Merge pull request #1955 from tesshuflower/tls_profile_compliance_rsync-tls

OpenShift Tls profile compliance rsync-tls

Author: openshift-merge-bot[bot]

internal/controller/mover/rsynctls/mover.go

@@ -42,6 +42,7 @@ import (
 	volsyncv1alpha1 "github.com/backube/volsync/api/v1alpha1"
 	vserrors "github.com/backube/volsync/internal/controller/errors"
 	"github.com/backube/volsync/internal/controller/mover"
+	"github.com/backube/volsync/internal/controller/platform"
 	"github.com/backube/volsync/internal/controller/utils"
 	"github.com/backube/volsync/internal/controller/volumehandler"
 )
@@ -500,6 +501,25 @@ func (m *Mover) ensureJob(ctx context.Context, dataPVC *corev1.PersistentVolumeC
 			})
 		}
 
+		tlsProfileSpec, err := platform.GetTLSProfileIfOpenShift(ctx, m.client, logger)
+		if err != nil {
+			return err
+		}
+		if tlsProfileSpec != nil {
+			// TLS ProfileSpec is set, this is OpenShift
+			minTLSVersion, err := platform.ParseTLSVersionForStunnelPSK(tlsProfileSpec.MinTLSVersion)
+			if err != nil {
+				logger.Error(err, "Unable to parse minTLSVersion from TLSProfileSpec",
+					"tlsProfileSpec.MinTLSVersion", tlsProfileSpec.MinTLSVersion)
+				return err
+			}
+			// Set env var to set sslVersionMin in sTunnel
+			podSpec.Containers[0].Env = append(podSpec.Containers[0].Env, corev1.EnvVar{
+				Name:  "SSL_VERSION_MIN",
+				Value: minTLSVersion,
+			})
+		}
+
 		// Run mover in debug mode if required
 		podSpec.Containers[0].Env = utils.AppendDebugMoverEnvVar(m.owner, podSpec.Containers[0].Env)
 

internal/controller/platform/properties_test.go

@@ -32,9 +32,10 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/config"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	ocpconfigv1 "github.com/openshift/api/config/v1"
@@ -44,8 +45,6 @@ import (
 	"github.com/backube/volsync/internal/controller/utils"
 )
 
-var logger = zap.New(zap.UseDevMode(true), zap.WriteTo(GinkgoWriter))
-
 var _ = Describe("A cluster w/o StorageContextConstraints", func() {
 	BeforeEach(func() {
 		// Make sure we're not caching properties
@@ -361,11 +360,21 @@ var _ = Describe("A cluster w/ StorageContextConstraints", func() {
 			cancelFuncCalled := false
 
 			var testManagerCancel context.CancelFunc
+			var testManagerDone chan struct{}
 
 			BeforeEach(func() {
+				cancelFuncCalled = false
+
 				testManager, err := ctrl.NewManager(cfg, ctrl.Options{
 					Scheme:  scheme.Scheme,
 					Metrics: metricsserver.Options{BindAddress: "0"},
+					// Set global controller options - allow dup controller names as these don't get unregistered
+					// when tearing down the manager - so our TLSSecurityProfileWatcher will fail the dup name
+					// validation (we don't have the option of setting the name ourself) when this runs multiple
+					// times for separate tests
+					Controller: config.Controller{
+						SkipNameValidation: ptr.To(true),
+					},
 				})
 				Expect(err).ToNot(HaveOccurred())
 
@@ -384,15 +393,20 @@ var _ = Describe("A cluster w/ StorageContextConstraints", func() {
 
 				var testManagerCtx context.Context
 				testManagerCtx, testManagerCancel = context.WithCancel(ctx)
-				// Start the manager
+				testManagerDone = make(chan struct{})
+				// Start the manager; wait for Start to return in AfterEach so the next test
+				// does not register another controller (with same name) while this mgr is running
 				go func() {
 					defer GinkgoRecover()
-					err = testManager.Start(testManagerCtx)
+					defer close(testManagerDone)
+					err := testManager.Start(testManagerCtx)
 					Expect(err).NotTo(HaveOccurred())
+					logger.Info("test manager stopped")
 				}()
 			})
 			AfterEach(func() {
 				testManagerCancel()
+				Eventually(testManagerDone, maxWait, interval).Should(BeClosed())
 			})
 
 			It("Should not call cancel function if no TLS profile change", func() {

internal/controller/platform/suite_test.go

@@ -47,6 +47,8 @@ var testEnv *envtest.Environment
 var cancel context.CancelFunc
 var ctx context.Context
 
+var logger = zap.New(zap.UseDevMode(true), zap.WriteTo(GinkgoWriter))
+
 func TestAPIs(t *testing.T) {
 	RegisterFailHandler(Fail)
 

internal/controller/platform/tlsprofile.go

@@ -19,6 +19,7 @@ package platform
 
 import (
 	"context"
+	"fmt"
 
 	"crypto/tls"
 
@@ -92,3 +93,24 @@ func InitTLSSecurityProfileWatcherWithManager(mgr manager.Manager,
 
 	return tlsProfileWatcher.SetupWithManager(mgr)
 }
+
+// Parse string version of ocpconfigv1.TLSProtocolVersion in format that others (such as stunnel) can interpret
+// For our stunnel implementation (used by rsync-tls) we will use tlsv1.3 as the minimum
+// unless something higher is picked (in future). No need to support older TLS versions
+// as we're not allowing generic clients, only our rsync-tls client from replicationsource
+func ParseTLSVersionForStunnelPSK(version ocpconfigv1.TLSProtocolVersion) (string, error) {
+	switch version {
+	case ocpconfigv1.VersionTLS10:
+		fallthrough
+	case ocpconfigv1.VersionTLS11:
+		fallthrough
+	case ocpconfigv1.VersionTLS12:
+		fallthrough
+	case ocpconfigv1.VersionTLS13:
+		return "TLSv1.3", nil
+	// Unfortunately this will need an update when new TLS versions become
+	// available so we can convert to the format expected by openssl/stunnel
+	default:
+		return "", fmt.Errorf("unknown TLS version: %s", version)
+	}
+}

internal/controller/platform/tlsprofile_test.go

@@ -0,0 +1,53 @@
+/*
+Copyright 2026 The VolSync authors.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
+package platform
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	ocpconfigv1 "github.com/openshift/api/config/v1"
+)
+
+var _ = Describe("Test tlsprofile helper funcs", func() {
+	Describe("ParseTLSVersionForStunnelPSK - should use TLS 1.3", func() {
+		It("Should convert the golang TLS version string into one sTunnel/openssl can use", func() {
+			tlsVersion, err := ParseTLSVersionForStunnelPSK(ocpconfigv1.VersionTLS10)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(tlsVersion).To(Equal("TLSv1.3"))
+
+			tlsVersion, err = ParseTLSVersionForStunnelPSK(ocpconfigv1.VersionTLS11)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(tlsVersion).To(Equal("TLSv1.3"))
+
+			tlsVersion, err = ParseTLSVersionForStunnelPSK(ocpconfigv1.VersionTLS12)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(tlsVersion).To(Equal("TLSv1.3"))
+
+			tlsVersion, err = ParseTLSVersionForStunnelPSK(ocpconfigv1.VersionTLS13)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(tlsVersion).To(Equal("TLSv1.3"))
+
+			// Unknown version
+			var fakeVersion ocpconfigv1.TLSProtocolVersion = "VersionNotExisting"
+			tlsVersion, err = ParseTLSVersionForStunnelPSK(fakeVersion)
+			Expect(err).To(HaveOccurred())
+			Expect(tlsVersion).To(Equal(""))
+		})
+	})
+})

mover-rsync-tls/server.sh

@@ -72,6 +72,11 @@ if [[ ! -d $TARGET ]] && ! test -b $BLOCK_TARGET; then
     exit 1
 fi
 
+if [[ -n ${SSL_VERSION_MIN} ]]; then
+    # Append sslVersionMin to stunnel conf
+    SSLVERSIONMIN="sslVersionMin = ${SSL_VERSION_MIN}"
+fi
+
 if [[ -d $TARGET ]]; then
     ##############################
     ## Filesystem volume, use rsync
@@ -131,6 +136,7 @@ syslog = no
 [rsync]
 ciphers = PSK
 PSKsecrets = $PSK_FILE
+$SSLVERSIONMIN
 ; Port to listen for incoming connections from remote
 accept = $STUNNEL_LISTEN_PORT
 ; We are the server
@@ -176,6 +182,7 @@ syslog = no
 [diskrsync]
 ciphers = PSK
 PSKsecrets = $PSK_FILE
+$SSLVERSIONMIN
 ; Port to listen for incoming connections from remote
 accept = $STUNNEL_LISTEN_PORT
 ; We are the server