[release-1.21] Add network/tls package for TLS configuration (#3337)
Conversation
…native#3324)

* feat: add shared tls package for reading TLS config from environment

Extract TLS configuration parsing into a reusable knative.dev/pkg/tls package so that any Knative component (not just webhooks) can read TLS_MIN_VERSION, TLS_MAX_VERSION, TLS_CIPHER_SUITES, and TLS_CURVE_PREFERENCES from environment variables with an optional prefix. The webhook package is updated to use the new tls package, extending env var support from just WEBHOOK_TLS_MIN_VERSION to all four WEBHOOK_TLS_* variables. Programmatic Options values continue to take precedence over environment variables.

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

* fix: address review feedback on tls package

Reduce the public API surface of the tls package by unexporting ParseVersion, ParseCipherSuites, and ParseCurvePreferences since they are implementation details of NewConfigFromEnv. Also validate that TLS max version is not smaller than min version in webhook.New(), document the Options TLS field precedence (programmatic > env vars > defaults), and broaden TestConfig_TLSConfig to exercise the full NewConfigFromEnv → TLSConfig path.

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

---------

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
DefaultConfigFromEnv replaces NewConfigFromEnv by returning a full default tls.Config with overrides from env vars. This avoids specifying e.g. the TLS MinVersion explicitly.
…ity (knative#3331) The TLS configuration package is moved from tls/ to network/tls/ to co-locate it with the rest of the networking code. The old tls/ package now re-exports all public symbols as deprecated aliases so that existing consumers continue to compile without changes. The webhook package is updated to import from the new location directly. Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
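The commit messages above describe the mechanism but not its shape: a prefixed set of `<PREFIX>TLS_*` environment variables is parsed into a `tls.Config`, programmatic values win over the environment, the environment wins over a TLS 1.3 default, and an inverted min/max pair is rejected at startup. The Go program below is an added illustration of that mechanism and is not code from knative/pkg or from this PR. Everything in it is an assumption for the example: the function names (`configFromEnv`, `parseVersion`, `resolve`, `cipherSuiteTable`), the accepted value formats ("1.2"/"1.3" for versions, IANA suite names, Go curve names), the TLS 1.3-only default (taken from the serving backport's statement that the default remains TLS 1.3), and the injected `lookup` function, which stands in for `os.LookupEnv` so the logic can be tested without touching the real environment.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"strings"
)

// Accepted values for <prefix>TLS_MIN_VERSION / <prefix>TLS_MAX_VERSION. Only 1.2
// and 1.3 can be named, so an operator cannot re-enable TLS 1.0/1.1 by mistake.
// (Value formats throughout are assumptions of this example, not knative/pkg's.)
var tlsVersions = map[string]uint16{"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}

// Accepted names for <prefix>TLS_CURVE_PREFERENCES (assumed format).
var tlsCurves = map[string]uint16{"X25519": uint16(tls.X25519), "CurveP256": uint16(tls.CurveP256),
	"CurveP384": uint16(tls.CurveP384), "CurveP521": uint16(tls.CurveP521)}

func parseVersion(s string) (uint16, error) {
	if v, ok := tlsVersions[strings.TrimSpace(s)]; ok {
		return v, nil
	}
	return 0, fmt.Errorf("unsupported TLS version %q (want 1.2 or 1.3)", s)
}

// resolve maps each comma-separated item of s through table, failing on any name
// the table lacks so a typo cannot silently drop a setting.
func resolve(s string, table map[string]uint16, what string) ([]uint16, error) {
	var out []uint16
	for _, name := range strings.Split(s, ",") {
		if name = strings.TrimSpace(name); name == "" {
			continue
		}
		id, ok := table[name]
		if !ok {
			return nil, fmt.Errorf("unknown or insecure %s %q", what, name)
		}
		out = append(out, id)
	}
	return out, nil
}

// cipherSuiteTable is built from tls.CipherSuites(), which by design omits the suites
// Go classifies as insecure (RC4, some CBC-SHA256 ones, ...), so a weak suite cannot
// be enabled by name: it fails at startup instead of silently weakening the listener.
func cipherSuiteTable() map[string]uint16 {
	table := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		table[cs.Name] = cs.ID
	}
	return table
}

// configFromEnv starts from a TLS 1.3-only default and overrides it from the four
// <prefix>TLS_* variables. lookup is injected (os.LookupEnv in production) so the
// logic can be exercised without mutating the process environment.
func configFromEnv(prefix string, lookup func(string) (string, bool)) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13}
	get := func(name string) (string, bool) { return lookup(prefix + "TLS_" + name) }
	var err error
	if v, ok := get("MIN_VERSION"); ok {
		if cfg.MinVersion, err = parseVersion(v); err != nil {
			return nil, err
		}
	}
	if v, ok := get("MAX_VERSION"); ok {
		if cfg.MaxVersion, err = parseVersion(v); err != nil {
			return nil, err
		}
	}
	// MaxVersion 0 means "no cap" to crypto/tls; only an explicit cap can be inverted.
	if cfg.MaxVersion != 0 && cfg.MaxVersion < cfg.MinVersion {
		return nil, fmt.Errorf("%sTLS_MAX_VERSION is lower than %sTLS_MIN_VERSION", prefix, prefix)
	}
	if v, ok := get("CIPHER_SUITES"); ok {
		if cfg.CipherSuites, err = resolve(v, cipherSuiteTable(), "cipher suite"); err != nil {
			return nil, err
		}
	}
	if v, ok := get("CURVE_PREFERENCES"); ok {
		ids, err := resolve(v, tlsCurves, "curve")
		if err != nil {
			return nil, err
		}
		for _, id := range ids {
			cfg.CurvePreferences = append(cfg.CurvePreferences, tls.CurveID(id))
		}
	}
	return cfg, nil
}

func main() {
	cfg, err := configFromEnv("WEBHOOK_", os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid TLS configuration:", err)
		os.Exit(1)
	}
	fmt.Printf("min=%#x max=%#x suites=%v curves=%v\n", cfg.MinVersion, cfg.MaxVersion, cfg.CipherSuites, cfg.CurvePreferences)
}
```

Two points a reviewer would check in any such package: crypto/tls ignores `CipherSuites` for TLS 1.3 connections, so with the TLS 1.3-only default the suite list only takes effect once an operator lowers the minimum to 1.2; and the inverted min/max check must run after both variables are read, not in `Options` alone, otherwise a pure env-var deployment can produce a `tls.Config` that rejects every handshake.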
Codecov Report

❌ Patch coverage is

Additional details and impacted files

@@            Coverage Diff             @@
##           release-1.21    #3337      +/-   ##
================================================
+ Coverage        74.64%   74.85%   +0.20%
================================================
  Files              188      189       +1
  Lines             8207     8275      +68
================================================
+ Hits              6126     6194      +68
  Misses            1841     1841
  Partials           240      240
linkvt left a comment:
Same as in the already reviewed PRs 👍
/lgtm
/hold

/hold cancel

What's the intent here? Are we hoping to pull this into specific repos which we release? If so, what bug are we fixing? Or do you just want these changes in a release branch for other reasons?

To clarify, not looking to block this - just looking for clarity on what the subsequent plan is.

@dprotaso right, I have to add more clarity here... In OpenShift 4.22 it will be mandatory for all components to support configurable TLS options (min/max version, cipher suites, curve preferences). Since OpenShift 4.22 will ship Knative 1.21, we need this TLS configuration support on the release-1.21 branch so that the Knative components can comply with that requirement.

ok /lgtm

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, Fedosin

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
… TLS

Backport of the following PRs from main to release-1.21:
- knative#16424 feat: use knative.dev/pkg/tls for activator TLS configuration
- knative#16425 feat: use knative.dev/pkg/tls for queue-proxy TLS configuration
- knative#16431 feat: use knative.dev/pkg/tls for reconciler TLS configuration
- knative#16458 Update TLS import path to knative.dev/pkg/network/tls

Replace hardcoded tls.VersionTLS13 in the activator, queue-proxy, and tag-to-digest resolver with the shared knative.dev/pkg/network/tls package, allowing TLS settings (min/max version, cipher suites, curve preferences) to be configured via environment variables:
- ACTIVATOR_TLS_*
- QUEUE_PROXY_TLS_*
- TAG_TO_DIGEST_TLS_*

Add four new keys to the config-deployment ConfigMap (queue-sidecar-tls-min-version, queue-sidecar-tls-max-version, queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences) and forward them as QUEUE_PROXY_TLS_* environment variables in makeQueueContainer. The default remains TLS 1.3 when no env var is set. The tag-to-digest resolver default is bumped from TLS 1.2 to TLS 1.3.

knative/pkg dependency: knative/pkg#3337

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

… TLS (#16482)

Backport of the following PRs from main to release-1.21:
- #16424 feat: use knative.dev/pkg/tls for activator TLS configuration
- #16425 feat: use knative.dev/pkg/tls for queue-proxy TLS configuration
- #16431 feat: use knative.dev/pkg/tls for reconciler TLS configuration
- #16458 Update TLS import path to knative.dev/pkg/network/tls

Replace hardcoded tls.VersionTLS13 in the activator, queue-proxy, and tag-to-digest resolver with the shared knative.dev/pkg/network/tls package, allowing TLS settings (min/max version, cipher suites, curve preferences) to be configured via environment variables:
- ACTIVATOR_TLS_*
- QUEUE_PROXY_TLS_*
- TAG_TO_DIGEST_TLS_*

Add four new keys to the config-deployment ConfigMap (queue-sidecar-tls-min-version, queue-sidecar-tls-max-version, queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences) and forward them as QUEUE_PROXY_TLS_* environment variables in makeQueueContainer. The default remains TLS 1.3 when no env var is set. The tag-to-digest resolver default is bumped from TLS 1.2 to TLS 1.3.

knative/pkg dependency: knative/pkg#3337

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
Changes
Backport of the following PRs from main to release-1.21:
/kind enhancement