[release-1.21] Backport centralized TLS configuration

cmd/requestreply/main.go

@@ -18,12 +18,14 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"log"
 
 	"github.com/kelseyhightower/envconfig"
 	"go.uber.org/zap"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 
 	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/kncloudevents"
@@ -34,6 +36,7 @@ import (
 	configmap "knative.dev/pkg/configmap/informer"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection"
+	secretinformer "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret"
 	"knative.dev/pkg/logging"
 	"knative.dev/pkg/signals"
 	"knative.dev/pkg/system"
@@ -109,9 +112,15 @@ func main() {
 		env.PodIdx,
 	)
 
+	tlsConfig, err := getServerTLSConfig(ctx)
+	if err != nil {
+		logger.Fatal("failed to get TLS server config", zap.Error(err))
+	}
+
 	sm, err := eventingtls.NewServerManager(ctx,
 		kncloudevents.NewHTTPEventReceiver(env.HttpPort),
-		kncloudevents.NewHTTPEventReceiver(env.HttpsPort), // TODO: add tls config when we have it
+		kncloudevents.NewHTTPEventReceiver(env.HttpsPort,
+			kncloudevents.WithTLSConfig(tlsConfig)),
 		handler,
 		configMapWatcher,
 	)
@@ -135,6 +144,17 @@ func flush(sl *zap.SugaredLogger) {
 	_ = sl.Sync()
 }
 
+func getServerTLSConfig(ctx context.Context) (*tls.Config, error) {
+	secret := types.NamespacedName{
+		Namespace: system.Namespace(),
+		Name:      eventingtls.RequestReplyServerTLSSecretName,
+	}
+
+	serverTLSConfig := eventingtls.NewDefaultServerConfig()
+	serverTLSConfig.GetCertificate = eventingtls.GetCertificateFromSecret(ctx, secretinformer.Get(ctx), kubeclient.Get(ctx), secret)
+	return eventingtls.GetTLSServerConfig(serverTLSConfig)
+}
+
 func getLoggingConfig(ctx context.Context, namespace, loggingConfigMapName string) (*logging.Config, error) {
 	loggingConfigMap, err := kubeclient.Get(ctx).CoreV1().ConfigMaps(namespace).Get(ctx, loggingConfigMapName, metav1.GetOptions{})
 	if apierrs.IsNotFound(err) {

cmd/requestreply/main_test.go

@@ -0,0 +1,51 @@
+/*
+Copyright 2026 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"crypto/tls"
+	"testing"
+
+	reconcilertesting "knative.dev/pkg/reconciler/testing"
+
+	// Fake injection informers and clients
+	_ "knative.dev/pkg/client/injection/kube/client/fake"
+	_ "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret/fake"
+)
+
+func TestGetServerTLSConfig(t *testing.T) {
+	t.Setenv("SYSTEM_NAMESPACE", "knative-eventing")
+
+	ctx, _ := reconcilertesting.SetupFakeContext(t)
+
+	tlsConfig, err := getServerTLSConfig(ctx)
+	if err != nil {
+		t.Fatal("unexpected error:", err)
+	}
+
+	if tlsConfig == nil {
+		t.Fatal("expected non-nil TLS config")
+	}
+
+	if tlsConfig.MinVersion != tls.VersionTLS12 {
+		t.Fatalf("want MinVersion TLS 1.2 (%d), got %d", tls.VersionTLS12, tlsConfig.MinVersion)
+	}
+
+	if tlsConfig.GetCertificate == nil {
+		t.Fatal("expected GetCertificate to be set")
+	}
+}

go.mod

@@ -51,7 +51,7 @@ require (
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 	knative.dev/hack v0.0.0-20260120115810-bf6758cba446
 	knative.dev/hack/schema v0.0.0-20260120115810-bf6758cba446
-	knative.dev/pkg v0.0.0-20260120122510-4a022ed9999a
+	knative.dev/pkg v0.0.0-20260319144603-18c5d580ae64
 	knative.dev/reconciler-test v0.0.0-20260120140419-4301404c03ce
 	sigs.k8s.io/randfill v1.0.0
 	sigs.k8s.io/yaml v1.6.0

go.sum

@@ -1096,8 +1096,8 @@ knative.dev/hack v0.0.0-20260120115810-bf6758cba446 h1:Y8raYHIuAL9/gUKGYD9/dD+Eq
 knative.dev/hack v0.0.0-20260120115810-bf6758cba446/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0=
 knative.dev/hack/schema v0.0.0-20260120115810-bf6758cba446 h1:V7TW1ZOZObhVcDuN04tYvCfCjvvikv1qZR/6lcp6g4Q=
 knative.dev/hack/schema v0.0.0-20260120115810-bf6758cba446/go.mod h1:KkibP1IazICP5ClxwN5D26LDSygsqbYnVGuGFTsHNOQ=
-knative.dev/pkg v0.0.0-20260120122510-4a022ed9999a h1:9f29OTA7w/iVIX6PS6yveVVzNbcUS74eQfchVe8o2/4=
-knative.dev/pkg v0.0.0-20260120122510-4a022ed9999a/go.mod h1:Tz3GoxcNC5vH3Zo//cW3mnHL474u+Y1wbsUIZ11p8No=
+knative.dev/pkg v0.0.0-20260319144603-18c5d580ae64 h1:TiwrcgUKNePfdAbaJT9W4P57lsKjiZnjJ0wVC6XrL0U=
+knative.dev/pkg v0.0.0-20260319144603-18c5d580ae64/go.mod h1:Tz3GoxcNC5vH3Zo//cW3mnHL474u+Y1wbsUIZ11p8No=
 knative.dev/reconciler-test v0.0.0-20260120140419-4301404c03ce h1:pIQCFDsDTRkzrJZDTs2laryYOI6VpcnGF5zezL0NXOw=
 knative.dev/reconciler-test v0.0.0-20260120140419-4301404c03ce/go.mod h1:FUaadFiniAaqqBp/D2g2cO/FUABVR8W4yZd2azDzp7I=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

pkg/eventingtls/eventingtls.go

@@ -39,6 +39,7 @@ import (
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/logging"
+	pkgtls "knative.dev/pkg/network/tls"
 )
 
 const (
@@ -58,6 +59,8 @@ const (
 	BrokerFilterServerTLSSecretName = "mt-broker-filter-server-tls" //nolint:gosec // This is not a hardcoded credential
 	// BrokerIngressServerTLSSecretName is the name of the tls secret for the broker ingress server
 	BrokerIngressServerTLSSecretName = "mt-broker-ingress-server-tls" //nolint:gosec // This is not a hardcoded credential
+	// RequestReplyServerTLSSecretName is the name of the tls secret for the request reply server
+	RequestReplyServerTLSSecretName = "request-reply-server-tls" //nolint:gosec // This is not a hardcoded credential
 )
 
 type ClientConfig struct {
@@ -170,21 +173,45 @@ func GetTLSClientConfig(config ClientConfig) (*tls.Config, error) {
 		return nil, err
 	}
 
-	return &tls.Config{
-		RootCAs:    pool,
-		MinVersion: DefaultMinTLSVersion,
-	}, nil
+	cfg, err := defaultTLSConfigFromEnv()
+	if err != nil {
+		return nil, err
+	}
+
+	cfg.RootCAs = pool
+	return cfg, nil
 }
 
 func NewDefaultServerConfig() ServerConfig {
 	return ServerConfig{}
 }
 
 func GetTLSServerConfig(config ServerConfig) (*tls.Config, error) {
-	return &tls.Config{
-		MinVersion:     DefaultMinTLSVersion,
-		GetCertificate: config.GetCertificate,
-	}, nil
+	cfg, err := defaultTLSConfigFromEnv()
+	if err != nil {
+		return nil, err
+	}
+
+	cfg.GetCertificate = config.GetCertificate
+	return cfg, nil
+}
+
+// defaultTLSConfigFromEnv loads TLS configuration from environment variables
+// using the shared knative/pkg/tls utility. DefaultConfigFromEnv defaults to
+// TLS 1.3, but eventing historically defaults to TLS 1.2, so we fall back to
+// 1.2 unless TLS_MIN_VERSION is explicitly set.
+// TODO: switch to TLS 1.3 to align with the rest of the system.
+func defaultTLSConfigFromEnv() (*tls.Config, error) {
+	cfg, err := pkgtls.DefaultConfigFromEnv("")
+	if err != nil {
+		return nil, fmt.Errorf("failed to load TLS config from env: %w", err)
+	}
+
+	if os.Getenv(pkgtls.MinVersionEnvKey) == "" {
+		cfg.MinVersion = DefaultMinTLSVersion
+	}
+
+	return cfg, nil
 }
 
 // IsHttpsSink returns true if the sink has scheme equal to https.