Set minimum TLS version to 1.3 (#13500)

This helps ensure a minimum level of security. The two places this affects is our controller webhook and linkerd-viz tap API. The controller requires that kube-api supports TLSv1.3, which it does as of 1.19 (our minimum is currently 1.22). The linkerd-viz tap API is mostly used internally, and is deprecated. It may be worth revisiting if we want to keep it around at all. Signed-off-by: Scott Fleener <[email protected]>
linkerd · Dec 19, 2024 · 3847f9c · 3847f9c
1 parent c77075c
commit 3847f9c
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/controller/webhook/server.go b/controller/webhook/server.go
@@ -65,7 +65,7 @@ func NewServer(
 		Addr:              addr,
 		ReadHeaderTimeout: 15 * time.Second,
 		TLSConfig: &tls.Config{
-			MinVersion: tls.VersionTLS12,
+			MinVersion: tls.VersionTLS13,
 		},
 	}
 

diff --git a/controller/webhook/server_test.go b/controller/webhook/server_test.go
@@ -18,7 +18,7 @@ var mockHTTPServer = &http.Server{
 	Addr:              ":0",
 	ReadHeaderTimeout: 15 * time.Second,
 	TLSConfig: &tls.Config{
-		MinVersion: tls.VersionTLS12,
+		MinVersion: tls.VersionTLS13,
 	},
 }
 

diff --git a/viz/tap/api/server.go b/viz/tap/api/server.go
@@ -74,7 +74,7 @@ func NewServer(
 		TLSConfig: &tls.Config{
 			ClientAuth: tls.VerifyClientCertIfGiven,
 			ClientCAs:  clientCertPool,
-			MinVersion: tls.VersionTLS12,
+			MinVersion: tls.VersionTLS13,
 		},
 	}