Provide CipherSuites option between Clients and Servers

[lzhecheng]

• Add options TLSCipherSuites, TLSMinVersion on Apiserver side of controller
  and agent.
• Add a util module cipher to support functionality and related UT.
• Add tls e2e tests to verify Apiserver of Antrea and Antrea agent.

Signed-off-by: Zhecheng [email protected]

[lgtm-com]

This pull request introduces 1 alert when merging 48a597c into c2c24d4 - view on LGTM.com

new alerts:

• 1 for Missing error check

[jianjuns]

LGTM.

[jianjuns]

Do you use the upper case for "Client" on purpose?

[lzhecheng]

Yes.

[jianjuns]

Probably remove "*" of "*tls.Config".

[lzhecheng]

Updated.

[antoninbas]

some minor comments, otherwise LGTM

I am just curious about why we are adding these parameters on the Agent / client side, and not adding them to the Controller to configure the apiserver?

[antoninbas]

Maybe we could match the K8s documentation here and add "If omitted, the default Go cipher suites will be used." And even add this link: https://golang.org/pkg/crypto/tls/#CipherSuites

[lzhecheng]

Updated. But I prefer this link since this one includes possible cipher suite value: https://golang.org/pkg/crypto/tls/#pkg-constants

[antoninbas]

s/with/given

[lzhecheng]

Updated to tls.Config with given cipher suites ...
Not sure if this is your intention or tls.Config given cipher suite ... but it sounds better for me.

[antoninbas]

s/appends into/appends to

[lzhecheng]

Updated.

[lzhecheng]

@antoninbas Yes, I only configured client side. The reason is that I added PreferServerCipherSuites: false so it should work. I also verified it with the e2e test I added.
Please share you concern if any.

[antoninbas]

@antoninbas Yes, I only configured client side. The reason is that I added PreferServerCipherSuites: false so it should work. I also verified it with the e2e test I added.
Please share you concern if any.

I think I was surprised because I thought we would add these flags for the servers, and not the clients. Similar to how these flags are available for kube-apiserver.

But my concern is also for APIServices. Don't you want a way to configure the TLS config for communications between kube-apiserver and the Antrea Controller apiserver? Or is this something you configure in K8s already?
Same thing for communications between antctl and the Agent / Controller apiserver.

[lgtm-com]

This pull request introduces 1 alert when merging 50e3d3c into ba703c0 - view on LGTM.com

new alerts:

• 1 for Missing error check

[lzhecheng]

24

@antoninbas Yes, I only configured client side. The reason is that I added PreferServerCipherSuites: false so it should work. I also verified it with the e2e test I added.
Please share you concern if any.

I think I was surprised because I thought we would add these flags for the servers, and not the clients. Similar to how these flags are available for kube-apiserver.

But my concern is also for APIServices. Don't you want a way to configure the TLS config for communications between kube-apiserver and the Antrea Controller apiserver? Or is this something you configure in K8s already?
Same thing for communications between antctl and the Agent / Controller apiserver.

In my mind, if someone wants to configure cipher suite, both k8s setup and this cipher suite option in Antrea will be configured. Then communication: "k8s apiserver - antrea apiserver" and "antrea apiserver - antrea client" will be ok.

As for antctl, I did try to add cipher suite option but it turned out that "insecure: true" cannot be set at the same time. I think maybe it is not needed by design.
https://github.com/vmware-tanzu/antrea/blob/main/pkg/antctl/client.go#L71

I am not so familiar with TLS cipher suite. So discussion on the design is highly welcomed. :)

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (main@c2c24d4). Click here to learn what that means.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1784   +/-   ##
=======================================
  Coverage        ?   42.91%           
=======================================
  Files           ?      111           
  Lines           ?    13651           
  Branches        ?        0           
=======================================
  Hits            ?     5858           
  Misses          ?     7298           
  Partials        ?      495           

Flag	Coverage Δ
unit-tests	42.91% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

[tnqn]

what does the comment mean? why is it needed?

[lzhecheng]

To ignore error for golangci-int. It says there's error on TLS MinVersion and MaxVersion.

[tnqn]

Name it TLSCipherSuites to be more specific and keep align with kubelet? https://github.com/kubernetes/kubernetes/blob/9d16b194840ee765b73c444054ca7666821f6991/staging/src/k8s.io/kubelet/config/v1beta1/types.go#L177

[lzhecheng]

Updated.

[tnqn]

Why does it construct the Transport .TLSClientConfig in a different way from inClusterConfig?
I think it won't verify server cert and name any more as they are not specified in TLSClientConfig, or it cannot even pass the verification as kubeConfig.TLSClientConfig and kubeConfig .Transport are both set.

[tnqn]

The parameter c *rest.Config seems unnecessary. It's not used in the function and we just need to create a tlsConfig for it. That's why the unit test needs to have some unnecessary setup code.

I think it could be moved to pkg/agent/client.go and be part of inClusterConfig.

	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(caBundle) {
		return fmt.Errorf("...")
	}
	tlsConfig.ServerName = cert.GetAntreaServerNames()[0]
	tlsConfig.RootCAs = certPool

	return &rest.Config{
		Host:            "https://" + net.JoinHostPort(host, port),
		Transport:       &http.Transport{TLSClientConfig: tlsConfig},
		BearerToken:     string(token),
		BearerTokenFile: tokenFile,
	}, nil

[lzhecheng]

Actually not, c.Transport is set at L65 with all those options (CipherSuites, TLSVersion).

[tnqn]

license header

[lzhecheng]

Updated.

[tnqn]

Not sure if the test really cover any antrea logic. The PR doesn't change anything on server side but it's testing server response. Should it test agent can connect to controller when CipherSuites/ MinVersion/ MaxVersion is set?

[lzhecheng]

I use this test to mock the behavior on client side, with ciphersuite, tlsversion, PreferServerCipherSuites.

[tnqn]

Don't it need to set same TLS config for agent-apiserver communication?

[tnqn]

@antoninbas Yes, I only configured client side. The reason is that I added PreferServerCipherSuites: false so it should work. I also verified it with the e2e test I added.
Please share you concern if any.

I think I was surprised because I thought we would add these flags for the servers, and not the clients. Similar to how these flags are available for kube-apiserver.
But my concern is also for APIServices. Don't you want a way to configure the TLS config for communications between kube-apiserver and the Antrea Controller apiserver? Or is this something you configure in K8s already?
Same thing for communications between antctl and the Agent / Controller apiserver.

In my mind, if someone wants to configure cipher suite, both k8s setup and this cipher suite option in Antrea will be configured. Then communication: "k8s apiserver - antrea apiserver" and "antrea apiserver - antrea client" will be ok.

As for antctl, I did try to add cipher suite option but it turned out that "insecure: true" cannot be set at the same time. I think maybe it is not needed by design.
https://github.com/vmware-tanzu/antrea/blob/main/pkg/antctl/client.go#L71

I am not so familiar with TLS cipher suite. So discussion on the design is highly welcomed. :)

I also have same question as @antoninbas. Even PreferServerCipherSuites: false can make them communicate with the cipher suite the client chooses. There are a few reasons that may make server side configuration prefered:

1. Configuring it on server side can prevent insecure cipher suites from being used by any clients. It solves the issue of antctl, kube-apiserver as clients.
2. From the code, it seems the client library is not friendly to set cipher suite, while the server library is very friendly for this.
3. Guess the current e2e will only make sense when implementing it on server side, otherwise it's just testing http library.

[tnqn]

And for maxVersion, is it really useful? I see typically only minVersion is configurable.

[lzhecheng]

And for maxVersion, is it really useful? I see typically only minVersion is configurable.

I think usually TLS1.2 and TLS1.3 are used so minVersion can be configured to TLS1.2. But maybe someone prefers TLS1.2 then maxVersion can be set to TLS1.2.
If we choose apiserver side, then no need since there isn't one.

[lzhecheng]

For someone comes across this PR when configuring Cipher Suites for K8s, please pay attention that choose a proper one like "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".

[lzhecheng]

This PR is refactored to configure on apiserver side. PTAL.

[lzhecheng]

/test-e2e

[lzhecheng]

/test-ipv6-only-e2e

[antoninbas]

some nits

[antoninbas]

maybe names of subtests should simply be "ControllerApiserver" and "AgentApiserver". The name of the parent test ("TestTLSCipherSuites") will be used as a prefix in log outputs

[lzhecheng]

Updated.

[antoninbas]

what about "TestAntreaApiserverTLSConfig"?

[lzhecheng]

Updated.

[antoninbas]

there is an assert.True assertion

[lzhecheng]

Thank you. Updated.

[antoninbas]

same as above

[lzhecheng]

Updated.

[antoninbas]

I don't think we usually capitalize "apiserver"

[lzhecheng]

Used "apiserver"

[antoninbas]

suggest renaming tests to something else here, such as opensslConnectCommands

[lzhecheng]

Updated.

[antoninbas]

ignoring errors on purpose?

[lzhecheng]

Yes, since we just need to the check Cipher Suite used.

[antoninbas]

still it may be better to fail earlier if the command cannot be run for any reason (e.g. the Pod has crashed)

[lzhecheng]

Got it. Better to be prepared for anything possible. Updated.

[antoninbas]

LGTM

[antoninbas]

s/tc/c

[lzhecheng]

Updated.

[antoninbas]

still it may be better to fail earlier if the command cannot be run for any reason (e.g. the Pod has crashed)

[jianjuns]

I personally feel no need to explain the long reasons in yaml, but just describe the facts. We can move detailed explanation to comments on code. Up to you to decide.

[antoninbas]

I feel that everything is needed, except for the k8s.io/component-base mention and the github link

[jianjuns]

Yes, I meant "Antrea is using an old version of k8s.io/component-base" and "by default Antrea uses the Go "crypto" libraries".

[antoninbas]

Sounds good. I had suggested using "by default Antrea uses the Go "crypto" libraries" because I was thinking of user which may have their own FIPS compliant builds of Antrea by using a different crypto implementation. But in that case, it's not really our responsibility to document the behavior.

[lzhecheng]

Removed component-base and the link.

[lzhecheng]

Also "Go crypto libraries"

[jianjuns]

I do not understand this sentence - why "in other words", "the apiserver will always prefer TLS1.3 Cipher Suites whenever possible"? I cannot see the previous sentences are relevant to "the apiserver will always prefer TLS1.3 Cipher Suites whenever possible".

[antoninbas]

golang/go#29349

You cannot disable TLS1.3 Cipher Suites and they will always be preferred to the cipher suites you explicitly provide. So if you set tlsCipherSuites to <some TLS1.2 suite>, your choice will be ignored if the client supports TLS 1.3

[jianjuns]

Should we just explicitly declare the two points: TLS1.3 cipher suites cannot be listed; but apiserver will always prefer TLS1.3 when it is supported by the client?

[lzhecheng]

I think @jianjuns 's concern is that "in other words" isn't proper here. I changed it to "actually". Do you think it is better?

[jianjuns]

How about:

Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always prefer TLS1.3 Cipher Suites whenever possible.

[lzhecheng]

Updated.

[lzhecheng]

/test-all
/test-ipv6-all
/test-ipv6-only-all

[lzhecheng]

/test-e2e

[antoninbas]

LGTM

[lzhecheng]

ipv6-only-e2e is successful according to Jenkins output.
/test-ipv6-only-networkpolicy
/test-windows-conformance

[lzhecheng]

/test-ipv6-only-networkpolicy

[lzhecheng]

All tests are successful.