From 6ea0629106a6d2d5812340d86a7cae096dff1cef Mon Sep 17 00:00:00 2001
From: Andrew Bays
Date: Fri, 20 Oct 2023 11:04:19 +0000
Subject: [PATCH] Disable HTTP2 in webhook server
---
 go.mod | 1 -
 main.go | 11 +++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index b0cb43ad..fa1710ee 100644
--- a/go.mod
+++ b/go.mod
@@ -151,7 +151,6 @@ require ( ) replace ( - // required by Microsoft/hcsshim, containers/storage, sriov-network-operator // Not used within this Operator. // Bump to avoid CVE detection with earlier versions (v1.5.4).
diff --git a/main.go b/main.go
index 5f60943f..c4a6b521 100644
--- a/main.go
+++ b/main.go
@@ -17,6 +17,7 @@ limitations under the License.
 package main
 import (
+ "crypto/tls"
 "flag"
 "fmt"
 "os"
@@ -94,6 +95,8 @@ func main() {
 var enableLeaderElection bool
 var enableWebhooks bool
 var probeAddr string
+ var enableHTTP2 bool
+ flag.BoolVar(&enableHTTP2, "enable-http2", enableHTTP2, "If HTTP/2 should be enabled for the metrics and webhook servers.")
 flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 flag.BoolVar(&enableLeaderElection, "leader-elect", false,
@@ -156,6 +159,13 @@ func main() {
 os.Exit(1)
 }
+ disableHTTP2 := func(c *tls.Config) {
+ if enableHTTP2 {
+ return
+ }
+ c.NextProtos = []string{"http/1.1"}
+ }
+
 checker := healthz.Ping
 if strings.ToLower(os.Getenv("ENABLE_WEBHOOKS")) != "false" {
 enableWebhooks = true
@@ -166,6 +176,7 @@ func main() {
 srv.CertName = WebhookCertName
 srv.KeyName = WebhookKeyName
 srv.Port = WebhookPort
+ srv.TLSOpts = []func(config *tls.Config){disableHTTP2}
 }
 if err = (&controllers.OpenStackControlPlaneReconciler{
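Review bot: The help text added for `enable-http2` in the `@@ -94,6 +95,8 @@` hunk promises coverage of "the metrics and webhook servers", but in this patch `disableHTTP2` is attached only to the webhook server's `TLSOpts`; nothing visible applies it to the metrics listener bound at `:8080`. Either wire the same option into the metrics server or narrow the text to `"If HTTP/2 should be enabled for the webhook server."`, so an operator does not assume the metrics endpoint is covered. The default is also passed as the still-zero variable `enableHTTP2`; writing the literal `false`, as the `leader-elect` line below does, makes the secure default explicit. main() starts and ends outside this hunk.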
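Review bot: The `disableHTTP2` closure added in the `@@ -156,6 +159,13 @@` hunk has no comment explaining why HTTP/2 is off unless `--enable-http2` is passed, and the commit message gives no reason either, so the restriction is easy to remove later as apparently dead configuration. If the motivation is the HTTP/2 stream-cancellation denial-of-service class (inferred, not stated on the page), say so above the closure, e.g. `// HTTP/2 stays off unless --enable-http2 is set: limiting NextProtos to "http/1.1" keeps ALPN from negotiating h2 (see <advisory reference>).` The name also reads oddly when the flag is set, since the function then does nothing; the comment should state that early return.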
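Review bot: In the `@@ -166,6 +176,7 @@` hunk, `srv.TLSOpts = []func(config *tls.Config){disableHTTP2}` replaces whatever TLS options the webhook server already carries instead of adding to them. If code elsewhere in main() (outside this hunk) or a later change sets options such as a minimum TLS version or a cipher list, this assignment would silently drop them. `srv.TLSOpts = append(srv.TLSOpts, disableHTTP2)` keeps existing hardening and still applies the protocol restriction.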