chore(tlsversion): Add a tls minimum version for webhooks
Add a minimum TLS version for webhooks

Fixes openservicemesh#4165

Signed-off-by: Sneha Chhabria <snchh@microsoft.com>
snehachhabria committed Oct 14, 2021
1 parent 2ead5a8 commit 2649463
Showing 5 changed files with 8 additions and 1 deletion.
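--- a/pkg/crdconversion/crdconversion.go
+++ b/pkg/crdconversion/crdconversion.go
@@ -114,6 +114,7 @@ func (crdWh *crdConversionWebhook) run(stop <-chan struct{}) {
 // #nosec G402
 webhookServer.TLSConfig = &tls.Config{
 Certificates: []tls.Certificate{cert},
+MinVersion: tls.VersionTLS13,
 }
 
 if err := webhookServer.ListenAndServeTLS("", ""); err != nil {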
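Review bot: The `// #nosec G402` suppression directly above the TLSConfig literal is presumably dead now that MinVersion is set: gosec's G402 fires on a missing or too-low MinVersion and on InsecureSkipVerify, and neither applies to this config any more. Leaving the annotation in place means a later edit that lowers the floor or adds InsecureSkipVerify would pass the linter silently, so I would delete that line and let gosec keep checking this literal. If the annotation was added for a different finding than the one I can see, a short comment naming it would be better than a bare suppression. The body of run continues outside the hunk.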
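--- a/pkg/health/health.go
+++ b/pkg/health/health.go
@@ -48,7 +48,10 @@ func (httpProbe HTTPProbe) Probe() (int, error) {
 // similar to how k8s api server handles HTTPS probes.
 // #nosec G402
 transport := &http.Transport{
-TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+TLSClientConfig: &tls.Config{
+InsecureSkipVerify: true,
+MinVersion: tls.VersionTLS13,
+},
 }
 client.Transport = transport
 }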
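Review bot: Raising the floor to TLS 1.3 on a client that keeps `InsecureSkipVerify: true` changes what this probe will accept from its target, not what it trusts: the peer is still unauthenticated, but any probed HTTPS endpoint that only negotiates TLS 1.2 now fails the probe with a protocol-version error instead of being reported on its status code. The comment on the first line of the hunk says this mirrors how the API server treats HTTPS probes, and as far as I know the kubelet's probe client does not impose a 1.3-only floor, so if these targets are application containers (the caller is not visible from the hunk) `MinVersion: tls.VersionTLS12,` is the closer match; if they are OSM-owned endpoints that always offer 1.3, a comment saying so would justify the stricter value. The `// #nosec G402` line remains necessary here regardless, because of InsecureSkipVerify. Probe's body continues outside the hunk.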
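--- a/pkg/injector/webhook.go
+++ b/pkg/injector/webhook.go
@@ -126,6 +126,7 @@ func (wh *mutatingWebhook) run(stop <-chan struct{}) {
 // #nosec G402
 server.TLSConfig = &tls.Config{
 Certificates: []tls.Certificate{cert},
+MinVersion: tls.VersionTLS13,
 }
 
 if err := server.ListenAndServeTLS("", ""); err != nil {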
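Review bot: The `MinVersion: tls.VersionTLS13,` literal is hand-copied here and into every other TLS config touched by this commit, so the next change to the floor (or an audit of it) has to find each copy separately, and the five sites can drift. One shared constant with a comment stating what must support it, e.g. `// MinTLSVersion is the floor for every TLS listener and client in the control plane.` followed by `const MinTLSVersion = tls.VersionTLS13` in whichever package the repo uses for shared constants, and `MinVersion: MinTLSVersion,` at each site, would keep them in step. The body of run continues outside the hunk.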
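--- a/pkg/utils/mtls.go
+++ b/pkg/utils/mtls.go
@@ -35,6 +35,7 @@ func setupMutualTLS(insecure bool, serverName string, certPem []byte, keyPem []b
 ClientAuth: tls.RequireAndVerifyClientCert,
 Certificates: []tls.Certificate{certif},
 ClientCAs: certPool,
+MinVersion: tls.VersionTLS13,
 }
 return grpc.Creds(credentials.NewTLS(&tlsConfig)), nil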
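Review bot: There is no comment on why a hard TLS 1.3 floor is safe for this gRPC listener, which is the config with the widest blast radius in the commit: unlike the webhooks, whose only peer is the kube-apiserver, every client that dials these mTLS credentials must negotiate 1.3 or be refused at the handshake, with no fallback. If, as the package name suggests, the clients are the mesh's sidecar proxies, a line above the new field such as `// TLS 1.3 only: the clients of this listener are the sidecar proxies, which negotiate 1.3 by default` would record the assumption — confirm it against the proxy version the mesh pins. Worth noting as well that crypto/tls ignores the CipherSuites field for TLS 1.3 connections, so any cipher-suite policy intended for this listener cannot be expressed through tls.Config once the floor is 1.3. setupMutualTLS starts before the hunk; only its signature is visible in the hunk header.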
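--- a/pkg/validator/server.go
+++ b/pkg/validator/server.go
@@ -178,6 +178,7 @@ func (s *validatingWebhookServer) run(port int, certificater certificate.Certifi
 // #nosec G402
 server.TLSConfig = &tls.Config{
 Certificates: []tls.Certificate{cert},
+MinVersion: tls.VersionTLS13,
 }
 
 if err := server.ListenAndServeTLS("", ""); err != nil {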
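Review bot: Neither the hunk nor the commit message records the client-side requirement this introduces: a validating webhook that only speaks TLS 1.3 is unreachable from an API server whose TLS stack stops at 1.2, and the symptom is admission timeouts or failurePolicy-dependent rejections rather than a clear version error. Kubernetes components built with Go 1.13 or later negotiate 1.3 by default, so current releases should be fine, but a comment on the new line, `// TLS 1.3 only; the kube-apiserver must be built with Go >= 1.13 to reach this webhook`, plus a release-note entry would make the constraint visible to operators running older control planes. The body of run continues outside the hunk.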
