feat(server): Enforce TLS >= v1.2 (#5172)

Signed-off-by: Alex Collins <alex_collins@intuit.com>
argoproj · Feb 24, 2021 · 199016a · 199016a
1 parent 8a8759f
commit 199016a
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 9 deletions.
diff --git a/cmd/argo/commands/server.go b/cmd/argo/commands/server.go
@@ -17,6 +17,7 @@ import (
 	"golang.org/x/net/context"
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	"k8s.io/utils/env"
 
 	"github.com/argoproj/argo-workflows/v3/cmd/argo/commands/client"
 	wfclientset "github.com/argoproj/argo-workflows/v3/pkg/client/clientset/versioned"
@@ -87,8 +88,13 @@ See %s`, help.ArgoSever),
 			if secure {
 				cer, err := tls.LoadX509KeyPair("argo-server.crt", "argo-server.key")
 				errors.CheckError(err)
-				// InsecureSkipVerify will not impact the TLS listener. It is needed for the server to speak to itself for GRPC.
-				tlsConfig = &tls.Config{Certificates: []tls.Certificate{cer}, InsecureSkipVerify: true}
+				tlsMinVersion, err := env.GetInt("TLS_MIN_VERSION", tls.VersionTLS12)
+				errors.CheckError(err)
+				tlsConfig = &tls.Config{
+					Certificates:       []tls.Certificate{cer},
+					InsecureSkipVerify: false, // InsecureSkipVerify will not impact the TLS listener. It is needed for the server to speak to itself for GRPC.
+					MinVersion:         uint16(tlsMinVersion),
+				}
 			} else {
 				log.Warn("You are running in insecure mode. Learn how to enable transport layer security: https://argoproj.github.io/argo-workflows/tls/")
 			}

diff --git a/docs/tls.md b/docs/tls.md
@@ -4,21 +4,22 @@
 
 > v2.8 and after
 
-If you're running Argo Server you have three options with increasing transport security (note - you should also be running [authentication](argo-server.md#auth-mode)):
+If you're running Argo Server you have three options with increasing transport security (note - you should also be
+running [authentication](argo-server.md#auth-mode)):
 
 ## Plain Text
 
-*Recommended for: dev* 
+*Recommended for: dev*
 
-This is the default setting: everything is sent in plain text. 
+This is the default setting: everything is sent in plain text.
 
 To secure the UI you may front it with a HTTPS proxy.
 
-## Encrypted 
+## Encrypted
 
 *Recommended for: development and test environments*
 
-You can encrypt connections without any real effort. 
+You can encrypt connections without any real effort.
 
 Start Argo Server with the `--secure` flag, e.g.:
 
@@ -40,7 +41,8 @@ export ARGO_INSECURE_SKIP_VERIFY=true
 argo --secure --insecure-skip-verify list
 ```
 
-Tip: Don't forget to update your readiness probe to use HTTPS. To do so, edit your `argo-server` Deployment's `readinessProbe` spec: 
+Tip: Don't forget to update your readiness probe to use HTTPS. To do so, edit your `argo-server`
+Deployment's `readinessProbe` spec:
 
 ```
 readinessProbe:
@@ -52,7 +54,8 @@ readinessProbe:
 
 *Recommended for: production environments*
 
-Run your HTTPS proxy in front of the Argo Server. You'll need to set-up your certificates and this out of scope of this documentation.
+Run your HTTPS proxy in front of the Argo Server. You'll need to set-up your certificates and this out of scope of this
+documentation.
 
 Start Argo Server with the `--secure` flag, e.g.:
 
@@ -72,3 +75,17 @@ argo --secure list
 export ARGO_SECURE=true
 argo list
 ```
+
+### TLS Min Version
+
+Set `TLS_MIN_VERSION` to be the minimum TLS version to use. This is v1.2 by default.
+
+This must be one of these [int values](https://golang.org/pkg/crypto/tls/).
+
+| Version | Value |
+|---|---|
+| v1.0 | 769 |
+| v1.1 | 770 |
+| v1.2 | 771 |
+| v1.3 | 772 |
+