Possible cipher suites values and tls versions in help for apiserver and kubelet #58920
@@ -48,6 +50,15 @@ var ciphers = map[string]uint16{ | |||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | |||
} | |||
|
|||
func TLSCipherPossibleValues() string { | |||
cipherKeys := reflect.ValueOf(ciphers).MapKeys() |
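Review bot: `reflect.ValueOf(ciphers).MapKeys()` on the last line returns the keys in Go's unspecified map-iteration order, so the help text would differ from run to run; range over `ciphers` directly, collect the names into a sorted slice (for example `sets.NewString(...).List()`), and return `[]string` rather than a pre-rendered string so the flag code can join with ", " and let the help wrap.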
Prefer gathering this without reflection. Iterate, insert into a sets.NewString(), and return the result of calling List() on the string set. That returns a []string and lets the caller decide how to render the list (prefer joining with ", " to allow wrapping help).
While you're in here, can you do the same for the TLSMinVersion flags?
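The approach suggested in the two review comments above, for both the cipher-suite and the TLS-version flags, as an added example that is not code from this PR or from Kubernetes: range over the maps without reflection, sort the names so the help is deterministic (the standard library's sort.Strings stands in for sets.NewString().List()), and validate user input against the same enumerated list. The cipher table is a constructed subset of the one the PR extends.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// ciphers maps flag-facing names to crypto/tls constants: a constructed subset
// of the table the PR extends, not the project's own code.
var ciphers = map[string]uint16{
	"TLS_RSA_WITH_AES_128_CBC_SHA":           tls.TLS_RSA_WITH_AES_128_CBC_SHA,
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":  tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
}
// versions does the same for the --tls-min-version flag.
var versions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
}
// sortedKeys ranges over the map (no reflection) and sorts the names so the help
// text is stable across runs; sort.Strings stands in for sets.NewString().List().
func sortedKeys(m map[string]uint16) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}
func TLSCipherPossibleValues() []string  { return sortedKeys(ciphers) }
func TLSVersionPossibleValues() []string { return sortedKeys(versions) }
// TLSCipherSuites resolves the names given to --tls-cipher-suites, rejecting any
// name outside the enumerated set and quoting the same list the help shows.
// An empty flag yields an empty slice, so crypto/tls falls back to its defaults.
func TLSCipherSuites(names []string) ([]uint16, error) {
	ids := make([]uint16, 0, len(names))
	for _, n := range names {
		id, ok := ciphers[n]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q; possible values: %s",
				n, strings.Join(TLSCipherPossibleValues(), ", "))
		}
		ids = append(ids, id)
	}
	return ids, nil
}
```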
cmd/kubelet/app/options/options.go
@@ -442,10 +442,13 @@ func AddKubeletConfigFlags(fs *pflag.FlagSet, c *kubeletconfig.KubeletConfigurat | |||
"If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key "+ | |||
"are generated for the public address and saved to the directory passed to --cert-dir.") | |||
fs.StringVar(&c.TLSPrivateKeyFile, "tls-private-key-file", c.TLSPrivateKeyFile, "File containing x509 private key matching --tls-cert-file.") | |||
|
|||
tlsCipherPossibleValues := flag.TLSCipherPossibleValues() | |||
fs.StringSliceVar(&c.TLSCipherSuites, "tls-cipher-suites", c.TLSCipherSuites, | |||
"Comma-separated list of cipher suites for the server. "+ | |||
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+ |
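Review bot: the help string on the last line still sends readers to the crypto/tls package constants even though `tlsCipherPossibleValues` (assigned three lines above) now enumerates the valid names; once that list is embedded in the help, drop the golang.org link and join the list with ", " so the text can wrap. The hunk is cut off after this line, so the line that actually embeds `tlsCipherPossibleValues` is not visible here; please confirm it is used.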
If we're enumerating the valid values, I think we can drop the golang package reference completely
@liggitt changes done, for both cipher suites and tls versions
thanks
/lgtm
yes, once master opens up after 1.10
@derekwaynecarr friendly ping
Hi guys, thanks
This is only the help improvement, but the actual code to set custom ciphers was already merged.
v1.10.0 contains the cipher-setting flags
It seems that the flag is only in the api-server but not the kubelet. How could it get lost? The code is (or was at least) there.
1.10 also enabled running the kubelet via a config file, and marked many flags as deprecated in the process, which hid them from help, though they are still functional. See #62505 for resolution of showing those flags in help (a backport to fix the help display in 1.10 is pending in #63448).
@victorgp can you rebase this? I'll work on getting it approved this week.
rebased
/retest
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: derekwaynecarr, liggitt, victorgp. The full list of commands accepted by this bot can be found here. The pull request process is described here.
/milestone v1.11
This is closing a documentation gap in the custom cipher/tls config added in 1.10.
[MILESTONENOTIFIER] Milestone Pull Request Labels Incomplete. @derekwaynecarr @liggitt @victorgp Action required: This pull request requires label changes. If the required changes are not made within 3 days, the pull request will be moved out of the v1.11 milestone. kind: Must specify exactly one of
Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions here.
What this PR does / why we need it:
Addresses a suggestion made by @lavalamp to list the possible TLS cipher suites in the kubelet and apiserver help text: #48859 (comment)
Which issue(s) this PR fixes
NONE
Special notes for your reviewer:
This pull request only adds to the help message the possible values of the TLS Cipher suites for Kubelet and api server.
It is an addition to the already merged PR #48859
The help output looks like this:
Release note: