Removed outdated TLS cipher suites #392

Merged
merged 12 commits into from
Dec 11, 2024
5 changes: 4 additions & 1 deletion CHANGELOG.md
@@ -7,8 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [1.7.0] - 2024-12-06
### Changed

- :warning: Kubernetes >= v1.30 **Remove outdated TLS cipher suites `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`.**

## [1.7.0] - 2024-12-06

### Added

@@ -21,26 +21,7 @@ systemReserved:
cpu: {{ $.Values.internal.advancedConfiguration.kubelet.systemReserved.cpu }}
memory: {{ $.Values.internal.advancedConfiguration.kubelet.systemReserved.memory }}
systemReservedCgroup: /system.slice
tlsCipherSuites:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
tlsCipherSuites: {{ include "cluster.internal.kubeadm.tlsCipherSuites" $ | nindent 2 }}
serializeImagePulls: false
streamingConnectionIdleTimeout: 1h
allowedUnsafeSysctls:
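Review bot: the removed hard-coded list had 19 suites, but the helper that replaces it never emits `TLS_RSA_WITH_AES_256_CBC_SHA` or `TLS_RSA_WITH_AES_256_GCM_SHA384`, so the kubelet loses those two on every Kubernetes version, not only the two CHACHA20 names on 1.30+. If that is intended, it should be stated in the changelog; if not, add them to the helper. Also confirm in a rendered template that `nindent 2` puts the `- ` items under `tlsCipherSuites:` where the previous inline items were, since a wrong indentation level here silently changes what the kubelet accepts.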
29 changes: 29 additions & 0 deletions helm/cluster/templates/clusterapi/_helpers_tlsciphersuites.tpl
@@ -0,0 +1,29 @@
{{- /*
This file is for internal use only. It is used to define the list of TLS ciphersuites that are supported by the Kubernetes API server.
The list of ciphersuites is based on the Kubernetes version and is used to configure the `tls-cipher-suites` parameter in the kube-apiserver and kubelet configuration files.
*/}}

{{- define "cluster.internal.kubeadm.tlsCipherSuites" -}}
{{- $k8sVersion := include "cluster.component.kubernetes.version" . | trimPrefix "v" }}
{{- $ciphers := list
"TLS_AES_128_GCM_SHA256"
"TLS_AES_256_GCM_SHA384"
"TLS_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_RSA_WITH_AES_128_CBC_SHA"
"TLS_RSA_WITH_AES_128_GCM_SHA256"
}}
{{- if semverCompare "<1.30.0" $k8sVersion }}
{{- $ciphers = concat $ciphers (list "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305") }}
{{- end }}
{{- toYaml $ciphers }}
{{- end }}
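Review bot: the header comment describes the list as "supported by the Kubernetes API server", but this define is now the single source for both kube-apiserver and kubelet, so say that explicitly and note that any suite dropped here disappears from both components. A comment on the `semverCompare "<1.30.0"` gate explaining why `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305` and `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305` are no longer accepted from 1.30.0 would help the next reader, and it is worth checking how that comparison behaves if `cluster.component.kubernetes.version` can carry a pre-release suffix. `concat` appends the two legacy names at the end rather than in their former alphabetical position; fine if order is irrelevant to consumers, otherwise keep the original placement. Given the PR title, note that the retained list still contains the `*_CBC_SHA` and `TLS_RSA_WITH_*` suites, so "outdated" here means only the names 1.30 rejects, not the weaker suites still offered.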
@@ -64,7 +64,8 @@ extraArgs:
{{- end }}
service-account-lookup: "true"
service-cluster-ip-range: {{ .Values.global.connectivity.network.services.cidrBlocks | first }}
tls-cipher-suites: {{ include "cluster.internal.controlPlane.kubeadm.clusterConfiguration.apiServer.tlsCipherSuites" $ }}
{{- /* Returning the tls cipher suites map object use fromYamlArray when converting to string */}}
tls-cipher-suites: {{ include "cluster.internal.kubeadm.tlsCipherSuites" $ | fromYamlArray | join "," }}
{{- range $argName, $argValue := $.Values.internal.advancedConfiguration.controlPlane.apiServer.extraArgs }}
{{ $argName }}: {{ if kindIs "string" $argValue }}{{ $argValue | quote }}{{ else }}{{ $argValue }}{{ end }}
{{- end }}
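Review bot: the comment above the new `tls-cipher-suites` line is misleading: the include returns a YAML sequence produced by `toYaml`, not a "map object", and `fromYamlArray | join ","` turns it back into the comma-separated string the kube-apiserver flag expects. Suggest `{{- /* The helper renders a YAML list; parse it with fromYamlArray and join it into the comma-separated flag value */}}`. The removed helper ran `compact` before joining; that is no longer done here, which is fine only as long as the helper never emits empty entries.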
@@ -138,31 +139,6 @@ https://{{ .serviceAccountIssuer.clusterDomainPrefix }}.{{ include "cluster.reso
api-audiences-example.giantswarm.io
{{- end }}

{{- define "cluster.internal.controlPlane.kubeadm.clusterConfiguration.apiServer.tlsCipherSuites" }}
{{- $preferredCiphers := list
"TLS_AES_128_GCM_SHA256"
"TLS_AES_256_GCM_SHA384"
"TLS_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_RSA_WITH_AES_128_CBC_SHA"
"TLS_RSA_WITH_AES_128_GCM_SHA256"
"TLS_RSA_WITH_AES_256_CBC_SHA"
"TLS_RSA_WITH_AES_256_GCM_SHA384"
-}}
{{- join "," (compact $preferredCiphers) }}
{{- end }}

{{- define "cluster.internal.controlPlane.kubeadm.clusterConfiguration.apiServer.featureGates" }}
{{- $providerFeatureGates := $.Values.providerIntegration.controlPlane.kubeadmConfig.clusterConfiguration.apiServer.featureGates | default list }}
{{- $internalFeatureGates := $.Values.internal.advancedConfiguration.controlPlane.apiServer.featureGates | default list }}
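Review bot: deleting `cluster.internal.controlPlane.kubeadm.clusterConfiguration.apiServer.tlsCipherSuites` makes any template or test that still includes it fail at render time, so grep the chart (and anything that reuses its templates) for the old name before merging. The removed list also contained `TLS_RSA_WITH_AES_256_CBC_SHA` and `TLS_RSA_WITH_AES_256_GCM_SHA384`, which the replacement helper does not, so the API server's cipher list shrinks by more than the two CHACHA20 names the title describes.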