From 2bc3ed83fb1c1afcb06463dc56e55ff130bae9d0 Mon Sep 17 00:00:00 2001
From: Or Mergi
Date: Mon, 23 Mar 2026 13:20:44 +0200
Subject: [PATCH 1/2] tls flags: Replace TLS settings env vars with flags

Flags are easier to work with and better fit for TLS settings.

Resolve #606

Signed-off-by: Or Mergi
---
 cmd/manager/main.go | 10 +++++++++-
 config/default/manager/manager.yaml | 3 +--
 config/release/kubemacpool.yaml | 3 +--
 config/test/kubemacpool.yaml | 3 +--
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index f5e03212c..8ab764142 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -153,10 +153,18 @@ func runCertManager() {
 
 func runKubemacpoolManager() {
 	var logType, metricsAddr string
 	var waitingTime int
+	var tlsMinVersion, tlsCiphers string
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8443", "The address the metric endpoint binds to.")
 	flag.StringVar(&logType, "v", "production", "Log type (debug/production).")
 	flag.IntVar(&waitingTime, names.WAIT_TIME_ARG, 600, "waiting time to release the mac if object was not created")
+	flag.StringVar(&tlsMinVersion, "tls-min-version", "", "Minimum TLS version. "+
+		"Supported values are tls package constants names (e.g. VersionTLS13), please see "+
+		"https://pkg.go.dev/crypto/tls#pkg-constants")
+	flag.StringVar(&tlsCiphers, "tls-cipher-suites", "", "Comma-separated list of TLS cipher suite names."+
+		"Supported values are tls package constants names (e.g. TLS_AES_128_GCM_SHA256), please see "+
+		"https://pkg.go.dev/crypto/tls#pkg-constants"+
+		"When 'min-tls-version' is 'VersionTLS13', cipher suites are selected by the runtime.")
 	flag.Parse()
 
 	ctrl.SetLogger(zap.New(zap.UseDevMode(logType != "production")))
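Review bot: The help text of `tls-cipher-suites` refers to a flag named `'min-tls-version'`, but the flag registered three lines above is `tls-min-version`, so an operator following `--help` to lower the floor before supplying a cipher list will look for a flag that does not exist. The 2/2 hunk at `@@ -158,12 +158,12 @@` rewrites the same string and keeps the mismatch, so the fix belongs in the final state of that line as well. Proposed last fragment: `"When 'tls-min-version' is 'VersionTLS13', cipher suites are selected by the runtime.")`. The body of runKubemacpoolManager continues past the end of this hunk.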
@@ -187,7 +195,7 @@ func runKubemacpoolManager() {
 		os.Exit(1)
 	}
 
-	tlsConfig, err := kmptls.NewConfig(os.Getenv("TLS_MIN_VERSION"), os.Getenv("TLS_CIPHERS"))
+	tlsConfig, err := kmptls.NewConfig(tlsMinVersion, tlsCiphers)
 	if err != nil {
 		log.Error(err, "Failed to create TLS config")
 		os.Exit(1)
diff --git a/config/default/manager/manager.yaml b/config/default/manager/manager.yaml
index 19043dfc4..3dbbf685b 100644
--- a/config/default/manager/manager.yaml
+++ b/config/default/manager/manager.yaml
@@ -85,6 +85,7 @@ spec:
       args:
         - "--v=production"
         - "--wait-time=300"
+        - "--tls-min-version=VersionTLS13"
       securityContext:
         allowPrivilegeEscalation: false
         capabilities:
@@ -114,8 +115,6 @@ spec:
               key: RANGE_END
         - name: KUBEVIRT_CLIENT_GO_SCHEME_REGISTRATION_VERSION
           value: "v1"
-        - name: TLS_MIN_VERSION
-          value: "VersionTLS13"
       resources:
         requests:
           cpu: 100m
diff --git a/config/release/kubemacpool.yaml b/config/release/kubemacpool.yaml
index aa7be4cda..2eb66fe9c 100644
--- a/config/release/kubemacpool.yaml
+++ b/config/release/kubemacpool.yaml
@@ -275,6 +275,7 @@ spec:
      - args:
        - --v=production
        - --wait-time=300
+       - --tls-min-version=VersionTLS13
        command:
        - /manager
        env:
@@ -298,8 +299,6 @@ spec:
              name: kubemacpool-mac-range-config
        - name: KUBEVIRT_CLIENT_GO_SCHEME_REGISTRATION_VERSION
          value: v1
-       - name: TLS_MIN_VERSION
-         value: VersionTLS13
        image: quay.io/kubevirt/kubemacpool:latest
        imagePullPolicy: Always
        livenessProbe:
diff --git a/config/test/kubemacpool.yaml b/config/test/kubemacpool.yaml
index 35bf9baf8..914f65c94 100644
--- a/config/test/kubemacpool.yaml
+++ b/config/test/kubemacpool.yaml
@@ -276,6 +276,7 @@ spec:
      - args:
        - --v=debug
        - --wait-time=300
+       - --tls-min-version=VersionTLS13
        command:
        - /manager
        env:
@@ -299,8 +300,6 @@ spec:
              name: kubemacpool-mac-range-config
        - name: KUBEVIRT_CLIENT_GO_SCHEME_REGISTRATION_VERSION
          value: v1
-       - name: TLS_MIN_VERSION
-         value: VersionTLS13
        image: registry:5000/kubevirt/kubemacpool:latest
        imagePullPolicy: Always
        livenessProbe:
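Review bot: The removed line read `TLS_MIN_VERSION` and `TLS_CIPHERS` from the environment, and the new call consults only the two flags, so any deployment that still exports either variable has its TLS floor or cipher list silently replaced by the flag defaults; the in-tree manifests in this patch drop only `TLS_MIN_VERSION`, and nothing on the page shows where `TLS_CIPHERS` was set, so out-of-tree users of that variable are the ones most likely to be caught. It would make the migration observable to log the effective settings once `NewConfig` succeeds, e.g. `log.Info("TLS settings", "minVersion", tlsMinVersion, "cipherSuites", tlsCiphers)`, and optionally to fail startup with a pointer to the new flags while either variable is still set, for one release. Whether kmptls.NewConfig already logs this cannot be seen from the hunk. runKubemacpoolManager starts before and continues after this hunk.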
From fc281223fd885b475f8bc23b5cce7f210cc37a40 Mon Sep 17 00:00:00 2001
From: Or Mergi
Date: Mon, 23 Mar 2026 13:25:58 +0200
Subject: [PATCH 2/2] tls, flags, config: Set default version to TLS 1.3

Set the TLS minimal version default value to 1.3. Remove redundent the flag occurances in manifests.

Signed-off-by: Or Mergi
---
 cmd/manager/main.go | 8 ++++----
 config/default/manager/manager.yaml | 1 -
 config/release/kubemacpool.yaml | 1 -
 config/test/kubemacpool.yaml | 1 -
 4 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index 8ab764142..5e3117b26 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -158,12 +158,12 @@ func runKubemacpoolManager() {
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8443", "The address the metric endpoint binds to.")
 	flag.StringVar(&logType, "v", "production", "Log type (debug/production).")
 	flag.IntVar(&waitingTime, names.WAIT_TIME_ARG, 600, "waiting time to release the mac if object was not created")
-	flag.StringVar(&tlsMinVersion, "tls-min-version", "", "Minimum TLS version. "+
+	flag.StringVar(&tlsMinVersion, "tls-min-version", "VersionTLS13", "Minimum TLS version. "+
 		"Supported values are tls package constants names (e.g. VersionTLS13), please see "+
-		"https://pkg.go.dev/crypto/tls#pkg-constants")
+		"https://pkg.go.dev/crypto/tls#pkg-constants.")
-	flag.StringVar(&tlsCiphers, "tls-cipher-suites", "", "Comma-separated list of TLS cipher suite names."+
+	flag.StringVar(&tlsCiphers, "tls-cipher-suites", "", "Comma-separated list of TLS cipher suite names. "+
 		"Supported values are tls package constants names (e.g. TLS_AES_128_GCM_SHA256), please see "+
-		"https://pkg.go.dev/crypto/tls#pkg-constants"+
+		"https://pkg.go.dev/crypto/tls#pkg-constants. "+
 		"When 'min-tls-version' is 'VersionTLS13', cipher suites are selected by the runtime.")
 	flag.Parse()
 
diff --git a/config/default/manager/manager.yaml b/config/default/manager/manager.yaml
index 3dbbf685b..5c2c6c0d1 100644
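Review bot: With the default of `tls-min-version` now `VersionTLS13`, a `--tls-cipher-suites` list passed on its own is, by the help text's own last sentence, not applied, and the operator who meant to restrict suites gets no feedback that the list was a no-op. The help text should state the precondition up front rather than as an afterthought, e.g. `"Only applies when 'tls-min-version' is lower than 'VersionTLS13'; under TLS 1.3 cipher suites are selected by the runtime.")`, and, if kmptls.NewConfig does not already do so (it is not visible here), a warning when a non-empty list arrives together with VersionTLS13 would close the gap. Since this commit also removes the explicit `--tls-min-version=VersionTLS13` argument from all three manifests, the flag default is now the only thing enforcing the TLS floor; a small test that pins the default would keep a later edit of this literal from silently lowering it. runKubemacpoolManager begins before and continues after this hunk.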
--- a/config/default/manager/manager.yaml
+++ b/config/default/manager/manager.yaml
@@ -85,7 +85,6 @@ spec:
       args:
         - "--v=production"
         - "--wait-time=300"
-        - "--tls-min-version=VersionTLS13"
       securityContext:
         allowPrivilegeEscalation: false
         capabilities:
diff --git a/config/release/kubemacpool.yaml b/config/release/kubemacpool.yaml
index 2eb66fe9c..afba418b4 100644
--- a/config/release/kubemacpool.yaml
+++ b/config/release/kubemacpool.yaml
@@ -275,7 +275,6 @@ spec:
      - args:
        - --v=production
        - --wait-time=300
-       - --tls-min-version=VersionTLS13
        command:
        - /manager
        env:
diff --git a/config/test/kubemacpool.yaml b/config/test/kubemacpool.yaml
index 914f65c94..12b70abdf 100644
--- a/config/test/kubemacpool.yaml
+++ b/config/test/kubemacpool.yaml
@@ -276,7 +276,6 @@ spec:
      - args:
        - --v=debug
        - --wait-time=300
-       - --tls-min-version=VersionTLS13
        command:
        - /manager
        env: