
Set explicit TLS minimum version for Quay HTTP client #315

Open
MartinBasti wants to merge 1 commit into konflux-ci:main from MartinBasti:min-ssl-version


@MartinBasti

Contributor

Explicitly set MinVersion to TLS 1.2 on the tls.Config used for the Quay HTTP client as a defense-in-depth measure against potential TLS downgrade.

Explicitly set MinVersion to TLS 1.2 on the tls.Config used for
the Quay HTTP client as a defense-in-depth measure against potential
TLS downgrade.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Martin Basti <mbasti@redhat.com>
@MartinBasti MartinBasti requested a review from a team as a code owner May 20, 2026 16:38
@qodo-code-review


Review Summary by Qodo

Enforce TLS 1.2 minimum version for Quay client

✨ Enhancement


Walkthroughs

Description
• Enforce TLS 1.2 minimum version for Quay HTTP client
• Adds defense-in-depth protection against TLS downgrade attacks
• Improves security posture of client connections
Diagram
flowchart LR
  A["TLS Configuration"] -- "Add MinVersion constraint" --> B["TLS 1.2 minimum enforced"]
  B -- "Prevents downgrade attacks" --> C["Enhanced security"]


File Changes

1. cmd/main.go ✨ Enhancement +2/-1

Add TLS 1.2 minimum version enforcement

• Added MinVersion: tls.VersionTLS12 to the tls.Config struct in buildQuayHttpClient()
• Explicitly sets TLS 1.2 as the minimum protocol version for Quay HTTP client connections
• Provides defense-in-depth protection against potential TLS downgrade vulnerabilities
• Minor formatting adjustment to align struct field assignments

cmd/main.go
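
An added example (not code from this PR or the image-controller repository) showing what the `MinVersion: tls.VersionTLS12` floor does at handshake time: a client with the floor refuses a server that offers at most TLS 1.1, while a client with a lower floor connects to it. `newClient` and `negotiate` are hypothetical names, and the server is a local `httptest` instance using its built-in test certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient is a hypothetical stand-in for the PR's buildQuayHttpClient():
// an HTTP client whose tls.Config carries an explicit protocol floor.
func newClient(roots *x509.CertPool, minVersion uint16) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: minVersion},
	}}
}

// negotiate starts a local test server that offers at most serverMax and
// returns the protocol version agreed with a client whose floor is clientMin.
func negotiate(serverMax, clientMin uint16) (uint16, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) }))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: serverMax}
	srv.StartTLS()
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the test server's certificate
	resp, err := newClient(roots, clientMin).Get(srv.URL)
	if err != nil {
		return 0, err // handshake refused: no protocol version in common
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

func main() {
	// Constructed scenarios: a legacy-only endpoint and a modern endpoint.
	for _, c := range []struct{ serverMax, clientMin uint16 }{
		{tls.VersionTLS11, tls.VersionTLS10}, // permissive floor: TLS 1.1 is accepted
		{tls.VersionTLS11, tls.VersionTLS12}, // floor from the PR: handshake refused
		{tls.VersionTLS13, tls.VersionTLS12}, // modern server: TLS 1.3 is negotiated
	} {
		v, err := negotiate(c.serverMax, c.clientMin)
		fmt.Printf("server max %#04x, client min %#04x -> %#04x, err=%v\n", c.serverMax, c.clientMin, v, err)
	}
}
```

Since Go 1.18 the `crypto/tls` client already defaults to a TLS 1.2 minimum when `MinVersion` is unset, so the explicit field pins that floor in the code instead of relying on the toolchain default.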



@qodo-code-review

qodo-code-review Bot commented May 20, 2026


Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)


Great, no issues found!

Qodo reviewed your code and found no material issues that require review


@MartinBasti

Contributor Author

/retest

@konflux-ci-qe-bot


Scenario: konflux-e2e-image-controller
@MartinBasti: The following test has Failed, say /retest to rerun failed tests.

| PipelineRun Name | Status | Rerun command | Build Log | Test Log |
| --- | --- | --- | --- | --- |
| konflux-e2e-image-controller-n25v7 | Failed | /retest | View Pipeline Log | View Test Logs |

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

  1. Install ORAS (see the ORAS installation guide).
  2. Download artifacts with the following commands:

     mkdir -p oras-artifacts
     cd oras-artifacts
     oras pull quay.io/konflux-test-storage/konflux-team/image-controller:konflux-e2e-image-controller-n25v7

Test results analysis

🚨 Error occurred while running the E2E tests, list of failed Spec(s):

➡️ [failed] [It] Image Controller E2E tests PaC component build when a new component without specified branch is created and with visibility private correctly targets the default branch (that is not named 'main') with PaC [image-controller, github-webhook, pac-build, pipeline, pac-custom-default-branch]


Unexpected error:
    <*errors.errorString | 0xc0003068f0>: 
    failed to create test namespace build-e2e-yapj: timeout waiting for service account konflux-integration-runner to be created in namespace build-e2e-yapj with error: context deadline exceeded
    {
        s: "failed to create test namespace build-e2e-yapj: timeout waiting for service account konflux-integration-runner to be created in namespace build-e2e-yapj with error: context deadline exceeded",
    }
occurred
