From 359eccdc281dbd08e946f76aca05cb992da94685 Mon Sep 17 00:00:00 2001
From: Kyle Sullivan <47400288+FestiveKyle@users.noreply.github.com>
Date: Thu, 14 Jul 2022 16:03:20 -0300
Subject: [PATCH] Disable tls1.3 by default for compliance (#3828)

---
 k8s/infrastructure/bases/istio/ingress-gateway.yaml | 1 +
 .../overlays/production/ingress-gateway-tls-patch.yaml | 1 +
 .../overlays/staging/ingress-gateway-tls-patch.yaml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/k8s/infrastructure/bases/istio/ingress-gateway.yaml b/k8s/infrastructure/bases/istio/ingress-gateway.yaml
index 8bf8a3f052..1d062cc198 100644
--- a/k8s/infrastructure/bases/istio/ingress-gateway.yaml
+++ b/k8s/infrastructure/bases/istio/ingress-gateway.yaml
@@ -29,6 +29,7 @@ spec:
 privateKey: sds
 serverCertificate: sds
 minProtocolVersion: TLSV1_2 # ITPIN 6.1.3 implements TLS 1.2, or subsequent versions
+ maxProtocolVersion: TLSV1_2
 cipherSuites: # ITPIN 6.1.3 uses supported cryptographic algorithms
 - ECDHE-ECDSA-AES256-GCM-SHA384
 - ECDHE-RSA-AES256-GCM-SHA384
diff --git a/k8s/infrastructure/overlays/production/ingress-gateway-tls-patch.yaml b/k8s/infrastructure/overlays/production/ingress-gateway-tls-patch.yaml
index 9453055785..62a5b95308 100644
--- a/k8s/infrastructure/overlays/production/ingress-gateway-tls-patch.yaml
+++ b/k8s/infrastructure/overlays/production/ingress-gateway-tls-patch.yaml
@@ -29,6 +29,7 @@ spec:
 privateKey: sds
 serverCertificate: sds
 minProtocolVersion: TLSV1_2
+ maxProtocolVersion: TLSV1_2
 cipherSuites:
 - TLS_AES_128_GCM_SHA256
 - TLS_AES_256_GCM_SHA384
diff --git a/k8s/infrastructure/overlays/staging/ingress-gateway-tls-patch.yaml b/k8s/infrastructure/overlays/staging/ingress-gateway-tls-patch.yaml
index 9453055785..62a5b95308 100644
--- a/k8s/infrastructure/overlays/staging/ingress-gateway-tls-patch.yaml
+++ b/k8s/infrastructure/overlays/staging/ingress-gateway-tls-patch.yaml
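Review bot: The added `maxProtocolVersion: TLSV1_2` in the base gateway sits directly under a comment citing ITPIN 6.1.3 as "TLS 1.2, or subsequent versions", so the new cap contradicts the control it is annotated with, and nothing in the hunk records which compliance requirement actually forces TLS 1.3 off. Pinning the maximum to 1.2 is a posture regression (it gives up TLS 1.3's mandatory forward secrecy and its removal of renegotiation and RSA key transport), so the line should carry its justification and an exit condition inline, e.g. `maxProtocolVersion: TLSV1_2 # TLS 1.3 disabled for compliance (#3828); presumably a scanner/policy gap — TODO confirm and lift once 1.3 is accepted, ITPIN 6.1.3 permits 1.2 or later`. Because min and max are now equal, verify after deploy that a client offering only TLS 1.3 is refused and that a TLS 1.2 client still negotiates one of the two listed ECDHE suites.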
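Review bot: With the protocol now pinned to exactly TLS 1.2 in the production overlay, the `cipherSuites` list it keeps, `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384`, consists only of TLS 1.3 suite names (RFC 8446 naming), not TLS 1.2 cipher names like the `ECDHE-*` entries in the base file, so the overlay no longer names a single suite that a TLS 1.2 handshake can select. Assuming this strategic-merge patch replaces the base list rather than appending to it, I can't tell from here whether Istio/Envoy rejects the listener config or silently falls back to a default TLS 1.2 cipher set; either outcome defeats the overlay's intent. Replace the entries with TLS 1.2 suites, for instance the two the base already declares, `- ECDHE-ECDSA-AES256-GCM-SHA384` and `- ECDHE-RSA-AES256-GCM-SHA384`, and confirm with `openssl s_client -tls1_2` against the gateway that one of them is negotiated.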
@@ -29,6 +29,7 @@ spec:
 privateKey: sds
 serverCertificate: sds
 minProtocolVersion: TLSV1_2
+ maxProtocolVersion: TLSV1_2
 cipherSuites:
 - TLS_AES_128_GCM_SHA256
 - TLS_AES_256_GCM_SHA384
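Review bot: The staging overlay has the same mismatch as production: `maxProtocolVersion: TLSV1_2` pins the gateway to TLS 1.2 only, while the `cipherSuites` it retains, `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384`, are TLS 1.3 suite names and cannot be offered in a TLS 1.2 handshake. Whether Istio/Envoy then rejects the config or quietly uses a default 1.2 cipher list is not visible from this hunk, but in both cases the restriction the overlay was meant to impose is gone. Swap in TLS 1.2 suites such as `- ECDHE-ECDSA-AES256-GCM-SHA384` and `- ECDHE-RSA-AES256-GCM-SHA384` (the ones the base file lists), keep staging and production identical so staging actually exercises the production configuration, and check the negotiated suite with `openssl s_client -tls1_2` after rollout.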