Possible cipher suites values and tls versions in help for apiserver and kubelet

[victorgp]

What this PR does / why we need it:
Addresses a suggestion made by @lavalamp to list the possible TLS cipher suites in the kubelet and apiserver helps: #48859 (comment)

Which issue(s) this PR fixes
NONE

Special notes for your reviewer:
This pull request only adds to the help message the possible values of the TLS Cipher suites for Kubelet and api server.
It is an addition to the already merged PR #48859

The help output looks like this:

      --tls-cert-file string                                    File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
      --tls-cipher-suites strings                               Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be use.  Possible values: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      --tls-min-version string                                  Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
      --tls-private-key-file string                             File containing the default x509 private key matching --tls-cert-file.

Release note:

NONE

[liggitt]

Prefer gathering this without reflection. Iterate, insert into a sets.NewString(), and return the result of calling List() on the string set. That returns a []string and lets the caller decide how to render the list (prefer joining with ", " to allow wrapping help)

[liggitt]

While you're in here, can you do the same for the TLSMinVersion flags?

[liggitt]

If we're enumerating the valid values, I think we can drop the golang package reference completely

[victorgp]

@liggitt changes done, for both cipher suites and tls versions

[liggitt]

thanks
/ok-to-test
/lgtm

[liggitt]

/lgtm

[liggitt]

yes, once master opens up after 1.10

[liggitt]

@derekwaynecarr friendly ping

[anjuls]

Hi Guys,
is this going to be closed anytime soon? I am facing issue with security and I have to replace DES cipher from kubelet/api-server. I am using 1.10 right now.

Thanks
Anjul

[victorgp]

This is only the help improvement but the actual code to set custom ciphers was already merged
@liggitt what version will it be included in?

[liggitt]

v1.10.0 contains the cipher-setting flags

[victorgp]

It seems that the flag is only in the api-server but not the kubelet, how could it get lost? the code is (or was at least) there

[liggitt]

It seems that the flag is only in the api-server but not the kubelet, how could it get lost? the code is (or was at least) there

1.10 also enabled running the kubelet via a config file, and marked many flags as deprecated in the process, which hid them from help, though they are still functional

see #62505 for resolution of showing those flags in help (a backport to fix the help display in 1.10 is pending in #63448)

[liggitt]

@victorgp can you rebase this? I'll work on getting it approved this week.

[victorgp]

rebased

[victorgp]

/retest

[derekwaynecarr]

/approve

[liggitt]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, liggitt, victorgp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kubelet/OWNERS [derekwaynecarr]
• staging/src/k8s.io/apiserver/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liggitt]

/milestone v1.11
/status approved-for-milestone
/sig node
/sig api-machinery

this is closing a documentation gap in the custom cipher/tls config added in 1.10

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request Labels Incomplete

@derekwaynecarr @liggitt @victorgp

Action required: This pull request requires label changes. If the required changes are not made within 3 days, the pull request will be moved out of the v1.11 milestone.

kind: Must specify exactly one of kind/bug, kind/cleanup or kind/feature.
priority: Must specify exactly one of priority/critical-urgent, priority/important-longterm or priority/important-soon.

Help

• Additional instructions
• Commands for setting labels

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions here.