feat(tls): centrally managed TLS for webhook and proxy-webhook (SRVKP-9612, SRVKP-9613)

[jkhelil]

Changes

Implements centrally managed TLS for both the tekton-operator-webhook and
tekton-operator-proxy-webhook on OpenShift by inheriting the cluster-wide TLS
security profile from the OpenShift APIServer resource.

tekton-operator-webhook (fixes SRVKP-9612)

• cmd/openshift/webhook/main.go: at startup, sets up an APIServer informer
  via the shared occommon.SetupAPIServerTLSWatch. Reads the current TLS
  profile with occommon.GetTLSProfileFromAPIServer + TLSEnvVarsFromProfile
  and injects WEBHOOK_TLS_MIN_VERSION and WEBHOOK_TLS_CIPHER_SUITES as
  process-level env vars before Knative bootstraps. On TLS profile change, the
  webhook calls os.Exit(1) so Kubernetes restarts it with the updated settings.

tekton-operator-proxy-webhook (fixes SRVKP-9613)

• cmd/openshift/proxy-webhook/main.go: same pattern as the webhook above.
  signals.NewContext() is now called once in main() and reused throughout,
  avoiding a panic from double-initialisation of the signal handler.
  proxy.Getctx() is removed from controller.go — context setup is now
  inlined directly in main(), consistent with all other webhook binaries.
• cmd/kubernetes/proxy-webhook/main.go: context setup also inlined; no TLS
  watch (Kubernetes-only binary).
• cmd/openshift/operator/kodata/webhook/webhook.yaml: adds get/list/watch
  on apiservers.config.openshift.io to the tekton-operators-proxy-admin
  ClusterRole so the proxy webhook can read the TLS profile at startup.

Shared infrastructure

• pkg/reconciler/openshift/common/apiserver_watch.go (new): extracts
  SetupAPIServerTLSWatch, APIServerTLSProfileChanged, and
  SkipAPIServerTLSWatch into a reusable package. Both the TektonConfig
  controller and the webhook binaries now call the same function.
• pkg/reconciler/openshift/common/apiserver_watch_test.go (new): unit tests
  for APIServerTLSProfileChanged.
• pkg/reconciler/openshift/tektonconfig/controller.go: simplified to delegate
  to occommon.SetupAPIServerTLSWatch; private tlsProfileChanged and
  customProfilesEqual functions removed.
• pkg/reconciler/openshift/tektonpipeline/extension.go: adds
  common.ReplaceNamespaceInClusterRoleBinding to the OpenShift TektonPipeline
  extension transformers so the proxy-webhook ClusterRoleBinding subject
  namespace is correctly set to the target namespace (e.g. openshift-pipelines)
  instead of the static placeholder tekton-pipelines.

TLS version safety

WEBHOOK_TLS_MIN_VERSION is only set when the effective value is "1.2" or
"1.3". Profiles that permit older versions (e.g. the OpenShift Old profile
which uses VersionTLS10) are handled gracefully: the min-version env var is
skipped and Knative falls back to its safe default of TLS 1.2. Cipher suites
from the profile are still propagated in all cases.

Submitter Checklist

• Run make test lint before submitting a PR
• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

On OpenShift, the tekton-operator-webhook and tekton-operator-proxy-webhook now
inherit their TLS security settings (minimum TLS version and cipher suites) from
the cluster-wide OpenShift APIServer TLS security profile. Both webhooks restart
automatically when the profile changes so the new settings take effect immediately.

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jkhelil]

Cluster Evidence — TLS Profile Propagation

Tested on a live OpenShift cluster with the code from this PR.

---

Environment

APIServer cluster spec: {"audit":{"profile":"Default"}}
# spec.tlsSecurityProfile is nil → library-go resolves to Intermediate (TLS 1.2 min, strong ciphers)

---

1. RBAC — ClusterRole & ClusterRoleBinding

$ oc get clusterrole tekton-operators-proxy-admin -o yaml | grep -A4 "config.openshift.io"
  - apiGroups: ["config.openshift.io"]
    resources: ["apiservers"]
    verbs: ["get", "list", "watch"]

$ oc get clusterrolebinding tekton-operators-proxy-webhook-admin \
    -o jsonpath='name={.subjects[0].name} namespace={.subjects[0].namespace}'
name=tekton-operators-proxy-webhook namespace=openshift-pipelines

$ oc auth can-i get apiservers.config.openshift.io \
    --as=system:serviceaccount:openshift-pipelines:tekton-operators-proxy-webhook
yes

---

2. TLS Profile Propagated — both webhooks negotiate TLS 1.3

# proxy-webhook (openshift-pipelines namespace)
$ echo | openssl s_client -connect tekton-operator-proxy-webhook.openshift-pipelines.svc:443 2>&1 \
    | grep -E 'Protocol|Cipher|New,'
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256

# operator-webhook (openshift-operators namespace)
$ echo | openssl s_client -connect tekton-operator-webhook.openshift-operators.svc:443 2>&1 \
    | grep -E 'Protocol|Cipher|New,'
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256

Both webhooks negotiate TLS 1.3 / TLS_AES_128_GCM_SHA256, consistent with the
Intermediate profile which the Knative framework selects when WEBHOOK_TLS_MIN_VERSION
is set to "1.2" (Go's crypto/tls always prefers TLS 1.3 when the peer supports it).

---

3. Change Detection — webhook restarts on profile update

# Pods BEFORE patching APIServer to Intermediate (explicit)
tekton-operator-proxy-webhook-5d56599669-5xllx   1/1  Running  7 (29m ago)
tekton-operator-webhook-7f7b587766-x9tgt         1/1  Running  0 (23m ago)

# Patch applied
$ oc patch apiserver cluster --type=merge \
    -p '{"spec":{"tlsSecurityProfile":{"type":"Intermediate","intermediate":{}}}}'
apiserver.config.openshift.io/cluster patched

# Pods AFTER ~12 seconds — both restarted
tekton-operator-proxy-webhook-5d56599669-5xllx   1/1  Running  8 (12s ago)
tekton-operator-webhook-7f7b587766-x9tgt         1/1  Running  1 (14s ago)

Log lines from the previous run of each pod (captured via --previous):

# proxy-webhook
{"caller":"common/apiserver_watch.go:76","msg":"APIServer TLS security profile changed"}
2026/05/07 12:51:50 APIServer TLS profile changed — restarting proxy webhook to apply updated settings

# operator-webhook
{"caller":"common/apiserver_watch.go:76","msg":"APIServer TLS security profile changed"}
2026/05/07 12:51:50 APIServer TLS profile changed — restarting webhook to apply updated settings

Both webhooks detected the profile change via the shared SetupAPIServerTLSWatch
informer and exited cleanly (os.Exit(1)). Kubernetes restarted them and they came
back healthy within ~15 seconds, picking up the new TLS settings on startup.

---

4. Proxy webhook — actively serving admission requests

$ oc logs -n openshift-pipelines tekton-operator-proxy-webhook-... | grep -c ServeHTTP
137   # admission requests served during the test window

[anithapriyanatarajan]

/kind enhancement

[tekton-robot]

@anithapriyanatarajan: The label(s) kind/enhancement cannot be applied, because the repository doesn't have them.

Details

In response to this:

/kind enhancement

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[anithapriyanatarajan]

/kind feature