STOR-2954: feat: have CVO inject the centralized TLS configuration into the operator's config

[ingvagabund]

Also, have the operator restart whenever the config changes.

wip-docs: openshift/enhancements#2020

Summary by CodeRabbit

• Chores
  • Added a dedicated operator ConfigMap and updated deployments to mount and consume it.
  • Enabled operator graceful shutdown tied to the presence of the mounted config file.
  • Updated HyperShift/managed deployment templates to append guest kubeconfig, add control‑plane/component image env vars, and pass a guest-kubeconfig argument.
  • Adjusted pod annotations, labels, security context and scheduling preferences to align with platform requirements.

[openshift-ci-robot]

@ingvagabund: This pull request references STOR-2954 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Also, have the operator restart whenever the config changes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c065e864-eb56-41ce-b35e-1a8f633774a9

📥 Commits

Reviewing files that changed from the base of the PR and between be400cd and 58bf9ab.

📒 Files selected for processing (5)

• manifests/04_configmap.yaml
• manifests/10_deployment-hypershift.yaml
• manifests/10_deployment-ibm-cloud-managed.yaml
• manifests/10_deployment.yaml
• profile-patches/hypershift/10_deployment.yaml-patch

🚧 Files skipped from review as they are similar to previous changes (5)

• manifests/04_configmap.yaml
• manifests/10_deployment.yaml
• manifests/10_deployment-ibm-cloud-managed.yaml
• manifests/10_deployment-hypershift.yaml
• profile-patches/hypershift/10_deployment.yaml-patch

---

Walkthrough

This PR adds a ConfigMap containing a GenericOperatorConfig and updates standard, HyperShift, and IBM Cloud managed cluster-storage-operator deployments to mount that ConfigMap and pass its config file path via --config and --terminate-on-files. A HyperShift profile patch appends guest-kubeconfig entries and adds image environment variables.

Changes

Operator Configuration Introduction

Layer / File(s)	Summary
Operator configuration contract manifests/04_configmap.yaml	New ConfigMap cluster-storage-operator-config containing GenericOperatorConfig with OpenShift capability and annotation metadata.
Standard Deployment configuration wiring manifests/10_deployment.yaml	Container args include --config=/var/run/configmaps/config/config.yaml and --terminate-on-files pointing to the same path; ConfigMap volume and mount are added to wire the configuration file.
HyperShift Deployment configuration and serving cert wiring manifests/10_deployment-hypershift.yaml	Container args and volumeMounts/volumes are updated to mount both the operator config ConfigMap and the serving certificate secret; volumes section adds cluster-storage-operator-serving-cert and cluster-storage-operator-config.
IBM Cloud managed Deployment configuration wiring manifests/10_deployment-ibm-cloud-managed.yaml	Container args include config file path and termination flag; ConfigMap volume and mount are added to make the config available at /var/run/configmaps/config.
HyperShift profile-patch adjustments profile-patches/hypershift/10_deployment.yaml-patch	Patch now appends guest-kubeconfig volume and mount entries instead of replacing arrays, and adds container env vars for control-plane/CSI/proxy/liveness images.

---

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Microshift Test Compatibility	⚠️ Warning	The new test storage_performant_policy.go uses [OCPFeatureGate:StoragePerformantSecurityPolicy] but lacks MicroShift skip mechanisms. OCPFeatureGates are unavailable on MicroShift per USHIFT-3142.	Add [Skipped:MicroShift] label to the test name or guard with exutil.IsMicroShiftCluster() check and g.Skip(). The test references a feature gate not available on MicroShift.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: enabling CVO to inject centralized TLS configuration into the operator's config and ensuring restart on changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This check is not applicable to the PR. The repository uses standard Go testing package tests, not Ginkgo, and the PR does not modify any test files.
Test Structure And Quality	✅ Passed	Tests follow Go standards with table-driven patterns, proper setup/cleanup via defer, meaningful assertion messages, and codebase-consistent patterns using fake clients and csoclients infrastructure.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Changes are limited to Kubernetes manifests for TLS configuration injection. Check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Changes are TLS configuration management only. No new scheduling constraints, affinity rules, or topology-breaking patterns. Deployments correctly handle HA, SNO, and HyperShift topologies.
Ote Binary Stdout Contract	✅ Passed	OTE binary's main() properly calls logs.InitLogs() which redirects klog to stderr by default; no fmt.Print/Println/Printf or stdout writes in process-level code detected.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR only modifies Kubernetes manifest and patch YAML files; no new Ginkgo e2e tests are added. The check is not applicable.
No-Weak-Crypto	✅ Passed	No weak cryptography found. PR only adds YAML manifests/patches for TLS config injection. No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, no custom crypto code, no insecure comparisons.
Container-Privileges	✅ Passed	All containers have allowPrivilegeEscalation: false with ALL capabilities dropped; pods run as non-root. No privileged, hostPID/Network/IPC, or SYS_ADMIN found.
No-Sensitive-Data-In-Logs	✅ Passed	PR modifies only manifest files to configure TLS injection. The ConfigMap template contains no sensitive data, and no code in the operator logs configuration, secrets, or credentials.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

[ingvagabund]

/retest-required

[coderabbitai]

🧹 Nitpick comments (1)

profile-patches/hypershift/10_deployment.yaml-patch (1)

37-75: ⚡ Quick win

Prefer appending env vars with /- instead of fixed indices in JSON Patch

In profile-patches/hypershift/10_deployment.yaml-patch the env vars are added at /spec/template/spec/containers/0/env/33 … /env/40. JSON Patch add with /array/<index> inserts at a fixed position and shifts the rest, so upstream changes to the env array ordering/length can make this patch fragile or mis-target. Switching these ops to /env/- makes them append safely (and matches the existing /volumeMounts/- style in this patch).

♻️ Suggested patch shape

-  path: /spec/template/spec/containers/0/env/33
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/34
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/35
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/36
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/37
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/38
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/39
+  path: /spec/template/spec/containers/0/env/-
...
-  path: /spec/template/spec/containers/0/env/40
+  path: /spec/template/spec/containers/0/env/-

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@profile-patches/hypershift/10_deployment.yaml-patch` around lines 37 - 75,
The JSON Patch uses fixed env indices (/spec/template/spec/containers/0/env/33 …
/env/40) which makes the patch brittle; update each add operation to append
instead by changing the path to /spec/template/spec/containers/0/env/- for all
ENV entries (HYPERSHIFT_IMAGE, AWS_EBS_DRIVER_CONTROL_PLANE_IMAGE,
AZURE_DISK_DRIVER_CONTROL_PLANE_IMAGE, LIVENESS_PROBE_CONTROL_PLANE_IMAGE,
AZURE_FILE_DRIVER_CONTROL_PLANE_IMAGE,
OPENSTACK_CINDER_DRIVER_CONTROL_PLANE_IMAGE, MANILA_DRIVER_CONTROL_PLANE_IMAGE,
KUBE_RBAC_PROXY_CONTROL_PLANE_IMAGE) so they are appended safely (matching the
existing /volumeMounts/- style).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@profile-patches/hypershift/10_deployment.yaml-patch`:
- Around line 37-75: The JSON Patch uses fixed env indices
(/spec/template/spec/containers/0/env/33 … /env/40) which makes the patch
brittle; update each add operation to append instead by changing the path to
/spec/template/spec/containers/0/env/- for all ENV entries (HYPERSHIFT_IMAGE,
AWS_EBS_DRIVER_CONTROL_PLANE_IMAGE, AZURE_DISK_DRIVER_CONTROL_PLANE_IMAGE,
LIVENESS_PROBE_CONTROL_PLANE_IMAGE, AZURE_FILE_DRIVER_CONTROL_PLANE_IMAGE,
OPENSTACK_CINDER_DRIVER_CONTROL_PLANE_IMAGE, MANILA_DRIVER_CONTROL_PLANE_IMAGE,
KUBE_RBAC_PROXY_CONTROL_PLANE_IMAGE) so they are appended safely (matching the
existing /volumeMounts/- style).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 7adc3ab9-2d1d-4cb8-9a9a-fb9077369df7

📥 Commits

Reviewing files that changed from the base of the PR and between 0883e0b and be400cd.

📒 Files selected for processing (5)

• manifests/04_configmap.yaml
• manifests/10_deployment-hypershift.yaml
• manifests/10_deployment-ibm-cloud-managed.yaml
• manifests/10_deployment.yaml
• profile-patches/hypershift/10_deployment.yaml-patch

🚧 Files skipped from review as they are similar to previous changes (4)

• manifests/10_deployment.yaml
• manifests/10_deployment-ibm-cloud-managed.yaml
• manifests/04_configmap.yaml
• manifests/10_deployment-hypershift.yaml

[ingvagabund]

From https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-storage-operator/703/pull-ci-openshift-cluster-storage-operator-main-e2e-aws-csi/2060322735082442752/artifacts/e2e-aws-csi/gather-extra/artifacts/configmaps.json:

        {
            "apiVersion": "v1",
            "data": {
                "config.yaml": "apiVersion: operator.openshift.io/v1alpha1\nkind: GenericOperatorConfig\nservingInfo:\n  cipherSuites:\n  - TLS_AES_128_GCM_SHA256\n  - TLS_AES_256_GCM_SHA384\n  - TLS_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n  minTLSVersion: VersionTLS12\n"
            },
            "kind": "ConfigMap",
            "metadata": {
                "annotations": {
                    "capability.openshift.io/name": "Storage",
                    "config.openshift.io/inject-tls": "true",
                    "include.release.openshift.io/hypershift": "true",
                    "include.release.openshift.io/ibm-cloud-managed": "true",
                    "include.release.openshift.io/self-managed-high-availability": "true",
                    "include.release.openshift.io/single-node-developer": "true"
                },
                "creationTimestamp": "2026-05-29T11:54:09Z",
                "name": "cluster-storage-operator-config",
                "namespace": "openshift-cluster-storage-operator",
                "ownerReferences": [
                    {
                        "apiVersion": "config.openshift.io/v1",
                        "controller": true,
                        "kind": "ClusterVersion",
                        "name": "version",
                        "uid": "6079762a-b2b2-4d0b-a321-c9a558950840"
                    }
                ],
                "resourceVersion": "2022",
                "uid": "4b10a857-116e-491d-986a-4835e6857dcf"
            }
        },

TLS injected

[dfajmon]

/retest

[dfajmon]

/lgtm

[jsafrane]

This will cause CVO creating the config map in guest cluster, where nobody reads it. I'd remove this annotation.

[ingvagabund]

Done.

[jsafrane]

Who creates the ConfigMap in a hosted control plane? I think it will need something like openshift/hypershift#8011 to create it there.

We can merge this PR + then someone must copy 10_deployment-hypershift.yaml‎ to hypershift here and add ConfigMap creation in the same hypershift PR to make sure nothing breaks.

[ingvagabund]

Gotcha. I can do it.

[dfajmon]

/test e2e-gcp-csi

[openshift-ci]

@ingvagabund: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[dfajmon]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dfajmon, ingvagabund

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [dfajmon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment