webhook: new flag to configure the webhook server's minimum TLS version

Author: alebedev87

docs/deploy/configurations.md

@@ -106,6 +106,7 @@ Currently, you can set only 1 namespace to watch in this flag. See [this Kuberne
 |webhook-cert-dir                       | string                          | /tmp/k8s-webhook-server/serving-certs | The directory that contains the server key and certificate |
 |webhook-cert-file                      | string                          | tls.crt | The server certificate name |
 |webhook-key-file                       | string                          | tls.key | The server key name |
+|webhook-tls-min-version                | string                          | 1.3     | The minimum TLS version acceptable by the webhook server |
 
 
 ### disable-ingress-class-annotation

main.go

@@ -91,7 +91,11 @@ func main() {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)
 	}
-	config.ConfigureWebhookServer(controllerCFG.RuntimeConfig, mgr)
+	err = config.ConfigureWebhookServer(controllerCFG.RuntimeConfig, mgr)
+	if err != nil {
+		setupLog.Error(err, "unable to configure webhook server")
+		os.Exit(1)
+	}
 	clientSet, err := kubernetes.NewForConfig(mgr.GetConfig())
 	if err != nil {
 		setupLog.Error(err, "unable to obtain clientSet")

pkg/config/runtime_config.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"fmt"
 	"time"
 
 	"github.com/spf13/pflag"
@@ -26,6 +27,7 @@ const (
 	flagWebhookCertDir          = "webhook-cert-dir"
 	flagWebhookCertName         = "webhook-cert-file"
 	flagWebhookKeyName          = "webhook-key-file"
+	flagWebhookTLSMinVersion    = "webhook-tls-min-version"
 
 	defaultKubeconfig              = ""
 	defaultLeaderElectionID        = "aws-load-balancer-controller-leader"
@@ -40,10 +42,18 @@ const (
 	defaultQPS = 1e6
 	// High enough Burst to fit all expected use cases. Burst=0 is not set here, because
 	// client code is overriding it.
-	defaultBurst           = 1e6
-	defaultWebhookCertDir  = ""
-	defaultWebhookCertName = ""
-	defaultWebhookKeyName  = ""
+	defaultBurst                = 1e6
+	defaultWebhookCertDir       = ""
+	defaultWebhookCertName      = ""
+	defaultWebhookKeyName       = ""
+	defaultWebhookTLSMinVersion = "1.3"
+)
+
+var (
+	supportedTLSVersions = map[string]struct{}{
+		"1.2": {},
+		"1.3": {},
+	}
 )
 
 // RuntimeConfig stores the configuration for the controller-runtime
@@ -61,6 +71,7 @@ type RuntimeConfig struct {
 	WebhookCertDir          string
 	WebhookCertName         string
 	WebhookKeyName          string
+	WebhookTLSMinVersion    string
 }
 
 // BindFlags binds the command line flags to the fields in the config object
@@ -87,6 +98,7 @@ func (c *RuntimeConfig) BindFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&c.WebhookCertDir, flagWebhookCertDir, defaultWebhookCertDir, "WebhookCertDir is the directory that contains the webhook server key and certificate.")
 	fs.StringVar(&c.WebhookCertName, flagWebhookCertName, defaultWebhookCertName, "WebhookCertName is the webhook server certificate name.")
 	fs.StringVar(&c.WebhookKeyName, flagWebhookKeyName, defaultWebhookKeyName, "WebhookKeyName is the webhook server key name.")
+	fs.StringVar(&c.WebhookTLSMinVersion, flagWebhookTLSMinVersion, defaultWebhookTLSMinVersion, "Minimum TLS version acceptable by the webhook server.")
 
 }
 
@@ -128,8 +140,12 @@ func BuildRuntimeOptions(rtCfg RuntimeConfig, scheme *runtime.Scheme) ctrl.Optio
 }
 
 // ConfigureWebhookServer set up the server cert for the webhook server.
-func ConfigureWebhookServer(rtCfg RuntimeConfig, mgr ctrl.Manager) {
+func ConfigureWebhookServer(rtCfg RuntimeConfig, mgr ctrl.Manager) error {
 	mgr.GetWebhookServer().CertName = rtCfg.WebhookCertName
 	mgr.GetWebhookServer().KeyName = rtCfg.WebhookKeyName
-	mgr.GetWebhookServer().TLSMinVersion = "1.3"
+	if _, found := supportedTLSVersions[rtCfg.WebhookTLSMinVersion]; !found {
+		return fmt.Errorf("unsupported tls version %q", rtCfg.WebhookTLSMinVersion)
+	}
+	mgr.GetWebhookServer().TLSMinVersion = rtCfg.WebhookTLSMinVersion
+	return nil
 }