chore: set VersionTLS12 as min default TLS version (#4192)

* chore: add VersionTLS12 as min default TLS version

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* update changelog

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* fix style

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>

* update the version switch

Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>

* add a unit test for the parsing

Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>

* Update pkg/util/http_test.go

Co-authored-by: Zbynek Roubalik <zroubalik@gmail.com>
Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>

* Update pkg/util/http_test.go

Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com>

* fix style

Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>

---------

Signed-off-by: Jorge Turrado <jorge_turrado@hotmail.es>
Signed-off-by: Jorge Turrado <jorge.turrado@scrm.lidl>
Signed-off-by: Jorge Turrado Ferrero <Jorge_turrado@hotmail.es>
Signed-off-by: Zbynek Roubalik <zroubalik@gmail.com>
Co-authored-by: Zbynek Roubalik <zroubalik@gmail.com>

CHANGELOG.md

@@ -62,6 +62,7 @@ Here is an overview of all new **experimental** features:
 
 - **General**: Add a warning when KEDA run outside supported k8s versions ([#4130](https://github.com/kedacore/keda/issues/4130))
 - **General**: Use (self-signed) certificates for all the communications (internals and externals) ([#3931](https://github.com/kedacore/keda/issues/3931))
+- **General**: Use TLS1.2 as minimum TLS version ([#4193](https://github.com/kedacore/keda/issues/4193))
 - **Azure Pipelines Scaler**: Improve error logging for `validatePoolID` ([#3996](https://github.com/kedacore/keda/issues/3996))
 - **Azure Pipelines Scaler**: New configuration parameter `requireAllDemands` to scale only if jobs request all demands provided by the scaling definition ([#4138](https://github.com/kedacore/keda/issues/4138))
 - **Hashicorp Vault**: Add support to secrets backend version 1 ([#2645](https://github.com/kedacore/keda/issues/2645))

pkg/scalers/authentication/authentication_helpers.go

@@ -94,7 +94,10 @@ func NewTLSConfig(auth *AuthMeta) (*tls.Config, error) {
 }
 
 func CreateHTTPRoundTripper(roundTripperType TransportType, auth *AuthMeta, conf ...*HTTPTransport) (rt http.RoundTripper, err error) {
-	tlsConfig := &tls.Config{InsecureSkipVerify: false}
+	tlsConfig := &tls.Config{
+		MinVersion:         kedautil.GetMinTLSVersion(),
+		InsecureSkipVerify: false,
+	}
 	if auth != nil && (auth.CA != "" || auth.EnableTLS) {
 		tlsConfig, err = NewTLSConfig(auth)
 		if err != nil || tlsConfig == nil {

pkg/scalers/elasticsearch_scaler.go

@@ -244,7 +244,10 @@ func newElasticsearchClient(meta *elasticsearchMetadata, logger logr.Logger) (*e
 	}
 
 	transport := http.DefaultTransport.(*http.Transport)
-	transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: meta.unsafeSsl}
+	transport.TLSClientConfig = &tls.Config{
+		MinVersion:         kedautil.GetMinTLSVersion(),
+		InsecureSkipVerify: meta.unsafeSsl,
+	}
 	config.Transport = transport
 
 	esClient, err := elasticsearch.NewClient(config)

pkg/scalers/ibmmq_scaler.go

@@ -179,7 +179,10 @@ func (s *IBMMQScaler) getQueueDepthViaHTTP(ctx context.Context) (int64, error) {
 	req.SetBasicAuth(s.metadata.username, s.metadata.password)
 
 	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: s.metadata.tlsDisabled},
+		TLSClientConfig: &tls.Config{
+			MinVersion:         kedautil.GetMinTLSVersion(),
+			InsecureSkipVerify: s.metadata.tlsDisabled,
+		},
 	}
 	client := kedautil.CreateHTTPClient(s.defaultHTTPTimeout, false)
 	client.Transport = tr

pkg/scalers/influxdb_scaler.go

@@ -52,7 +52,10 @@ func NewInfluxDBScaler(config *ScalerConfig) (Scaler, error) {
 	client := influxdb2.NewClientWithOptions(
 		meta.serverURL,
 		meta.authToken,
-		influxdb2.DefaultOptions().SetTLSConfig(&tls.Config{InsecureSkipVerify: meta.unsafeSsl}))
+		influxdb2.DefaultOptions().SetTLSConfig(&tls.Config{
+			MinVersion:         kedautil.GetMinTLSVersion(),
+			InsecureSkipVerify: meta.unsafeSsl,
+		}))
 
 	return &influxDBScaler{
 		client:     client,

pkg/scalers/predictkube_scaler.go

@@ -113,6 +113,7 @@ func (s *PredictKubeScaler) setupClientConn() error {
 	if !grpcConf.Conn.Insecure {
 		clientOpt = append(clientOpt, grpc.WithTransportCredentials(
 			credentials.NewTLS(&tls.Config{
+				MinVersion: kedautil.GetMinTLSVersion(),
 				ServerName: mlEngineHost,
 			}),
 		))

pkg/scalers/redis_scaler.go

@@ -465,6 +465,7 @@ func getRedisClusterClient(ctx context.Context, info redisConnectionInfo) (*redi
 	}
 	if info.enableTLS {
 		options.TLSConfig = &tls.Config{
+			MinVersion:         kedautil.GetMinTLSVersion(),
 			InsecureSkipVerify: info.unsafeSsl,
 		}
 	}
@@ -489,6 +490,7 @@ func getRedisSentinelClient(ctx context.Context, info redisConnectionInfo, dbInd
 	}
 	if info.enableTLS {
 		options.TLSConfig = &tls.Config{
+			MinVersion:         kedautil.GetMinTLSVersion(),
 			InsecureSkipVerify: info.unsafeSsl,
 		}
 	}
@@ -510,6 +512,7 @@ func getRedisClient(ctx context.Context, info redisConnectionInfo, dbIndex int)
 	}
 	if info.enableTLS {
 		options.TLSConfig = &tls.Config{
+			MinVersion:         kedautil.GetMinTLSVersion(),
 			InsecureSkipVerify: info.unsafeSsl,
 		}
 	}

pkg/util/http.go

@@ -18,18 +18,48 @@ package util
 
 import (
 	"crypto/tls"
+	"fmt"
 	"net/http"
+	"os"
 	"time"
+
+	"github.com/go-logr/logr"
+	ctrl "sigs.k8s.io/controller-runtime"
 )
 
 var disableKeepAlives bool
+var minTLSVersion uint16
 
 func init() {
+	setupLog := ctrl.Log.WithName("http_setup")
 	var err error
 	disableKeepAlives, err = ResolveOsEnvBool("KEDA_HTTP_DISABLE_KEEP_ALIVE", false)
 	if err != nil {
 		disableKeepAlives = false
 	}
+
+	minTLSVersion = initMinTLSVersion(setupLog)
+}
+
+func initMinTLSVersion(logger logr.Logger) uint16 {
+	version, found := os.LookupEnv("KEDA_HTTP_MIN_TLS_VERSION")
+	minVersion := tls.VersionTLS12
+	if found {
+		switch version {
+		case "TLS13":
+			minVersion = tls.VersionTLS13
+		case "TLS12":
+			minVersion = tls.VersionTLS12
+		case "TLS11":
+			minVersion = tls.VersionTLS11
+		case "TLS10":
+			minVersion = tls.VersionTLS10
+		default:
+			logger.Info(fmt.Sprintf("%s is not a valid value, using `TLS12`. Allowed values are: `TLS13`,`TLS12`,`TLS11`,`TLS10`", version))
+			minVersion = tls.VersionTLS12
+		}
+	}
+	return uint16(minVersion)
 }
 
 // HTTPDoer is an interface that matches the Do method on
@@ -48,8 +78,11 @@ func CreateHTTPClient(timeout time.Duration, unsafeSsl bool) *http.Client {
 		timeout = 300 * time.Millisecond
 	}
 	transport := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: unsafeSsl},
-		Proxy:           http.ProxyFromEnvironment,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: unsafeSsl,
+			MinVersion:         GetMinTLSVersion(),
+		},
+		Proxy: http.ProxyFromEnvironment,
 	}
 	if disableKeepAlives {
 		// disable keep http connection alive
@@ -62,3 +95,7 @@ func CreateHTTPClient(timeout time.Duration, unsafeSsl bool) *http.Client {
 	}
 	return httpClient
 }
+
+func GetMinTLSVersion() uint16 {
+	return minTLSVersion
+}

pkg/util/http_test.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2023 The KEDA Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"crypto/tls"
+	"os"
+	"testing"
+
+	"github.com/go-logr/logr"
+)
+
+type minTLSVersionTestData struct {
+	envSet          bool
+	envValue        string
+	expectedVersion uint16
+}
+
+var minTLSVersionTestDatas = []minTLSVersionTestData{
+	{
+		envSet:          true,
+		envValue:        "TLS10",
+		expectedVersion: tls.VersionTLS10,
+	},
+	{
+		envSet:          true,
+		envValue:        "TLS11",
+		expectedVersion: tls.VersionTLS11,
+	},
+	{
+		envSet:          true,
+		envValue:        "TLS12",
+		expectedVersion: tls.VersionTLS12,
+	},
+	{
+		envSet:          true,
+		envValue:        "TLS13",
+		expectedVersion: tls.VersionTLS13,
+	},
+	{
+		envSet:          false,
+		expectedVersion: tls.VersionTLS12,
+	},
+}
+
+func TestResolveMinTLSVersion(t *testing.T) {
+	defer os.Unsetenv("KEDA_HTTP_MIN_TLS_VERSION")
+	for _, testData := range minTLSVersionTestDatas {
+		os.Unsetenv("KEDA_HTTP_MIN_TLS_VERSION")
+		if testData.envSet {
+			os.Setenv("KEDA_HTTP_MIN_TLS_VERSION", testData.envValue)
+		}
+		minVersion := initMinTLSVersion(logr.Discard())
+
+		if testData.expectedVersion != minVersion {
+			t.Error("Failed to resolve minTLSVersion correctly", "wants", testData.expectedVersion, "got", minVersion)
+		}
+	}
+}

pkg/util/tls_config.go

@@ -54,7 +54,9 @@ func decryptClientKey(clientKey, clientKeyPassword string) ([]byte, error) {
 func NewTLSConfigWithPassword(clientCert, clientKey, clientKeyPassword, caCert string) (*tls.Config, error) {
 	valid := false
 
-	config := &tls.Config{}
+	config := &tls.Config{
+		MinVersion: GetMinTLSVersion(),
+	}
 
 	if clientCert != "" && clientKey != "" {
 		key := []byte(clientKey)