Provide CipherSuites option between Clients and Servers

Signed-off-by: Zhecheng <[email protected]>

build/yamls/antrea-aks.yml

@@ -1371,6 +1371,15 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of cipher suites.
+    #cipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
+
+    # TLS max version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMaxVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1427,7 +1436,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-7d66b472ff
+  name: antrea-config-b28b99m84f
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1538,7 +1547,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-b28b99m84f
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1802,7 +1811,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-b28b99m84f
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -1371,6 +1371,15 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of cipher suites.
+    #cipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
+
+    # TLS max version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMaxVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1427,7 +1436,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-7d66b472ff
+  name: antrea-config-b28b99m84f
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1538,7 +1547,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-b28b99m84f
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1804,7 +1813,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-b28b99m84f
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -1371,6 +1371,15 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of cipher suites.
+    #cipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
+
+    # TLS max version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMaxVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1427,7 +1436,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-8hc5c7g4hb
+  name: antrea-config-hkc8tht72t
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1538,7 +1547,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-8hc5c7g4hb
+          name: antrea-config-hkc8tht72t
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1805,7 +1814,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-8hc5c7g4hb
+          name: antrea-config-hkc8tht72t
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -1376,6 +1376,15 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of cipher suites.
+    #cipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
+
+    # TLS max version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMaxVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1432,7 +1441,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-k7574f7tdc
+  name: antrea-config-t8hmhh9m6c
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1552,7 +1561,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-k7574f7tdc
+          name: antrea-config-t8hmhh9m6c
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1851,7 +1860,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-k7574f7tdc
+          name: antrea-config-t8hmhh9m6c
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -1376,6 +1376,15 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of cipher suites.
+    #cipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
+
+    # TLS max version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMaxVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1432,7 +1441,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-2m4ktcghmf
+  name: antrea-config-9g6d28g25d
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1543,7 +1552,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-2m4ktcghmf
+          name: antrea-config-9g6d28g25d
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1807,7 +1816,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-2m4ktcghmf
+          name: antrea-config-9g6d28g25d
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/conf/antrea-agent.conf

@@ -120,3 +120,13 @@ featureGates:
 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
 # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
 #kubeAPIServerOverride: ""
+
+# Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+# https://golang.org/pkg/crypto/tls/#pkg-constants
+#cipherSuites:
+
+# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+#tlsMinVersion:
+
+# TLS max version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+#tlsMaxVersion:

cmd/antrea-agent-simulator/simulator.go

@@ -32,6 +32,7 @@ import (
 	"github.com/vmware-tanzu/antrea/pkg/agent"
 	"github.com/vmware-tanzu/antrea/pkg/k8s"
 	"github.com/vmware-tanzu/antrea/pkg/signals"
+	"github.com/vmware-tanzu/antrea/pkg/util/cipher"
 	"github.com/vmware-tanzu/antrea/pkg/util/env"
 	"github.com/vmware-tanzu/antrea/pkg/version"
 )
@@ -49,7 +50,8 @@ func run() error {
 	}
 
 	// Create Antrea Clientset for the given config.
-	antreaClientProvider := agent.NewAntreaClientProvider(componentbaseconfig.ClientConnectionConfiguration{}, k8sClient)
+	tlsConfig, _ := cipher.NewTLSConfig("", "", "")
+	antreaClientProvider := agent.NewAntreaClientProvider(componentbaseconfig.ClientConnectionConfiguration{}, k8sClient, tlsConfig)
 
 	if err = antreaClientProvider.RunOnce(); err != nil {
 		return err

cmd/antrea-agent/agent.go

@@ -51,6 +51,7 @@ import (
 	ofconfig "github.com/vmware-tanzu/antrea/pkg/ovs/openflow"
 	"github.com/vmware-tanzu/antrea/pkg/ovs/ovsconfig"
 	"github.com/vmware-tanzu/antrea/pkg/signals"
+	"github.com/vmware-tanzu/antrea/pkg/util/cipher"
 	"github.com/vmware-tanzu/antrea/pkg/version"
 	k8sproxy "github.com/vmware-tanzu/antrea/third_party/proxy"
 )
@@ -71,9 +72,13 @@ func run(o *Options) error {
 	informerFactory := informers.NewSharedInformerFactory(k8sClient, informerDefaultResync)
 	crdInformerFactory := crdinformers.NewSharedInformerFactory(crdClient, informerDefaultResync)
 	traceflowInformer := crdInformerFactory.Ops().V1alpha1().Traceflows()
+	tlsConfig, err := cipher.NewTLSConfig(o.config.CipherSuites, o.config.TLSMinVersion, o.config.TLSMaxVersion)
+	if err != nil {
+		return fmt.Errorf("error generating TLS config: %v", err)
+	}
 
 	// Create Antrea Clientset for the given config.
-	antreaClientProvider := agent.NewAntreaClientProvider(o.config.AntreaClientConnection, k8sClient)
+	antreaClientProvider := agent.NewAntreaClientProvider(o.config.AntreaClientConnection, k8sClient, tlsConfig)
 
 	// Register Antrea Agent metrics if EnablePrometheusMetrics is set
 	if o.config.EnablePrometheusMetrics {

cmd/antrea-agent/config.go

@@ -127,4 +127,10 @@ type AgentConfig struct {
 	// Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
 	// Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
 	KubeAPIServerOverride string `yaml:"kubeAPIServerOverride,omitempty"`
+	// Cipher suites to use on Client side.
+	CipherSuites string `yaml:"cipherSuites,omitempty"`
+	// TLS min version.
+	TLSMinVersion string `yaml:"tlsMinVersion,omitempty"`
+	// TLS max version.
+	TLSMaxVersion string `yaml:"tlsMaxVersion,omitempty"`
 }

pkg/agent/client.go

@@ -15,9 +15,11 @@
 package agent
 
 import (
+	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net"
+	"net/http"
 	"os"
 	"sync"
 
@@ -30,6 +32,7 @@ import (
 
 	cert "github.com/vmware-tanzu/antrea/pkg/apiserver/certificate"
 	"github.com/vmware-tanzu/antrea/pkg/client/clientset/versioned"
+	"github.com/vmware-tanzu/antrea/pkg/util/cipher"
 )
 
 // AntreaClientProvider provides a method to get Antrea client.
@@ -46,11 +49,13 @@ type antreaClientProvider struct {
 	client versioned.Interface
 	// caContentProvider provides the very latest content of the ca bundle.
 	caContentProvider *dynamiccertificates.ConfigMapCAController
+	// TLS config.
+	tlsConfig *tls.Config
 }
 
 var _ dynamiccertificates.Listener = &antreaClientProvider{}
 
-func NewAntreaClientProvider(config config.ClientConnectionConfiguration, kubeClient kubernetes.Interface) *antreaClientProvider {
+func NewAntreaClientProvider(config config.ClientConnectionConfiguration, kubeClient kubernetes.Interface, tlsConfig *tls.Config) *antreaClientProvider {
 	// The key "ca.crt" may not exist at the beginning, no need to fail as the CA provider will watch the ConfigMap
 	// and notify antreaClientProvider of any update. The consumers of antreaClientProvider are supposed to always
 	// call GetAntreaClient() to get a client and not cache it.
@@ -63,6 +68,7 @@ func NewAntreaClientProvider(config config.ClientConnectionConfiguration, kubeCl
 	antreaClientProvider := &antreaClientProvider{
 		config:            config,
 		caContentProvider: antreaCAProvider,
+		tlsConfig:         tlsConfig,
 	}
 
 	antreaCAProvider.AddListener(antreaClientProvider)
@@ -108,11 +114,13 @@ func (p *antreaClientProvider) updateAntreaClient() error {
 			klog.Info("Didn't get CA certificate, skip updating Antrea Client")
 			return nil
 		}
-		kubeConfig, err = inClusterConfig(caBundle)
+		kubeConfig, err = inClusterConfig(caBundle, p.tlsConfig)
 	} else {
 		kubeConfig, err = clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
 			&clientcmd.ClientConfigLoadingRules{ExplicitPath: p.config.Kubeconfig},
 			&clientcmd.ConfigOverrides{}).ClientConfig()
+		tr := &http.Transport{TLSClientConfig: p.tlsConfig}
+		kubeConfig.Transport = tr
 	}
 	if err != nil {
 		return err
@@ -139,7 +147,7 @@ func (p *antreaClientProvider) updateAntreaClient() error {
 // kubernetes gives to pods. It's intended for clients that expect to be
 // running inside a pod running on kubernetes. It will return error
 // if called from a process not running in a kubernetes environment.
-func inClusterConfig(caBundle []byte) (*rest.Config, error) {
+func inClusterConfig(caBundle []byte, tlsConfig *tls.Config) (*rest.Config, error) {
 	// #nosec G101: false positive triggered by variable name which includes "token"
 	const tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 	host, port := os.Getenv("ANTREA_SERVICE_HOST"), os.Getenv("ANTREA_SERVICE_PORT")
@@ -152,15 +160,13 @@ func inClusterConfig(caBundle []byte) (*rest.Config, error) {
 		return nil, err
 	}
 
-	tlsClientConfig := rest.TLSClientConfig{
-		CAData:     caBundle,
-		ServerName: cert.GetAntreaServerNames()[0],
-	}
-
-	return &rest.Config{
+	config := rest.Config{
 		Host:            "https://" + net.JoinHostPort(host, port),
-		TLSClientConfig: tlsClientConfig,
 		BearerToken:     string(token),
 		BearerTokenFile: tokenFile,
-	}, nil
+	}
+	if err := cipher.AppendTLSConfig(&config, tlsConfig, caBundle, cert.GetAntreaServerNames()[0]); err != nil {
+		return nil, err
+	}
+	return &config, nil
 }