openziti · qrkourier · Jul 14, 2025 · Jul 14, 2025 · Jul 14, 2025 · Jul 14, 2025
diff --git a/charts/ziti-controller/Chart.yaml b/charts/ziti-controller/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: 1.6.5
 description: Host an OpenZiti controller in Kubernetes
 name: ziti-controller
 type: application
-version: 2.0.1
+version: 2.0.2
diff --git a/charts/ziti-controller/README.md b/charts/ziti-controller/README.md
@@ -2,7 +2,7 @@
 
 # ziti-controller
 
-![Version: 2.0.1](https://img.shields.io/badge/Version-2.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.5](https://img.shields.io/badge/AppVersion-1.6.5-informational?style=flat-square)
+![Version: 2.0.2](https://img.shields.io/badge/Version-2.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.5](https://img.shields.io/badge/AppVersion-1.6.5-informational?style=flat-square)
 
 Host an OpenZiti controller in Kubernetes
 
@@ -380,6 +380,8 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
 | prometheus.advertisedHost | string | `""` | DNS name to advertise in place of the default internal cluster name built from the Helm release name |
 | prometheus.advertisedPort | int | `443` | cluster service, node port, load balancer, and ingress port |
 | prometheus.containerPort | int | `9090` | cluster service target port on the container |
+| prometheus.maxTLSVersion | string | `"TLS1.3"` | maximum TLS version to offer to clients |
+| prometheus.minTLSVersion | string | `"TLS1.2"` | minimum TLS version to offer to clients |
 | prometheus.service.annotations | object | `{}` |  |
 | prometheus.service.enabled | bool | `false` | create a cluster service for the deployment |
 | prometheus.service.labels | object | `{"app":"prometheus"}` | extra labels for matching only this service, ie. serviceMonitor |
@@ -407,6 +409,8 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
 | webBindingPki.altServerCerts | list | `[]` |  |
 | webBindingPki.alternativeIssuer | object | `{}` | obtain the web identity from an existing issuer instead of generating a new PKI |
 | webBindingPki.enabled | bool | `true` | generate a separate PKI root of trust for web bindings, i.e., client, management, and prometheus APIs |
+| webBindingPki.maxTLSVersion | string | `"TLS1.3"` | maximum TLS version to offer to clients |
+| webBindingPki.minTLSVersion | string | `"TLS1.2"` | minimum TLS version to offer to clients |
 
 ## TODO's
 

diff --git a/charts/ziti-controller/templates/configmap.yaml b/charts/ziti-controller/templates/configmap.yaml
@@ -236,10 +236,10 @@ data:
           writeTimeout: 100000ms
           # minTLSVersion - optional, default TLS1.2
           # The minimum version of TSL to support
-          minTLSVersion: TLS1.2
+          minTLSVersion: {{ .Values.webBindingPki.minTLSVersion }}
           # maxTLSVersion - optional, default TLS1.3
           # The maximum version of TSL to support
-          maxTLSVersion: TLS1.3
+          maxTLSVersion: {{ .Values.webBindingPki.maxTLSVersion }}
         # apis - required
         # Allows one or more APIs to be bound to this webListener
         apis:
@@ -329,10 +329,10 @@ data:
           writeTimeout: 100000ms
           # minTLSVersion - optional, default TLS1.2
           # The minimum version of TSL to support
-          minTLSVersion: TLS1.3
+          minTLSVersion: {{ .Values.webBindingPki.minTLSVersion }}
           # maxTLSVersion - optional, default TLS1.3
           # The maximum version of TSL to support
-          maxTLSVersion: TLS1.3
+          maxTLSVersion: {{ .Values.webBindingPki.maxTLSVersion }}
         # apis - required
         # Allows one or more APIs to be bound to this webListener
         apis:
@@ -398,7 +398,9 @@ data:
           {{- end }}
           {{- end }}
         {{- end }}
-        options: { }
+        options:
+          minTLSVersion: {{ .Values.prometheus.minTLSVersion }}
+          maxTLSVersion: {{ .Values.prometheus.maxTLSVersion }}
         apis:
           - binding: metrics
             options: { }

diff --git a/charts/ziti-controller/values.yaml b/charts/ziti-controller/values.yaml
@@ -176,8 +176,13 @@ prometheus:
     type: ClusterIP
     # -- extra labels for matching only this service, ie. serviceMonitor
     labels:
-      app: "prometheus"
+      app: prometheus
     annotations: {}
+  # -- minimum TLS version to offer to clients
+  minTLSVersion: TLS1.2
+  # -- maximum TLS version to offer to clients
+  maxTLSVersion: TLS1.3
+
 
   # ServiceMonitor configuration
   serviceMonitor:
@@ -291,6 +296,10 @@ webBindingPki:
   # kind:
   # -- metadata name of the alternative issuer
   # name:
+  # -- minimum TLS version to offer to clients
+  minTLSVersion: TLS1.2
+  # -- maximum TLS version to offer to clients
+  maxTLSVersion: TLS1.3
 
 spireAgent:
   # -- if you are running a container with the spire-agent binary installed