Bug 1847318: set TLS min version to 1.2 #826

pgier · 2020-06-25T20:02:53Z

Change the TLS min version in prometheus-operator to 1.2 from the default of 1.3.

No user facing changes, so no entry in CHANGELOG was needed.

pgier · 2020-06-25T20:04:28Z

/hold
Creating this PR for testing possible fix for bz1847318

pgier · 2020-06-25T20:18:27Z

/retest

s-urbaniak · 2020-06-26T08:15:38Z

/test e2e-aws

s-urbaniak · 2020-06-26T08:16:07Z

@pgier can you give some references why we need to remove configuring tls cipher suites for the webhooks?

pgier · 2020-06-26T15:34:25Z

@s-urbaniak I noticed that the other validation webhooks currently in openshift do not set any TLS cipher suites, so just wanted to test this.

openshift-ci-robot · 2020-06-29T18:06:41Z

@pgier: This pull request references Bugzilla bug 1847318, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.6.0) matches configured target release for branch (4.6.0)
bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1847318: set TLS min version to 1.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

pgier · 2020-06-29T18:10:33Z

/hold cancel

openshift-ci-robot · 2020-06-29T18:11:33Z

@pgier: This pull request references Bugzilla bug 1847318, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.6.0) matches configured target release for branch (4.6.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1847318: set TLS min version to 1.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

s-urbaniak · 2020-06-30T08:47:40Z

@pgier we had some issues in CI yesterday. do you mind to rebase and retest?

pgier · 2020-06-30T19:00:20Z

/retest

lilic · 2020-07-01T07:44:13Z

/retest

The default TLS min version in prometheus operator is 1.3. TLS version 1.3 causes a communication failure between the API server and prometheus-operator "tls: protocol version not supported".

pgier · 2020-07-01T19:57:38Z

/retest

pgier · 2020-07-01T22:03:24Z

@s-urbaniak please take a look again

s-urbaniak · 2020-07-02T13:38:13Z

/lgtm

openshift-ci-robot · 2020-07-02T13:38:30Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pgier, s-urbaniak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [pgier,s-urbaniak]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

s-urbaniak · 2020-07-02T13:40:00Z

@bparees i am very sorry, can you remind me again whom we can ping about the FIPS compliance and verify "we are doing the right thing" here?

bparees · 2020-07-02T13:51:33Z

@bparees i am very sorry, can you remind me again whom we can ping about the FIPS compliance and verify "we are doing the right thing" here?

Kirsten Newcomer was the PM who might be able to point you to some experts. David Eads also suggested Simo Sorce as a security engineer who was involved.

pgier · 2020-07-02T19:45:02Z

/retest

openshift-bot · 2020-07-02T22:57:02Z

/retest