disable http2 for metrics and webhooks by default

It appears that mitigating the recent http2 vulnerabilities (see
CVE-2023-44487 and CVE-2023-39325) requires [more than just a library
update to golang.org/x/net][1].  Until better mitigations have been
developed, disable http2 in both the metrics and webhooks servers.

[1]: kubernetes/kubernetes#121197

Signed-off-by: Andy Sadler <[email protected]>

Author: sadlerap

main.go

@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"os"
 	"time"
@@ -64,13 +65,15 @@ func main() {
 	var enableLeaderElection bool
 	var probeAddr string
 	var migrateFromVMware bool
+	var enableHTTP2 bool
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&migrateFromVMware, "migrate-from-vmware", false,
 		"Enable migration from the VMware implementation.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false, "Enable HTTP2 for the metrics and webhook servers")
 	opts := zap.Options{
 		Development: true,
 	}
@@ -79,14 +82,26 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
+	disableHTTP2 := func(t *tls.Config) {
+		if enableHTTP2 {
+			t.NextProtos = []string{"http/1.1"}
+		}
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
 		Metrics: server.Options{
 			BindAddress: metricsAddr,
+			TLSOpts: []func(*tls.Config){
+				disableHTTP2,
+			},
 		},
 		WebhookServer: &webhook.DefaultServer{
 			Options: webhook.Options{
 				Port: 9443,
+				TLSOpts: []func(*tls.Config){
+					disableHTTP2,
+				},
 			},
 		},
 		Cache: cache.Options{