From 74f81364adc10bc19fa431ad18f27161fea6c2f4 Mon Sep 17 00:00:00 2001
From: Marc Sluiter <msluiter@redhat.com>
Date: Fri, 20 Oct 2023 11:21:05 +0200
Subject: [PATCH] Disable HTTP/2

Signed-off-by: Marc Sluiter <msluiter@redhat.com>
---
 api/v1alpha1/nodehealthcheck_webhook.go | 25 ------------
 main.go                                 | 51 ++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 26 deletions(-)

diff --git a/api/v1alpha1/nodehealthcheck_webhook.go b/api/v1alpha1/nodehealthcheck_webhook.go
index 6ceadd54..b610dcd0 100644
--- a/api/v1alpha1/nodehealthcheck_webhook.go
+++ b/api/v1alpha1/nodehealthcheck_webhook.go
@@ -18,8 +18,6 @@ package v1alpha1
 
 import (
 	"fmt"
-	"os"
-	"path/filepath"
 	"reflect"
 	"time"
 
@@ -33,10 +31,6 @@ import (
 )
 
 const (
-	WebhookCertDir  = "/apiserver.local.config/certificates"
-	WebhookCertName = "apiserver.crt"
-	WebhookKeyName  = "apiserver.key"
-
 	OngoingRemediationError   = "prohibited due to running remediation"
 	minHealthyError           = "MinHealthy must not be negative"
 	invalidSelectorError      = "Invalid selector"
@@ -52,25 +46,6 @@ const (
 var nodehealthchecklog = logf.Log.WithName("nodehealthcheck-resource")
 
 func (nhc *NodeHealthCheck) SetupWebhookWithManager(mgr ctrl.Manager) error {
-
-	// check if OLM injected certs
-	certs := []string{filepath.Join(WebhookCertDir, WebhookCertName), filepath.Join(WebhookCertDir, WebhookKeyName)}
-	certsInjected := true
-	for _, fname := range certs {
-		if _, err := os.Stat(fname); err != nil {
-			certsInjected = false
-			break
-		}
-	}
-	if certsInjected {
-		server := mgr.GetWebhookServer()
-		server.CertDir = WebhookCertDir
-		server.CertName = WebhookCertName
-		server.KeyName = WebhookKeyName
-	} else {
-		nodehealthchecklog.Info("OLM injected certs for webhooks not found")
-	}
-
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(nhc).
 		Complete()
diff --git a/main.go b/main.go
index 3c0ced0f..8dff4e75 100644
--- a/main.go
+++ b/main.go
@@ -17,9 +17,11 @@ limitations under the License.
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"os"
+	"path/filepath"
 	"runtime"
 
 	// +kubebuilder:scaffold:imports
@@ -51,6 +53,12 @@ import (
 	"github.com/medik8s/node-healthcheck-operator/version"
 )
 
+const (
+	WebhookCertDir  = "/apiserver.local.config/certificates"
+	WebhookCertName = "apiserver.crt"
+	WebhookKeyName  = "apiserver.key"
+)
+
 var (
 	scheme   = pkgruntime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
@@ -72,11 +80,13 @@ func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
 	var probeAddr string
+	var enableHTTP2 bool
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", true,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
+	flag.BoolVar(&enableHTTP2, "enable-http2", false, "If HTTP/2 should be enabled for the metrics and webhook servers.")
 
 	opts := zap.Options{
 		Development: true,
@@ -90,7 +100,9 @@ func main() {
 	printVersion()
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme:                 scheme,
+		Scheme: scheme,
+		// HEADS UP: once controller runtime is updated and this changes to metrics.Options{},
+		// and in case you configure TLS / SecureServing, disable HTTP/2 in it for mitigating related CVEs!
 		MetricsBindAddress:     metricsAddr,
 		Port:                   9443,
 		HealthProbeBindAddress: probeAddr,
@@ -102,6 +114,8 @@ func main() {
 		os.Exit(1)
 	}
 
+	configureWebhookServer(mgr, enableHTTP2)
+
 	upgradeChecker, err := cluster.NewClusterUpgradeStatusChecker(mgr)
 	if err != nil {
 		setupLog.Error(err, "unable initialize cluster upgrade checker")
@@ -194,3 +208,38 @@ func printVersion() {
 	setupLog.Info(fmt.Sprintf("Git Commit: %s", version.GitCommit))
 	setupLog.Info(fmt.Sprintf("Build Date: %s", version.BuildDate))
 }
+
+func configureWebhookServer(mgr ctrl.Manager, enableHTTP2 bool) {
+
+	server := mgr.GetWebhookServer()
+
+	// check for OLM injected certs
+	certs := []string{filepath.Join(WebhookCertDir, WebhookCertName), filepath.Join(WebhookCertDir, WebhookKeyName)}
+	certsInjected := true
+	for _, fname := range certs {
+		if _, err := os.Stat(fname); err != nil {
+			certsInjected = false
+			break
+		}
+	}
+	if certsInjected {
+		server.CertDir = WebhookCertDir
+		server.CertName = WebhookCertName
+		server.KeyName = WebhookKeyName
+	} else {
+		setupLog.Info("OLM injected certs for webhooks not found")
+	}
+
+	// disable http/2 for mitigating relevant CVEs
+	if !enableHTTP2 {
+		server.TLSOpts = append(server.TLSOpts,
+			func(c *tls.Config) {
+				c.NextProtos = []string{"http/1.1"}
+			},
+		)
+		setupLog.Info("HTTP/2 for webhooks disabled")
+	} else {
+		setupLog.Info("HTTP/2 for webhooks enabled")
+	}
+
+}