
Commit ffd26cf

sanchezldusk125
authored andcommitted
UPSTREAM: <carry>: allow TLS1.3 or modern profile to be specified
Co-authored-by: Allen Ray <[email protected]>
1 parent 002a722 commit ffd26cf

2 files changed

+45
-30
lines changed


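--- a/openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver.go
+++ b/openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver.go
@@ -180,12 +180,6 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
 
 errs := field.ErrorList{}
 
-availableTypes := []string{
-string(configv1.TLSProfileOldType),
-string(configv1.TLSProfileIntermediateType),
-string(configv1.TLSProfileCustomType),
-}
-
 switch profile.Type {
 case "":
 if profile.Old != nil || profile.Intermediate != nil || profile.Modern != nil || profile.Custom != nil {
@@ -200,13 +194,15 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
 errs = append(errs, field.Required(fieldPath.Child("intermediate"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
 }
 case configv1.TLSProfileModernType:
-errs = append(errs, field.NotSupported(fieldPath.Child("type"), profile.Type, availableTypes))
+if profile.Modern == nil {
+errs = append(errs, field.Required(fieldPath.Child("modern"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
+}
 case configv1.TLSProfileCustomType:
 if profile.Custom == nil {
 errs = append(errs, field.Required(fieldPath.Child("custom"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
 }
 default:
-errs = append(errs, field.Invalid(typePath, profile.Type, fmt.Sprintf("unknown type, valid values are: %v", availableTypes)))
+errs = append(errs, field.Invalid(typePath, profile.Type, fmt.Sprintf("unknown type, valid values are: [Old Intermediate Modern Custom]")))
 }
 
 return errs
@@ -215,6 +211,13 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
 func validateCipherSuites(fieldPath *field.Path, suites []string, version configv1.TLSProtocolVersion) field.ErrorList {
 errs := field.ErrorList{}
 
+if version == configv1.VersionTLS13 {
+if len(suites) != 0 {
+errs = append(errs, field.Invalid(fieldPath, suites, "TLS 1.3 cipher suites are not configurable"))
+}
+return errs
+}
+
 if ianaSuites := libgocrypto.OpenSSLToIANACipherSuites(suites); len(ianaSuites) == 0 {
 errs = append(errs, field.Invalid(fieldPath, suites, "no supported cipher suite found"))
 }
@@ -224,7 +227,7 @@ func validateCipherSuites(fieldPath *field.Path, suites []string, version config
 // configuration to return an error when http2 required cipher suites aren't
 // provided.
 // See: go/x/net/http2.ConfigureServer for futher information.
-if version < configv1.VersionTLS13 && !haveRequiredHTTP2CipherSuites(suites) {
+if !haveRequiredHTTP2CipherSuites(suites) {
 errs = append(errs, field.Invalid(fieldPath, suites, "http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)"))
 }
 
@@ -246,14 +249,8 @@ func haveRequiredHTTP2CipherSuites(suites []string) bool {
 
 func validateMinTLSVersion(fieldPath *field.Path, version configv1.TLSProtocolVersion) field.ErrorList {
 errs := field.ErrorList{}
-
-if version == configv1.VersionTLS13 {
-return append(errs, field.NotSupported(fieldPath, version, []string{string(configv1.VersionTLS10), string(configv1.VersionTLS11), string(configv1.VersionTLS12)}))
-}
-
 if _, err := libgocrypto.TLSVersion(string(version)); err != nil {
 errs = append(errs, field.Invalid(fieldPath, version, err.Error()))
 }
-
 return errs
 }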
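Review bot: The `default` branch of validateTLSSecurityProfileType now embeds the set of valid profile types as a string literal inside a `fmt.Sprintf` call that has no formatting directive, so the advertised list will silently drift the next time a profile type is added or removed, and staticcheck flags the call as an unnecessary Sprintf. Keeping the removed `availableTypes` slice with the Modern constant added and formatting it with `%v` yields the exact text the updated test expects while keeping the message derived from the constants: `availableTypes := []string{string(configv1.TLSProfileOldType), string(configv1.TLSProfileIntermediateType), string(configv1.TLSProfileModernType), string(configv1.TLSProfileCustomType)}` and `errs = append(errs, field.Invalid(typePath, profile.Type, fmt.Sprintf("unknown type, valid values are: %v", availableTypes)))`. The early return added to validateCipherSuites for TLS 1.3 rejects an explicit cipher list instead of letting it pass unvalidated, which is the right failure mode for an admission check; a short why-comment on that branch, e.g. `// TLS 1.3 cipher suites are not configurable; reject an explicit list rather than silently ignoring it`, would keep a future reader from "fixing" it back into the OpenSSL-to-IANA path. The removed `version < configv1.VersionTLS13` guard on the HTTP/2 check is now subsumed by that early return, so the remaining condition is correct as written.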

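--- a/openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver_test.go
+++ b/openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver_test.go
@@ -144,27 +144,20 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
 },
 },
 {
-name: "modern type - currently unsupported",
+name: "modern type - supported",
 profile: &configv1.TLSSecurityProfile{
 Type: configv1.TLSProfileModernType,
 Modern: &configv1.ModernTLSProfile{},
 },
-want: field.ErrorList{
-field.NotSupported(rootFieldPath.Child("type"), configv1.TLSProfileModernType,
-[]string{
-string(configv1.TLSProfileOldType),
-string(configv1.TLSProfileIntermediateType),
-string(configv1.TLSProfileCustomType),
-}),
-},
+want: field.ErrorList{},
 },
 {
 name: "unknown type",
 profile: &configv1.TLSSecurityProfile{
 Type: "something",
 },
 want: field.ErrorList{
-field.Invalid(rootFieldPath.Child("type"), "something", "unknown type, valid values are: [Old Intermediate Custom]"),
+field.Invalid(rootFieldPath.Child("type"), "something", "unknown type, valid values are: [Old Intermediate Modern Custom]"),
 },
 },
 {
@@ -212,19 +205,16 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
 },
 },
 {
-name: "min tls 1.3 - currently unsupported",
+name: "min tls 1.3 - supported",
 profile: &configv1.TLSSecurityProfile{
 Type: "Custom",
 Custom: &configv1.CustomTLSProfile{
 TLSProfileSpec: configv1.TLSProfileSpec{
-Ciphers: []string{"ECDHE-ECDSA-CHACHA20-POLY1305"},
 MinTLSVersion: configv1.VersionTLS13,
 },
 },
 },
-want: field.ErrorList{
-field.NotSupported(rootFieldPath.Child("custom", "minTLSVersion"), configv1.VersionTLS13, []string{string(configv1.VersionTLS10), string(configv1.VersionTLS11), string(configv1.VersionTLS12)}),
-},
+want: field.ErrorList{},
 },
 {
 name: "custom profile missing required http2 ciphers",
@@ -246,6 +236,19 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
 field.Invalid(rootFieldPath.Child("custom", "ciphers"), []string{"ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"}, "http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)"),
 },
 },
+{
+name: "custom profile required http2 ciphers tls 1.3",
+profile: &configv1.TLSSecurityProfile{
+Type: "Custom",
+Custom: &configv1.CustomTLSProfile{
+TLSProfileSpec: configv1.TLSProfileSpec{
+Ciphers: []string{},
+MinTLSVersion: configv1.VersionTLS13,
+},
+},
+},
+want: field.ErrorList{},
+},
 {
 name: "custom profile with one required http2 ciphers",
 profile: &configv1.TLSSecurityProfile{
@@ -265,6 +268,21 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
 },
 want: field.ErrorList{},
 },
+{
+name: "custom profile min tls 1.3 cannot customize",
+profile: &configv1.TLSSecurityProfile{
+Type: "Custom",
+Custom: &configv1.CustomTLSProfile{
+TLSProfileSpec: configv1.TLSProfileSpec{
+Ciphers: []string{"TLS_AES_128_GCM_SHA256"},
+MinTLSVersion: configv1.VersionTLS13,
+},
+},
+},
+want: field.ErrorList{
+field.Invalid(rootFieldPath.Child("custom", "ciphers"), []string{"TLS_AES_128_GCM_SHA256"}, "TLS 1.3 cipher suites are not configurable"),
+},
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {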
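Review bot: The new `profile.Modern == nil` branch that the validator gains in this commit has no case in these hunks: "modern type - supported" sets Modern to a non-nil `&configv1.ModernTLSProfile{}`, so the Required error for a Modern type without a modern block is never asserted (unless a case exists elsewhere in the table, whose start is outside the hunk). The "min tls 1.3 - supported" and "custom profile required http2 ciphers tls 1.3" cases differ only in nil versus `[]string{}` Ciphers and both land in the same `len(suites) != 0` check, so the second one adds little and could be repurposed. A case along the lines below would cover the missing branch; it assumes the test file shares the validator's package and can reference `typeProfileMismatchFmt` and `fmt`, which should be confirmed.

```go
// … unchanged: earlier cases …
{
	name: "modern type - missing modern profile",
	profile: &configv1.TLSSecurityProfile{
		Type: configv1.TLSProfileModernType,
	},
	want: field.ErrorList{
		field.Required(rootFieldPath.Child("modern"), fmt.Sprintf(typeProfileMismatchFmt, configv1.TLSProfileModernType)),
	},
},
// … unchanged: remaining cases and the t.Run loop …
```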
