Skip to content

Commit

Permalink
Support modern TLS security Profile
Browse files Browse the repository at this point in the history
  • Loading branch information
@wangke19
wangke19 committed Oct 30, 2024
1 parent 7ca9eb1 commit aea610c
Show file tree
Hide file tree
Showing 4,672 changed files with 1,193,999 additions and 16,045 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
2 changes: 1 addition & 1 deletion go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ require (
github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f
github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6
github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f
github.com/openshift/library-go v0.0.0-20241001171606-756adf2188fc
github.com/openshift/library-go v0.0.0-20241028193827-a808e2fb8060
github.com/pkg/errors v0.9.1
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
github.com/prometheus/client_golang v1.19.1
Expand Down
168 changes: 2 additions & 166 deletions go.sum
View file

Large diffs are not rendered by default.

9 changes: 4 additions & 5 deletions openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,7 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
string(configv1.TLSProfileOldType),
string(configv1.TLSProfileIntermediateType),
string(configv1.TLSProfileCustomType),
string(configv1.TLSProfileModernType),
}

switch profile.Type {
Expand All @@ -200,7 +201,9 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
errs = append(errs, field.Required(fieldPath.Child("intermediate"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
}
case configv1.TLSProfileModernType:
errs = append(errs, field.NotSupported(fieldPath.Child("type"), profile.Type, availableTypes))
if profile.Modern == nil {
errs = append(errs, field.Required(fieldPath.Child("modern"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
}
case configv1.TLSProfileCustomType:
if profile.Custom == nil {
errs = append(errs, field.Required(fieldPath.Child("custom"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
Expand Down Expand Up @@ -247,10 +250,6 @@ func haveRequiredHTTP2CipherSuites(suites []string) bool {
func validateMinTLSVersion(fieldPath *field.Path, version configv1.TLSProtocolVersion) field.ErrorList {
errs := field.ErrorList{}

if version == configv1.VersionTLS13 {
return append(errs, field.NotSupported(fieldPath, version, []string{string(configv1.VersionTLS10), string(configv1.VersionTLS11), string(configv1.VersionTLS12)}))
}

if _, err := libgocrypto.TLSVersion(string(version)); err != nil {
errs = append(errs, field.Invalid(fieldPath, version, err.Error()))
}
Expand Down
32 changes: 1 addition & 31 deletions ...ft-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -143,28 +143,13 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
field.Required(rootFieldPath.Child("intermediate"), "type set to Intermediate, but the corresponding field is unset"),
},
},
{
name: "modern type - currently unsupported",
profile: &configv1.TLSSecurityProfile{
Type: configv1.TLSProfileModernType,
Modern: &configv1.ModernTLSProfile{},
},
want: field.ErrorList{
field.NotSupported(rootFieldPath.Child("type"), configv1.TLSProfileModernType,
[]string{
string(configv1.TLSProfileOldType),
string(configv1.TLSProfileIntermediateType),
string(configv1.TLSProfileCustomType),
}),
},
},
{
name: "unknown type",
profile: &configv1.TLSSecurityProfile{
Type: "something",
},
want: field.ErrorList{
field.Invalid(rootFieldPath.Child("type"), "something", "unknown type, valid values are: [Old Intermediate Custom]"),
field.Invalid(rootFieldPath.Child("type"), "something", "unknown type, valid values are: [Old Intermediate Custom Modern]"),
},
},
{
Expand Down Expand Up @@ -211,21 +196,6 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
field.Invalid(rootFieldPath.Child("custom", "ciphers"), []string(nil), "http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)"),
},
},
{
name: "min tls 1.3 - currently unsupported",
profile: &configv1.TLSSecurityProfile{
Type: "Custom",
Custom: &configv1.CustomTLSProfile{
TLSProfileSpec: configv1.TLSProfileSpec{
Ciphers: []string{"ECDHE-ECDSA-CHACHA20-POLY1305"},
MinTLSVersion: configv1.VersionTLS13,
},
},
},
want: field.ErrorList{
field.NotSupported(rootFieldPath.Child("custom", "minTLSVersion"), configv1.VersionTLS13, []string{string(configv1.VersionTLS10), string(configv1.VersionTLS11), string(configv1.VersionTLS12)}),
},
},
{
name: "custom profile missing required http2 ciphers",
profile: &configv1.TLSSecurityProfile{
Expand Down
9 changes: 0 additions & 9 deletions vendor/OWNERS
View file

This file was deleted.

6 changes: 3 additions & 3 deletions vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

162 changes: 0 additions & 162 deletions vendor/golang.org/x/text/cases/cases.go
View file

This file was deleted.

Loading

0 comments on commit aea610c

Please sign in to comment.