CM-966: Apply cluster TLS security profile to cert-manager operands

api/operator/v1alpha1/certmanager_types.go

@@ -22,6 +22,7 @@ type CertManagerSpec struct {
 	//   - "--acme-http01-solver-nameservers="8.8.8.8:53,1.1.1.1:53"
 	//   - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
 	//   - "--dns01-recursive-nameservers-only"
+	//   - "--certificate-request-minimum-backoff-duration=30m"
 	//
 	// For OverrideEnvs,
 	// This field appends values to .spec.template.spec.containers[...].env. The container

bundle/manifests/cert-manager-operator.clusterserviceversion.yaml

@@ -562,6 +562,14 @@ spec:
           - sign
           - update
           - watch
+        - apiGroups:
+          - config.openshift.io
+          resources:
+          - apiservers
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - config.openshift.io
           resources:

bundle/manifests/operator.openshift.io_certmanagers.yaml

@@ -324,6 +324,7 @@ spec:
                     - "--acme-http01-solver-nameservers="8.8.8.8:53,1.1.1.1:53"
                     - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
                     - "--dns01-recursive-nameservers-only"
+                    - "--certificate-request-minimum-backoff-duration=30m"
 
                   For OverrideEnvs,
                   This field appends values to .spec.template.spec.containers[...].env. The container

config/crd/bases/operator.openshift.io_certmanagers.yaml

@@ -324,6 +324,7 @@ spec:
                     - "--acme-http01-solver-nameservers="8.8.8.8:53,1.1.1.1:53"
                     - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
                     - "--dns01-recursive-nameservers-only"
+                    - "--certificate-request-minimum-backoff-duration=30m"
 
                   For OverrideEnvs,
                   This field appends values to .spec.template.spec.containers[...].env. The container

config/rbac/role.yaml

@@ -153,6 +153,14 @@ rules:
   - sign
   - update
   - watch
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - config.openshift.io
   resources:

pkg/controller/certmanager/certmanager_controller.go

@@ -50,6 +50,7 @@ type CertManagerReconciler struct {
 //+kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="apps",resources=deployments;replicasets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups="config.openshift.io",resources=certmanagers;clusteroperators;clusteroperators/status;infrastructures,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="config.openshift.io",resources=apiservers,verbs=get;list;watch
 
 //+kubebuilder:rbac:groups="cert-manager.io",resources=certificaterequests;certificaterequests/finalizers;certificaterequests/status;certificates;certificates/finalizers;certificates/status;clusterissuers;clusterissuers/status;issuers;issuers/status,verbs=get;list;watch;create;update;patch;delete;deletecollection
 //+kubebuilder:rbac:groups="certificates.k8s.io",resources=certificatesigningrequests;certificatesigningrequests/status,verbs=get;list;watch;create;update;patch;delete

pkg/controller/certmanager/generic_deployment_controller.go

@@ -12,6 +12,7 @@ import (
 	"github.com/openshift/library-go/pkg/operator/status"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 
+	deploymentpkg "github.com/openshift/cert-manager-operator/pkg/controller/deployment"
 	"github.com/openshift/cert-manager-operator/pkg/operator/assets"
 	certmanoperatorinformers "github.com/openshift/cert-manager-operator/pkg/operator/informers/externalversions"
 	"github.com/openshift/cert-manager-operator/pkg/operator/utils"
@@ -67,6 +68,9 @@ func newGenericDeploymentController(
 		))
 
 		informers = append(informers, infraInformerFactory.Config().V1().Infrastructures().Informer())
+
+		hooks = append(hooks, deploymentpkg.WithClusterTLSProfileFromAPIServer(infraInformerFactory.Config().V1().APIServers()))
+		informers = append(informers, infraInformerFactory.Config().V1().APIServers().Informer())
 	}
 
 	return deploymentcontroller.NewDeploymentController(

pkg/controller/deployment/tls_helpers.go

@@ -0,0 +1,53 @@
+package deployment
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+)
+
+const (
+	certmanagerControllerDeployment = "cert-manager"
+	certmanagerWebhookDeployment    = "cert-manager-webhook"
+	certmanagerCAinjectorDeployment = "cert-manager-cainjector"
+
+	argKeyValSeparator = "="
+)
+
+// mergeContainerArgs merges the source args with override values
+// using a map that tracks unique keys for each arg containing a
+// key value pair of form `key[=value]`.
+func mergeContainerArgs(sourceArgs []string, overrideArgs []string) (destArgs []string) {
+	destArgMap := map[string]string{}
+	parseArgMap(destArgMap, sourceArgs)
+	parseArgMap(destArgMap, overrideArgs)
+
+	destArgs = make([]string, len(destArgMap))
+	i := 0
+	for key, val := range destArgMap {
+		if len(val) > 0 {
+			destArgs[i] = fmt.Sprintf("%s%s%s", key, argKeyValSeparator, val)
+		} else {
+			destArgs[i] = key
+		}
+		i++
+	}
+	sort.Strings(destArgs)
+	return destArgs
+}
+
+// parseArgMap adds new entries to the map using keys
+// parsed from each arg (of the form `key=[value]`) from the
+// list of args.
+func parseArgMap(argMap map[string]string, args []string) {
+	for _, arg := range args {
+		splitted := strings.Split(arg, argKeyValSeparator)
+		if len(splitted) > 0 && arg != "" {
+			key := splitted[0]
+			// ensure that for given arg eg. "--gate=FeatureA=true"
+			// the value remains "FeatureA=true" instead of just "FeatureA"
+			value := strings.Join(splitted[1:], argKeyValSeparator)
+			argMap[key] = value
+		}
+	}
+}

pkg/controller/deployment/tls_profile_hook.go

@@ -0,0 +1,49 @@
+package deployment
+
+import (
+	"fmt"
+
+	appsv1 "k8s.io/api/apps/v1"
+
+	operatorv1 "github.com/openshift/api/operator/v1"
+	configinformersv1 "github.com/openshift/client-go/config/informers/externalversions/config/v1"
+
+	"github.com/openshift/cert-manager-operator/pkg/tlsprofile"
+)
+
+// WithClusterTLSProfileFromAPIServer applies TLS settings from
+// apiserver.config.openshift.io/cluster to cert-manager operands. It is only
+// registered when the shared config.openshift.io informer factory is available
+// (OpenShift clusters).
+func WithClusterTLSProfileFromAPIServer(apiServerInformer configinformersv1.APIServerInformer) func(*operatorv1.OperatorSpec, *appsv1.Deployment) error {
+	return func(_ *operatorv1.OperatorSpec, deployment *appsv1.Deployment) error {
+		if len(deployment.Spec.Template.Spec.Containers) != 1 {
+			return nil
+		}
+
+		apiServer, err := apiServerInformer.Lister().Get("cluster")
+		if err != nil {
+			return fmt.Errorf("failed to get apiserver.config.openshift.io/cluster: %w", err)
+		}
+
+		effective, err := tlsprofile.EffectiveSpec(apiServer.Spec.TLSSecurityProfile)
+		if err != nil {
+			return err
+		}
+
+		var extra []string
+		switch deployment.Name {
+		case certmanagerWebhookDeployment:
+			extra = tlsprofile.CertManagerWebhookTLSArgs(effective)
+		case certmanagerControllerDeployment, certmanagerCAinjectorDeployment:
+			extra = tlsprofile.CertManagerOperandMetricsTLSArgs(effective)
+		default:
+			return nil
+		}
+
+		container := deployment.Spec.Template.Spec.Containers[0]
+		container.Args = mergeContainerArgs(container.Args, extra)
+		deployment.Spec.Template.Spec.Containers[0] = container
+		return nil
+	}
+}