Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ add TLS configuration flags #1867

Merged
merged 1 commit into from
Feb 9, 2024
Merged

✨ add TLS configuration flags #1867

merged 1 commit into from
Feb 9, 2024

Conversation

tuminoid
Copy link
Contributor

@tuminoid tuminoid commented Feb 7, 2024

What this PR does / why we need it:

Add --tls-min-version, --tls-max-version and --tls-cipher-suites configuration flags. Same flags can be found in k8s, CAPI, CAPM3 etc.

This enables configuring TLS 1.3 in high security environments, or limiting TLS to 1.2 for debugging purposes as 1.3 is considerably harder to debug.

Special notes for your reviewer:

  1. Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.
    No.

TODOs:

  • squashed commits
  • if necessary:
    • includes documentation
    • adds unit tests

@netlify Netlify
Copy link

netlify bot commented Feb 7, 2024
edited
Loading

Deploy Preview for kubernetes-sigs-cluster-api-openstack ready!

Name Link
🔨 Latest commit 2c8a1a6
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-cluster-api-openstack/deploys/65c387cee541bd0008b731eb
😎 Deploy Preview https://deploy-preview-1867--kubernetes-sigs-cluster-api-openstack.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 7, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @tuminoid. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Feb 7, 2024
@tuminoid tuminoid force-pushed the tuomo/tls-configuration-flags branch from 9bb9e83 to 3384c9f Compare February 7, 2024 12:38
@EmilienM
Copy link
Contributor

EmilienM commented Feb 7, 2024

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 7, 2024
EmilienM
EmilienM reviewed Feb 7, 2024
View reviewed changes
main_test.go Show resolved Hide resolved
@EmilienM
Copy link
Contributor

EmilienM commented Feb 7, 2024

really cool work, thanks!
I was wondering if we could have some doc (maybe in a separate PR) on how to setup CAPO with TLS. Unless it's already covered in some other repositories?

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 7, 2024
@tuminoid @as20203
add TLS configuration flags support
2c8a1a6 
Add --tls-min-version and --tls-max-versin configuration flags.
Same flags can be found in k8s, CAPI, CAPM3 etc.

Co-authored-by: Jawad Zaheer <[email protected]>
Signed-off-by: Tuomo Tanskanen <[email protected]>
@tuminoid tuminoid force-pushed the tuomo/tls-configuration-flags branch from 3384c9f to 2c8a1a6 Compare February 7, 2024 13:38
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 7, 2024
@tuminoid
Copy link
Contributor Author

tuminoid commented Feb 7, 2024

really cool work, thanks! I was wondering if we could have some doc (maybe in a separate PR) on how to setup CAPO with TLS. Unless it's already covered in some other repositories?

CAPO webhook TLS is handled by cert-manager via the kustomizations. These flags just give granular control over the TLS versions webhook server is accepting. I tried to check if flags could be added to some template (commented out by default), or any documentation, but I didn't see any of the other flags in any template or doc either. Seems there is a gap in documenting the flags in general.

@EmilienM
Copy link
Contributor

EmilienM commented Feb 7, 2024

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 7, 2024
@huxcrux
Copy link
Contributor

huxcrux commented Feb 7, 2024

/lgtm

@tuminoid tuminoid mentioned this pull request Feb 8, 2024
Closed
lentzi90
lentzi90 reviewed Feb 9, 2024
View reviewed changes
Copy link
Contributor

@lentzi90 lentzi90 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems there is a gap in documenting the flags in general.

Good observation. This is something we should work on, but let's do it separately. I think the only docs we have currently is this tiny little thing about the log level flag... and that is mixed in with how to configure CAPO clusters 🙈 CAPI is not much better either.

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lentzi90, tuminoid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 9, 2024
@k8s-ci-robot k8s-ci-robot merged commit 7622602 into kubernetes-sigs:main Feb 9, 2024
9 checks passed
@tuminoid tuminoid deleted the tuomo/tls-configuration-flags branch February 9, 2024 12:07
@tuminoid tuminoid mentioned this pull request Feb 13, 2024
Closed
9 tasks
@mdbooth mdbooth mentioned this pull request Apr 23, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lentzi90 lentzi90 lentzi90 left review comments

@EmilienM EmilienM EmilienM left review comments

@mdbooth mdbooth Awaiting requested review from mdbooth

Assignees

@EmilienM EmilienM

@huxcrux huxcrux

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tuminoid @k8s-ci-robot @EmilienM @huxcrux @lentzi90