From 8709d2f92637dc0a8de9c109f47a91d391786181 Mon Sep 17 00:00:00 2001
From: OpenShift Cherrypick Robot
Date: Thu, 20 Jul 2023 19:52:28 +0000
Subject: [PATCH] Set TLS minimum version to 1.2 (#180)

ref: https://issues.redhat.com/browse/ACM-6233

Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
Co-authored-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
---
 charts/gatekeeper/values.yaml | 2 +-
 cmd/build/helmify/static/values.yaml | 2 +-
 manifest_staging/charts/gatekeeper/values.yaml | 2 +-
 pkg/webhook/common.go | 2 +-
 pkg/webhook/common_test.go | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml
index 124dde5e553..0f8ac1d3961 100644
--- a/charts/gatekeeper/values.yaml
+++ b/charts/gatekeeper/values.yaml
@@ -144,7 +144,7 @@ controllerManager:
 livenessTimeout: 1
 priorityClassName: system-cluster-critical
 disableCertRotation: false
- tlsMinVersion: 1.3
+ tlsMinVersion: 1.2
 clientCertName: ""
 affinity:
 podAntiAffinity:
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index 124dde5e553..0f8ac1d3961 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -144,7 +144,7 @@ controllerManager:
 livenessTimeout: 1
 priorityClassName: system-cluster-critical
 disableCertRotation: false
- tlsMinVersion: 1.3
+ tlsMinVersion: 1.2
 clientCertName: ""
 affinity:
 podAntiAffinity:
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 124dde5e553..0f8ac1d3961 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -144,7 +144,7 @@ controllerManager:
 livenessTimeout: 1
 priorityClassName: system-cluster-critical
 disableCertRotation: false
- tlsMinVersion: 1.3
+ tlsMinVersion: 1.2
 clientCertName: ""
 affinity:
 podAntiAffinity:
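Review bot: The new default `tlsMinVersion: 1.2` carries no comment saying that it is a floor rather than a pinned version, or why the chart steps down from 1.3, so an operator hardening an install cannot tell from this file whether 1.3 is still honoured. Suggest a comment above the key such as `# Minimum TLS version the webhook server accepts; higher versions are still negotiated when the client supports them. Set to 1.3 to refuse TLS 1.2 clients.` The same edit appears in the `cmd/build/helmify/static` and `manifest_staging` copies of this hunk, so the comment belongs in whichever of the three is the hand-maintained source (presumably the helmify static file, with the others regenerated). It is also worth quoting the value as a string (`"1.2"`) so the template renders it verbatim rather than as a YAML float.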
diff --git a/pkg/webhook/common.go b/pkg/webhook/common.go
index 63f255b1519..4cc15de99a1 100644
--- a/pkg/webhook/common.go
+++ b/pkg/webhook/common.go
@@ -59,7 +59,7 @@ var (
 disableEnforcementActionValidation = flag.Bool("disable-enforcementaction-validation", false, "disable validation of the enforcementAction field of a constraint")
 logDenies = flag.Bool("log-denies", false, "log detailed info on each deny")
 emitAdmissionEvents = flag.Bool("emit-admission-events", false, "(alpha) emit Kubernetes events in gatekeeper namespace for each admission violation")
- tlsMinVersion = flag.String("tls-min-version", "1.3", "minimum version of TLS supported")
+ tlsMinVersion = flag.String("tls-min-version", "1.2", "minimum version of TLS supported")
 serviceaccount = fmt.Sprintf("system:serviceaccount:%s:%s", util.GetNamespace(), serviceAccountName)
 clientCAName = flag.String("client-ca-name", "", "name of the certificate authority bundle to authenticate the Kubernetes API server requests against")
 certCNName = flag.String("client-cn-name", "kube-apiserver", "expected CN name on the client certificate attached by apiserver in requests to the webhook")
diff --git a/pkg/webhook/common_test.go b/pkg/webhook/common_test.go
index c80e21e93cf..0eccc78d7af 100644
--- a/pkg/webhook/common_test.go
+++ b/pkg/webhook/common_test.go
@@ -33,7 +33,7 @@ func (w chanWriter) Write(p []byte) (n int, err error) {
 func TestCongifureWebhookServer(t *testing.T) {
 expectedServer := &webhook.Server{
- TLSMinVersion: "1.3",
+ TLSMinVersion: "1.2",
 }
 if *clientCAName != "" {
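Review bot: The help text on the changed `tls-min-version` flag still reads `"minimum version of TLS supported"`, which says nothing about the security consequence of lowering it or that it is a floor rather than the only version served; with the default now at 1.2 the flag is the one place a cluster admin will look. Suggest `tlsMinVersion = flag.String("tls-min-version", "1.2", "minimum TLS version accepted by the webhook server; higher versions are still negotiated. Set to 1.3 to refuse TLS 1.2 clients")` (the flag package already prints the default). Nothing in this hunk constrains which TLS 1.2 cipher suites become negotiable now that the floor is lower; if the server setup elsewhere relies on Go's default suite list that is probably acceptable, but it is worth confirming, since the `var (` block and the webhook server construction both continue outside the hunk.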