feat: use knative.dev/pkg/tls for queue-proxy TLS configuration by Fedosin · Pull Request #16425 · knative/serving

Fedosin · Mar 3, 2026

Proposed Changes

Replace the hardcoded tls.VersionTLS13 in queue-proxy's TLS server with the shared knative.dev/pkg/tls package, allowing TLS settings to be configured via QUEUE_PROXY_TLS_MIN_VERSION, QUEUE_PROXY_TLS_MAX_VERSION, QUEUE_PROXY_TLS_CIPHER_SUITES, and QUEUE_PROXY_TLS_CURVE_PREFERENCES environment variables. The default remains TLS 1.3 when no env var is set.

Add four new keys to the config-deployment ConfigMap (queue-sidecar-tls-min-version, queue-sidecar-tls-max-version,
queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences) and forward them as QUEUE_PROXY_TLS_* environment variables in makeQueueContainer. This allows cluster admins to configure the queue-proxy's TLS server via the same ConfigMap used for other queue-proxy settings (like queue-sidecar-rootca), since the operator cannot inject env vars into the dynamically created sidecar via manifestival.

Release Note

Queue-proxy TLS server settings are now configurable via the config-deployment ConfigMap using queue-sidecar-tls-min-version, queue-sidecar-tls-max-version, queue-sidecar-tls-cipher-suites, and queue-sidecar-tls-curve-preferences keys.

knative/pkg patch: knative/pkg#3324

codecov · Mar 3, 2026

Codecov Report

❌ Patch coverage is 43.24324% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.27%. Comparing base (42495d4) to head (ad8272f).
⚠️ Report is 7 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/queue/sharedmain/main.go	0.00%	21 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #16425      +/-   ##
==========================================
+ Coverage   80.21%   80.27%   +0.05%     
==========================================
  Files         217      217              
  Lines       13511    13528      +17     
==========================================
+ Hits        10838    10859      +21     
+ Misses       2307     2302       -5     
- Partials      366      367       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

twoGiants

Very clean, great job, thank you! 😺 👍

/approve
/lgtm

twoGiants · Mar 4, 2026

/retest

Fedosin · Mar 4, 2026

/hold

Fedosin · Mar 5, 2026

/hold cancel

Replace the hardcoded tls.VersionTLS13 in queue-proxy's TLS server with the shared knative.dev/pkg/tls package, allowing TLS settings to be configured via QUEUE_PROXY_TLS_MIN_VERSION, QUEUE_PROXY_TLS_MAX_VERSION, QUEUE_PROXY_TLS_CIPHER_SUITES, and QUEUE_PROXY_TLS_CURVE_PREFERENCES environment variables. The default remains TLS 1.3 when no env var is set. Add four new keys to the config-deployment ConfigMap (queue-sidecar-tls-min-version, queue-sidecar-tls-max-version, queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences) and forward them as QUEUE_PROXY_TLS_* environment variables in makeQueueContainer. This allows cluster admins to configure the queue-proxy's TLS server via the same ConfigMap used for other queue-proxy settings (like queue-sidecar-rootca), since the operator cannot inject env vars into the dynamically created sidecar via manifestival. Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

twoGiants

/approve
/lgtm

linkvt

/lgtm

dprotaso · Mar 8, 2026

/lgtm
/approve

knative-prow · Mar 8, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, Fedosin, twoGiants

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [dprotaso]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

… TLS Backport of the following PRs from main to release-1.21: - knative#16424 feat: use knative.dev/pkg/tls for activator TLS configuration - knative#16425 feat: use knative.dev/pkg/tls for queue-proxy TLS configuration - knative#16431 feat: use knative.dev/pkg/tls for reconciler TLS configuration - knative#16458 Update TLS import path to knative.dev/pkg/network/tls Replace hardcoded tls.VersionTLS13 in the activator, queue-proxy, and tag-to-digest resolver with the shared knative.dev/pkg/network/tls package, allowing TLS settings (min/max version, cipher suites, curve preferences) to be configured via environment variables: - ACTIVATOR_TLS_* - QUEUE_PROXY_TLS_* - TAG_TO_DIGEST_TLS_* Add four new keys to the config-deployment ConfigMap (queue-sidecar-tls-min-version, queue-sidecar-tls-max-version, queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences) and forward them as QUEUE_PROXY_TLS_* environment variables in makeQueueContainer. The default remains TLS 1.3 when no env var is set. The tag-to-digest resolver default is bumped from TLS 1.2 to TLS 1.3. knative/pkg dependency: knative/pkg#3337 Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

… TLS (#16482) Backport of the following PRs from main to release-1.21: - #16424 feat: use knative.dev/pkg/tls for activator TLS configuration - #16425 feat: use knative.dev/pkg/tls for queue-proxy TLS configuration - #16431 feat: use knative.dev/pkg/tls for reconciler TLS configuration - #16458 Update TLS import path to knative.dev/pkg/network/tls Replace hardcoded tls.VersionTLS13 in the activator, queue-proxy, and tag-to-digest resolver with the shared knative.dev/pkg/network/tls package, allowing TLS settings (min/max version, cipher suites, curve preferences) to be configured via environment variables: - ACTIVATOR_TLS_* - QUEUE_PROXY_TLS_* - TAG_TO_DIGEST_TLS_* Add four new keys to the config-deployment ConfigMap (queue-sidecar-tls-min-version, queue-sidecar-tls-max-version, queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences) and forward them as QUEUE_PROXY_TLS_* environment variables in makeQueueContainer. The default remains TLS 1.3 when no env var is set. The tag-to-digest resolver default is bumped from TLS 1.2 to TLS 1.3. knative/pkg dependency: knative/pkg#3337 Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

knative-prow Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 3, 2026

knative-prow Bot requested review from dsimansk and skonto March 3, 2026 10:53

Fedosin force-pushed the queue-proxy-tls branch from 0c3c394 to c697440 Compare March 3, 2026 10:56

Fedosin changed the title ~~Use knative.dev/pkg/tls for queue-proxy TLS configuration~~ feat: use knative.dev/pkg/tls for queue-proxy TLS configuration Mar 3, 2026

Fedosin force-pushed the queue-proxy-tls branch from c697440 to 562f79a Compare March 3, 2026 10:57

linkvt reviewed Mar 3, 2026

View reviewed changes

Comment thread pkg/deployment/config.go

Comment thread pkg/queue/sharedmain/main.go Outdated

Comment thread pkg/queue/sharedmain/main.go Outdated

Fedosin mentioned this pull request Mar 3, 2026

feat: use knative.dev/pkg/tls for activator TLS configuration #16424

Merged

Fedosin force-pushed the queue-proxy-tls branch from f195476 to 8a646eb Compare March 3, 2026 17:28

twoGiants approved these changes Mar 4, 2026

View reviewed changes

Comment thread pkg/queue/sharedmain/main.go Outdated

knative-prow Bot assigned twoGiants Mar 4, 2026

knative-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 4, 2026

knative-prow Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 4, 2026

Fedosin force-pushed the queue-proxy-tls branch from 8a646eb to 3bc387a Compare March 5, 2026 11:07

knative-prow Bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2026

knative-prow Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 5, 2026

linkvt reviewed Mar 5, 2026

View reviewed changes

Comment thread pkg/queue/sharedmain/tls_config_test.go Outdated

Comment thread pkg/queue/sharedmain/main.go Outdated

Comment thread pkg/deployment/config.go Outdated

Fedosin force-pushed the queue-proxy-tls branch from 3bc387a to ad8272f Compare March 5, 2026 12:43

twoGiants approved these changes Mar 5, 2026

View reviewed changes

knative-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2026

linkvt reviewed Mar 5, 2026

View reviewed changes

knative-prow Bot assigned linkvt Mar 5, 2026

knative-prow Bot assigned dprotaso Mar 8, 2026

knative-prow Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 8, 2026

knative-prow Bot merged commit 39b2d47 into knative:main Mar 8, 2026
70 checks passed

Fedosin mentioned this pull request Mar 20, 2026

[release-1.21] feat: use knative.dev/pkg/network/tls for configurable TLS #16482

Merged

Search code, repositories, users, issues, pull requests...

Conversation

Fedosin commented Mar 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Proposed Changes

Uh oh!

codecov Bot commented Mar 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

Uh oh!

twoGiants left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

twoGiants commented Mar 4, 2026

Uh oh!

Fedosin commented Mar 4, 2026

Uh oh!

Fedosin commented Mar 5, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

twoGiants left a comment

Choose a reason for hiding this comment

Uh oh!

linkvt left a comment

Choose a reason for hiding this comment

Uh oh!

dprotaso commented Mar 8, 2026

Uh oh!

knative-prow Bot commented Mar 8, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Fedosin commented Mar 3, 2026 •

edited

Loading

codecov Bot commented Mar 3, 2026 •

edited

Loading