Wire security.kubernetes.tls.minVersion into the Kubernetes API client transport#2020

Open
Elmo33 wants to merge 1 commit into Altinity:0.27.2 from Elmo33:0.27.2-fix-k8s-tls-minversion
Elmo33 (Contributor) commented Jun 30, 2026

  • Under FIPS/Enforced, the operator already coerced security.kubernetes.tls.minVersion to 1.3 in chopconf but never applied it when building the client-go transport, so the K8s client could still negotiate TLS 1.2.
  • Resolve the effective floor from file-based chopconf at GetClientset time (same timing as the insecure-kubeconfig startup gate) via OperatorConfig.ResolveK8sTLSMinVersion, and stamp it onto rest.Config with Wrap.
  • Pass chopConfigFile into GetClientset from the operator, keeper, and metrics-exporter entrypoints so all three binaries share the same behavior.

Important items to consider before making a Pull Request

Please check the items this PR complies with:

  • All commits in the PR are squashed. More info
  • The PR is made into dedicated next-release branch, not into master branch. More info
  • The PR is signed. More info
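
A check for the gap described in this PR, as an added example that is not code from the pull request or the operator: a transport wrapper in the `func(http.RoundTripper) http.RoundTripper` shape that client-go's `rest.Config.Wrap` accepts, plus a probe showing that a client with a TLS 1.3 floor refuses a server capped at TLS 1.2. It uses only `net/http` instead of client-go, and `withTLSFloor`, `negotiated` and `refuse` are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// refuse (hypothetical) fails every request, so a floor that cannot be applied fails closed.
type refuse struct{ err error }
func (r refuse) RoundTrip(*http.Request) (*http.Response, error) { return nil, r.err }

// withTLSFloor (hypothetical) returns a transport wrapper that raises MinVersion
// to floor and never lowers a stricter value that is already configured.
func withTLSFloor(floor uint16) func(http.RoundTripper) http.RoundTripper {
	return func(rt http.RoundTripper) http.RoundTripper {
		t, ok := rt.(*http.Transport)
		if !ok {
			return refuse{fmt.Errorf("cannot enforce TLS floor on this transport")}
		}
		c := t.Clone() // leave the caller's transport untouched
		if c.TLSClientConfig == nil {
			c.TLSClientConfig = &tls.Config{}
		}
		if c.TLSClientConfig.MinVersion < floor {
			c.TLSClientConfig.MinVersion = floor
		}
		return c
	}
}

// negotiated starts a local test server capped at serverMax and returns the TLS
// version a client with the given floor negotiates, or the handshake error.
func negotiated(serverMax, floor uint16) (uint16, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{MaxVersion: serverMax}
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // trusts the test server's generated certificate
	client.Transport = withTLSFloor(floor)(client.Transport)
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

func main() { fmt.Println(negotiated(tls.VersionTLS12, tls.VersionTLS13)) }
```

The same probe run with a floor of `tls.VersionTLS12` succeeds against the TLS 1.2 server, which is the behavior the PR description says the client kept under FIPS/Enforced before the floor was applied to the transport.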
