CNTRLPLANE-3611: propagate tls profile to aws-pod-identity-webhook

[ricardomaraschini]

What this PR does / why we need it:

It was detected that the containers aws-pod-identity-webhook and azure-workload-identity-webhook aren't respecting the HostedControlPlane TLS profile. As part of the PQC work the following flags need to be set:

--tls-min-version
needs to comply with the hcp apiserver min tls version.
--tls-cipher-suites
needs to comply with the hcp apiserver cipher suites config.

Both flags are now set according to hcp.spec.configuration.apiServer.tlsSecurityProfile for both webhook containers. These flags influence how the containers listen on their respective ports (aws-pod-identity-webhook on port 4443 and azure-workload-identity-webhook on port 4443).

Changes include:

• aws-pod-identity-webhook: Added TLS profile propagation with comprehensive test coverage
• azure-workload-identity-webhook: Added TLS profile propagation with comprehensive test coverage for all profile types (Old, Intermediate, Modern, Custom)
• Refactored test utilities to use shared findContainerByNameInPod() helper function
• Updated auto-generated fixtures to reflect the new TLS configuration

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• Improvements
  • Pod identity webhook now respects HostedControlPlane TLS security profiles more precisely.
  • Minimum TLS version is applied only when recognized; cipher suites are included only when configured.
  • TLS version values are normalized so configured versions are correctly interpreted and enforced.
• Tests
  • Added unit tests validating TLS version normalization and webhook command-line TLS flag behavior across profile variations.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@ricardomaraschini: This pull request references CNTRLPLANE-3611 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

What this PR does / why we need it:

It was detected that the container aws-pod-identity-webhook isn't respecting the HostedControlPlane TLS profile. As part of the PQC work the following flags need to be set:

• --tls-min-version
• needs to comply with the hcp apiserver min tls version.
• --tls-cipher-suites
• needs to comply with the hcp apiserver cipher suites config.

Both flags are now set according to hcp.spec.configuration.apiServer.tlsSecurityProfile.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The pull request refactors the applyAWSPodIdentityWebhookContainer function to build the aws-pod-identity-webhook container command dynamically by conditionally appending TLS configuration flags based on the HostedControlPlane TLS security profile. It adds --tls-min-version and --tls-cipher-suites flags when configured. A new unexported convertTLSVersion helper translates Kubernetes TLS version enums (TLS10–TLS13) into numeric version strings (1.0–1.3).

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	Tests lack meaningful assertion failure messages. While single-responsibility and patterns are good, assertions like g.Expect(result).To(Equal(tc.expected)) and `g.Expect(webhookContainer).NotTo(...	Add meaningful failure messages to all Expect() assertions. Example: g.Expect(webhookContainer).NotTo(BeNil(), "failed to find aws-pod-identity-webhook container in pod spec")

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: refactoring the aws-pod-identity-webhook container to respect and propagate TLS profile settings from the HostedControlPlane configuration.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains only standard Go table-driven tests with gomega matchers, not Ginkgo tests. Check applies only to Ginkgo test names; therefore not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Changes are limited to configuring TLS command-line flags for a container; no scheduling constraints, affinity rules, topology spread, node selectors, or replica count logic based on topology are i...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds standard Go unit tests, not Ginkgo e2e tests. Custom check targets Ginkgo e2e tests only (It/Describe/Context/When patterns), which are not present in this PR.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected. Code uses only strong TLS versions (1.2...
Container-Privileges	✅ Passed	PR changes only add TLS configuration flags to aws-pod-identity-webhook container command. No privileged settings (privileged: true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation, or roo...
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data exposure in logs. The PR adds TLS configuration flags (--tls-min-version, --tls-cipher-suites) and AWS region to container command args without logging them. No passwords, tokens,...
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@control-plane-operator/controllers/hostedcontrolplane/v2/kas/deployment.go`:
- Around line 315-319: The conversion of TLS enums can fail silently: when
config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()) yields a
value but convertTLSVersion(...) returns "", add explicit handling to surface
that failure; e.g., after calling convertTLSVersion(tlsMinVersion) detect empty
string and either log a warning/error (including the original tlsMinVersion, the
HostedControlPlane identity from hcp, and that the --tls-min-version flag will
be omitted) or return/propagate a validation error so the misconfiguration is
visible; update the block around convertTLSVersion, tlsMinVersion, and the
command append of "--tls-min-version" to include this log/validation.
- Around line 357-370: Add a new table-driven unit test named
TestConvertTLSVersion in package kas (file deployment_test.go) that calls the
helper convertTLSVersion with inputs "VersionTLS10", "VersionTLS11",
"VersionTLS12", "VersionTLS13", an unknown string like "VersionTLS99", and the
empty string, asserting returned values "1.0", "1.1", "1.2", "1.3", and ""
respectively; use t.Run for each case and fail the test when the actual return
from convertTLSVersion does not match the expected value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: aea43979-896a-48e1-b5b6-ce4da195d70c

📥 Commits

Reviewing files that changed from the base of the PR and between c3fac8c and ce4c692.

⛔ Files ignored due to path filters (2)

• control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_kube_apiserver_deployment.yaml is excluded by !**/testdata/**
• control-plane-operator/controllers/hostedcontrolplane/testdata/kube-apiserver/zz_fixture_TestControlPlaneComponents_kube_apiserver_deployment.yaml is excluded by !**/testdata/**

📒 Files selected for processing (1)

• control-plane-operator/controllers/hostedcontrolplane/v2/kas/deployment.go

[codecov]

Codecov Report

❌ Patch coverage is 85.71429% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.75%. Comparing base (832b848) to head (d0083c9).
⚠️ Report is 44 commits behind head on main.

Files with missing lines	Patch %	Lines
...ontrollers/hostedcontrolplane/v2/kas/deployment.go	85.71%	5 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8713      +/-   ##
==========================================
+ Coverage   41.50%   41.75%   +0.25%     
==========================================
  Files         758      758              
  Lines       93689    93970     +281     
==========================================
+ Hits        38882    39238     +356     
+ Misses      52070    51986      -84     
- Partials     2737     2746       +9     

Files with missing lines	Coverage Δ
...ontrollers/hostedcontrolplane/v2/kas/deployment.go	42.38% <85.71%> (+15.59%)	⬆️

... and 23 files with indirect coverage changes

Flag	Coverage Δ
cmd-support	35.02% <ø> (+0.16%)	⬆️
cpo-hostedcontrolplane	44.32% <85.71%> (+0.72%)	⬆️
cpo-other	43.45% <ø> (+0.27%)	⬆️
hypershift-operator	51.70% <ø> (+0.13%)	⬆️
other	31.56% <ø> (-0.08%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jparrill]

Dropped some comments. Thanks!

[jparrill]

The upstream openshift/aws-pod-identity-webhook accepts both formats ("VersionTLS12" and "1.2") in its ValidateTLSMinVersion(). Every other component in v2/ (kube-scheduler, KCM, machine-approver, oauth-apiserver) passes config.MinTLSVersion() directly without conversion. I think you could drop convertTLSVersion entirely and pass the string through — simpler and consistent with the rest of the codebase.

[ricardomaraschini]

This is what I gain for only reading the --help output. Good point, make things simpler. It is done.

[jparrill]

Should applyAzureWorkloadIdentityWebhookContainer get the same treatment? It also serves a TLS endpoint and currently uses whatever the binary defaults to. If this is part of the PQC work, the Azure path has the same gap. Might be worth a follow-up linked to CNTRLPLANE-3611.

[ricardomaraschini]

This is done in a different commit here. Please take a look.

[jparrill]

This container-lookup pattern is repeated in all 5 test cases. You could extract a small helper to cut the noise:

func findWebhookContainer(g *GomegaWithT, podSpec *corev1.PodSpec) *corev1.Container {
	for i := range podSpec.Containers {
		if podSpec.Containers[i].Name == "aws-pod-identity-webhook" {
			return &podSpec.Containers[i]
		}
	}
	g.Expect(true).To(BeFalse(), "aws-pod-identity-webhook container not found")
	return nil
}

[ricardomaraschini]

done.

[jparrill]

This correctly checks for --tls-min-version=1.3, but doesn't verify that --tls-cipher-suites is absent. For Modern, CipherSuites() returns empty (TLS 1.3 ciphers aren't in the OpenSSL-to-IANA map). Worth locking down:

g.Expect(slices.ContainsFunc(webhookContainer.Command, func(arg string) bool {
	return strings.HasPrefix(arg, "--tls-cipher-suites=")
})).To(BeFalse())

[ricardomaraschini]

done.

[jparrill]

nit: might be worth adding a case for configv1.TLSProfileOldType — maps to VersionTLS10 with legacy CBC ciphers. Would complete the profile matrix.

[ricardomaraschini]

done.

[hypershift-jira-solve-ci]

Now I have all the evidence. The PR adds configv1 "github.com/openshift/api/config/v1" into the same import group as hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1", but based on the gci configuration, these belong in different groups. Let me verify:

The gci config defines these ordered sections:

1. standard - stdlib
2. dot - dot imports
3. prefix(github.com/openshift/hypershift) - hypershift imports
4. prefix(github.com/openshift) - openshift imports (NON-hypershift)
5. prefix(github.com/aws) - AWS imports
6. prefix(github.com/Azure) - Azure imports
7. prefix(k8s.io) - k8s imports
8. prefix(sigs.k8s.io) - sigs imports
9. default - everything else

So configv1 "github.com/openshift/api/config/v1" matches prefix(github.com/openshift) (section 4), while hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1" matches prefix(github.com/openshift/hypershift) (section 3). They must be in separate groups, separated by a blank line.

The PR placed them together in the same import group — that's the violation.

Test Failure Analysis Complete

Job Information

• Prow Job: lint / Lint (GitHub Actions)
• Build ID: 27605245124 / Job 81615536559
• PR: #8713 — CNTRLPLANE-3611: propagate tls profile to aws-pod-identity-webhook
• Author: ricardomaraschini
• Run URL: https://github.com/openshift/hypershift/actions/runs/27605245124/job/81615536559

Test Failure Analysis

Error

control-plane-operator/controllers/hostedcontrolplane/v2/kas/azure_workload_identity_webhook_test.go:8:1: File is not properly formatted (gci)
	configv1 "github.com/openshift/api/config/v1"
^
1 issues:
* gci: 1
make: *** [Makefile:120: lint] Error 1

Summary

The golangci-lint gci (Go Imports Classifier) linter found an import ordering violation in azure_workload_identity_webhook_test.go. The PR adds the import configv1 "github.com/openshift/api/config/v1" on line 8 and places it in the same import group as github.com/openshift/hypershift/... imports, but the project's .golangci.yml defines these as belonging to separate, ordered sections — github.com/openshift/hypershift imports must come before github.com/openshift imports, each in their own blank-line-separated group.

Root Cause

The .golangci.yml configures gci with custom-order: true and defines import sections in this order:

1. standard — Go stdlib ("testing")
2. dot — Dot imports (. "github.com/onsi/gomega")
3. prefix(github.com/openshift/hypershift) — HyperShift-specific imports
4. prefix(github.com/openshift) — Other OpenShift imports (e.g., github.com/openshift/api/...)
5. prefix(k8s.io) — Kubernetes imports
6. default — Everything else

The PR added the new import configv1 "github.com/openshift/api/config/v1" on line 8, placing it in the same import group as the github.com/openshift/hypershift/... imports (lines 9–10). However, github.com/openshift/api/config/v1 matches the prefix(github.com/openshift) section (section 4), while github.com/openshift/hypershift/... matches prefix(github.com/openshift/hypershift) (section 3). These must be separated by a blank line, with the hypershift imports coming first.

Current (incorrect) import block in the PR:

import (
    "testing"

    . "github.com/onsi/gomega"

    configv1 "github.com/openshift/api/config/v1"    // ← section 4 (openshift)
    hyperv1 "github.com/openshift/hypershift/api/..."  // ← section 3 (hypershift)
    "github.com/openshift/hypershift/control-plane-..." // ← section 3 (hypershift)

    corev1 "k8s.io/api/core/v1"                       // ← section 7 (k8s.io)
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"     // ← section 7 (k8s.io)
)

Required (correct) import ordering:

import (
    "testing"

    . "github.com/onsi/gomega"

    hyperv1 "github.com/openshift/hypershift/api/..."
    "github.com/openshift/hypershift/control-plane-..."

    configv1 "github.com/openshift/api/config/v1"

    corev1 "k8s.io/api/core/v1"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

The configv1 import must be in its own group, between the hypershift imports and the k8s.io imports.

Recommendations

1. Fix the import ordering in control-plane-operator/controllers/hostedcontrolplane/v2/kas/azure_workload_identity_webhook_test.go: Move configv1 "github.com/openshift/api/config/v1" to its own blank-line-separated group between the github.com/openshift/hypershift/... imports and the k8s.io/... imports.

2. Auto-fix option: Run golangci-lint run --fix --config ./.golangci.yml from the repo root — the gci linter supports auto-fixing import ordering and will rewrite the file correctly.

3. Prevent recurrence: Configure your editor (VS Code, GoLand) to use the project's gci import ordering rules, or run make lint locally before pushing.

Evidence

Evidence	Detail
Failing file	control-plane-operator/controllers/hostedcontrolplane/v2/kas/azure_workload_identity_webhook_test.go:8:1
Linter	gci (Go Imports Classifier) — import ordering enforcement
Violation	configv1 "github.com/openshift/api/config/v1" placed in same group as github.com/openshift/hypershift/... imports
Expected section for configv1	prefix(github.com/openshift) — section 4 in gci config
Expected section for hyperv1	prefix(github.com/openshift/hypershift) — section 3 in gci config
Config file	.golangci.yml — gci.sections with custom-order: true
golangci-lint version	2.11.4 (built with go1.25.7)
Exit code	2 (from make lint → exit code 1 propagated)
Issues count	1022 issues pre-processing → 1 issue after filtering (the gci violation)

---

[openshift-ci]

@ricardomaraschini: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jparrill]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jparrill, ricardomaraschini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jparrill]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment