OCPBUGS-58475: Enforce secure TLS settings in CMO #2618

danielmellado · 2025-07-11T08:00:35Z

This commit enforces secure TLS settings in order to eliminate insecure
cipher warnings in cluster-monitoring-operator logs. It changes
Alertmanager configurations used by Prometheus and Thanos.

Set min_version: TLS1.2 and explicitly define secure cipher_suites
Applied to all additional Alertmanager configs
Updated tests accordingly

I added CHANGELOG entry for this change.
No user facing changes, so no entry in CHANGELOG was needed.

openshift-ci-robot · 2025-07-11T08:00:43Z

@danielmellado: This pull request references Jira Issue OCPBUGS-58475, which is invalid:

expected the bug to target the "4.20.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This PR enforces secure TLS settings in order to eliminate insecure
cipher warnings in cluster-monitoring-operator logs. It changes
Alertmanager configurations used by Prometheus and Thanos.

Set min_version: TLS1.2 and explicitly define secure cipher_suites

Applied to all additional Alertmanager configs

Updated tests accordingly

I added CHANGELOG entry for this change.

No user facing changes, so no entry in CHANGELOG was needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

danielmellado · 2025-07-11T08:03:08Z

/jira refresh

openshift-ci-robot · 2025-07-11T08:03:19Z

@danielmellado: This pull request references Jira Issue OCPBUGS-58475, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.20.0) matches configured target version for branch (4.20.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @juzhao

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-07-11T08:14:52Z

@danielmellado: This pull request references Jira Issue OCPBUGS-58475, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.20.0) matches configured target version for branch (4.20.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @juzhao

Details

In response to this:

This PR enforces secure TLS settings in order to eliminate insecure
cipher warnings in cluster-monitoring-operator logs. It changes
Alertmanager configurations used by Prometheus and Thanos.

Set min_version: TLS1.2 and explicitly define secure cipher_suites

Applied to all additional Alertmanager configs

Updated tests accordingly

I added CHANGELOG entry for this change.

No user facing changes, so no entry in CHANGELOG was needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

danielmellado · 2025-07-11T08:28:14Z

/test golangci-lint

This commit enforces secure TLS settings in order to eliminate insecure cipher warnings in cluster-monitoring-operator logs. It changes Alertmanager configurations used by Prometheus and Thanos. - Set `min_version: TLS1.2` and explicitly define secure `cipher_suites` - Applied to all additional Alertmanager configs - Updated tests accordingly Signed-off-by: Daniel Mellado <[email protected]>

danielmellado · 2025-07-12T06:55:05Z

/retest-required

danielmellado · 2025-07-12T09:20:34Z

/retest-required

danielmellado · 2025-07-14T07:32:37Z

/retest-required

danielmellado · 2025-07-14T12:55:58Z

/retest-required

danielmellado · 2025-07-22T09:21:19Z

/retest-required

openshift-ci · 2025-07-22T12:42:40Z

@danielmellado: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-single-node	`6f7b88e`	link	false	`/test e2e-aws-ovn-single-node`
ci/prow/okd-scos-e2e-aws-ovn	`6f7b88e`	link	false	`/test okd-scos-e2e-aws-ovn`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

danielmellado · 2025-07-22T13:10:15Z

/retest-required

danielmellado · 2025-07-24T06:29:09Z

/cc @marioferh

marioferh

/lgtm

openshift-ci · 2025-07-24T07:35:41Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danielmellado, marioferh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [danielmellado,marioferh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

marioferh · 2025-07-24T07:35:44Z

/retest-required

openshift-ci-robot · 2025-07-24T10:48:08Z

@danielmellado: Jira Issue OCPBUGS-58475: All pull requests linked via external trackers have merged:

openshift/cluster-monitoring-operator#2618

Jira Issue OCPBUGS-58475 has been moved to the MODIFIED state.

Details

In response to this:

This commit enforces secure TLS settings in order to eliminate insecure
cipher warnings in cluster-monitoring-operator logs. It changes
Alertmanager configurations used by Prometheus and Thanos.

Set min_version: TLS1.2 and explicitly define secure cipher_suites

Applied to all additional Alertmanager configs

Updated tests accordingly

I added CHANGELOG entry for this change.

No user facing changes, so no entry in CHANGELOG was needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-bot · 2025-07-24T12:36:39Z

[ART PR BUILD NOTIFIER]

Distgit: cluster-monitoring-operator
This PR has been included in build cluster-monitoring-operator-container-v4.20.0-202507241216.p0.gd59e266.assembly.stream.el9.
All builds following this will include this PR.

openshift-ci bot requested review from machine424 and rexagod July 11, 2025 08:01

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 11, 2025

openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 11, 2025

openshift-ci bot requested a review from juzhao July 11, 2025 08:03

danielmellado force-pushed the fix_tls branch from a379f5d to 21f0159 Compare July 11, 2025 08:14

danielmellado force-pushed the fix_tls branch from 21f0159 to 31581c3 Compare July 11, 2025 08:23

danielmellado force-pushed the fix_tls branch 3 times, most recently from 35bc3bd to b046c00 Compare July 11, 2025 16:54

danielmellado force-pushed the fix_tls branch from b046c00 to 6f7b88e Compare July 11, 2025 17:03

openshift-ci bot requested a review from marioferh July 24, 2025 06:29

marioferh reviewed Jul 24, 2025

View reviewed changes

openshift-ci bot assigned marioferh Jul 24, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 24, 2025

openshift-merge-bot bot merged commit d59e266 into openshift:main Jul 24, 2025
19 of 21 checks passed

openshift-ci-robot mentioned this pull request Aug 19, 2025

OCPBUGS-58475: Enforce secure TLS settings in CMO server #2647

Merged

2 tasks

OCPBUGS-58475: Enforce secure TLS settings in CMO #2618

OCPBUGS-58475: Enforce secure TLS settings in CMO #2618

Uh oh!

Conversation

danielmellado commented Jul 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Jul 11, 2025

Uh oh!

danielmellado commented Jul 11, 2025

Uh oh!

openshift-ci-robot commented Jul 11, 2025

Uh oh!

openshift-ci-robot commented Jul 11, 2025

Uh oh!

danielmellado commented Jul 11, 2025

Uh oh!

danielmellado commented Jul 12, 2025

Uh oh!

danielmellado commented Jul 12, 2025

Uh oh!

danielmellado commented Jul 14, 2025

Uh oh!

danielmellado commented Jul 14, 2025

Uh oh!

danielmellado commented Jul 22, 2025

Uh oh!

openshift-ci bot commented Jul 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

danielmellado commented Jul 22, 2025

Uh oh!

danielmellado commented Jul 24, 2025

Uh oh!

marioferh left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci bot commented Jul 24, 2025

Uh oh!

marioferh commented Jul 24, 2025

Uh oh!

Uh oh!

openshift-ci-robot commented Jul 24, 2025

Uh oh!

openshift-bot commented Jul 24, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

danielmellado commented Jul 11, 2025 •

edited

Loading

openshift-ci bot commented Jul 22, 2025 •

edited

Loading