openshift · qJkee · Mar 9, 2026
diff --git a/bundle/manifests/lvm.topolvm.io_lvmclusters.yaml b/bundle/manifests/lvm.topolvm.io_lvmclusters.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.19.0
   creationTimestamp: null
   name: lvmclusters.lvm.topolvm.io
 spec:

diff --git a/bundle/manifests/lvm.topolvm.io_lvmvolumegroupnodestatuses.yaml b/bundle/manifests/lvm.topolvm.io_lvmvolumegroupnodestatuses.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.19.0
   creationTimestamp: null
   name: lvmvolumegroupnodestatuses.lvm.topolvm.io
 spec:

diff --git a/bundle/manifests/lvm.topolvm.io_lvmvolumegroups.yaml b/bundle/manifests/lvm.topolvm.io_lvmvolumegroups.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.19.0
   creationTimestamp: null
   name: lvmvolumegroups.lvm.topolvm.io
 spec:

diff --git a/bundle/manifests/lvms-operator.clusterserviceversion.yaml b/bundle/manifests/lvms-operator.clusterserviceversion.yaml
@@ -215,6 +215,14 @@ spec:
           - replicasets
           verbs:
           - get
+        - apiGroups:
+          - config.openshift.io
+          resources:
+          - apiservers
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - config.openshift.io
           resources:
@@ -418,6 +426,14 @@ spec:
           - get
           - list
           - watch
+        - apiGroups:
+          - config.openshift.io
+          resources:
+          - apiservers
+          verbs:
+          - get
+          - list
+          - watch
         serviceAccountName: vg-manager
       deployments:
       - label:

diff --git a/catalog/lvms-operator/v0.0.1.yaml b/catalog/lvms-operator/v0.0.1.yaml
diff --git a/cmd/operator/operator.go b/cmd/operator/operator.go
@@ -29,6 +29,8 @@ import (
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/go-logr/logr"
 	"github.com/kubernetes-csi/csi-lib-utils/connection"
+	v1 "github.com/openshift/api/config/v1"
+	ctrlRuntimeCommon "github.com/openshift/controller-runtime-common/pkg/tls"
 	"github.com/openshift/lvm-operator/v4/internal/controllers/constants"
 	"github.com/openshift/lvm-operator/v4/internal/controllers/lvmcluster"
 	"github.com/openshift/lvm-operator/v4/internal/controllers/lvmcluster/logpassthrough"
@@ -186,6 +188,16 @@ func run(cmd *cobra.Command, _ []string, opts *Options) error {
 		return fmt.Errorf("failed to run wipe migration logic: %w", err)
 	}
 
+	tlsProfile, err := ctrlRuntimeCommon.FetchAPIServerTLSProfile(ctx, setupClient)
+	if err != nil {
+		return fmt.Errorf("failed to get tls profile: %w", err)
+	}
+
+	tlsConfig, unsupportedCiphers := ctrlRuntimeCommon.NewTLSConfigFromProfile(tlsProfile)
+	if len(unsupportedCiphers) > 0 {
+		opts.SetupLog.Info("some ciphers from TLS profile are not supported", "unsupportedCiphers", unsupportedCiphers)
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: opts.Scheme,
 		Metrics: metricsserver.Options{
@@ -194,12 +206,14 @@ func run(cmd *cobra.Command, _ []string, opts *Options) error {
 			FilterProvider: filters.WithAuthenticationAndAuthorization,
 			TLSOpts: []func(*tls.Config){
 				func(c *tls.Config) { c.NextProtos = []string{"http/1.1"} },
+				tlsConfig,
 			},
 		},
 		WebhookServer: &webhook.DefaultServer{Options: webhook.Options{
 			Port: 9443,
 			TLSOpts: []func(*tls.Config){
 				func(c *tls.Config) { c.NextProtos = []string{"http/1.1"} },
+				tlsConfig,
 			},
 		}},
 		Cache: cache.Options{
@@ -227,6 +241,21 @@ func run(cmd *cobra.Command, _ []string, opts *Options) error {
 		return fmt.Errorf("unable to start manager: %w", err)
 	}
 
+	tlsWatcherController := &ctrlRuntimeCommon.SecurityProfileWatcher{
+		InitialTLSProfileSpec: tlsProfile,
+		OnProfileChange: func(ctx context.Context, oldTLSProfileSpec, newTLSProfileSpec v1.TLSProfileSpec) {
+			ctrl.Log.WithName("TLSWatcher").Info("TLS profile has changed, initiating a shutdown to reload it",
+				"old profile", oldTLSProfileSpec,
+				"new profile", newTLSProfileSpec,
+			)
+			cancel()
+		},
+	}
+
+	if err := tlsWatcherController.SetupWithManager(mgr); err != nil {
+		return fmt.Errorf("unable to create controller for TLS config observation: %w", err)
+	}
+
 	// register controllers
 	if err = (&lvmcluster.Reconciler{
 		Client:                           mgr.GetClient(),

diff --git a/cmd/vgmanager/vgmanager.go b/cmd/vgmanager/vgmanager.go
@@ -31,6 +31,8 @@ import (
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/fsnotify/fsnotify"
 	"github.com/go-logr/logr"
+	v1 "github.com/openshift/api/config/v1"
+	ctrlRuntimeCommon "github.com/openshift/controller-runtime-common/pkg/tls"
 	"github.com/openshift/lvm-operator/v4/internal/cluster"
 	"github.com/openshift/lvm-operator/v4/internal/controllers/constants"
 	"github.com/openshift/lvm-operator/v4/internal/controllers/lvmcluster/resource"
@@ -52,6 +54,7 @@ import (
 	"google.golang.org/grpc/health/grpc_health_v1"
 	registerapi "k8s.io/kubelet/pkg/apis/pluginregistration/v1"
 	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -74,6 +77,7 @@ const (
 )
 
 var ErrConfigModified = errors.New("lvmd config file is modified")
+var ErrTLSProfileModified = errors.New("API server TLS profile changed")
 var ErrNoDeviceClassesAvailable = errors.New("no device classes in lvmd.yaml configured, can not startup correctly")
 var ErrCSIPluginNotYetRegistered = errors.New("CSI plugin not yet registered")
 
@@ -141,6 +145,21 @@ func run(cmd *cobra.Command, _ []string, opts *Options) error {
 		return fmt.Errorf("unable to get operatorNamespace: %w", err)
 	}
 
+	setupClient, err := client.New(ctrl.GetConfigOrDie(), client.Options{Scheme: opts.Scheme})
+	if err != nil {
+		return fmt.Errorf("unable to initialize setup client for pre-manager startup checks: %w", err)
+	}
+
+	tlsProfile, err := ctrlRuntimeCommon.FetchAPIServerTLSProfile(ctx, setupClient)
+	if err != nil {
+		return fmt.Errorf("failed to get tls profile: %w", err)
+	}
+
+	tlsConfig, unsupportedCiphers := ctrlRuntimeCommon.NewTLSConfigFromProfile(tlsProfile)
+	if len(unsupportedCiphers) > 0 {
+		opts.SetupLog.Info("some ciphers from TLS profile are not supported", "unsupportedCiphers", unsupportedCiphers)
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: opts.Scheme,
 		Metrics: metricsserver.Options{
@@ -149,18 +168,18 @@ func run(cmd *cobra.Command, _ []string, opts *Options) error {
 			FilterProvider: filters.WithAuthenticationAndAuthorization,
 			TLSOpts: []func(*tls.Config){
 				func(c *tls.Config) {
-					opts.SetupLog.Info("disabling http/2")
 					c.NextProtos = []string{"http/1.1"}
 				},
+				tlsConfig,
 			},
 		},
 		WebhookServer: &webhook.DefaultServer{Options: webhook.Options{
 			Port: 9443,
 			TLSOpts: []func(*tls.Config){
 				func(c *tls.Config) {
-					opts.SetupLog.Info("disabling http/2")
 					c.NextProtos = []string{"http/1.1"}
 				},
+				tlsConfig,
 			},
 		}},
 		HealthProbeBindAddress: opts.healthProbeAddr,
@@ -169,13 +188,31 @@ func run(cmd *cobra.Command, _ []string, opts *Options) error {
 			DefaultNamespaces: map[string]cache.Config{
 				operatorNamespace: {},
 			},
+			ByObject: map[client.Object]cache.ByObject{
+				&v1.APIServer{}: {},
+			},
 		},
 		GracefulShutdownTimeout: ptr.To(time.Duration(-1)),
 	})
 	if err != nil {
 		return fmt.Errorf("unable to start manager: %w", err)
 	}
 
+	tlsWatcherController := &ctrlRuntimeCommon.SecurityProfileWatcher{
+		InitialTLSProfileSpec: tlsProfile,
+		OnProfileChange: func(ctx context.Context, oldTLSProfileSpec, newTLSProfileSpec v1.TLSProfileSpec) {
+			ctrl.Log.WithName("TLSWatcher").Info("TLS profile has changed, initiating a shutdown to reload it",
+				"old profile", oldTLSProfileSpec,
+				"new profile", newTLSProfileSpec,
+			)
+			cancelWithCause(ErrTLSProfileModified)
+		},
+	}
+
+	if err := tlsWatcherController.SetupWithManager(mgr); err != nil {
+		return fmt.Errorf("unable to create controller for TLS config observation: %w", err)
+	}
+
 	registrationServer := icsi.NewRegistrationServer(
 		cancelWithCause,
 		constants.TopolvmCSIDriverName,
@@ -266,11 +303,15 @@ func run(cmd *cobra.Command, _ []string, opts *Options) error {
 		return fmt.Errorf("problem running manager: %w", err)
 	}
 
-	if errors.Is(context.Cause(ctx), ErrConfigModified) {
+	cause := context.Cause(ctx)
+	if errors.Is(cause, ErrConfigModified) {
 		opts.SetupLog.Info("exiting pod due to modified configuration")
 		os.Exit(0)
-	} else if errors.Is(context.Cause(ctx), icsi.ErrPluginRegistrationFailed) {
-		opts.SetupLog.Error(context.Cause(ctx), "exiting pod due to failed plugin registration")
+	} else if errors.Is(cause, ErrTLSProfileModified) {
+		opts.SetupLog.Info("exiting pod due to modified TLS profile")
+		os.Exit(0)
+	} else if errors.Is(cause, icsi.ErrPluginRegistrationFailed) {
+		opts.SetupLog.Error(cause, "exiting pod due to failed plugin registration")
 		os.Exit(0)
 	} else if err := ctx.Err(); err != nil {
 		opts.SetupLog.Error(err, "exiting abnormally")

diff --git a/config/crd/bases/lvm.topolvm.io_lvmclusters.yaml b/config/crd/bases/lvm.topolvm.io_lvmclusters.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: lvmclusters.lvm.topolvm.io
 spec:
   group: lvm.topolvm.io

diff --git a/config/crd/bases/lvm.topolvm.io_lvmvolumegroupnodestatuses.yaml b/config/crd/bases/lvm.topolvm.io_lvmvolumegroupnodestatuses.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: lvmvolumegroupnodestatuses.lvm.topolvm.io
 spec:
   group: lvm.topolvm.io

diff --git a/config/crd/bases/lvm.topolvm.io_lvmvolumegroups.yaml b/config/crd/bases/lvm.topolvm.io_lvmvolumegroups.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: lvmvolumegroups.lvm.topolvm.io
 spec:
   group: lvm.topolvm.io

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -97,6 +97,14 @@ rules:
   - replicasets
   verbs:
   - get
+- apiGroups:
+  - config.openshift.io
+  resources:
+  - apiservers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - config.openshift.io
   resources:

diff --git a/config/rbac/vg_manager_clusterrole.yaml b/config/rbac/vg_manager_clusterrole.yaml
@@ -35,3 +35,11 @@ rules:
     - get
     - list
     - watch
+- apiGroups:
+    - config.openshift.io
+  resources:
+    - apiservers
+  verbs:
+    - get
+    - list
+    - watch