Merge pull request #1808 from tkatila/tls-cipher-updates

mythi · web-flow · commit a91d43a776fa · 2024-08-20T14:42:08.000+03:00
TLS cipher updates
diff --git a/cmd/fpga_admissionwebhook/README.md b/cmd/fpga_admissionwebhook/README.md
@@ -54,6 +54,8 @@ controller webhook plugin.
 The default webhook deployment depends on having [cert-manager](https://cert-manager.io/)
 installed. See its installation instructions [here](https://cert-manager.io/docs/installation/kubectl/).
 
+> **Note**: The default deployment for the Intel FPGA webhook uses self-signed certificates. For a production cluster, the certificate issuer should be properly set and not use a self-signed method.
+
 Also if your cluster operates behind a corporate proxy make sure that the API
 server is configured not to send requests to cluster services through the
 proxy. You can check that with the following command:
diff --git a/cmd/fpga_admissionwebhook/main.go b/cmd/fpga_admissionwebhook/main.go
@@ -55,7 +55,14 @@ func main() {
 	ctrl.SetLogger(textlogger.NewLogger(tlConf))
 
 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}
 
 	webhookOptions := webhook.Options{
diff --git a/cmd/operator/README.md b/cmd/operator/README.md
@@ -62,6 +62,8 @@ deployments/operator/samples/deviceplugin_v1_dsadeviceplugin.yaml:    intel.feat
 
 ### Cert-Manager
 
+> **Note**: The default deployment for the Intel Device Plugin operator uses self-signed certificates. For a production cluster, the certificate issuer should be properly set and not use a self-signed method.
+
 The default operator deployment depends on [cert-manager](https://cert-manager.io/) running in the cluster.
 See installation instructions [here](https://cert-manager.io/docs/installation/kubectl/).
 
diff --git a/cmd/operator/main.go b/cmd/operator/main.go
@@ -135,7 +135,14 @@ func main() {
 	}
 
 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}
 
 	webhookOptions := webhook.Options{
diff --git a/cmd/sgx_admissionwebhook/README.md b/cmd/sgx_admissionwebhook/README.md
@@ -32,6 +32,8 @@ controller webhook plugin.
 The default webhook deployment depends on having [cert-manager](https://cert-manager.io/)
 installed. See its installation instructions [here](https://cert-manager.io/docs/installation/kubectl/).
 
+> **Note**: The default deployment for the Intel SGX webhook uses self-signed certificates. For a production cluster, the certificate issuer should be properly set and not use a self-signed method.
+
 Also if your cluster operates behind a corporate proxy make sure that the API
 server is configured not to send requests to cluster services through the
 proxy. You can check that with the following command:
diff --git a/cmd/sgx_admissionwebhook/main.go b/cmd/sgx_admissionwebhook/main.go
@@ -37,7 +37,14 @@ func main() {
 	ctrl.SetLogger(textlogger.NewLogger(tlConf))
 
 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}
 
 	webhookOptions := webhook.Options{
diff --git a/deployments/operator/default/manager_auth_proxy_patch.yaml b/deployments/operator/default/manager_auth_proxy_patch.yaml
@@ -15,7 +15,7 @@ spec:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
         - "--logtostderr=true"
-        - "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+        - "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
         - "--v=10"
         ports:
         - containerPort: 8443

Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,14 @@ func main() {`
`135`	`135`	`}`
`136`	`136`
`137`	`137`	`tlsCfgFunc := func(cfg *tls.Config) {`
`138`		`- cfg.MinVersion = tls.VersionTLS13`
	`138`	`+ cfg.MinVersion = tls.VersionTLS12`
	`139`	`+ cfg.MaxVersion = tls.VersionTLS12`
	`140`	`+ cfg.CipherSuites = []uint16{`
	`141`	`+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,`
	`142`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,`
	`143`	`+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,`
	`144`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,`
	`145`	`+ }`
`139`	`146`	`}`
`140`	`147`
`141`	`148`	`webhookOptions := webhook.Options{`