Skip to content

apiserver: make note of the supported tls profiles #508

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 5, 2019
Merged

apiserver: make note of the supported tls profiles #508

merged 2 commits into from
Nov 5, 2019

Conversation

stlaz
Copy link
Contributor

@stlaz stlaz commented Nov 1, 2019

No description provided.

@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 1, 2019
@openshift-ci-robot openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 4, 2019
sttts
sttts reviewed Nov 4, 2019
View reviewed changes
config/v1/types_apiserver.go
// Intermediate profiles are currently supported, and the maximum available MinTLSVersions
// is VersionTLS12.
// +optional
TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please document that in TLSSecurityProfile too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Miciah
Miciah reviewed Nov 4, 2019
View reviewed changes
sttts
sttts reviewed Nov 4, 2019
View reviewed changes
config/v1/types_tlssecurityprofile.go Outdated
// - ECDHE-ECDSA-AES128-GCM-SHA256
// minTLSVersion: TLSv1.1
//
// NOTE: Currently unsupported.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unsupported or rejected?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think unsupported is the better wording since IngressControllerSpec will not reject it AFAIK, but does not support it (I believe they just fall back to Intermediate). We would reject it in the APIServer configuration, and the reason is the same with ingress - the components that would react to such configuration cannot process TLSv1.3.

@stlaz
Copy link
Contributor Author

stlaz commented Nov 5, 2019

/hold
the RBR CRD should not be here apparently

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 5, 2019
@stlaz
Copy link
Contributor Author

stlaz commented Nov 5, 2019

/hold cancel
removing it did the trick

@openshift-ci-robot openshift-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 5, 2019
@stlaz
Copy link
Contributor Author

stlaz commented Nov 5, 2019

@damemi this is fun: Error: unable to parse option "output:dir=/tmp/tmp.0xPTMuqKdS": [illegal hexadecimal number (at <input>:1:10)] at https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/pr-logs/pull/openshift_api/508/pull-ci-openshift-api-master-verify/1474

@stlaz
Copy link
Contributor Author

stlaz commented Nov 5, 2019

/test verify

@sttts
Copy link
Contributor

sttts commented Nov 5, 2019

/approve
/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 5, 2019
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stlaz, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 5, 2019
@openshift-merge-robot openshift-merge-robot merged commit d3d78e0 into openshift:master Nov 5, 2019
@damemi
Copy link
Contributor

damemi commented Nov 5, 2019

@damemi this is fun: Error: unable to parse option "output:dir=/tmp/tmp.0xPTMuqKdS": [illegal hexadecimal number (at <input>:1:10)] at https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/pr-logs/pull/openshift_api/508/pull-ci-openshift-api-master-verify/1474

Am I understanding this, or does the generator assume that a directory string starting with 0x is hex??

@sttts
Copy link
Contributor

sttts commented Nov 5, 2019

Am I understanding this, or does the generator assume that a directory string starting with 0x is hex??

:D

@damemi
Copy link
Contributor

damemi commented Nov 5, 2019

Issue opened here: kubernetes-sigs/controller-tools#357

@orenc1
Copy link

orenc1 commented Jul 10, 2025

hello @stlaz , @sttts ,
could you please advise if the modern TLS profile is still not supported in 2025 ?
the note still appears in master:

api/config/v1/types_tlssecurityprofile.go

Lines 17 to 18 in 926605d

// Note that the Modern profile is currently not supported because it is not
// yet well adopted by common software libraries.

We've got a bug about this:
https://issues.redhat.com/browse/CNV-64951
but since we're a layered product, we depend on the openshift api.

@benluddy
Copy link
Contributor

benluddy commented Jul 10, 2025
edited
Loading

@orenc1 https://issues.redhat.com//browse/OCPBUGS-37706

Edit: Found an even better issue: https://issues.redhat.com/browse/OCPBUGS-57313

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k deads2k left review comments

@abhinavdahiya abhinavdahiya Awaiting requested review from abhinavdahiya

@adambkaplan adambkaplan Awaiting requested review from adambkaplan

+3 more reviewers

@sttts sttts sttts left review comments

@damemi damemi damemi left review comments

@Miciah Miciah Miciah left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@sttts sttts

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@stlaz @sttts @openshift-ci-robot @damemi @orenc1 @benluddy @Miciah @deads2k @openshift-merge-robot