feat: TLS configuration and Dockerfile

Corrected the TLS configuration and updated the Dockerfile. Contributes to: ibm-saas-platform/workitems#6088 Signed-off-by: Sujeily Fonseca <sujeily.fonseca@ibm.com>
sujeilyfonseca · Mar 5, 2024 · 31c7fde · 31c7fde
1 parent d8325fc
commit 31c7fde
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 16 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,10 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:22.04
+ARG BASE_IMAGE=docker.io/library/ubuntu:22.04@sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.22.0 AS builder
+FROM docker.io/library/golang:1.21.3@sha256:02d7116222536a5cf0fcf631f90b507758b669648e0f20186d2dc94a9b419a9b AS builder
 
 LABEL org.opencontainers.image.source="https://github.ibm.com/ibm-saas-platform/argo-cd" \
       author="Argo CD" \
@@ -58,12 +58,8 @@ RUN groupadd -g $ARGOCD_USER_ID argocd && \
     chmod g=u /home/argocd && \
     apt-get update && \
     apt-get dist-upgrade -y && \
-    apt-get install -y git tini gpg tzdata wget && \
-    # START - Install git-lfs
-    wget https://github.com/git-lfs/git-lfs/releases/download/v3.4.1/git-lfs-linux-amd64-v3.4.1.tar.gz && \
-    tar -xvf git-lfs-linux-amd64-v3.4.1.tar.gz && \
-    cp ./git-lfs-3.4.1/git-lfs /usr/bin/git-lfs && \
-    # END - Install git-lfs
+    apt-get install -y \
+    git git-lfs tini gpg tzdata && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
@@ -72,10 +68,10 @@ COPY hack/git-verify-wrapper.sh /usr/local/bin/git-verify-wrapper.sh
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
-# Keep uid_entrypoint.sh for backward compatibility
+# keep uid_entrypoint.sh for backward compatibility
 RUN ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh
 
-# Support for mounting configuration from a configmap
+# support for mounting configuration from a configmap
 WORKDIR /app/config/ssh
 RUN touch ssh_known_hosts && \
     ln -s /app/config/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts
@@ -95,7 +91,7 @@ WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:20.11.1 AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:20.6.1@sha256:14bd39208dbc0eb171cbfb26ccb9ac09fa1b2eba04ccd528ab5d12983fd9ee24 AS argocd-ui
 
 WORKDIR /src
 COPY ["ui/package.json", "ui/yarn.lock", "./"]
@@ -113,7 +109,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.22.0 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21.3@sha256:02d7116222536a5cf0fcf631f90b507758b669648e0f20186d2dc94a9b419a9b AS argocd-build
 
 WORKDIR /go/src/github.com/argoproj/argo-cd
 

diff --git a/reposerver/apiclient/clientset.go b/reposerver/apiclient/clientset.go
@@ -70,7 +70,7 @@ func NewConnection(address string, timeoutSeconds int, tlsConfig *TLSConfigurati
 		grpc.WithStreamInterceptor(argogrpc.OTELStreamClientInterceptor()),
 	}
 
-	tlsC := &tls.Config{MinVersion: tls.VersionTLS12}
+	tlsC := &tls.Config{}
 	if !tlsConfig.DisableTLS {
 		if !tlsConfig.StrictValidation {
 			tlsC.InsecureSkipVerify = true

diff --git a/util/cache/cache.go b/util/cache/cache.go
@@ -105,7 +105,7 @@ func AddCacheFlagsToCmd(cmd *cobra.Command, opts ...func(client *redis.Client))
 	return func() (*Cache, error) {
 		var tlsConfig *tls.Config = nil
 		if redisUseTLS {
-			tlsConfig = &tls.Config{MinVersion: tls.VersionTLS12}
+			tlsConfig = &tls.Config{}
 			if redisClientCertificate != "" {
 				clientCert, err := tls.LoadX509KeyPair(redisClientCertificate, redisClientKey)
 				if err != nil {

diff --git a/util/settings/settings.go b/util/settings/settings.go
@@ -1893,7 +1893,6 @@ func (a *ArgoCDSettings) TLSConfig() *tls.Config {
 	}
 	return &tls.Config{
 		RootCAs: certPool,
-		MinVersion: tls.VersionTLS12,
 	}
 }
 

diff --git a/util/tls/tls.go b/util/tls/tls.go
@@ -432,5 +432,5 @@ func CreateServerTLSConfig(tlsCertPath, tlsKeyPath string, hosts []string) (*tls
 		cert = &c
 	}
 
-	return &tls.Config{Certificates: []tls.Certificate{*cert}, MinVersion: tls.VersionTLS12}, nil
+	return &tls.Config{Certificates: []tls.Certificate{*cert}}, nil
 }