Set TLS minimum version to 1.2 (#180)

ref: https://issues.redhat.com/browse/ACM-6233 Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com> Co-authored-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
stolostron · Jul 20, 2023 · 8709d2f · 8709d2f
1 parent 691b02a
commit 8709d2f
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 5 deletions.
diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml
@@ -144,7 +144,7 @@ controllerManager:
   livenessTimeout: 1
   priorityClassName: system-cluster-critical
   disableCertRotation: false
-  tlsMinVersion: 1.3
+  tlsMinVersion: 1.2
   clientCertName: ""
   affinity:
     podAntiAffinity:

diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
@@ -144,7 +144,7 @@ controllerManager:
   livenessTimeout: 1
   priorityClassName: system-cluster-critical
   disableCertRotation: false
-  tlsMinVersion: 1.3
+  tlsMinVersion: 1.2
   clientCertName: ""
   affinity:
     podAntiAffinity:

diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
@@ -144,7 +144,7 @@ controllerManager:
   livenessTimeout: 1
   priorityClassName: system-cluster-critical
   disableCertRotation: false
-  tlsMinVersion: 1.3
+  tlsMinVersion: 1.2
   clientCertName: ""
   affinity:
     podAntiAffinity:

diff --git a/pkg/webhook/common.go b/pkg/webhook/common.go
@@ -59,7 +59,7 @@ var (
 	disableEnforcementActionValidation = flag.Bool("disable-enforcementaction-validation", false, "disable validation of the enforcementAction field of a constraint")
 	logDenies                          = flag.Bool("log-denies", false, "log detailed info on each deny")
 	emitAdmissionEvents                = flag.Bool("emit-admission-events", false, "(alpha) emit Kubernetes events in gatekeeper namespace for each admission violation")
-	tlsMinVersion                      = flag.String("tls-min-version", "1.3", "minimum version of TLS supported")
+	tlsMinVersion                      = flag.String("tls-min-version", "1.2", "minimum version of TLS supported")
 	serviceaccount                     = fmt.Sprintf("system:serviceaccount:%s:%s", util.GetNamespace(), serviceAccountName)
 	clientCAName                       = flag.String("client-ca-name", "", "name of the certificate authority bundle to authenticate the Kubernetes API server requests against")
 	certCNName                         = flag.String("client-cn-name", "kube-apiserver", "expected CN name on the client certificate attached by apiserver in requests to the webhook")

diff --git a/pkg/webhook/common_test.go b/pkg/webhook/common_test.go
@@ -33,7 +33,7 @@ func (w chanWriter) Write(p []byte) (n int, err error) {
 
 func TestCongifureWebhookServer(t *testing.T) {
 	expectedServer := &webhook.Server{
-		TLSMinVersion: "1.3",
+		TLSMinVersion: "1.2",
 	}
 
 	if *clientCAName != "" {