From 689e72fa58259567a6ac9b197020a6cf1b92d4e4 Mon Sep 17 00:00:00 2001
From: Stefan Bueringer
Date: Mon, 17 Oct 2022 12:21:24 +0200
Subject: [PATCH] Add tls options to manager.Options

---
 pkg/envtest/webhook_test.go | 4 ++++
 pkg/manager/internal.go | 4 ++++
 pkg/manager/manager.go | 5 +++++
 pkg/manager/manager_test.go | 6 ++++++
 pkg/webhook/webhook_integration_test.go | 2 ++
 5 files changed, 21 insertions(+)

diff --git a/pkg/envtest/webhook_test.go b/pkg/envtest/webhook_test.go
index bb1726cf01..ca4e936780 100644
--- a/pkg/envtest/webhook_test.go
+++ b/pkg/envtest/webhook_test.go
@@ -18,6 +18,7 @@ package envtest
 
 import (
 	"context"
+	"crypto/tls"
 	"path/filepath"
 	"time"
 
@@ -41,6 +42,9 @@ var _ = Describe("Test", func() {
 				Port: env.WebhookInstallOptions.LocalServingPort,
 				Host: env.WebhookInstallOptions.LocalServingHost,
 				CertDir: env.WebhookInstallOptions.LocalServingCertDir,
+				TLSOpts: []func(*tls.Config){
+					func(config *tls.Config) {},
+				},
 			}) // we need manager here just to leverage manager.SetFields
 			Expect(err).NotTo(HaveOccurred())
 			server := m.GetWebhookServer()
diff --git a/pkg/manager/internal.go b/pkg/manager/internal.go
index 5b22c628f9..fb79c55441 100644
--- a/pkg/manager/internal.go
+++ b/pkg/manager/internal.go
@@ -18,6 +18,7 @@ package manager
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"net"
@@ -135,6 +136,8 @@ type controllerManager struct {
 	// if not set, webhook server would look up the server key and certificate in
 	// {TempDir}/k8s-webhook-server/serving-certs
 	certDir string
+	// tlsOpts is used to allow configuring the TLS config used for the webhook server.
+	tlsOpts []func(*tls.Config)
 	webhookServer *webhook.Server
 
 	// webhookServerOnce will be called in GetWebhookServer() to optionally initialize
@@ -305,6 +308,7 @@ func (cm *controllerManager) GetWebhookServer() *webhook.Server {
 			Port: cm.port,
 			Host: cm.host,
 			CertDir: cm.certDir,
+			TLSOpts: cm.tlsOpts,
 		}
 	}
 	if err := cm.Add(cm.webhookServer); err != nil {
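Review bot: The TLS option passed here is a no-op, so this test — like the two identical ones added in pkg/webhook/webhook_integration_test.go — only proves that manager.Options accepts TLSOpts, not that the callback ever reaches the webhook server's tls.Config. An option with an observable effect, for example `func(c *tls.Config) { c.MinVersion = tls.VersionTLS13 }`, followed by an assertion that a client handshake against the server negotiates that version, would cover the wiring end to end. Where the webhook server applies TLSOpts is not visible in this patch, so the assertion may need to run after Start rather than after GetWebhookServer. The enclosing It block begins and ends outside the hunk.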
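Review bot: The new tlsOpts comment in controllerManager does not say when the field is consulted, whereas the certDir comment directly above is explicit about being used only for the manager-created server. GetWebhookServer below copies tlsOpts only into the default webhook.Server literal, and per the Options doc a caller-supplied webhookServer is used as-is, so the same qualification applies here; suggest `// tlsOpts is applied to the TLS config of the webhook server created by GetWebhookServer; it is ignored when webhookServer is set explicitly.` The same gap exists on the exported TLSOpts field in pkg/manager/manager.go. GetWebhookServer starts and ends outside the last hunk of this file.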
diff --git a/pkg/manager/manager.go b/pkg/manager/manager.go
index 028d929d96..d997e8a3ce 100644
--- a/pkg/manager/manager.go
+++ b/pkg/manager/manager.go
@@ -18,6 +18,7 @@ package manager
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/http"
@@ -242,6 +243,9 @@ type Options struct {
 	// It is used to set webhook.Server.CertDir if WebhookServer is not set.
 	CertDir string
 
+	// TLSOpts is used to allow configuring the TLS config used for the webhook server.
+	TLSOpts []func(*tls.Config)
+
 	// WebhookServer is an externally configured webhook.Server. By default,
 	// a Manager will create a default server using Port, Host, and CertDir;
 	// if this is set, the Manager will use this server instead.
@@ -422,6 +426,7 @@ func New(config *rest.Config, options Options) (Manager, error) {
 		port: options.Port,
 		host: options.Host,
 		certDir: options.CertDir,
+		tlsOpts: options.TLSOpts,
 		webhookServer: options.WebhookServer,
 		leaseDuration: *options.LeaseDuration,
 		renewDeadline: *options.RenewDeadline,
diff --git a/pkg/manager/manager_test.go b/pkg/manager/manager_test.go
index b5aef683e6..5f4bd81e66 100644
--- a/pkg/manager/manager_test.go
+++ b/pkg/manager/manager_test.go
@@ -18,6 +18,7 @@ package manager
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"io"
@@ -211,6 +212,9 @@ var _ = Describe("manger.Manager", func() {
 				},
 			}
 
+			optionsTlSOptsFuncs := []func(*tls.Config){
+				func(config *tls.Config) {},
+			}
 			m, err := Options{
 				SyncPeriod: &optDuration,
 				LeaderElection: true,
@@ -228,6 +232,7 @@ var _ = Describe("manger.Manager", func() {
 				Port: 8080,
 				Host: "example.com",
 				CertDir: "/pki",
+				TLSOpts: optionsTlSOptsFuncs,
 			}.AndFrom(&fakeDeferredLoader{ccfg})
 			Expect(err).To(BeNil())
 
@@ -247,6 +252,7 @@ var _ = Describe("manger.Manager", func() {
 			Expect(m.Port).To(Equal(8080))
 			Expect(m.Host).To(Equal("example.com"))
 			Expect(m.CertDir).To(Equal("/pki"))
+			Expect(m.TLSOpts).To(Equal(optionsTlSOptsFuncs))
 		})
 
 		It("should lazily initialize a webhook server if needed", func() {
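Review bot: The WebhookServer comment two lines below the new field still says the default server is built "using Port, Host, and CertDir", which this change makes incomplete; it should read `// a Manager will create a default server using Port, Host, CertDir and TLSOpts;`. The TLSOpts comment itself should also say what the callbacks are given: each receives the server's *tls.Config and may change anything on it, so it can just as easily weaken the server's TLS defaults (MinVersion, CipherSuites, ClientAuth) as tighten them, and the doc should name the intended uses — raising the minimum version, restricting cipher suites, or requiring client certificates for mTLS — and state that the webhook server's own defaults are the baseline. Whether the server applies the functions in slice order is not visible in this patch, so document the order only if webhook.Server fixes it.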
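Review bot: `Expect(m.TLSOpts).To(Equal(optionsTlSOptsFuncs))` in the last hunk of manager_test.go passes only because both names presumably share one backing array: Gomega's Equal uses reflect.DeepEqual, which never treats two non-nil func values as equal, so if AndFrom ever clones the slice this assertion fails for a reason unrelated to the option being lost. `Expect(m.TLSOpts).To(HaveLen(1))` states the intent robustly, and `reflect.ValueOf(m.TLSOpts[0]).Pointer()` can be compared against the original if identity matters. Separately, the helper declared in the earlier hunk is named `optionsTlSOptsFuncs`; Go keeps an initialism in a single case, so `optionsTLSOptsFuncs` at all three sites. The enclosing It block starts and ends outside these hunks.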
diff --git a/pkg/webhook/webhook_integration_test.go b/pkg/webhook/webhook_integration_test.go
index 3f0f0d42a1..54cd8ca8b5 100644
--- a/pkg/webhook/webhook_integration_test.go
+++ b/pkg/webhook/webhook_integration_test.go
@@ -85,6 +85,7 @@ var _ = Describe("Webhook", func() {
 				Port: testenv.WebhookInstallOptions.LocalServingPort,
 				Host: testenv.WebhookInstallOptions.LocalServingHost,
 				CertDir: testenv.WebhookInstallOptions.LocalServingCertDir,
+				TLSOpts: []func(*tls.Config){func(config *tls.Config) {}},
 			}) // we need manager here just to leverage manager.SetFields
 			Expect(err).NotTo(HaveOccurred())
 			server := m.GetWebhookServer()
@@ -108,6 +109,7 @@ var _ = Describe("Webhook", func() {
 				Port: testenv.WebhookInstallOptions.LocalServingPort,
 				Host: testenv.WebhookInstallOptions.LocalServingHost,
 				CertDir: testenv.WebhookInstallOptions.LocalServingCertDir,
+				TLSOpts: []func(*tls.Config){func(config *tls.Config) {}},
 			}) // we need manager here just to leverage manager.SetFields
 			Expect(err).NotTo(HaveOccurred())
 			server := m.GetWebhookServer()