Add specific cipher list

sapcc · Mar 12, 2024 · 60effc4 · 60effc4
1 parent 13e1701
commit 60effc4
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/charts/seed/templates/kubeadm.yaml b/charts/seed/templates/kubeadm.yaml
@@ -258,7 +258,14 @@ data:
     streamingConnectionIdleTimeout: 0s
     syncFrequency: 0s
     volumeStatsAggPeriod: 0s
-    tlsMinVersion: VersionTLS13
+    tlsCipherSuites:
+    - TLS_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+    - TLS_AES_128_GCM_SHA256
+    - TLS_AES_256_GCM_SHA384
+    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 kind: ConfigMap
 metadata:
   name: kubelet-config

diff --git a/pkg/api/handlers/get_cluster_bootstrap.go b/pkg/api/handlers/get_cluster_bootstrap.go
@@ -46,7 +46,14 @@ authentication:
     enabled: true
 rotateCertificates: true
 nodeLeaseDurationSeconds: 20
-tlsMinVersion: VersionTLS13
+tlsCipherSuites:
+- TLS_CHACHA20_POLY1305_SHA256
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_AES_128_GCM_SHA256
+- TLS_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 featureGates:
 `))
 

diff --git a/pkg/templates/node_1.27.go b/pkg/templates/node_1.27.go
@@ -297,7 +297,14 @@ storage:
           rotateCertificates: true
           nodeLeaseDurationSeconds: 20
           cgroupDriver: systemd
-          tlsMinVersion: VersionTLS13
+          tlsCipherSuites:
+          - TLS_CHACHA20_POLY1305_SHA256
+          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+          - TLS_AES_128_GCM_SHA256
+          - TLS_AES_256_GCM_SHA384
+          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
     - path: /etc/flatcar/update.conf
       filesystem: root
       mode: 0644