[release-1.21] feat: use knative.dev/pkg/network/tls for configurable TLS #16482

Merged
knative-prow[bot] merged 1 commit into knative:release-1.21 from Fedosin:backport-tls-release-1.21
Mar 20, 2026

Fedosin commented Mar 20, 2026

Fixes #

Proposed Changes

Backport of the following PRs from main to release-1.21:

Replace hardcoded tls.VersionTLS13 in the activator, queue-proxy, and tag-to-digest resolver with the shared knative.dev/pkg/network/tls package, allowing TLS settings (min/max version, cipher suites, curve preferences) to be configured via environment variables:

  • ACTIVATOR_TLS_*
  • QUEUE_PROXY_TLS_*
  • TAG_TO_DIGEST_TLS_*

Add four new keys to the config-deployment ConfigMap (queue-sidecar-tls-min-version, queue-sidecar-tls-max-version, queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences) and forward them as QUEUE_PROXY_TLS_* environment variables in makeQueueContainer.

The default remains TLS 1.3 when no env var is set. The tag-to-digest resolver default is bumped from TLS 1.2 to TLS 1.3.

knative/pkg dependency: knative/pkg#3337

Release Note


… TLS

Backport of the following PRs from main to release-1.21:
- knative#16424 feat: use knative.dev/pkg/tls for activator TLS configuration
- knative#16425 feat: use knative.dev/pkg/tls for queue-proxy TLS configuration
- knative#16431 feat: use knative.dev/pkg/tls for reconciler TLS configuration
- knative#16458 Update TLS import path to knative.dev/pkg/network/tls

Replace hardcoded tls.VersionTLS13 in the activator, queue-proxy, and
tag-to-digest resolver with the shared knative.dev/pkg/network/tls
package, allowing TLS settings (min/max version, cipher suites, curve
preferences) to be configured via environment variables:
  - ACTIVATOR_TLS_*
  - QUEUE_PROXY_TLS_*
  - TAG_TO_DIGEST_TLS_*

Add four new keys to the config-deployment ConfigMap
(queue-sidecar-tls-min-version, queue-sidecar-tls-max-version,
queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences)
and forward them as QUEUE_PROXY_TLS_* environment variables in
makeQueueContainer.

The default remains TLS 1.3 when no env var is set. The tag-to-digest
resolver default is bumped from TLS 1.2 to TLS 1.3.

knative/pkg dependency: knative/pkg#3337

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
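
The environment-driven TLS setup described in the PR description above, sketched with only the Go standard library as an added example (not the PR's code and not the knative.dev/pkg/network/tls API). The `_TLS_MIN_VERSION`, `_TLS_MAX_VERSION` and `_TLS_CIPHER_SUITES` suffixes and the "1.2"/"1.3" value format are assumptions modelled on the ConfigMap key names; curve preferences are left out.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"strings"
)

// Assumed value format for the version variables: "1.2" or "1.3".
var versions = map[string]uint16{"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}

// configFromEnv builds a tls.Config from <prefix>_TLS_* variables. The
// suffixes are assumptions modelled on the ConfigMap key names in the PR.
func configFromEnv(prefix string, getenv func(string) string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13} // default when nothing is set
	bounds := map[string]*uint16{"MIN_VERSION": &cfg.MinVersion, "MAX_VERSION": &cfg.MaxVersion}
	for suffix, dst := range bounds {
		if v := getenv(prefix + "_TLS_" + suffix); v != "" {
			id, ok := versions[v]
			if !ok { // fail closed instead of silently falling back
				return nil, fmt.Errorf("%s: unsupported TLS version %q", suffix, v)
			}
			*dst = id
		}
	}
	if cfg.MaxVersion != 0 && cfg.MaxVersion < cfg.MinVersion {
		return nil, fmt.Errorf("TLS max version is below min version")
	}
	// crypto/tls applies CipherSuites to TLS 1.2 only; TLS 1.3 suites are fixed.
	if v := getenv(prefix + "_TLS_CIPHER_SUITES"); v != "" {
		known := map[string]uint16{} // tls.CipherSuites omits the insecure list
		for _, s := range tls.CipherSuites() {
			known[s.Name] = s.ID
		}
		for _, name := range strings.Split(v, ",") {
			id, ok := known[strings.TrimSpace(name)]
			if !ok {
				return nil, fmt.Errorf("unknown or insecure cipher suite %q", name)
			}
			cfg.CipherSuites = append(cfg.CipherSuites, id)
		}
	}
	return cfg, nil
}

func main() {
	if _, err := configFromEnv("QUEUE_PROXY", os.Getenv); err != nil {
		fmt.Println("refusing to start:", err)
	}
}
```

With the TLS 1.3 default kept as the minimum, setting only the maximum to "1.2" is rejected, so a downgrade has to lower both bounds explicitly.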
@knative-prow knative-prow bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Mar 20, 2026
@knative-prow knative-prow bot requested review from dprotaso, dsimansk and skonto March 20, 2026 09:45

codecov bot commented Mar 20, 2026

Codecov Report

❌ Patch coverage is 50.00000% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.16%. Comparing base (69aa052) to head (8f67147).
⚠️ Report is 1 commits behind head on release-1.21.

Files with missing lines | Patch % | Lines
pkg/queue/sharedmain/main.go | 0.00% | 21 Missing ⚠️
Additional details and impacted files
@@               Coverage Diff                @@
##           release-1.21   #16482      +/-   ##
================================================
- Coverage         80.17%   80.16%   -0.01%     
================================================
  Files               216      216              
  Lines             13440    13449       +9     
================================================
+ Hits              10775    10781       +6     
- Misses             2301     2303       +2     
- Partials            364      365       +1     

linkvt commented Mar 20, 2026

/lgtm

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Mar 20, 2026
@dprotaso (Member)

/lgtm
/apporve

@dprotaso (Member)

/approve


knative-prow bot commented Mar 20, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, Fedosin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 20, 2026
@knative-prow knative-prow bot merged commit 4d92745 into knative:release-1.21 Mar 20, 2026
91 checks passed