From 6964d846d60af4500cbea32333b561ccdaf960d6 Mon Sep 17 00:00:00 2001
From: Shane Utt
Date: Thu, 5 Aug 2021 17:43:10 -0400
Subject: [PATCH] fix: support TLS v1.2 minimum for admission server

This is in direct response to the gosec lint which we disabled due to backwards compatibility issues in the v1.3.x releases of KIC, but now with KIC v2 on the horizon it's time to pull off the band-aid.
---
 CHANGELOG.md | 6 ++++++
 internal/admission/server.go | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1c63b85c95..34c79bf58a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,6 +46,12 @@ until the resource has been corrected.
 [#550](https://github.com/Kong/kubernetes-ingress-controller/issues/550)
+#### Breaking changes
+- TLS v1.2+ compatible clients are required now going forward in order
+ to do SSL negotiations with the webhook admission server.
+ [#1065](https://github.com/Kong/kubernetes-ingress-controller/issues/1065)
+
 ## [2.0.0-alpha.3] - 2021/08/02
 #### Breaking changes
diff --git a/internal/admission/server.go b/internal/admission/server.go
index 94da714906..bf5da2b714 100644
--- a/internal/admission/server.go
+++ b/internal/admission/server.go
@@ -79,7 +79,8 @@ func (sc *ServerConfig) toTLSConfig() (*tls.Config, error) {
 	if err != nil {
 		return nil, fmt.Errorf("X509KeyPair error: %w", err)
 	}
-	return &tls.Config{ //nolint:gosec
+	return &tls.Config{
+		MinVersion: tls.VersionTLS12,
 		Certificates: []tls.Certificate{keyPair},
 	}, nil
 }
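Review bot: The added `MinVersion: tls.VersionTLS12` line in toTLSConfig carries no explanation, and with the `//nolint:gosec` marker gone there is no longer any trace in the code of why this floor exists or that it was deliberately deferred for compatibility in earlier releases. I would keep that history on the field itself, `MinVersion: tls.VersionTLS12, // gosec TLS-version floor; pre-1.2 clients are rejected, see CHANGELOG`. Since the commit body says this was skipped before for backwards compatibility, a small unit test that calls toTLSConfig and asserts `cfg.MinVersion == tls.VersionTLS12` would keep a future refactor from silently dropping the floor again. The cipher-suite selection is still Go's default for TLS 1.2 here, which is presumably fine for apiserver-originated webhook calls, but that assumption is worth a sentence in the doc comment so it is revisited if a restricted `CipherSuites` list is ever required. toTLSConfig's signature and the key-pair load precede the hunk.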