manager: remove TLS options

They are in CAPI now, we import them.

Author: EmilienM

config/manager/manager.yaml

@@ -23,7 +23,7 @@ spec:
             - "--leader-elect"
             - "--v=2"
             - "--diagnostics-address=127.0.0.1:8080"
-            - "--insecure-diagnostics"
+            - "--insecure-diagnostics=true"
           image: controller:latest
           imagePullPolicy: Always
           name: manager

main.go

@@ -17,13 +17,11 @@ package main
 
 import (
 	"context"
-	"crypto/tls"
 	"flag"
 	"fmt"
 	"net/http"
 	_ "net/http/pprof"
 	"os"
-	"strings"
 	"time"
 
 	"github.com/spf13/pflag"
@@ -72,10 +70,8 @@ type TLSOptions struct {
 }
 
 var (
-	scheme               = runtime.NewScheme()
-	setupLog             = ctrl.Log.WithName("setup")
-	tlsOptions           = TLSOptions{}
-	tlsSupportedVersions = []string{TLSVersion12, TLSVersion13}
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
 
 	// flags.
 	managerOptions              = flags.ManagerOptions{}
@@ -175,24 +171,6 @@ func InitFlags(fs *pflag.FlagSet) {
 	fs.IntVar(&scopeCacheMaxSize, "scope-cache-max-size", 10, "The maximum credentials count the operator should keep in cache. Setting this value to 0 means no cache.")
 
 	fs.BoolVar(&showVersion, "version", false, "Show current version and exit.")
-
-	fs.StringVar(&tlsOptions.TLSMinVersion, "tls-min-version", TLSVersion12,
-		"The minimum TLS version in use by the webhook server.\n"+
-			fmt.Sprintf("Possible values are %s.", strings.Join(tlsSupportedVersions, ", ")),
-	)
-
-	fs.StringVar(&tlsOptions.TLSMaxVersion, "tls-max-version", TLSVersion13,
-		"The maximum TLS version in use by the webhook server.\n"+
-			fmt.Sprintf("Possible values are %s.", strings.Join(tlsSupportedVersions, ", ")),
-	)
-
-	tlsCipherPreferredValues := cliflag.PreferredTLSCipherNames()
-	tlsCipherInsecureValues := cliflag.InsecureTLSCipherNames()
-	fs.StringVar(&tlsOptions.TLSCipherSuites, "tls-cipher-suites", "",
-		"Comma-separated list of cipher suites for the webhook server. "+
-			"If omitted, the default Go cipher suites will be used. \n"+
-			"Preferred values: "+strings.Join(tlsCipherPreferredValues, ", ")+". \n"+
-			"Insecure values: "+strings.Join(tlsCipherInsecureValues, ", ")+".")
 }
 
 // Add RBAC for the authorized diagnostics endpoint.
@@ -225,12 +203,6 @@ func main() {
 		}()
 	}
 
-	tlsOptionOverrides, err := GetTLSOptionOverrideFuncs(tlsOptions)
-	if err != nil {
-		setupLog.Error(err, "unable to add TLS settings to the webhook server")
-		os.Exit(1)
-	}
-
 	cfg, err := config.GetConfigWithContext(os.Getenv("KUBECONTEXT"))
 	if err != nil {
 		setupLog.Error(err, "unable to get kubeconfig")
@@ -248,7 +220,7 @@ func main() {
 		}
 	}
 
-	_, metricsOpts, err := flags.GetManagerOptions(managerOptions)
+	tlsOpts, metricsOpts, err := flags.GetManagerOptions(managerOptions)
 	if err != nil {
 		setupLog.Error(err, "unable to get manager options")
 		os.Exit(1)
@@ -285,7 +257,7 @@ func main() {
 			webhook.Options{
 				Port:    webhookPort,
 				CertDir: webhookCertDir,
-				TLSOpts: tlsOptionOverrides,
+				TLSOpts: tlsOpts,
 			},
 		),
 		HealthProbeBindAddress:        healthAddr,
@@ -394,63 +366,3 @@ func setupWebhooks(mgr ctrl.Manager) {
 func concurrency(c int) controller.Options {
 	return controller.Options{MaxConcurrentReconciles: c}
 }
-
-// GetTLSOptionOverrideFuncs returns a list of TLS configuration overrides to be used
-// by the webhook server.
-func GetTLSOptionOverrideFuncs(options TLSOptions) ([]func(*tls.Config), error) {
-	var tlsOptions []func(config *tls.Config)
-
-	// To make a static analyzer happy, this block ensures there is no code
-	// path that sets a TLS version outside the acceptable values, even in
-	// case of unexpected user input.
-	var tlsMinVersion, tlsMaxVersion uint16
-	for version, option := range map[*uint16]string{&tlsMinVersion: options.TLSMinVersion, &tlsMaxVersion: options.TLSMaxVersion} {
-		switch option {
-		case TLSVersion12:
-			*version = tls.VersionTLS12
-		case TLSVersion13:
-			*version = tls.VersionTLS13
-		default:
-			return nil, fmt.Errorf("unexpected TLS version %q (must be one of: %s)", option, strings.Join(tlsSupportedVersions, ", "))
-		}
-	}
-
-	if tlsMaxVersion != 0 && tlsMinVersion > tlsMaxVersion {
-		return nil, fmt.Errorf("TLS version flag min version (%s) is greater than max version (%s)",
-			options.TLSMinVersion, options.TLSMaxVersion)
-	}
-
-	tlsOptions = append(tlsOptions, func(cfg *tls.Config) {
-		cfg.MinVersion = tlsMinVersion
-		cfg.MaxVersion = tlsMaxVersion
-	})
-
-	// Cipher suites should not be set if empty.
-	if tlsMinVersion >= tls.VersionTLS13 &&
-		options.TLSCipherSuites != "" {
-		setupLog.Info("warning: Cipher suites should not be set for TLS version 1.3. Ignoring ciphers")
-		options.TLSCipherSuites = ""
-	}
-
-	if options.TLSCipherSuites != "" {
-		tlsCipherSuites := strings.Split(options.TLSCipherSuites, ",")
-		suites, err := cliflag.TLSCipherSuites(tlsCipherSuites)
-		if err != nil {
-			return nil, err
-		}
-
-		insecureCipherValues := cliflag.InsecureTLSCipherNames()
-		for _, cipher := range tlsCipherSuites {
-			for _, insecureCipherName := range insecureCipherValues {
-				if insecureCipherName == cipher {
-					setupLog.Info(fmt.Sprintf("warning: use of insecure cipher '%s' detected.", cipher))
-				}
-			}
-		}
-		tlsOptions = append(tlsOptions, func(cfg *tls.Config) {
-			cfg.CipherSuites = suites
-		})
-	}
-
-	return tlsOptions, nil
-}