tls update

giantswarm · Dec 10, 2024 · 225bf23 · 225bf23
1 parent 1474df3
commit 225bf23
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 49 deletions.
diff --git a/helm/cluster/files/etc/kubernetes/patches/kubeletconfiguration.yaml b/helm/cluster/files/etc/kubernetes/patches/kubeletconfiguration.yaml
@@ -21,8 +21,7 @@ systemReserved:
   cpu: {{ $.Values.internal.advancedConfiguration.kubelet.systemReserved.cpu }}
   memory: {{ $.Values.internal.advancedConfiguration.kubelet.systemReserved.memory }}
 systemReservedCgroup: /system.slice
-tlsCipherSuites:
-{{ include "kubelet.tlsCipherSuites" . | indent 2 }}
+tlsCipherSuites: {{ include "cluster.internal.kubeadm.tlsCipherSuites" $ | nindent 2 }}
 serializeImagePulls: false
 streamingConnectionIdleTimeout: 1h
 allowedUnsafeSysctls:

diff --git a/helm/cluster/templates/clusterapi/_helpers_tlsciphersuites.tpl b/helm/cluster/templates/clusterapi/_helpers_tlsciphersuites.tpl
@@ -1,22 +1,29 @@
-{{- define "kubelet.tlsCipherSuites" -}}
-{{- $k8sVersion := include "cluster.component.kubernetes.version" . -}}
-- TLS_AES_128_GCM_SHA256
-- TLS_AES_256_GCM_SHA384
-- TLS_CHACHA20_POLY1305_SHA256
-- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-- TLS_RSA_WITH_AES_128_CBC_SHA
-- TLS_RSA_WITH_AES_128_GCM_SHA256
+ {{- /*
+    This file is for internal use only. It is used to define the list of TLS ciphersuites that are supported by the Kubernetes API server.
+    The list of ciphersuites is based on the Kubernetes version and is used to configure the `tls-cipher-suites` parameter in the kube-apiserver and kubelet configuration files.
+*/}}
+
+{{- define "cluster.internal.kubeadm.tlsCipherSuites" -}}
+{{- $k8sVersion := include "cluster.component.kubernetes.version" . | trimPrefix "v" }}
+{{- $ciphers := list
+  "TLS_AES_128_GCM_SHA256"
+  "TLS_AES_256_GCM_SHA384"
+  "TLS_CHACHA20_POLY1305_SHA256"
+  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
+  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+  "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
+  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+  "TLS_RSA_WITH_AES_128_CBC_SHA"
+  "TLS_RSA_WITH_AES_128_GCM_SHA256"
+}}
 {{- if semverCompare "<1.30.0" $k8sVersion }}
-- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+{{- $ciphers = concat $ciphers (list "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305") }}
 {{- end }}
+{{- toYaml $ciphers }}
 {{- end }}
diff --git a/helm/cluster/templates/clusterapi/controlplane/_helpers_clusterconfiguration_apiserver.tpl b/helm/cluster/templates/clusterapi/controlplane/_helpers_clusterconfiguration_apiserver.tpl
@@ -64,7 +64,8 @@ extraArgs:
   {{- end }}
   service-account-lookup: "true"
   service-cluster-ip-range: {{ .Values.global.connectivity.network.services.cidrBlocks | first }}
-  tls-cipher-suites: {{ include "cluster.internal.controlPlane.kubeadm.clusterConfiguration.apiServer.tlsCipherSuites" $ }}
+  {{- /* returning the tls cipher suites map object use fromYamlArray when converting to string */ }}
+  tls-cipher-suites: {{ include "cluster.internal.kubeadm.tlsCipherSuites" $ | fromYamlArray | join "," }}
   {{- range $argName, $argValue := $.Values.internal.advancedConfiguration.controlPlane.apiServer.extraArgs }}
   {{ $argName }}: {{ if kindIs "string" $argValue }}{{ $argValue | quote }}{{ else }}{{ $argValue }}{{ end }}
   {{- end }}
@@ -138,33 +139,6 @@ https://{{ .serviceAccountIssuer.clusterDomainPrefix }}.{{ include "cluster.reso
 api-audiences-example.giantswarm.io
 {{- end }}
 
-{{- define "cluster.internal.controlPlane.kubeadm.clusterConfiguration.apiServer.tlsCipherSuites" }}
-{{- $k8sVersion := include "cluster.component.kubernetes.version" . -}}
-{{- $preferredCiphers := list
-  "TLS_AES_128_GCM_SHA256"
-  "TLS_AES_256_GCM_SHA384"
-  "TLS_CHACHA20_POLY1305_SHA256"
-  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
-  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
-  "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
-  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
-  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
-  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
-  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
-  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
-  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
-  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
-  "TLS_RSA_WITH_AES_128_CBC_SHA"
-  "TLS_RSA_WITH_AES_128_GCM_SHA256"
-  "TLS_RSA_WITH_AES_256_CBC_SHA"
-  "TLS_RSA_WITH_AES_256_GCM_SHA384"
--}}
-{{- if semverCompare "<1.30.0" $k8sVersion }}
-{{- $preferredCiphers = append $preferredCiphers "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" }}
-{{- end }}
-{{- join "," (compact $preferredCiphers) }}
-{{- end }}
-
 {{- define "cluster.internal.controlPlane.kubeadm.clusterConfiguration.apiServer.featureGates" }}
 {{- $providerFeatureGates := $.Values.providerIntegration.controlPlane.kubeadmConfig.clusterConfiguration.apiServer.featureGates | default list }}
 {{- $internalFeatureGates := $.Values.internal.advancedConfiguration.controlPlane.apiServer.featureGates | default list }}