Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: switch to tls cipher suite in stdlib #105064

Merged
merged 1 commit into from
Sep 21, 2021
Merged

refactor: switch to tls cipher suite in stdlib #105064

merged 1 commit into from
Sep 21, 2021

Conversation

knight42
Copy link
Member

@knight42 knight42 commented Sep 16, 2021
edited

Signed-off-by: Jian Zeng zengjian.zj@bytedance.com

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #88547
xref #105063

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. labels Sep 16, 2021
@k8s-ci-robot
Copy link
Contributor

@knight42: Adding the "do-not-merge/release-note-label-needed" label and removing any existing "release-note-none" label because there is a "kind/deprecation" label on the PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Sep 16, 2021
@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 16, 2021
@knight42
Copy link
Member Author

/triage accepted
/cc @liggitt
/assign @liggitt
/remove-kind deprecation

@k8s-ci-robot k8s-ci-robot added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Sep 16, 2021
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. release-note-none Denotes a PR that doesn't merit a release note. and removed kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Sep 16, 2021
liggitt
liggitt reviewed Sep 16, 2021
View reviewed changes
staging/src/k8s.io/component-base/cli/flag/ciphersuites_flag.go

for _, suite := range tls.InsecureCipherSuites() {
insecureCiphers[suite.Name] = suite.ID
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

now that we're using these, we can drop the TestConstantMaps unit test that ensured we stayed in sync with the stdlib

liggitt
liggitt reviewed Sep 16, 2021
View reviewed changes
staging/src/k8s.io/component-base/cli/flag/ciphersuites_flag.go
ciphers[suite.Name] = suite.ID
}
// keep legacy names for backward compatibility
ciphers["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"] = tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Copy link
Member

@liggitt liggitt Sep 16, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this doesn't match the previous mapping, right?

"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://cs.opensource.google/go/go/+/refs/tags/go1.17.1:src/crypto/tls/cipher_suites.go;l=687

tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 is actually the same as tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 is retained for backwards compability.

liggitt
liggitt reviewed Sep 16, 2021
View reviewed changes
staging/src/k8s.io/component-base/cli/flag/ciphersuites_flag.go
}
// keep legacy names for backward compatibility
ciphers["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"] = tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
ciphers["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"] = tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this doesn't match the previous mapping, right?

"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 is also the same as tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add the _114 mappings to the unit test to verify this

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 16, 2021
@liggitt
Copy link
Member

liggitt commented Sep 16, 2021

lgtm, go ahead and squash commits

@knight42
refactor: switch to tls cipher suite in stdlib
2fbbd38 
Signed-off-by: Jian Zeng <zengjian.zj@bytedance.com>
@knight42 knight42 force-pushed the refactor-switch-to-stdlib-cipher branch from 2bebdf2 to 2fbbd38 Compare September 16, 2021 13:58
@knight42
Copy link
Member Author

@liggitt Hi! The commits have been squashed now, could I get a /approve?

@liggitt
Copy link
Member

liggitt commented Sep 21, 2021

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 21, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: knight42, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 21, 2021
@k8s-ci-robot k8s-ci-robot merged commit d5f39eb into kubernetes:master Sep 21, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Sep 21, 2021
@knight42 knight42 deleted the refactor-switch-to-stdlib-cipher branch September 21, 2021 21:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@brianpursley brianpursley Awaiting requested review from brianpursley

@soltysh soltysh Awaiting requested review from soltysh

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.23
Development

Successfully merging this pull request may close these issues.

Switch to go1.14 tls cipher suite helper methods
3 participants
@knight42 @k8s-ci-robot @liggitt