HIVE-3007: hiveadmission: TLS config from APIServer

[2uasimojo]

Honor global TLS configuration by discovering TLS minimum version and cipher suites from the APIServer cluster object and adding their respective arguments to the hiveadmission Deployment.

Assisted-By: The Claude (claude-sonnet-4-5@20250929)

Claude helped me figure out minimal implementations for the Listers and Recorder I needed to invoke library-go's
ObserveTLSSecurityProfileToArguments() function. (I feel like I shouldn't have had to create whole implementations to make this work. But maybe it's because this repo is using archaic mechanisms to interact with the KAS.)

[openshift-ci-robot]

@2uasimojo: This pull request references HIVE-3007 which is a valid jira issue.

Details

In response to this:

Honor global TLS configuration by discovering TLS minimum version and cipher suites from the APIServer cluster object and adding their respective arguments to the hiveadmission Deployment.

Assisted-By: The Claude (claude-sonnet-4-5@20250929)

Claude helped me figure out minimal implementations for the Listers and Recorder I needed to invoke library-go's
ObserveTLSSecurityProfileToArguments() function. (I feel like I shouldn't have had to create whole implementations to make this work. But maybe it's because this repo is using archaic mechanisms to interact with the KAS.)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [2uasimojo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[2uasimojo]

This is currently in dependency hell.

• library-go is too old for k8s/client-go
• Can't upgrade library-go without bumping k8s to 34 and/or revendoring installer

We'll wait for #2796 and try again (library-go @release-4.20 to avoid k8s bump).

[2uasimojo]

/hold

[codecov]

Codecov Report

❌ Patch coverage is 0% with 73 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.29%. Comparing base (26db049) to head (00995b0).

Files with missing lines	Patch %	Lines
pkg/operator/hive/hiveadmission.go	0.00%	44 Missing ⚠️
pkg/util/logrus/eventrecorder.go	0.00%	23 Missing ⚠️
pkg/operator/hive/hive_controller.go	0.00%	4 Missing ⚠️
pkg/operator/hive/dynamicclient.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2800      +/-   ##
==========================================
- Coverage   50.40%   50.29%   -0.11%     
==========================================
  Files         279      280       +1     
  Lines       34194    34267      +73     
==========================================
  Hits        17236    17236              
- Misses      15597    15670      +73     
  Partials     1361     1361              

Files with missing lines	Coverage Δ
pkg/operator/hive/dynamicclient.go	0.00% <0.00%> (ø)
pkg/operator/hive/hive_controller.go	0.00% <0.00%> (ø)
pkg/util/logrus/eventrecorder.go	0.00% <0.00%> (ø)
pkg/operator/hive/hiveadmission.go	0.00% <0.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[openshift-ci]

@2uasimojo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	00995b0	link	true	/test security
ci/prow/e2e-openstack	00995b0	link	true	/test e2e-openstack
ci/prow/e2e-azure	00995b0	link	true	/test e2e-azure
ci/prow/e2e	00995b0	link	true	/test e2e
ci/prow/e2e-pool	00995b0	link	true	/test e2e-pool
ci/prow/e2e-vsphere	00995b0	link	true	/test e2e-vsphere
ci/prow/e2e-gcp	00995b0	link	true	/test e2e-gcp

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.