feat: use centralized TLS configuration from knative/pkg/tls

Bump knative.dev/pkg to pick up the new knative.dev/pkg/tls package
and replace the hardcoded TLS server config in eventingtls with
the shared DefaultConfigFromEnv utility. This enables environment-based
control of MinVersion, MaxVersion, CipherSuites, and CurvePreferences
for all eventing TLS servers (broker filter/ingress, IMC dispatcher,
job sink, auth proxy, request-reply).
Since DefaultConfigFromEnv defaults to TLS 1.3 but eventing historically
defaults to TLS 1.2, GetTLSServerConfig falls back to 1.2 unless
TLS_MIN_VERSION is explicitly set.
Also wires up TLS for the RequestReply data plane, which previously had
a TODO placeholder.

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

Author: Fedosin

cmd/requestreply/main.go

@@ -18,12 +18,14 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"log"
 
 	"github.com/kelseyhightower/envconfig"
 	"go.uber.org/zap"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 
 	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/kncloudevents"
@@ -34,6 +36,7 @@ import (
 	configmap "knative.dev/pkg/configmap/informer"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection"
+	secretinformer "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret"
 	"knative.dev/pkg/logging"
 	"knative.dev/pkg/signals"
 	"knative.dev/pkg/system"
@@ -109,9 +112,15 @@ func main() {
 		env.PodIdx,
 	)
 
+	tlsConfig, err := getServerTLSConfig(ctx)
+	if err != nil {
+		logger.Fatal("failed to get TLS server config", zap.Error(err))
+	}
+
 	sm, err := eventingtls.NewServerManager(ctx,
 		kncloudevents.NewHTTPEventReceiver(env.HttpPort),
-		kncloudevents.NewHTTPEventReceiver(env.HttpsPort), // TODO: add tls config when we have it
+		kncloudevents.NewHTTPEventReceiver(env.HttpsPort,
+			kncloudevents.WithTLSConfig(tlsConfig)),
 		handler,
 		configMapWatcher,
 	)
@@ -135,6 +144,17 @@ func flush(sl *zap.SugaredLogger) {
 	_ = sl.Sync()
 }
 
+func getServerTLSConfig(ctx context.Context) (*tls.Config, error) {
+	secret := types.NamespacedName{
+		Namespace: system.Namespace(),
+		Name:      eventingtls.RequestReplyServerTLSSecretName,
+	}
+
+	serverTLSConfig := eventingtls.NewDefaultServerConfig()
+	serverTLSConfig.GetCertificate = eventingtls.GetCertificateFromSecret(ctx, secretinformer.Get(ctx), kubeclient.Get(ctx), secret)
+	return eventingtls.GetTLSServerConfig(serverTLSConfig)
+}
+
 func getLoggingConfig(ctx context.Context, namespace, loggingConfigMapName string) (*logging.Config, error) {
 	loggingConfigMap, err := kubeclient.Get(ctx).CoreV1().ConfigMaps(namespace).Get(ctx, loggingConfigMapName, metav1.GetOptions{})
 	if apierrs.IsNotFound(err) {

pkg/eventingtls/eventingtls.go

@@ -39,6 +39,7 @@ import (
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/logging"
+	pkgtls "knative.dev/pkg/tls"
 )
 
 const (
@@ -58,6 +59,8 @@ const (
 	BrokerFilterServerTLSSecretName = "mt-broker-filter-server-tls" //nolint:gosec // This is not a hardcoded credential
 	// BrokerIngressServerTLSSecretName is the name of the tls secret for the broker ingress server
 	BrokerIngressServerTLSSecretName = "mt-broker-ingress-server-tls" //nolint:gosec // This is not a hardcoded credential
+	// RequestReplyServerTLSSecretName is the name of the tls secret for the request reply server
+	RequestReplyServerTLSSecretName = "request-reply-server-tls" //nolint:gosec // This is not a hardcoded credential
 )
 
 type ClientConfig struct {
@@ -181,10 +184,19 @@ func NewDefaultServerConfig() ServerConfig {
 }
 
 func GetTLSServerConfig(config ServerConfig) (*tls.Config, error) {
-	return &tls.Config{
-		MinVersion:     DefaultMinTLSVersion,
-		GetCertificate: config.GetCertificate,
-	}, nil
+	cfg, err := pkgtls.DefaultConfigFromEnv("")
+	if err != nil {
+		return nil, fmt.Errorf("failed to load TLS config from env: %w", err)
+	}
+
+	// DefaultConfigFromEnv defaults to TLS 1.3, but eventing defaults to TLS 1.2.
+	// Only keep TLS 1.3 if explicitly set via environment variable.
+	if os.Getenv(pkgtls.MinVersionEnvKey) == "" {
+		cfg.MinVersion = DefaultMinTLSVersion
+	}
+
+	cfg.GetCertificate = config.GetCertificate
+	return cfg, nil
 }
 
 // IsHttpsSink returns true if the sink has scheme equal to https.

pkg/eventingtls/eventingtls_test.go

@@ -22,6 +22,7 @@ import (
 	"testing"
 
 	"k8s.io/utils/pointer"
+	pkgtls "knative.dev/pkg/tls"
 )
 
 func TestGetClientConfig(t *testing.T) {
@@ -129,3 +130,110 @@ func WithCerts(pool *x509.CertPool, caCerts string) *x509.CertPool {
 	}
 	return pool
 }
+
+func TestGetTLSServerConfig(t *testing.T) {
+	t.Run("defaults to TLS 1.2 when env not set", func(t *testing.T) {
+		t.Setenv(pkgtls.MinVersionEnvKey, "")
+
+		cfg, err := GetTLSServerConfig(NewDefaultServerConfig())
+		if err != nil {
+			t.Fatal("unexpected error:", err)
+		}
+		if cfg.MinVersion != tls.VersionTLS12 {
+			t.Fatalf("want MinVersion TLS 1.2 (%d), got %d", tls.VersionTLS12, cfg.MinVersion)
+		}
+	})
+
+	t.Run("uses TLS 1.3 when explicitly set via env", func(t *testing.T) {
+		t.Setenv(pkgtls.MinVersionEnvKey, "1.3")
+
+		cfg, err := GetTLSServerConfig(NewDefaultServerConfig())
+		if err != nil {
+			t.Fatal("unexpected error:", err)
+		}
+		if cfg.MinVersion != tls.VersionTLS13 {
+			t.Fatalf("want MinVersion TLS 1.3 (%d), got %d", tls.VersionTLS13, cfg.MinVersion)
+		}
+	})
+
+	t.Run("uses TLS 1.2 when explicitly set via env", func(t *testing.T) {
+		t.Setenv(pkgtls.MinVersionEnvKey, "1.2")
+
+		cfg, err := GetTLSServerConfig(NewDefaultServerConfig())
+		if err != nil {
+			t.Fatal("unexpected error:", err)
+		}
+		if cfg.MinVersion != tls.VersionTLS12 {
+			t.Fatalf("want MinVersion TLS 1.2 (%d), got %d", tls.VersionTLS12, cfg.MinVersion)
+		}
+	})
+
+	t.Run("reads MaxVersion from env", func(t *testing.T) {
+		t.Setenv(pkgtls.MaxVersionEnvKey, "1.3")
+
+		cfg, err := GetTLSServerConfig(NewDefaultServerConfig())
+		if err != nil {
+			t.Fatal("unexpected error:", err)
+		}
+		if cfg.MaxVersion != tls.VersionTLS13 {
+			t.Fatalf("want MaxVersion TLS 1.3 (%d), got %d", tls.VersionTLS13, cfg.MaxVersion)
+		}
+	})
+
+	t.Run("reads CipherSuites from env", func(t *testing.T) {
+		t.Setenv(pkgtls.CipherSuitesEnvKey, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
+
+		cfg, err := GetTLSServerConfig(NewDefaultServerConfig())
+		if err != nil {
+			t.Fatal("unexpected error:", err)
+		}
+		if len(cfg.CipherSuites) != 1 || cfg.CipherSuites[0] != tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 {
+			t.Fatalf("want CipherSuites [%d], got %v", tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cfg.CipherSuites)
+		}
+	})
+
+	t.Run("reads CurvePreferences from env", func(t *testing.T) {
+		t.Setenv(pkgtls.CurvePreferencesEnvKey, "X25519,CurveP256")
+
+		cfg, err := GetTLSServerConfig(NewDefaultServerConfig())
+		if err != nil {
+			t.Fatal("unexpected error:", err)
+		}
+		if len(cfg.CurvePreferences) != 2 {
+			t.Fatalf("want 2 CurvePreferences, got %d", len(cfg.CurvePreferences))
+		}
+		if cfg.CurvePreferences[0] != tls.X25519 || cfg.CurvePreferences[1] != tls.CurveP256 {
+			t.Fatalf("want CurvePreferences [X25519, CurveP256], got %v", cfg.CurvePreferences)
+		}
+	})
+
+	t.Run("returns error on invalid env value", func(t *testing.T) {
+		t.Setenv(pkgtls.MinVersionEnvKey, "invalid")
+
+		_, err := GetTLSServerConfig(NewDefaultServerConfig())
+		if err == nil {
+			t.Fatal("expected error for invalid TLS_MIN_VERSION, got nil")
+		}
+	})
+
+	t.Run("preserves GetCertificate callback", func(t *testing.T) {
+		called := false
+		sc := ServerConfig{
+			GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+				called = true
+				return nil, nil
+			},
+		}
+		cfg, err := GetTLSServerConfig(sc)
+		if err != nil {
+			t.Fatal("unexpected error:", err)
+		}
+		if cfg.GetCertificate == nil {
+			t.Fatal("GetCertificate should not be nil")
+		}
+		_, _ = cfg.GetCertificate(nil)
+		if !called {
+			t.Fatal("GetCertificate callback was not invoked")
+		}
+	})
+}