Add option to specify the tls-min-version for the server

pkg/apis/options/legacy_options.go

@@ -448,6 +448,7 @@ type LegacyServer struct {
 	HTTPSAddress         string `flag:"https-address" cfg:"https_address"`
 	TLSCertFile          string `flag:"tls-cert-file" cfg:"tls_cert_file"`
 	TLSKeyFile           string `flag:"tls-key-file" cfg:"tls_key_file"`
+	TLSMinVersion        string `flag:"tls-min-version" cfg:"tls_min_version"`
 }
 
 func legacyServerFlagset() *pflag.FlagSet {
@@ -461,6 +462,7 @@ func legacyServerFlagset() *pflag.FlagSet {
 	flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
 	flagSet.String("tls-cert-file", "", "path to certificate file")
 	flagSet.String("tls-key-file", "", "path to private key file")
+	flagSet.String("tls-min-version", "", "minimal TLS version for HTTPS clients (either \"TLS1.2\" or \"TLS1.3\")")
 
 	return flagSet
 }
@@ -582,6 +584,7 @@ func (l LegacyServer) convert() (Server, Server) {
 			Cert: &SecretSource{
 				FromFile: l.TLSCertFile,
 			},
+			MinVersion: l.TLSMinVersion,
 		}
 		// Preserve backwards compatibility, only run one server
 		appServer.BindAddress = ""

pkg/apis/options/legacy_options_test.go

@@ -785,6 +785,7 @@ var _ = Describe("Legacy Options", func() {
 			secureMetricsAddr   = ":9443"
 			crtPath             = "tls.crt"
 			keyPath             = "tls.key"
+			minVersion          = "TLS1.3"
 		)
 
 		var tlsConfig = &TLS{
@@ -796,6 +797,12 @@ var _ = Describe("Legacy Options", func() {
 			},
 		}
 
+		var tlsConfigMinVersion = &TLS{
+			Cert:       tlsConfig.Cert,
+			Key:        tlsConfig.Key,
+			MinVersion: minVersion,
+		}
+
 		DescribeTable("should convert to app and metrics servers",
 			func(in legacyServersTableInput) {
 				appServer, metricsServer := in.legacyServer.convert()
@@ -823,6 +830,19 @@ var _ = Describe("Legacy Options", func() {
 					TLS:               tlsConfig,
 				},
 			}),
+			Entry("with TLS options specified with MinVersion", legacyServersTableInput{
+				legacyServer: LegacyServer{
+					HTTPAddress:   insecureAddr,
+					HTTPSAddress:  secureAddr,
+					TLSKeyFile:    keyPath,
+					TLSCertFile:   crtPath,
+					TLSMinVersion: minVersion,
+				},
+				expectedAppServer: Server{
+					SecureBindAddress: secureAddr,
+					TLS:               tlsConfigMinVersion,
+				},
+			}),
 			Entry("with metrics HTTP and HTTPS addresses", legacyServersTableInput{
 				legacyServer: LegacyServer{
 					HTTPAddress:          insecureAddr,

pkg/apis/options/server.go

@@ -11,11 +11,12 @@ type Server struct {
 	SecureBindAddress string
 
 	// TLS contains the information for loading the certificate and key for the
-	// secure traffic.
+	// secure traffic and further configuration for the TLS server.
 	TLS *TLS
 }
 
-// TLS contains the information for loading a TLS certifcate and key.
+// TLS contains the information for loading a TLS certificate and key
+// as well as an optional minimal TLS version that is acceptable.
 type TLS struct {
 	// Key is the TLS key data to use.
 	// Typically this will come from a file.
@@ -24,4 +25,8 @@ type TLS struct {
 	// Cert is the TLS certificate data to use.
 	// Typically this will come from a file.
 	Cert *SecretSource
+
+	// MinVersion is the minimal TLS version that is acceptable.
+	// E.g. Set to "TLS1.3" to select TLS version 1.3
+	MinVersion string
 }