TRACING-6116: Add TLS min version and cipher suite configuration support#248
Conversation
Add --tls-min-version and --tls-cipher-suites flags with env var fallback (TLS_MIN_VERSION, TLS_CIPHER_SUITES). Uses k8s component-base for TLS version and cipher suite validation, matching the approach in the opentelemetry-operator. Defaults to TLS 1.2 when no min version is specified.
openshift-ci
Bot
added
the
do-not-merge/work-in-progress
openshift-ci
Bot
added
needs-ok-to-test
|
Hi @ozzywalsh. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
andreasgerstmayr
left a comment
andreasgerstmayr
left a comment
There was a problem hiding this comment.
Looks good overall! 💯
For simplicity, I would remove the whitespace trimming and the custom cipherSuitesSlice type - the flag or env var will be set by the operator, which is expected to provide a valid value
cc @jgbernalp the other UI plugins will need the same, we should keep the naming of the flags/env vars identical across UI plugins
@andreasgerstmayr Good idea, I'll add comments to the JIRAs to mention this. Also do we also need a |
Simplify TLS cipher suites flag handling by using a plain string flag instead of a custom flag.Value type. The operator is expected to provide valid values, so whitespace trimming is unnecessary.
Ok. I removed the whitespace traimming & custom type. |
@zhuje the OpenShift TLS Security Profiles don't specify a max TLS version. So for the purpose of supporting the cluster wide tls profiles; that flag is not needed. |
|
/lgtm |
openshift-ci
Bot
added
lgtm
|
I have also opened a PR for the NoteThe console plugin should be released first , then the At least that's how my understanding. Perhaps someone can chime in on how that is handled. |
|
I just realized this only applies the TLS config to the API server, could you also configure the TLS config of the proxy in The UI plugin proxies |
@andreasgerstmayr ok, i'll take a look & update the PR. |
|
@andreasgerstmayr I have updated this PR to also include the proxy. Let me know what you think. |
| r.PathPrefix("/proxy/{namespace}/{name}/{tenant}").Handler(proxy.NewProxyHandler(k8sclient, cfg.CertFile)) | ||
| var proxyTLSMinVersion uint16 | ||
| if cfg.TLSMinVersion != "" { | ||
| proxyTLSMinVersion, _ = k8sapiflag.TLSVersion(cfg.TLSMinVersion) |
There was a problem hiding this comment.
Let's add error handling here instead of silently dismissing the error and not using the configured TLS min version.
Technically the
logrus.WithError(err).Fatal("invalid TLS min version")
which is called a few lines after setupRoutes() will exit the process in case of error, but I suggest to be overcautious here, in case for example the code gets refactored in the future.
There was a problem hiding this comment.
Ok; I've changed it throw an error with logrus; as is done elsewhere if this function fails. I also did the same where we convert the ciphers to golang format.
| } | ||
| func (h *ProxyHandler) buildTLSConfig() (*tls.Config, error) { | ||
| if h.serviceCAfile == "" { | ||
| return nil, nil |
There was a problem hiding this comment.
Because of this early exit, the TLS min version and cipher suite won't be set if serviceCAfile is empty. imho it still makes sense to configure these settings, as the CA is just an optional field in the TLS configuration.
There was a problem hiding this comment.
Ok, fixed. We configure the min_version & cipher suite even if no cert is pased now.
|
/ok-to-test |
openshift-ci
Bot
added
ok-to-test
Previously errors from k8sapiflag.TLSVersion and TLSCipherSuites were silently discarded when configuring the proxy TLS settings. This adds fatal error logging consistent with how the server TLS config handles parse failures.
| if len(cfg.TLSCipherSuites) > 0 { | ||
| cipherSuiteIDs, err := k8sapiflag.TLSCipherSuites(cfg.TLSCipherSuites) | ||
| if err != nil { | ||
| logrus.WithError(err).Fatal("invalid TLS cipher suites") |
There was a problem hiding this comment.
Let's add error handling here instead of silently dismissing the error and not using the configured TLS min version.
Technically the
logrus.WithError(err).Fatal("invalid TLS min version")which is called a few lines after
setupRoutes()will exit the process in case of error, but I suggest to be overcautious here, in case for example the code gets refactored in the future.
I made the same change here also.
|
@ozzywalsh: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Thanks for the changes! /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andreasgerstmayr The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
ozzywalsh
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@ozzywalsh: This pull request references TRACING-6116 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Will test this PR once I finish testing rhobs/observability-operator#1041 |
|
/label qe-approved |
openshift-ci
Bot
added
the
qe-approved
|
@ozzywalsh: This pull request references TRACING-6116 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@ozzywalsh @andreasgerstmayr Finished testing, added test cases with PR #249 We can go ahead and merge the PR. |
|
Could you backport this to the COO release branches? |
|
/cherry-pick release-coo-ocp-4.19 release-coo-ocp-4.15 release-coo-ocp-4.12 |
|
@andreasgerstmayr: new pull request created: #258 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
7 participants
Add support for passing tls min version & cipher suites to the backend.
See similar PR in
otel-operator: open-telemetry/opentelemetry-operator#4669Preparatory work for pulling in the cluster tls security profile in
rhobs/observability-operator--tls-min-versionand--tls-cipher-suitesflags with env var fallback (TLS_MIN_VERSION,TLS_CIPHER_SUITES).