Skip to content

[release-1.21] Backport centralized TLS configuration#8966

Open
Fedosin wants to merge 2 commits intoknative:release-1.21from
Fedosin:backport-tls-release-1.21
Open

[release-1.21] Backport centralized TLS configuration#8966
Fedosin wants to merge 2 commits intoknative:release-1.21from
Fedosin:backport-tls-release-1.21

Conversation

@Fedosin
Copy link
Contributor

@Fedosin Fedosin commented Mar 25, 2026
edited
Loading

Proposed Changes

Backport of #8901 and #8912 to release-1.21.

Cherry-picked commits

  1. feat: use centralized TLS configuration from knative/pkg/tls (feat: use centralized TLS configuration from knative/pkg/tls #8901)
    Bump knative.dev/pkg to pick up the new knative.dev/pkg/tls package and replace the hardcoded TLS server config in eventingtls with the shared DefaultConfigFromEnv utility. This enables environment-based control of MinVersion, MaxVersion, CipherSuites, and CurvePreferences for all eventing TLS servers (broker filter/ingress, IMC dispatcher, job sink, auth proxy, request-reply).
    Since DefaultConfigFromEnv defaults to TLS 1.3 but eventing historically defaults to TLS 1.2, GetTLSServerConfig falls back to 1.2 unless TLS_MIN_VERSION is explicitly set.
    Also wires up TLS for the RequestReply data plane, which previously had a TODO placeholder.

  2. Update TLS import path to knative.dev/pkg/network/tls (Update TLS import path to knative.dev/pkg/network/tls #8912)
    The knative.dev/pkg/tls package has been relocated to knative.dev/pkg/network/tls. Update all import references accordingly.

Release Note

All eventing TLS servers now support configurable TLS settings (min/max version, cipher suites, curve preferences) via environment variables TLS_MIN_VERSION, TLS_MAX_VERSION, TLS_CIPHER_SUITES, and TLS_CURVE_PREFERENCES. The default minimum TLS version remains 1.2.

Fedosin added 2 commits March 25, 2026 13:51
@Fedosin
feat: use centralized TLS configuration from knative/pkg/tls (knative…
df4f854 
…#8901)

Bump knative.dev/pkg to pick up the new knative.dev/pkg/tls package
and replace the hardcoded TLS server config in eventingtls with
the shared DefaultConfigFromEnv utility. This enables environment-based
control of MinVersion, MaxVersion, CipherSuites, and CurvePreferences
for all eventing TLS servers (broker filter/ingress, IMC dispatcher,
job sink, auth proxy, request-reply).
Since DefaultConfigFromEnv defaults to TLS 1.3 but eventing historically
defaults to TLS 1.2, GetTLSServerConfig falls back to 1.2 unless
TLS_MIN_VERSION is explicitly set.
Also wires up TLS for the RequestReply data plane, which previously had
a TODO placeholder.

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
@Fedosin
Update TLS import path to knative.dev/pkg/network/tls (knative#8912)
5286713 
The knative.dev/pkg/tls package has been relocated to
knative.dev/pkg/network/tls. Update all import references accordingly.
@knative-prow knative-prow bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 25, 2026
@knative-prow
Copy link

knative-prow bot commented Mar 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Fedosin
Once this PR has been reviewed and has the lgtm label, please assign dsimansk for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot requested review from Cali0707 and pierDipi March 25, 2026 12:52
@knative-prow
Copy link

knative-prow bot commented Mar 25, 2026

@Fedosin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
build-tests_eventing_release-1.21 5286713 link true /test build-tests
unit-tests_eventing_release-1.21 5286713 link true /test unit-tests
upgrade-tests_eventing_release-1.21 5286713 link true /test upgrade-tests
conformance-tests_eventing_release-1.21 5286713 link true /test conformance-tests
reconciler-tests_eventing_release-1.21 5286713 link true /test reconciler-tests

Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Cali0707 Cali0707 Awaiting requested review from Cali0707

@pierDipi pierDipi Awaiting requested review from pierDipi

Assignees

No one assigned

Labels

size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Fedosin