10 changes: 10 additions & 0 deletions config/v1/types_tlssecurityprofile.go
Expand Up @@ -213,6 +213,16 @@ type TLSProfileSpec struct {
//
// +listType=atomic
Ciphers []string `json:"ciphers"`
// curves is used to specify the elliptic curves that are used during
// the TLS handshake. Operators may remove entries their operands do
// not support. For example, to use X25519 and P-256 (yaml):
//
// curves:
// - X25519
// - P-256
// +optional
Contributor
optional fields should have godoc around what happens if the field is not set (i.e. what is the default behaviour)

// +listType=atomic
Curves []string `json:"curves,omitempty"`
// minTLSVersion is used to specify the minimal version of the TLS protocol
// that is negotiated during the TLS handshake. For example, to use TLS
// versions 1.1, 1.2 and 1.3 (yaml):
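Review bot: the new `Curves []string `json:"curves,omitempty"`` field is marked `+optional`, but its doc comment does not say what happens when the list is absent or empty, and neither it nor `Ciphers` above carries a validation marker bounding the list or constraining the values, in contrast to the `minTLSVersion` comment that follows, which documents the highest value currently allowed. Suggest stating the default explicitly (for instance, that an absent list means the operand's own curve preference applies) and either adding an enum of accepted curve names or documenting the spelling consumers must map onto their TLS library, since the example shows `X25519` and `P-256` but does not say how other curves are named or how an unrecognised entry is treated. A `+kubebuilder:validation:MaxItems` marker would also keep the atomic list bounded.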
Expand Up @@ -330,6 +330,19 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
x-kubernetes-list-type: atomic
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
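Review bot: the generated `curves` schema in this hunk (and in the identical CRD hunks that follow) is `type: array` of `type: string` with `x-kubernetes-list-type: atomic` and no `maxItems`, `enum` or `pattern`, so any string passes admission and a misspelling such as `P256` for `P-256` is only discovered by whichever operand consumes the profile. Since these manifests are generated from the Go type, the constraint belongs in the type's validation markers; once added there, these hunks should be regenerated so the restriction appears in the CRDs as well.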
Expand Up @@ -261,6 +261,19 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
x-kubernetes-list-type: atomic
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Up @@ -330,6 +330,19 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
x-kubernetes-list-type: atomic
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Up @@ -330,6 +330,19 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
x-kubernetes-list-type: atomic
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
5 changes: 5 additions & 0 deletions config/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default.

Expand Up @@ -261,6 +261,19 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
x-kubernetes-list-type: atomic
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Up @@ -330,6 +330,19 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
x-kubernetes-list-type: atomic
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
1 change: 1 addition & 0 deletions config/v1/zz_generated.swagger_doc_generated.go

Some generated files are not rendered by default.

Expand Up @@ -144,6 +144,19 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
Contributor
Since other objects (e.g. the kubeletconfig here) reference the tlsSecurityProfile type, would the curve be supported for all affected objects and controllers?

description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
x-kubernetes-list-type: atomic
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
Expand Up @@ -145,6 +145,19 @@ spec:
type: string
type: array
x-kubernetes-list-type: atomic
curves:
description: |-
curves is used to specify the elliptic curves that are used during
the TLS handshake. Operators may remove entries their operands do
not support. For example, to use X25519 and P-256 (yaml):

curves:
- X25519
- P-256
items:
type: string
type: array
x-kubernetes-list-type: atomic
minTLSVersion:
description: |-
minTLSVersion is used to specify the minimal version of the TLS protocol
40 changes: 40 additions & 0 deletions openapi/generated_openapi/zz_generated.openapi.go

Some generated files are not rendered by default.

92 changes: 92 additions & 0 deletions openapi/openapi.json
Expand Up @@ -6016,6 +6016,15 @@
},
"x-kubernetes-list-type": "atomic"
},
"curves": {
"description": "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support. For example, to use X25519 and P-256 (yaml):\n\n curves:\n - X25519\n - P-256",
"type": "array",
"items": {
"type": "string",
"default": ""
},
"x-kubernetes-list-type": "atomic"
},
"minTLSVersion": {
"description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12",
"type": "string",
Expand Down Expand Up @@ -10984,6 +10993,15 @@
},
"x-kubernetes-list-type": "atomic"
},
"curves": {
"description": "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support. For example, to use X25519 and P-256 (yaml):\n\n curves:\n - X25519\n - P-256",
"type": "array",
"items": {
"type": "string",
"default": ""
},
"x-kubernetes-list-type": "atomic"
},
"minTLSVersion": {
"description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12",
"type": "string",
Expand Down Expand Up @@ -14268,6 +14286,76 @@
}
}
},
"com.github.openshift.api.example.v1.FormatMarkerExamples": {
"description": "FormatMarkerExamples demonstrates all Kubebuilder Format markers supported as of Kubernetes 1.33. This struct provides a comprehensive reference for format marker validation. Each field uses a different format marker to validate its value.",
"type": "object",
"properties": {
"base64Data": {
"description": "base64Data must be valid base64-encoded data. Valid examples include aGVsbG8= (encodes \"hello\") or SGVsbG8gV29ybGQh (encodes \"Hello World!\").",
"type": "string"
},
"cidrNotation": {
"description": "cidrNotation must be a valid CIDR notation IP address range. Valid examples include IPv4 CIDR (10.0.0.0/8, 192.168.1.0/24) or IPv6 CIDR (fd00::/8, 2001:db8::/32).\n\nUse of Format=cidr is not recommended due to CVE-2021-29923 and CVE-2024-24790. Instead, use the CEL expression `isCIDR(self)` to validate CIDR notation. Additionally, use `isCIDR(self) && cidr(self).ip().family() == X` to validate IPvX specifically.",
"type": "string"
},
"dateField": {
"description": "dateField must be a valid date in RFC 3339 full-date format (YYYY-MM-DD). Valid examples include 2024-01-15 or 2023-12-31.",
"type": "string"
},
"dateTimeField": {
"description": "dateTimeField must be a valid RFC 3339 date-time. Valid examples include 2024-01-15T14:30:00Z, 2024-01-15T14:30:00+00:00, or 2024-01-15T14:30:00.123Z.",
"type": "string"
},
"durationField": {
"description": "durationField must be a valid duration string parseable by Go's time.ParseDuration. Valid time units are ns, us (or µs), ms, s, m, h. Valid examples include 30s, 5m, 1h30m, 100ms, or 1h.",
"type": "string"
},
"emailAddress": {
"description": "emailAddress must be a valid email address. Valid examples include user@example.com or firstname.lastname@company.co.uk.",
"type": "string"
},
"hostnameField": {
"description": "hostnameField must be a valid Internet hostname per RFC 1034. Valid examples include example.com, api.example.com, or my-service.",
"type": "string"
},
"ipv4Address": {
"description": "ipv4Address must be a valid IPv4 address in dotted-quad notation. Valid values range from 0.0.0.0 to 255.255.255.255 (e.g., 192.168.1.1).\n\nUse of Format=ipv4 is not recommended due to CVE-2021-29923 and CVE-2024-24790. Instead, use the CEL expression `isIP(self) && ip(self).family() == 4` to validate IPv4 addresses.",
"type": "string"
},
"ipv6Address": {
"description": "ipv6Address must be a valid IPv6 address. Valid examples include full form (2001:0db8:0000:0000:0000:0000:0000:0001) or compressed form (2001:db8::1 or ::1).\n\nUse of Format=ipv6 is not recommended due to CVE-2021-29923 and CVE-2024-24790. Instead, use the CEL expression `isIP(self) && ip(self).family() == 6` to validate IPv6 addresses.",
"type": "string"
},
"macAddress": {
"description": "macAddress must be a valid MAC address. Valid examples include 00:1A:2B:3C:4D:5E or 00-1A-2B-3C-4D-5E.",
"type": "string"
},
"passwordField": {
"description": "passwordField is a marker for sensitive data. Note that the password format marker does not perform any actual validation - it accepts any string value. This marker is primarily used to signal that the field contains sensitive information.",
"type": "string"
},
"uriField": {
"description": "uriField must be a valid URI following RFC 3986 syntax. Valid examples include https://example.com/path?query=value or /absolute-path.",
"type": "string"
},
"uuid3Field": {
"description": "uuid3Field must be a valid UUID version 3 (MD5 hash-based). Version 3 UUIDs are generated using MD5 hashing of a namespace and name. Valid example: a3bb189e-8bf9-3888-9912-ace4e6543002.",
"type": "string"
},
"uuid4Field": {
"description": "uuid4Field must be a valid UUID version 4 (random). Version 4 UUIDs are randomly generated. Valid example: 550e8400-e29b-41d4-a716-446655440000.",
"type": "string"
},
"uuid5Field": {
"description": "uuid5Field must be a valid UUID version 5 (SHA-1 hash-based). Version 5 UUIDs are generated using SHA-1 hashing of a namespace and name. Valid example: 74738ff5-5367-5958-9aee-98fffdcd1876.",
"type": "string"
},
"uuidField": {
"description": "uuidField must be a valid UUID (any version) in 8-4-4-4-12 format. Valid examples include 550e8400-e29b-41d4-a716-446655440000 or 123e4567-e89b-12d3-a456-426614174000.",
"type": "string"
}
}
},
"com.github.openshift.api.example.v1.StableConfigType": {
"description": "StableConfigType is a stable config type that may include TechPreviewNoUpgrade fields.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"type": "object",
Expand Down Expand Up @@ -14357,6 +14445,10 @@
"default": {},
"$ref": "#/definitions/com.github.openshift.api.example.v1.EvolvingUnion"
},
"formatMarkerExamples": {
"description": "formatMarkerExamples demonstrates all Kubebuilder Format markers supported as of Kubernetes 1.33. This field serves as a comprehensive reference for format marker validation.",
"$ref": "#/definitions/com.github.openshift.api.example.v1.FormatMarkerExamples"
},
"immutableField": {
"description": "immutableField is a field that is immutable once the object has been created. It is required at all times.",
"type": "string",