Story
Resolution: Unresolved
Initiative Tracking
rhos-storage-integration
As a security engineer, I want the Go TLS configuration in cmd/main.go of the cinder, glance, manila, and swift operators to explicitly set MinVersion to TLS 1.3, so that Go 1.24+ hybrid ML-KEM PQC key exchange (X25519MLKEM768) is activated for the operator's webhook and metrics server traffic.
- Add an enforceTLS13 closure to tlsOpts in cmd/main.go for cinder-operator, glance-operator, manila-operator, and swift-operator:
disableHTTP2 := func(c *tls.Config) { c.NextProtos = []string{"http/1.1"} } + // Enforce TLS 1.3 minimum to enable PQC key exchange + enforceTLS13 := func(c *tls.Config) { + c.MinVersion = tls.VersionTLS13 + } + if !enableHTTP2 { tlsOpts = append(tlsOpts, disableHTTP2) } + tlsOpts = append(tlsOpts, enforceTLS13)Without this, Go defaults to TLS 1.2 which cannot negotiate PQC key exchange. Go 1.24+ enables hybrid X25519MLKEM768 for TLS 1.3 by default, but only when TLS 1.3 is actually negotiated.
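Review bot: the justification under the snippet overstates what the MinVersion floor does. The story's own sentence ("Go 1.24+ enables hybrid X25519MLKEM768 for TLS 1.3 by default, but only when TLS 1.3 is actually negotiated") already implies that a TLS 1.3-capable client negotiates the PQC exchange against the default config; what `c.MinVersion = tls.VersionTLS13` adds is refusing clients that can only reach TLS 1.2, so "Go defaults to TLS 1.2 which cannot negotiate PQC key exchange" should be reworded to say that the floor removes the non-PQC downgrade path rather than that it enables PQC. Relatedly, the acceptance criteria check only that TLS 1.2 is rejected and that the OpenGrep rule is silent; since the stated goal is PQC activation, add a criterion that inspects the negotiated key exchange group on a live webhook or metrics connection, and document in the comment above `enforceTLS13` that the closure is appended unconditionally (unlike `disableHTTP2`), so reviewers do not expect it to be flag-gated.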
- Consider making the minimum TLS version configurable via a config file rather than hardcoding it, to improve crypto agility.
Acceptance Criteria:
- cmd/main.go in cinder-operator, glance-operator, manila-operator, and swift-operator sets c.MinVersion = tls.VersionTLS13 in a tlsOpts closure
- OpenGrep rule [1] tls-config-no-min-version no longer fires on these files
- Operator webhook and metrics endpoints reject TLS 1.2 connections
[1] https://gitlab.cee.redhat.com/OSP-DFG-security/pqc-automated-analysis
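An added example (not code from the story or from any of the four operators) that applies the tlsOpts closure pattern from the description and checks the acceptance criteria over a loopback handshake: a client capped at TLS 1.2 is refused, a TLS 1.3 client negotiates TLS 1.3. The function names, the throwaway Ed25519 certificate and the loopback harness are constructed for this example; it checks the version floor only, not which key-exchange group was negotiated.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)
// ApplyTLSOpts mirrors the cmd/main.go pattern: ordered closures mutate the config, and enforceTLS13 is appended unconditionally.
func ApplyTLSOpts(cfg *tls.Config, enableHTTP2 bool) *tls.Config {
	disableHTTP2 := func(c *tls.Config) { c.NextProtos = []string{"http/1.1"} }
	enforceTLS13 := func(c *tls.Config) { c.MinVersion = tls.VersionTLS13 } // TLS 1.3 is the floor; PQC key exchange needs 1.3
	var tlsOpts []func(*tls.Config)
	if !enableHTTP2 {
		tlsOpts = append(tlsOpts, disableHTTP2)
	}
	tlsOpts = append(tlsOpts, enforceTLS13)
	for _, opt := range tlsOpts {
		opt(cfg)
	}
	return cfg
}
// SelfSignedCert makes a throwaway Ed25519 server certificate (constructed for this example only, not an operator cert).
func SelfSignedCert() (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, err
}
// NegotiatedVersion handshakes over loopback with a client capped at clientMax; a client that cannot reach TLS 1.3 gets the server's version alert back as a handshake error.
func NegotiatedVersion(server *tls.Config, clientMax uint16) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil { return 0, err }
	defer ln.Close()
	go func() { // server side of the handshake; its refusal surfaces as the client's error
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	client := &tls.Config{InsecureSkipVerify: true, MaxVersion: clientMax} // test-only: the throwaway cert has no CA
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil { return 0, err }
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}
```

The same loopback check can be pointed at a deployed operator's webhook or metrics port by replacing the listener with the real address; the TLS 1.2 attempt must then fail for the third acceptance criterion to hold.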