
Expose TLS configuration for webhook servers to support platform-managed TLS policies

Open jkhelil opened this issue 2 weeks ago • 0 comments

Summary

The knative.dev/pkg/webhook package currently does not expose the tlsConfig field (webhook.go#L141), preventing downstream platforms from dynamically configuring TLS settings beyond the basic WEBHOOK_TLS_MIN_VERSION environment variable. This limitation blocks integration with centralized TLS policy management systems required for enterprise Kubernetes distributions.

Motivation

Modern Kubernetes platforms increasingly require centralized TLS policy management to:

  • Prepare for Post-Quantum Cryptography (PQC) transitions requiring TLS 1.3+ and specific cipher suites
  • Comply with organizational security policies that mandate specific cipher configurations
  • Support custom TLS profiles beyond simple version selection (e.g., FIPS mode, industry-specific compliance)
  • Enable dynamic security policy updates without rebuilding/redeploying components

Current Limitations

https://github.com/knative/pkg/blob/main/webhook/webhook.go#L141

tlsConfig: &tls.Config{
    MinVersion: tlsMinVersion,  // Only configurable via env var
    // No cipher suite configuration
    // No way to inject custom tls.Config
}

The existing implementation is missing:

Proposed Solution: Add TLSConfig functional option

// webhook.go
type Options struct {
    // ... existing fields ...
    
    // TLSConfig allows customization of the webhook server's TLS configuration.
    // If nil, a default configuration with MinVersion from WEBHOOK_TLS_MIN_VERSION is used.
    // When provided, this completely overrides the default TLS configuration.
    TLSConfig *tls.Config
}

jkhelil, Dec 09 '25 08:12
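An added example (not code from knative/pkg or from the issue author) of how the proposed TLSConfig option would compose with the existing env-var default, and of a centrally managed profile the env var alone cannot express. The names serverTLSConfig, minVersionFromEnv and platformPolicy are hypothetical, and the env-var parsing is an assumption (only "1.3" is treated specially, everything else falls back to TLS 1.2).

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Options is a cut-down stand-in for webhook.Options carrying only the proposed field.
type Options struct {
	TLSConfig *tls.Config // nil means "use the default"
}

// minVersionFromEnv mirrors the env-var path (assumption: "1.3" or else TLS 1.2).
func minVersionFromEnv(env string) uint16 {
	if env == "1.3" {
		return tls.VersionTLS13
	}
	return tls.VersionTLS12
}

// serverTLSConfig applies the proposal's semantics: a provided TLSConfig completely
// overrides the default; otherwise only MinVersion is set from WEBHOOK_TLS_MIN_VERSION
// (the env value is passed in so the function is testable offline).
func serverTLSConfig(opts Options, env string) *tls.Config {
	if opts.TLSConfig != nil {
		return opts.TLSConfig
	}
	return &tls.Config{MinVersion: minVersionFromEnv(env)}
}

// platformPolicy is a constructed example of a centrally managed profile: TLS 1.2+
// restricted to AEAD ECDHE suites with a fixed curve preference. Caveat: Go ignores
// CipherSuites for TLS 1.3 (those suites are not configurable), so the list only
// governs TLS 1.2 handshakes.
func platformPolicy() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

func main() {
	fmt.Printf("default min=%#x\n", serverTLSConfig(Options{}, "1.3").MinVersion)
	fmt.Printf("policy suites=%d\n", len(serverTLSConfig(Options{TLSConfig: platformPolicy()}, "1.3").CipherSuites))
}
```

Because the override is complete, a policy that leaves MinVersion at zero falls back to Go's own default rather than the env-var floor, so the platform side must set MinVersion explicitly.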