Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 2002759: UPSTREAM: <carry>: verify required http2 cipher suites #1022

Merged
merged 1 commit into from
Nov 3, 2021
Merged

Bug 2002759: UPSTREAM: <carry>: verify required http2 cipher suites #1022

merged 1 commit into from
Nov 3, 2021

Conversation

dgrisonnet
Copy link
Member

In the Apiserver admission, we need to return an error if the required
http2 cipher suites are missing from a custom tlsSecurityProfile.
Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in invalid http2 Server
configuration causing the apiservers to crash.
See: go/x/net/http2.ConfigureServer for futher information.

This change is meant to add a check in the Apiserver admission to validate custom ciphers similarly to the following check in the http2 go library in https://cs.opensource.google/go/x/net/+/d418f374:http2/server.go;l=240-257.

/cc @p0lyn0mial

@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Oct 27, 2021
@openshift-ci openshift-ci bot added bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Oct 27, 2021
@openshift-ci
Copy link

openshift-ci bot commented Oct 27, 2021

@dgrisonnet: This pull request references Bugzilla bug 2002759, which is invalid:

  • expected the bug to target the "4.10.0" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2002759: UPSTREAM: : verify required http2 cipher suites

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot
Copy link

@dgrisonnet: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

@dgrisonnet
Copy link
Member Author

/bugzilla refresh

@openshift-ci
Copy link

openshift-ci bot commented Oct 27, 2021

@dgrisonnet: This pull request references Bugzilla bug 2002759, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.10.0) matches configured target release for branch (4.10.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @wangke19

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Oct 27, 2021
@openshift-ci openshift-ci bot requested a review from wangke19 October 27, 2021 15:43
@dgrisonnet
UPSTREAM: <carry>: verify required http2 cipher suites
b2a9cd9 
In the Apiserver admission, we need to return an error if the required
http2 cipher suites are missing from a custom tlsSecurityProfile.
Currently, custom cipher suites missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 result in invalid http2 Server
configuration causing the apiservers to crash.
See: go/x/net/http2.ConfigureServer for futher information.

Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
@openshift-ci-robot
Copy link

@dgrisonnet: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

@p0lyn0mial
Copy link

/lgtm
/assing @sttts

for approval and review

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 29, 2021
@sttts sttts removed the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Nov 2, 2021
@sttts
Copy link

sttts commented Nov 2, 2021

/retest
/approve

@p0lyn0mial
Copy link

/retest

@openshift-ci
Copy link

openshift-ci bot commented Nov 2, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dgrisonnet, p0lyn0mial, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 2, 2021
@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

4 similar comments
@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

7 similar comments
@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit 1b2affc into openshift:master Nov 3, 2021
@openshift-ci
Copy link

openshift-ci bot commented Nov 3, 2021

@dgrisonnet: All pull requests linked via external trackers have merged:

Bugzilla bug 2002759 has been moved to the MODIFIED state.

In response to this:

Bug 2002759: UPSTREAM: : verify required http2 cipher suites

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@p0lyn0mial p0lyn0mial p0lyn0mial left review comments

@wangke19 wangke19 Awaiting requested review from wangke19

Assignees

@p0lyn0mial p0lyn0mial

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@dgrisonnet @openshift-ci-robot @p0lyn0mial @sttts @openshift-bot @openshift-merge-robot