feat(tls): inject centrally managed TLS config into pipelines-as-codde

[jkhelil]

Summary

Extends the OpenShift TLS centralization pattern to the pipelines-as-code-webhook deployment (SRVKP-9616), completing the webhook TLS trilogy alongside the Pipelines and Triggers PRs.

What changes

openshiftpipelinesascode/extension.go — switched to pointer receiver; added tektonConfigLister and resolvedTLSConfig fields. PreReconcile resolves the cluster APIServer TLS profile via ResolveCentralTLSToEnvVars. Transformers injects TLS_MIN_VERSION and TLS_CIPHER_SUITES into the pipelines-as-code-webhook deployment (pac-webhook container) when a profile is resolved.

pipelinesascode/pipelinesascode.go — EnsureOpenShiftPipelinesAsCodeExists, createOPAC, and updateOPAC now accept and propagate a platformData string parameter, stamped as the operator.tekton.dev/platform-data-hash annotation on the OpenShiftPipelinesAsCode CR. This triggers re-reconciliation when the APIServer TLS profile changes.

openshift/tektonconfig/extension.go — PostReconcile passes oe.GetPlatformData() (the APIServer TLS hash) into EnsureOpenShiftPipelinesAsCodeExists.

kubernetes/tektonconfig/extension.go — Kubernetes-side caller updated to pass "" (no platform data on Kubernetes).

extension_test.go (new) — 3 table-driven tests: no TLS config, injection into pac-webhook, no injection into unrelated deployments.

Evidence

=== pipelines-as-code-webhook ===
TLS_MIN_VERSION=1.2
TLS_CIPHER_SUITES=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,...
=== OpenShiftPipelinesAsCode PlatformDataHashKey ===
{"operator.tekton.dev/platform-data-hash":"d96e4890584e1fc72e863f47ee42b735054cfe7e5af8df11c1ae9d499150c129"}
Changing the cluster APIServer TLS profile updates the hash annotation and triggers a redeploy with the new settings — same verified behavior as Pipelines and Triggers PRs.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Run make test lint before submitting a PR
• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

On OpenShift, the `pipelines-as-code-webhook` deployment now automatically inherits the cluster-wide TLS version and cipher suites from the OpenShift APIServer TLS security profile. Changes to the profile are automatically propagated without manual intervention.

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jkhelil]

/kind feature