Remove Legacy TLS Config, which is not used in the source code

internal/crypto/ptls/ptls.go

@@ -19,8 +19,6 @@ import (
 	"k8s.io/client-go/transport"
 )
 
-// TODO decide if we need to expose the four TLS levels (secure, default, default-ldap, legacy) as config.
-
 // defaultServingOptionsMinTLSVersion is the minimum tls version in the format
 // expected by SecureServingOptions.MinTLSVersion from
 // k8s.io/apiserver/pkg/server/options.
@@ -28,21 +26,6 @@ const defaultServingOptionsMinTLSVersion = "VersionTLS12"
 
 type ConfigFunc func(*x509.CertPool) *tls.Config
 
-func Legacy(rootCAs *x509.CertPool) *tls.Config {
-	c := Default(rootCAs)
-	// add all the ciphers (even the crappy ones) except the ones that Go considers to be outright broken like 3DES
-	c.CipherSuites = suitesToIDs(tls.CipherSuites())
-	return c
-}
-
-func suitesToIDs(suites []*tls.CipherSuite) []uint16 {
-	out := make([]uint16, 0, len(suites))
-	for _, suite := range suites {
-		out = append(out, suite.ID)
-	}
-	return out
-}
-
 func Merge(tlsConfigFunc ConfigFunc, tlsConfig *tls.Config) {
 	secureTLSConfig := tlsConfigFunc(nil)
 

internal/crypto/ptls/ptls_test.go

@@ -5,11 +5,8 @@ package ptls
 
 import (
 	"crypto/tls"
-	"runtime"
-	"strings"
 	"testing"
 
-	"github.com/coreos/go-semver/semver"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apiserver/pkg/server/options"
 )
@@ -37,13 +34,6 @@ func TestDefaultServing(t *testing.T) {
 func TestMerge(t *testing.T) {
 	t.Parallel()
 
-	runtimeVersion := runtime.Version()
-	if strings.HasPrefix(runtimeVersion, "go") {
-		runtimeVersion, _ = strings.CutPrefix(runtimeVersion, "go")
-	}
-	runtimeVersionSemver, err := semver.NewVersion(runtimeVersion)
-	require.NoError(t, err)
-
 	tests := []struct {
 		name          string
 		tlsConfigFunc ConfigFunc
@@ -167,33 +157,6 @@ func TestMerge(t *testing.T) {
 				NextProtos: []string{"panda"},
 			},
 		},
-		{
-			name:          "legacy without NextProtos",
-			tlsConfigFunc: Legacy,
-			tlsConfig: &tls.Config{
-				ServerName: "something-to-check-passthrough",
-			},
-			want: &tls.Config{
-				ServerName:   "something-to-check-passthrough",
-				MinVersion:   tls.VersionTLS12,
-				CipherSuites: wantLegacyCipherSuites(runtimeVersionSemver),
-				NextProtos:   []string{"h2", "http/1.1"},
-			},
-		},
-		{
-			name:          "legacy with NextProtos",
-			tlsConfigFunc: Legacy,
-			tlsConfig: &tls.Config{ //nolint:gosec // not concerned with TLS MinVersion here
-				ServerName: "a different thing for passthrough",
-				NextProtos: []string{"panda"},
-			},
-			want: &tls.Config{
-				ServerName:   "a different thing for passthrough",
-				MinVersion:   tls.VersionTLS12,
-				CipherSuites: wantLegacyCipherSuites(runtimeVersionSemver),
-				NextProtos:   []string{"panda"},
-			},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -204,31 +167,3 @@ func TestMerge(t *testing.T) {
 		})
 	}
 }
-
-func wantLegacyCipherSuites(runtime *semver.Version) []uint16 {
-	var ciphers []uint16
-	if runtime.Major == 1 && runtime.Minor < 22 {
-		ciphers = append(ciphers, []uint16{
-			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-		}...)
-	}
-	ciphers = append(ciphers, []uint16{
-		tls.TLS_AES_128_GCM_SHA256,
-		tls.TLS_AES_256_GCM_SHA384,
-		tls.TLS_CHACHA20_POLY1305_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-	}...)
-	return ciphers
-}