diff --git a/cmd/vela-worker/flags.go b/cmd/vela-worker/flags.go
index cefbacf2..bce7284c 100644
--- a/cmd/vela-worker/flags.go
+++ b/cmd/vela-worker/flags.go
@@ -85,6 +85,12 @@ func flags() []cli.Flag {
 Name: "server.cert-key",
 Usage: "optional TLS certificate key",
 },
+ &cli.StringFlag{
+ EnvVars: []string{"WORKER_SERVER_TLS_MIN_VERSION", "VELA_SERVER_TLS_MIN_VERSION", "SERVER_TLS_MIN_VERSION"},
+ Name: "server.tls-min-version",
+ Usage: "optional TLS minimum version requirement",
+ Value: "1.2",
+ },
 }
 
 // Executor Flags
diff --git a/cmd/vela-worker/run.go b/cmd/vela-worker/run.go
index a709e27e..c7c1e289 100644
--- a/cmd/vela-worker/run.go
+++ b/cmd/vela-worker/run.go
@@ -130,6 +130,8 @@ func run(c *cli.Context) error {
 Cert: c.String("server.cert"),
 Key: c.String("server.cert-key"),
 },
+ // TLS minimum version enforced
+ TLSMinVersion: c.String("server.tls-min-version"),
 },
 Executors: make(map[int]executor.Engine),
 }
diff --git a/cmd/vela-worker/server.go b/cmd/vela-worker/server.go
index ee79aa95..cecd9210 100644
--- a/cmd/vela-worker/server.go
+++ b/cmd/vela-worker/server.go
@@ -5,6 +5,7 @@
 package main
 
 import (
+ "crypto/tls"
 "net/http"
 "os"
 "strings"
@@ -18,7 +19,7 @@ import (
 
 // server is a helper function to listen and serve
 // traffic for web and API requests for the Worker.
-func (w *Worker) server() (http.Handler, bool) {
+func (w *Worker) server() (http.Handler, *tls.Config) {
 // log a message indicating the setup of the server handlers
 //
 // https://pkg.go.dev/github.com/sirupsen/logrus?tab=doc#Trace
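Review bot: The Usage string of the new `server.tls-min-version` flag does not say which values are accepted, yet the worker refuses to start on anything other than the four strings handled in `server()` elsewhere in this commit. Because the default is "1.2" and the lower settings re-enable protocol versions deprecated by RFC 8996, spell that out where operators will read it: `Usage: "optional TLS minimum version requirement (one of 1.0, 1.1, 1.2, 1.3; 1.0 and 1.1 are deprecated)"`. The enclosing `flags()` function starts and ends outside the hunk.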
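Review bot: The doc comment above `server()` was not updated for the new `*tls.Config` return value, so a caller cannot tell from the signature what nil means without reading the body. The later hunk of this file returns nil on the plain-HTTP path and a populated config on the TLS path, so add a line to the comment such as `// The returned *tls.Config is nil when the worker serves plain HTTP; otherwise it carries the minimum TLS version the listener must enforce.`. The body of `server()` continues outside this hunk.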
@@ -56,10 +57,33 @@ func (w *Worker) server() (http.Handler, bool) {
 logrus.Fatal("unable to run with TLS: No certificate provided")
 }
 
- return _server, true
+ // define TLS config struct for server start up
+ tlsCfg := new(tls.Config)
+
+ // if a TLS minimum version is supplied, set that in the config
+ if len(w.Config.TLSMinVersion) > 0 {
+ var tlsVersion uint16
+
+ switch w.Config.TLSMinVersion {
+ case "1.0":
+ tlsVersion = tls.VersionTLS10
+ case "1.1":
+ tlsVersion = tls.VersionTLS11
+ case "1.2":
+ tlsVersion = tls.VersionTLS12
+ case "1.3":
+ tlsVersion = tls.VersionTLS13
+ default:
+ logrus.Fatal("invalid TLS minimum version supplied")
+ }
+
+ tlsCfg.MinVersion = tlsVersion
+ }
+
+ return _server, tlsCfg
 }
 
 // else serve over http
 // https://pkg.go.dev/github.com/gin-gonic/gin?tab=doc#Engine.Run
- return _server, false
+ return _server, nil
 }
diff --git a/cmd/vela-worker/start.go b/cmd/vela-worker/start.go
index 46193317..6f3b6077 100644
--- a/cmd/vela-worker/start.go
+++ b/cmd/vela-worker/start.go
@@ -32,11 +32,12 @@ func (w *Worker) Start() error {
 // https://pkg.go.dev/golang.org/x/sync/errgroup?tab=doc#Group
 g, gctx := errgroup.WithContext(ctx)
 
- httpHandler, tls := w.server()
+ httpHandler, tlsCfg := w.server()
 
 server := &http.Server{
 Addr: fmt.Sprintf(":%s", w.Config.API.Address.Port()),
 Handler: httpHandler,
+ TLSConfig: tlsCfg,
 ReadHeaderTimeout: 60 * time.Second,
 }
 
@@ -69,7 +70,7 @@ func (w *Worker) Start() error {
 g.Go(func() error {
 var err error
 logrus.Info("starting worker server")
- if tls {
+ if tlsCfg != nil {
 if err := server.ListenAndServeTLS(w.Config.Certificate.Cert, w.Config.Certificate.Key); !errors.Is(err, http.ErrServerClosed) {
 // log a message indicating the start of the server
 //
diff --git a/cmd/vela-worker/worker.go b/cmd/vela-worker/worker.go
index 32c1ce14..1d21e75c 100644
--- a/cmd/vela-worker/worker.go
+++ b/cmd/vela-worker/worker.go
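Review bot: When `w.Config.TLSMinVersion` is empty the `if len(...) > 0` guard skips the switch and `tlsCfg.MinVersion` stays 0, which hands version selection to the Go runtime default — on toolchains before Go 1.22 that is TLS 1.0 for servers — so an operator who clears the flag through an empty `WORKER_SERVER_TLS_MIN_VERSION` (if the CLI library treats a set-but-empty variable as a value, which I have not verified here) silently gets a weaker floor than the documented "1.2" default. Initialise the config with the intended floor rather than the zero value, `tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}`, and let the switch only move it from there. The `"1.0"` and `"1.1"` cases re-enable protocol versions deprecated by RFC 8996; since the flag deliberately permits them, at least make the downgrade visible, e.g. `logrus.Warn("TLS minimum version below 1.2 is deprecated (RFC 8996)")` inside those two cases. Nothing here constrains cipher suites or curves either, so the TLS 1.2 floor still admits whatever Go's default suite list offers for that version; that is acceptable for now but worth a comment so the next reader does not assume the config hardens more than the minimum version.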
@@ -46,16 +46,17 @@ type (
 
 // Config represents the worker configuration.
 Config struct {
- Mock bool // Mock should only be true for tests
- API *API
- Build *Build
- CheckIn time.Duration
- Executor *executor.Setup
- Logger *Logger
- Queue *queue.Setup
- Runtime *runtime.Setup
- Server *Server
- Certificate *Certificate
+ Mock bool // Mock should only be true for tests
+ API *API
+ Build *Build
+ CheckIn time.Duration
+ Executor *executor.Setup
+ Logger *Logger
+ Queue *queue.Setup
+ Runtime *runtime.Setup
+ Server *Server
+ Certificate *Certificate
+ TLSMinVersion string
 }
 
 // Worker represents all configuration and
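Review bot: The new `TLSMinVersion` field carries no comment, and its accepted values and its relationship to `Certificate` are only discoverable by reading the switch in server.go. Document it on the field so the contract lives next to the data: `TLSMinVersion string // minimum TLS version for the API listener ("1.0"-"1.3"); ignored when the worker serves plain HTTP`. The surrounding `type (` block starts outside the hunk.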