Provide CipherSuites option between Clients and Servers

* Add options TLSCipherSuites, TLSMinVersion on Apiserver side of controller
and agent.
* Add a util module cipher to support functionality and related UT.
* Add tls e2e tests to verify Apiserver of Antrea and Antrea agent.

Signed-off-by: Zhecheng Li <[email protected]>

build/yamls/antrea-aks.yml

@@ -1371,6 +1371,16 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+    # libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+    # TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1422,12 +1432,22 @@ data:
     # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
     # antrea-controller container.
     #selfSignedCert: true
+
+    # Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+    # libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+    # TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-7d66b472ff
+  name: antrea-config-889f4b624t
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1538,7 +1558,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-889f4b624t
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1802,7 +1822,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-889f4b624t
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -1371,6 +1371,16 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+    # libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+    # TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1422,12 +1432,22 @@ data:
     # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
     # antrea-controller container.
     #selfSignedCert: true
+
+    # Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+    # libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+    # TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-7d66b472ff
+  name: antrea-config-889f4b624t
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1538,7 +1558,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-889f4b624t
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1804,7 +1824,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-889f4b624t
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -1371,6 +1371,16 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+    # libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+    # TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1422,12 +1432,22 @@ data:
     # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
     # antrea-controller container.
     #selfSignedCert: true
+
+    # Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+    # libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+    # TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-8hc5c7g4hb
+  name: antrea-config-9md9h8m4k4
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1538,7 +1558,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-8hc5c7g4hb
+          name: antrea-config-9md9h8m4k4
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1805,7 +1825,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-8hc5c7g4hb
+          name: antrea-config-9md9h8m4k4
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -1376,6 +1376,16 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+    # libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+    # TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1427,12 +1437,22 @@ data:
     # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
     # antrea-controller container.
     #selfSignedCert: true
+
+    # Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+    # libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+    # TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-k7574f7tdc
+  name: antrea-config-5f948bg4h4
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1552,7 +1572,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-k7574f7tdc
+          name: antrea-config-5f948bg4h4
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1851,7 +1871,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-k7574f7tdc
+          name: antrea-config-5f948bg4h4
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -1376,6 +1376,16 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+    # libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+    # TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1427,12 +1437,22 @@ data:
     # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
     # antrea-controller container.
     #selfSignedCert: true
+
+    # Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+    # libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+    # TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-2m4ktcghmf
+  name: antrea-config-t8h2cdggch
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1543,7 +1563,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-2m4ktcghmf
+          name: antrea-config-t8h2cdggch
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1807,7 +1827,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-2m4ktcghmf
+          name: antrea-config-t8h2cdggch
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/conf/antrea-agent.conf

@@ -120,3 +120,13 @@ featureGates:
 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
 # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
 #kubeAPIServerOverride: ""
+
+# Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+# https://golang.org/pkg/crypto/tls/#pkg-constants
+# Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+# libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+# TLS1.3 Cipher Suites whenever possible.
+#tlsCipherSuites:
+
+# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+#tlsMinVersion:

build/yamls/base/conf/antrea-controller.conf

@@ -27,3 +27,13 @@ featureGates:
 # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
 # antrea-controller container.
 #selfSignedCert: true
+
+# Comma-separated list of cipher suites. If omitted, the default Go cipher suites will be used.
+# https://golang.org/pkg/crypto/tls/#pkg-constants
+# Note that TLS1.3 cipher suites cannot be explicitly listed here. The reason is that by default Antrea uses the Go "crypto"
+# libraries, which do not support configuring Cipher Suites for TLS1.3. Actually, the apiserver will always prefer
+# TLS1.3 Cipher Suites whenever possible.
+#tlsCipherSuites:
+
+# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+#tlsMinVersion:

cmd/antrea-agent/agent.go

@@ -51,6 +51,7 @@ import (
 	ofconfig "github.com/vmware-tanzu/antrea/pkg/ovs/openflow"
 	"github.com/vmware-tanzu/antrea/pkg/ovs/ovsconfig"
 	"github.com/vmware-tanzu/antrea/pkg/signals"
+	"github.com/vmware-tanzu/antrea/pkg/util/cipher"
 	"github.com/vmware-tanzu/antrea/pkg/version"
 	k8sproxy "github.com/vmware-tanzu/antrea/third_party/proxy"
 )
@@ -290,12 +291,18 @@ func run(o *Options) error {
 		go proxier.Run(stopCh)
 	}
 
+	cipherSuites, err := cipher.GenerateCipherSuitesList(o.config.TLSCipherSuites)
+	if err != nil {
+		return fmt.Errorf("error generating Cipher Suite list: %v", err)
+	}
 	apiServer, err := apiserver.New(
 		agentQuerier,
 		networkPolicyController,
 		o.config.APIPort,
 		o.config.EnablePrometheusMetrics,
-		o.config.ClientConnection.Kubeconfig)
+		o.config.ClientConnection.Kubeconfig,
+		cipherSuites,
+		cipher.TLSVersionMap[o.config.TLSMinVersion])
 	if err != nil {
 		return fmt.Errorf("error when creating agent API server: %v", err)
 	}

cmd/antrea-agent/config.go

@@ -127,4 +127,8 @@ type AgentConfig struct {
 	// Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
 	// Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
 	KubeAPIServerOverride string `yaml:"kubeAPIServerOverride,omitempty"`
+	// Cipher suites to use.
+	TLSCipherSuites string `yaml:"tlsCipherSuites,omitempty"`
+	// TLS min version.
+	TLSMinVersion string `yaml:"tlsMinVersion,omitempty"`
 }

cmd/antrea-controller/config.go

@@ -39,4 +39,8 @@ type ControllerConfig struct {
 	// antrea-controller container.
 	// Defaults to true.
 	SelfSignedCert bool `yaml:"selfSignedCert,omitempty"`
+	// Cipher suites to use.
+	TLSCipherSuites string `yaml:"tlsCipherSuites,omitempty"`
+	// TLS min version.
+	TLSMinVersion string `yaml:"tlsMinVersion,omitempty"`
 }