stolostron · mprahl · Nov 22, 2023 · Jul 18, 2023 · Jul 20, 2023 · Jul 20, 2023
diff --git a/Dockerfile b/Dockerfile
@@ -14,7 +14,7 @@ ARG LDFLAGS
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+    CGO_ENABLED=1 \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
     GOARM=${TARGETVARIANT}

diff --git a/OWNERS b/OWNERS
@@ -0,0 +1,12 @@
+approvers:
+- dhaiducek
+- gparvin
+- JustinKuli
+- mprahl
+- yiraeChristineKim
+reviewers:
+- dhaiducek
+- gparvin
+- JustinKuli
+- mprahl
+- yiraeChristineKim
diff --git a/Tiltfile b/Tiltfile
@@ -34,7 +34,8 @@ COPY bin/manager .
 def build_manager():
     cmd = [
         "make tilt-prepare",
-        "GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod vendor -a -o .tiltbuild/bin/manager",
+        "GO111MODULE=on CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -mod vendor -a -ldflags \"" +
+        LDFLAGS + "\" -o .tiltbuild/bin/manager",
     ]
     local_resource(
         "manager",

diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml
@@ -164,7 +164,7 @@ controllerManager:
   livenessTimeout: 1
   priorityClassName: system-cluster-critical
   disableCertRotation: false
-  tlsMinVersion: 1.3
+  tlsMinVersion: 1.2
   clientCertName: ""
   strategyType: RollingUpdate
   affinity:

diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
@@ -164,7 +164,7 @@ controllerManager:
   livenessTimeout: 1
   priorityClassName: system-cluster-critical
   disableCertRotation: false
-  tlsMinVersion: 1.3
+  tlsMinVersion: 1.2
   clientCertName: ""
   strategyType: RollingUpdate
   affinity:

diff --git a/gator.Dockerfile b/gator.Dockerfile
@@ -13,7 +13,7 @@ ARG TARGETVARIANT=""
 ARG LDFLAGS
 
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 \
+    CGO_ENABLED=1 \
     GOOS=${TARGETOS} \
     GOARCH=${TARGETARCH} \
     GOARM=${TARGETVARIANT}

diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
@@ -164,7 +164,7 @@ controllerManager:
   livenessTimeout: 1
   priorityClassName: system-cluster-critical
   disableCertRotation: false
-  tlsMinVersion: 1.3
+  tlsMinVersion: 1.2
   clientCertName: ""
   strategyType: RollingUpdate
   affinity:

diff --git a/pkg/webhook/common.go b/pkg/webhook/common.go
@@ -53,6 +53,7 @@ var (
 	emitAdmissionEvents                = flag.Bool("emit-admission-events", false, "(alpha) emit Kubernetes events for each admission violation")
 	admissionEventsInvolvedNamespace   = flag.Bool("admission-events-involved-namespace", false, "emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will still follow the default behavior")
 	logStatsAdmission                  = flag.Bool("log-stats-admission", false, "(alpha) log stats for admission webhook")
+	tlsMinVersion                      = flag.String("tls-min-version", "1.2", "minimum version of TLS supported")
 	serviceaccount                     = fmt.Sprintf("system:serviceaccount:%s:%s", util.GetNamespace(), serviceAccountName)
 	VwhName                            = flag.String("validating-webhook-configuration-name", "gatekeeper-validating-webhook-configuration", "name of the ValidatingWebhookConfiguration")
 	MwhName                            = flag.String("mutating-webhook-configuration-name", "gatekeeper-mutating-webhook-configuration", "name of the MutatingWebhookConfiguration")

diff --git a/pkg/webhook/common_test.go b/pkg/webhook/common_test.go
@@ -15,11 +15,13 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptest"
+	"reflect"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
 type chanWriter chan string
@@ -29,6 +31,39 @@ func (w chanWriter) Write(p []byte) (n int, err error) {
 	return len(p), nil
 }
 
+func TestCongifureWebhookServer(t *testing.T) {
+	expectedServer := &webhook.Server{
+		TLSMinVersion: "1.2",
+	}
+
+	if *clientCAName != "" {
+		expectedServer.ClientCAName = *clientCAName
+	}
+
+	tc := []struct {
+		Name           string
+		Server         *webhook.Server
+		ExpectedServer *webhook.Server
+	}{
+		{
+			Name:           "Wbhook server config",
+			Server:         &webhook.Server{},
+			ExpectedServer: expectedServer,
+		},
+	}
+
+	for _, tt := range tc {
+		t.Run(tt.Name, func(t *testing.T) {
+			server := congifureWebhookServer(tt.Server)
+			expectedServer.TLSOpts = server.TLSOpts
+
+			if !reflect.DeepEqual(tt.ExpectedServer, server) {
+				t.Errorf(fmt.Sprintf("got %#v, want %#v", server, tt.ExpectedServer))
+			}
+		})
+	}
+}
+
 func TestTLSConfig(t *testing.T) {
 	ca, caPEM, caPrivKey, err := getCA(*CertCNName)
 	if err != nil {