feat: add shared tls package for reading TLS config from environment#3324
Merged
knative-prow[bot] merged 2 commits intoknative:mainknative/pkg:mainfrom Mar 2, 2026
Merged
feat: add shared tls package for reading TLS config from environment#3324knative-prow[bot] merged 2 commits intoknative:mainknative/pkg:mainfrom
knative-prow[bot] merged 2 commits intoknative:mainknative/pkg:mainfrom
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3324 +/- ##
==========================================
+ Coverage 74.63% 74.87% +0.24%
==========================================
Files 188 189 +1
Lines 8219 8299 +80
==========================================
+ Hits 6134 6214 +80
Misses 1844 1844
Partials 241 241 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
62d1981 to
554c259
Compare
Extract TLS configuration parsing into a reusable knative.dev/pkg/tls package so that any Knative component (not just webhooks) can read TLS_MIN_VERSION, TLS_MAX_VERSION, TLS_CIPHER_SUITES, and TLS_CURVE_PREFERENCES from environment variables with an optional prefix. The webhook package is updated to use the new tls package, extending env var support from just WEBHOOK_TLS_MIN_VERSION to all four WEBHOOK_TLS_* variables. Programmatic Options values continue to take precedence over environment variables. Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
twoGiants
suggested changes
Mar 2, 2026
twoGiants
suggested changes
Mar 2, 2026
Contributor
twoGiants
left a comment
There was a problem hiding this comment.
Alright, done. Tests are great!
See my few comments.
Reduce the public API surface of the tls package by unexporting ParseVersion, ParseCipherSuites, and ParseCurvePreferences since they are implementation details of NewConfigFromEnv. Also validate that TLS max version is not smaller than min version in webhook.New(), document the Options TLS field precedence (programmatic > env vars > defaults), and broaden TestConfig_TLSConfig to exercise the full NewConfigFromEnv → TLSConfig path. Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Cali0707, Fedosin, twoGiants The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This was referenced Mar 3, 2026
Member
|
Can we move this package under |
Fedosin
added a commit
to Fedosin/knative-pkg
that referenced
this pull request
Mar 18, 2026
…native#3324) * feat: add shared tls package for reading TLS config from environment Extract TLS configuration parsing into a reusable knative.dev/pkg/tls package so that any Knative component (not just webhooks) can read TLS_MIN_VERSION, TLS_MAX_VERSION, TLS_CIPHER_SUITES, and TLS_CURVE_PREFERENCES from environment variables with an optional prefix. The webhook package is updated to use the new tls package, extending env var support from just WEBHOOK_TLS_MIN_VERSION to all four WEBHOOK_TLS_* variables. Programmatic Options values continue to take precedence over environment variables. Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com> * fix: address review feedback on tls package Reduce the public API surface of the tls package by unexporting ParseVersion, ParseCipherSuites, and ParseCurvePreferences since they are implementation details of NewConfigFromEnv. Also validate that TLS max version is not smaller than min version in webhook.New(), document the Options TLS field precedence (programmatic > env vars > defaults), and broaden TestConfig_TLSConfig to exercise the full NewConfigFromEnv → TLSConfig path. Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com> --------- Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
knative-prow Bot
pushed a commit
that referenced
this pull request
Mar 19, 2026
* feat: add shared tls package for reading TLS config from environment (#3324) * feat: add shared tls package for reading TLS config from environment Extract TLS configuration parsing into a reusable knative.dev/pkg/tls package so that any Knative component (not just webhooks) can read TLS_MIN_VERSION, TLS_MAX_VERSION, TLS_CIPHER_SUITES, and TLS_CURVE_PREFERENCES from environment variables with an optional prefix. The webhook package is updated to use the new tls package, extending env var support from just WEBHOOK_TLS_MIN_VERSION to all four WEBHOOK_TLS_* variables. Programmatic Options values continue to take precedence over environment variables. Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com> * fix: address review feedback on tls package Reduce the public API surface of the tls package by unexporting ParseVersion, ParseCipherSuites, and ParseCurvePreferences since they are implementation details of NewConfigFromEnv. Also validate that TLS max version is not smaller than min version in webhook.New(), document the Options TLS field precedence (programmatic > env vars > defaults), and broaden TestConfig_TLSConfig to exercise the full NewConfigFromEnv → TLSConfig path. Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com> --------- Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com> * Replace NewConfigFromEnv with DefaultConfigFromEnv (#3328) DefaultConfigFromEnv replaces NewConfigFromEnv by returning a full default tls.Config with overrides from env vars. This avoids specifying e.g. the TLS MinVersion explicitely. * Move tls package to network/tls, keep aliases for backward compatibility (#3331) The TLS configuration package is moved from tls/ to network/tls/ to co-locate it with the rest of the networking code. The old tls/ package now re-exports all public symbols as deprecated aliases so that existing consumers continue to compile without changes. The webhook package is updated to import from the new location directly. Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com> * remove deprecated TLS package (#3333) --------- Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com> Co-authored-by: Vincent Link <linkvt@users.noreply.github.com> Co-authored-by: Dave Protasowski <dprotaso@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
Extract TLS configuration parsing into a reusable knative.dev/pkg/tls package so that any Knative component (not just webhooks) can read TLS_MIN_VERSION, TLS_MAX_VERSION, TLS_CIPHER_SUITES, and TLS_CURVE_PREFERENCES from environment variables with an optional prefix.
The webhook package is updated to use the new tls package, extending env var support from just WEBHOOK_TLS_MIN_VERSION to all four WEBHOOK_TLS_* variables. Programmatic Options values continue to take precedence over environment variables.
/kind enhancement
Fixes #
Release Note
Docs