@@ -144,27 +144,20 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
144
144
},
145
145
},
146
146
{
147
- name : "modern type - currently unsupported " ,
147
+ name : "modern type - supported " ,
148
148
profile : & configv1.TLSSecurityProfile {
149
149
Type : configv1 .TLSProfileModernType ,
150
150
Modern : & configv1.ModernTLSProfile {},
151
151
},
152
- want : field.ErrorList {
153
- field .NotSupported (rootFieldPath .Child ("type" ), configv1 .TLSProfileModernType ,
154
- []string {
155
- string (configv1 .TLSProfileOldType ),
156
- string (configv1 .TLSProfileIntermediateType ),
157
- string (configv1 .TLSProfileCustomType ),
158
- }),
159
- },
152
+ want : field.ErrorList {},
160
153
},
161
154
{
162
155
name : "unknown type" ,
163
156
profile : & configv1.TLSSecurityProfile {
164
157
Type : "something" ,
165
158
},
166
159
want : field.ErrorList {
167
- field .Invalid (rootFieldPath .Child ("type" ), "something" , "unknown type, valid values are: [Old Intermediate Custom]" ),
160
+ field .Invalid (rootFieldPath .Child ("type" ), "something" , "unknown type, valid values are: [Old Intermediate Modern Custom]" ),
168
161
},
169
162
},
170
163
{
@@ -212,19 +205,16 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
212
205
},
213
206
},
214
207
{
215
- name : "min tls 1.3 - currently unsupported " ,
208
+ name : "min tls 1.3 - supported " ,
216
209
profile : & configv1.TLSSecurityProfile {
217
210
Type : "Custom" ,
218
211
Custom : & configv1.CustomTLSProfile {
219
212
TLSProfileSpec : configv1.TLSProfileSpec {
220
- Ciphers : []string {"ECDHE-ECDSA-CHACHA20-POLY1305" },
221
213
MinTLSVersion : configv1 .VersionTLS13 ,
222
214
},
223
215
},
224
216
},
225
- want : field.ErrorList {
226
- field .NotSupported (rootFieldPath .Child ("custom" , "minTLSVersion" ), configv1 .VersionTLS13 , []string {string (configv1 .VersionTLS10 ), string (configv1 .VersionTLS11 ), string (configv1 .VersionTLS12 )}),
227
- },
217
+ want : field.ErrorList {},
228
218
},
229
219
{
230
220
name : "custom profile missing required http2 ciphers" ,
@@ -246,6 +236,19 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
246
236
field .Invalid (rootFieldPath .Child ("custom" , "ciphers" ), []string {"ECDSA-AES256-GCM-SHA384" , "ECDHE-RSA-AES256-GCM-SHA384" , "ECDHE-ECDSA-CHACHA20-POLY1305" , "ECDHE-RSA-CHACHA20-POLY1305" }, "http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)" ),
247
237
},
248
238
},
239
+ {
240
+ name : "custom profile required http2 ciphers tls 1.3" ,
241
+ profile : & configv1.TLSSecurityProfile {
242
+ Type : "Custom" ,
243
+ Custom : & configv1.CustomTLSProfile {
244
+ TLSProfileSpec : configv1.TLSProfileSpec {
245
+ Ciphers : []string {},
246
+ MinTLSVersion : configv1 .VersionTLS13 ,
247
+ },
248
+ },
249
+ },
250
+ want : field.ErrorList {},
251
+ },
249
252
{
250
253
name : "custom profile with one required http2 ciphers" ,
251
254
profile : & configv1.TLSSecurityProfile {
@@ -265,6 +268,21 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
265
268
},
266
269
want : field.ErrorList {},
267
270
},
271
+ {
272
+ name : "custom profile min tls 1.3 cannot customize" ,
273
+ profile : & configv1.TLSSecurityProfile {
274
+ Type : "Custom" ,
275
+ Custom : & configv1.CustomTLSProfile {
276
+ TLSProfileSpec : configv1.TLSProfileSpec {
277
+ Ciphers : []string {"TLS_AES_128_GCM_SHA256" },
278
+ MinTLSVersion : configv1 .VersionTLS13 ,
279
+ },
280
+ },
281
+ },
282
+ want : field.ErrorList {
283
+ field .Invalid (rootFieldPath .Child ("custom" , "ciphers" ), []string {"TLS_AES_128_GCM_SHA256" }, "TLS 1.3 cipher suites are not configurable" ),
284
+ },
285
+ },
268
286
}
269
287
for _ , tt := range tests {
270
288
t .Run (tt .name , func (t * testing.T ) {
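Review bot: The "min tls 1.3 - supported" case in the second hunk drops its `Ciphers : []string {"ECDHE-ECDSA-CHACHA20-POLY1305" }` line, so the table no longer pins what the validator does when TLS 1.2 cipher names are combined with `MinTLSVersion : configv1 .VersionTLS13`; the only "cannot customize" case (last hunk) uses the 1.3 suite name `TLS_AES_128_GCM_SHA256`. If any non-empty list under a 1.3 minimum is meant to be rejected, as the new "TLS 1.3 cipher suites are not configurable" error suggests, a case with a 1.2 name such as `Ciphers : []string {"ECDHE-ECDSA-CHACHA20-POLY1305" }, MinTLSVersion : configv1 .VersionTLS13` expecting that same `field.Invalid` would make the intent explicit, and a `Ciphers : nil` variant of the "required http2 ciphers tls 1.3" case (third hunk) would confirm nil and empty lists are treated alike. That third case's name is also misleading since its Ciphers is empty; a name like `"custom profile http2 cipher check skipped for tls 1.3"` describes what it actually asserts. Test_validateTLSSecurityProfile starts and ends outside these hunks.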