From 03d2ea8b9292da8c2dc4edd481f4fe484ba08801 Mon Sep 17 00:00:00 2001
From: Xie Zheng
Date: Thu, 19 Dec 2024 16:57:42 +0800
Subject: [PATCH] Remove unapproved ciphers TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
---
 cmd/main.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/cmd/main.go b/cmd/main.go
index 61dd572e1..1042f2ab6 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -5,6 +5,7 @@ package main
 import (
 "context"
+ "crypto/tls"
 "errors"
 "fmt"
 "os"
@@ -252,6 +253,12 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 hookServer = webhook.NewServer(webhook.Options{
 Port: config.WebhookServerPort,
 CertDir: config.WebhookCertDir,
+ TLSOpts: []func(*tls.Config){
+ func(cfg *tls.Config) {
+ cfg.MinVersion = tls.VersionTLS12
+ cfg.CipherSuites = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}
+ },
+ },
 })
 if err := mgr.Add(hookServer); err != nil {
 log.Error(err, "Failed to add hook server")
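Review bot: The allow-list assigned to `cfg.CipherSuites` holds only CBC-mode suites with HMAC-SHA1 (`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`), so dropping ChaCha20 also drops every AEAD suite from TLS 1.2 handshakes to the webhook server. CBC suites in TLS 1.2 are the family exposed to padding-oracle timing issues and are on the HTTP/2 prohibited list (RFC 7540 Appendix A), so an h2 client that lands on TLS 1.2 may be refused. If the approved list permits them, prefer the GCM suites: `cfg.CipherSuites = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}`. Go's `crypto/tls` does not apply `CipherSuites` to TLS 1.3, so with no `MaxVersion` set a TLS 1.3 client can still negotiate `TLS_CHACHA20_POLY1305_SHA256`; a comment naming the policy these values come from would make that gap visible. `startServiceController` starts and ends outside the hunk.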