Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP]OCPBUGS-37706: Modern TLS security profile support #2071

Closed
wants to merge 1 commit into from
Closed

[WIP]OCPBUGS-37706: Modern TLS security profile support #2071

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
The diff you're trying to view is too large. We only load the first 3000 changed files.
2 changes: 1 addition & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ require (
github.com/openshift/api v0.0.0-20241001152557-e415140e5d5f
github.com/openshift/apiserver-library-go v0.0.0-20241001175710-6064b62894a6
github.com/openshift/client-go v0.0.0-20241001162912-da6d55e4611f
github.com/openshift/library-go v0.0.0-20241001171606-756adf2188fc
github.com/openshift/library-go v0.0.0-20241028193827-a808e2fb8060
github.com/pkg/errors v0.9.1
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
github.com/prometheus/client_golang v1.19.1
Expand Down
168 changes: 2 additions & 166 deletions go.sum
View file
Open in desktop

Large diffs are not rendered by default.

9 changes: 4 additions & 5 deletions openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,7 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
string(configv1.TLSProfileOldType),
string(configv1.TLSProfileIntermediateType),
string(configv1.TLSProfileCustomType),
string(configv1.TLSProfileModernType),
}

switch profile.Type {
Expand All @@ -200,7 +201,9 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
errs = append(errs, field.Required(fieldPath.Child("intermediate"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
}
case configv1.TLSProfileModernType:
errs = append(errs, field.NotSupported(fieldPath.Child("type"), profile.Type, availableTypes))
if profile.Modern == nil {
errs = append(errs, field.Required(fieldPath.Child("modern"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
}
case configv1.TLSProfileCustomType:
if profile.Custom == nil {
errs = append(errs, field.Required(fieldPath.Child("custom"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
Expand Down Expand Up @@ -247,10 +250,6 @@ func haveRequiredHTTP2CipherSuites(suites []string) bool {
func validateMinTLSVersion(fieldPath *field.Path, version configv1.TLSProtocolVersion) field.ErrorList {
errs := field.ErrorList{}

if version == configv1.VersionTLS13 {
return append(errs, field.NotSupported(fieldPath, version, []string{string(configv1.VersionTLS10), string(configv1.VersionTLS11), string(configv1.VersionTLS12)}))
}

if _, err := libgocrypto.TLSVersion(string(version)); err != nil {
errs = append(errs, field.Invalid(fieldPath, version, err.Error()))
}
Expand Down
32 changes: 1 addition & 31 deletions ...ft-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,28 +143,13 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
field.Required(rootFieldPath.Child("intermediate"), "type set to Intermediate, but the corresponding field is unset"),
},
},
{
name: "modern type - currently unsupported",
profile: &configv1.TLSSecurityProfile{
Type: configv1.TLSProfileModernType,
Modern: &configv1.ModernTLSProfile{},
},
want: field.ErrorList{
field.NotSupported(rootFieldPath.Child("type"), configv1.TLSProfileModernType,
[]string{
string(configv1.TLSProfileOldType),
string(configv1.TLSProfileIntermediateType),
string(configv1.TLSProfileCustomType),
}),
},
},
{
name: "unknown type",
profile: &configv1.TLSSecurityProfile{
Type: "something",
},
want: field.ErrorList{
field.Invalid(rootFieldPath.Child("type"), "something", "unknown type, valid values are: [Old Intermediate Custom]"),
field.Invalid(rootFieldPath.Child("type"), "something", "unknown type, valid values are: [Old Intermediate Custom Modern]"),
},
},
{
Expand Down Expand Up @@ -211,21 +196,6 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
field.Invalid(rootFieldPath.Child("custom", "ciphers"), []string(nil), "http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)"),
},
},
{
name: "min tls 1.3 - currently unsupported",
profile: &configv1.TLSSecurityProfile{
Type: "Custom",
Custom: &configv1.CustomTLSProfile{
TLSProfileSpec: configv1.TLSProfileSpec{
Ciphers: []string{"ECDHE-ECDSA-CHACHA20-POLY1305"},
MinTLSVersion: configv1.VersionTLS13,
},
},
},
want: field.ErrorList{
field.NotSupported(rootFieldPath.Child("custom", "minTLSVersion"), configv1.VersionTLS13, []string{string(configv1.VersionTLS10), string(configv1.VersionTLS11), string(configv1.VersionTLS12)}),
},
},
{
name: "custom profile missing required http2 ciphers",
profile: &configv1.TLSSecurityProfile{
Expand Down
9 changes: 0 additions & 9 deletions vendor/OWNERS
View file
Open in desktop

This file was deleted.

6 changes: 3 additions & 3 deletions vendor/github.com/openshift/library-go/pkg/crypto/crypto.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

162 changes: 0 additions & 162 deletions vendor/golang.org/x/text/cases/cases.go
View file
Open in desktop

This file was deleted.

Loading