From dc0c0058d07bfeada0ff7ad8cb3c800997b32a6e Mon Sep 17 00:00:00 2001
From: Olivier Lemasle
Date: Mon, 28 Nov 2022 23:18:51 +0100
Subject: [PATCH] Set MinVersion: tls.VersionTLS12 in prometheus client's TLSClientConfig
Having no explicit MinVersion is reported by [gosec] as G402 (CWE-295): `TLS MinVersion too low` Using MinVersion: tls.VersionTLS12 because it's what client-go uses: cf https://github.com/kubernetes/client-go/blob/1ac8d459351e21458fd1041f41e43403eadcbdba/transport/transport.go#L92 That way, the Kubernetes API client and the Prometheus client in prometheus-adapter use the same TLS config MinVersion. [gosec]: https://github.com/securego/gosec
---
 cmd/adapter/adapter.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/cmd/adapter/adapter.go b/cmd/adapter/adapter.go
index 9c868a53..ad3bcf6d 100644
--- a/cmd/adapter/adapter.go
+++ b/cmd/adapter/adapter.go
@@ -408,10 +408,10 @@ func makePrometheusCAClient(caFilePath string, tlsCertFilePath string, tlsKeyFil
 }
 return &http.Client{
 Transport: &http.Transport{
- //nolint:gosec
 TLSClientConfig: &tls.Config{
 RootCAs: pool,
 Certificates: []tls.Certificate{tlsClientCerts},
+ MinVersion: tls.VersionTLS12,
 },
 },
 }, nil
@@ -419,9 +419,9 @@ func makePrometheusCAClient(caFilePath string, tlsCertFilePath string, tlsKeyFil

 return &http.Client{
 Transport: &http.Transport{
- //nolint:gosec
 TLSClientConfig: &tls.Config{
- RootCAs: pool,
+ RootCAs: pool,
+ MinVersion: tls.VersionTLS12,
 },
 },
 }, nil
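Review bot: The `http.Client` returned in this hunk still sets no `Timeout`, and the hand-built `http.Transport` has none of the dial or handshake limits that `http.DefaultTransport` configures. A Prometheus endpoint that accepts the connection and then stalls can therefore hold a query open, unless every caller passes a context deadline (not visible here). Since the TLS settings are being touched anyway, consider adding `TLSHandshakeTimeout: 10 * time.Second,` beside `TLSClientConfig` and a `Timeout` on the client. The same applies to the second return in the next hunk. The body of makePrometheusCAClient starts above this hunk, so confirm against the full function.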
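Review bot: `MinVersion: tls.VersionTLS12` is now spelled out separately in the mTLS return and in this CA-only return, so a later change to the TLS floor has to be made in two places and the two paths can drift apart. Building one `tls.Config` before the branch and setting `Certificates` on it only when a client pair is loaded would keep the policy in one spot. A short comment on the field would also carry the client-go rationale that currently lives only in the commit message. The branch condition and the certificate loading sit outside the visible hunks, so the sketch below leaves them as they are.

```go
tlsConfig := &tls.Config{
	RootCAs: pool,
	// Same floor as client-go's transport, so both clients agree.
	MinVersion: tls.VersionTLS12,
}
// … unchanged: branch that loads tlsClientCerts; it now only sets
// tlsConfig.Certificates = []tls.Certificate{tlsClientCerts} …
return &http.Client{
	Transport: &http.Transport{TLSClientConfig: tlsConfig},
}, nil
```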