From 949e73dd06ba4e711bd6714b4300895745e21fb4 Mon Sep 17 00:00:00 2001
From: Tom Pantelis
Date: Tue, 23 Jun 2026 08:00:32 -0400
Subject: [PATCH] Remove TLS min version validation for OpenShift profile compatibility

Removed the validation that enforced TLS 1.2 as the minimum version when the --tls-min-version CLI flag is specified. This allows OpenShift TLS profiles that support older versions (e.g., the "Old" profile with TLS 1.0) to be used when explicitly configured. When --tls-min-version is not specified, the webhook server still defaults to TLS 1.2, maintaining secure defaults while allowing backwards compatibility when needed.

Signed-off-by: Tom Pantelis
---
 cmd/webhook/main.go | 5 -----
 cmd/webhook/main_test.go | 15 +++------------
 2 files changed, 3 insertions(+), 17 deletions(-)

diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
index 5b775227..37d476b4 100644
--- a/cmd/webhook/main.go
+++ b/cmd/webhook/main.go
@@ -171,11 +171,6 @@ func startHTTPServers(config *ServerConfig) (func(), error) {
 if err != nil {
 return nil, fmt.Errorf("error parsing TLS min version %q: %w", config.TLSMinVersion, err)
 }
-
- // Validate that the minimum TLS version is at least TLS 1.2
- if tlsMinVersionID < tls.VersionTLS12 {
- return nil, fmt.Errorf("TLS min version %q is below the minimum required version TLS 1.2", config.TLSMinVersion)
- }
 }
 
 applyTLSOptions := func(to *tls.Config) *tls.Config {
diff --git a/cmd/webhook/main_test.go b/cmd/webhook/main_test.go
index 75fa2a34..2043ef1d 100644
--- a/cmd/webhook/main_test.go
+++ b/cmd/webhook/main_test.go
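Review bot: With the floor check removed, `VersionTLS10` and `VersionTLS11` are now honored with no operator-visible signal that the server's transport floor has been lowered; at the point of the deleted block, keep `if tlsMinVersionID < tls.VersionTLS12 {` but replace the returned error with a warning emitted through whatever logger main.go already uses, naming `config.TLSMinVersion` and stating that values below TLS 1.2 are intended only for legacy OpenShift profile compatibility. The `--tls-min-version` flag's help text (outside the hunk) should carry the same caveat so the relaxed floor is discoverable without reading the code. If `applyTLSOptions` also pins a cipher-suite list (its body continues past the hunk), confirm that list still contains suites negotiable under TLS 1.0/1.1; otherwise a lower floor is accepted at startup but can never actually be negotiated, which is a confusing failure mode for the "Old" profile this change is meant to support. startHTTPServers both starts and ends outside the hunk.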
@@ -131,24 +131,15 @@ func testHTTPServers() {
 })
 })
 
- DescribeTable("should reject TLS min versions below TLS 1.2",
- func(version string) {
- config.TLSMinVersion = version
- _, err := startHTTPServers(config)
- Expect(err).To(HaveOccurred())
- Expect(err.Error()).To(ContainSubstring("below the minimum required version TLS 1.2"))
- },
- Entry("TLS 1.0", "VersionTLS10"),
- Entry("TLS 1.1", "VersionTLS11"),
- )
-
- DescribeTable("should accept TLS min versions at or above TLS 1.2",
+ DescribeTable("should accept all TLS min versions",
 func(version string) {
 config.TLSMinVersion = version
 var err error
 cleanup, err = startHTTPServers(config)
 Expect(err).NotTo(HaveOccurred())
 },
+ Entry("TLS 1.0", "VersionTLS10"),
+ Entry("TLS 1.1", "VersionTLS11"),
 Entry("TLS 1.2", "VersionTLS12"),
 Entry("TLS 1.3", "VersionTLS13"),
 )
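Review bot: The renamed table still asserts only that startHTTPServers returns no error, so it would keep passing if the parsed minimum were ignored and every entry ended up with the same effective floor. The secure default the commit message relies on (TLS 1.2 when the flag is unset) is also not pinned here; if no sibling case in testHTTPServers covers it (most of the function is outside the hunk), add a case that leaves `config.TLSMinVersion` empty, and, where the started server's `tls.Config` is reachable from the test, check that its `MinVersion` is `tls.VersionTLS12` for that case and equals the requested version for each existing entry. testHTTPServers starts and ends outside the hunk.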