feat(tls): inject centrally managed TLS config into pipelines webhook#3383

Open
jkhelil wants to merge 1 commit into tektoncd:main from jkhelil:webhook_tls

Conversation

@jkhelil
Member

@jkhelil jkhelil commented Apr 30, 2026

The tekton-pipelines-webhook managed its own TLS configuration locally, preventing Post-Quantum Cryptography (PQC) readiness. Changes to the cluster's APIServer TLS profile had no effect on the webhook.

Solution

Wire the OpenShift APIServer TLS security profile into the webhook deployment via environment variables (TLS_MIN_VERSION, TLS_CIPHER_SUITES, TLS_CURVE_PREFERENCES), and ensure any future profile changes automatically re-reconcile the webhook.

Changes:

openshift/tektonpipeline/extension.go — resolve TLS profile in PreReconcile, inject it via Transformers into the tekton-pipelines-webhook Deployment
openshift/tektonconfig/controller.go — watch APIServer resource; on TLS profile change, re-enqueue TektonConfig
openshift/tektonconfig/extension.go — GetPlatformData() returns a SHA-256 hash of the resolved TLS profile
shared/tektonconfig/tektonconfig.go — stamp the hash as operator.tekton.dev/platform-data-hash on the TektonPipeline CR
shared/tektonconfig/pipeline/pipeline.go — propagate the annotation during CR updates
kubernetes/tektoninstallerset/client/ — include PlatformDataHashKey in the InstallerSet spec hash so manifest re-application is triggered when the TLS profile changes
Feature is opt-in via TektonConfig.spec.platforms.openShift.enableCentralTLSConfig

Evidence

Enabling the feature injects the cluster's TLS profile into the webhook:

$ oc patch tektonconfig config --type=merge \
    -p '{"spec":{"platforms":{"openShift":{"enableCentralTLSConfig":true}}}}'
$ oc get deploy tekton-pipelines-webhook -n openshift-pipelines \
    -o jsonpath='{range .spec.template.spec.containers[0].env[*]}{.name}={.value}{"\n"}{end}' | grep TLS_
TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,...,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_MIN_VERSION=1.2

Changing the APIServer TLS profile automatically updates the webhook (no operator restart):

# Restrict to 3 ciphers
$ oc patch apiserver cluster --type=merge -p '{
  "spec":{"tlsSecurityProfile":{"type":"Custom","custom":{
    "ciphers":["ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384"],
    "minTLSVersion":"VersionTLS12"
  }}}}'
# Operator log:
# "APIServer TLS security profile changed, triggering TektonConfig reconciliation"
# PlatformDataHashKey updated:  d96e4890 → 89c859ef
$ oc get deploy tekton-pipelines-webhook -n openshift-pipelines \
    -o jsonpath='{range .spec.template.spec.containers[0].env[*]}{.name}={.value}{"\n"}{end}' | grep TLS_
TLS_CIPHER_SUITES=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_MIN_VERSION=1.2
# Restore default → webhook reverts automatically, hash returns to d96e4890

Release Notes

The tekton-pipelines-webhook now inherits TLS configuration (minimum version and cipher suites) from the OpenShift cluster's APIServer TLS security profile when enableCentralTLSConfig is set in TektonConfig. Changes to the cluster TLS profile are automatically propagated to the webhook without operator restarts, enabling PQC readiness (SRVKP-9614).
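The description above lists three pieces that fit together: resolving the APIServer profile into webhook environment variables, hashing the resolved profile so a change can be detected, and stamping that hash onto the CR so a changed value triggers a re-apply. The following Go program is an added illustration of that flow, not code from the tektoncd/operator project or from this PR. The type `TLSProfile`, the functions `ResolveEnv`, `PlatformDataHash`, `StampHash`, `DefaultProfile` and `RestrictedProfile`, and the OpenSSL-to-IANA cipher table are all assumptions made for this example; only the annotation key and the environment variable names come from the PR. The two sample profiles are constructed to mirror the "Restrict to 3 ciphers" and "Restore default" steps in the evidence section, so the hash changes on the restriction and returns to its first value on restore.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// PlatformDataHashKey is the annotation named in the PR description.
const PlatformDataHashKey = "operator.tekton.dev/platform-data-hash"

// TLSProfile is a simplified, hypothetical view of a resolved APIServer
// tlsSecurityProfile; cipher names are in OpenSSL form, as in the APIServer CR.
type TLSProfile struct {
	MinTLSVersion string   // e.g. "VersionTLS12"
	Ciphers       []string // OpenSSL names, order preserved
	Curves        []string // optional curve preferences, e.g. "X25519"
}

// opensslToIANA maps OpenSSL cipher names to the IANA names Go's crypto/tls
// accepts. Constructed table covering only the suites in the PR's evidence;
// TLS 1.3 suites already use IANA names.
var opensslToIANA = map[string]string{
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_AES_128_GCM_SHA256":        "TLS_AES_128_GCM_SHA256",
}

var minVersionToEnv = map[string]string{"VersionTLS12": "1.2", "VersionTLS13": "1.3"}

// ResolveEnv turns a profile into the environment variables injected into the
// webhook Deployment. A cipher with no IANA mapping is rejected up front so the
// webhook never starts with a value crypto/tls would refuse.
// TLS_CURVE_PREFERENCES is only emitted when the profile names curves.
func ResolveEnv(p TLSProfile) (map[string]string, error) {
	minVer, ok := minVersionToEnv[p.MinTLSVersion]
	if !ok {
		return nil, fmt.Errorf("unsupported minTLSVersion %q", p.MinTLSVersion)
	}
	suites := make([]string, 0, len(p.Ciphers))
	for _, c := range p.Ciphers {
		iana, ok := opensslToIANA[c]
		if !ok {
			return nil, fmt.Errorf("cipher %q has no IANA mapping", c)
		}
		suites = append(suites, iana)
	}
	if len(suites) == 0 {
		return nil, fmt.Errorf("profile contains no ciphers")
	}
	env := map[string]string{"TLS_MIN_VERSION": minVer, "TLS_CIPHER_SUITES": strings.Join(suites, ",")}
	if len(p.Curves) > 0 {
		env["TLS_CURVE_PREFERENCES"] = strings.Join(p.Curves, ",")
	}
	return env, nil
}

// PlatformDataHash digests the resolved env with keys in sorted order, so Go's
// randomised map iteration cannot produce a different hash for an unchanged
// profile (which would cause needless re-reconciles). Cipher order inside a
// value is kept because it is part of the profile. The first eight hex chars
// are returned, matching the short form shown in the PR's operator log.
func PlatformDataHash(env map[string]string) string {
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%s=%s\n", k, env[k])
	}
	return hex.EncodeToString(h.Sum(nil))[:8]
}

// StampHash writes the hash onto a CR's annotations and reports whether it
// changed, the signal that the InstallerSet manifest must be re-applied.
func StampHash(annotations map[string]string, hash string) (map[string]string, bool) {
	if annotations == nil {
		annotations = map[string]string{}
	}
	changed := annotations[PlatformDataHashKey] != hash
	annotations[PlatformDataHashKey] = hash
	return annotations, changed
}

// Constructed inputs mirroring the evidence: a broad default profile, then a
// Custom profile restricted to 3 ciphers.
func DefaultProfile() TLSProfile {
	return TLSProfile{MinTLSVersion: "VersionTLS12", Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
		"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305"}}
}

func RestrictedProfile() TLSProfile {
	return TLSProfile{MinTLSVersion: "VersionTLS12", Ciphers: []string{
		"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
		"ECDHE-RSA-AES256-GCM-SHA384"}}
}

func main() {
	ann := map[string]string{}
	for _, p := range []TLSProfile{DefaultProfile(), RestrictedProfile(), DefaultProfile()} {
		env, err := ResolveEnv(p)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		var changed bool
		ann, changed = StampHash(ann, PlatformDataHash(env))
		fmt.Printf("hash=%s changed=%v suites=%s\n", ann[PlatformDataHashKey], changed, env["TLS_CIPHER_SUITES"])
	}
}
```

Running `main` walks the default, restricted and restored profiles in turn: the first two stamps report a change, and the third produces the same hash as the first, which is the "hash returns to d96e4890" behaviour the evidence describes (the digest values here differ, since the sample profile is constructed). Rejecting unmapped ciphers rather than passing them through is a deliberate choice: a typo in the APIServer profile then surfaces as a reconcile error instead of a webhook that fails to start.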

@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Apr 30, 2026
@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Apr 30, 2026
@jkhelil
Member Author

jkhelil commented Apr 30, 2026

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Apr 30, 2026
…webhook

Wire the OpenShift APIServer TLS profile (TLS_MIN_VERSION,
TLS_CIPHER_SUITES, TLS_CURVE_PREFERENCES) into the tekton-pipelines-webhook
Deployment to support PQC readiness (SRVKP-9614).

Made-with: Cursor