@lance5890
As the openshift-config-operator log shows, it uses insecure cipher suites:

I0707 04:28:51.656535       1 cmd.go:241] Using service-serving-cert provided certificates
I0707 04:28:51.656863       1 leaderelection.go:122] The leader election gives 4 retries and allows for 30s of clock skew. The kube-apiserver downtime tolerance is 78s. Worst non-graceful lease acquisition is 2m43s. Worst graceful lease acquisition is {26s}.
I0707 04:28:51.657907       1 observer_polling.go:159] Starting file observer
I0707 04:28:51.692682       1 builder.go:299] config-operator version 4.16.0-202408081442.p0.g441d29c.assembly.stream.el9-441d29c-441d29c92b1759d1780a525112e764280b78b0d6
I0707 04:28:52.070266       1 secure_serving.go:57] Forcing use of http/1.1 only
W0707 04:28:52.070287       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0707 04:28:52.070292       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
I0707 04:28:52.074875       1 leaderelection.go:250] attempting to acquire leader lease openshift-config-operator/config-operator-lock...
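An added example, not part of this PR or of the operator's code, that reproduces with Go's own crypto/tls classification why the two CBC suites in the log above are flagged, and then builds a tls.Config from the servingInfo values the PR's ConfigMap sets (the six ECDHE AES-GCM/ChaCha20 suites and minTLSVersion: VersionTLS12). The type and function names (ServingInfo, ClassifySuites, ParseMinTLSVersion, BuildTLSConfig) are chosen here and are not library-go's API; unlike the operator, which only logs a warning, this version rejects insecure or unknown suites.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
)

// ServingInfo mirrors the two servingInfo keys the PR's GenericOperatorConfig
// sets. It is a constructed stand-in for this example, not the openshift/api type.
type ServingInfo struct {
	CipherSuites  []string
	MinTLSVersion string
}

// SuiteReport sorts configured names into the buckets crypto/tls distinguishes.
type SuiteReport struct {
	Secure   []string // in tls.CipherSuites()
	Insecure []string // implemented, but in tls.InsecureCipherSuites()
	Unknown  []string // not implemented by Go at all
}

// suiteTables builds name->ID lookups from crypto/tls's own lists.
func suiteTables() (secure, insecure map[string]uint16) {
	secure = make(map[string]uint16)
	insecure = make(map[string]uint16)
	for _, s := range tls.CipherSuites() {
		secure[s.Name] = s.ID
	}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.Name] = s.ID
	}
	return secure, insecure
}

// ClassifySuites applies the same test behind the operator's
// "Use of insecure cipher '...' detected." warning: a name missing from
// tls.CipherSuites() but present in tls.InsecureCipherSuites() is insecure.
func ClassifySuites(names []string) SuiteReport {
	secure, insecure := suiteTables()
	var r SuiteReport
	for _, n := range names {
		if _, ok := secure[n]; ok {
			r.Secure = append(r.Secure, n)
		} else if _, ok := insecure[n]; ok {
			r.Insecure = append(r.Insecure, n)
		} else {
			r.Unknown = append(r.Unknown, n)
		}
	}
	return r
}

// ParseMinTLSVersion maps the manifest's string form (VersionTLS12,
// VersionTLS13) to the crypto/tls constant; TLS 1.0/1.1 floors are refused.
func ParseMinTLSVersion(v string) (uint16, error) {
	switch v {
	case "VersionTLS12":
		return tls.VersionTLS12, nil
	case "VersionTLS13":
		return tls.VersionTLS13, nil
	default:
		return 0, fmt.Errorf("minTLSVersion %q is unsupported or below TLS 1.2", v)
	}
}

// BuildTLSConfig turns ServingInfo into a *tls.Config, refusing insecure or
// unknown suites. tls.Config.CipherSuites only governs TLS 1.2: Go fixes the
// TLS 1.3 suites itself, so a TLS 1.3 floor makes this list inert.
func BuildTLSConfig(si ServingInfo) (*tls.Config, error) {
	minVer, err := ParseMinTLSVersion(si.MinTLSVersion)
	if err != nil {
		return nil, err
	}
	rep := ClassifySuites(si.CipherSuites)
	if len(rep.Insecure) > 0 || len(rep.Unknown) > 0 {
		return nil, fmt.Errorf("rejecting cipherSuites: insecure=%v unknown=%v",
			rep.Insecure, rep.Unknown)
	}
	secure, _ := suiteTables()
	ids := make([]uint16, 0, len(si.CipherSuites))
	for _, n := range si.CipherSuites {
		ids = append(ids, secure[n])
	}
	return &tls.Config{MinVersion: minVer, CipherSuites: ids}, nil
}

func main() {
	// Constructed input: the two suites the operator log flags.
	flagged := []string{
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
	}
	fmt.Printf("log suites: %+v\n", ClassifySuites(flagged))

	// Constructed input: the six suites and floor the PR's ConfigMap configures.
	pr := ServingInfo{
		CipherSuites: []string{
			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
			"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
		},
		MinTLSVersion: "VersionTLS12",
	}
	cfg, err := BuildTLSConfig(pr)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("PR config: min=%#x suites=%d\n", cfg.MinVersion, len(cfg.CipherSuites))
}
```

Running it shows the two logged suites land in the Insecure bucket while the PR's list passes. The same check is a cheap guard in CI against a future edit re-introducing a CBC or RC4 suite into the ConfigMap.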

@coderabbitai coderabbitai bot commented Sep 11, 2025

Walkthrough

Introduces a new ConfigMap with operator configuration and updates the Deployment to mount this ConfigMap and pass its path via a new --config flag to the operator container.

Changes

Cohort / File(s) Summary of changes
Operator configuration ConfigMap
manifests/0000_10_config-operator_02_configmap.yaml
Adds ConfigMap openshift-config-operator-config in openshift-config-operator namespace with config.yaml (GenericOperatorConfig). Includes TLS cipher suites and minTLSVersion: VersionTLS12. Adds annotations for multiple deployment modes.
Deployment wiring to ConfigMap
manifests/0000_10_config-operator_07_deployment.yaml
Adds config volume (ConfigMap: openshift-config-operator-config), mounts at /var/run/configmaps/config, and appends --config=/var/run/configmaps/config/config.yaml to container command.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks (3 passed)

✅ Passed checks (3 passed)
Check name Status Explanation
Title Check ✅ Passed The title succinctly captures the primary change—adding a config ConfigMap and configuring safer TLS cipher suites for the operator—and directly reflects the modified manifests that add the ConfigMap and wire it into the Deployment. It is concise and clear enough for a reviewer to understand the main intent.
Description Check ✅ Passed The description includes operator log excerpts showing insecure-cipher warnings and explicitly states the PR's goal to add a config ConfigMap and set safer cipher suites, so it is clearly related to the changeset and meets the lenient acceptance criteria.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.


@openshift-ci openshift-ci bot requested review from JoelSpeed and tkashem September 11, 2025 01:27
@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Sep 11, 2025
@openshift-ci openshift-ci bot commented Sep 11, 2025

Hi @lance5890. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot commented Sep 11, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lance5890
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (5)
manifests/0000_10_config-operator_02_configmap.yaml (3)

16-22: Consider FIPS-mode clusters.

CHACHA20-Poly1305 is non-FIPS; it’s fine to include, but in strict FIPS it will be ignored. If you want zero noise in FIPS, consider omitting the CHACHA entries or documenting the behavior.

Proposed alternative (AES-GCM only):

       cipherSuites:
       - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
       - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
       - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
       - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
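Review bot: the comment above offers two options, omitting the CHACHA entries or documenting the behaviour, but the hunk shows only the omission; if the two lines are dropped, add a YAML comment beside `cipherSuites:` stating why, otherwise a later reader will re-add them as an apparent improvement. Dropping them also removes the only non-AES choice a TLS 1.2 client without hardware AES acceleration could negotiate, which matters little for in-cluster clients but belongs in that comment.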

16-23: Optional: make cert/key explicit in config to avoid ambiguity.

If the binary reads certs from config, set certFile/keyFile to the mounted service-serving-cert paths.

     servingInfo:
+      certFile: /var/run/secrets/serving-cert/tls.crt
+      keyFile: /var/run/secrets/serving-cert/tls.key
       cipherSuites:
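Review bot: the certFile/keyFile paths in this hunk are assumptions rather than values read from the Deployment, and the first log line in the PR description (`Using service-serving-cert provided certificates`) shows the binary already locates the service-serving-cert without them. Before adding these two lines, confirm the Deployment mounts that secret at /var/run/secrets/serving-cert; an explicit wrong path replaces a working default with a broken setting.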

23-23: TLS 1.2 minimum is OK; consider TLS 1.3 if supported.

If the operator and clients support TLS 1.3, you could raise the floor. Cipher list is ignored for TLS 1.3.

-      minTLSVersion: VersionTLS12
+      minTLSVersion: VersionTLS13
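Review bot: raising the floor to VersionTLS13 should not be applied on the strength of "if supported". As the comment itself notes it makes the cipherSuites list above inert, and it also turns away any TLS 1.2-only client of the operator's serving endpoint (metrics scraping, health checks). Keep VersionTLS12 as the PR has it until those clients are confirmed to negotiate TLS 1.3.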
manifests/0000_10_config-operator_07_deployment.yaml (2)

43-45: Fail fast on missing ConfigMap.

Mark the volume as non-optional to avoid silently starting without config.

       - name: config
         configMap:
           name: openshift-config-operator-config
+          optional: false
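Review bot: `optional: false` is already the default for a configMap volume source, so this hunk changes no behaviour; the pod already stays pending until the ConfigMap exists rather than "silently starting without config". Keeping the line as documentation of intent is fine, but the justification in the comment overstates what it fixes.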

111-112: Mount config read-only.

Tighten container FS perms; ConfigMaps don’t need write access.

-        - mountPath: /var/run/configmaps/config
-          name: config
+        - mountPath: /var/run/configmaps/config
+          name: config
+          readOnly: true
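Review bot: the hunk removes and re-adds the `mountPath` and `name` lines unchanged; only `readOnly: true` is new, so a single-line addition is the clearer diff. Note also that the kubelet already mounts configMap volumes read-only, so this documents intent rather than tightening anything.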

📥 Commits

Reviewing files that changed from the base of the PR and between 657754e and 7be36e2.

📒 Files selected for processing (2)
  • manifests/0000_10_config-operator_02_configmap.yaml (1 hunks)
  • manifests/0000_10_config-operator_07_deployment.yaml (3 hunks)
🔇 Additional comments (5)
manifests/0000_10_config-operator_02_configmap.yaml (3)

6-10: Annotations look correct for payload inclusion.

No issues spotted with include.release.* annotations.


16-22: Good: CBC suites removed; modern cipher set only.

List aligns with safer AES-GCM and CHACHA20-Poly1305 suites.


13-15: Confirm operator binary actually consumes GenericOperatorConfig via --config

  • manifests/0000_10_config-operator_07_deployment.yaml passes --config=/var/run/configmaps/config/config.yaml and manifests/0000_10_config-operator_02_configmap.yaml contains apiVersion: operator.openshift.io/v1alpha1, kind: GenericOperatorConfig (servingInfo: minTLSVersion/cipherSuites).
  • Repo search shows no local parsing of GenericOperatorConfig — verify controllercmd.NewControllerCommandConfig (github.com/openshift/library-go/pkg/controller/controllercmd) actually reads/parses that file and applies servingInfo; if it doesn't, the ConfigMap will be ineffective.
manifests/0000_10_config-operator_07_deployment.yaml (2)

43-45: ConfigMap volume wiring LGTM.

Name/namespace match the ConfigMap; good.


83-83: Confirmed: binary accepts --config and library-go will load servingInfo.

The operator builds its Cobra command via controllercmd.NewControllerCommandConfig(...).NewCommand() and thus inherits library-go's ControllerFlags/ControllerCommandConfig behavior (reads the provided config file and populates ControllerContext.Server/servingInfo) — so the manifest arg --config=/var/run/configmaps/config/config.yaml is supported. (pkg.go.dev)

Files checked: pkg/cmd/operator/cmd.go, manifests/0000_10_config-operator_07_deployment.yaml:83.

@openshift-bot
Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 10, 2025