
fix(manualapprovalgate): propagate TLS profile hash via TektonConfig#3657

Open
jkhelil wants to merge 1 commit into tektoncd:main from jkhelil:fix/mag-tls-propagation-via-tektonconfig

Conversation

@jkhelil jkhelil commented Jul 2, 2026

Member

Summary

ManualApprovalGate is a standalone CR (not created or owned by TektonConfig). As a result it was never part of the platform-data-hash propagation chain, so when the cluster TLS profile changed (e.g. Intermediate → Modern), the MAG webhook deployment stayed stale — still showing WEBHOOK_TLS_MIN_VERSION: 1.2 with 9 ciphers instead of TLS 1.3 with 3 ciphers.

Root cause

The InstallerSetClient detects TLS changes by including platform-data-hash in the InstallerSet hash computation. TektonConfig writes this annotation onto every CR it owns (TektonPipeline, TektonChain, TektonResult, etc.) during PostReconcile. MAG was never wired into this flow because it was introduced as a standalone CRD without the TektonConfig integration (see #3656).

Fix

Added propagateMAGPlatformData() called from OpenShiftExtension.PostReconcile(). It:

  1. Computes the current TLS profile hash via GetPlatformData()
  2. Lists all existing ManualApprovalGate CRs
  3. Writes the hash into operator.tekton.dev/platform-data-hash on each CR (skipping if already up to date)

The existing MAG controller informer fires on the annotation change, triggers a reconcile, and the webhook deployment is re-applied with the correct TLS env vars. No changes to the MAG controller or reconciler are needed.

Safety

| Scenario | Behaviour |
| --- | --- |
| No MAG CR installed | List returns empty — loop is a no-op |
| MAG CRD not present | List returns error — logged as warning, PostReconcile continues |
| First-time hash write | InstallerSet hash changes → one-time reconcile → correct TLS applied |
| Hash already current | Annotation unchanged → no API call → no reconcile triggered |

Long-term fix

Proper integration of MAG as a full TektonConfig child (ownerRef, spec field, shared package) is tracked in #3656. This PR is the minimal correct stopgap that follows the same architectural pattern as PAC propagation in PostReconcile.

Relates-To: SRVKP-9613
Closes #3656 (partially — the immediate TLS symptom; full child integration deferred)

Made with Cursor

@tekton-robot tekton-robot added the do-not-merge/work-in-progress label Jul 2, 2026
@tekton-robot tekton-robot added the do-not-merge/release-note-label-needed and size/M labels Jul 2, 2026
jkhelil commented Jul 2, 2026

Member Author

/release-note-none

@tekton-robot tekton-robot added the release-note-none label and removed the do-not-merge/release-note-label-needed label Jul 2, 2026
@jkhelil jkhelil marked this pull request as ready for review July 2, 2026 11:46
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress label Jul 2, 2026
@tekton-robot tekton-robot requested review from khrm and pratap0007 July 2, 2026 11:46
enarha commented Jul 2, 2026

Contributor

/approve

@tekton-robot

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enarha

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved label Jul 2, 2026
ManualApprovalGate is a standalone CR (not created by TektonConfig),
so it was never part of the platform-data-hash propagation chain.
When the cluster TLS profile changed, all other components updated
their webhook deployments automatically — but the MAG webhook stayed
stale, still showing the old TLS version and cipher suites.

Root cause: the InstallerSet client detects TLS changes via the
platform-data-hash annotation on the component CR. TektonConfig
writes this annotation onto every child CR it owns (TektonPipeline,
TektonChain, etc.) during PostReconcile. MAG was never wired in.

Fix: add propagateMAGPlatformData() called from TektonConfig's
OpenShiftExtension.PostReconcile(). It lists existing MAG CRs and
writes the current TLS profile hash into their platform-data-hash
annotation. The existing MAG controller informer then fires,
triggers a reconcile, and the webhook deployment is re-applied with
the correct TLS env vars.

This is best-effort and safe when MAG is not installed:
- no MAG CR present → list returns empty, loop is a no-op
- MAG CRD absent → list error is logged as a warning, PostReconcile
  continues normally and TektonConfig reconciliation is unaffected

The proper long-term fix (integrate MAG as a full TektonConfig child
with ownerRef and spec field) is tracked in:
tektoncd#3656

Relates-To: SRVKP-9613

Signed-off-by: Jawed khelil <jkhelil@redhat.com>
Assisted-by: Claude Sonnet 4.6 (via Cursor)
Co-authored-by: Cursor <cursoragent@cursor.com>
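The propagation flow described in the PR description and in the commit message above, as an added stand-alone Go example that is not the operator's own code: a deterministic hash of a (simplified, assumed) TLS profile, a hypothetical `MAGClient` interface standing in for the generated client, and a `PropagateMAGPlatformData` that skips CRs whose annotation is already current and tolerates a missing CRD by logging and returning without error. The in-memory `fakeMAGClient`, `ErrCRDNotFound`, and the cipher names are constructed for this example; only the annotation key comes from the page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"sort"
	"strings"
)

// Annotation key named in the PR description.
const PlatformDataHashAnnotation = "operator.tekton.dev/platform-data-hash"

// TLSProfile is a simplified stand-in (assumption) for what GetPlatformData() reads.
type TLSProfile struct {
	MinVersion string
	Ciphers    []string
}

// PlatformDataHash hashes the profile deterministically; ciphers are sorted first so an
// equivalent profile listed in a different order does not trigger a spurious reconcile.
func PlatformDataHash(p TLSProfile) string {
	ciphers := append([]string(nil), p.Ciphers...)
	sort.Strings(ciphers)
	sum := sha256.Sum256([]byte(p.MinVersion + "\n" + strings.Join(ciphers, ",")))
	return hex.EncodeToString(sum[:])
}

// MAG models a ManualApprovalGate CR; only name and annotations matter here.
type MAG struct {
	Name        string
	Annotations map[string]string
}

// MAGClient is the hypothetical subset of API operations propagation needs.
type MAGClient interface {
	List() ([]MAG, error)
	Update(m MAG) error
}

// ErrCRDNotFound stands in for the API server's "not found" on a List against an uninstalled CRD.
var ErrCRDNotFound = errors.New("the server could not find the requested resource")

// PropagateMAGPlatformData writes hash onto every MAG CR whose annotation is stale and
// returns the number updated. A missing CRD is logged and tolerated (0, nil) so the
// caller's PostReconcile is unaffected; any other error is returned.
func PropagateMAGPlatformData(c MAGClient, hash string) (int, error) {
	mags, err := c.List()
	if err != nil {
		if errors.Is(err, ErrCRDNotFound) {
			log.Printf("warning: ManualApprovalGate CRD not present, skipping platform-data-hash propagation: %v", err)
			return 0, nil
		}
		return 0, fmt.Errorf("list ManualApprovalGate: %w", err)
	}
	updated := 0
	for _, m := range mags {
		if m.Annotations[PlatformDataHashAnnotation] == hash {
			continue // already current: no API call, so no reconcile is triggered
		}
		if m.Annotations == nil {
			m.Annotations = map[string]string{}
		}
		m.Annotations[PlatformDataHashAnnotation] = hash
		if err := c.Update(m); err != nil {
			return updated, fmt.Errorf("update %s: %w", m.Name, err)
		}
		updated++
	}
	return updated, nil
}

// fakeMAGClient is an in-memory client constructed for this example; Updates counts API
// writes so the "already current" path can be shown to make none.
type fakeMAGClient struct {
	CRDMissing bool
	Items      map[string]MAG
	Updates    int
}

func (f *fakeMAGClient) List() ([]MAG, error) {
	if f.CRDMissing {
		return nil, ErrCRDNotFound
	}
	out := make([]MAG, 0, len(f.Items))
	for _, m := range f.Items {
		out = append(out, m)
	}
	return out, nil
}

func (f *fakeMAGClient) Update(m MAG) error {
	f.Items[m.Name] = m
	f.Updates++
	return nil
}

func main() {
	// Cipher names are illustrative, not the operator's real profile contents.
	intermediate := TLSProfile{MinVersion: "1.2", Ciphers: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"}}
	modern := TLSProfile{MinVersion: "1.3", Ciphers: []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}}
	c := &fakeMAGClient{Items: map[string]MAG{"manual-approval-gate": {Name: "manual-approval-gate"}}}
	// First-time write, a no-op on the unchanged profile, then a real TLS change.
	for _, p := range []TLSProfile{intermediate, intermediate, modern} {
		n, err := PropagateMAGPlatformData(c, PlatformDataHash(p))
		fmt.Printf("TLS %s: updated=%d totalWrites=%d err=%v\n", p.MinVersion, n, c.Updates, err)
	}
	_, err := PropagateMAGPlatformData(&fakeMAGClient{CRDMissing: true}, PlatformDataHash(modern))
	fmt.Println("CRD missing tolerated:", err == nil)
}
```

The design point worth keeping from this: the comparison happens before the write, so a steady-state PostReconcile issues no Update and the MAG informer stays quiet; only a genuine profile change (here, 1.2 to 1.3) produces a write and therefore a reconcile.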
@jkhelil jkhelil force-pushed the fix/mag-tls-propagation-via-tektonconfig branch from 29cd1d7 to df1d8b9 Compare July 2, 2026 14:40

Labels

approved, release-note-none, size/M

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat: integrate ManualApprovalGate as a TektonConfig child component

3 participants