Rapid reset scaffold remediation (#54)

Signed-off-by: Catherine Chan-Tse <[email protected]>

Author: oceanc80

internal/ansible/flags/flag.go

@@ -15,12 +15,14 @@
 package flags
 
 import (
+	"crypto/tls"
 	"runtime"
 	"time"
 
 	"github.com/spf13/pflag"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
 // Flags - Options to be used by an ansible operator
@@ -44,6 +46,8 @@ type Flags struct {
 	AnsibleArgs                string
 	AnsibleLogEvents           string
 	ProxyPort                  int
+	EnableHTTP2                bool
+	SecureMetrics              bool
 
 	// Path to a controller-runtime componentconfig file.
 	// If this is empty, use default values.
@@ -197,6 +201,17 @@ func (f *Flags) AddTo(flagSet *pflag.FlagSet) {
 		8888,
 		"Ansible proxy server port. Defaults to 8888.",
 	)
+	flagSet.BoolVar(&f.EnableHTTP2,
+		"enable-http2",
+		false,
+		"enables HTTP/2 on the webhook and metrics servers",
+	)
+
+	flagSet.BoolVar(&f.SecureMetrics,
+		"metrics-secure",
+		false,
+		"enables secure serving of the metrics endpoint",
+	)
 }
 
 // ToManagerOptions uses the flag set in f to configure options.
@@ -241,5 +256,15 @@ func (f *Flags) ToManagerOptions(options manager.Options) manager.Options {
 		options.GracefulShutdownTimeout = &f.GracefulShutdownTimeout
 	}
 
+	disableHTTP2 := func(c *tls.Config) {
+		c.NextProtos = []string{"http/1.1"}
+	}
+	if !f.EnableHTTP2 {
+		options.WebhookServer = webhook.NewServer(webhook.Options{
+			TLSOpts: []func(*tls.Config){disableHTTP2},
+		})
+		options.Metrics.TLSOpts = append(options.Metrics.TLSOpts, disableHTTP2)
+	}
+	options.Metrics.SecureServing = f.SecureMetrics
 	return options
 }