WIP: Proove 1956 #3479

Open, wants to merge 5 commits into base: main
2 changes: 1 addition & 1 deletion api/v1beta1/zz_generated.defaults.go


62 changes: 56 additions & 6 deletions config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml
@@ -2813,11 +2813,16 @@ spec:
looks like this:

ciphers:

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256
minTLSVersion: TLSv1.1

minTLSVersion: VersionTLS11
nullable: true
properties:
ciphers:
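Review bot: the example's `minTLSVersion` now uses the `VersionTLS11` spelling that the NOTE and the `enum:` validation in the next hunk use, instead of the `TLSv1.1` display name, so a user copying the example gets a value the API accepts. Two follow-ups: the example still advertises a TLS 1.1 floor, which RFC 8996 deprecates, so if this description is maintained in this repo rather than vendored from openshift/api, consider showing `VersionTLS12` in the custom example; and the identical hunk in deploy/crds/hco00.crd.yaml should come out of the generator in the same run rather than being hand-copied.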
@@ -2831,13 +2836,14 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
that is negotiated during the TLS handshake. For example, to use TLS
versions 1.1, 1.2 and 1.3 (yaml):

minTLSVersion: TLSv1.1
minTLSVersion: VersionTLS11

NOTE: currently the highest minTLSVersion allowed is VersionTLS12
enum:
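Review bot: `x-kubernetes-list-type: atomic` on `ciphers` changes server-side apply semantics: the whole list is owned as one value, so a second field manager cannot add or remove individual suites, it replaces the list. That is the right model for an ordered preference list, but it is a user-visible change for anyone managing this field with SSA and belongs in the PR description. The wording "to use TLS versions 1.1, 1.2 and 1.3" beside "currently the highest minTLSVersion allowed is VersionTLS12" is consistent (the cap applies to the minimum, not to what gets negotiated) but is easy to misread; one clarifying clause would help.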
@@ -2856,18 +2862,30 @@ spec:
and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES256-GCM-SHA384

- ECDHE-RSA-AES256-GCM-SHA384

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- DHE-RSA-AES128-GCM-SHA256

- DHE-RSA-AES256-GCM-SHA384
minTLSVersion: TLSv1.2

minTLSVersion: VersionTLS12
nullable: true
type: object
modern:
@@ -2879,12 +2897,14 @@ spec:
and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256
minTLSVersion: TLSv1.3

NOTE: Currently unsupported.
minTLSVersion: VersionTLS13
nullable: true
type: object
old:
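Review bot: the added "NOTE: Currently unsupported." on the modern profile contradicts controllers/operands/kubevirt.go in this same PR, which adds an explicit `profile.Modern != nil` branch. Decide which is true: if the branch makes Modern supported (minimum version only, no cipher list because TLS 1.3 suites are fixed), drop or reword the NOTE; if Modern is still rejected somewhere outside this diff, point to that check in a comment on the new branch. If this description text is vendored from openshift/api, the wording has to change upstream and the generator will pick it up.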
@@ -2896,36 +2916,66 @@ spec:
and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES256-GCM-SHA384

- ECDHE-RSA-AES256-GCM-SHA384

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- DHE-RSA-AES128-GCM-SHA256

- DHE-RSA-AES256-GCM-SHA384

- DHE-RSA-CHACHA20-POLY1305

- ECDHE-ECDSA-AES128-SHA256

- ECDHE-RSA-AES128-SHA256

- ECDHE-ECDSA-AES128-SHA

- ECDHE-RSA-AES128-SHA

- ECDHE-ECDSA-AES256-SHA384

- ECDHE-RSA-AES256-SHA384

- ECDHE-ECDSA-AES256-SHA

- ECDHE-RSA-AES256-SHA

- DHE-RSA-AES128-SHA256

- DHE-RSA-AES256-SHA256

- AES128-GCM-SHA256

- AES256-GCM-SHA384

- AES128-SHA256

- AES256-SHA256

- AES128-SHA

- AES256-SHA

- DES-CBC3-SHA
minTLSVersion: TLSv1.0

minTLSVersion: VersionTLS10
nullable: true
type: object
type:
3 changes: 3 additions & 0 deletions controllers/hyperconverged/hyperconverged_controller_test.go
@@ -1064,6 +1064,9 @@ var _ = Describe("HyperconvergedController", func() {

Expect(kv.Spec.Configuration.TLSConfiguration.MinTLSVersion).To(Equal(kubevirtcorev1.VersionTLS12))
Expect(kv.Spec.Configuration.TLSConfiguration.Ciphers).To(Equal([]string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
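Review bot: the expected `Ciphers` slice now begins with the three TLS 1.3 suites, and `Equal` on a `[]string` is order-sensitive, so this assertion pins both membership and preference order of the mapped list; that is the intent for a cipher list, so a one-line comment saying so would stop someone "fixing" the order later. Note also that Go's crypto/tls does not allow selecting TLS 1.3 suites (`Config.CipherSuites` applies to TLS 1.0 to 1.2 only), so confirm that KubeVirt accepts these three names in `TLSConfiguration.Ciphers` rather than rejecting the configuration before they are asserted as expected output.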
2 changes: 2 additions & 0 deletions controllers/operands/kubevirt.go
@@ -704,6 +704,8 @@ func hcTLSSecurityProfileToKv(profile *openshiftconfigv1.TLSSecurityProfile) *ku
if profile.Custom != nil {
profileCiphers = profile.Custom.Ciphers
profileMinVersion = profile.Custom.MinTLSVersion
} else if profile.Modern != nil {
profileMinVersion = openshiftconfigv1.TLSProfiles[profile.Type].MinTLSVersion
} else {
profileCiphers = openshiftconfigv1.TLSProfiles[profile.Type].Ciphers
profileMinVersion = openshiftconfigv1.TLSProfiles[profile.Type].MinTLSVersion
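Review bot: the new `else if profile.Modern != nil` branch sets `profileMinVersion` but leaves `profileCiphers` at whatever it was initialised to above this hunk (not visible here), while the `else` branch below would have filled it from `TLSProfiles[profile.Type].Ciphers` for the same input; if an empty list is intended because TLS 1.3 suites are not selectable, say so in a comment next to the branch. The branch also keys on the union pointer where the fallback keys on `profile.Type`; if a profile can carry `type: Modern` without a `modern: {}` member, it silently takes the fallback path instead, so consider testing `profile.Type` here as well.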
6 changes: 6 additions & 0 deletions controllers/operands/kubevirt_test.go
@@ -4316,6 +4316,9 @@ Version: 1.2.3`)
}

kvOldCiphers := []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
@@ -4337,6 +4340,9 @@ Version: 1.2.3`)
}

kvIntermediateCiphers := []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
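Review bot: both `kvOldCiphers` and `kvIntermediateCiphers` now open with the same three TLS 1.3 entries; a shared prefix slice would keep the two expectations from drifting. More importantly, the test hunks in this file cover only the old and intermediate profiles, while kubevirt.go in this PR adds a Modern branch; add a case that passes a `Modern` profile to `hcTLSSecurityProfileToKv` and asserts on both the resulting MinTLSVersion and the (presumably empty) Ciphers.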
62 changes: 56 additions & 6 deletions deploy/crds/hco00.crd.yaml
@@ -2813,11 +2813,16 @@ spec:
looks like this:

ciphers:

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256
minTLSVersion: TLSv1.1

minTLSVersion: VersionTLS11
nullable: true
properties:
ciphers:
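Review bot: this hunk and the remaining ones in this file are identical to those in config/crd/bases/hco.kubevirt.io_hyperconvergeds.yaml; if both files are outputs of the same CRD generator, they should be regenerated together, and the PR description should say what produced them (an API bump, a generator run, or hand edits) so reviewers can diff against the upstream text instead of reading the same 60 lines twice.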
@@ -2831,13 +2836,14 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
that is negotiated during the TLS handshake. For example, to use TLS
versions 1.1, 1.2 and 1.3 (yaml):

minTLSVersion: TLSv1.1
minTLSVersion: VersionTLS11

NOTE: currently the highest minTLSVersion allowed is VersionTLS12
enum:
@@ -2856,18 +2862,30 @@ spec:
and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES256-GCM-SHA384

- ECDHE-RSA-AES256-GCM-SHA384

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- DHE-RSA-AES128-GCM-SHA256

- DHE-RSA-AES256-GCM-SHA384
minTLSVersion: TLSv1.2

minTLSVersion: VersionTLS12
nullable: true
type: object
modern:
@@ -2879,12 +2897,14 @@ spec:
and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256
minTLSVersion: TLSv1.3

NOTE: Currently unsupported.
minTLSVersion: VersionTLS13
nullable: true
type: object
old:
@@ -2896,36 +2916,66 @@ spec:
and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES256-GCM-SHA384

- ECDHE-RSA-AES256-GCM-SHA384

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- DHE-RSA-AES128-GCM-SHA256

- DHE-RSA-AES256-GCM-SHA384

- DHE-RSA-CHACHA20-POLY1305

- ECDHE-ECDSA-AES128-SHA256

- ECDHE-RSA-AES128-SHA256

- ECDHE-ECDSA-AES128-SHA

- ECDHE-RSA-AES128-SHA

- ECDHE-ECDSA-AES256-SHA384

- ECDHE-RSA-AES256-SHA384

- ECDHE-ECDSA-AES256-SHA

- ECDHE-RSA-AES256-SHA

- DHE-RSA-AES128-SHA256

- DHE-RSA-AES256-SHA256

- AES128-GCM-SHA256

- AES256-GCM-SHA384

- AES128-SHA256

- AES256-SHA256

- AES128-SHA

- AES256-SHA

- DES-CBC3-SHA
minTLSVersion: TLSv1.0

minTLSVersion: VersionTLS10
nullable: true
type: object
type: