diff --git a/bindata/assets/kube-apiserver/pod.yaml b/bindata/assets/kube-apiserver/pod.yaml
index e8f0f1d5c6..8d3f60fa6c 100644
--- a/bindata/assets/kube-apiserver/pod.yaml
+++ b/bindata/assets/kube-apiserver/pod.yaml
@@ -239,6 +239,8 @@ spec:
 args:
 - --kubeconfig
 - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig
+ - --config
+ - /etc/kubernetes/static-pod-certs/configmaps/kube-apiserver-operator-config/config.yaml
 - --listen
 - 0.0.0.0:17697
 - --namespace
diff --git a/manifests/0000_20_kube-apiserver-operator_03_configmap.yaml b/manifests/0000_20_kube-apiserver-operator_03_configmap.yaml
index a614c80ce7..902d34f38e 100644
--- a/manifests/0000_20_kube-apiserver-operator_03_configmap.yaml
+++ b/manifests/0000_20_kube-apiserver-operator_03_configmap.yaml
@@ -11,3 +11,12 @@ data:
 config.yaml: |
 apiVersion: operator.openshift.io/v1
 kind: GenericOperatorConfig
+ servingInfo:
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ minTLSVersion: VersionTLS12
diff --git a/pkg/operator/resourcesynccontroller/resourcesynccontroller.go b/pkg/operator/resourcesynccontroller/resourcesynccontroller.go
index 4da20c26bf..035e25650d 100644
--- a/pkg/operator/resourcesynccontroller/resourcesynccontroller.go
+++ b/pkg/operator/resourcesynccontroller/resourcesynccontroller.go
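Review bot: The new `--config` argument points at `/etc/kubernetes/static-pod-certs/configmaps/kube-apiserver-operator-config/config.yaml`, which only exists once the `kube-apiserver-operator-config` configmap has been synced into the target namespace and listed among the installer's unrevisioned configmaps; both happen in other files of this change, and nothing in the manifest records that dependency. A one-line YAML comment above the two added args would spare the next reader the hunt, e.g. `# config.yaml carries servingInfo (cipherSuites/minTLSVersion); the configmap is synced from the operator namespace and mounted via CertConfigMaps`. The container spec this belongs to starts and ends outside the hunk.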
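Review bot: The added `servingInfo` block hard-codes a fixed cipher list and `minTLSVersion: VersionTLS12` in the manifest, so the check-endpoints listener on 17697 appears to get a static TLS profile rather than one derived from the cluster's APIServer `tlsSecurityProfile` as the kube-apiserver's own serving config presumably is; if that divergence is intentional it should be stated, and if not it will drift from a Modern or Custom profile configured by the admin. Suggest a comment above `servingInfo:` such as `# Static TLS profile for the check-endpoints listener; not derived from the cluster tlsSecurityProfile — keep in step with the operator's observed defaults`. Worth confirming as well that a TLS 1.2 floor here is acceptable on clusters whose profile requires TLS 1.3 only.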
@@ -95,5 +95,13 @@ func NewResourceSyncController(
 return nil, err
 }
 
+ // this config contains the cipherSuites and minTLSVersion which is used by check-endpoints
+ if err := resourceSyncController.SyncConfigMap(
+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-apiserver-operator-config"},
+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "kube-apiserver-operator-config"},
+ ); err != nil {
+ return nil, err
+ }
+
 return resourceSyncController, nil
 }
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
index a0c1828f7e..ff5c395ee5 100644
--- a/pkg/operator/starter.go
+++ b/pkg/operator/starter.go
@@ -660,6 +660,9 @@ var CertConfigMaps = []installer.UnrevisionedResource{
 
 // kubeconfig for check-endpoints
 {Name: "check-endpoints-kubeconfig"},
+
+ // kube-apiserver-operator-config (TLS cipherSuites/minTLSVersion for check-endpoints).
+ {Name: "kube-apiserver-operator-config"},
 }
 
 var CertSecrets = []installer.UnrevisionedResource{
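Review bot: The comment `// this config contains the cipherSuites and minTLSVersion which is used by check-endpoints` on the first added line says what the configmap holds but not why it is being copied, and the reader has to find the pod manifest and CertConfigMaps to learn that the target-namespace copy is the one the static-pod installer mounts. Suggest `// Copy the operator config (servingInfo.cipherSuites/minTLSVersion) into the target namespace so the static-pod installer can mount it for check-endpoints.` in its place. Returning the bare `err` matches the surrounding calls in this constructor, so no wrapping change is asked for here. NewResourceSyncController starts outside the hunk.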
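Review bot: Adding `{Name: "kube-apiserver-operator-config"}` to CertConfigMaps makes the installer look for that configmap in the target namespace, yet it only appears there after the resource sync controller has run; on an upgrade the first new revision's installer could race that initial sync, and whether the installer treats a missing unrevisioned configmap as fatal or as skip-and-retry is not visible in this hunk, so it is worth confirming before merge. Minor style point: the new comment ends with a period while the sibling `// kubeconfig for check-endpoints` does not; `// kube-apiserver-operator-config: TLS cipherSuites/minTLSVersion for check-endpoints` would match the existing entries. The CertConfigMaps declaration begins outside the hunk.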