
Enforce secure TLS MinVersion across all configurations (#3309)

Signed-off-by: Saurav Teli <telisaurav44@gmail.com>
Co-authored-by: Alex Meijer <ameijer@users.noreply.github.com>
Saurav Teli 7 months ago
parent
commit
3690a9047f

+ 1 - 0
core/pkg/nodestats/nodes_test.go

@@ -32,6 +32,7 @@ func TestNodeSummaryLive(t *testing.T) {
 	transport := &http.Transport{
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: true,
+			MinVersion:         tls.VersionTLS12,
 		},
 	}
 

+ 4 - 1
core/pkg/storage/http.go

@@ -75,7 +75,10 @@ func (config HTTPConfig) GetHTTPTransport() (http.RoundTripper, error) {
 
 // NewTLSConfig creates a new tls.Config from the given TLSConfig.
 func (cfg TLSConfig) ToConfig() (*tls.Config, error) {
-	tlsConfig := &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify}
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: cfg.InsecureSkipVerify,
+		MinVersion:         tls.VersionTLS12,
+	}
 
 	// If a CA cert is provided then let's read it in.
 	if len(cfg.CAFile) > 0 {
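Review bot: The doc comment on the line above the method still reads `// NewTLSConfig creates a new tls.Config from the given TLSConfig.`, so it names a function that does not exist here and godoc will not associate it with ToConfig; now that the method also pins a protocol floor, that is worth stating, e.g. `// ToConfig builds a *tls.Config from cfg. The minimum protocol version is always TLS 1.2 and cannot be lowered through TLSConfig.` The same `tls.VersionTLS12` literal is repeated by this commit in prom.go and in both hunks of nodeclientconfig.go; a single package-level constant, or routing those call sites through ToConfig, would keep the floor in one place when it is raised later. The remainder of ToConfig (CA and client-certificate handling) lies outside this hunk.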

+ 7 - 2
core/pkg/storage/http_test.go

@@ -262,8 +262,10 @@ func TestTLSConfig_ToConfig(t *testing.T) {
 		validateFunc func(t *testing.T, tlsConfig *tls.Config)
 	}{
 		"default configuration": {
-			config:    &TLSConfig{},
-			want:      &tls.Config{},
+			config: &TLSConfig{},
+			want: &tls.Config{
+				MinVersion: tls.VersionTLS12,
+			},
 			wantError: false,
 		},
 		"with insecure skip verify": {
@@ -272,6 +274,7 @@ func TestTLSConfig_ToConfig(t *testing.T) {
 			},
 			want: &tls.Config{
 				InsecureSkipVerify: true,
+				MinVersion:         tls.VersionTLS12,
 			},
 			wantError: false,
 		},
@@ -293,6 +296,7 @@ func TestTLSConfig_ToConfig(t *testing.T) {
 			},
 			want: &tls.Config{
 				ServerName: "example.com",
+				MinVersion: tls.VersionTLS12,
 			},
 			wantError: false,
 		},
@@ -333,6 +337,7 @@ func TestTLSConfig_ToConfig(t *testing.T) {
 					CertFile: path.Join(tmpDir, caFileName),
 					KeyFile:  path.Join(tmpDir, keyFileName),
 				}.getClientCertificate,
+				MinVersion: tls.VersionTLS12,
 			},
 			wantError: false,
 		},

+ 1 - 0
modules/prometheus-source/pkg/prom/prom.go

@@ -395,6 +395,7 @@ func NewPrometheusClient(address string, config *PrometheusClientConfig) (promet
 		TLSClientConfig: &tls.Config{
 			InsecureSkipVerify: config.TLSInsecureSkipVerify,
 			RootCAs:            config.RootCAs,
+			MinVersion:         tls.VersionTLS12,
 		},
 	})
 	pc := prometheus.Config{

+ 4 - 1
pkg/costmodel/nodeclientconfig.go

@@ -37,6 +37,7 @@ func NewNodeClientConfigFromEnv() (*nodes.NodeClientConfig, error) {
 		transport = &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: true,
+				MinVersion:         tls.VersionTLS12,
 			},
 		}
 	} else {
@@ -60,12 +61,14 @@ func NewNodeClientConfigFromEnv() (*nodes.NodeClientConfig, error) {
 			tlsConfig = &tls.Config{
 				Certificates: []tls.Certificate{cert},
 				RootCAs:      caCertPool,
+				MinVersion:   tls.VersionTLS12,
 			}
 
 			transport = &http.Transport{TLSClientConfig: tlsConfig}
 		} else {
 			tlsConfig := &tls.Config{
-				RootCAs: caCertPool,
+				RootCAs:    caCertPool,
+				MinVersion: tls.VersionTLS12,
 			}
 			transport = &http.Transport{TLSClientConfig: tlsConfig}
 		}
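Review bot: In the second hunk the `else` branch declares a fresh local with `tlsConfig := &tls.Config{`, while the branch just above assigns to an outer variable with `tlsConfig = &tls.Config{`; both values are wired into `transport`, so the new MinVersion line reaches the transport either way, but the outer `tlsConfig` is left untouched on the shadowing path, which is easy to misread. Changing that line to `tlsConfig = &tls.Config{` would make both branches update the same variable. The enclosing `if`/`else` and the declaration of the outer `tlsConfig` begin before this hunk, so whether anything later reads the outer value cannot be confirmed from here.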