diff --git a/pkg/operator/controller/ingress/deployment.go b/pkg/operator/controller/ingress/deployment.go
index 0840d63d89..15f430d9ad 100644
--- a/pkg/operator/controller/ingress/deployment.go
+++ b/pkg/operator/controller/ingress/deployment.go
@@ -968,6 +968,13 @@ func desiredRouterDeployment(ci *operatorv1.IngressController, config *Config, i
 })
 }
 
+ if len(tlsProfileSpec.Curves) != 0 {
+ env = append(env, corev1.EnvVar{
+ Name: "ROUTER_CURVES",
+ Value: strings.Join(tlsProfileSpec.Curves, ":"),
+ })
+ }
+
 var minTLSVersion string
 switch tlsProfileSpec.MinTLSVersion {
 // TLS 1.0 is not supported, convert to TLS 1.1.
diff --git a/pkg/operator/controller/ingress/deployment_test.go b/pkg/operator/controller/ingress/deployment_test.go
index 6d8bbffd5b..39a7f232e9 100644
--- a/pkg/operator/controller/ingress/deployment_test.go
+++ b/pkg/operator/controller/ingress/deployment_test.go
@@ -663,6 +663,11 @@ func TestDesiredRouterDeploymentSpecAndNetwork(t *testing.T) {
 "TLS_AES_256_GCM_SHA384",
 "TLS_CHACHA20_POLY1305_SHA256",
 },
+ Curves: []string{
+ "ecdh_x25519",
+ "secp256r1",
+ "secp384r1",
+ },
 MinTLSVersion: configv1.VersionTLS12,
 },
 },
@@ -754,6 +759,7 @@ func TestDesiredRouterDeploymentSpecAndNetwork(t *testing.T) {
 {RouterHTTPIgnoreProbes, true, "true"},
 {"ROUTER_CIPHERS", true, "quux"},
 {"ROUTER_CIPHERSUITES", true, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"},
+ {"ROUTER_CURVES", true, "ecdh_x25519:secp256r1:secp384r1"},
 {"SSL_MIN_VERSION", true, "TLSv1.2"},
 {"ROUTER_IP_V4_V6_MODE", true, "v4v6"},
 {RouterEnableCompression, true, "true"},
diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
index b18ef647c2..2800f6117c 100644
--- a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
+++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go
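Review bot: The new `ROUTER_CURVES` block hands `tlsProfileSpec.Curves` to the router verbatim with no filtering of entries the router cannot use, even though the vendored `TLSProfileSpec.Curves` doc added in this same diff says operators may remove entries their operands do not support, so a single unrecognised curve name would presumably reach the router's TLS configuration unchanged. The expected naming form is also left implicit: the test fixture uses `ecdh_x25519`/`secp256r1` while the API doc's example uses `X25519`/`P-256`, so either a validation/mapping step or a comment such as `// Curve names are passed to the router as given; the API form and the router's expected form must match.` would help the next maintainer. Separately, the vendored type's tag reads `json:"curves.omitempty"` (a `.` where `,` is expected), which would make the JSON key `curves.omitempty` and disable omitempty; if that is what the upstream API ships, a user-supplied `curves` list would not populate this field at all, so the vendored copy should be refreshed once upstream corrects the tag. desiredRouterDeployment begins and ends outside the hunk.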
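Review bot: The new expectation `{"ROUTER_CURVES", true, "ecdh_x25519:secp256r1:secp384r1"}` covers only the populated case, so the `len(tlsProfileSpec.Curves) != 0` guard in deployment.go is left untested; a profile that sets no Curves should assert the variable is absent. If the second column is the presence flag it appears to be, adding `{"ROUTER_CURVES", false, ""}` to the expectations of a case whose TLS profile has no Curves would pin that. The expected string also encodes the fixture's exact order and spelling, so the fixture in the earlier hunk and this line must change together if the operator ever normalises or filters names. TestDesiredRouterDeploymentSpecAndNetwork begins and ends outside the hunk.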
@@ -213,6 +213,14 @@ type TLSProfileSpec struct {
 //
 // +listType=atomic
 Ciphers []string `json:"ciphers"`
+ // curves is used to specify the elliptic curves that are used during
+ // the TLS handshake. Operators may remove entries their operands do
+ // not support. For example, to use X25519 and P-256 (yaml):
+ //
+ // curves:
+ // - X25519
+ // - P-256
+ Curves []string `json:"curves.omitempty"`
 // minTLSVersion is used to specify the minimal version of the TLS protocol
 // that is negotiated during the TLS handshake. For example, to use TLS
 // versions 1.1, 1.2 and 1.3 (yaml):