Allow the controller configure tls-cipher-suites and tls-min-version via command line params

[klzsysy]

This PR changes controller webhook server tls security config

changes:

• Use secure tls-cipher-suites to solve CVE-2016-2183- Red Hat Customer Portal.
• Allow configure tls-cipher-suites and tls-min-version via command line params, e.g. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/, If omitted, the default PreferredTLSCipherNames cipher suites will be used.

Before

> kubectl port-forward svc/metallb-webhook-service 1443:443 &
[1] 20151
Forwarding from 127.0.0.1:1443 -> 9443
Forwarding from [::1]:1443 -> 9443
Handling connection for 1443

> nmap --script ssl-enum-ciphers 1443 127.0.0.1
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-14 14:07 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00068s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT      STATE SERVICE
1080/tcp  open  socks
1443/tcp  open  ies-lm
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C
9090/tcp  open  zeus-admin
49161/tcp open  unknown

after

    spec:
      containers:
      - args:
        - --port=7472
        - --log-level=info
        - --cert-service-name=metallb-webhook-service
        - --tls-min-version=VersionTLS12
        env:
        - name: METALLB_ML_SECRET_NAME
          value: metallb-memberlist
        - name: METALLB_DEPLOYMENT
          value: metallb-controller
        - name: METALLB_BGP_TYPE
          value: frr
        image: registry.smtx.io/kubesmart-dev/metallb/controller:v0.13.11  # rebuild image

> kubectl port-forward svc/metallb-webhook-service 1443:443 &

> nmap --script ssl-enum-ciphers -p 1443 127.0.0.1
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-18 16:46 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0053s latency).

PORT     STATE SERVICE
1443/tcp open  ies-lm
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 3.51 seconds

[fedepaol]

Thanks!
Mind fixing the conflicts?

[fedepaol]

Also, the diff in nmap you showed is with the default values right?

[fedepaol]

@yuvalk mind having a look here?

[klzsysy]

Also, the diff in nmap you showed is with the default values right?

yes, Now updated to the results after using VersionTLS12

[fedepaol]

Thanks @klzsysy . Couple of other asks:

• can you squash the commits so they are meaningful and we get a clean commit history?
• can you apply the same change setting the defaults to the kustomize based deployment here ?

[klzsysy]

Thanks @klzsysy . Couple of other asks:

• can you squash the commits so they are meaningful and we get a clean commit history?
• can you apply the same change setting the defaults to the kustomize based deployment here ?

done

[fedepaol]

Thanks @klzsysy . Couple of other asks:

• can you squash the commits so they are meaningful and we get a clean commit history?
• can you apply the same change setting the defaults to the kustomize based deployment here ?

done

thanks!

[fedepaol]

need to run inv helmdocs to regenerate the docs for the helm parameters

[klzsysy]

need to run inv helmdocs to regenerate the docs for the helm parameters

The version of helm-docs I am using is too new and has been returned to the same version as ci.

inv generatemanifests updated

[yuvalk]

sorry for late comment here, but just had the time to check this.
re ciphersuites
it's better to follow NIST guidelines
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
you must at least remove the cliflag.InsecureTLSCiphers() ones

[klzsysy]

OK, it is no problem to delete the default value of ciphersuites and let the users who need it configure it themselves.

[yuvalk]

OK, it is no problem to delete the default value of ciphersuites and let the users who need it configure it themselves.

question is, then what happens by default?
can you please update your after section in PR opening comment?

the idea is to have a sane default..
then of course, customer who need something else can configure it

[klzsysy]

OK, it is no problem to delete the default value of ciphersuites and let the users who need it configure it themselves.

question is, then what happens by default? can you please update your after section in PR opening comment?

the idea is to have a sane default.. then of course, customer who need something else can configure it

The effect of updating the default value has been updated in PR opening comment，You can see that the time of nmap output log has been updated.

It seems that leaving the default value blank has a good effect.

[yuvalk]

It seems that leaving the default value blank has a good effect.

then I dont think it's good enough, there are still insecure ciphers in that list

[klzsysy]

then I dont think it's good enough, there are still insecure ciphers in that list

so just follow the NIST guidelines ?
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29

# TLS Cipher suites
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

# result
> nmap --script ssl-enum-ciphers -p 1443 127.0.0.1
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-18 16:46 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0053s latency).

PORT     STATE SERVICE
1443/tcp open  ies-lm
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 3.51 seconds

[klzsysy]

@yuvalk
what do you think

[klzsysy]

@fedepaol
can you take a look, retested after resolving the conflict

[fedepaol]

looks good, waiting for one last ack from @yuvalk

[yuvalk]

@yuvalk what do you think

this is great,
thank you!

@fedepaol yeah, you have my ack

[fedepaol]

thanks, sending to merge

[fedepaol]

@klzsysy mind squashing before I merge?
Thanks!

[klzsysy]

@klzsysy mind squashing before I merge? Thanks!

done

[fedepaol]

Sorry I left this behind. I see now that needs rebasing? Mind doing so so I will merge?
Thanks again!

[klzsysy]

Sorry I left this behind. I see now that needs rebasing? Mind doing so so I will merge? Thanks again!

It should be possible to merge now

[fedepaol]

sent to the merge queue