Refactor APIServer TLS setup into common function (#3751)

Consolidates duplicated APIServer TLS configuration setup code from
OLM and Catalog operators into a single SetupAPIServerTLSConfig function.


Assisted-By: Claude

Signed-off-by: Todd Short <todd.short@me.com>

Author: tmshort

cmd/catalog/main.go

@@ -10,7 +10,6 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1"
 
-	configclientset "github.com/openshift/client-go/config/clientset/versioned"
 	configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
 	"github.com/sirupsen/logrus"
 	k8sscheme "k8s.io/client-go/kubernetes/scheme"
@@ -21,7 +20,6 @@ import (
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/catalog"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/catalogtemplate"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/apiserver"
-	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/openshiftconfig"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorstatus"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/server"
@@ -77,34 +75,9 @@ func (o *options) run(ctx context.Context, logger *logrus.Logger) error {
 	}
 
 	// Setup APIServer TLS configuration for HTTPS servers
-	discovery := opClient.KubernetesInterface().Discovery()
-	openshiftConfigAPIExists, err := openshiftconfig.IsAPIAvailable(discovery)
+	apiServerTLSQuerier, apiServerFactory, err := apiserver.SetupAPIServerTLSConfig(logger, config)
 	if err != nil {
-		return fmt.Errorf("error checking for OpenShift config API support: %w", err)
-	}
-
-	apiServerTLSQuerier := apiserver.NoopQuerier()
-	var apiServerFactory interface{ Start(<-chan struct{}) }
-	if openshiftConfigAPIExists {
-		logger.Info("OpenShift APIServer API available - setting up watch for APIServer TLS configuration")
-
-		versionedConfigClient, err := configclientset.NewForConfig(config)
-		if err != nil {
-			return fmt.Errorf("error configuring openshift config client: %w", err)
-		}
-
-		apiServerInformer, apiServerSyncer, querier, factory, err := apiserver.NewSyncer(logger, versionedConfigClient)
-		if err != nil {
-			return fmt.Errorf("error initializing APIServer TLS syncer: %w", err)
-		}
-
-		logger.Info("APIServer TLS configuration will be applied to HTTPS servers")
-		apiServerTLSQuerier = querier
-
-		// Register event handlers for APIServer resource changes
-		apiserver.RegisterEventHandlers(apiServerInformer, apiServerSyncer)
-
-		apiServerFactory = factory
+		return fmt.Errorf("error setting up APIServer TLS configuration: %w", err)
 	}
 
 	// Setup metrics/health server with TLS configuration

cmd/olm/main.go

@@ -24,7 +24,6 @@ import (
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/operators/openshift"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/feature"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/apiserver"
-	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/openshiftconfig"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorstatus"
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/queueinformer"
@@ -156,30 +155,11 @@ func main() {
 	}
 
 	// Setup APIServer TLS configuration for HTTPS servers
-	discovery := opClient.KubernetesInterface().Discovery()
-	openshiftConfigAPIExists, err := openshiftconfig.IsAPIAvailable(discovery)
+	apiServerTLSQuerier, apiServerFactory, err := apiserver.SetupAPIServerTLSConfig(logger, config)
 	if err != nil {
-		logger.WithError(err).Fatal("error checking for OpenShift config API support")
-	}
-
-	apiServerTLSQuerier := apiserver.NoopQuerier()
-	var apiServerFactory interface{ Start(<-chan struct{}) }
-	if openshiftConfigAPIExists {
-		logger.Info("OpenShift APIServer API available - setting up watch for APIServer TLS configuration")
-
-		apiServerInformer, apiServerSyncer, querier, factory, err := apiserver.NewSyncer(logger, versionedConfigClient)
-		if err != nil {
-			logger.WithError(err).Fatal("error initializing APIServer TLS syncer")
-		}
-
-		logger.Info("APIServer TLS configuration will be applied to HTTPS servers")
-		apiServerTLSQuerier = querier
-
-		// Register event handlers for APIServer resource changes
-		apiserver.RegisterEventHandlers(apiServerInformer, apiServerSyncer)
-
-		apiServerFactory = factory
+		logger.WithError(err).Fatal("error setting up APIServer TLS configuration")
 	}
+	openshiftConfigAPIExists := apiServerFactory != nil
 
 	// Setup metrics/health server with TLS configuration
 	listenAndServe, err := server.GetListenAndServeFunc(

pkg/lib/apiserver/syncer.go

@@ -11,7 +11,10 @@ import (
 	apiconfigv1 "github.com/openshift/api/config/v1"
 	configv1client "github.com/openshift/client-go/config/clientset/versioned"
 	configv1 "github.com/openshift/client-go/config/informers/externalversions/config/v1"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/openshiftconfig"
 	"github.com/sirupsen/logrus"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 )
 
@@ -58,6 +61,53 @@ func RegisterEventHandlers(informer configv1.APIServerInformer, syncer *Syncer)
 	})
 }
 
+// SetupAPIServerTLSConfig sets up the APIServer TLS configuration for HTTPS servers.
+// It checks if OpenShift config API is available and if so, creates the necessary
+// syncer and informer infrastructure to watch for cluster-wide TLS configuration changes.
+//
+// Returns:
+//   - querier: A Querier that can be used to get TLS configuration (NoopQuerier if OpenShift API not available)
+//   - factory: A SharedInformerFactory that must be started after operators are ready (nil if OpenShift API not available)
+//   - error: Any error encountered during setup
+func SetupAPIServerTLSConfig(logger *logrus.Logger, config *rest.Config) (Querier, interface{ Start(<-chan struct{}) }, error) {
+	// Create Kubernetes client for discovery
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error creating kubernetes client: %w", err)
+	}
+
+	// Check if OpenShift config API is available
+	openshiftConfigAPIExists, err := openshiftconfig.IsAPIAvailable(clientset.Discovery())
+	if err != nil {
+		return nil, nil, fmt.Errorf("error checking for OpenShift config API support: %w", err)
+	}
+
+	if !openshiftConfigAPIExists {
+		return NoopQuerier(), nil, nil
+	}
+
+	logger.Info("OpenShift APIServer API available - setting up watch for APIServer TLS configuration")
+
+	// Create versioned config client
+	versionedConfigClient, err := configv1client.NewForConfig(config)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error configuring openshift config client: %w", err)
+	}
+
+	// Create syncer and informer
+	apiServerInformer, apiServerSyncer, apiServerQuerier, apiServerFactory, err := NewSyncer(logger, versionedConfigClient)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error initializing APIServer TLS syncer: %w", err)
+	}
+
+	logger.Info("APIServer TLS configuration will be applied to HTTPS servers")
+
+	// Register event handlers for APIServer resource changes
+	RegisterEventHandlers(apiServerInformer, apiServerSyncer)
+
+	return apiServerQuerier, apiServerFactory, nil
+}
+
 // Syncer deals with watching APIServer type(s) on the cluster and let the caller
 // query for cluster scoped APIServer TLS configuration.
 type Syncer struct {