fix(manualapprovalgate): inject TLS env vars into MAG webhook #3582

Merged
tekton-robot merged 1 commit into tektoncd:main from jkhelil:fix/srvkp-12613-mag-webhook-tls
Jun 26, 2026
@jkhelil jkhelil commented Jun 26, 2026

Member

Changes

The Manual Approval Gate (MAG) webhook deployment (manual-approval-gate-webhook) was not receiving TLS environment variables (WEBHOOK_TLS_MIN_VERSION, WEBHOOK_TLS_CIPHER_SUITES, WEBHOOK_TLS_CURVE_PREFERENCES) from the operator, making it inconsistent with all other Tekton webhook components.

Root Cause

The OpenShift extension for manualapprovalgate (pkg/reconciler/openshift/manualapprovalgate/extension.go) had an empty stub implementation — no TLS profile resolution, no transformers — while all other webhook components (operator-webhook, pipelines-webhook, triggers-webhook, pac-webhook) were already covered by the SRVKP-9462 epic.

Fix

Updated the MAG OpenShift extension to follow the same pattern used by PAC and Triggers:

  • PreReconcile now calls occommon.ResolveCentralTLSToEnvVars to fetch the cluster TLS profile from the shared APIServer lister
  • Transformers now calls occommon.InjectTLSEnvVars with WebhookEnvVarPrefix (WEBHOOK_) for the manual-approval-gate-webhook deployment / manual-approval container
  • The WEBHOOK_ prefix is required because the MAG webhook uses the Knative webhook framework (sharedmain.MainWithConfig), which reads WEBHOOK_TLS_* env vars

Files changed:

  • pkg/reconciler/openshift/manualapprovalgate/extension.go: Add TLS injection following PAC/Triggers pattern
  • pkg/reconciler/openshift/manualapprovalgate/extension_test.go: Add unit tests (no TLS config, inject into webhook, do not inject into unrelated deployments)

Fixes SRVKP-12613

Submitter Checklist

Release Notes

Fix Manual Approval Gate webhook not receiving cluster TLS configuration
(TLS_MIN_VERSION, TLS_CIPHER_SUITES, TLS_CURVE_PREFERENCES), making it
consistent with all other Tekton webhook components.

Made with Cursor

The MAG webhook deployment (manual-approval-gate-webhook) was not
receiving TLS environment variables (WEBHOOK_TLS_MIN_VERSION,
WEBHOOK_TLS_CIPHER_SUITES, WEBHOOK_TLS_CURVE_PREFERENCES) from
the operator, unlike all other Tekton webhook components.

The OpenShift extension for manualapprovalgate had an empty
implementation with no TLS injection. This fix follows the same
pattern used by PAC and Triggers: resolve the cluster TLS profile
in PreReconcile and inject it via InjectTLSEnvVars using the
WEBHOOK_ prefix (required by the Knative webhook framework).

Fixes SRVKP-12613

Signed-off-by: Jawed khelil <jkhelil@redhat.com>
Assisted-by: Claude Sonnet 4.6 (via Cursor)
Co-authored-by: Cursor <cursoragent@cursor.com>
@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jun 26, 2026
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 26, 2026
@tekton-robot

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pramodbindal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 26, 2026
@pramodbindal

Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@tekton-robot tekton-robot merged commit ab29c4e into tektoncd:main Jun 26, 2026
16 checks passed
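
Added example, not code from this PR or from the Tekton operator: a Go check that reads a Deployment manifest as JSON (for instance the output of `kubectl get deployment manual-approval-gate-webhook -o json`) and reports which of the three WEBHOOK_TLS_* variables named in the PR description are missing from the manual-approval container. The function name, the trimmed struct types and the sample manifest are constructed for illustration, and only literal `value` fields are inspected.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Container and variable names are the ones given in the PR description.
const magContainer = "manual-approval"
var requiredTLSEnv = []string{"WEBHOOK_TLS_MIN_VERSION", "WEBHOOK_TLS_CIPHER_SUITES", "WEBHOOK_TLS_CURVE_PREFERENCES"}

// container and deployment model only the Deployment fields this check reads.
type container struct {
	Name string
	Env  []struct{ Name, Value string }
}
type deployment struct {
	Spec struct{ Template struct{ Spec struct{ Containers []container } } }
}

// MissingTLSEnv lists required variables that are absent or have an empty literal value (valueFrom is not resolved).
func MissingTLSEnv(manifest []byte) ([]string, error) {
	var d deployment
	if err := json.Unmarshal(manifest, &d); err != nil {
		return nil, fmt.Errorf("parse deployment: %w", err)
	}
	for _, c := range d.Spec.Template.Spec.Containers {
		if c.Name != magContainer {
			continue
		}
		set := map[string]bool{}
		for _, e := range c.Env {
			set[e.Name] = e.Value != ""
		}
		missing := []string{}
		for _, n := range requiredTLSEnv {
			if !set[n] {
				missing = append(missing, n)
			}
		}
		return missing, nil
	}
	return nil, fmt.Errorf("container %q not found", magContainer)
}

func main() {
	// Constructed sample: a webhook Deployment with no TLS variables on the container.
	fmt.Println(MissingTLSEnv([]byte(`{"spec":{"template":{"spec":{"containers":[{"name":"manual-approval","env":[]}]}}}}`)))
}
```

An empty result means all three variables are set on the container; the check does not validate that their values match the cluster TLS profile.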