
Commit 4cb4db9

jkhelilcursoragent
authored andcommitted
fix(manualapprovalgate): propagate TLS profile hash via TektonConfig
ManualApprovalGate is a standalone CR (not created by TektonConfig), so it was never part of the platform-data-hash propagation chain. When the cluster TLS profile changed, all other components updated their webhook deployments automatically — but the MAG webhook stayed stale, still showing the old TLS version and cipher suites. Root cause: the InstallerSet client detects TLS changes via the platform-data-hash annotation on the component CR. TektonConfig writes this annotation onto every child CR it owns (TektonPipeline, TektonChain, etc.) during PostReconcile. MAG was never wired in. Fix: add propagateMAGPlatformData() called from TektonConfig's OpenShiftExtension.PostReconcile(). It lists existing MAG CRs and writes the current TLS profile hash into their platform-data-hash annotation. The existing MAG controller informer then fires, triggers a reconcile, and the webhook deployment is re-applied with the correct TLS env vars. This is best-effort and safe when MAG is not installed: - no MAG CR present → list returns empty, loop is a no-op - MAG CRD absent → list error is logged as a warning, PostReconcile continues normally and TektonConfig reconciliation is unaffected The proper long-term fix (integrate MAG as a full TektonConfig child with ownerRef and spec field) is tracked in: #3656 Relates-To: SRVKP-9613 Signed-off-by: Jawed khelil <jkhelil@redhat.com> Assisted-by: Claude Sonnet 4.6 (via Cursor) Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 07beee0 commit 4cb4db9

1 file changed

Lines changed: 38 additions & 0 deletions


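--- a/pkg/reconciler/openshift/tektonconfig/extension.go
+++ b/pkg/reconciler/openshift/tektonconfig/extension.go
@@ -217,11 +217,49 @@ func (oe openshiftExtension) PostReconcile(ctx context.Context, comp v1alpha1.Te
 }
 }
 
+// Propagate platform-data-hash to any existing ManualApprovalGate CR.
+// ManualApprovalGate is a standalone CR (not created by TektonConfig — see
+// https://github.com/tektoncd/operator/issues/3656), so it never receives
+// platform-data-hash through the normal child-CR path. We update it here
+// (same PostReconcile layer as PAC) so that the MAG controller re-applies
+// the webhook deployment with updated TLS env vars when the cluster TLS
+// profile changes.
+oe.propagateMAGPlatformData(ctx)
+
 // execute console plugin reconciler
 // TLS config was already resolved and cached in PreReconcile via SetTLSConfig.
 return oe.consolePluginReconciler.reconcile(ctx, configInstance)
 }
 
+// propagateMAGPlatformData writes the current TLS profile hash into the
+// platform-data-hash annotation of every existing ManualApprovalGate CR.
+// It is a best-effort operation — failures are logged but do not block the
+// TektonConfig reconciliation.
+func (oe openshiftExtension) propagateMAGPlatformData(ctx context.Context) {
+platformData := oe.GetPlatformData()
+if platformData == "" {
+return
+}
+logger := logging.FromContext(ctx)
+magList, err := oe.operatorClientSet.OperatorV1alpha1().ManualApprovalGates().List(ctx, metav1.ListOptions{})
+if err != nil {
+logger.Warnf("failed to list ManualApprovalGate CRs for platform-data-hash propagation: %v", err)
+return
+}
+for i := range magList.Items {
+mag := &magList.Items[i]
+if mag.Annotations[v1alpha1.PlatformDataHashKey] == platformData {
+continue
+}
+patch := fmt.Sprintf(`{"metadata":{"annotations":{%q:%q}}}`, v1alpha1.PlatformDataHashKey, platformData)
+if _, patchErr := oe.operatorClientSet.OperatorV1alpha1().ManualApprovalGates().Patch(
+ctx, mag.Name, types.MergePatchType, []byte(patch), metav1.PatchOptions{},
+); patchErr != nil {
+logger.Warnf("failed to patch platform-data-hash on ManualApprovalGate %s: %v", mag.Name, patchErr)
+}
+}
+}
+
 func (oe openshiftExtension) GetPlatformData() string {
 tc, err := oe.tektonConfigLister.Get("config")
 if err != nil {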
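Review bot: In `propagateMAGPlatformData`, the list failure and every patch failure end in `logger.Warnf` with nothing returned to `PostReconcile`, so a rejected patch (a missing RBAC rule or a transient API error, for instance) leaves the ManualApprovalGate webhook on the previous TLS version and cipher suites with only a warning line as evidence. The commit message justifies best-effort by the case where the MAG CRD is absent, but that case can be separated from real failures: treat only a not-found result from `List` as benign, and have the helper return the remaining errors so the caller can requeue, or at least log them at error level and emit an event on the TektonConfig. The early `return` when `platformData == ""` is silent as well; if `GetPlatformData()` yields an empty string after a failed lookup (its body continues past the end of the hunk, so this is inferred), propagation is skipped with no trace. Separately, the merge patch is built with `%q`, which is Go quoting rather than JSON escaping; that holds for a constant key and a hex-like hash, but marshalling a small map with `json.Marshal` would remove the assumption about what the hash string contains.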
