OTA-1764: feat(cvo): add TLS cipher suites and minimum version flags#8013

Draft
DavidHurta wants to merge 1 commit into
openshift:mainfrom
DavidHurta:cvo-add-tls-config-flags

Conversation

@DavidHurta DavidHurta commented Mar 19, 2026

What this PR does / why we need it:

Add new flags to the hosted CVO to comply with the centralized TLS configuration in HyperShift. These flags are to override the CVO's internal TLS profile, which is used for its metrics server. Flags to be added with openshift/cluster-version-operator#1338.

Which issue(s) this PR fixes:

Fixes #OTA-1764

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Add new flags to the hosted CVO to comply with the centralized
TLS configuration in HyperShift. These flags are to override the
CVO's internal TLS profile, which is used for its metrics server.
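As an added illustration (not code from this PR, the CVO or HyperShift), the following shows how flag values of the kind the PR passes, a minimum TLS version plus a comma-separated list of cipher-suite names, would be validated and turned into a tls.Config for a metrics server; the flag names, value formats and the function itself are assumptions. Empty values leave the operator's internal TLS profile in place, unknown or insecure suite names are rejected rather than silently dropped, and the suite list is not applied under a TLS 1.3 minimum because Go does not let callers choose TLS 1.3 suites.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tlsConfigFromFlags turns two flag values into a *tls.Config for a metrics server.
// Flag names, value formats and this function are assumptions for the example, not
// CVO/HyperShift code. Empty values mean "no override": nil keeps the internal profile.
func tlsConfigFromFlags(minVersion, cipherSuites string) (*tls.Config, error) {
	if minVersion == "" && cipherSuites == "" {
		return nil, nil
	}
	versions := map[string]uint16{"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}
	v, ok := versions[minVersion]
	if !ok {
		return nil, fmt.Errorf("unsupported minimum TLS version %q", minVersion)
	}
	// Accept only suites Go lists as secure; names from tls.InsecureCipherSuites() (e.g. RC4) fail.
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	var ids []uint16
	for _, name := range strings.Split(cipherSuites, ",") {
		if name = strings.TrimSpace(name); name == "" {
			continue
		}
		id, ok := secure[name]
		if !ok {
			return nil, fmt.Errorf("unknown or insecure cipher suite %q", name)
		}
		ids = append(ids, id)
	}
	cfg := &tls.Config{MinVersion: v}
	// Go honours CipherSuites for TLS 1.2 only; TLS 1.3 suites are fixed by the runtime,
	// so with a TLS 1.3 minimum the list is deliberately left unset.
	if v < tls.VersionTLS13 && len(ids) > 0 {
		cfg.CipherSuites = ids
	}
	return cfg, nil
}

func main() {
	cfg, err := tlsConfigFromFlags("VersionTLS12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
	fmt.Println(cfg.MinVersion == tls.VersionTLS12, len(cfg.CipherSuites), err)
}
```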
@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 19, 2026
@openshift-ci-robot

openshift-ci-robot commented Mar 19, 2026

@DavidHurta: This pull request references OTA-1764 which is a valid jira issue.

In response to this:

What this PR does / why we need it:

Add new flags to the hosted CVO to comply with the centralized TLS configuration in HyperShift. These flags are to override the CVO's internal TLS profile, which is used for its metrics server. Flags to be added with openshift/cluster-version-operator#1338.

Which issue(s) this PR fixes:

Fixes #OTA-1764

Special notes for your reviewer:

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Contributor

coderabbitai Bot commented Mar 19, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: df6700ca-5c7f-4cc2-863e-f70b7c152ec1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/needs-area labels Mar 19, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Mar 19, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release label Mar 19, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Mar 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: DavidHurta
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Contributor

openshift-ci Bot commented May 11, 2026

@DavidHurta: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • Test name: ci/prow/security
  • Commit: 4571f71
  • Required: true
  • Rerun command: /test security

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 11, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 11, 2026

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@hypershift-jira-solve-ci

hypershift-jira-solve-ci Bot commented May 11, 2026

I now have the complete picture. Both failures stem from the same root cause — a merge conflict. Here is the report:

Test Failure Analysis Complete

Job Information

  • Prow Job: pull-ci-openshift-hypershift-main-security
  • Build ID: 2053884407126691840
  • PR: #8013 OTA-1764: feat(cvo): add TLS cipher suites and minimum version flags
  • Author: DavidHurta
  • GitHub Merge State: CONFLICTING / DIRTY

Test Failure Analysis

Error

Auto-merging control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go
CONFLICT (content): Merge conflict in control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go
Automatic merge failed; fix conflicts and then commit the result.
# Error: exit status 1

Summary

Both CI failures (ci/prow/security → FAILURE, tide → ERROR) are caused by a merge conflict in control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go. The job aborted during the git checkout/merge phase before any CI step could execute — no security scan ran, no artifacts were produced. Tide reports an ERROR state because it cannot merge a PR in CONFLICTING status. The conflict was introduced when PR #8354 (CNTRLPLANE-3340: Extract support/podspec package from support/util) merged on 2026-04-28, refactoring all util.UpdateContainer/util.UpsertEnvVar calls to a new podspec package — while PR #8013 (branched 2026-03-19) still references the old util.* API.

Root Cause

The root cause is a stale PR branch that conflicts with a cross-cutting refactoring that landed on main after the PR was created.

PR #8013 (opened 2026-03-19) adds TLS cipher suite and minimum TLS version flags to the CVO deployment. It modifies control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go using:

  • util.UpdateContainer(...) to update the CVO container spec
  • util.UpsertEnvVar(...) to set environment variables
  • New TLS-related arguments injected into the container args

PR #8354 (merged 2026-04-28) performed a large-scale refactoring that extracted a new support/podspec package from support/util. This renamed all calls across the codebase:

  • util.UpdateContainer → podspec.UpdateContainer
  • util.UpsertEnvVar → podspec.UpsertEnvVar
  • Import path changed from "github.com/openshift/hypershift/support/util" to "github.com/openshift/hypershift/support/podspec"

Because both PRs modify the same lines in deployment.go (import block + function calls in the deployment reconciliation), git cannot auto-merge them. The conflict spans:

  1. Import declarations — PR #8013 uses support/util, main now requires support/podspec
  2. Function call sites — PR #8013 calls util.UpdateContainer(ComponentName, ...) with new TLS args; main expects podspec.UpdateContainer(ComponentName, ...)

This is not a flaky test, infrastructure issue, or product bug. It is a straightforward merge conflict caused by concurrent development.

Recommendations
  1. Rebase PR #8013 onto current main to pick up the util → podspec refactoring from PR #8354 (CNTRLPLANE-3340: Extract support/podspec package from support/util)
  2. Resolve the conflict by adopting the new package names while preserving the TLS logic:
    • Replace util.UpdateContainer with podspec.UpdateContainer
    • Replace util.UpsertEnvVar with podspec.UpsertEnvVar
    • Update the import from "github.com/openshift/hypershift/support/util" to "github.com/openshift/hypershift/support/podspec"
  3. Push the rebased branch — both the security job and tide will automatically re-evaluate
  4. No code logic changes should be needed beyond the package rename — the TLS cipher suite feature additions should remain intact
Evidence

  • Conflicting file: control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go
  • PR merge state: CONFLICTING / DIRTY (confirmed via GitHub API)
  • Build log error: CONFLICT (content): Merge conflict ... Automatic merge failed; fix conflicts and then commit the result. # Error: exit status 1
  • Conflicting PR: #8354 CNTRLPLANE-3340: Extract support/podspec package from support/util (merged 2026-04-28)
  • PR #8013 branch date: Created 2026-03-19 (before #8354 merged)
  • Artifacts produced: None — job aborted at git merge stage before any CI step executed
  • tide error cause: Tide cannot merge a PR with CONFLICTING merge status
  • security job cause: Prow could not check out a clean merged workspace due to the conflict

})
})

configuration := cpContext.HCP.Spec.Configuration

Member commented on this line:

I would do the nil checking first.
Same on line 111 and line 114.

@hypershift-jira-solve-ci

The background task completed but the analysis is already finished — the PR checks output confirms what we already found. The report above is the complete analysis.

To summarize: both CI failures are caused by a merge conflict in control-plane-operator/controllers/hostedcontrolplane/v2/cvo/deployment.go. A refactoring commit (b9aa6acc9fb9) landed on main after the PR was created, renaming util.UpdateContainer → podspec.UpdateContainer across ~120 callers. The PR modifies the same lines using the old util.* names, so git can't auto-merge. No tests ran — the fix is simply to rebase the branch onto current main.
