2 changes: 2 additions & 0 deletions bindata/assets/kube-apiserver/pod.yaml
@@ -239,6 +239,8 @@ spec:
args:
- --kubeconfig
- /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig
- --config
- /etc/kubernetes/static-pod-certs/configmaps/kube-apiserver-operator-config/config.yaml
Comment on lines +242 to +243
💡 Verification agent

🧩 Analysis chain

Pass --config to check-endpoints matches the synced mount path.

The path aligns with CertConfigMaps sync to /etc/kubernetes/static-pod-certs/configmaps/kube-apiserver-operator-config/config.yaml. Please ensure the flag is mandatory-tolerant (does not crash if the file is temporarily absent during cert-sync) and logs the applied TLS params.


🏁 Script executed:

#!/bin/bash
# Verify no other places start check-endpoints without --config
rg -nP 'check-endpoints\b' -g '!vendor' -C2 | rg -v -- '--config'

Length of output: 16368


Handle missing --config file gracefully and log TLS parameters (cipherSuites/minTLSVersion): The only check-endpoints invocation is in bindata/assets/kube-apiserver/pod.yaml with --config. In pkg/cmd/checkendpoints, wrap loading of the --config path so a temporarily absent file does not crash the binary and emit the effective cipherSuites and minTLSVersion on startup.

🤖 Prompt for AI Agents
In bindata/assets/kube-apiserver/pod.yaml around lines 242-243 and in
pkg/cmd/checkendpoints, the current invocation passes a --config path that may
be temporarily missing which will crash the binary; update the checkendpoints
command to attempt to read and parse the provided --config file inside a guarded
block that treats a missing file as non-fatal (log a warning and continue with
defaults) and only returns a fatal error for unrecoverable parse errors, and
after configuration is loaded (or defaults chosen) emit an info log stating the
effective TLS parameters including cipherSuites and minTLSVersion so operators
can see what TLS settings are in use at startup.

- --listen
- 0.0.0.0:17697
- --namespace
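Review bot: the new --config argument points at a file under /etc/kubernetes/static-pod-certs/, which the cert-syncer writes from the CertConfigMaps list rather than something shipped with the pod revision, so what check-endpoints does when that file is not there yet decides whether a rollout crash-loops or silently serves port 17697 with default TLS settings; nothing in this hunk says which. Put a comment next to the two new lines stating the chosen behaviour, and have the binary log the effective cipherSuites and minTLSVersion at startup so the fallback is observable. If fail-closed is intended, a present-but-malformed file should be fatal while a transiently absent one is retried, not treated as "use defaults".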
9 changes: 9 additions & 0 deletions manifests/0000_20_kube-apiserver-operator_03_configmap.yaml
@@ -11,3 +11,12 @@ data:
config.yaml: |
apiVersion: operator.openshift.io/v1
kind: GenericOperatorConfig
servingInfo:
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
minTLSVersion: VersionTLS12
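Review bot: the cipherSuites list and minTLSVersion are pinned as literals in this manifest with no comment on where they come from, so an administrator who tightens or relaxes TLS settings elsewhere in the cluster will not change what check-endpoints accepts on port 17697. Add a comment above servingInfo saying either that the list is intentionally fixed or which cluster-level setting it is meant to track (and then derive it from that setting instead of hard-coding it). The content itself is sound: only ECDHE key exchange with AEAD ciphers (AES-GCM and ChaCha20-Poly1305), no CBC or static-RSA suites, TLS 1.2 as the floor; note that a Go server cannot configure TLS 1.3 suites, so this list only governs TLS 1.2 handshakes.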
8 changes: 8 additions & 0 deletions pkg/operator/resourcesynccontroller/resourcesynccontroller.go
@@ -95,5 +95,13 @@ func NewResourceSyncController(
return nil, err
}

// this config contains the cipherSuites and minTLSVersion which is used by check-endpoints
if err := resourceSyncController.SyncConfigMap(
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-apiserver-operator-config"},
resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "kube-apiserver-operator-config"},
); err != nil {
return nil, err
}

return resourceSyncController, nil
}
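Review bot: what gets synced here is the operator's whole kube-apiserver-operator-config ConfigMap (the GenericOperatorConfig document from the manifest), not just the servingInfo stanza, so any field added to the operator's own config later will also be projected onto every control-plane node under /etc/kubernetes/static-pod-certs/configmaps/ and will trigger a cert-sync. If check-endpoints only needs cipherSuites and minTLSVersion, consider syncing a dedicated ConfigMap that carries only servingInfo, which keeps the static pod's inputs minimal. The direction is right given that library-go's SyncConfigMap takes destination first and source second: operator namespace to target namespace, where the cert-syncer reads CertConfigMaps. Minor: the comment says "which is used by check-endpoints" about two values; "which are used" reads correctly.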
3 changes: 3 additions & 0 deletions pkg/operator/starter.go
@@ -660,6 +660,9 @@ var CertConfigMaps = []installer.UnrevisionedResource{

// kubeconfig for check-endpoints
{Name: "check-endpoints-kubeconfig"},

// kube-apiserver-operator-config (TLS cipherSuites/minTLSVersion for check-endpoints).
{Name: "kube-apiserver-operator-config"},
Comment on lines +664 to +665

💡 Verification agent

🧩 Analysis chain

Verify resource-sync direction and asset presence to avoid rollout races.

The pod now relies on /etc/kubernetes/static-pod-certs/configmaps/kube-apiserver-operator-config/config.yaml. Ensure:

  • The ConfigMap is created by manifests before the pod revision that adds --config.
  • ResourceSyncController copies it into the namespace that cert-syncer watches for CertConfigMaps (TargetNamespace).

Run to confirm sources/targets and the pod arg:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Where is the CM created?
rg -nC2 'kube-apiserver-operator-config' manifests || true
rg -nC2 'kube-apiserver-operator-config' bindata || true

# 2) Verify ResourceSyncController maps it to the correct namespace (expect: operator -> target or vice versa, as intended).
rg -nC5 'SyncConfigMap\(.+kube-apiserver-operator-config' pkg || true

# 3) Confirm the pod.yaml uses the expected path/filename.
rg -nC3 '/etc/kubernetes/static-pod-certs/configmaps/kube-apiserver-operator-config/config\.yaml' bindata/assets/kube-apiserver/pod.yaml

Length of output: 2034


Configure ResourceSyncController to sync kube-apiserver-operator-config ConfigMap. The static pod now mounts /etc/kubernetes/static-pod-certs/configmaps/kube-apiserver-operator-config/config.yaml, but no SyncConfigMap call exists to copy that CM into the cert-syncer’s target namespace.

🤖 Prompt for AI Agents
In pkg/operator/starter.go around lines 664-665, the ResourceSyncController list
includes "kube-apiserver-operator-config" but no SyncConfigMap call is added;
add a SyncConfigMap registration to copy the kube-apiserver-operator-config
ConfigMap from its source namespace into the cert-syncer’s target namespace so
the static pod path
/etc/kubernetes/static-pod-certs/configmaps/kube-apiserver-operator-config/config.yaml
is populated. Ensure you call the controller's SyncConfigMap method with the
correct source namespace/name and the cert-syncer destination namespace, wire it
into the existing resourceSyncController setup, and handle returned errors
consistently with other SyncConfigMap registrations.

}

var CertSecrets = []installer.UnrevisionedResource{
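Review bot: the inline comment on lines 664-665 says no SyncConfigMap registration exists for this ConfigMap, but the hunk in pkg/operator/resourcesynccontroller/resourcesynccontroller.go in this same change adds exactly that call (OperatorNamespace to TargetNamespace), so that concern is covered by the diff as a whole. What is still open is ordering: an UnrevisionedResource is not carried in an installer revision, so nothing guarantees the ConfigMap has been copied to the target namespace and written to disk before a kube-apiserver static pod that already carries --config starts. Either make check-endpoints tolerate a briefly absent config.yaml (and say so in a comment next to this entry), or document that the first rollout after this change may restart the check-endpoints container until the file appears.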
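Added example, not code from this pull request or from the operator: one way check-endpoints could consume the servingInfo stanza from the manifest above in the manner the comment on pod.yaml asks for. A --config file that is not there yet falls back to defaults instead of crashing, a present but malformed file or an unknown, insecure or TLS 1.3-only cipher suite name is fatal, and the effective settings are rendered for a startup log line. The type and function names are hypothetical, the ConfigMap content is transcribed from the manifest to JSON so the example runs with the standard library only, and names are resolved directly against crypto/tls rather than through the helpers the operator itself uses.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
	"os"
)

// ServingInfo is a hypothetical type for this example: only the two servingInfo fields check-endpoints needs.
type ServingInfo struct {
	CipherSuites  []string `json:"cipherSuites"`
	MinTLSVersion string   `json:"minTLSVersion"`
}

// The ConfigMap data from this change's manifest, transcribed to JSON (as sigs.k8s.io/yaml does before decoding) so only the standard library is needed.
const sampleConfigJSON = `{"apiVersion":"operator.openshift.io/v1","kind":"GenericOperatorConfig",
 "servingInfo":{"minTLSVersion":"VersionTLS12","cipherSuites":[
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]}}`

var tlsVersions = map[string]uint16{"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}

// LoadServingInfo reads the --config file. A file that is not there yet (cert-sync still in
// progress) gives found=false and no error so the caller can use defaults; anything else is an error.
func LoadServingInfo(path string) (info *ServingInfo, found bool, err error) {
	raw, err := os.ReadFile(path)
	if os.IsNotExist(err) {
		return nil, false, nil
	}
	if err != nil {
		return nil, false, err
	}
	return ParseServingInfo(raw)
}

// ParseServingInfo decodes the operator config document; a malformed file is a hard error.
func ParseServingInfo(raw []byte) (*ServingInfo, bool, error) {
	var cfg struct{ ServingInfo ServingInfo `json:"servingInfo"` }
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, false, fmt.Errorf("parsing operator config: %w", err)
	}
	return &cfg.ServingInfo, true, nil
}

// BuildTLSConfig resolves the configured names against crypto/tls. Unknown names, suites Go marks
// insecure and TLS 1.3-only suites (a Go server cannot configure those) are rejected rather than
// silently dropped. A nil info means the file was absent: TLS 1.2 floor with Go's default suites.
func BuildTLSConfig(info *ServingInfo) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if info == nil {
		return cfg, nil
	}
	if v, ok := tlsVersions[info.MinTLSVersion]; ok {
		cfg.MinVersion = v
	} else if info.MinTLSVersion != "" {
		return nil, fmt.Errorf("unknown minTLSVersion %q", info.MinTLSVersion)
	}
	byName := map[string]*tls.CipherSuite{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		byName[cs.Name] = cs
	}
	for _, name := range info.CipherSuites {
		cs := byName[name]
		switch {
		case cs == nil:
			return nil, fmt.Errorf("unknown cipher suite %s", name)
		case cs.Insecure:
			return nil, fmt.Errorf("cipher suite %s is insecure", name)
		case len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13:
			return nil, fmt.Errorf("cipher suite %s is TLS 1.3-only and not configurable", name)
		}
		cfg.CipherSuites = append(cfg.CipherSuites, cs.ID)
	}
	return cfg, nil
}

// Describe renders the effective settings for the startup log line; an empty list means Go's defaults.
func Describe(cfg *tls.Config) string {
	names := []string{}
	for _, id := range cfg.CipherSuites {
		names = append(names, tls.CipherSuiteName(id))
	}
	return fmt.Sprintf("minTLSVersion=0x%04x cipherSuites=%v", cfg.MinVersion, names)
}

func main() {
	info, found, err := LoadServingInfo("/etc/kubernetes/static-pod-certs/configmaps/kube-apiserver-operator-config/config.yaml")
	if err != nil {
		panic(err) // a present but malformed --config stays fatal
	}
	cfg, err := BuildTLSConfig(info) // nil info (file absent) selects the defaults
	if err != nil {
		panic(err)
	}
	fmt.Printf("check-endpoints TLS (config present=%v): %s\n", found, Describe(cfg))
}
```

The trade-off the pod.yaml comment leaves implicit is visible here: falling back to defaults when the file is absent is fail-open (the endpoint keeps Go's default suite selection until the process restarts, even after the file appears), while treating a parse error or a bad suite name as fatal is fail-closed. Whichever is chosen, the log line makes the active state observable.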