Min TLS for tag to digest defaults to 1.2 again and is configurable (#…

…13963)

quay.io only supports 1.2

Co-authored-by: dprotaso <[email protected]>

pkg/reconciler/revision/resolve.go

@@ -42,6 +42,8 @@ const (
  // Kubernetes CA certificate bundle is mounted into the pod here, see:
  // https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/#trusting-tls-in-a-cluster
  k8sCertPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+
+ tlsMinVersionEnvKey = "TAG_TO_DIGEST_TLS_MIN_VERSION"
 )
 
 // newResolverTransport returns an http.Transport that appends the certs bundle
@@ -64,13 +66,26 @@ func newResolverTransport(path string, maxIdleConns, maxIdleConnsPerHost int) (*
  transport.MaxIdleConns = maxIdleConns
  transport.MaxIdleConnsPerHost = maxIdleConnsPerHost
  transport.TLSClientConfig = &tls.Config{
- MinVersion: tls.VersionTLS13,
+ MinVersion: tlsMinVersionFromEnv(tls.VersionTLS12),
  RootCAs: pool,
  }
 
  return transport, nil
 }
 
+func tlsMinVersionFromEnv(defaultTLSMinVersion uint16) uint16 {
+ switch tlsMinVersion := os.Getenv(tlsMinVersionEnvKey); tlsMinVersion {
+ case "1.2":
+ return tls.VersionTLS12
+ case "1.3":
+ return tls.VersionTLS13
+ case "":
+ return defaultTLSMinVersion
+ default:
+ panic(fmt.Sprintf("the environment variable %q has to be either '1.2' or '1.3'", tlsMinVersionEnvKey))
+ }
+}
+
 // Resolve resolves the image references that use tags to digests.
 func (r *digestResolver) Resolve(
  ctx context.Context,

pkg/reconciler/revision/resolve_test.go

@@ -19,6 +19,7 @@ package revision
 import (
  "bytes"
  "context"
+ "crypto/tls"
  "crypto/x509"
  "encoding/base64"
  "encoding/pem"
@@ -449,31 +450,6 @@ func TestResolveSkippingRegistry(t *testing.T) {
 }
 
 func TestNewResolverTransport(t *testing.T) {
- // Cert stolen from crypto/x509/example_test.go
- const certPEM = `
------BEGIN CERTIFICATE-----
-MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
-BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
-cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAw
-WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
-TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp
-bC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfRrObuSW5T7q
-5CnSEqefEmtH4CCv6+5EckuriNr1CjfVvqzwfAhopXkLrq45EQm8vkmf7W96XJhC
-7ZM0dYi1/qOCAU8wggFLMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAa
-BgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wCwYDVR0PBAQDAgeAMGgGCCsGAQUF
-BwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
-LmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2Nz
-cDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/BAIwADAf
-BgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisG
-AQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29t
-L0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAH6RYHxHdcGpMpFE3oxDoFnP+
-gtuBCHan2yE2GRbJ2Cw8Lw0MmuKqHlf9RSeYfd3BXeKkj1qO6TVKwCh+0HdZk283
-TZZyzmEOyclm3UGFYe82P/iDFt+CeQ3NpmBg+GoaVCuWAARJN/KfglbLyyYygcQq
-0SgeDh8dRKUiaW3HQSoYvTvdTuqzwK4CXsr3b5/dAOY8uMuG/IAR3FgwTbZ1dtoW
-RvOTa8hYiU6A475WuZKyEHcwnGYe57u2I2KbMgcKjPniocj4QzgYsVAVKW3IwaOh
-yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
------END CERTIFICATE-----`
-
  cases := []struct {
  name string
  certBundle string
@@ -528,6 +504,50 @@ yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
  })
  }
 }
+func TestNewResolverTransport_TLSMinVersion(t *testing.T) {
+ cases := []struct {
+ name string
+ envOverride string
+ expectedMinTLS uint16
+ expectedPanic bool
+ }{{
+ name: "TLS 1.2",
+ envOverride: "1.2",
+ expectedMinTLS: tls.VersionTLS12,
+ }, {
+ name: "TLS 1.3",
+ envOverride: "1.3",
+ expectedMinTLS: tls.VersionTLS13,
+ }, {
+ name: "default TLS 1.2",
+ envOverride: "",
+ expectedMinTLS: tls.VersionTLS12,
+ }}
+
+ tmpDir := t.TempDir()
+
+ for _, tc := range cases {
+ t.Run(tc.name, func(t *testing.T) {
+ t.Setenv(tlsMinVersionEnvKey, tc.envOverride)
+
+ // noop for this test
+ path, err := writeCertFile(tmpDir, "cert.pem", []byte(certPEM))
+ if err != nil {
+ t.Fatal("Failed to write cert bundle file:", err)
+ }
+
+ // The actual test.
+ if tr, err := newResolverTransport(path, 100, 100); err != nil {
+ t.Error("Got unexpected err:", err)
+ } else if err == nil {
+
+ if diff := cmp.Diff(tc.expectedMinTLS, tr.TLSClientConfig.MinVersion); diff != "" {
+ t.Errorf("expected min TLS version does not match: %s", diff)
+ }
+ }
+ })
+ }
+}
 
 func writeCertFile(dir, path string, contents []byte) (string, error) {
  fp := filepath.Join(dir, path)
@@ -557,3 +577,28 @@ func containsSubject(t *testing.T, subjects [][]byte, contents []byte) bool {
 
  return false
 }
+
+// Cert stolen from crypto/x509/example_test.go
+const certPEM = `
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
+BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
+cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAw
+WjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
+TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFp
+bC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfRrObuSW5T7q
+5CnSEqefEmtH4CCv6+5EckuriNr1CjfVvqzwfAhopXkLrq45EQm8vkmf7W96XJhC
+7ZM0dYi1/qOCAU8wggFLMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAa
+BgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wCwYDVR0PBAQDAgeAMGgGCCsGAQUF
+BwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
+LmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2Nz
+cDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/BAIwADAf
+BgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisG
+AQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29t
+L0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAH6RYHxHdcGpMpFE3oxDoFnP+
+gtuBCHan2yE2GRbJ2Cw8Lw0MmuKqHlf9RSeYfd3BXeKkj1qO6TVKwCh+0HdZk283
+TZZyzmEOyclm3UGFYe82P/iDFt+CeQ3NpmBg+GoaVCuWAARJN/KfglbLyyYygcQq
+0SgeDh8dRKUiaW3HQSoYvTvdTuqzwK4CXsr3b5/dAOY8uMuG/IAR3FgwTbZ1dtoW
+RvOTa8hYiU6A475WuZKyEHcwnGYe57u2I2KbMgcKjPniocj4QzgYsVAVKW3IwaOh
+yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
+-----END CERTIFICATE-----`