Add TLSMaxVersion, TLSCipherSuites, and TLSCurvePreferences to webhook.Options for minimal tls customization

[jkhelil]

This change adds minimal TLS configuration API for webhooks : TLSMaxVersion, TLSCipherSuites, and TLSCurvePreferences fields to webhook.Options for granular TLS control

• TLSMaxVersion: enforce Modern profile
• TLSCipherSuites: custom cipher suites
• TLSCurvePreferences: elliptic curve configuration

Changes:

• Add TLSMaxVersion, TLSCipherSuites, and TLSCurvePreferences fields to webhook.Options
• Added unit tests for all new fields
• Added documentation for webhook tls (README)
• Maintains backward compatibility with existing TLSMinVersion usage

• 🎁 Add new feature
• 🐛 Fix bug

/kind enhancement

Fixes #3299

Release Note

Enhanced webhook TLS configuration with support for max version, custom cipher suites, and curve preferences.

Docs

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: jkhelil / name: khelil (c6bbfb2)

[knative-prow]

Welcome @jkhelil! It looks like this is your first PR to knative/pkg 🎉

[knative-prow]

Hi @jkhelil. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[vdemeester]

cc @dprotaso

[twoGiants]

/cc @twoGiants

[twoGiants]

Hi @jkhelil ! Thank you for the contribution 😸

I propose to go a more defensive approach or if we use the tls.Config to deprecate the current API. See my comments below.

[twoGiants]

First point I want to mention.

Not sure if providing access to the full tls.Config API is necessary. I prefer minimal API where possible, but I am not a TLS expert and maybe that is the call here BUT hear me out 😺 :

How about expanding the current API to support:

type Options struct {
    TLSMinVersion           uint16        // Existing
    TLSMaxVersion           uint16        // NEW - for Modern profile (TLS 1.3 only)
    TLSCipherSuites         []uint16      // NEW
    TLSCurvePreferences     []tls.CurveID // NEW
    TLSPreferServerCiphers  bool          // NEW - for Old profile
}

Then all you mentioned in the issue would be covered. But for future needs/changes another code change would be needed => which I personally prefer over a bigger API.

Second point I want to mention.

If it is decided to go the route of keeping the current TLSMinVersion AND adding the full tls.Config like in the PR => I would prefer to deprecating the current TLSMinVersion and then switch entirely to the tls.Config. Then the min version validation for >= 1.2 must be done on the provided tls.Config so that the current functionality remains preserved. Deprecation comments then be added here and in the documentation and in the code and we probably need an issue so we don't forget to remove it in the next or later versions. Also I would then enforce the user to be able to use only one of the options => either set TLSMinVersion or tls.Config but not both.

What do the others say? @vdemeester @dprotaso @creydr @Cali0707

[vdemeester]

I tend to agree with @twoGiants here 👼🏼

[jkhelil]

@twoGiants Thank you for the thoughtful review. I appreciate your preference for a minimal API, and I share that hesitation.
I've observed two patterns in the ecosystem:

1. Full api: net/http exposes complete TLSConfig https://pkg.go.dev/net/http#Server
2. Selected fields: Kubernetes apiserver exposes specific fields https://github.com/kubernetes/apiserver/blob/master/pkg/server/options/serving.go#L66

After reflection, I'm leaning toward the minimal API approach for the following reasons:

• We can keep the existing TLSMinVersion field without deprecation
• Reduces breaking changes and migration burden
• WEBHOOK_TLS_MIN_VERSION env var continues working as-is(prevents breaking TLS 1.2 clients)
• Users won't accidentally override certificate loading logic
• Smaller API surface to review and maintain

and it makes the pr much more simple

[twoGiants]

Maybe bug: Now if the user provides a GetCertificate function with his tls.Config it will be overwritten => this is not documented. Is this desired?

[jkhelil]

With the recent update, this is nolonger relevant

[twoGiants]

With the new configuration the TLSMinVersion can remain unset or even be set to some old insecure versions. Currently this is not possible => only TLS 1.2 and 1.3 are allowed and the default is TLS 1.3. There is a warning but the setup continues => I would prefer to return an error if it's lower than 1.2.

And as mentioned above => I would prefer to use one way OR the other and enforce the user to do so too.

[jkhelil]

With the latest changes, this concern is no longer relevant.

[twoGiants]

The default is 1.3.

[jkhelil]

With the latest changes, this concern is no longer relevant.

[twoGiants]

Missing testcase for tls.Config without TLSMinVerision or a lower than 1.2 version => which should not be possible.

[jkhelil]

With the latest changes, this concern is no longer relevant.

[dprotaso]

/ok-to-test

[dprotaso]

Change looks good - just see the linter warnings about extra whitespace

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.59%. Comparing base (9cc8410) to head (c6bbfb2).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3300   +/-   ##
=======================================
  Coverage   74.58%   74.59%           
=======================================
  Files         188      188           
  Lines        8187     8190    +3     
=======================================
+ Hits         6106     6109    +3     
  Misses       1841     1841           
  Partials      240      240           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[dprotaso]

/lgtm
/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, jkhelil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• webhook/OWNERS [dprotaso]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment