Require TLS when using curl (linkerd#1277)

Our usage of `curl` could be vulnerable to protocol downgrade attacks. This change updates most of our usage of curl--especially when fetching executable resources--with the following command-line flags: * `--proto '=https'` forces use of HTTPS. This ensures that dropping `https://` from a URL will cause the command to fail instead of reverting to use unsecured HTTP. * `--tlsv1.2` disables the use of older TLS versions. * `-f|--fail` ensures that curl does not output anything to stdout when a non-2xx response is received. * `-S|--show-error` causes errors to be printed to stderr (when `-s|--silent` is used). Related to linkerd/linkerd2#7593 Signed-off-by: Oliver Gould <[email protected]>
chetanpdeshmukh · Jan 20, 2022 · 6f6ae6e · 6f6ae6e
1 parent 950d6eb
commit 6f6ae6e
Show file tree

Hide file tree

Showing 41 changed files with 83 additions and 82 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,14 +10,14 @@ RUN apt-get update \
   && export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)" \
   && echo "deb https://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" \
     | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list \
-  && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg \
+  && curl --proto '=https' --tlsv1.2 -sSfL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
     | apt-key add - \
   && apt-get update \
   && apt-get install -y --no-install-recommends google-cloud-sdk \
   && wget https://github.com/gohugoio/hugo/releases/download/v0.61.0/hugo_extended_0.61.0_Linux-64bit.deb \
   && dpkg -i hugo*.deb \
   && rm hugo*.deb \
-  && curl https://htmltest.wjdp.uk | bash \
+  && curl --proto '=https' --tlsv1.2 -sSfL https://htmltest.wjdp.uk | bash \
   && mv bin/htmltest /usr/local/bin \
   && npm install -g markdownlint-cli \
   && rm -rf /var/lib/apt/lists/*
diff --git a/Makefile b/Makefile
@@ -77,7 +77,7 @@ endif
 check: build-linkerd.io
 	@# Check linkerd.io for valid links and standards
 ifndef HAS_HTMLTEST
-	@printf "Install htmltest first. curl https://htmltest.wjdp.uk | bash\n"; exit 1
+	@printf "Install htmltest first. curl --proto '=https' --tlsv1.2 -sSfL https://htmltest.wjdp.uk | bash\n"; exit 1
 endif
 	cd tmp/linkerd.io && htmltest
 

diff --git a/linkerd.io/content/2.10/getting-started/_index.md b/linkerd.io/content/2.10/getting-started/_index.md
@@ -58,7 +58,7 @@ allow you to interact with your Linkerd deployment.
 To install the CLI manually, run:
 
 ```bash
-curl -sL run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 Be sure to follow the instructions to add it to your path.
@@ -140,7 +140,7 @@ linkerd viz install | kubectl apply -f - # install the on-cluster metrics stack
 To install the buoyant-cloud extension, run:
 
 ```bash
-curl -sL buoyant.cloud/install | sh # get the installer
+curl --proto '=https' --tlsv1.2 -sSfL https://buoyant.cloud/install | sh # get the installer
 linkerd buoyant install | kubectl apply -f - # connect to the hosted metrics stack
 ```
 
@@ -192,7 +192,7 @@ users to vote on their favorite emojis.
 Install *emojivoto* into the `emojivoto` namespace by running:
 
 ```bash
-curl -sL run.linkerd.io/emojivoto.yml | kubectl apply -f -
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/emojivoto.yml | kubectl apply -f -
 ```
 
 Before we mesh it, let's take a look at the app. If you're using [Docker

diff --git a/linkerd.io/content/2.10/tasks/books.md b/linkerd.io/content/2.10/tasks/books.md
@@ -34,7 +34,7 @@ terminal, run:
 
 ```bash
 kubectl create ns booksapp && \
-  curl -sL https://run.linkerd.io/booksapp.yml \
+  curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp.yml \
   | kubectl -n booksapp apply -f -
 ```
 
@@ -167,7 +167,7 @@ demo has published specs for each of its services. You can create a service
 profile for `webapp` by running:
 
 ```bash
-curl -sL https://run.linkerd.io/booksapp/webapp.swagger \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp/webapp.swagger \
   | linkerd -n booksapp profile --open-api - webapp \
   | kubectl -n booksapp apply -f -
 ```
@@ -243,10 +243,10 @@ For this demo, the method is appended to the route regex.
 To get profiles for `authors` and `books`, you can run:
 
 ```bash
-curl -sL https://run.linkerd.io/booksapp/authors.swagger \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp/authors.swagger \
   | linkerd -n booksapp profile --open-api - authors \
   | kubectl -n booksapp apply -f -
-curl -sL https://run.linkerd.io/booksapp/books.swagger \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp/books.swagger \
   | linkerd -n booksapp profile --open-api - books \
   | kubectl -n booksapp apply -f -
 ```
@@ -466,7 +466,7 @@ the effective success rate for our route has dropped below 100%.
 To remove the books app and the booksapp namespace from your cluster, run:
 
 ```bash
-curl -sL https://run.linkerd.io/booksapp.yml \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp.yml \
   | kubectl -n booksapp delete -f - \
   && kubectl delete ns booksapp
 ```
diff --git a/linkerd.io/content/2.10/tasks/extensions.md b/linkerd.io/content/2.10/tasks/extensions.md
@@ -43,7 +43,7 @@ extension, but doesn't require it. To install this extension, run:
 
 ```bash
 ## optional
-curl -sL buoyant.cloud/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://buoyant.cloud/install | sh
 linkerd buoyant install | kubectl apply -f - # hosted metrics dashboard
 ```
 

diff --git a/linkerd.io/content/2.10/tasks/linkerd-smi.md b/linkerd.io/content/2.10/tasks/linkerd-smi.md
@@ -38,7 +38,7 @@ a `TrafficSplit` specification, to perform Traffic Splitting across services.
 Install the SMI extension CLI binary by running:
 
 ```bash
-curl -sL https://linkerd.github.io/linkerd-smi/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://linkerd.github.io/linkerd-smi/install | sh
 ```
 
 Alternatively, you can download the CLI directly via the [releases page](https://github.com/linkerd/linkerd-smi/releases).

diff --git a/linkerd.io/content/2.10/tasks/troubleshooting.md b/linkerd.io/content/2.10/tasks/troubleshooting.md
@@ -2027,7 +2027,7 @@ linkerd-buoyant check
 To install the CLI:
 
 ```bash
-curl https://buoyant.cloud/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://buoyant.cloud/install | sh
 ```
 
 ### √ linkerd-buoyant can determine the latest version
@@ -2042,7 +2042,7 @@ Ensure you can connect to the Linkerd Buoyant version check endpoint from the
 environment the `linkerd` cli is running:
 
 ```bash
-$ curl https://buoyant.cloud/version.json
+$ curl --proto '=https' --tlsv1.2 -sSfL https://buoyant.cloud/version.json
 {"linkerd-buoyant":"v0.4.4"}
 ```
 
@@ -2057,7 +2057,7 @@ $ curl https://buoyant.cloud/version.json
 To update to the latest version of the `linkerd-buoyant` CLI:
 
 ```bash
-curl https://buoyant.cloud/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://buoyant.cloud/install | sh
 ```
 
 ### √ buoyant-cloud Namespace exists

diff --git a/linkerd.io/content/2.10/tasks/upgrade.md b/linkerd.io/content/2.10/tasks/upgrade.md
@@ -42,7 +42,7 @@ free to skip to the [Helm section](#with-helm).
 To upgrade the CLI locally, run:
 
 ```bash
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 Alternatively, you can download the CLI directly via the
@@ -465,7 +465,7 @@ are retained.
 
 ```bash
 # get the latest stable CLI
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 {{< note >}} The linkerd cli installer installs the CLI binary into a
@@ -532,7 +532,7 @@ are retained.
 
 ```bash
 # get the latest stable CLI
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 For Kubernetes 1.12+:
@@ -634,7 +634,7 @@ kubectl -n linkerd delete deploy/linkerd-ca
 
 ```bash
 # get the latest stable
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 
 # upgrade the control plane
 linkerd upgrade | kubectl apply --prune -l linkerd.io/control-plane-ns=linkerd -f -
@@ -727,7 +727,7 @@ information on disk, such as using tools like
 
 ```bash
 # get the latest stable
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 
 # Install stable control plane, using flags previously supplied during
 # installation.
@@ -787,7 +787,7 @@ these instructions for anywhere that uses the linkerd CLI.
 To upgrade the CLI locally, run:
 
 ```bash
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 Alternatively, you can download the CLI directly via the

diff --git a/linkerd.io/content/2.10/tasks/validating-your-traffic.md b/linkerd.io/content/2.10/tasks/validating-your-traffic.md
@@ -106,7 +106,7 @@ service mesh itself. For example, with our [*emojivoto* demo
 application](../../getting-started/), we can add the debug sidecar by running:
 
 ```bash
-curl -sL https://run.linkerd.io/emojivoto.yml \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/emojivoto.yml \
   | linkerd inject --enable-debug-sidecar - \
   | kubectl apply -f -
 ```

diff --git a/linkerd.io/content/2.11/getting-started/_index.md b/linkerd.io/content/2.11/getting-started/_index.md
@@ -58,7 +58,7 @@ your Linkerd deployment.
 To install the CLI manually, run:
 
 ```bash
-curl -fsL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 Be sure to follow the instructions to add it to your path.
@@ -134,7 +134,8 @@ allow the user to vote on their favorite emojis.
 Install Emojivoto into the `emojivoto` namespace by running:
 
 ```bash
-curl -fsL https://run.linkerd.io/emojivoto.yml | kubectl apply -f -
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/emojivoto.yml \
+  | kubectl apply -f -
 ```
 
 This command installs Emojivoto onto your cluster, but Linkerd hasn't been
@@ -217,7 +218,7 @@ linkerd viz install | kubectl apply -f - # install the on-cluster metrics stack
 To install the buoyant-cloud extension, run:
 
 ```bash
-curl -fsL https://buoyant.cloud/install | sh # get the installer
+curl --proto '=https' --tlsv1.2 -sSfL https://buoyant.cloud/install | sh # get the installer
 linkerd buoyant install | kubectl apply -f - # connect to the hosted metrics stack
 ```
 

diff --git a/linkerd.io/content/2.11/tasks/books.md b/linkerd.io/content/2.11/tasks/books.md
@@ -34,7 +34,7 @@ terminal, run:
 
 ```bash
 kubectl create ns booksapp && \
-  curl -sL https://run.linkerd.io/booksapp.yml \
+  curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp.yml \
   | kubectl -n booksapp apply -f -
 ```
 
@@ -167,7 +167,7 @@ demo has published specs for each of its services. You can create a service
 profile for `webapp` by running:
 
 ```bash
-curl -sL https://run.linkerd.io/booksapp/webapp.swagger \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp/webapp.swagger \
   | linkerd -n booksapp profile --open-api - webapp \
   | kubectl -n booksapp apply -f -
 ```
@@ -243,10 +243,10 @@ For this demo, the method is appended to the route regex.
 To get profiles for `authors` and `books`, you can run:
 
 ```bash
-curl -sL https://run.linkerd.io/booksapp/authors.swagger \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp/authors.swagger \
   | linkerd -n booksapp profile --open-api - authors \
   | kubectl -n booksapp apply -f -
-curl -sL https://run.linkerd.io/booksapp/books.swagger \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp/books.swagger \
   | linkerd -n booksapp profile --open-api - books \
   | kubectl -n booksapp apply -f -
 ```
@@ -466,7 +466,7 @@ the effective success rate for our route has dropped below 100%.
 To remove the books app and the booksapp namespace from your cluster, run:
 
 ```bash
-curl -sL https://run.linkerd.io/booksapp.yml \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/booksapp.yml \
   | kubectl -n booksapp delete -f - \
   && kubectl delete ns booksapp
 ```
diff --git a/linkerd.io/content/2.11/tasks/extensions.md b/linkerd.io/content/2.11/tasks/extensions.md
@@ -43,7 +43,7 @@ extension, but doesn't require it. To install this extension, run:
 
 ```bash
 ## optional
-curl -sL buoyant.cloud/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL buoyant.cloud/install | sh
 linkerd buoyant install | kubectl apply -f - # hosted metrics dashboard
 ```
 

diff --git a/linkerd.io/content/2.11/tasks/linkerd-smi.md b/linkerd.io/content/2.11/tasks/linkerd-smi.md
@@ -38,7 +38,7 @@ a `TrafficSplit` specification, to perform Traffic Splitting across services.
 Install the SMI extension CLI binary by running:
 
 ```bash
-curl -sL https://linkerd.github.io/linkerd-smi/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://linkerd.github.io/linkerd-smi/install | sh
 ```
 
 Alternatively, you can download the CLI directly via the [releases page](https://github.com/linkerd/linkerd-smi/releases).

diff --git a/linkerd.io/content/2.11/tasks/upgrade.md b/linkerd.io/content/2.11/tasks/upgrade.md
@@ -43,7 +43,7 @@ free to skip to the [Helm section](#with-helm).
 To upgrade the CLI locally, run:
 
 ```bash
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 Alternatively, you can download the CLI directly via the
@@ -549,7 +549,7 @@ are retained.
 
 ```bash
 # get the latest stable CLI
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 {{< note >}} The linkerd cli installer installs the CLI binary into a
@@ -616,7 +616,7 @@ are retained.
 
 ```bash
 # get the latest stable CLI
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 For Kubernetes 1.12+:
@@ -718,7 +718,7 @@ kubectl -n linkerd delete deploy/linkerd-ca
 
 ```bash
 # get the latest stable
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 
 # upgrade the control plane
 linkerd upgrade | kubectl apply --prune -l linkerd.io/control-plane-ns=linkerd -f -
@@ -811,7 +811,7 @@ information on disk, such as using tools like
 
 ```bash
 # get the latest stable
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 
 # Install stable control plane, using flags previously supplied during
 # installation.
@@ -871,7 +871,7 @@ these instructions for anywhere that uses the linkerd CLI.
 To upgrade the CLI locally, run:
 
 ```bash
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 Alternatively, you can download the CLI directly via the

diff --git a/linkerd.io/content/2.11/tasks/validating-your-traffic.md b/linkerd.io/content/2.11/tasks/validating-your-traffic.md
@@ -106,7 +106,7 @@ service mesh itself. For example, with our [*emojivoto* demo
 application](../../getting-started/), we can add the debug sidecar by running:
 
 ```bash
-curl -sL https://run.linkerd.io/emojivoto.yml \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/emojivoto.yml \
   | linkerd inject --enable-debug-sidecar - \
   | kubectl apply -f -
 ```

diff --git a/linkerd.io/content/2.9/getting-started/_index.md b/linkerd.io/content/2.9/getting-started/_index.md
@@ -54,7 +54,7 @@ Linkerd, including installing the control plane onto your Kubernetes cluster.
 To install the CLI manually, run:
 
 ```bash
-curl -sL https://run.linkerd.io/install | sh
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh
 ```
 
 Alternatively, you can download the CLI directly via the
@@ -178,7 +178,7 @@ users to vote on their favorite emojis.
 Install *emojivoto* into the `emojivoto` namespace by running:
 
 ```bash
-curl -sL https://run.linkerd.io/emojivoto.yml \
+curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/emojivoto.yml \
   | kubectl apply -f -
 ```