UPSTREAM 3454: disable HTTP2 for webhook server

alebedev87 · alebedev87 · commit 14105339cb55 · 2023-11-03T12:48:32.000+01:00
Bug reference: OCPBUGS-22344
diff --git a/pkg/config/runtime_config.go b/pkg/config/runtime_config.go
@@ -1,6 +1,7 @@
 package config
 
 import (
+	"crypto/tls"
 	"time"
 
 	"github.com/spf13/pflag"
@@ -26,6 +27,7 @@ const (
 	flagWebhookCertDir          = "webhook-cert-dir"
 	flagWebhookCertName         = "webhook-cert-file"
 	flagWebhookKeyName          = "webhook-key-file"
+	flagWebhookDsibleHTTP2      = "webhook-disable-http2"
 
 	defaultKubeconfig              = ""
 	defaultLeaderElectionID        = "aws-load-balancer-controller-leader"
@@ -40,10 +42,11 @@ const (
 	defaultQPS = 1e6
 	// High enough Burst to fit all expected use cases. Burst=0 is not set here, because
 	// client code is overriding it.
-	defaultBurst           = 1e6
-	defaultWebhookCertDir  = ""
-	defaultWebhookCertName = ""
-	defaultWebhookKeyName  = ""
+	defaultBurst               = 1e6
+	defaultWebhookCertDir      = ""
+	defaultWebhookCertName     = ""
+	defaultWebhookKeyName      = ""
+	defaultWebhookDisableHTTP2 = false
 )
 
 // RuntimeConfig stores the configuration for the controller-runtime
@@ -61,6 +64,7 @@ type RuntimeConfig struct {
 	WebhookCertDir          string
 	WebhookCertName         string
 	WebhookKeyName          string
+	WebhookDisableHTTP2     bool
 }
 
 // BindFlags binds the command line flags to the fields in the config object
@@ -87,6 +91,7 @@ func (c *RuntimeConfig) BindFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&c.WebhookCertDir, flagWebhookCertDir, defaultWebhookCertDir, "WebhookCertDir is the directory that contains the webhook server key and certificate.")
 	fs.StringVar(&c.WebhookCertName, flagWebhookCertName, defaultWebhookCertName, "WebhookCertName is the webhook server certificate name.")
 	fs.StringVar(&c.WebhookKeyName, flagWebhookKeyName, defaultWebhookKeyName, "WebhookKeyName is the webhook server key name.")
+	fs.BoolVar(&c.WebhookDisableHTTP2, flagWebhookDsibleHTTP2, defaultWebhookDisableHTTP2, "WebhookDisableHTTP2 disables HTTP2 for the webhook server.")
 
 }
 
@@ -131,5 +136,12 @@ func BuildRuntimeOptions(rtCfg RuntimeConfig, scheme *runtime.Scheme) ctrl.Optio
 func ConfigureWebhookServer(rtCfg RuntimeConfig, mgr ctrl.Manager) {
 	mgr.GetWebhookServer().CertName = rtCfg.WebhookCertName
 	mgr.GetWebhookServer().KeyName = rtCfg.WebhookKeyName
-	mgr.GetWebhookServer().TLSMinVersion = "1.2"
+	mgr.GetWebhookServer().TLSOpts = []func(config *tls.Config){
+		func(config *tls.Config) {
+			config.MinVersion = tls.VersionTLS12
+			if rtCfg.WebhookDisableHTTP2 {
+				config.NextProtos = []string{"http/1.1"}
+			}
+		},
+	}
 }
