feat(tls): inject centrally managed TLS config into triggers webhook

[jkhelil]

JIRA: SRVKP-9615

Problem

The tekton-triggers-webhook managed its own TLS configuration locally, preventing OpenShift's Post-Quantum Cryptography (PQC) readiness. Changes to the cluster's APIServer TLS profile had no effect on the webhook.

Solution

Wire the OpenShift APIServer TLS security profile into the triggers webhook deployment via environment variables (TLS_MIN_VERSION, TLS_CIPHER_SUITES, TLS_CURVE_PREFERENCES), and ensure any future profile changes automatically re-reconcile the webhook.

Changes:

openshift/tektontrigger/extension.go — resolve TLS profile in PreReconcile, inject it via Transformers into the tekton-triggers-webhook Deployment
shared/tektonconfig/tektonconfig.go — stamp operator.tekton.dev/platform-data-hash on the TektonTrigger CR
shared/tektonconfig/trigger/trigger.go — propagate the annotation during CR updates
Feature is opt-in via TektonConfig.spec.platforms.openShift.enableCentralTLSConfig
Evidence
Enabling the feature injects the cluster's TLS profile into the webhook:

$ oc patch tektonconfig config --type=merge \
    -p '{"spec":{"platforms":{"openShift":{"enableCentralTLSConfig":true}}}}'
$ oc get deploy tekton-triggers-webhook -n openshift-pipelines \
    -o jsonpath='{range .spec.template.spec.containers[0].env[*]}{.name}={.value}{"\n"}{end}' | grep TLS_
TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,...,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_MIN_VERSION=1.2
Changing the APIServer TLS profile automatically updates the webhook:

Restrict to 3 ciphers

$ oc patch apiserver cluster --type=merge -p '{
  "spec":{"tlsSecurityProfile":{"type":"Custom","custom":{
    "ciphers":["ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384"],
    "minTLSVersion":"VersionTLS12"
  }}}}'
# platform-data-hash updated:  d96e4890 → 89c859ef
$ oc get deploy tekton-triggers-webhook -n openshift-pipelines \
    -o jsonpath='{range .spec.template.spec.containers[0].env[*]}{.name}={.value}{"\n"}{end}' | grep TLS_
TLS_CIPHER_SUITES=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_MIN_VERSION=1.2
# Restore default → webhook reverts automatically, hash returns to d96e4890

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Run make test lint before submitting a PR
• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

The tekton-triggers-webhook now inherits TLS configuration (minimum version and cipher suites) from the OpenShift cluster's APIServer TLS security profile when enableCentralTLSConfig is set in TektonConfig. Changes to the cluster TLS profile are automatically propagated to the webhook without operator restarts, enabling PQC readiness (SRVKP-9615)

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jkhelil]

/kind feature

[jkhelil]

/retest