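--- a/bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml
+++ b/bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+namespace: openshift-kube-apiserver
+name: kube-apiserver-check-endpoints-config
+data:
+config.yaml: |
+apiVersion: operator.openshift.io/v1
+kind: GenericOperatorConfig
+servingInfo:
+cipherSuites:
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+minTLSVersion: VersionTLS12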
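Review bot: The `cipherSuites` list and `minTLSVersion: VersionTLS12` in this asset are a fixed TLS baseline rather than something rendered from the cluster's configured TLS security profile, so if the operator derives the kube-apiserver's own servingInfo from observed config (I cannot confirm that from this diff), the check-endpoints listener will not follow later profile changes and would keep accepting TLS 1.2 after an administrator moves the cluster to a stricter profile. If a static baseline is the intent, a comment at the top of the asset saying so would stop the next reader from treating the drift as a bug, e.g. `# Static TLS settings for check-endpoints; not derived from the cluster tlsSecurityProfile.` Otherwise consider templating these values from the same source the kube-apiserver config uses.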
2 changes: 2 additions & 0 deletions bindata/assets/kube-apiserver/pod.yaml
Expand Up @@ -239,6 +239,8 @@ spec:
args:
- --kubeconfig
- /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig
- --config
- /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-check-endpoints-config/config.yaml
- --listen
- 0.0.0.0:17697
- --namespace
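Review bot: The new `--config` argument points the check-endpoints container at `/etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-check-endpoints-config/config.yaml`, but pkg/operator/starter.go registers that configmap with `Optional: true` precisely because revisions created before this change do not contain it. If check-endpoints treats a missing config file as fatal, the container will fail to start on such a revision during an upgrade until a new revision is rolled out; please confirm the binary tolerates an absent `--config` path (or falls back to its defaults), or otherwise only pass the flag once the file is guaranteed to exist. The container spec continues outside the hunk.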
3 changes: 3 additions & 0 deletions pkg/operator/starter.go
Expand Up @@ -632,6 +632,9 @@ var RevisionConfigMaps = []revision.RevisionResource{

// optional configmap containing the OIDC structured auth config
{Name: auth.AuthConfigCMName, Optional: true},
// kube-apiserver-check-endpoints-config: TLS cipherSuites/minTLSVersion for check-endpoints.
// set kube-apiserver-check-endpoints-config Optional to true as this cm is not existed in the current revision when upgrade
{Name: "kube-apiserver-check-endpoints-config", Optional: true},
}

// RevisionSecrets is a list of secrets that are directly copied for the current values. A different actor/controller modifies these.
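Review bot: The comment above the new `RevisionConfigMaps` entry reads awkwardly (`is not existed in the current revision when upgrade`) and splits the rationale across two lines; I would fold it into one sentence that states both what the configmap carries and why it is optional: `// kube-apiserver-check-endpoints-config carries the TLS cipherSuites/minTLSVersion for check-endpoints; it is Optional because revisions created before this change do not contain it, so it is absent while an upgrade is in progress.` The `RevisionConfigMaps` literal starts outside the hunk.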
9 changes: 9 additions & 0 deletions pkg/operator/targetconfigcontroller/targetconfigcontroller.go
Expand Up @@ -219,6 +219,10 @@ func createTargetConfig(ctx context.Context, c TargetConfigController, recorder
if err != nil {
errors = append(errors, fmt.Errorf("%q: %v", "configmap/config", err))
}
_, _, err = manageKubeAPICheckEndpointsConfig(ctx, c.kubeClient.CoreV1(), recorder)
if err != nil {
errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-apiserver-check-endpoints-config", err))
}
_, _, err = managePods(ctx, c.kubeClient.CoreV1(), c.isStartupMonitorEnabledFn, recorder, operatorSpec, c.targetImagePullSpec, c.operatorImagePullSpec, c.operatorImageVersion)
if err != nil {
errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-apiserver-pod", err))
Expand Down Expand Up @@ -303,6 +307,11 @@ func manageKubeAPIServerConfig(ctx context.Context, client coreclientv1.ConfigMa
return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
}

func manageKubeAPICheckEndpointsConfig(ctx context.Context, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
configMap := resourceread.ReadConfigMapV1OrDie(bindata.MustAsset("assets/kube-apiserver/check-endpoints-config-cm.yaml"))
return resourceapply.ApplyConfigMap(ctx, client, recorder, configMap)
}

func managePods(ctx context.Context, client coreclientv1.ConfigMapsGetter, isStartupMonitorEnabledFn func() (bool, error), recorder events.Recorder, operatorSpec *operatorv1.StaticPodOperatorSpec, imagePullSpec, operatorImagePullSpec, operatorImageVersion string) (*corev1.ConfigMap, bool, error) {
appliedPodTemplate, err := manageTemplate(string(bindata.MustAsset("assets/kube-apiserver/pod.yaml")), imagePullSpec, operatorImagePullSpec, operatorImageVersion, operatorSpec)
if err != nil {
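Review bot: `manageKubeAPICheckEndpointsConfig` in the second hunk has no doc comment, and nothing in the function tells a reader that the configmap it applies is read verbatim from bindata rather than rendered from the observed operator config the way the pod template is. I would add `// manageKubeAPICheckEndpointsConfig applies the static kube-apiserver-check-endpoints-config ConfigMap from bindata, which carries the TLS cipherSuites/minTLSVersion used by check-endpoints; it is not templated from observed config.` The caller added in the first hunk records failures under `"configmap/kube-apiserver-check-endpoints-config"`, which matches the configmap name in the asset, so that part looks consistent.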