Merge pull request #1378 from jcmoraisjr/OCPBUGS-62238-router-tls-metrics

OCPBUGS-62238: configure tls profile for router metrics

Author: openshift-merge-bot[bot]

pkg/operator/controller/ingress/deployment.go

@@ -20,6 +20,7 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
+	"github.com/openshift/library-go/pkg/crypto"
 
 	"github.com/openshift/cluster-ingress-operator/pkg/manifests"
 	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
@@ -983,6 +984,18 @@ func desiredRouterDeployment(ci *operatorv1.IngressController, config *Config, i
 	}
 	env = append(env, corev1.EnvVar{Name: "SSL_MIN_VERSION", Value: minTLSVersion})
 
+	tlsProfileMetrics := tlsProfileSpecForSecurityProfile(apiConfig.Spec.TLSSecurityProfile)
+
+	// User facing config uses OpenSSL names. Internally we always use IANA ones.
+	// OpenSSLToIANACipherSuites() converts and also removes any invalid cipher, otherwise router would crash.
+	ianaNames := crypto.OpenSSLToIANACipherSuites(tlsProfileMetrics.Ciphers)
+	if len(ianaNames) == 0 {
+		log.Info("no valid ciphers found on TLS profile configuration, using Intermediate profile")
+		ianaNames = crypto.OpenSSLToIANACipherSuites(configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers)
+	}
+	env = append(env, corev1.EnvVar{Name: "ROUTER_METRICS_TLS_CIPHERS", Value: strings.Join(ianaNames, ":")})
+	env = append(env, corev1.EnvVar{Name: "ROUTER_METRICS_TLS_MIN_VERSION", Value: string(tlsProfileMetrics.MinTLSVersion)})
+
 	usingIPv4 := false
 	usingIPv6 := false
 	for _, clusterNetworkEntry := range networkConfig.Status.ClusterNetwork {