2940: optionally enable TLS 1.3 for SPO webhook

Author: ngopalak-redhat

cmd/security-profiles-operator/main.go

@@ -101,11 +101,17 @@ const (
 	auditLogMaxAgeParam      string = "audit-log-maxage"
 	enricherFiltersJsonParam string = "enricher-filters-json"
 	enricherLogSourceParam   string = "enricher-log-source"
+	tlsMinVersionParam       string = "tls-min-version"
+	defaultTlsMinVersion     string = "1.2"
 )
 
 var (
-	sync     = time.Second * 30
-	setupLog = ctrl.Log.WithName("setup")
+	sync             = time.Second * 30
+	setupLog         = ctrl.Log.WithName("setup")
+	tlsMinVersionMap = map[string]uint16{
+		"1.2": tls.VersionTLS12,
+		"1.3": tls.VersionTLS13,
+	}
 )
 
 func main() {
@@ -226,6 +232,11 @@ func main() {
 					Value:   false,
 					Usage:   "the webhook k8s resources are statically managed (default false)",
 				},
+				&cli.GenericFlag{
+					Name:  tlsMinVersionParam,
+					Value: util.NewEnumValue([]string{"1.2", "1.3"}, "1.2"),
+					Usage: "minimum TLS version to use for the SPO webhooks. Supported values: 1.2, 1.3. (default: 1.2)",
+				},
 			},
 		},
 		&cli.Command{
@@ -797,12 +808,23 @@ func runWebhook(ctx *cli.Context, info *version.Info) error {
 
 	port := ctx.Int("port")
 
-	disableHTTP2 := func(c *tls.Config) {
+	var tlsMinVersionStr string
+
+	tlsMinVersion, ok := ctx.Generic(tlsMinVersionParam).(util.EnumValue)
+	if !ok {
+		tlsMinVersionStr = defaultTlsMinVersion
+	} else {
+		tlsMinVersionStr = tlsMinVersion.String()
+	}
+
+	tlsConfig := func(c *tls.Config) {
 		c.NextProtos = []string{"http/1.1"}
+		c.MinVersion = tlsMinVersionMap[tlsMinVersionStr]
 	}
+
 	webhookServerOptions := webhook.Options{
 		Port:    port,
-		TLSOpts: []func(config *tls.Config){disableHTTP2},
+		TLSOpts: []func(config *tls.Config){tlsConfig},
 	}
 
 	webhookServer := webhook.NewServer(webhookServerOptions)

internal/pkg/util/enum.go

@@ -0,0 +1,63 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"flag"
+	"fmt"
+	"strings"
+)
+
+type EnumValue struct {
+	Enum     []string
+	Default  string
+	selected string
+}
+
+var _ flag.Value = (*EnumValue)(nil)
+
+// NewEnumValue returns a new EnumValue. Returns nil if defaultValue is not found in enum.
+func NewEnumValue(enum []string, defaultValue string) *EnumValue {
+	for _, v := range enum {
+		if v == defaultValue {
+			return &EnumValue{Enum: enum, Default: defaultValue}
+		}
+	}
+
+	return nil
+}
+
+// Set method is used by cli.GenericFlag. But the IDE won't recognize it.
+func (e *EnumValue) Set(value string) error {
+	for _, enum := range e.Enum {
+		if strings.EqualFold(enum, value) {
+			e.selected = enum
+
+			return nil
+		}
+	}
+
+	return fmt.Errorf("allowed values are %s", strings.Join(e.Enum, ", "))
+}
+
+func (e *EnumValue) String() string {
+	if e.selected == "" {
+		return e.Default
+	}
+
+	return e.selected
+}

internal/pkg/util/enum_test.go

@@ -0,0 +1,86 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"flag"
+	"testing"
+)
+
+func TestEnumValue(t *testing.T) {
+	t.Parallel()
+
+	// Test NewEnumValue
+	enum := NewEnumValue([]string{"1.2", "1.3"}, "1.2")
+	if enum == nil {
+		t.Fatal("NewEnumValue should not return nil for valid input")
+	}
+
+	if enum.Default != "1.2" {
+		t.Errorf("expected default '1.2', got '%s'", enum.Default)
+	}
+
+	// Test invalid constructor
+	if NewEnumValue([]string{"1.2", "1.3"}, "1.1") != nil {
+		t.Error("NewEnumValue should return nil when default not in enum")
+	}
+
+	if NewEnumValue([]string{}, "test") != nil {
+		t.Error("NewEnumValue should return nil for empty enum")
+	}
+
+	// Test String method returns default initially
+	if enum.String() != "1.2" {
+		t.Errorf("expected default '1.2', got '%s'", enum.String())
+	}
+
+	// Test Set method with valid inputs
+	if err := enum.Set("1.3"); err != nil {
+		t.Errorf("Set failed for valid value: %v", err)
+	}
+
+	if enum.String() != "1.3" {
+		t.Errorf("expected '1.3' after Set, got '%s'", enum.String())
+	}
+
+	// Test Set method with invalid inputs
+	if err := enum.Set("1.1"); err == nil {
+		t.Error("Set should fail for invalid value")
+	}
+
+	// Test case-insensitive matching
+	enumCase := NewEnumValue([]string{"Debug", "Info"}, "Info")
+	if err := enumCase.Set("debug"); err != nil {
+		t.Errorf("Set should work case-insensitively: %v", err)
+	}
+
+	if enumCase.String() != "Debug" {
+		t.Errorf("expected canonical case 'Debug', got '%s'", enumCase.String())
+	}
+
+	// Test flag.Value interface
+	var _ flag.Value = enum
+
+	// Test error message format
+	err := enum.Set("invalid")
+
+	expectedMsg := "allowed values are 1.2, 1.3"
+
+	if err.Error() != expectedMsg {
+		t.Errorf("expected error '%s', got '%s'", expectedMsg, err.Error())
+	}
+}