enable tlsMinVersion and tlsCipherSuites configuration in jobset configuration (#1127)

Author: kannon92

Makefile

@@ -58,6 +58,8 @@ JOBSET_CHART_DIR := charts/jobset
 E2E_TARGET ?= ./test/e2e/...
 E2E_KIND_VERSION ?= kindest/node:v1.34.0
 USE_EXISTING_CLUSTER ?= false
+# E2E config folder to use (e.g., "default", "certmanager", etc.)
+E2E_TARGET_FOLDER ?= default
 
 # For local testing, we should allow user to use different kind cluster name
 # Default will delete default kind cluster
@@ -408,7 +410,7 @@ test-integration: manifests fmt vet envtest ginkgo ## Run tests.
 
 .PHONY: test-e2e-kind
 test-e2e-kind: manifests kustomize fmt vet envtest ginkgo kind-image-build
-	E2E_KIND_VERSION=$(E2E_KIND_VERSION) KIND_CLUSTER_NAME=$(KIND_CLUSTER_NAME) USE_EXISTING_CLUSTER=$(USE_EXISTING_CLUSTER) ARTIFACTS=$(ARTIFACTS) IMAGE_TAG=$(IMAGE_TAG) ./hack/e2e-test.sh
+	E2E_KIND_VERSION=$(E2E_KIND_VERSION) KIND_CLUSTER_NAME=$(KIND_CLUSTER_NAME) USE_EXISTING_CLUSTER=$(USE_EXISTING_CLUSTER) ARTIFACTS=$(ARTIFACTS) IMAGE_TAG=$(IMAGE_TAG) E2E_TARGET_FOLDER=$(E2E_TARGET_FOLDER) ./hack/e2e-test.sh
 
 .PHONY: prometheus
 prometheus:

api/config/v1alpha1/configuration_types.go

@@ -58,6 +58,11 @@ type ControllerManager struct {
 	// Health contains the controller health configuration
 	// +optional
 	Health ControllerHealth `json:"health,omitempty"`
+
+	// TLS contains TLS security settings for all JobSet API servers
+	// (webhooks and metrics).
+	// +optional
+	TLS *TLSOptions `json:"tls,omitempty"`
 }
 
 // ControllerWebhook defines the webhook server for the controller.
@@ -135,3 +140,22 @@ type ClientConnection struct {
 	// Burst allows extra queries to accumulate when a client is exceeding its rate.
 	Burst *int32 `json:"burst,omitempty"`
 }
+
+// TLSOptions defines TLS security settings for JobSet servers
+type TLSOptions struct {
+	// minVersion is the minimum TLS version supported.
+	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
+	// Valid values are: "VersionTLS12", "VersionTLS13"
+	// If unset, the server defaults to TLS 1.2.
+	// +optional
+	MinVersion string `json:"minVersion,omitempty"`
+
+	// cipherSuites is the list of allowed cipher suites for the server.
+	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
+	// This setting only applies to TLS versions up to 1.2; TLS 1.3 cipher suites are
+	// hardcoded by Go and are not configurable. Any attempt to configure TLS 1.3
+	// cipher suites will be rejected by validation.
+	// The default is to leave this unset and inherit golang's default cipher suites.
+	// +optional
+	CipherSuites []string `json:"cipherSuites,omitempty"`
+}

api/config/v1alpha1/zz_generated.deepcopy.go

@@ -5,6 +5,8 @@ export KIND=$PWD/bin/kind
 # For testing against existing clusters, one needs to set this environment variable
 export NAMESPACE="jobset-system"
 export JOBSET_E2E_TESTS_DUMP_NAMESPACE=true
+# E2E config folder to use (defaults to "default")
+export E2E_TARGET_FOLDER="${E2E_TARGET_FOLDER:-default}"
 
 # Use a temporary KUBECONFIG so that the script does not mess with the current user's kubeconfig.
 KUBECONFIG=""
@@ -43,8 +45,8 @@ function kind_load {
 function jobset_deploy {
     echo "cd config/components/manager && $KUSTOMIZE edit set image controller=$IMAGE_TAG"
     (cd config/components/manager && $KUSTOMIZE edit set image controller=$IMAGE_TAG)
-    echo "kubectl apply --server-side -k test/e2e/config" 
-    kubectl apply --server-side -k test/e2e/config
+    echo "kubectl apply --server-side -k test/e2e/config/$E2E_TARGET_FOLDER"
+    kubectl apply --server-side -k test/e2e/config/$E2E_TARGET_FOLDER
 }
 trap cleanup EXIT
 startup

hack/e2e-test.sh

@@ -42,8 +42,10 @@ import (
 	jobset "sigs.k8s.io/jobset/api/jobset/v1alpha2"
 	"sigs.k8s.io/jobset/pkg/config"
 	"sigs.k8s.io/jobset/pkg/controllers"
+	"sigs.k8s.io/jobset/pkg/features"
 	"sigs.k8s.io/jobset/pkg/metrics"
 	"sigs.k8s.io/jobset/pkg/util/cert"
+	"sigs.k8s.io/jobset/pkg/util/tlsconfig"
 	"sigs.k8s.io/jobset/pkg/util/useragent"
 	"sigs.k8s.io/jobset/pkg/version"
 	"sigs.k8s.io/jobset/pkg/webhooks"
@@ -156,6 +158,20 @@ func main() {
 		setupLog.Info("disabling http/2")
 		c.NextProtos = []string{"http/1.1"}
 	}
+
+	// Parse TLS options from configuration if feature gate is enabled
+	tlsOpts := []func(*tls.Config){disableHTTP2}
+	if features.Enabled(features.TLSOptions) && cfg.TLS != nil {
+		parsedTLS, err := tlsconfig.ParseTLSOptions(cfg.TLS)
+		if err != nil {
+			setupLog.Error(err, "Unable to parse TLS options from configuration")
+			os.Exit(1)
+		}
+		if parsedTLS != nil {
+			tlsOpts = append(tlsOpts, tlsconfig.BuildTLSOptions(parsedTLS)...)
+		}
+	}
+
 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
 	// More info:
 	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
@@ -164,7 +180,7 @@ func main() {
 		BindAddress:    metricsAddr,
 		SecureServing:  true,
 		FilterProvider: filters.WithAuthenticationAndAuthorization,
-		TLSOpts:        []func(*tls.Config){disableHTTP2},
+		TLSOpts:        tlsOpts,
 		CertDir:        options.Metrics.CertDir,
 		CertName:       options.Metrics.CertName,
 		KeyName:        options.Metrics.KeyName,

main.go

@@ -14,6 +14,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	configapi "sigs.k8s.io/jobset/api/config/v1alpha1"
+	"sigs.k8s.io/jobset/pkg/features"
+	"sigs.k8s.io/jobset/pkg/util/tlsconfig"
 )
 
 func fromFile(path string, scheme *runtime.Scheme, cfg *configapi.Configuration) error {
@@ -71,6 +73,17 @@ func addTo(o *ctrl.Options, cfg *configapi.Configuration) {
 		if cfg.Webhook.CertDir != "" {
 			wo.CertDir = cfg.Webhook.CertDir
 		}
+
+		// Apply TLS configuration if feature gate is enabled
+		if features.Enabled(features.TLSOptions) && cfg.TLS != nil {
+			tlsOpts, err := tlsconfig.ParseTLSOptions(cfg.TLS)
+			if err != nil {
+				ctrl.Log.Error(err, "failed to parse TLS options, webhook server will start without custom TLS configuration")
+			} else if tlsOpts != nil {
+				wo.TLSOpts = append(wo.TLSOpts, tlsconfig.BuildTLSOptions(tlsOpts)...)
+			}
+		}
+
 		o.WebhookServer = webhook.NewServer(wo)
 	}
 }

pkg/config/config.go

@@ -17,6 +17,7 @@ limitations under the License.
 package config
 
 import (
+	"crypto/tls"
 	"errors"
 	"io/fs"
 	"net"
@@ -37,6 +38,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	configapi "sigs.k8s.io/jobset/api/config/v1alpha1"
+	"sigs.k8s.io/jobset/pkg/features"
 )
 
 func TestLoad(t *testing.T) {
@@ -596,3 +598,144 @@ func TestEncode(t *testing.T) {
 		})
 	}
 }
+
+func TestTLSConfiguration(t *testing.T) {
+	testScheme := runtime.NewScheme()
+	err := configapi.AddToScheme(testScheme)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tmpDir := t.TempDir()
+
+	// Config with TLS settings
+	tlsConfig := filepath.Join(tmpDir, "tls-config.yaml")
+	if err := os.WriteFile(tlsConfig, []byte(`
+apiVersion: config.jobset.x-k8s.io/v1alpha1
+kind: Configuration
+health:
+  healthProbeBindAddress: :8081
+metrics:
+  bindAddress: :8443
+leaderElection:
+  leaderElect: true
+  resourceName: 6d4f6a47.jobset.x-k8s.io
+webhook:
+  port: 9443
+tls:
+  minVersion: VersionTLS12
+  cipherSuites:
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+`), os.FileMode(0600)); err != nil {
+		t.Fatal(err)
+	}
+
+	// Config with TLS 1.3 (no cipher suites)
+	tls13Config := filepath.Join(tmpDir, "tls13-config.yaml")
+	if err := os.WriteFile(tls13Config, []byte(`
+apiVersion: config.jobset.x-k8s.io/v1alpha1
+kind: Configuration
+health:
+  healthProbeBindAddress: :8081
+metrics:
+  bindAddress: :8443
+leaderElection:
+  leaderElect: true
+  resourceName: 6d4f6a47.jobset.x-k8s.io
+webhook:
+  port: 9443
+tls:
+  minVersion: VersionTLS13
+`), os.FileMode(0600)); err != nil {
+		t.Fatal(err)
+	}
+
+	testcases := []struct {
+		name               string
+		configFile         string
+		featureGateEnabled bool
+		wantTLSOptsApplied bool
+		wantMinVersion     uint16
+		wantCipherSuiteSet bool
+	}{
+		{
+			name:               "TLS config with feature gate enabled",
+			configFile:         tlsConfig,
+			featureGateEnabled: true,
+			wantTLSOptsApplied: true,
+			wantMinVersion:     tls.VersionTLS12,
+			wantCipherSuiteSet: true,
+		},
+		{
+			name:               "TLS config with feature gate disabled",
+			configFile:         tlsConfig,
+			featureGateEnabled: false,
+			wantTLSOptsApplied: false,
+		},
+		{
+			name:               "TLS 1.3 config with feature gate enabled",
+			configFile:         tls13Config,
+			featureGateEnabled: true,
+			wantTLSOptsApplied: true,
+			wantMinVersion:     tls.VersionTLS13,
+			wantCipherSuiteSet: false,
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			features.SetFeatureGateDuringTest(t, features.TLSOptions, tc.featureGateEnabled)
+
+			options, cfg, err := Load(testScheme, tc.configFile)
+			if err != nil {
+				t.Fatalf("Unexpected error: %s", err)
+			}
+
+			// Verify TLS config is in the parsed configuration
+			if cfg.TLS == nil {
+				t.Errorf("Expected TLS configuration to be present in config")
+				return
+			}
+
+			// Check webhook server TLS options
+			webhookServer := options.WebhookServer
+			if webhookServer == nil {
+				t.Errorf("Expected webhook server to be set")
+				return
+			}
+
+			defaultServer, ok := webhookServer.(*webhook.DefaultServer)
+			if !ok {
+				t.Errorf("Expected webhook server to be DefaultServer type")
+				return
+			}
+
+			// Verify TLSOpts is set correctly based on feature gate
+			if tc.wantTLSOptsApplied {
+				if len(defaultServer.Options.TLSOpts) == 0 {
+					t.Errorf("Expected TLSOpts to be set when feature gate is enabled")
+				} else {
+					// Verify the TLS options are correctly applied by invoking them
+					tlsConfig := &tls.Config{}
+					for _, opt := range defaultServer.Options.TLSOpts {
+						opt(tlsConfig)
+					}
+					if tlsConfig.MinVersion != tc.wantMinVersion {
+						t.Errorf("MinVersion = %v, want %v", tlsConfig.MinVersion, tc.wantMinVersion)
+					}
+					if tc.wantCipherSuiteSet && len(tlsConfig.CipherSuites) == 0 {
+						t.Errorf("Expected cipher suites to be set")
+					}
+					if !tc.wantCipherSuiteSet && len(tlsConfig.CipherSuites) != 0 {
+						t.Errorf("Expected cipher suites to not be set for TLS 1.3")
+					}
+				}
+			} else {
+				if len(defaultServer.Options.TLSOpts) != 0 {
+					t.Errorf("Expected TLSOpts to be empty when feature gate is disabled, got %d options", len(defaultServer.Options.TLSOpts))
+				}
+			}
+		})
+	}
+}

pkg/config/config_test.go

@@ -8,15 +8,18 @@ import (
 	"k8s.io/utils/ptr"
 
 	configapi "sigs.k8s.io/jobset/api/config/v1alpha1"
+	"sigs.k8s.io/jobset/pkg/util/tlsconfig"
 )
 
 var (
 	internalCertManagementPath = field.NewPath("internalCertManagement")
+	tlsPath                    = field.NewPath("tls")
 )
 
 func validate(c *configapi.Configuration) field.ErrorList {
 	var allErrs field.ErrorList
 	allErrs = append(allErrs, validateInternalCertManagement(c)...)
+	allErrs = append(allErrs, validateTLS(c)...)
 	return allErrs
 }
 
@@ -37,3 +40,27 @@ func validateInternalCertManagement(c *configapi.Configuration) field.ErrorList
 	}
 	return allErrs
 }
+
+func validateTLS(c *configapi.Configuration) field.ErrorList {
+	var allErrs field.ErrorList
+	if c.TLS == nil {
+		return allErrs
+	}
+
+	// Validate using ParseTLSOptions first - this provides clearer error messages
+	// for invalid input (including TLS 1.0/1.1 rejection and invalid cipher suites)
+	_, err := tlsconfig.ParseTLSOptions(c.TLS)
+	if err != nil {
+		allErrs = append(allErrs, field.Invalid(tlsPath.Root(), c.TLS, err.Error()))
+		return allErrs
+	}
+
+	// TLS 1.3 cipher suites are not configurable in Go's crypto/tls package.
+	// When TLS 1.3 is set as the minimum version, cipher suites must not be specified.
+	if c.TLS.MinVersion == "VersionTLS13" && len(c.TLS.CipherSuites) > 0 {
+		allErrs = append(allErrs, field.Invalid(tlsPath.Child("cipherSuites"),
+			c.TLS.CipherSuites, "may not be specified when `minVersion` is 'VersionTLS13'"))
+	}
+
+	return allErrs
+}