feat: add --tls-min-version flag to proxy server

[tesshuflower]

This was originally opened as #815 but I think got closed mistakenly - reopening

Summary

• Add --tls-min-version flag to the proxy server, allowing dynamic configuration of the minimum TLS version
• Previously the minimum TLS version was hardcoded to TLS 1.2 in getTLSConfig()
• Accepted values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 (defaults to VersionTLS12 when not specified, maintaining backward compatibility)

Motivation

The proxy server currently hardcodes tls.VersionTLS12 as the minimum TLS version. This makes it impossible for operators to enforce stricter TLS policies (e.g., TLS 1.3 only) or to align with platform-wide TLS security profiles. Adding this flag allows the minimum TLS version to be configured at startup, similar to the existing --cipher-suites flag.

Changes

File	Change
pkg/util/net.go	Add TLSVersions map and GetTLSVersion() helper function
cmd/server/app/options/options.go	Add TLSMinVersion field, --tls-min-version flag, validation, and print
cmd/server/app/server.go	Update getTLSConfig() to accept and use dynamic TLS min version
cmd/server/app/options/options_test.go	Add default value test and validation tests for valid/invalid TLS versions

Test plan

• TestDefaultServerOptions passes — verifies TLSMinVersion defaults to ""
• TestValidate passes — covers VersionTLS12, VersionTLS13, and invalid version
• All existing tests pass with no regressions

🤖 Generated with Claude Code

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: tesshuflower / name: Tesshu Flower (1a8c0d0)
• ✅ login: xuezhaojun / name: xuezhao (1a8c0d0)

[k8s-ci-robot]

Welcome @tesshuflower!

It looks like this is your first PR to kubernetes-sigs/apiserver-network-proxy 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/apiserver-network-proxy has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tesshuflower
Once this PR has been reviewed and has the lgtm label, please assign jkh52 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @tesshuflower. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[cheftako]

/ok-to-test

[cheftako]

Can you rebase on the latest?

[tesshuflower]

Can you rebase on the latest?

Sure thing, done!