Update default minimum TLS version to 1.3

This updates the eventingtls package to use TLS 1.3 as the default minimum
version, aligning with the default behavior of `knative.dev/pkg/network/tls`.
The fallback to TLS 1.2 and the associated TODO have been removed.

Additionally, tests asserting the default MinVersion have been removed
from `pkg/eventingtls` and `cmd/requestreply`, as this configuration is
now handled entirely by the underlying `knative.dev/pkg/network/tls` utility.

Signed-off-by: Mikhail Fedosin <mfedosin@redhat.com>

Author: Fedosin

cmd/requestreply/main_test.go

@@ -17,7 +17,6 @@ limitations under the License.
 package main
 
 import (
-	"crypto/tls"
 	"testing"
 
 	reconcilertesting "knative.dev/pkg/reconciler/testing"
@@ -41,10 +40,6 @@ func TestGetServerTLSConfig(t *testing.T) {
 		t.Fatal("expected non-nil TLS config")
 	}
 
-	if tlsConfig.MinVersion != tls.VersionTLS12 {
-		t.Fatalf("want MinVersion TLS 1.2 (%d), got %d", tls.VersionTLS12, tlsConfig.MinVersion)
-	}
-
 	if tlsConfig.GetCertificate == nil {
 		t.Fatal("expected GetCertificate to be set")
 	}

pkg/eventingtls/eventingtls.go

@@ -47,8 +47,6 @@ const (
 	TLSKey = "tls.key"
 	// TLSCrt is the key in the TLS secret for the public key of TLS servers
 	TLSCrt = "tls.crt"
-	// DefaultMinTLSVersion is the default minimum TLS version for servers and clients.
-	DefaultMinTLSVersion = tls.VersionTLS12
 	// SecretCACrt is the name of the CA Cert in the secret
 	SecretCACert = "ca.crt"
 	// IMCDispatcherServerTLSSecretName is the name of the tls secret for the imc dispatcher server
@@ -198,19 +196,13 @@ func GetTLSServerConfig(config ServerConfig) (*tls.Config, error) {
 
 // defaultTLSConfigFromEnv loads TLS configuration from environment variables
 // using the shared knative/pkg/tls utility. DefaultConfigFromEnv defaults to
-// TLS 1.3, but eventing historically defaults to TLS 1.2, so we fall back to
-// 1.2 unless TLS_MIN_VERSION is explicitly set.
-// TODO: switch to TLS 1.3 to align with the rest of the system.
+// TLS 1.3.
 func defaultTLSConfigFromEnv() (*tls.Config, error) {
 	cfg, err := pkgtls.DefaultConfigFromEnv("")
 	if err != nil {
 		return nil, fmt.Errorf("failed to load TLS config from env: %w", err)
 	}
 
-	if os.Getenv(pkgtls.MinVersionEnvKey) == "" {
-		cfg.MinVersion = DefaultMinTLSVersion
-	}
-
 	return cfg, nil
 }
 

pkg/eventingtls/eventingtls_test.go

@@ -67,15 +67,13 @@ wSdZWoEx7ye2kUHEyRKdRGbHyJtY9YYvaROznzxqVpIqHxnRQnE/If7kcN4t/7vi
 				CACerts: pointer.String(""),
 			},
 			expected: tls.Config{
-				MinVersion: tls.VersionTLS12,
 				RootCAs:    sysCertPool,
 			},
 		},
 		{
 			name: "nil CA certs",
 			cfg:  ClientConfig{},
 			expected: tls.Config{
-				MinVersion: tls.VersionTLS12,
 				RootCAs:    sysCertPool,
 			},
 		},
@@ -85,7 +83,6 @@ wSdZWoEx7ye2kUHEyRKdRGbHyJtY9YYvaROznzxqVpIqHxnRQnE/If7kcN4t/7vi
 				CACerts: pointer.String(pemCaCert),
 			},
 			expected: tls.Config{
-				MinVersion: tls.VersionTLS12,
 				RootCAs:    WithCerts(sysCertPool, pemCaCert),
 			},
 		},
@@ -94,9 +91,7 @@ wSdZWoEx7ye2kUHEyRKdRGbHyJtY9YYvaROznzxqVpIqHxnRQnE/If7kcN4t/7vi
 			cfg: ClientConfig{
 				CACerts: pointer.String(pemCaCert[:len(pemCaCert)-30]),
 			},
-			expected: tls.Config{
-				MinVersion: tls.VersionTLS12,
-			},
+			expected: tls.Config{},
 			wantErr: true,
 		},
 	}
@@ -115,10 +110,6 @@ wSdZWoEx7ye2kUHEyRKdRGbHyJtY9YYvaROznzxqVpIqHxnRQnE/If7kcN4t/7vi
 			if !got.RootCAs.Equal(tc.expected.RootCAs) {
 				t.Fatalf("Got RootCAs are not equal to expected RootCAs")
 			}
-
-			if got.MinVersion != tc.expected.MinVersion {
-				t.Fatalf("want MinVersion %v, got %v", tc.expected.MinVersion, got.MinVersion)
-			}
 		})
 	}
 }
@@ -132,18 +123,6 @@ func WithCerts(pool *x509.CertPool, caCerts string) *x509.CertPool {
 }
 
 func TestGetTLSClientConfigEnv(t *testing.T) {
-	t.Run("defaults to TLS 1.2 when env not set", func(t *testing.T) {
-		t.Setenv(pkgtls.MinVersionEnvKey, "")
-
-		cfg, err := GetTLSClientConfig(NewDefaultClientConfig())
-		if err != nil {
-			t.Fatal("unexpected error:", err)
-		}
-		if cfg.MinVersion != tls.VersionTLS12 {
-			t.Fatalf("want MinVersion TLS 1.2 (%d), got %d", tls.VersionTLS12, cfg.MinVersion)
-		}
-	})
-
 	t.Run("uses TLS 1.3 when explicitly set via env", func(t *testing.T) {
 		t.Setenv(pkgtls.MinVersionEnvKey, "1.3")
 
@@ -206,18 +185,6 @@ func TestGetTLSClientConfigEnv(t *testing.T) {
 }
 
 func TestGetTLSServerConfig(t *testing.T) {
-	t.Run("defaults to TLS 1.2 when env not set", func(t *testing.T) {
-		t.Setenv(pkgtls.MinVersionEnvKey, "")
-
-		cfg, err := GetTLSServerConfig(NewDefaultServerConfig())
-		if err != nil {
-			t.Fatal("unexpected error:", err)
-		}
-		if cfg.MinVersion != tls.VersionTLS12 {
-			t.Fatalf("want MinVersion TLS 1.2 (%d), got %d", tls.VersionTLS12, cfg.MinVersion)
-		}
-	})
-
 	t.Run("uses TLS 1.3 when explicitly set via env", func(t *testing.T) {
 		t.Setenv(pkgtls.MinVersionEnvKey, "1.3")