Provide CipherSuites option between Clients and Servers (#1784)

* Add options TLSCipherSuites, TLSMinVersion on Apiserver side of controller
and agent.
* Add a util module cipher to support functionality and related UT.
* Add tls e2e tests to verify Apiserver of Antrea and Antrea agent.

Signed-off-by: Zhecheng Li <[email protected]>

build/yamls/antrea-aks.yml

@@ -1393,6 +1393,15 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+    # prefer TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1444,12 +1453,21 @@ data:
     # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
     # antrea-controller container.
     #selfSignedCert: true
+
+    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+    # prefer TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-7d66b472ff
+  name: antrea-config-gt6f55df69
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1560,7 +1578,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-gt6f55df69
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1824,7 +1842,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-gt6f55df69
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -1393,6 +1393,15 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+    # prefer TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1444,12 +1453,21 @@ data:
     # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
     # antrea-controller container.
     #selfSignedCert: true
+
+    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+    # prefer TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-7d66b472ff
+  name: antrea-config-gt6f55df69
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1560,7 +1578,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-gt6f55df69
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1826,7 +1844,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-7d66b472ff
+          name: antrea-config-gt6f55df69
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -1393,6 +1393,15 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+    # prefer TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1444,12 +1453,21 @@ data:
     # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
     # antrea-controller container.
     #selfSignedCert: true
+
+    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+    # prefer TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-8hc5c7g4hb
+  name: antrea-config-56ghk45g94
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1560,7 +1578,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-8hc5c7g4hb
+          name: antrea-config-56ghk45g94
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1827,7 +1845,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-8hc5c7g4hb
+          name: antrea-config-56ghk45g94
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -1398,6 +1398,15 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+    # prefer TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1449,12 +1458,21 @@ data:
     # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
     # antrea-controller container.
     #selfSignedCert: true
+
+    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+    # prefer TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-k7574f7tdc
+  name: antrea-config-c5f94kkkd9
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1574,7 +1592,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-k7574f7tdc
+          name: antrea-config-c5f94kkkd9
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1873,7 +1891,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-k7574f7tdc
+          name: antrea-config-c5f94kkkd9
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -1398,6 +1398,15 @@ data:
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
     #kubeAPIServerOverride: ""
+
+    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+    # prefer TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1449,12 +1458,21 @@ data:
     # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
     # antrea-controller container.
     #selfSignedCert: true
+
+    # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+    # https://golang.org/pkg/crypto/tls/#pkg-constants
+    # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+    # prefer TLS1.3 Cipher Suites whenever possible.
+    #tlsCipherSuites:
+
+    # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    #tlsMinVersion:
 kind: ConfigMap
 metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-2m4ktcghmf
+  name: antrea-config-6h4c4bttfd
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1565,7 +1583,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-2m4ktcghmf
+          name: antrea-config-6h4c4bttfd
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1829,7 +1847,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-2m4ktcghmf
+          name: antrea-config-6h4c4bttfd
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/conf/antrea-agent.conf

@@ -120,3 +120,12 @@ featureGates:
 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
 # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
 #kubeAPIServerOverride: ""
+
+# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+# https://golang.org/pkg/crypto/tls/#pkg-constants
+# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+# prefer TLS1.3 Cipher Suites whenever possible.
+#tlsCipherSuites:
+
+# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+#tlsMinVersion:

build/yamls/base/conf/antrea-controller.conf

@@ -27,3 +27,12 @@ featureGates:
 # And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
 # antrea-controller container.
 #selfSignedCert: true
+
+# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+# https://golang.org/pkg/crypto/tls/#pkg-constants
+# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+# prefer TLS1.3 Cipher Suites whenever possible.
+#tlsCipherSuites:
+
+# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+#tlsMinVersion:

cmd/antrea-agent/agent.go

@@ -51,6 +51,7 @@ import (
 	ofconfig "github.com/vmware-tanzu/antrea/pkg/ovs/openflow"
 	"github.com/vmware-tanzu/antrea/pkg/ovs/ovsconfig"
 	"github.com/vmware-tanzu/antrea/pkg/signals"
+	"github.com/vmware-tanzu/antrea/pkg/util/cipher"
 	"github.com/vmware-tanzu/antrea/pkg/version"
 	k8sproxy "github.com/vmware-tanzu/antrea/third_party/proxy"
 )
@@ -303,12 +304,18 @@ func run(o *Options) error {
 		go proxier.Run(stopCh)
 	}
 
+	cipherSuites, err := cipher.GenerateCipherSuitesList(o.config.TLSCipherSuites)
+	if err != nil {
+		return fmt.Errorf("error generating Cipher Suite list: %v", err)
+	}
 	apiServer, err := apiserver.New(
 		agentQuerier,
 		networkPolicyController,
 		o.config.APIPort,
 		o.config.EnablePrometheusMetrics,
-		o.config.ClientConnection.Kubeconfig)
+		o.config.ClientConnection.Kubeconfig,
+		cipherSuites,
+		cipher.TLSVersionMap[o.config.TLSMinVersion])
 	if err != nil {
 		return fmt.Errorf("error when creating agent API server: %v", err)
 	}

cmd/antrea-agent/config.go

@@ -127,4 +127,8 @@ type AgentConfig struct {
 	// Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
 	// Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
 	KubeAPIServerOverride string `yaml:"kubeAPIServerOverride,omitempty"`
+	// Cipher suites to use.
+	TLSCipherSuites string `yaml:"tlsCipherSuites,omitempty"`
+	// TLS min version.
+	TLSMinVersion string `yaml:"tlsMinVersion,omitempty"`
 }

cmd/antrea-controller/config.go

@@ -39,4 +39,8 @@ type ControllerConfig struct {
 	// antrea-controller container.
 	// Defaults to true.
 	SelfSignedCert bool `yaml:"selfSignedCert,omitempty"`
+	// Cipher suites to use.
+	TLSCipherSuites string `yaml:"tlsCipherSuites,omitempty"`
+	// TLS min version.
+	TLSMinVersion string `yaml:"tlsMinVersion,omitempty"`
 }