diff --git a/bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml b/bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml
new file mode 100644
index 0000000000..b692941ecc
--- /dev/null
+++ b/bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: openshift-kube-apiserver
+ name: kube-apiserver-check-endpoints-config
+data:
+ config.yaml: |
+ apiVersion: operator.openshift.io/v1
+ kind: GenericOperatorConfig
+ servingInfo:
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ minTLSVersion: VersionTLS12
diff --git a/bindata/assets/kube-apiserver/pod.yaml b/bindata/assets/kube-apiserver/pod.yaml
index e8f0f1d5c6..121f620081 100644
--- a/bindata/assets/kube-apiserver/pod.yaml
+++ b/bindata/assets/kube-apiserver/pod.yaml
@@ -239,6 +239,8 @@ spec:
 args:
 - --kubeconfig
 - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig
+ - --config
+ - /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-check-endpoints-config/config.yaml
 - --listen
 - 0.0.0.0:17697
 - --namespace
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
index a0c1828f7e..c049435aaf 100644
--- a/pkg/operator/starter.go
+++ b/pkg/operator/starter.go
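Review bot: The `cipherSuites` and `minTLSVersion` under `servingInfo:` in `config.yaml` are a fixed list rather than something derived from the cluster's configured TLS security profile, so if the rest of this operator renders kube-apiserver's own TLS settings from the APIServer `tlsSecurityProfile`, the check-endpoints container will not follow an administrator's Modern or Custom selection and the two listeners in the same pod can end up with different minimum versions and suites. Whether that divergence is intended cannot be told from this file. If a static profile is deliberate, a comment above `servingInfo:` should say so, e.g. `# Fixed serving TLS profile; not derived from the cluster's APIServer tlsSecurityProfile.`, so that whoever next changes the cluster-wide profile knows this file must be edited separately.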
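Review bot: The new `--config` argument names `/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-check-endpoints-config/config.yaml`, but the matching entry added to `RevisionConfigMaps` in the starter.go hunk is `Optional: true`, so a revision can be cut without that configmap and the check-endpoints container then starts with a flag pointing at a file that is not mounted. Whether check-endpoints tolerates an absent config file or exits is not visible here; if it exits, that container crash-loops until a later revision carries the configmap. Either make the binary tolerate the missing file explicitly, or record the expectation next to the argument, e.g. `# optional in RevisionConfigMaps; may be absent in revisions created during upgrade`, so the Optional flag and this path are reviewed together.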
@@ -632,6 +632,9 @@ var RevisionConfigMaps = []revision.RevisionResource{
 // optional configmap containing the OIDC structured auth config
 {Name: auth.AuthConfigCMName, Optional: true},
+ // kube-apiserver-check-endpoints-config: TLS cipherSuites/minTLSVersion for check-endpoints.
+ // set kube-apiserver-check-endpoints-config Optional to true as this cm is not existed in the current revision when upgrade
+ {Name: "kube-apiserver-check-endpoints-config", Optional: true},
 }
 // RevisionSecrets is a list of secrets that are directly copied for the current values. A different actor/controller modifies these.
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
index 7a4406f670..ced94e4511 100644
--- a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
+++ b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -219,6 +219,10 @@ func createTargetConfig(ctx context.Context, c TargetConfigController, recorder
 if err != nil {
 errors = append(errors, fmt.Errorf("%q: %v", "configmap/config", err))
 }
+ _, _, err = manageKubeAPICheckEndpointsConfig(ctx, c.kubeClient.CoreV1(), recorder)
+ if err != nil {
+ errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-apiserver-check-endpoints-config", err))
+ }
 _, _, err = managePods(ctx, c.kubeClient.CoreV1(), c.isStartupMonitorEnabledFn, recorder, operatorSpec, c.targetImagePullSpec, c.operatorImagePullSpec, c.operatorImageVersion)
 if err != nil {
 errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-apiserver-pod", err))
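Review bot: The second added comment on the new `RevisionConfigMaps` entry is hard to parse (`as this cm is not existed in the current revision when upgrade`) and should state the reason plainly, e.g. `// Optional: revisions created by an older operator do not contain this configmap, so its absence must not block an upgrade.` The first comment mostly repeats the name that appears on the next line; it reads better if it says what the configmap holds, e.g. `// serving TLS settings (cipherSuites/minTLSVersion) for the check-endpoints container`. The `RevisionConfigMaps` declaration itself starts outside the hunk.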
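Review bot: The new `manageKubeAPICheckEndpointsConfig` call sits before `managePods`, and that order is what makes the check-endpoints configmap exist before a pod template referencing it via `--config` is written, yet nothing in the code says so, so a later reorder would silently break it. A one-line comment above the call would pin the dependency, e.g. `// must run before managePods: pod.yaml references this configmap via --config`. Note also that, as with the surrounding entries, a failure here is only appended to `errors` and `managePods` still runs, so a pod template can be published while the configmap apply is failing; that matches the existing pattern in this function but is worth stating in the same comment. `createTargetConfig` starts and ends outside the hunk.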
@@ -303,6 +307,11 @@ func manageKubeAPIServerConfig(ctx context.Context, client coreclientv1.ConfigMa
 return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
 }
+func manageKubeAPICheckEndpointsConfig(ctx context.Context, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
+ configMap := resourceread.ReadConfigMapV1OrDie(bindata.MustAsset("assets/kube-apiserver/check-endpoints-config-cm.yaml"))
+ return resourceapply.ApplyConfigMap(ctx, client, recorder, configMap)
+}
+
 func managePods(ctx context.Context, client coreclientv1.ConfigMapsGetter, isStartupMonitorEnabledFn func() (bool, error), recorder events.Recorder, operatorSpec *operatorv1.StaticPodOperatorSpec, imagePullSpec, operatorImagePullSpec, operatorImageVersion string) (*corev1.ConfigMap, bool, error) {
 appliedPodTemplate, err := manageTemplate(string(bindata.MustAsset("assets/kube-apiserver/pod.yaml")), imagePullSpec, operatorImagePullSpec, operatorImageVersion, operatorSpec)
 if err != nil {
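Review bot: `manageKubeAPICheckEndpointsConfig` has no doc comment, and unlike `managePods` directly below it takes no `operatorSpec` or observed configuration: it reads the bindata asset and applies it verbatim, so the TLS settings it publishes never change with the cluster's configuration. The doc comment should make that explicit so nobody expects it to react to a TLS profile change, e.g. `// manageKubeAPICheckEndpointsConfig applies the static check-endpoints serving config (cipherSuites/minTLSVersion) embedded in bindata; it does not consult operatorSpec or observed config.` Both `bindata.MustAsset` and `resourceread.ReadConfigMapV1OrDie` panic on a missing or malformed asset, which is acceptable for an embedded file but deserves a trailing clause in that comment.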