Add APIServer TLS controller for OpenShift cluster-wide TLS configuration

Implements a controller that watches the OpenShift APIServer resource and
provides thread-safe access to TLS configuration for HTTPS servers/clients.

The controller is modeled after the existing proxy controller.

This is intended to be used by the OLM operator, Catalog operator and
marketplace operator (but it will need to be copied). It will also be
used by the downstream PSM component.

Signed-off-by: Todd Short <todd.short@me.com>
Assisted-By: Claude

Author: tmshort

go.mod

@@ -20,6 +20,7 @@ require (
 	github.com/onsi/gomega v1.38.3
 	github.com/openshift/api v0.0.0-20251111193948-50e2ece149d7
 	github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235
+	github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462
 	github.com/operator-framework/api v0.37.0
 	github.com/operator-framework/operator-registry v1.61.0
 	github.com/otiai10/copy v1.14.1

go.sum

@@ -223,6 +223,7 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.7 h1:QxkVTxwColcduO+LP7eJO56r2hFiG8zEbfAAzRv52KQ=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.7/go.mod h1:Pe7gBlGdc8clY5LJ0LpJXMt5AmgmWNH1g+oFFVUHOEc=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -322,6 +323,8 @@ github.com/openshift/api v0.0.0-20251111193948-50e2ece149d7 h1:MemawsK6SpxEaE5y0
 github.com/openshift/api v0.0.0-20251111193948-50e2ece149d7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
 github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235 h1:9JBeIXmnHlpXTQPi7LPmu1jdxznBhAE7bb1K+3D8gxY=
 github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM=
+github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462 h1:zX9Od4Jg8sVmwQLwk6Vd+BX7tcyC/462FVvDdzHEPPk=
+github.com/openshift/library-go v0.0.0-20260108135436-db8dbd64c462/go.mod h1:nIzWQQE49XbiKizVnVOip9CEB7HJ0hoJwNi3g3YKnKc=
 github.com/operator-framework/api v0.37.0 h1:2XCMWitBnumtJTqzip6LQKUwpM2pXVlt3gkpdlkbaCE=
 github.com/operator-framework/api v0.37.0/go.mod h1:NZs4vB+Jiamyv3pdPDjZtuC4U7KX0eq4z2r5hKY5fUA=
 github.com/operator-framework/operator-registry v1.61.0 h1:LgX6lP5hUHfpMTMygsnySc7PKxibzqIoqWUm6NPWl2M=

pkg/lib/apiserver/available.go

@@ -0,0 +1,40 @@
+package apiserver
+
+import (
+	"errors"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	apidiscovery "k8s.io/client-go/discovery"
+)
+
+const (
+	// This is the error message thrown by ServerSupportsVersion function
+	// when an API version is not supported by the server.
+	notSupportedErrorMessage = "server does not support API version"
+)
+
+// IsAPIAvailable returns true if OpenShift config API is present on the cluster.
+// Otherwise, supported is set to false.
+func IsAPIAvailable(discovery apidiscovery.DiscoveryInterface) (supported bool, err error) {
+	if discovery == nil {
+		err = errors.New("discovery interface can not be <nil>")
+		return
+	}
+
+	opStatusGV := schema.GroupVersion{
+		Group:   "config.openshift.io",
+		Version: "v1",
+	}
+	if discoveryErr := apidiscovery.ServerSupportsVersion(discovery, opStatusGV); discoveryErr != nil {
+		if strings.Contains(discoveryErr.Error(), notSupportedErrorMessage) {
+			return
+		}
+
+		err = discoveryErr
+		return
+	}
+
+	supported = true
+	return
+}

pkg/lib/apiserver/querier.go

@@ -0,0 +1,35 @@
+package apiserver
+
+import (
+	"crypto/tls"
+	"fmt"
+)
+
+// NoopQuerier returns an instance of noopQuerier. It's used for upstream where
+// we don't have any cluster APIServer configuration.
+func NoopQuerier() Querier {
+	return &noopQuerier{}
+}
+
+// Querier is an interface that wraps the QueryTLSConfig method.
+//
+// QueryTLSConfig updates the provided TLS configuration with cluster-wide
+// TLS security profile settings (MinVersion, CipherSuites, PreferServerCipherSuites).
+type Querier interface {
+	QueryTLSConfig(config *tls.Config) error
+}
+
+type noopQuerier struct {
+}
+
+// QueryTLSConfig applies secure default TLS settings to the provided config.
+// This is used on non-OpenShift clusters where there is no APIServer resource,
+// but we still want to ensure secure TLS configuration.
+func (*noopQuerier) QueryTLSConfig(config *tls.Config) error {
+	if config == nil {
+		return fmt.Errorf("tls.Config cannot be nil")
+	}
+
+	// Apply secure defaults for non-OpenShift clusters
+	return ApplySecureDefaults(config)
+}

pkg/lib/apiserver/querier_test.go

@@ -0,0 +1,86 @@
+package apiserver_test
+
+import (
+	"crypto/tls"
+	"testing"
+
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/apiserver"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNoopQuerier_QueryTLSConfig(t *testing.T) {
+	tests := []struct {
+		name        string
+		config      *tls.Config
+		expectError bool
+		errorMsg    string
+	}{
+		{
+			name:        "WithNilConfig",
+			config:      nil,
+			expectError: true,
+			errorMsg:    "tls.Config cannot be nil",
+		},
+		{
+			name:        "WithEmptyConfig",
+			config:      &tls.Config{},
+			expectError: false,
+		},
+		{
+			name: "WithPartialConfig",
+			config: &tls.Config{
+				MinVersion: tls.VersionTLS12,
+			},
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			querier := apiserver.NoopQuerier()
+			err := querier.QueryTLSConfig(tt.config)
+
+			if tt.expectError {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tt.errorMsg)
+			} else {
+				require.NoError(t, err)
+				// Verify secure defaults are applied
+				assert.NotZero(t, tt.config.MinVersion, "MinVersion should be set to a default")
+				assert.NotEmpty(t, tt.config.CipherSuites, "CipherSuites should be set to defaults")
+				assert.True(t, tt.config.PreferServerCipherSuites, "PreferServerCipherSuites should be true")
+			}
+		})
+	}
+}
+
+func TestNoopQuerier_AppliesSecureDefaults(t *testing.T) {
+	querier := apiserver.NoopQuerier()
+	config := &tls.Config{}
+
+	err := querier.QueryTLSConfig(config)
+	require.NoError(t, err)
+
+	// Verify secure defaults
+	assert.GreaterOrEqual(t, config.MinVersion, uint16(tls.VersionTLS12), "Should use at least TLS 1.2")
+	assert.NotEmpty(t, config.CipherSuites, "Should have cipher suites configured")
+
+	// Verify cipher suites are valid
+	for _, cipher := range config.CipherSuites {
+		assert.NotZero(t, cipher, "Cipher suite should not be zero")
+	}
+}
+
+func TestNoopQuerier_DoesNotOverwriteNonZeroMinVersion(t *testing.T) {
+	querier := apiserver.NoopQuerier()
+	config := &tls.Config{
+		MinVersion: tls.VersionTLS13,
+	}
+
+	err := querier.QueryTLSConfig(config)
+	require.NoError(t, err)
+
+	// MinVersion should be preserved if already set
+	assert.Equal(t, uint16(tls.VersionTLS13), config.MinVersion, "Should preserve existing MinVersion")
+}