Ability to configure UDS Core to accept TLS 1.2 #599

Closed
RothAndrew opened this issue Jul 24, 2024 · 3 comments · Fixed by #624
Labels: enhancement (New feature or request), good first issue (Good for newcomers), istio (Issues related to istio components / resources)

Comments

RothAndrew (Member) opened this issue:

Currently UDS Core requires TLS 1.3+. This is frustrating in a variety of situations due to compatibility issues with clients that don't support 1.3 yet.

Requesting that minimum TLS version be configurable in UDS Core such that I can make it accept 1.2 when I am deploying it.

Proposed solution:

  • Make minimum TLS version configurable in UDS Core, with allowed values of 1.2 or 1.3
  • When 1.2 is EOLed (exact date unknown, estimated 2026), remove 1.2 as a valid minimum TLS version

FAQ:

  • Why only 1.2 or 1.3 as allowed values? v1.1 is already EOLed. 1.2 is not EOLed yet.
  • Why is this needed? Many client devices still don't support 1.3. 1.3 was released 6 years ago in 2018. It took 10+ years for 1.2 to achieve widespread adoption.
@RothAndrew RothAndrew added the enhancement New feature or request label Jul 24, 2024
@mjnagel mjnagel added good first issue Good for newcomers istio Issues related to istio components / resources labels Jul 24, 2024
mjnagel (Contributor) commented Jul 24, 2024

I'm happy with the proposed solution. For anyone interested in picking this up the main changes would be...

  • Modify the template to read a value/conditional for minProtocolVersion (my suggestion would be a "supportTLSV1_2" boolean, and if/else on that to be 1.2 or 1.3)
  • Add a corresponding default value for ^ to the values file, ensuring that it still defaults to 1.3 only
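The following is an added example of what the two steps above look like in a Helm chart; it is not the project's own template or values file. The value name `supportTLSV1_2` and the `minProtocolVersion` field come from the comment above, the `tls.` parent key from later in this thread; the Gateway name, namespace, selector, host and credential secret are placeholders, and the file layout is assumed. `TLSV1_2` and `TLSV1_3` are the values the Istio Gateway API defines for `minProtocolVersion`.

```yaml
# values.yaml (added example; layout assumed)
tls:
  # Opt in to TLS 1.2 only for clients that cannot negotiate 1.3.
  # Leaving this unset or false keeps the gateway at TLS 1.3 only.
  supportTLSV1_2: false

---
# templates/gateway.yaml (added example; names below are placeholders)
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: example-gateway          # placeholder
  namespace: istio-system        # placeholder
spec:
  selector:
    istio: ingressgateway        # placeholder selector
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "*.example.invalid"    # placeholder host
      tls:
        mode: SIMPLE
        credentialName: example-gateway-cert   # placeholder secret name
        # An undefined value is falsey in Helm, so the else branch (1.3) is
        # the default and the rendered manifest always carries an explicit floor.
        {{- if .Values.tls.supportTLSV1_2 }}
        minProtocolVersion: TLSV1_2
        {{- else }}
        minProtocolVersion: TLSV1_3
        {{- end }}
```

To confirm the default has not shifted, render the chart both ways and compare the rendered field, e.g. `helm template . | grep minProtocolVersion` should print `TLSV1_3`, and `helm template . --set tls.supportTLSV1_2=true | grep minProtocolVersion` should print `TLSV1_2`. After deployment, `kubectl get gateway -A -o yaml | grep minProtocolVersion` shows which gateways actually accept 1.2, which is the line to watch when the 1.2 option is eventually removed.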

@jamestexas jamestexas self-assigned this Jul 31, 2024
jamestexas added a commit to jamestexas/uds-core that referenced this issue Jul 31, 2024
- Introduced support for configuring the minimum TLS version for UDS Core.
- Added 'supportTLSV1_2' boolean flag in values file to allow selection between TLS 1.2 and TLS 1.3.
- Updated Helm templates to conditionally set 'minProtocolVersion' based on 'supportTLSV1_2' value.
- Ensured backward compatibility by defaulting to TLS 1.3.
- Commented and documented the new configuration option for clarity.

Closes defenseunicorns#599

Signed-off-by: jamestexas <[email protected]>
jamestexas added a commit that referenced this issue Jul 31, 2024
- Introduced support for configuring the minimum TLS version for UDS Core.
- Added 'supportTLSV1_2' boolean flag in values file to allow selection between TLS 1.2 and TLS 1.3.
- Updated Helm templates to conditionally set 'minProtocolVersion' based on 'supportTLSV1_2' value.
- Ensured backward compatibility by defaulting to TLS 1.3.
- Commented and documented the new configuration option for clarity.

Closes #599

Signed-off-by: jamestexas <[email protected]>
@mjnagel mjnagel closed this as completed in cd2b87e Aug 1, 2024
@mjnagel mjnagel added this to the 0.25.0 milestone Aug 1, 2024
RothAndrew (Member, Author) commented:
@mjnagel can I trouble you guys for some documentation on how to use this at deploy time?

mjnagel (Contributor) commented Aug 1, 2024

@RothAndrew was just typing up a quick note on the resulting PR here. We can also add a note to the istio ingress docs which would surface on the docs site.

There is a new boolean value tls.supportTLSV1_2 that can be set per gateway using uds-cli overrides. This defaults to false (technically undefined, but a falsey value in helm), which maintains the previous default of 1.3 support only.
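As an added example (not taken from the PR or the project's documentation) of setting this at deploy time, the bundle fragment below enables the value for one gateway through a uds-cli override while leaving the other gateway at the default. Only the `tls.supportTLSV1_2` path comes from the comment above; the bundle name and version, the package repository path, and the component and chart names under `overrides:` (shown as `istio-tenant-gateway` / `uds-istio-config`) are assumptions to be checked against the package's own zarf.yaml, and `0.25.0` is simply the milestone this issue was closed in.

```yaml
# uds-bundle.yaml (added example; component and chart names are assumed)
kind: UDSBundle
metadata:
  name: example-bundle        # placeholder
  version: 0.0.1              # placeholder
packages:
  - name: core
    repository: ghcr.io/defenseunicorns/packages/uds/core   # assumed path
    ref: 0.25.0               # milestone from this issue; confirm the version you deploy
    overrides:
      istio-tenant-gateway:   # assumed component name
        uds-istio-config:     # assumed chart name
          values:
            # Scope the relaxed floor to the gateway that serves legacy clients.
            - path: tls.supportTLSV1_2
              value: true
      # The admin gateway gets no override, so it keeps the TLS 1.3-only default.
```

Because the override is per gateway, the blast radius of allowing 1.2 stays limited to the ingress that actually needs it; after deploying, `kubectl get gateway -A -o yaml | grep minProtocolVersion` should show `TLSV1_2` on the overridden gateway only and `TLSV1_3` everywhere else.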

mjnagel added a commit that referenced this issue Aug 1, 2024
## Description

Updates docs to reference override for TLS version + reflect metrics
server being optional now.

## Related Issue

Related to #599

Fixes #176

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed