
feat: use knative.dev/pkg/tls for queue-proxy TLS configuration#16425

Open
Fedosin wants to merge 1 commit into knative:main from Fedosin:queue-proxy-tls

Conversation

@Fedosin
Contributor

@Fedosin Fedosin commented Mar 3, 2026

Proposed Changes

Replace the hardcoded tls.VersionTLS13 in queue-proxy's TLS server with the shared knative.dev/pkg/tls package, allowing TLS settings to be configured via QUEUE_PROXY_TLS_MIN_VERSION, QUEUE_PROXY_TLS_MAX_VERSION, QUEUE_PROXY_TLS_CIPHER_SUITES, and QUEUE_PROXY_TLS_CURVE_PREFERENCES environment variables. The default remains TLS 1.3 when no env var is set.

Add four new keys to the config-deployment ConfigMap (queue-sidecar-tls-min-version, queue-sidecar-tls-max-version,
queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences) and forward them as QUEUE_PROXY_TLS_* environment variables in makeQueueContainer. This allows cluster admins to configure the queue-proxy's TLS server via the same ConfigMap used for other queue-proxy settings (like queue-sidecar-rootca), since the operator cannot inject env vars into the dynamically created sidecar via manifestival.

Release Note

Queue-proxy TLS server settings are now configurable via the config-deployment ConfigMap using queue-sidecar-tls-min-version, queue-sidecar-tls-max-version, queue-sidecar-tls-cipher-suites, and queue-sidecar-tls-curve-preferences keys.

knative/pkg patch: knative/pkg#3324
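To make the mechanism described above concrete, the following is an added example (not knative.dev/pkg/tls's code and not from this PR) of a server-side TLS config builder that consumes the four QUEUE_PROXY_TLS_* environment variables, keeps the TLS 1.3 default when nothing is set, and rejects unknown or insecure values rather than silently ignoring them. The spelling of the version ("1.2"/"1.3"), cipher-suite and curve values is assumed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Assumed spellings for the env var values; the real package may differ.
var versionNames = map[string]uint16{"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}
var curveNames = map[string]tls.CurveID{
	"X25519": tls.X25519, "P-256": tls.CurveP256, "P-384": tls.CurveP384, "P-521": tls.CurveP521,
}

// ConfigFromEnv builds a server tls.Config from QUEUE_PROXY_TLS_* values.
// getenv is injected so the function can be tested without touching os.Environ.
func ConfigFromEnv(getenv func(string) string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13} // default when no env var is set
	if v := getenv("QUEUE_PROXY_TLS_MIN_VERSION"); v != "" {
		id, ok := versionNames[v]
		if !ok { return nil, fmt.Errorf("unknown TLS min version %q", v) }
		cfg.MinVersion = id
	}
	if v := getenv("QUEUE_PROXY_TLS_MAX_VERSION"); v != "" {
		id, ok := versionNames[v]
		if !ok { return nil, fmt.Errorf("unknown TLS max version %q", v) }
		if id < cfg.MinVersion { return nil, fmt.Errorf("max version %q is below the min version", v) }
		cfg.MaxVersion = id
	}
	if v := getenv("QUEUE_PROXY_TLS_CIPHER_SUITES"); v != "" {
		// Only names from tls.CipherSuites() are accepted; tls.InsecureCipherSuites() is
		// deliberately excluded. Note: Go ignores this list for TLS 1.3 connections.
		byName := map[string]uint16{}
		for _, s := range tls.CipherSuites() { byName[s.Name] = s.ID }
		for _, name := range strings.Split(v, ",") {
			id, ok := byName[strings.TrimSpace(name)]
			if !ok { return nil, fmt.Errorf("unknown or insecure cipher suite %q", name) }
			cfg.CipherSuites = append(cfg.CipherSuites, id)
		}
	}
	if v := getenv("QUEUE_PROXY_TLS_CURVE_PREFERENCES"); v != "" {
		for _, name := range strings.Split(v, ",") {
			id, ok := curveNames[strings.TrimSpace(name)]
			if !ok { return nil, fmt.Errorf("unknown curve %q", name) }
			cfg.CurvePreferences = append(cfg.CurvePreferences, id)
		}
	}
	return cfg, nil
}
```

In the PR's design the values reach these env vars from the queue-sidecar-tls-* ConfigMap keys via makeQueueContainer, so a typo in the ConfigMap surfaces as a startup error here instead of a weaker-than-intended server.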

@knative-prow knative-prow bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 3, 2026
@knative-prow knative-prow bot requested review from dsimansk and skonto March 3, 2026 10:53
@Fedosin Fedosin changed the title Use knative.dev/pkg/tls for queue-proxy TLS configuration feat: use knative.dev/pkg/tls for queue-proxy TLS configuration Mar 3, 2026
@codecov

codecov bot commented Mar 3, 2026

Codecov Report

❌ Patch coverage is 43.24324% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.27%. Comparing base (42495d4) to head (ad8272f).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
pkg/queue/sharedmain/main.go 0.00% 21 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #16425      +/-   ##
==========================================
+ Coverage   80.21%   80.27%   +0.05%     
==========================================
  Files         217      217              
  Lines       13511    13528      +17     
==========================================
+ Hits        10838    10859      +21     
+ Misses       2307     2302       -5     
- Partials      366      367       +1     



@twoGiants twoGiants left a comment


Very clean, great job, thank you! 😺 👍

/approve
/lgtm

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Mar 4, 2026
@twoGiants

/retest

@Fedosin
Contributor Author

Fedosin commented Mar 4, 2026

/hold

@knative-prow knative-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 4, 2026
@knative-prow knative-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2026
@Fedosin
Contributor Author

Fedosin commented Mar 5, 2026

/hold cancel

@knative-prow knative-prow bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 5, 2026
Replace the hardcoded tls.VersionTLS13 in queue-proxy's TLS
server with the shared knative.dev/pkg/tls package, allowing
TLS settings to be configured via QUEUE_PROXY_TLS_MIN_VERSION,
QUEUE_PROXY_TLS_MAX_VERSION, QUEUE_PROXY_TLS_CIPHER_SUITES,
and QUEUE_PROXY_TLS_CURVE_PREFERENCES environment variables.
The default remains TLS 1.3 when no env var is set.

Add four new keys to the config-deployment ConfigMap
(queue-sidecar-tls-min-version, queue-sidecar-tls-max-version,
queue-sidecar-tls-cipher-suites, queue-sidecar-tls-curve-preferences)
and forward them as QUEUE_PROXY_TLS_* environment variables in
makeQueueContainer. This allows cluster admins to configure the
queue-proxy's TLS server via the same ConfigMap used for other
queue-proxy settings (like queue-sidecar-rootca), since the operator
cannot inject env vars into the dynamically created sidecar via
manifestival.

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

@twoGiants twoGiants left a comment


/approve
/lgtm

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2026
@knative-prow

knative-prow bot commented Mar 5, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Fedosin, twoGiants
Once this PR has been reviewed and has the lgtm label, please assign dprotaso for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Contributor

@linkvt linkvt left a comment


/lgtm
