chore(tlsversion) : Add a minimum tls version in webhooks

Update controller-runtime to v0.10.2 and add a tls minimum version fro
webhooks

fixes openservicemesh#4165

Signed-off-by: Sneha Chhabria <snchh@microsoft.com>

codegen/gen-crd-client.sh

@@ -38,7 +38,7 @@ ROOT_PACKAGE="github.com/openservicemesh/osm"
 ROOT_DIR="$(git rev-parse --show-toplevel)"
 
 # get code-generator version from go.sum
-CODEGEN_VERSION="v0.21.1" # Must match k8s.io/client-go version defined in go.mod
+CODEGEN_VERSION="v0.22.2" # Must match k8s.io/client-go version defined in go.mod
 CODEGEN_PKG="$(echo `go env GOPATH`/pkg/mod/k8s.io/code-generator@${CODEGEN_VERSION})"
 
 echo ">>> using codegen: ${CODEGEN_PKG}"

go.mod

@@ -32,7 +32,7 @@ require (
 	github.com/norwoodj/helm-docs v1.4.0
 	github.com/olekukonko/tablewriter v0.0.4
 	github.com/onsi/ginkgo v1.16.4
-	github.com/onsi/gomega v1.13.0
+	github.com/onsi/gomega v1.15.0
 	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0
@@ -43,24 +43,23 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.0
-	golang.org/x/tools v0.1.1-0.20210319172145-bda8f5cee399 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0
-	google.golang.org/grpc v1.36.0
+	google.golang.org/grpc v1.38.0
 	google.golang.org/protobuf v1.26.0
 	gopkg.in/yaml.v2 v2.4.0
 	gorm.io/driver/mysql v1.1.1
 	gorm.io/gorm v1.21.12
 	helm.sh/helm/v3 v3.6.1
 	honnef.co/go/tools v0.1.1 // indirect
-	k8s.io/api v0.21.1
-	k8s.io/apiextensions-apiserver v0.21.1
-	k8s.io/apimachinery v0.21.1
+	k8s.io/api v0.22.2
+	k8s.io/apiextensions-apiserver v0.22.2
+	k8s.io/apimachinery v0.22.2
 	k8s.io/cli-runtime v0.21.1
-	k8s.io/client-go v0.21.1
-	k8s.io/code-generator v0.21.1
-	k8s.io/utils v0.0.0-20210527160623-6fdb442a123b
+	k8s.io/client-go v0.22.2
+	k8s.io/code-generator v0.22.2
+	k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a
 	mvdan.cc/gofumpt v0.1.0 // indirect
-	sigs.k8s.io/controller-runtime v0.9.0
+	sigs.k8s.io/controller-runtime v0.10.2
 	sigs.k8s.io/kind v0.11.1
 )
 

pkg/crdconversion/crdconversion.go

@@ -114,6 +114,7 @@ func (crdWh *crdConversionWebhook) run(stop <-chan struct{}) {
 		// #nosec G402
 		webhookServer.TLSConfig = &tls.Config{
 			Certificates: []tls.Certificate{cert},
+			MinVersion:   tls.VersionTLS12,
 		}
 
 		if err := webhookServer.ListenAndServeTLS("", ""); err != nil {

pkg/health/health.go

@@ -48,7 +48,7 @@ func (httpProbe HTTPProbe) Probe() (int, error) {
 		// similar to how k8s api server handles HTTPS probes.
 		// #nosec G402
 		transport := &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12},
 		}
 		client.Transport = transport
 	}

pkg/injector/webhook.go

@@ -126,6 +126,7 @@ func (wh *mutatingWebhook) run(stop <-chan struct{}) {
 		// #nosec G402
 		server.TLSConfig = &tls.Config{
 			Certificates: []tls.Certificate{cert},
+			MinVersion:   tls.VersionTLS12,
 		}
 
 		if err := server.ListenAndServeTLS("", ""); err != nil {

pkg/utils/mtls.go

@@ -35,6 +35,7 @@ func setupMutualTLS(insecure bool, serverName string, certPem []byte, keyPem []b
 		ClientAuth:         tls.RequireAndVerifyClientCert,
 		Certificates:       []tls.Certificate{certif},
 		ClientCAs:          certPool,
+		MinVersion:         tls.VersionTLS12,
 	}
 	return grpc.Creds(credentials.NewTLS(&tlsConfig)), nil
 }

pkg/validator/server.go

@@ -178,6 +178,7 @@ func (s *validatingWebhookServer) run(port int, certificater certificate.Certifi
 		// #nosec G402
 		server.TLSConfig = &tls.Config{
 			Certificates: []tls.Certificate{cert},
+			MinVersion:   tls.VersionTLS12,
 		}
 
 		if err := server.ListenAndServeTLS("", ""); err != nil {