CORENET-7114: Add TLS profile support to the ReconcileOperConfig controller

bindata/network/node-identity/managed/node-identity.yaml

@@ -126,6 +126,12 @@ spec:
             # OVN-K will try to remove hybrid overlay node annotations even when the hybrid overlay is not enabled.
             # https://github.com/ovn-org/ovn-kubernetes/blob/ac6820df0b338a246f10f412cd5ec903bd234694/go-controller/pkg/ovn/master.go#L791
             ho_enable="--enable-hybrid-overlay"
+            # DROP: remove when older OVN-K images that require --enable-interconnect are no longer supported
+            enable_interconnect_flag=
+            if /usr/bin/ovnkube-identity --help 2>&1 | grep -q -- '--enable-interconnect'; then
+              enable_interconnect_flag="--enable-interconnect"
+            fi
+
             echo "I$(date "+%m%d %H:%M:%S.%N") - network-node-identity - start webhook"
             # extra-allowed-user: service account `ovn-kubernetes-control-plane`
             # sets pod annotations in multi-homing layer3 network controller (cluster-manager)
@@ -135,7 +141,7 @@ spec:
                 --webhook-host="" \
                 --webhook-port={{.NetworkNodeIdentityPort}} \
                 ${ho_enable} \
-                --enable-interconnect \
+                ${enable_interconnect_flag} \
                 --disable-approver \
                 --extra-allowed-user="system:serviceaccount:openshift-ovn-kubernetes:ovn-kubernetes-control-plane" \
                 --pod-admission-conditions="/var/run/ovnkube-identity-config/additional-pod-admission-cond.json" \

bindata/network/node-identity/self-hosted/node-identity.yaml

@@ -48,6 +48,12 @@ spec:
             # OVN-K will try to remove hybrid overlay node annotations even when the hybrid overlay is not enabled.
             # https://github.com/ovn-org/ovn-kubernetes/blob/ac6820df0b338a246f10f412cd5ec903bd234694/go-controller/pkg/ovn/master.go#L791
             ho_enable="--enable-hybrid-overlay"
+            # DROP: remove when older OVN-K images that require --enable-interconnect are no longer supported
+            enable_interconnect_flag=
+            if /usr/bin/ovnkube-identity --help 2>&1 | grep -q -- '--enable-interconnect'; then
+              enable_interconnect_flag="--enable-interconnect"
+            fi
+
             echo "I$(date "+%m%d %H:%M:%S.%N") - network-node-identity - start webhook"
             # extra-allowed-user: service account `ovn-kubernetes-control-plane`
             # sets pod annotations in multi-homing layer3 network controller (cluster-manager)
@@ -56,7 +62,7 @@ spec:
                 --webhook-host={{.NetworkNodeIdentityIP}} \
                 --webhook-port={{.NetworkNodeIdentityPort}} \
                 ${ho_enable} \
-                --enable-interconnect \
+                ${enable_interconnect_flag} \
                 --disable-approver \
                 --extra-allowed-user="system:serviceaccount:openshift-ovn-kubernetes:ovn-kubernetes-control-plane" \
                 --wait-for-kubernetes-api={{.NetworkNodeIdentityTerminationDurationSeconds}}s \

bindata/network/ovn-kubernetes/common/008-script-lib.yaml

@@ -682,6 +682,12 @@ data:
         ovn_v6_transit_switch_subnet_opt="--cluster-manager-v6-transit-subnet {{.V6TransitSwitchSubnet}}"
       fi
 
+      # DROP: remove when older OVN-K images that require --enable-interconnect are no longer supported
+      enable_interconnect_flag=
+      if /usr/bin/ovnkube --help 2>&1 | grep -q -- '--enable-interconnect'; then
+        enable_interconnect_flag="--enable-interconnect"
+      fi
+
       exec /usr/bin/ovnkube \
         ${init_ovnkube_controller} \
         --init-node "${K8S_NODE}" \
@@ -703,7 +709,7 @@ data:
         ${evpn_enable_flag} \
         ${network_observability_enabled_flag} \
         --zone ${K8S_NODE} \
-        --enable-interconnect \
+        ${enable_interconnect_flag} \
         --enable-multicast \
         --acl-logging-rate-limit "{{.OVNPolicyAuditRateLimit}}" \
         ${gw_interface_flag} \

bindata/network/ovn-kubernetes/managed/ovnkube-control-plane.yaml

@@ -195,9 +195,15 @@ spec:
             evpn_enable_flag="--enable-evpn"
           fi
 
+          # DROP: remove when older OVN-K images that require --enable-interconnect are no longer supported
+          enable_interconnect_flag=
+          if /usr/bin/ovnkube --help 2>&1 | grep -q -- '--enable-interconnect'; then
+            enable_interconnect_flag="--enable-interconnect"
+          fi
+
           echo "I$(date "+%m%d %H:%M:%S.%N") - ovnkube-control-plane - start ovnkube --init-cluster-manager ${K8S_NODE}"
           exec /usr/bin/ovnkube \
-            --enable-interconnect \
+            ${enable_interconnect_flag} \
             --enable-multicast \
             --init-cluster-manager "${K8S_NODE}" \
             --config-file=/run/ovnkube-config/ovnkube.conf \

bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml

@@ -151,9 +151,15 @@ spec:
             exit 1
           fi
 
+          # DROP: remove when older OVN-K images that require --enable-interconnect are no longer supported
+          enable_interconnect_flag=
+          if /usr/bin/ovnkube --help 2>&1 | grep -q -- '--enable-interconnect'; then
+            enable_interconnect_flag="--enable-interconnect"
+          fi
+
           echo "I$(date "+%m%d %H:%M:%S.%N") - ovnkube-control-plane - start ovnkube --init-cluster-manager ${K8S_NODE}"
           exec /usr/bin/ovnkube \
-            --enable-interconnect \
+            ${enable_interconnect_flag} \
             --enable-multicast \
             --init-cluster-manager "${K8S_NODE}" \
             --config-file=/run/ovnkube-config/ovnkube.conf \

bindata/networking-console-plugin/000-namespace.yaml

@@ -7,6 +7,7 @@ metadata:
   annotations:
     openshift.io/description: "Namespace for running the networking-console-plugin pods that enables the Networking console section"
     workload.openshift.io/allowed: "management"
+    openshift.io/node-selector: ""
 ---
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1

go.mod

@@ -26,7 +26,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kube-proxy v0.35.2
 	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2
-	sigs.k8s.io/controller-runtime v0.23.1
+	sigs.k8s.io/controller-runtime v0.23.3
 )
 
 require (
@@ -102,7 +102,8 @@ require (
 require (
 	github.com/openshift/api v0.0.0-20260320151444-324a1bcb9f55
 	github.com/openshift/client-go v0.0.0-20260320040014-4b5fc2cdad98
-	github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6
+	github.com/openshift/controller-runtime-common v0.0.0-20260428152732-64ee174f5e2e
+	github.com/openshift/library-go v0.0.0-20260318140748-04979c746b4d
 	github.com/openshift/machine-config-operator v0.0.1-0.20250724162154-ab14c8e2843b
 	k8s.io/apiextensions-apiserver v0.35.2
 	k8s.io/client-go v0.35.2
@@ -140,7 +141,6 @@ require (
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/onsi/ginkgo/v2 v2.28.1 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/stretchr/objx v0.5.3 // indirect

go.sum

@@ -215,8 +215,10 @@ github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af h1:Ui
 github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20260320040014-4b5fc2cdad98 h1:Ssuo/zELWqb7pFCwzB3QGEA4QeLW948hL2AhWq2SWjs=
 github.com/openshift/client-go v0.0.0-20260320040014-4b5fc2cdad98/go.mod h1:8O4jIKdcr5YR9FFQEeokYoCplCUN+j9hZj4u/2yg0As=
-github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6 h1:xjqy0OolrFdJ+ofI/aD0+2k9+MSk5anP5dXifFt539Q=
-github.com/openshift/library-go v0.0.0-20260303171201-5d9eb6295ff6/go.mod h1:D797O/ssKTNglbrGchjIguFq+DbyRYdeds5w4/VTrKM=
+github.com/openshift/controller-runtime-common v0.0.0-20260428152732-64ee174f5e2e h1:k89oIo2EjX0PRSdi1kesktCyWp50SC9WwKurvupvRGs=
+github.com/openshift/controller-runtime-common v0.0.0-20260428152732-64ee174f5e2e/go.mod h1:XGabTMnNbz0M5Oa7IbscZp/jmcc7aHobvOCUWwkzKvM=
+github.com/openshift/library-go v0.0.0-20260318140748-04979c746b4d h1:i3STSVfFi+39gOAramKPySB6WrvuD0rAIssSNOnTwyg=
+github.com/openshift/library-go v0.0.0-20260318140748-04979c746b4d/go.mod h1:3bi4pLpYRdVd1aEhsHfRTJkwxwPLfRZ+ZePn3RmJd2k=
 github.com/openshift/machine-config-operator v0.0.1-0.20250724162154-ab14c8e2843b h1:LvoFr/2IEj0BWy7mKBdR7ueAHpMJGju1EkEIZrXa+DM=
 github.com/openshift/machine-config-operator v0.0.1-0.20250724162154-ab14c8e2843b/go.mod h1:UL1OVkRAUkB4aaFZrLlSvuY0jayfdF+o+ZxKiKaaArc=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
@@ -482,8 +484,8 @@ k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0x
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 h1:hSfpvjjTQXQY2Fol2CS0QHMNs/WI1MOSGzCm1KhM5ec=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/controller-runtime v0.23.1 h1:TjJSM80Nf43Mg21+RCy3J70aj/W6KyvDtOlpKf+PupE=
-sigs.k8s.io/controller-runtime v0.23.1/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0=
+sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4iqwZ80=
+sigs.k8s.io/controller-runtime v0.23.3/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0=
 sigs.k8s.io/controller-tools v0.20.1 h1:gkfMt9YodI0K85oT8rVi80NTXO/kDmabKR5Ajn5GYxs=
 sigs.k8s.io/controller-tools v0.20.1/go.mod h1:b4qPmjGU3iZwqn34alUU5tILhNa9+VXK+J3QV0fT/uU=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=

pkg/bootstrap/types.go

@@ -101,6 +101,7 @@ type BootstrapResult struct {
 
 	OVN             OVNBootstrapResult
 	IPTablesAlerter IPTablesAlerterBootstrapResult
+	TLSProfile      TLSProfile
 }
 
 type InfraStatus struct {
@@ -176,3 +177,8 @@ type FlowsConfig struct {
 	// Sampling is the sampling rate on the reporter. 100 means one flow on 100 is sent. 0 means disabled.
 	Sampling *uint
 }
+
+type TLSProfile struct {
+	Spec      configv1.TLSProfileSpec
+	Adherence configv1.TLSAdherencePolicy
+}

pkg/client/fake/fake_client.go

@@ -100,15 +100,27 @@ func NewFakeClient(objs ...crclient.Object) cnoclient.Client {
 		}
 	}
 	co := &configv1.ClusterOperator{ObjectMeta: metav1.ObjectMeta{Name: ""}}
+
 	fc := FakeClusterClient{
 		kClient:      faketyped.NewClientset(ooTyped...),
 		dynclient:    fakedynamic.NewSimpleDynamicClient(scheme.Scheme, oo...),
 		crclient:     crfake.NewClientBuilder().WithStatusSubresource(co).WithObjects(objs...).Build(),
 		osOperClient: osoperfakeclient.NewClientset(),
 	}
+
+	// Create a management cluster client for HyperShift scenarios
+	// This represents a separate cluster, so it starts empty
+	managementClient := FakeClusterClient{
+		kClient:      faketyped.NewClientset(),
+		dynclient:    fakedynamic.NewSimpleDynamicClient(scheme.Scheme),
+		crclient:     crfake.NewClientBuilder().WithStatusSubresource(co).Build(),
+		osOperClient: osoperfakeclient.NewClientset(),
+	}
+
 	return &FakeClient{
 		clusterClients: map[string]*FakeClusterClient{
-			names.DefaultClusterName: &fc,
+			names.DefaultClusterName:    &fc,
+			names.ManagementClusterName: &managementClient,
 		},
 	}
 }

pkg/controller/operconfig/operconfig_controller.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/openshift/cluster-network-operator/pkg/hypershift"
+	openshifttls "github.com/openshift/controller-runtime-common/pkg/tls"
 	"github.com/pkg/errors"
 
 	configv1 "github.com/openshift/api/config/v1"
@@ -32,6 +33,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/watch"
 	v1coreinformers "k8s.io/client-go/informers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
@@ -177,6 +179,96 @@ func add(mgr manager.Manager, r *ReconcileOperConfig) error {
 		return err
 	}
 
+	// Watch for changes to the APIServer TLS profile
+	err = c.Watch(source.Kind[crclient.Object](mgr.GetCache(), &configv1.APIServer{},
+		handler.EnqueueRequestsFromMapFunc(reconcileOperConfig),
+		predicate.Funcs{
+			CreateFunc: func(evt event.CreateEvent) bool {
+				// Don't reconcile on initial creation/add events
+				return false
+			},
+			UpdateFunc: func(evt event.UpdateEvent) bool {
+				newAPI, ok := evt.ObjectNew.(*configv1.APIServer)
+				if !ok || newAPI.GetName() != openshifttls.APIServerName {
+					return false
+				}
+
+				oldAPI := evt.ObjectOld.(*configv1.APIServer)
+
+				// Only reconcile if TLS profile or adherence changed
+				tlsProfileChanged := !reflect.DeepEqual(oldAPI.Spec.TLSSecurityProfile, newAPI.Spec.TLSSecurityProfile)
+				adherenceChanged := oldAPI.Spec.TLSAdherence != newAPI.Spec.TLSAdherence
+
+				return tlsProfileChanged || adherenceChanged
+			},
+		},
+	))
+	if err != nil {
+		return err
+	}
+
+	// In HyperShift mode, watch for changes to the HostedCluster TLS profile in the management cluster.
+	hc := hypershift.NewHyperShiftConfig()
+	if hc.Enabled {
+		// Create a dynamic informer for HostedCluster in the management cluster
+		dynClient := r.client.ClientFor(names.ManagementClusterName).Dynamic()
+		hostedClusterInformer := cache.NewSharedIndexInformer(
+			cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
+				ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
+					return dynClient.Resource(hypershift.HostedClusterGVR).Namespace(hc.Namespace).List(ctx, options)
+				},
+				WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) {
+					return dynClient.Resource(hypershift.HostedClusterGVR).Namespace(hc.Namespace).Watch(ctx, options)
+				},
+			}, dynClient),
+			&uns.Unstructured{},
+			0, // don't resync
+			cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
+		)
+
+		r.client.ClientFor(names.ManagementClusterName).AddCustomInformer(hostedClusterInformer)
+
+		err = c.Watch(&source.Informer{
+			Informer: hostedClusterInformer,
+			Handler:  handler.EnqueueRequestsFromMapFunc(reconcileOperConfig),
+			Predicates: []predicate.TypedPredicate[crclient.Object]{
+				predicate.NewPredicateFuncs(func(obj crclient.Object) bool {
+					// Only watch our specific HostedCluster
+					return obj.GetName() == hc.Name && obj.GetNamespace() == hc.Namespace
+				}),
+				predicate.Funcs{
+					CreateFunc: func(evt event.CreateEvent) bool {
+						// Don't reconcile on initial creation/add events
+						return false
+					},
+					UpdateFunc: func(evt event.UpdateEvent) bool {
+						newObj, ok := evt.ObjectNew.(*uns.Unstructured)
+						if !ok {
+							return false
+						}
+
+						oldObj, ok := evt.ObjectOld.(*uns.Unstructured)
+						if !ok {
+							return false
+						}
+
+						oldTLSProfile, _, _ := uns.NestedFieldCopy(oldObj.Object, "spec", "configuration", "apiServer", "tlsSecurityProfile")
+						newTLSProfile, _, _ := uns.NestedFieldCopy(newObj.Object, "spec", "configuration", "apiServer", "tlsSecurityProfile")
+
+						oldAdherence, _, _ := uns.NestedString(oldObj.Object, "spec", "configuration", "apiServer", "tlsAdherence")
+						newAdherence, _, _ := uns.NestedString(newObj.Object, "spec", "configuration", "apiServer", "tlsAdherence")
+
+						// Only reconcile if TLS profile or adherence changed
+						return !reflect.DeepEqual(oldTLSProfile, newTLSProfile) || oldAdherence != newAdherence
+					},
+				},
+			},
+		})
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 

pkg/controller/statusmanager/status_manager.go

@@ -473,21 +473,13 @@ func (status *StatusManager) set(reachedAvailableLevel bool, conditions ...operv
 		}
 
 		if operStatus == nil {
-			if _, exists := status.failureFirstSeen[OperatorConfig]; !exists {
-				status.failureFirstSeen[OperatorConfig] = status.clock.Now()
-				return nil
-			}
-			if status.clock.Since(status.failureFirstSeen[OperatorConfig]) < degradedFailureDurationThreshold {
-				return nil
-			}
 			cohelpers.SetStatusCondition(&co.Status.Conditions, configv1.ClusterOperatorStatusCondition{
 				Type:    configv1.OperatorDegraded,
 				Status:  configv1.ConditionTrue,
 				Reason:  "NoOperConfig",
 				Message: "Failed to get networks.operator.openshift.io cluster",
 			}, clock.RealClock{})
 		} else {
-			delete(status.failureFirstSeen, OperatorConfig)
 			if reachedAvailableLevel {
 				co.Status.Versions = []configv1.OperandVersion{
 					{Name: "operator", Version: operStatus.Version},

pkg/controller/statusmanager/status_manager_test.go

@@ -147,16 +147,6 @@ func TestStatusManager_set(t *testing.T) {
 	// No operator config yet; should reflect this in the cluster operator
 	status.set(false)
 
-	// NoOperConfig doesn't get set degraded yet (debounced for 2 min)
-	_, err := getCO(client, "testing")
-	if err == nil {
-		t.Fatalf("ClusterOperator should not exist yet (NoOperConfig debounced)")
-	}
-
-	// Advance clock past the debounce threshold
-	status.clock.(*testingclock.FakeClock).Step(3 * time.Minute)
-	status.set(false)
-
 	co, err := getCO(client, "testing")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)