Change TLS MinVersion to tls.VersionTLS12 in order to make Triggers run on OCP where FIPS enabled

[savitaashture]

Changes

• Fixes: tls: client offered only unsupported versions #1463 this issue occurs on Openshift cluster where fips are enabled

  Issue: http: TLS handshake error from 10.128.2.1:36306: tls: client offered only unsupported versions: [303]
  RCA:

  1. During peer-peer https communication, when TLS handshake is happening, at a stage where both server and client mutually agree for a common TLS version and cipher,, The Triggers Interceptor server is enabled or only allow TLS 1.3 and corresponding ciphers today, where the client(OCP) giving a TLS 1.2 tls version and cipher(Based on error http: TLS handshake error from 10.128.2.1:36306: tls: client offered only unsupported versions: [303] Ref,)
     which result in the TLS handshake not happening as there is no mutual TLS version to negotiate from both (server and client ) side

  2. OCP uses MInTLS as 1.2 for all components

  Fix:

  1. Changed MinVersion to tls.VersionTLS12 and it works on both K8S and OCP

• Moved config/interceptors/interceptor-secrets.yaml to config/interceptors/00-interceptor-secrets.yaml so that secrets will be created before core-intercetor pod start this solves issue like tekton-triggers-core-interceptors-certs not found

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices
• Release notes block has been filled in or deleted (only if no user facing changes)

See the contribution guide for more details.

Release Notes

Changed TLS MinVersion to `tls.VersionTLS12` in order to make Triggers run on OCP(Where FIPS enabled) as OCP uses MInTLS as 1.2 for all components

[savitaashture]

@dibyom @khrm we may need v0.22.2 patch release for this fix as its blocking to use Triggers on a cluster where fips are enabled

[khrm]

/approve

[khrm]

@savitaashture Removing min version in the tls, is flagged as a security issue by gosec. Does it really resolve FIPS?

[dibyom]

@savitaashture Removing min version in the tls, is flagged as a security issue by gosec. Does it really resolve FIPS?

+1. Don't know a lot about FIPS but from https://developers.redhat.com/articles/2022/05/31/your-go-application-fips-compliant it sounds like you have to build with a different set of crypto libraries for it to be FIPS compatible?

[savitaashture]

@savitaashture Removing min version in the tls, is flagged as a security issue by gosec. Does it really resolve FIPS?

+1. Don't know a lot about FIPS but from https://developers.redhat.com/articles/2022/05/31/your-go-application-fips-compliant it sounds like you have to build with a different set of crypto libraries for it to be FIPS compatible?

@khrm @dibyom Yes agree

Looked deeper and discussed with those who know about FIPS

Reason:

1. During peer-peer https communication, when TLS handshake is happening, at a stage where both server and client mutually agree for a common TLS version and cipher,, The Triggers Interceptor server is enabled or only allow TLS 1.3 and corresponding ciphers today, where the client(OCP) giving a TLS 1.2 tls version and cipher(Based on error http: TLS handshake error from 10.128.2.1:36306: tls: client offered only unsupported versions: [303] Ref,)
   which result in the TLS handshake not happening as there is no mutual TLS version to negotiate from both (server and client ) side

2. OCP uses MInTLS as 1.2 for all components

So now changed MinVersion to tls.VersionTLS12 and it works on both K8S and OCP

[khrm]

/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: khrm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [khrm]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[savitaashture]

@dibyom @khrm we may need v0.22.2 patch release for this fix as its blocking to use Triggers on a cluster where fips are enabled

We may need to do v0.21.x because this issue exist in v0.21.x as well

[dibyom]

Thanks @savitaashture - the explanation is very helpful. Can we update the PR description/commit message with this?
/lgtm
/hold
(feel free to cancel the hold when you have updated!)

[savitaashture]

Thanks @savitaashture - the explanation is very helpful. Can we update the PR description/commit message with this? /lgtm /hold (feel free to cancel the hold when you have updated!)

Thank you @dibyom

Updated commit message and Description

[savitaashture]

/test pull-tekton-triggers-integration-tests

[khrm]

/test pull-tekton-triggers-integration-tests

[khrm]

/test pull-tekton-triggers-integration-tests

[khrm]

/kind bug