot tekton-robot added do-not-merge/work-in-progress (indicates that a PR should not merge because it is a work in progress) and release-note-none (denotes a PR that doesn't merit a release note) labels Feb 16, 2026
@tekton-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/XL (denotes a PR that changes 500-999 lines, ignoring generated files) label Feb 16, 2026