From 199016a6bed5284df3ec5caebbef9f2d018a2d43 Mon Sep 17 00:00:00 2001
From: Alex Collins
Date: Wed, 24 Feb 2021 08:18:16 -0800
Subject: [PATCH] feat(server): Enforce TLS >= v1.2 (#5172)

Signed-off-by: Alex Collins
---
 cmd/argo/commands/server.go | 10 ++++++++--
 docs/tls.md | 31 ++++++++++++++++++++++++-------
 2 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/cmd/argo/commands/server.go b/cmd/argo/commands/server.go
index 9d1fd169f1ba..f50ad9d85c33 100644
--- a/cmd/argo/commands/server.go
+++ b/cmd/argo/commands/server.go
@@ -17,6 +17,7 @@ import (
 	"golang.org/x/net/context"
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	"k8s.io/utils/env"
 
 	"github.com/argoproj/argo-workflows/v3/cmd/argo/commands/client"
 	wfclientset "github.com/argoproj/argo-workflows/v3/pkg/client/clientset/versioned"
@@ -87,8 +88,13 @@ See %s`, help.ArgoSever),
 			if secure {
 				cer, err := tls.LoadX509KeyPair("argo-server.crt", "argo-server.key")
 				errors.CheckError(err)
-				// InsecureSkipVerify will not impact the TLS listener. It is needed for the server to speak to itself for GRPC.
-				tlsConfig = &tls.Config{Certificates: []tls.Certificate{cer}, InsecureSkipVerify: true}
+				tlsMinVersion, err := env.GetInt("TLS_MIN_VERSION", tls.VersionTLS12)
+				errors.CheckError(err)
+				tlsConfig = &tls.Config{
+					Certificates: []tls.Certificate{cer},
+					InsecureSkipVerify: false, // InsecureSkipVerify will not impact the TLS listener. It is needed for the server to speak to itself for GRPC.
+					MinVersion: uint16(tlsMinVersion),
+				}
 			} else {
 				log.Warn("You are running in insecure mode. Learn how to enable transport layer security: https://argoproj.github.io/argo-workflows/tls/")
 			}
diff --git a/docs/tls.md b/docs/tls.md
index 7dd949e4e745..da0519ea686b 100644
--- a/docs/tls.md
+++ b/docs/tls.md
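Review bot: The `TLS_MIN_VERSION` value goes straight from `env.GetInt` into `uint16(tlsMinVersion)` with no range check, so the "enforce >= v1.2" floor in the title is only a default: the same commit's docs table advertises 769 and 770 (TLS 1.0/1.1) as valid settings, a typo such as `1` removes the floor entirely because crypto/tls only drops versions below MinVersion, and a value above 65535 is silently truncated by the cast. Add a guard right after the second `errors.CheckError(err)`: `if tlsMinVersion < tls.VersionTLS12 || tlsMinVersion > tls.VersionTLS13 { log.Fatalf("TLS_MIN_VERSION must be %d (TLS 1.2) or %d (TLS 1.3), got %d", tls.VersionTLS12, tls.VersionTLS13, tlsMinVersion) }` (if downgrading to 1.0/1.1 is meant to stay possible, at least bound it to 769–772 and log a warning below 771), and trim the doc table to match. Separately, the comment kept on `InsecureSkipVerify: false` still says the field "is needed for the server to speak to itself for GRPC", which now contradicts the value; either drop the field (false is the zero value) and the comment, or replace it with a note on where the self-dial now trusts `argo-server.crt` — that dial is outside this hunk, so I cannot confirm it still works. The enclosing Run function starts and ends outside the hunk.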
@@ -4,21 +4,22 @@ > v2.8 and after -If you're running Argo Server you have three options with increasing transport security (note - you should also be running [authentication](argo-server.md#auth-mode)): +If you're running Argo Server you have three options with increasing transport security (note - you should also be +running [authentication](argo-server.md#auth-mode)): ## Plain Text -*Recommended for: dev* +*Recommended for: dev* -This is the default setting: everything is sent in plain text. +This is the default setting: everything is sent in plain text. To secure the UI you may front it with a HTTPS proxy. -## Encrypted +## Encrypted *Recommended for: development and test environments* -You can encrypt connections without any real effort. +You can encrypt connections without any real effort. Start Argo Server with the `--secure` flag, e.g.: @@ -40,7 +41,8 @@ export ARGO_INSECURE_SKIP_VERIFY=true argo --secure --insecure-skip-verify list ``` -Tip: Don't forget to update your readiness probe to use HTTPS. To do so, edit your `argo-server` Deployment's `readinessProbe` spec: +Tip: Don't forget to update your readiness probe to use HTTPS. To do so, edit your `argo-server` +Deployment's `readinessProbe` spec: ``` readinessProbe: @@ -52,7 +54,8 @@ readinessProbe: *Recommended for: production environments* -Run your HTTPS proxy in front of the Argo Server. You'll need to set-up your certificates and this out of scope of this documentation. +Run your HTTPS proxy in front of the Argo Server. You'll need to set-up your certificates and this out of scope of this +documentation. Start Argo Server with the `--secure` flag, e.g.: 
@@ -72,3 +75,17 @@ argo --secure list
 export ARGO_SECURE=true
 argo list
 ```
+
+### TLS Min Version
+
+Set `TLS_MIN_VERSION` to be the minimum TLS version to use. This is v1.2 by default.
+
+This must be one of these [int values](https://golang.org/pkg/crypto/tls/).
+
+| Version | Value |
+|---|---|
+| v1.0 | 769 |
+| v1.1 | 770 |
+| v1.2 | 771 |
+| v1.3 | 772 |
+