[release-v0.16] Adding TLSSecurityProfile to CRD #413

Merged
2 changes: 1 addition & 1 deletion api/go.mod
@@ -3,6 +3,7 @@ module kubevirt.io/ssp-operator/api
go 1.18

require (
github.com/openshift/api v0.0.0-20220124143425-d74727069f6f // release-4.10
k8s.io/apimachinery v0.23.5
kubevirt.io/containerized-data-importer-api v1.53.0
kubevirt.io/controller-lifecycle-operator-sdk/api v0.2.4
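Review bot: the new direct requirement on github.com/openshift/api pins the release-4.10 pseudo-version, and the trailing `// release-4.10` comment is the right way to record which upstream branch it tracks. Only the api module's go.mod changes here, yet the root module's vendor copy of ssp_types.go (also in this PR) now imports github.com/openshift/api/config/v1, so please confirm the root module already vendors that package at a version carrying TLSSecurityProfile; otherwise the root build needs a matching root go.mod/go.sum bump that is not in this change.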
@@ -17,7 +18,6 @@ require (
github.com/json-iterator/go v1.1.12 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/openshift/api v0.0.0-20211217221424-8779abfbd571 // indirect
github.com/openshift/custom-resource-status v1.1.2 // indirect
golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
golang.org/x/text v0.3.7 // indirect
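Review bot: dropping the `// indirect` entry for the 20211217221424-8779abfbd571 pseudo-version is consistent with the direct requirement added in the first hunk; if this was produced by `go mod tidy` rather than edited by hand, say so in the PR description so reviewers know no other indirect entries should have moved.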
4 changes: 2 additions & 2 deletions api/go.sum
@@ -125,8 +125,8 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
github.com/openshift/api v0.0.0-20211217221424-8779abfbd571 h1:+ShYlGoPriGahTTFTjQ0RtNXW0srxDodk2STdc238Rk=
github.com/openshift/api v0.0.0-20211217221424-8779abfbd571/go.mod h1:F/eU6jgr6Q2VhMu1mSpMmygxAELd7+BUxs3NHZ25jV4=
github.com/openshift/api v0.0.0-20220124143425-d74727069f6f h1:iOTv1WudhVm2UsoST+L+ZrA5A9w57h9vmQsdlBuqG6g=
github.com/openshift/api v0.0.0-20220124143425-d74727069f6f/go.mod h1:F/eU6jgr6Q2VhMu1mSpMmygxAELd7+BUxs3NHZ25jV4=
github.com/openshift/build-machinery-go v0.0.0-20211213093930-7e33a7eb4ce3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
github.com/openshift/custom-resource-status v1.1.2 h1:C3DL44LEbvlbItfd8mT5jWrqPfHnSOQoQf/sypqA6A4=
github.com/openshift/custom-resource-status v1.1.2/go.mod h1:DB/Mf2oTeiAmVVX1gN+NEqweonAPY0TKUwADizj8+ZA=
4 changes: 4 additions & 0 deletions api/v1beta1/ssp_types.go
@@ -17,6 +17,7 @@ limitations under the License.
package v1beta1

import (
ocpv1 "github.com/openshift/api/config/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
cdiv1beta1 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1"
lifecycleapi "kubevirt.io/controller-lifecycle-operator-sdk/api"
@@ -62,6 +63,9 @@ type SSPSpec struct {

// NodeLabeller is configuration of the node-labeller operand
NodeLabeller NodeLabeller `json:"nodeLabeller,omitempty"`

// TLSSecurityProfile is a configuration for the TLS.
TLSSecurityProfile *ocpv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
}

// DataImportCronTemplate defines the template type for DataImportCrons.
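Review bot: the doc comment `// TLSSecurityProfile is a configuration for the TLS.` is too thin for a field whose text ends up verbatim as the CRD description (see the generated `description: TLSSecurityProfile is a configuration for the TLS.` in this PR); say which endpoints' TLS settings it governs and what happens when the pointer is nil, since a user reading the CRD cannot tell whether unset means "inherit a cluster-wide profile" or "no restriction". A `// +optional` marker next to the pointer and `omitempty` tag would also make the intent explicit.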
6 changes: 6 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go


11 changes: 6 additions & 5 deletions api/vendor/github.com/openshift/api/config/v1/types_feature.go


2 changes: 1 addition & 1 deletion api/vendor/modules.txt
@@ -24,7 +24,7 @@ github.com/modern-go/concurrent
# github.com/modern-go/reflect2 v1.0.2
## explicit; go 1.12
github.com/modern-go/reflect2
# github.com/openshift/api v0.0.0-20211217221424-8779abfbd571
# github.com/openshift/api v0.0.0-20220124143425-d74727069f6f
## explicit; go 1.16
github.com/openshift/api/config/v1
# github.com/openshift/custom-resource-status v1.1.2
88 changes: 88 additions & 0 deletions config/crd/bases/ssp.kubevirt.io_ssps.yaml
@@ -2754,6 +2754,94 @@ spec:
minimum: 0
type: integer
type: object
tlsSecurityProfile:
description: TLSSecurityProfile is a configuration for the TLS.
properties:
custom:
description: "custom is a user-defined TLS security profile. Be
extremely careful using a custom profile as invalid configurations
can be catastrophic. An example custom profile looks like this:
\n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
\ - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256
\ minTLSVersion: TLSv1.1"
nullable: true
properties:
ciphers:
description: "ciphers is used to specify the cipher algorithms
that are negotiated during the TLS handshake. Operators
may remove entries their operands do not support. For example,
to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA"
items:
type: string
type: array
minTLSVersion:
description: "minTLSVersion is used to specify the minimal
version of the TLS protocol that is negotiated during the
TLS handshake. For example, to use TLS versions 1.1, 1.2
and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n NOTE: currently
the highest minTLSVersion allowed is VersionTLS12"
enum:
- VersionTLS10
- VersionTLS11
- VersionTLS12
- VersionTLS13
type: string
type: object
intermediate:
description: "intermediate is a TLS security profile based on:
\n https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
\n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
\ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
\ - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
\ - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
\ - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
\ - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384
\ minTLSVersion: TLSv1.2"
nullable: true
type: object
modern:
description: "modern is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
\n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
\ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
\ minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported."
nullable: true
type: object
old:
description: "old is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
\n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
\ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
\ - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
\ - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
\ - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
\ - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384
\ - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256
\ - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA
\ - ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES256-SHA384
\ - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA
\ - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256 -
DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384
\ - AES128-SHA256 - AES256-SHA256 - AES128-SHA -
AES256-SHA - DES-CBC3-SHA minTLSVersion: TLSv1.0"
nullable: true
type: object
type:
description: "type is one of Old, Intermediate, Modern or Custom.
Custom provides the ability to specify individual TLS security
profile parameters. Old, Intermediate and Modern are TLS security
profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
\n The profiles are intent based, so they may change over time
as new ciphers are developed and existing ciphers are found
to be insecure. Depending on precisely which ciphers are available
to a process, the list may be reduced. \n Note that the Modern
profile is currently not supported because it is not yet well
adopted by common software libraries."
enum:
- Old
- Intermediate
- Modern
- Custom
type: string
type: object
required:
- commonTemplates
type: object
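Review bot: the generated schema admits values that its own inherited descriptions declare unsupported: `minTLSVersion` enumerates `VersionTLS13` while the description says the highest allowed is VersionTLS12, and `type` enumerates `Modern` while the description says the Modern profile is not supported. The API server will therefore accept `type: Modern` or `minTLSVersion: VersionTLS13` without complaint, and `custom.ciphers` is a free-form string array, so a misspelled cipher name is not rejected either. Since none of this is enforced by the OpenAPI schema, the operator needs reconcile-time or webhook validation that rejects such profiles, or degrades with an explicit status condition, rather than silently producing a TLS configuration that differs from what was requested; that validation is not part of this PR, so please add it here or link the follow-up.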
88 changes: 88 additions & 0 deletions data/crd/ssp.kubevirt.io_ssps.yaml
@@ -2752,6 +2752,94 @@ spec:
minimum: 0
type: integer
type: object
tlsSecurityProfile:
description: TLSSecurityProfile is a configuration for the TLS.
properties:
custom:
description: "custom is a user-defined TLS security profile. Be
extremely careful using a custom profile as invalid configurations
can be catastrophic. An example custom profile looks like this:
\n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
\ - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256
\ minTLSVersion: TLSv1.1"
nullable: true
properties:
ciphers:
description: "ciphers is used to specify the cipher algorithms
that are negotiated during the TLS handshake. Operators
may remove entries their operands do not support. For example,
to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA"
items:
type: string
type: array
minTLSVersion:
description: "minTLSVersion is used to specify the minimal
version of the TLS protocol that is negotiated during the
TLS handshake. For example, to use TLS versions 1.1, 1.2
and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n NOTE: currently
the highest minTLSVersion allowed is VersionTLS12"
enum:
- VersionTLS10
- VersionTLS11
- VersionTLS12
- VersionTLS13
type: string
type: object
intermediate:
description: "intermediate is a TLS security profile based on:
\n https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
\n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
\ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
\ - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
\ - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
\ - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
\ - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384
\ minTLSVersion: TLSv1.2"
nullable: true
type: object
modern:
description: "modern is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
\n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
\ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
\ minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported."
nullable: true
type: object
old:
description: "old is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
\n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
\ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
\ - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
\ - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
\ - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
\ - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384
\ - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256
\ - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA
\ - ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES256-SHA384
\ - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA
\ - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256 -
DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384
\ - AES128-SHA256 - AES256-SHA256 - AES128-SHA -
AES256-SHA - DES-CBC3-SHA minTLSVersion: TLSv1.0"
nullable: true
type: object
type:
description: "type is one of Old, Intermediate, Modern or Custom.
Custom provides the ability to specify individual TLS security
profile parameters. Old, Intermediate and Modern are TLS security
profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
\n The profiles are intent based, so they may change over time
as new ciphers are developed and existing ciphers are found
to be insecure. Depending on precisely which ciphers are available
to a process, the list may be reduced. \n Note that the Modern
profile is currently not supported because it is not yet well
adopted by common software libraries."
enum:
- Old
- Intermediate
- Modern
- Custom
type: string
type: object
required:
- commonTemplates
type: object
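Review bot: this block is identical to the one added to config/crd/bases/ssp.kubevirt.io_ssps.yaml, which is expected when both are regenerated by the same target; because two copies can drift when one is edited by hand, it is worth confirming that CI regenerates and diffs both files rather than relying on contributors to update each.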
4 changes: 4 additions & 0 deletions vendor/kubevirt.io/ssp-operator/api/v1beta1/ssp_types.go