COO-1819:fix: Add TLS min version and cipher suite configuration support

[shwetaap]

Add TLS min version and cipher suite configuration support

Summary by CodeRabbit

• New Features

  • TLS is now configurable via CLI flags and env vars (min TLS version and cipher suites).
  • Server will apply custom TLS version and cipher suite settings when provided; a warning is logged if configured suites are ignored for TLS 1.3.

• Tests

  • Added unit tests validating TLS version and cipher-suite parsing.

[openshift-ci-robot]

@shwetaap: This pull request references COO-1819 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Add TLS min version and cipher suite configuration support

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8beb1921-3df3-42a2-8d39-63a00dcd3077

📥 Commits

Reviewing files that changed from the base of the PR and between 6c64648 and b0e5fc4.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (4)

• cmd/plugin-backend.go
• cmd/plugin-backend_test.go
• go.mod
• pkg/server.go

✅ Files skipped from review due to trivial changes (1)

• cmd/plugin-backend_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• cmd/plugin-backend.go
• go.mod
• pkg/server.go

---

Walkthrough

Adds CLI flags/env for TLS min version and cipher suites, parsing helpers for both, passes parsed values into server.Config, and applies them when building the server TLS config (using OpenShift's secure TLS initializer). Tests validate parsing helpers; go.mod updated for new dependency.

Changes

TLS Configuration Customization

Layer / File(s)	Summary
Data Shape pkg/server.go	Config adds TLSMinVersion uint16 and TLSCipherSuites []uint16.
Dependencies go.mod	Adds github.com/openshift/library-go; bumps github.com/evanphx/json-patch; adds some indirect deps.
Core TLS Implementation pkg/server.go	Switch to oscrypto.SecureTLSConfig(&tls.Config{}); conditionally set MinVersion from cfg.TLSMinVersion; set CipherSuites when provided and warn if TLS≥1.3.
CLI Parsing & Wiring cmd/plugin-backend.go	Add tls-min-version / TLS_MIN_VERSION and tls-cipher-suites / TLS_CIPHER_SUITES inputs; implement parseTLSVersion and parseCipherSuites; pass values into server.Config when calling server.Start.
Tests cmd/plugin-backend_test.go	Adds table-driven tests for parseTLSVersion and parseCipherSuites covering empty, valid, and invalid inputs.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding TLS min version and cipher suite configuration support, which is reflected across all modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/plugin-backend.go`:
- Around line 115-119: The tlsVersions map and parseTLSVersion path currently
allow VersionTLS10/11 which can downgrade cfg.TLSMinVersion below TLS1.2; update
the code to forbid versions < tls.VersionTLS12 by removing "VersionTLS10" and
"VersionTLS11" from the tlsVersions map (or, after parsing, clamp any parsed
value lower than tls.VersionTLS12 to tls.VersionTLS12), and ensure when applying
cfg.TLSMinVersion (after calling oscrypto.SecureTLSConfig) you enforce a minimum
of tls.VersionTLS12 (optionally logging or returning an error if a user
requested a lower version) so the server never runs under TLS1.0/1.1.

In `@pkg/server.go`:
- Around line 62-63: The cfg.TLSCipherSuites assignment only affects TLS
1.0–1.2; TLS 1.3 suites are not configurable, so update the code around
tlsConfig.CipherSuites and cfg.TLSCipherSuites to either (a) add a clear comment
explaining this limitation, or (b) validate/enforce that cfg.TLSMinVersion (or
tlsConfig.MinVersion) is <= tls.VersionTLS12 when cfg.TLSCipherSuites is
non-empty: if TLSCipherSuites is set and TLSMinVersion > tls.VersionTLS12,
return an error or lower the min version and log a warning so callers don’t
assume TLS 1.3 will honor cipher suites. Ensure references to TLSCipherSuites,
tlsConfig.CipherSuites and TLSMinVersion (tlsConfig.MinVersion) are updated
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8c08d1c6-c666-4bf1-8a7d-1f8c9e1b7b1c

📥 Commits

Reviewing files that changed from the base of the PR and between 4440656 and 6c64648.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (4)

• cmd/plugin-backend.go
• cmd/plugin-backend_test.go
• go.mod
• pkg/server.go

[openshift-ci]

@shwetaap: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[alanconway]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alanconway, shwetaap

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [alanconway,shwetaap]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment