Add TLSConfiguration to Kubevirt #8252
/cc @xpivarc @davidvossel
Personally I still think that letting the admin simply choose between a small set of predefined profiles, with the capability of eventually setting a custom configuration, is an interesting idea.
Looks good, I also want to make sure that following Simone's comment we are fine with not using the existing profile API.
(Would have loved to know if these profiles are something people from the security realm strongly expect or not)
BTW should we also add the TLS configuration to the export proxy components?
`TLSConfig: &tls.Config{`
@akalenyu You're right, the export proxy was added later than my initial PR and I forgot to address it. Thanks for noticing it.
@fossedihelm Hi! Thank you for the PR! Looks well arranged, I have a few questions below
@xpivarc Pushed requested changes. PTAL
/lgtm
/cherrypick release-0.53
@fossedihelm: #8252 failed to apply on top of branch "release-0.53":
What this PR does / why we need it:
Add TLS Configuration to Kubevirt spec. This configuration allows specifying `minTLSVersion` and `ciphers` that will be used for the client/server communication.
The golang crypto/tls package [1] allows overriding the Config that will be used for the communication by specifying the `GetConfigForClient` function. Reading `tlsConfiguration` from the kubevirt CR inside this function allows us to always have updated information.
Possible values for `minTLSVersion` are: `VersionTLS10`, `VersionTLS11`, `VersionTLS12`, `VersionTLS13`.
Values for `ciphers` are strings using the IANA syntax, and more specifically these:
General note about crypto package: `ciphers` are ignored when `minTLSVersion` is 1.3. This means that, since we only specify `minTLSVersion`, communications between components (virt-handler/virt-api/etc) will be performed with TLS 1.3.
[1] https://pkg.go.dev/crypto/tls#Config
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged):
Fixes #
Special notes for your reviewer:
Release note:
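An added example, not code from this PR or from the KubeVirt project, of the pattern the description sketches: a `GetConfigForClient` hook that rebuilds the `tls.Config` from the CR's `minTLSVersion` and IANA cipher names on every handshake, dropping the cipher list when the minimum is TLS 1.3 because crypto/tls does not let you configure 1.3 suites. The `TLSConfiguration` type and the `readCR` accessor are assumptions standing in for the real CR plumbing.

```go
package main
import "crypto/tls"
import "fmt"

// TLSConfiguration mirrors the two CR fields described in the PR (type constructed here).
type TLSConfiguration struct {
	MinTLSVersion string   // Go version name, e.g. "VersionTLS12"
	Ciphers       []string // IANA cipher-suite names
}
var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}
// BuildTLSConfig turns the CR fields into a *tls.Config. Only suites Go lists as
// secure are accepted; the cipher list is dropped when the minimum is TLS 1.3.
func BuildTLSConfig(c TLSConfiguration) (*tls.Config, error) {
	v, ok := tlsVersions[c.MinTLSVersion]
	if !ok {
		return nil, fmt.Errorf("unknown minTLSVersion %q", c.MinTLSVersion)
	}
	cfg := &tls.Config{MinVersion: v}
	if v >= tls.VersionTLS13 || len(c.Ciphers) == 0 {
		return cfg, nil // nil CipherSuites keeps Go's default list
	}
	byName := map[string]uint16{}
	for _, cs := range tls.CipherSuites() { // excludes suites Go marks insecure
		byName[cs.Name] = cs.ID
	}
	for _, n := range c.Ciphers {
		id, ok := byName[n]
		if !ok {
			return nil, fmt.Errorf("unknown or insecure cipher suite %q", n)
		}
		cfg.CipherSuites = append(cfg.CipherSuites, id)
	}
	return cfg, nil
}

// DynamicServerConfig installs a GetConfigForClient hook that rebuilds the config
// from the current CR state on each handshake, so a CR update needs no restart.
func DynamicServerConfig(readCR func() TLSConfiguration, certs []tls.Certificate) *tls.Config {
	return &tls.Config{GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
		cfg, err := BuildTLSConfig(readCR()) // readCR is a hypothetical CR accessor
		if err != nil {
			return nil, err
		}
		cfg.Certificates = certs // the returned Config replaces the base one entirely
		return cfg, nil
	}}
}
```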