@@ -191,36 +191,29 @@ func New(
191191
192192 logger := logging .FromContext (ctx )
193193
194- tlsCfg , err := knativetls .NewConfigFromEnv ("WEBHOOK_" )
194+ tlsCfg , err := knativetls .DefaultConfigFromEnv ("WEBHOOK_" )
195195 if err != nil {
196196 return nil , fmt .Errorf ("reading TLS configuration from environment: %w" , err )
197197 }
198198
199- // Replace the TLS configuration with the one from the environment if not set.
200- // Default to TLS 1.3 as the minimum version when neither the caller nor the
201- // environment specifies one.
202- if opts .TLSMinVersion == 0 {
203- if tlsCfg .MinVersion != 0 {
204- opts .TLSMinVersion = tlsCfg .MinVersion
205- } else {
206- opts .TLSMinVersion = tls .VersionTLS13
207- }
199+ if opts .TLSMinVersion != 0 {
200+ tlsCfg .MinVersion = opts .TLSMinVersion
208201 }
209- if opts .TLSMaxVersion == 0 && tlsCfg . MaxVersion != 0 {
210- opts . TLSMaxVersion = tlsCfg . MaxVersion
202+ if opts .TLSMaxVersion != 0 {
203+ tlsCfg . MaxVersion = opts . TLSMaxVersion
211204 }
212- if opts .TLSCipherSuites == nil && len ( tlsCfg . CipherSuites ) > 0 {
213- opts . TLSCipherSuites = tlsCfg . CipherSuites
205+ if opts .TLSCipherSuites != nil {
206+ tlsCfg . CipherSuites = opts . TLSCipherSuites
214207 }
215- if opts .TLSCurvePreferences == nil && len ( tlsCfg . CurvePreferences ) > 0 {
216- opts . TLSCurvePreferences = tlsCfg . CurvePreferences
208+ if opts .TLSCurvePreferences != nil {
209+ tlsCfg . CurvePreferences = opts . TLSCurvePreferences
217210 }
218211
219- if opts . TLSMinVersion != 0 && opts . TLSMinVersion != tls .VersionTLS12 && opts . TLSMinVersion != tls .VersionTLS13 {
220- return nil , fmt .Errorf ("unsupported TLS minimum version %d: must be TLS 1.2 or TLS 1.3" , opts . TLSMinVersion )
212+ if tlsCfg . MinVersion != tls .VersionTLS12 && tlsCfg . MinVersion != tls .VersionTLS13 {
213+ return nil , fmt .Errorf ("unsupported TLS minimum version %d: must be TLS 1.2 or TLS 1.3" , tlsCfg . MinVersion )
221214 }
222- if opts . TLSMaxVersion != 0 && opts . TLSMinVersion > opts . TLSMaxVersion {
223- return nil , fmt .Errorf ("TLS minimum version (%#x) is greater than maximum version (%#x)" , opts . TLSMinVersion , opts . TLSMaxVersion )
215+ if tlsCfg . MaxVersion != 0 && tlsCfg . MinVersion > tlsCfg . MaxVersion {
216+ return nil , fmt .Errorf ("TLS minimum version (%#x) is greater than maximum version (%#x)" , tlsCfg . MinVersion , tlsCfg . MaxVersion )
224217 }
225218
226219 syncCtx , cancel := context .WithCancel (context .Background ())
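Review bot: The check at new lines 212–213 no longer tolerates a zero `MinVersion`, so the TLS 1.3 fallback that the removed lines 199–207 applied explicitly now rests entirely on what `knativetls.DefaultConfigFromEnv` leaves in `tlsCfg.MinVersion`; if that helper can return 0 (for example when no `WEBHOOK_` variable is set), `New` will fail with "unsupported TLS minimum version 0" instead of defaulting, which is worth confirming against the helper since it is outside this hunk. The defaulting is now implicit, so a comment above new line 199 such as `// tlsCfg already carries the environment/library defaults; explicit opts override them and the merged result is validated below.` would preserve the intent the removed comment documented. Note that `MaxVersion` (new lines 202–204) is still only constrained by the min > max comparison at 215–216, not against the TLS 1.2/1.3 set the minimum is checked against. `New` begins before this hunk and continues after it.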
@@ -240,42 +233,35 @@ func New(
240233 // a new secret informer from it.
241234 secretInformer := kubeinformerfactory .Get (ctx ).Core ().V1 ().Secrets ()
242235
243- //nolint:gosec // operator configures TLS min version (default is 1.3)
244- webhook .tlsConfig = & tls.Config {
245- MinVersion : opts .TLSMinVersion ,
246- MaxVersion : opts .TLSMaxVersion ,
247- CipherSuites : opts .TLSCipherSuites ,
248- CurvePreferences : opts .TLSCurvePreferences ,
249-
250- // If we return (nil, error) the client sees - 'tls: internal error"
251- // If we return (nil, nil) the client sees - 'tls: no certificates configured'
252- //
253- // We'll return (nil, nil) when we don't find a certificate
254- GetCertificate : func (* tls.ClientHelloInfo ) (* tls.Certificate , error ) {
255- secret , err := secretInformer .Lister ().Secrets (system .Namespace ()).Get (opts .SecretName )
256- if err != nil {
257- logger .Errorw ("failed to fetch secret" , zap .Error (err ))
258- return nil , nil
259- }
260- webOpts := GetOptions (ctx )
261- sKey , sCert := getSecretDataKeyNamesOrDefault (webOpts .ServerPrivateKeyName , webOpts .ServerCertificateName )
262- serverKey , ok := secret .Data [sKey ]
263- if ! ok {
264- logger .Warn ("server key missing" )
265- return nil , nil
266- }
267- serverCert , ok := secret .Data [sCert ]
268- if ! ok {
269- logger .Warn ("server cert missing" )
270- return nil , nil
271- }
272- cert , err := tls .X509KeyPair (serverCert , serverKey )
273- if err != nil {
274- return nil , err
275- }
276- return & cert , nil
277- },
236+ // If we return (nil, error) the client sees - 'tls: internal error'
237+ // If we return (nil, nil) the client sees - 'tls: no certificates configured'
238+ //
239+ // We'll return (nil, nil) when we don't find a certificate
240+ tlsCfg .GetCertificate = func (* tls.ClientHelloInfo ) (* tls.Certificate , error ) {
241+ secret , err := secretInformer .Lister ().Secrets (system .Namespace ()).Get (opts .SecretName )
242+ if err != nil {
243+ logger .Errorw ("failed to fetch secret" , zap .Error (err ))
244+ return nil , nil
245+ }
246+ webOpts := GetOptions (ctx )
247+ sKey , sCert := getSecretDataKeyNamesOrDefault (webOpts .ServerPrivateKeyName , webOpts .ServerCertificateName )
248+ serverKey , ok := secret .Data [sKey ]
249+ if ! ok {
250+ logger .Warn ("server key missing" )
251+ return nil , nil
252+ }
253+ serverCert , ok := secret .Data [sCert ]
254+ if ! ok {
255+ logger .Warn ("server cert missing" )
256+ return nil , nil
257+ }
258+ cert , err := tls .X509KeyPair (serverCert , serverKey )
259+ if err != nil {
260+ return nil , err
261+ }
262+ return & cert , nil
278263 }
264+ webhook .tlsConfig = tlsCfg
279265 }
280266
281267 webhook .mux .HandleFunc ("/" , func (w http.ResponseWriter , r * http.Request ) {