Skip to content

Commit

Permalink
set golang's default secure cipher suites as etcd's cipher suites
Browse files Browse the repository at this point in the history 
Signed-off-by: zhzhuang-zju <[email protected]>
  • Loading branch information
@zhzhuang-zju
zhzhuang-zju committed Nov 16, 2023
1 parent 4d6e9d7 commit 1742a8f
Show file tree
Hide file tree
Showing 4 changed files with 7 additions and 1 deletion.
1 change: 1 addition & 0 deletions artifacts/deploy/karmada-etcd.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ spec:
- --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt
- --data-dir=/var/lib/etcd
- --snapshot-count=10000
- --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
volumes:
- hostPath:
path: /var/lib/karmada-etcd
Expand Down
1 change: 1 addition & 0 deletions charts/karmada/templates/etcd.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,7 @@ spec:
- --key-file=/etc/kubernetes/pki/etcd/karmada.key
- --trusted-ca-file=/etc/kubernetes/pki/etcd/server-ca.crt
- --data-dir=/var/lib/etcd
- --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
volumes:
- name: etcd-cert
secret:
Expand Down
1 change: 1 addition & 0 deletions operator/pkg/controlplane/etcd/mainfests.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ spec:
- --data-dir=/var/lib/etcd
- --snapshot-count=10000
- --log-level=debug
- --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
env:
- name: KARMADA_ETCD_NAME
valueFrom:
Expand Down
5 changes: 4 additions & 1 deletion pkg/karmadactl/cmdinit/kubernetes/statefulset.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,8 @@ const (
etcdEnvPodName = "POD_NAME"
etcdEnvPodIP = "POD_IP"
//secrets name
etcdCertName = "etcd-cert"
etcdCertName = "etcd-cert"
etcdCipherSuites = "[\"TLS_RSA_WITH_AES_128_CBC_SHA\",\"TLS_RSA_WITH_AES_256_CBC_SHA\",\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_AES_128_GCM_SHA256\",\"TLS_AES_256_GCM_SHA384\",\"TLS_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA\",\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\",\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\",\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\",\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\",\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305\"]"
)

var (
Expand Down Expand Up @@ -141,6 +142,7 @@ listen-client-urls: https://${%s}:%v,http://127.0.0.1:%v
initial-advertise-peer-urls: http://${%s}:%v
advertise-client-urls: https://${%s}.%s.%s.svc.%s:%v
data-dir: %s
cipher-suites: %s
`,
etcdContainerConfigDataMountPath, etcdConfigName,
Expand All @@ -159,6 +161,7 @@ data-dir: %s
i.Namespace, i.HostClusterDomain,
etcdContainerClientPort,
etcdContainerDataVolumeMountPath,
etcdCipherSuites,
),
}

Expand Down

0 comments on commit 1742a8f

Please sign in to comment.