[release-1.21] Add network/tls package for TLS configuration (#3337)

* feat: add shared tls package for reading TLS config from environment (#3324)

* feat: add shared tls package for reading TLS config from environment

Extract TLS configuration parsing into a reusable knative.dev/pkg/tls
package so that any Knative component (not just webhooks) can read
TLS_MIN_VERSION, TLS_MAX_VERSION, TLS_CIPHER_SUITES, and
TLS_CURVE_PREFERENCES from environment variables with an optional prefix.

The webhook package is updated to use the new tls package, extending env
var support from just WEBHOOK_TLS_MIN_VERSION to all four WEBHOOK_TLS_*
variables. Programmatic Options values continue to take precedence over
environment variables.

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

* fix: address review feedback on tls package

Reduce the public API surface of the tls package by unexporting
ParseVersion, ParseCipherSuites, and ParseCurvePreferences since they
are implementation details of NewConfigFromEnv.

Also validate that TLS max version is not smaller than min version in
webhook.New(), document the Options TLS field precedence
(programmatic > env vars > defaults), and broaden TestConfig_TLSConfig
to exercise the full NewConfigFromEnv → TLSConfig path.

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

---------

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

* Replace NewConfigFromEnv with DefaultConfigFromEnv (#3328)

DefaultConfigFromEnv replaces NewConfigFromEnv by returning a full
default tls.Config with overrides from env vars. This avoids specifying
e.g. the TLS MinVersion explicitely.

* Move tls package to network/tls, keep aliases for backward compatibility (#3331)

The TLS configuration package is moved from tls/ to network/tls/ to
co-locate it with the rest of the networking code. The old tls/ package
now re-exports all public symbols as deprecated aliases so that existing
consumers continue to compile without changes. The webhook package is
updated to import from the new location directly.

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

* remove deprecated TLS package (#3333)

---------

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>
Co-authored-by: Vincent Link <linkvt@users.noreply.github.com>
Co-authored-by: Dave Protasowski <dprotaso@gmail.com>

Author: 3 people

network/depcheck_test.go

@@ -26,5 +26,6 @@ func TestNoDeps(t *testing.T) {
 	depcheck.AssertNoDependency(t, map[string][]string{
 		"knative.dev/pkg/network":          depcheck.KnownHeavyDependencies,
 		"knative.dev/pkg/network/handlers": depcheck.KnownHeavyDependencies,
+		"knative.dev/pkg/network/tls":      depcheck.KnownHeavyDependencies,
 	})
 }

network/tls/config.go

@@ -0,0 +1,156 @@
+/*
+Copyright 2026 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tls
+
+import (
+	cryptotls "crypto/tls"
+	"fmt"
+	"os"
+	"strings"
+)
+
+// Environment variable name suffixes for TLS configuration.
+// Use with a prefix to namespace them, e.g. "WEBHOOK_" + MinVersionEnvKey
+// reads the WEBHOOK_TLS_MIN_VERSION variable.
+const (
+	MinVersionEnvKey       = "TLS_MIN_VERSION"
+	MaxVersionEnvKey       = "TLS_MAX_VERSION"
+	CipherSuitesEnvKey     = "TLS_CIPHER_SUITES"
+	CurvePreferencesEnvKey = "TLS_CURVE_PREFERENCES"
+)
+
+// DefaultConfigFromEnv returns a tls.Config with secure defaults.
+// The prefix is prepended to each standard env-var suffix;
+// for example with prefix "WEBHOOK_" the function reads
+// WEBHOOK_TLS_MIN_VERSION, WEBHOOK_TLS_MAX_VERSION, etc.
+func DefaultConfigFromEnv(prefix string) (*cryptotls.Config, error) {
+	cfg := &cryptotls.Config{
+		MinVersion: cryptotls.VersionTLS13,
+	}
+
+	if v := os.Getenv(prefix + MinVersionEnvKey); v != "" {
+		ver, err := parseVersion(v)
+		if err != nil {
+			return nil, fmt.Errorf("invalid %s%s %q: %w", prefix, MinVersionEnvKey, v, err)
+		}
+		cfg.MinVersion = ver
+	}
+
+	if v := os.Getenv(prefix + MaxVersionEnvKey); v != "" {
+		ver, err := parseVersion(v)
+		if err != nil {
+			return nil, fmt.Errorf("invalid %s%s %q: %w", prefix, MaxVersionEnvKey, v, err)
+		}
+		cfg.MaxVersion = ver
+	}
+
+	if v := os.Getenv(prefix + CipherSuitesEnvKey); v != "" {
+		suites, err := parseCipherSuites(v)
+		if err != nil {
+			return nil, fmt.Errorf("invalid %s%s: %w", prefix, CipherSuitesEnvKey, err)
+		}
+		cfg.CipherSuites = suites
+	}
+
+	if v := os.Getenv(prefix + CurvePreferencesEnvKey); v != "" {
+		curves, err := parseCurvePreferences(v)
+		if err != nil {
+			return nil, fmt.Errorf("invalid %s%s: %w", prefix, CurvePreferencesEnvKey, err)
+		}
+		cfg.CurvePreferences = curves
+	}
+
+	return cfg, nil
+}
+
+// parseVersion converts a TLS version string to the corresponding
+// crypto/tls constant. Accepted values are "1.2" and "1.3".
+func parseVersion(v string) (uint16, error) {
+	switch v {
+	case "1.2":
+		return cryptotls.VersionTLS12, nil
+	case "1.3":
+		return cryptotls.VersionTLS13, nil
+	default:
+		return 0, fmt.Errorf("unsupported TLS version %q: must be %q or %q", v, "1.2", "1.3")
+	}
+}
+
+// parseCipherSuites parses a comma-separated list of TLS cipher-suite names
+// (e.g. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
+// into a slice of cipher-suite IDs. Names must match those returned by
+// crypto/tls.CipherSuiteName.
+func parseCipherSuites(s string) ([]uint16, error) {
+	lookup := cipherSuiteLookup()
+	parts := strings.Split(s, ",")
+	suites := make([]uint16, 0, len(parts))
+
+	for _, name := range parts {
+		name = strings.TrimSpace(name)
+		if name == "" {
+			continue
+		}
+		id, ok := lookup[name]
+		if !ok {
+			return nil, fmt.Errorf("unknown cipher suite %q", name)
+		}
+		suites = append(suites, id)
+	}
+
+	return suites, nil
+}
+
+// parseCurvePreferences parses a comma-separated list of elliptic-curve names
+// (e.g. "X25519,CurveP256") into a slice of crypto/tls.CurveID values.
+// Both Go constant names (CurveP256) and standard names (P-256) are accepted.
+func parseCurvePreferences(s string) ([]cryptotls.CurveID, error) {
+	parts := strings.Split(s, ",")
+	curves := make([]cryptotls.CurveID, 0, len(parts))
+
+	for _, name := range parts {
+		name = strings.TrimSpace(name)
+		if name == "" {
+			continue
+		}
+		id, ok := curvesByName[name]
+		if !ok {
+			return nil, fmt.Errorf("unknown curve %q", name)
+		}
+		curves = append(curves, id)
+	}
+
+	return curves, nil
+}
+
+func cipherSuiteLookup() map[string]uint16 {
+	m := make(map[string]uint16)
+	for _, cs := range cryptotls.CipherSuites() {
+		m[cs.Name] = cs.ID
+	}
+	return m
+}
+
+var curvesByName = map[string]cryptotls.CurveID{
+	"CurveP256":      cryptotls.CurveP256,
+	"CurveP384":      cryptotls.CurveP384,
+	"CurveP521":      cryptotls.CurveP521,
+	"X25519":         cryptotls.X25519,
+	"X25519MLKEM768": cryptotls.X25519MLKEM768,
+	"P-256":          cryptotls.CurveP256,
+	"P-384":          cryptotls.CurveP384,
+	"P-521":          cryptotls.CurveP521,
+}