Merge pull request #4244 from pacevedom/USHIFT-4932

USHIFT-4932: TLS config options for api server

cmd/generate-config/config/config-openapi-spec.json

@@ -18,7 +18,8 @@
       "required": [
         "auditLog",
         "namedCertificates",
-        "subjectAltNames"
+        "subjectAltNames",
+        "tls"
       ],
       "properties": {
         "advertiseAddress": {
@@ -89,6 +90,31 @@
           "items": {
             "type": "string"
           }
+        },
+        "tls": {
+          "type": "object",
+          "required": [
+            "cipherSuites",
+            "minVersion"
+          ],
+          "properties": {
+            "cipherSuites": {
+              "description": "CipherSuites lists the allowed cipher suites that the API server will\naccept and serve. Defaults to cipher suites from the minVersion config\nparameter.",
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            },
+            "minVersion": {
+              "description": "MinVersion specifies which TLS version is the minimum version of TLS\nto serve from the API server. Allowed values: VersionTLS12, VersionTLS13.\nDefaults to VersionTLS12.",
+              "type": "string",
+              "default": "VersionTLS12",
+              "enum": [
+                "VersionTLS12",
+                "VersionTLS13"
+              ]
+            }
+          }
         }
       }
     },

docs/user/howto_config.md

@@ -21,6 +21,10 @@ apiServer:
             - ""
     subjectAltNames:
         - ""
+    tls:
+        cipherSuites:
+            - ""
+        minVersion: ""
 debugging:
     logLevel: ""
 dns:
@@ -102,6 +106,10 @@ apiServer:
             - ""
     subjectAltNames:
         - ""
+    tls:
+        cipherSuites:
+            - ""
+        minVersion: VersionTLS12
 debugging:
     logLevel: Normal
 dns:

etcd/cmd/microshift-etcd/run.go

@@ -12,6 +12,7 @@ import (
 	"syscall"
 	"time"
 
+	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/microshift/pkg/config"
 	"github.com/openshift/microshift/pkg/util/cryptomaterial"
 
@@ -38,15 +39,6 @@ func NewRunEtcdCommand() *cobra.Command {
 	return cmd
 }
 
-var tlsCipherSuites = []string{
-	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
-	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-}
-
 type EtcdService struct {
 	etcdCfg                 *etcd.Config
 	minDefragBytes          int64
@@ -92,7 +84,10 @@ func (s *EtcdService) configure(cfg *config.Config) {
 	s.etcdCfg.Name = cfg.Node.HostnameOverride
 	s.etcdCfg.InitialCluster = fmt.Sprintf("%s=https://%s:2380", cfg.Node.HostnameOverride, "localhost")
 
-	s.etcdCfg.CipherSuites = tlsCipherSuites
+	s.etcdCfg.TlsMinVersion = getTLSMinVersion(cfg.ApiServer.TLS.MinVersion)
+	if cfg.ApiServer.TLS.MinVersion != string(configv1.VersionTLS13) {
+		s.etcdCfg.CipherSuites = cfg.ApiServer.TLS.CipherSuites
+	}
 	s.etcdCfg.ClientTLSInfo.CertFile = cryptomaterial.PeerCertPath(etcdServingCertDir)
 	s.etcdCfg.ClientTLSInfo.KeyFile = cryptomaterial.PeerKeyPath(etcdServingCertDir)
 	s.etcdCfg.ClientTLSInfo.TrustedCAFile = etcdSignerCertPath
@@ -188,6 +183,16 @@ func setURL(hostnames []string, port string) []url.URL {
 	return urls
 }
 
+func getTLSMinVersion(minVersion string) string {
+	switch minVersion {
+	case string(configv1.VersionTLS12):
+		return "TLS1.2"
+	case string(configv1.VersionTLS13):
+		return "TLS1.3"
+	}
+	return ""
+}
+
 // The following 'fragemented' logic is copied from the Openshift Cluster Etcd Operator.
 //
 //	https://github.com/openshift/cluster-etcd-operator/blob/0584b0d1c8868535baf889d8c199f605aef4a3ae/pkg/operator/defragcontroller/defragcontroller.go#L282

etcd/go.mod

@@ -18,7 +18,7 @@ require (
 	k8s.io/cli-runtime v0.0.0
 	k8s.io/component-base v0.31.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kubectl v0.0.0
+	k8s.io/kubectl v0.31.3
 	sigs.k8s.io/yaml v1.4.0
 )