supervisor discovery test shouldn't require tls 1.3 in fips mode

Signed-off-by: Margo Crawford <margaretc@vmware.com>

internal/crypto/ptls/fips_strict.go

@@ -15,7 +15,8 @@ import (
 )
 
 // Always use TLS 1.2 for FIPs
-const secureMinTLSVersion = "VersionTLS12"
+const secureServingOptionsMinTLSVersion = "VersionTLS12"
+const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
 
 func init() {
 	go func() {
@@ -41,7 +42,7 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
 		// The Kubernetes API Server must use TLS 1.2, at a minimum,
 		// to protect the confidentiality of sensitive data during electronic dissemination.
 		// https://stigviewer.com/stig/kubernetes/2021-06-17/finding/V-242378
-		MinVersion: tls.VersionTLS12,
+		MinVersion: SecureTLSConfigMinTLSVersion,
 
 		// enable HTTP2 for go's 1.7 HTTP Server
 		// setting this explicitly is only required in very specific circumstances

internal/crypto/ptls/ptls.go

@@ -21,7 +21,10 @@ import (
 
 // TODO decide if we need to expose the four TLS levels (secure, default, default-ldap, legacy) as config.
 
-const defaultMinTLSVersion = "VersionTLS12"
+// defaultServingOptionsMinTLSVersion is the minimum tls version in the format
+// expected by SecureServingOptions.MinTLSVersion from
+// k8s.io/apiserver/pkg/server/options
+const defaultServingOptionsMinTLSVersion = "VersionTLS12"
 
 type ConfigFunc func(*x509.CertPool) *tls.Config
 
@@ -90,11 +93,11 @@ func defaultServing(opts *options.SecureServingOptionsWithLoopback) {
 	}
 	opts.CipherSuites = cipherSuites
 
-	opts.MinTLSVersion = defaultMinTLSVersion
+	opts.MinTLSVersion = defaultServingOptionsMinTLSVersion
 }
 
 func secureServing(opts *options.SecureServingOptionsWithLoopback) {
-	opts.MinTLSVersion = secureMinTLSVersion
+	opts.MinTLSVersion = secureServingOptionsMinTLSVersion
 	opts.CipherSuites = nil
 }
 

internal/crypto/ptls/secure.go

@@ -11,7 +11,14 @@ import (
 	"crypto/x509"
 )
 
-const secureMinTLSVersion = "VersionTLS13"
+// secureServingOptionsMinTLSVersion is the minimum tls version in the format
+// expected by SecureServingOptions.MinTLSVersion from
+// k8s.io/apiserver/pkg/server/options
+const secureServingOptionsMinTLSVersion = "VersionTLS13"
+
+// SecureTLSConfigMinTLSVersion is the minimum tls version in the format expected
+// by tls.Config
+const SecureTLSConfigMinTLSVersion = tls.VersionTLS13
 
 func Secure(rootCAs *x509.CertPool) *tls.Config {
 	// as of 2021-10-19, Mozilla Guideline v5.6, Go 1.17.2, modern configuration, supports:
@@ -25,7 +32,7 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
 	// - Safari 12.1
 	// https://ssl-config.mozilla.org/#server=go&version=1.17.2&config=modern&guideline=5.6
 	c := Default(rootCAs)
-	c.MinVersion = tls.VersionTLS13 // max out the security
+	c.MinVersion = SecureTLSConfigMinTLSVersion // max out the security
 	c.CipherSuites = []uint16{
 		// TLS 1.3 ciphers are not configurable, but we need to explicitly set them here to make our client hello behave correctly
 		// See https://github.com/golang/go/pull/49293

test/integration/supervisor_discovery_test.go

@@ -18,6 +18,8 @@ import (
 	"testing"
 	"time"
 
+	"go.pinniped.dev/internal/crypto/ptls"
+
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -660,7 +662,7 @@ func newHTTPClient(t *testing.T, caBundle string, dnsOverrides map[string]string
 		caCertPool.AppendCertsFromPEM([]byte(caBundle))
 		c.Transport = &http.Transport{
 			DialContext:     overrideDialContext,
-			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: caCertPool},
+			TLSClientConfig: &tls.Config{MinVersion: ptls.SecureTLSConfigMinTLSVersion, RootCAs: caCertPool},
 		}
 	} else {
 		c.Transport = &http.Transport{