jsonnet: disable insecure cypher suites for prometheus-adapter

Running sslscan against the prometheus adapter secure port reports two insecure SSL ciphers, ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA. This commit removes those ciphers from the list.
openshift · Jun 22, 2021 · 4b051cc · 4b051cc
1 parent e3bce41
commit 4b051cc
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/assets/prometheus-adapter/deployment.yaml b/assets/prometheus-adapter/deployment.yaml
@@ -47,6 +47,7 @@ spec:
         - --metrics-relist-interval=1m
         - --prometheus-url=https://prometheus-k8s.openshift-monitoring.svc:9091
         - --secure-port=6443
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
         image: directxman12/k8s-prometheus-adapter:v0.8.4
         name: prometheus-adapter
         ports:

diff --git a/jsonnet/prometheus-adapter.libsonnet b/jsonnet/prometheus-adapter.libsonnet
@@ -94,6 +94,7 @@ function(params)
                           '--metrics-relist-interval=1m',
                           '--prometheus-url=' + cfg.prometheusURL,
                           '--secure-port=6443',
+                          '--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
                         ],
                         terminationMessagePolicy: 'FallbackToLogsOnError',
                         volumeMounts: [