diff --git a/helm/cluster/files/etc/kubernetes/patches/kubeletconfiguration.yaml b/helm/cluster/files/etc/kubernetes/patches/kubeletconfiguration.yaml
index 63286555..b76499a5 100644
--- a/helm/cluster/files/etc/kubernetes/patches/kubeletconfiguration.yaml
+++ b/helm/cluster/files/etc/kubernetes/patches/kubeletconfiguration.yaml
@@ -21,8 +21,7 @@ systemReserved:
 cpu: {{ $.Values.internal.advancedConfiguration.kubelet.systemReserved.cpu }}
 memory: {{ $.Values.internal.advancedConfiguration.kubelet.systemReserved.memory }}
 systemReservedCgroup: /system.slice
-tlsCipherSuites:
-{{ include "kubelet.tlsCipherSuites" . | indent 2 }}
+tlsCipherSuites: {{ include "cluster.internal.kubeadm.tlsCipherSuites" $ | nindent 2 }}
 serializeImagePulls: false
 streamingConnectionIdleTimeout: 1h
 allowedUnsafeSysctls:
diff --git a/helm/cluster/templates/clusterapi/_helpers_tlsciphersuites.tpl b/helm/cluster/templates/clusterapi/_helpers_tlsciphersuites.tpl
index c1f0b4d9..f9d75ded 100644
--- a/helm/cluster/templates/clusterapi/_helpers_tlsciphersuites.tpl
+++ b/helm/cluster/templates/clusterapi/_helpers_tlsciphersuites.tpl
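Review bot: The list rendered into `tlsCipherSuites` still contains CBC/SHA-1 and static-RSA suites (e.g. `TLS_RSA_WITH_AES_128_CBC_SHA`), and nothing in this hunk pins the minimum protocol version; if the patch does not set it elsewhere, add `tlsMinVersion: VersionTLS12` next to `tlsCipherSuites` so the restricted suite list is not combined with a lower TLS version negotiated by a legacy client. The `tlsCipherSuites: {{ include ... | nindent 2 }}` form leaves a trailing space after the colon before the newline that `nindent` emits; YAML accepts it, but `tlsCipherSuites:{{ include "cluster.internal.kubeadm.tlsCipherSuites" $ | nindent 2 }}` avoids a lint warning. Passing `$` instead of `.` is consistent with the new helper, which only reads `cluster.component.kubernetes.version` from the root context as far as the second file shows.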
@@ -1,22 +1,29 @@
-{{- define "kubelet.tlsCipherSuites" -}}
-{{- $k8sVersion := include "cluster.component.kubernetes.version" . -}}
-- TLS_AES_128_GCM_SHA256
-- TLS_AES_256_GCM_SHA384
-- TLS_CHACHA20_POLY1305_SHA256
-- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-- TLS_RSA_WITH_AES_128_CBC_SHA
-- TLS_RSA_WITH_AES_128_GCM_SHA256
+ {{- /*
+ This file is for internal use only. It is used to define the list of TLS ciphersuites that are supported by the Kubernetes API server.
+ The list of ciphersuites is based on the Kubernetes version and is used to configure the `tls-cipher-suites` parameter in the kube-apiserver and kubelet configuration files.
+*/}}
+
+{{- define "cluster.internal.kubeadm.tlsCipherSuites" -}}
+{{- $k8sVersion := include "cluster.component.kubernetes.version" . 
| trimPrefix "v" }}
+{{- $ciphers := list
+ "TLS_AES_128_GCM_SHA256"
+ "TLS_AES_256_GCM_SHA384"
+ "TLS_CHACHA20_POLY1305_SHA256"
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+ "TLS_RSA_WITH_AES_128_CBC_SHA"
+ "TLS_RSA_WITH_AES_128_GCM_SHA256"
+}}
 {{- if semverCompare "<1.30.0" $k8sVersion }}
-- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+{{- $ciphers = concat $ciphers (list "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305") }}
 {{- end }}
+{{- toYaml $ciphers }}
 {{- end }}
diff --git a/helm/cluster/templates/clusterapi/controlplane/_helpers_clusterconfiguration_apiserver.tpl b/helm/cluster/templates/clusterapi/controlplane/_helpers_clusterconfiguration_apiserver.tpl
index 629232d2..be3d39f6 100644
--- a/helm/cluster/templates/clusterapi/controlplane/_helpers_clusterconfiguration_apiserver.tpl
+++ b/helm/cluster/templates/clusterapi/controlplane/_helpers_clusterconfiguration_apiserver.tpl
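Review bot: The unified `$ciphers` list keeps the static-RSA suites `TLS_RSA_WITH_AES_128_CBC_SHA` and `TLS_RSA_WITH_AES_128_GCM_SHA256` (no forward secrecy) plus four `*_CBC_SHA` suites (SHA-1 MAC, CBC), and now that this one helper feeds both kube-apiserver and kubelet there is no comment saying why they are retained; either drop them or record the reason next to those entries, e.g. `{{- /* TLS_RSA_* and *_CBC_SHA suites are kept only for legacy clients that cannot negotiate ECDHE/AEAD; remove once they are gone */ -}}`. The header comment says the list is "supported by the Kubernetes API server" while its next sentence and the kubelet patch use it for the kubelet as well; reword to "used for the kube-apiserver `tls-cipher-suites` flag and the kubelet `tlsCipherSuites` setting". Unifying also silently removes `TLS_RSA_WITH_AES_256_CBC_SHA` and `TLS_RSA_WITH_AES_256_GCM_SHA384` from the apiserver's former list (see the deleted define further down); that is a tightening, but it is worth stating in the comment so the change is not mistaken for a pure refactor. The leading space before `{{- /*` on the first added line is emitted into the partial's output; harmless here, but `{{- /*` at column 0 matches the rest of the file.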
@@ -64,7 +64,8 @@ extraArgs:
 {{- end }}
 service-account-lookup: "true"
 service-cluster-ip-range: {{ .Values.global.connectivity.network.services.cidrBlocks | first }}
- tls-cipher-suites: {{ include "cluster.internal.controlPlane.kubeadm.clusterConfiguration.apiServer.tlsCipherSuites" $ }}
+ {{- /* returning the tls cipher suites map object use fromYamlArray when converting to string */ }}
+ tls-cipher-suites: {{ include "cluster.internal.kubeadm.tlsCipherSuites" $ | fromYamlArray | join "," }}
 {{- range $argName, $argValue := $.Values.internal.advancedConfiguration.controlPlane.apiServer.extraArgs }}
 {{ $argName }}: {{ if kindIs "string" $argValue }}{{ $argValue | quote }}{{ else }}{{ $argValue }}{{ end }}
 {{- end }}
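Review bot: The new `tls-cipher-suites` value is emitted as an unquoted plain scalar built by `join ","`, whereas the `extraArgs` loop two lines below quotes every string value; since kubeadm reads these as strings, quote it for consistency and so the scalar cannot be misread if the helper's output ever changes shape: `tls-cipher-suites: {{ include "cluster.internal.kubeadm.tlsCipherSuites" $ | fromYamlArray | join "," | quote }}`. The comment above it calls the helper's result a "map object", but the helper returns a YAML sequence (`toYaml` of a list) as a string, which is exactly why `fromYamlArray` is needed; a more accurate comment is `{{- /* the helper renders the suites as a YAML list string; parse it with fromYamlArray, then join for the flag */ }}`. The enclosing `extraArgs:` mapping starts above this hunk.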
@@ -138,33 +139,6 @@ https://{{ .serviceAccountIssuer.clusterDomainPrefix }}.{{ include "cluster.reso
 api-audiences-example.giantswarm.io
 {{- end }}
 
-{{- define "cluster.internal.controlPlane.kubeadm.clusterConfiguration.apiServer.tlsCipherSuites" }}
-{{- $k8sVersion := include "cluster.component.kubernetes.version" . -}}
-{{- $preferredCiphers := list
- "TLS_AES_128_GCM_SHA256"
- "TLS_AES_256_GCM_SHA384"
- "TLS_CHACHA20_POLY1305_SHA256"
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
- "TLS_RSA_WITH_AES_128_CBC_SHA"
- "TLS_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_RSA_WITH_AES_256_CBC_SHA"
- "TLS_RSA_WITH_AES_256_GCM_SHA384"
--}}
-{{- if semverCompare "<1.30.0" $k8sVersion }}
-{{- $preferredCiphers = append $preferredCiphers "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" }}
-{{- end }}
-{{- join "," (compact $preferredCiphers) }}
-{{- end }}
-
 {{- define "cluster.internal.controlPlane.kubeadm.clusterConfiguration.apiServer.featureGates" }}
 {{- $providerFeatureGates := $.Values.providerIntegration.controlPlane.kubeadmConfig.clusterConfiguration.apiServer.featureGates | default list }}
 {{- $internalFeatureGates := $.Values.internal.advancedConfiguration.controlPlane.apiServer.featureGates | default list }}