🌱 Refactoring: never assign unacceptable TLS versions

[pierreprinetti]

What this PR does / why we need it:

Our downstream security scan is confused by GetTLSVersion returning 0 as a value (even if coupled by a non-nil error), which could end up being assigned to the same identifier that (in a non-error context) would set the TLS version.

This patch makes security linting easier by never setting a TLS version outside v1.2 or v1.3, even in case of an unacceptable user input.

Special notes for your reviewer:

This is expected to be a pure refactoring. Please reject this patch if it introduces any change in behaviour.

TODOs:

• squashed commits
• if necessary:
  • includes documentation
  • adds unit tests

/hold

Fixes: #2034

[netlify]

✅ Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

Name	Link
🔨 Latest commit	27526d5
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/662a79c8b541e500098bbd28
😎 Deploy Preview	https://deploy-preview-2037--kubernetes-sigs-cluster-api-openstack.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[mdbooth]

Thanks. Can you please do a couple of things for me before merging?

• Mark this as fixing Static analyser gets confused about minimum TLS version #2034 in the description.
• Add a comment in the affected function which explains why the code is a bit weird. Something like: "To make a static analyzer happy, ensure there is no code path...". That'll be a bit more discoverable than the commit message.

[pierreprinetti]

• To make a static analyzer happy, ensure there is no code path

done. PTAL

[mdbooth]

/approve

Thank you!

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mdbooth

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mdbooth]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[pierreprinetti]

/hold cancel
I think this is ready for a review.

[MaysaMacedo]

/lgtm

[pierreprinetti]

/hold
good that I fixed the tests

[EmilienM]

tests still failing. Happy to LGTM once they're fixed.

[pierreprinetti]

/hold cancel
🤞

[mdbooth]

Unit tests pass, and this PR doesn't do anything which should affect the e2e tests.

/lgtm

[EmilienM]

@pierreprinetti do we want/need it in release-0.10?

[pierreprinetti]

@pierreprinetti do we want/need it in release-0.10?

that'd be swell.

In the meantime, the bug has been validated by Snyk and reportedly passed on to their engineering.

[EmilienM]

/cherry-pick release-0.10

[k8s-infra-cherrypick-robot]

@EmilienM: new pull request created: #2062

In response to this:

/cherry-pick release-0.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.