Add TLSConfiguration to Kubevirt

[fossedihelm]

What this PR does / why we need it:
Add TLS Configuration to Kubevirt spec.
This configuration allows specifying minTLSVersion and ciphers that will be used for the client/server communication.
TLS golang crypto package [1] allows overriding the Config that will be used for the communication specifying the GetConfigForClient function. Reading tlsConfiguration from kubevirt CR inside this function allows us to always have updated information.
Possible values for minTLSVersion are:

• VersionTLS10
• VersionTLS11
• VersionTLS12
• VersionTLS13

Values for ciphers are strings using the IANA syntax, and more specifically these:

• https://cs.opensource.google/go/go/+/master:src/crypto/tls/cipher_suites.go;drc=ea5d7cbc2644643331bd675b1ebdf0aaac7419f1;l=53
• https://cs.opensource.google/go/go/+/master:src/crypto/tls/cipher_suites.go;drc=ea5d7cbc2644643331bd675b1ebdf0aaac7419f1;l=82

General note about crypto package:

• server always gives precedence to the maximum supported version provided by the client
• it is not possible to specify ciphers when minTLSVersion is 1.3
  This means that, since we only specify minTLSVersion, communications between components (virt-handler/virt-api/etc) will be performed with TLS 1.3.

[1] https://pkg.go.dev/crypto/tls#Config
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

Add `tlsConfiguration` to Kubevirt Configuration

[kubevirt-bot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[fossedihelm]

/test all

[fossedihelm]

/test all

[fossedihelm]

/cc @xpivarc @davidvossel

[stu-gott]

/retest-required

[tiraboschi]

Personally I still think that letting the admin simply choose between a small set of predefined profiles, with the capability of eventually set a custom configuration, is an interesting idea.
Mozilla Foundation's Server Side TLS profiles are well known and pretty accepted as a de facto standard, although not so directly coupled in k8s ecosystem.

[akalenyu]

Looks good, I also want to make sure that following Simone's comment we are fine with not using the existing profile API.
(Would have loved to know if these profiles are something people from the security realm strongly expect or not)

BTW should we also add the TLS configuration to the export proxy components?

kubevirt/cmd/virt-exportproxy/virt-exportproxy.go

Line 97 in 8397604

TLSConfig: &tls.Config{

[fossedihelm]

BTW should we also add the TLS configuration to the export proxy components?

kubevirt/cmd/virt-exportproxy/virt-exportproxy.go

Line 97 in 8397604

TLSConfig: &tls.Config{

@akalenyu You're right, the export proxy was added later my initial PR and I forgot to address it. Thanks for notice it.
Will adjust the commit!

[fossedihelm]

/retest-required

[enp0s3]

@fossedihelm Hi! Thank you for the PR! Looks well arranged, I have a few questions below

[fossedihelm]

@xpivarc Pushed requested changes. PTAL

[xpivarc]

/lgtm
/hold
@enp0s3 This changed a little bit. Remove hold if you are still ok with this.

[fossedihelm]

/retest

[enp0s3]

/unhold

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[fossedihelm]

/retest-required

[fossedihelm]

/retest-required

[fossedihelm]

/retest-required

[fossedihelm]

/retest-required

[fossedihelm]

/retest-required

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[fossedihelm]

/retest-required

[fossedihelm]

/retest-required

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[kubevirt-bot]

@fossedihelm: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubevirt-fossa	f2812d3	link	false	/test pull-kubevirt-fossa
pull-kubevirt-goveralls	f2812d3	link	false	/test pull-kubevirt-goveralls

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[kubevirt-commenter-bot]

/retest-required
This bot automatically retries required jobs that failed/flaked on approved PRs.
Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[fossedihelm]

/cherrypick release-0.53

[kubevirt-bot]

@fossedihelm: #8252 failed to apply on top of branch "release-0.53":

Applying: Add TLSConfiguration to kubevirt
Applying: Refactoring: extract verifyPeerCert function
Applying: Use kubevirt tlsConfiguration in TLS config
Using index info to reconstruct a base tree...
M	cmd/virt-handler/virt-handler.go
M	pkg/util/webhooks/BUILD.bazel
M	pkg/util/webhooks/tls_test.go
M	pkg/virt-api/api.go
M	pkg/virt-controller/watch/application.go
M	pkg/virt-operator/application.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/virt-operator/application.go
Auto-merging pkg/virt-controller/watch/application.go
Auto-merging pkg/virt-api/api.go
Auto-merging pkg/util/webhooks/tls_test.go
Auto-merging pkg/util/webhooks/BUILD.bazel
Auto-merging cmd/virt-handler/virt-handler.go
Applying: Add validation for TLSConfiguration
Using index info to reconstruct a base tree...
M	pkg/virt-operator/webhooks/kubevirt-update-admitter.go
M	pkg/virt-operator/webhooks/kubevirt-update-admitter_test.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/virt-operator/webhooks/kubevirt-update-admitter_test.go
CONFLICT (content): Merge conflict in pkg/virt-operator/webhooks/kubevirt-update-admitter_test.go
Auto-merging pkg/virt-operator/webhooks/kubevirt-update-admitter.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0004 Add validation for TLSConfiguration
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherrypick release-0.53

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.