Update to TLS1.3 (stolostron#603)

Signed-off-by: xuezhaojun <[email protected]>
zhiweiyin318 · May 5, 2023 · 6b731b4 · 6b731b4
1 parent 889962a
commit 6b731b4
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 4 deletions.
diff --git a/cmd/agent/app/server.go b/cmd/agent/app/server.go
@@ -63,7 +63,7 @@ func InitializeTLS(s *options.AgentOptions) (*agent.TLSOptions, error) {
 	tlsOptions := &agent.TLSOptions{
 		CertFile: s.TLSCertFile,
 		KeyFile:  s.TLSPrivateKeyFile,
-		Config:   &tls.Config{MinVersion: tls.VersionTLS12},
+		Config:   &tls.Config{MinVersion: tls.VersionTLS13},
 	}
 
 	if len(s.ClientCAFile) > 0 {

diff --git a/cmd/proxyserver/app/options/options.go b/cmd/proxyserver/app/options/options.go
@@ -3,6 +3,7 @@
 package options
 
 import (
+	"crypto/tls"
 	"fmt"
 
 	"github.com/spf13/pflag"
@@ -70,6 +71,7 @@ func (o *Options) APIServerConfig() (*genericapiserver.Config, error) {
 	if err := o.SecureServing.ApplyTo(&serverConfig.SecureServing, &serverConfig.LoopbackClientConfig); err != nil {
 		return nil, err
 	}
+	serverConfig.SecureServing.MinTLSVersion = tls.VersionTLS13
 
 	if err := o.Authentication.ApplyTo(&serverConfig.Authentication, serverConfig.SecureServing, nil); err != nil {
 		return nil, err

diff --git a/cmd/webhook/app/options/options.go b/cmd/webhook/app/options/options.go
@@ -92,7 +92,7 @@ func cachingCertificateLoader(certFile, keyFile string) func() (*tls.Certificate
 func ConfigTLS(o *Options) *tls.Config {
 	dynamicCertLoader := cachingCertificateLoader(o.CertFile, o.KeyFile)
 	return &tls.Config{
-		MinVersion: tls.VersionTLS12,
+		MinVersion: tls.VersionTLS13,
 		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 			return dynamicCertLoader()
 		},

diff --git a/pkg/klusterlet/agent/server.go b/pkg/klusterlet/agent/server.go
@@ -45,7 +45,7 @@ func (s *Server) listenAndServe() error {
 		Addr:    net.JoinHostPort(s.address.String(), strconv.FormatUint(uint64(s.port), 10)),
 		Handler: &s.handler,
 		TLSConfig: &tls.Config{
-			MinVersion:         tls.VersionTLS12,
+			MinVersion:         tls.VersionTLS13,
 			GetConfigForClient: s.getConfigForClient,
 		},
 		MaxHeaderBytes: 1 << 20,

diff --git a/pkg/klusterlet/nodecollector/nodecollecter.go b/pkg/klusterlet/nodecollector/nodecollecter.go
@@ -258,7 +258,7 @@ func (r *resourceCollector) newPrometheusClient(caData []byte) (prometheusv1.API
 		return nil, fmt.Errorf("no cert found in ca file")
 	}
 
-	httpTransport.TLSClientConfig = &tls.Config{RootCAs: r.certPool, MinVersion: tls.VersionTLS12}
+	httpTransport.TLSClientConfig = &tls.Config{RootCAs: r.certPool, MinVersion: tls.VersionTLS13}
 
 	roundTripper, err := transport.NewBearerAuthWithRefreshRoundTripper("", r.tokenFile, httpTransport)
 	if err != nil {