feat(start/server): add minimum TLS version of 1.2 with option to set it differently

cmd/vela-worker/flags.go

@@ -85,6 +85,12 @@ func flags() []cli.Flag {
 			Name:    "server.cert-key",
 			Usage:   "optional TLS certificate key",
 		},
+		&cli.StringFlag{
+			EnvVars: []string{"WORKER_SERVER_TLS_MIN_VERSION", "VELA_SERVER_TLS_MIN_VERSION", "SERVER_TLS_MIN_VERSION"},
+			Name:    "server.tls-min-version",
+			Usage:   "optional TLS minimum version requirement",
+			Value:   "1.2",
+		},
 	}
 
 	// Executor Flags

cmd/vela-worker/run.go

@@ -130,6 +130,8 @@ func run(c *cli.Context) error {
 				Cert: c.String("server.cert"),
 				Key:  c.String("server.cert-key"),
 			},
+			// TLS minimum version enforced
+			TLSMinVersion: c.String("server.tls-min-version"),
 		},
 		Executors: make(map[int]executor.Engine),
 	}

cmd/vela-worker/server.go

@@ -5,6 +5,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"net/http"
 	"os"
 	"strings"
@@ -18,7 +19,7 @@ import (
 
 // server is a helper function to listen and serve
 // traffic for web and API requests for the Worker.
-func (w *Worker) server() (http.Handler, bool) {
+func (w *Worker) server() (http.Handler, *tls.Config) {
 	// log a message indicating the setup of the server handlers
 	//
 	// https://pkg.go.dev/github.com/sirupsen/logrus?tab=doc#Trace
@@ -56,10 +57,33 @@ func (w *Worker) server() (http.Handler, bool) {
 			logrus.Fatal("unable to run with TLS: No certificate provided")
 		}
 
-		return _server, true
+		// define TLS config struct for server start up
+		tlsCfg := new(tls.Config)
+
+		// if a TLS minimum version is supplied, set that in the config
+		if len(w.Config.TLSMinVersion) > 0 {
+			var tlsVersion uint16
+
+			switch w.Config.TLSMinVersion {
+			case "1.0":
+				tlsVersion = tls.VersionTLS10
+			case "1.1":
+				tlsVersion = tls.VersionTLS11
+			case "1.2":
+				tlsVersion = tls.VersionTLS12
+			case "1.3":
+				tlsVersion = tls.VersionTLS13
+			default:
+				logrus.Fatal("invalid TLS minimum version supplied")
+			}
+
+			tlsCfg.MinVersion = tlsVersion
+		}
+
+		return _server, tlsCfg
 	}
 
 	// else serve over http
 	// https://pkg.go.dev/github.com/gin-gonic/gin?tab=doc#Engine.Run
-	return _server, false
+	return _server, nil
 }

cmd/vela-worker/start.go

@@ -32,11 +32,12 @@ func (w *Worker) Start() error {
 	// https://pkg.go.dev/golang.org/x/sync/errgroup?tab=doc#Group
 	g, gctx := errgroup.WithContext(ctx)
 
-	httpHandler, tls := w.server()
+	httpHandler, tlsCfg := w.server()
 
 	server := &http.Server{
 		Addr:              fmt.Sprintf(":%s", w.Config.API.Address.Port()),
 		Handler:           httpHandler,
+		TLSConfig:         tlsCfg,
 		ReadHeaderTimeout: 60 * time.Second,
 	}
 
@@ -69,7 +70,7 @@ func (w *Worker) Start() error {
 	g.Go(func() error {
 		var err error
 		logrus.Info("starting worker server")
-		if tls {
+		if tlsCfg != nil {
 			if err := server.ListenAndServeTLS(w.Config.Certificate.Cert, w.Config.Certificate.Key); !errors.Is(err, http.ErrServerClosed) {
 				// log a message indicating the start of the server
 				//

cmd/vela-worker/worker.go

@@ -46,16 +46,17 @@ type (
 
 	// Config represents the worker configuration.
 	Config struct {
-		Mock        bool // Mock should only be true for tests
-		API         *API
-		Build       *Build
-		CheckIn     time.Duration
-		Executor    *executor.Setup
-		Logger      *Logger
-		Queue       *queue.Setup
-		Runtime     *runtime.Setup
-		Server      *Server
-		Certificate *Certificate
+		Mock          bool // Mock should only be true for tests
+		API           *API
+		Build         *Build
+		CheckIn       time.Duration
+		Executor      *executor.Setup
+		Logger        *Logger
+		Queue         *queue.Setup
+		Runtime       *runtime.Setup
+		Server        *Server
+		Certificate   *Certificate
+		TLSMinVersion string
 	}
 
 	// Worker represents all configuration and