From fbf50b04fe17b0f091430d22557245d2aedabfd4 Mon Sep 17 00:00:00 2001
From: Will Thames <will@thames.id.au>
Date: Wed, 9 Jun 2021 12:29:47 +1000
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Allow=20TLS=20minimum=20version=20t?=
 =?UTF-8?q?o=20be=20configured=20(#1548)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Allow TLS minimum version to be configured

Some environments have automated security scans that trigger
on TLS versions or insecure cipher suites. Setting TLS to 1.3
would solve both problems (setting to 1.2 only solves the former
as the default 1.2 cipher suites are insecure).

Default TLS minimum version of 1.0 remains.

* Add error handling to tls version conversion
---
 pkg/webhook/server.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/pkg/webhook/server.go b/pkg/webhook/server.go
index cdd34c9660..dfca94e99a 100644
--- a/pkg/webhook/server.go
+++ b/pkg/webhook/server.go
@@ -70,6 +70,10 @@ type Server struct {
 	// Defaults to "", which means server does not verify client's certificate.
 	ClientCAName string
 
+	// TLSVersion is the minimum version of TLS supported. Accepts
+	// "", "1.0", "1.1", "1.2" and "1.3" only ("" is equivalent to "1.0" for backwards compatibility)
+	TLSMinVersion string
+
 	// WebhookMux is the multiplexer that handles different webhooks.
 	WebhookMux *http.ServeMux
 
@@ -175,6 +179,26 @@ func (s *Server) StartStandalone(ctx context.Context, scheme *runtime.Scheme) er
 	return s.Start(ctx)
 }
 
+// tlsVersion converts from human-readable TLS version (for example "1.1")
+// to the values accepted by tls.Config (for example 0x301)
+func tlsVersion(version string) (uint16, error) {
+	switch version {
+	// default is previous behaviour
+	case "":
+		return tls.VersionTLS10, nil
+	case "1.0":
+		return tls.VersionTLS10, nil
+	case "1.1":
+		return tls.VersionTLS11, nil
+	case "1.2":
+		return tls.VersionTLS12, nil
+	case "1.3":
+		return tls.VersionTLS13, nil
+	default:
+		return 0, fmt.Errorf("Invalid TLSMinVersion %v: expects 1.0, 1.1, 1.2, 1.3 or empty", version)
+	}
+}
+
 // Start runs the server.
 // It will install the webhook related resources depend on the server configuration.
 func (s *Server) Start(ctx context.Context) error {
@@ -197,9 +221,15 @@ func (s *Server) Start(ctx context.Context) error {
 		}
 	}()
 
+	tlsMinVersion, err := tlsVersion(s.TLSMinVersion)
+	if err != nil {
+		return err
+	}
+
 	cfg := &tls.Config{
 		NextProtos:     []string{"h2"},
 		GetCertificate: certWatcher.GetCertificate,
+		MinVersion:     tlsMinVersion,
 	}
 
 	// load CA to verify client certificate