Fix min tls setting for webhook server (open-telemetry#1225) (open-te…

…lemetry#1230) * fix min tls setting for webhook server (open-telemetry#1225) * using constant as setting * fix godot issue on comment
ItielOlenick · Nov 8, 2022 · 1b2baed · 1b2baed
1 parent 111aa9f
commit 1b2baed
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/main.go b/main.go
@@ -16,6 +16,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"os"
@@ -50,6 +51,10 @@ import (
 	// +kubebuilder:scaffold:imports
 )
 
+// We should avoid that users unknowingly use a vulnerable TLS version.
+// The defaults should be a safe configuration.
+const defaultMinTLSVersion = tls.VersionTLS12
+
 var (
 	scheme   = k8sruntime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
@@ -151,10 +156,16 @@ func main() {
 	leaseDuration := time.Second * 137
 	renewDeadline := time.Second * 107
 	retryPeriod := time.Second * 26
+
+	optionsTlSOptsFuncs := []func(*tls.Config){
+		func(config *tls.Config) { minTlsDefault(config) },
+	}
+
 	mgrOptions := ctrl.Options{
 		Scheme:                 scheme,
 		MetricsBindAddress:     metricsAddr,
 		Port:                   webhookPort,
+		TLSOpts:                optionsTlSOptsFuncs,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "9f7554c3.opentelemetry.io",
@@ -277,3 +288,7 @@ func addDependencies(_ context.Context, mgr ctrl.Manager, cfg config.Config, v v
 	}
 	return nil
 }
+
+func minTlsDefault(cfg *tls.Config) {
+	cfg.MinVersion = defaultMinTLSVersion
+}