
mig-controller: inherit TLS options from MigController #47

Open
Acedus wants to merge 3 commits into kubevirt:main from
Acedus:inherit-tls-options-from-mig-controller

Conversation

@Acedus Acedus commented Mar 30, 2026

What this PR does / why we need it:
Previously the metrics-server and webhook would be initiated with
default TLS configuration. This change makes it so the TLS configuration
is updated during runtime for every request according to the
MigController TLSSecurityProfile.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

Release note:

mig-controller metrics-server and webhook now correctly inherit TLS options from the MigController TLSSecurityProfile. 

Needed for the kubevirt-migration-controller to watch the
MigrationController CR and infer its TLS configuration from it.

Signed-off-by: Adi Aloni <aaloni@redhat.com>
@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Mar 30, 2026
@kubevirt-bot kubevirt-bot requested review from akalenyu and awels March 30, 2026 14:13
@kubevirt-bot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign akalenyu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Acedus Acedus force-pushed the inherit-tls-options-from-mig-controller branch from e278157 to 5ce78a1 Compare March 30, 2026 14:21
@awels (Member) commented Mar 31, 2026

/test pull-kubevirt-migration-controller-e2e

ManagedTLSWatcher watches the MigController CR's tlsSecurityProfile to
dynamically update the TLS configuration for incoming connections on
exposed endpoints.

Signed-off-by: Adi Aloni <aaloni@redhat.com>
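The mechanism the description and this commit message outline, a watcher that re-derives the server's TLS settings whenever the CR's tlsSecurityProfile changes and applies them per connection, can be sketched with only the Go standard library. The block below is an added example, not code from this PR or from the kubevirt project. It relies on `tls.Config.GetConfigForClient`, the crypto/tls hook called once per ClientHello, so a new `tls.Config` can be returned for every handshake without restarting the listener. The `TLSWatcher`, `TLSSecurityProfile` and `ProfileType` names, and the version/cipher settings chosen for Old, Intermediate and Modern, are this example's assumptions; a real implementation would call `Update` from the informer event handler for the MigController CR.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sync"
)

// ProfileType mirrors the Old/Intermediate/Modern profile names used by
// TLSSecurityProfile-style APIs. The concrete settings chosen for each name
// below are this example's assumption, not the migration controller's own.
type ProfileType string

const (
	ProfileOld          ProfileType = "Old"
	ProfileIntermediate ProfileType = "Intermediate"
	ProfileModern       ProfileType = "Modern"
)

// TLSSecurityProfile is a constructed stand-in for the CR field; only the
// profile type is modelled here.
type TLSSecurityProfile struct {
	Type ProfileType
}

// TLSWatcher holds the tls.Config derived from the last observed profile and
// swaps it under a lock, so a handshake never sees a half-updated config.
type TLSWatcher struct {
	mu      sync.RWMutex
	current *tls.Config
	getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error)
}

// NewTLSWatcher starts on the default profile; getCert supplies the serving
// certificate and is carried into every per-handshake config, because the
// config returned from GetConfigForClient replaces the base one for that
// connection.
func NewTLSWatcher(getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error)) *TLSWatcher {
	w := &TLSWatcher{getCert: getCert}
	w.Update(nil)
	return w
}

// Update is what an informer event handler for the MigController CR would
// call on add/update; nil restores the defaults, which is the fallback the
// review thread discusses for the case where the CR is absent.
func (w *TLSWatcher) Update(p *TLSSecurityProfile) {
	cfg := w.configForProfile(p)
	w.mu.Lock()
	w.current = cfg
	w.mu.Unlock()
}

// GetConfigForClient is installed as tls.Config.GetConfigForClient, which
// crypto/tls calls once per ClientHello, so every new connection uses the
// profile in effect at that moment without restarting the listener.
func (w *TLSWatcher) GetConfigForClient(_ *tls.ClientHelloInfo) (*tls.Config, error) {
	w.mu.RLock()
	defer w.mu.RUnlock()
	return w.current, nil
}

// ServerConfig is the base config to hand to http.Server or a webhook server.
func (w *TLSWatcher) ServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12, // only used if the hook returned nil
		GetConfigForClient: w.GetConfigForClient,
	}
}

func (w *TLSWatcher) configForProfile(p *TLSSecurityProfile) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: w.getCert}
	if p == nil {
		return cfg
	}
	switch p.Type {
	case ProfileOld:
		cfg.MinVersion = tls.VersionTLS10
	case ProfileModern:
		cfg.MinVersion = tls.VersionTLS13
	case ProfileIntermediate:
		// Forward-secret AEAD suites only. TLS 1.3 suites are not
		// configurable in Go and stay enabled regardless of this list.
		cfg.CipherSuites = []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
		}
	}
	return cfg
}

func main() {
	w := NewTLSWatcher(nil)
	for _, p := range []*TLSSecurityProfile{nil, {Type: ProfileModern}, {Type: ProfileOld}} {
		w.Update(p)
		cfg, _ := w.GetConfigForClient(nil)
		fmt.Printf("profile=%v minVersion=0x%04x suites=%d\n", p, cfg.MinVersion, len(cfg.CipherSuites))
	}
}
```

Connections that are already established keep the config they were handshaken with; only new handshakes pick up a changed profile, which is the same behaviour a per-request TLS update in the PR would have.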
@Acedus Acedus force-pushed the inherit-tls-options-from-mig-controller branch from 5ce78a1 to ec1c0e3 Compare April 12, 2026 11:47
Comment on lines +110 to +113
list := &migrationsv1alpha1.MigControllerList{}
if err := c.List(ctx, list); err != nil {
log.Info("MigController CRD not available, using default TLS configuration", "error", err)
<-ctx.Done()
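Review bot: a failed List at lines +110 to +113 parks the goroutine on `<-ctx.Done()` for the life of the process, so if the MigController CRD is installed after the controller starts, or the List fails transiently (API server unavailable, RBAC not yet applied), the endpoints keep the default TLS configuration until a restart and the "dynamic" part never engages. Suggest distinguishing a missing CRD from other errors (`meta.IsNoMatchError(err)` from k8s.io/apimachinery/pkg/api/meta) and, for the missing-CRD case, retrying the List with backoff until it succeeds or ctx is done, rather than waiting unconditionally; other errors should be returned rather than swallowed. The message at line +112 is also logged at Info with the error attached, which makes an RBAC or connectivity problem look like an expected fallback.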
Contributor
this is not a part of the operator tls watcher impl. are we sure we need this?

Author
The reason for this is that we're unaware of whether the MigController CR even exists to begin with, so we fall back if it's unavailable and let controller-runtime dynamically create the informer from the default cache on first use.

Contributor
ctx.Done() would just kill it, no?

Author
It won't be dynamic that's for sure... but I think it's worth arguing that we won't ever hit the dynamic TLS usecase without a MigController CRD installed, so we could probably get away with conditionally setting the TLSWatcher to ready.

Previously the metrics-server and webhook would be initiated with
default TLS configuration. This change makes it so the TLS configuration
is updated during runtime for every request according to the
MigController TLSSecurityProfile.

Signed-off-by: Adi Aloni <aaloni@redhat.com>
@Acedus Acedus force-pushed the inherit-tls-options-from-mig-controller branch from ec1c0e3 to 381c3c2 Compare April 12, 2026 12:32

Labels

dco-signoff: yes Indicates the PR's author has DCO signed all their commits. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL

4 participants