tls: Allow using insecure ciphers

Blocking insecure cipher usage may break upgrade path on clusters
that still use old TLS settings (e.g.: Openshift cluster using
TLSSecurityProfile type Old).

Drop insecure ciphers validation.

Signed-off-by: Or Mergi <ormergi@redhat.com>

Author: ormergi

pkg/config/tls.go

@@ -68,9 +68,6 @@ func ParseTLSOptions(
 	}
 
 	cipherSuiteNames := parseStringSlice(tlsCipherSuitesRaw)
-	if err := validateSafeCipherSuite(cipherSuiteNames); err != nil {
-		return nil, err
-	}
 	if err := validateTLSVersionConfigurableCiphers(tlsMinVersion, cipherSuiteNames); err != nil {
 		return nil, err
 	}
@@ -110,15 +107,6 @@ func toTLSVersion(tlsVersionName string) (uint16, error) {
 	return tlsVersion, nil
 }
 
-func validateSafeCipherSuite(cipherSuiteNames []string) error {
-	for _, cipherSuiteName := range cipherSuiteNames {
-		if _, exist := indexedInsecureCipherSuiteNames[cipherSuiteName]; exist {
-			return fmt.Errorf("using insecure cipher suite %q is not allowed", cipherSuiteName)
-		}
-	}
-	return nil
-}
-
 func validateTLSVersionConfigurableCiphers(versionID uint16, cipherSuiteNames []string) error {
 	if versionID == tls.VersionTLS13 && len(cipherSuiteNames) > 0 {
 		return fmt.Errorf("configuring cipher suites for TLS 1.3 is not allowed")

pkg/config/tls_test.go

@@ -71,13 +71,6 @@ var _ = Describe("ParseTLSOptions", func() {
 				ciphers:    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384",
 			},
 		),
-		Entry("insecure cipher suite is specified",
-			flags{
-				minVersion: "VersionTLS12",
-				// TLS_RSA_WITH_AES_128_CBC_SHA256 is insecure cipher suite for TLS 1.2
-				ciphers: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256",
-			},
-		),
 	)
 
 	DescribeTable("should succeed, given",