Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CMD new TLS options to manage cipher suites and TLS version #353

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

CMD new TLS options to manage cipher suites and TLS version #353

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
243325f
CMD new options
May 17, 2024
365a07c
Parse arguments with a list of cipher suite IDs from the passed ciphe…
May 19, 2024
6d0c480
Parse arguments with a list of cipher suite IDs from the passed ciphe…
May 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 20 additions & 7 deletions cmd/trust-manager/app/app.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,27 +17,28 @@ limitations under the License.
package app

import (
"crypto/tls"
"errors"
"fmt"
"net/http"

"github.com/cert-manager/trust-manager/cmd/trust-manager/app/options"
trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
"github.com/cert-manager/trust-manager/pkg/bundle"
"github.com/cert-manager/trust-manager/pkg/webhook"
"github.com/spf13/cobra"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/selection"
"k8s.io/client-go/kubernetes"
clientv1 "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/tools/record"
ciphers "k8s.io/component-base/cli/flag"
"net/http"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/cache"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/metrics/server"
ctrlwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"

"github.com/cert-manager/trust-manager/cmd/trust-manager/app/options"
trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
"github.com/cert-manager/trust-manager/pkg/bundle"
"github.com/cert-manager/trust-manager/pkg/webhook"
"strings"
)

const (
Expand Down Expand Up @@ -74,6 +75,12 @@ func NewCommand() *cobra.Command {
eventBroadcaster.StartLogging(func(format string, args ...any) { mlog.V(3).Info(fmt.Sprintf(format, args...)) })
eventBroadcaster.StartRecordingToSink(&clientv1.EventSinkImpl{Interface: cl.CoreV1().Events("")})

cipherSuitesStrings := strings.Split(opts.Webhook.TlsCipherSuites, ",")
cipherSuitesUint16, err := ciphers.TLSCipherSuites(cipherSuitesStrings)
if err != nil {
return fmt.Errorf("error parsing a list of cipher suite IDs from the passed cipher suite names: %s", err.Error())
}

mgr, err := ctrl.NewManager(opts.RestConfig, ctrl.Options{
Scheme: trustapi.GlobalScheme,
EventBroadcaster: eventBroadcaster,
Expand All @@ -86,6 +93,12 @@ func NewCommand() *cobra.Command {
Port: opts.Webhook.Port,
Host: opts.Webhook.Host,
CertDir: opts.Webhook.CertDir,
TLSOpts: []func(config *tls.Config){
func(config *tls.Config) {
config.CipherSuites = cipherSuitesUint16
config.MinVersion = uint16(opts.Webhook.MinTlsVersion)
},
},
}),
Metrics: server.Options{
BindAddress: fmt.Sprintf("0.0.0.0:%d", opts.MetricsPort),
Expand Down
27 changes: 24 additions & 3 deletions cmd/trust-manager/app/options/options.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ limitations under the License.
package options

import (
"crypto/tls"
"flag"
"fmt"

Expand All @@ -33,6 +34,18 @@ import (
"github.com/cert-manager/trust-manager/pkg/bundle"
)

const (
defaultCipherSuites = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305," +
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +
"TLS_RSA_WITH_AES_128_GCM_SHA256," +
"TLS_RSA_WITH_AES_256_GCM_SHA384," +
"TLS_RSA_WITH_AES_128_CBC_SHA," +
"TLS_RSA_WITH_AES_256_CBC_SHA"
)

// Options is a struct to hold options for trust-manager
type Options struct {
logLevel string
Expand Down Expand Up @@ -63,9 +76,11 @@ type Options struct {

// Webhook holds options specific to running the trust Webhook service.
type Webhook struct {
Host string
Port int
CertDir string
Host string
Port int
CertDir string
MinTlsVersion int
TlsCipherSuites string
}

// New constructs a new Options.
Expand Down Expand Up @@ -174,4 +189,10 @@ func (o *Options) addWebhookFlags(fs *pflag.FlagSet) {
"Directory where the Webhook certificate and private key are located. "+
"Certificate and private key must be named 'tls.crt' and 'tls.key' "+
"respectively.")
fs.IntVar(&o.Webhook.MinTlsVersion,
"min-tls-version", tls.VersionTLS12,
"Minimal TLS version to serve webhook.")
fs.StringVar(&o.Webhook.TlsCipherSuites,
"tls-cipher-suites", defaultCipherSuites,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should default the cipher suites explicity. Instead we should use the default in Go if no flag given - as we do right now.

"Comma separated list of cipher suite names.")
}