Merge pull request #4253 from zhzhuang-zju/tls-etcd

set golang's secure cipher suites as etcd's cipher suites
karmada-io · Nov 20, 2023 · d1598a9 · d1598a9
2 parents 79531ea + 9b1e18b
commit d1598a9
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 4 deletions.
diff --git a/artifacts/deploy/karmada-etcd.yaml b/artifacts/deploy/karmada-etcd.yaml
@@ -82,6 +82,10 @@ spec:
             - --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt
             - --data-dir=/var/lib/etcd
             - --snapshot-count=10000
+            # Setting Golang's secure cipher suites as etcd's cipher suites.
+            # They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+            # Consistent with the Preferred values of k8s’s default cipher suites.
+            - --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
       volumes:
         - hostPath:
             path: /var/lib/karmada-etcd

diff --git a/charts/karmada/templates/etcd.yaml b/charts/karmada/templates/etcd.yaml
@@ -97,6 +97,10 @@ spec:
             - --key-file=/etc/kubernetes/pki/etcd/karmada.key
             - --trusted-ca-file=/etc/kubernetes/pki/etcd/server-ca.crt
             - --data-dir=/var/lib/etcd
+            # Setting Golang's secure cipher suites as etcd's cipher suites.
+            # They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+            # Consistent with the Preferred values of k8s’s default cipher suites.
+            - --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
       volumes:
         - name: etcd-cert
           secret:

diff --git a/operator/pkg/controlplane/etcd/etcd.go b/operator/pkg/controlplane/etcd/etcd.go
@@ -9,6 +9,7 @@ import (
 	kuberuntime "k8s.io/apimachinery/pkg/runtime"
 	clientset "k8s.io/client-go/kubernetes"
 	clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/component-base/cli/flag"
 
 	operatorv1alpha1 "github.com/karmada-io/karmada/operator/pkg/apis/operator/v1alpha1"
 	"github.com/karmada-io/karmada/operator/pkg/constants"
@@ -47,7 +48,7 @@ func installKarmadaEtcd(client clientset.Interface, name, namespace string, cfg
 	etcdStatefulSetBytes, err := util.ParseTemplate(KarmadaEtcdStatefulSet, struct {
 		StatefulSetName, Namespace, Image, EtcdClientService string
 		CertsSecretName, EtcdPeerServiceName                 string
-		InitialCluster, EtcdDataVolumeName                   string
+		InitialCluster, EtcdDataVolumeName, EtcdCipherSuites string
 		Replicas, EtcdListenClientPort, EtcdListenPeerPort   int32
 	}{
 		StatefulSetName:      util.KarmadaEtcdName(name),
@@ -58,6 +59,7 @@ func installKarmadaEtcd(client clientset.Interface, name, namespace string, cfg
 		EtcdPeerServiceName:  util.KarmadaEtcdName(name),
 		EtcdDataVolumeName:   constants.EtcdDataVolumeName,
 		InitialCluster:       strings.Join(initialClusters, ","),
+		EtcdCipherSuites:     genEtcdCipherSuites(),
 		Replicas:             *cfg.Replicas,
 		EtcdListenClientPort: constants.EtcdListenClientPort,
 		EtcdListenPeerPort:   constants.EtcdListenPeerPort,
@@ -127,3 +129,10 @@ func createEtcdService(client clientset.Interface, name, namespace string) error
 
 	return nil
 }
+
+// Setting Golang's secure cipher suites as etcd's cipher suites.
+// They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+// Consistent with the Preferred values of k8s’s default cipher suites.
+func genEtcdCipherSuites() string {
+	return strings.Join(flag.PreferredTLSCipherNames(), ",")
+}
diff --git a/operator/pkg/controlplane/etcd/mainfests.go b/operator/pkg/controlplane/etcd/mainfests.go
@@ -44,7 +44,8 @@ spec:
         - --key-file=/etc/karmada/pki/etcd/etcd-server.key
         - --data-dir=/var/lib/etcd
         - --snapshot-count=10000
-        - --log-level=debug
+        - --log-level=debug=
+        - --cipher-suites={{ .EtcdCipherSuites }}
         env:
         - name: KARMADA_ETCD_NAME
           valueFrom:

diff --git a/pkg/karmadactl/cmdinit/kubernetes/statefulset.go b/pkg/karmadactl/cmdinit/kubernetes/statefulset.go
@@ -8,6 +8,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/component-base/cli/flag"
 	"k8s.io/utils/pointer"
 
 	"github.com/karmada-io/karmada/pkg/karmadactl/cmdinit/options"
@@ -35,8 +36,9 @@ const (
 
 var (
 	// appLabels remove via Labels karmada StatefulSet Deployment
-	appLabels  = map[string]string{"karmada.io/bootstrapping": "app-defaults"}
-	etcdLabels = map[string]string{"app": etcdStatefulSetAndServiceName}
+	appLabels        = map[string]string{"karmada.io/bootstrapping": "app-defaults"}
+	etcdLabels       = map[string]string{"app": etcdStatefulSetAndServiceName}
+	etcdCipherSuites = genEtcdCipherSuites()
 )
 
 func (i *CommandInitOption) etcdVolume() (*[]corev1.Volume, *corev1.PersistentVolumeClaim) {
@@ -141,6 +143,7 @@ listen-client-urls: https://${%s}:%v,http://127.0.0.1:%v
 initial-advertise-peer-urls: http://${%s}:%v
 advertise-client-urls: https://${%s}.%s.%s.svc.%s:%v
 data-dir: %s
+cipher-suites: %s
 
 `,
 			etcdContainerConfigDataMountPath, etcdConfigName,
@@ -159,6 +162,7 @@ data-dir: %s
 			i.Namespace, i.HostClusterDomain,
 			etcdContainerClientPort,
 			etcdContainerDataVolumeMountPath,
+			etcdCipherSuites,
 		),
 	}
 
@@ -350,3 +354,12 @@ func (i *CommandInitOption) makeETCDStatefulSet() *appsv1.StatefulSet {
 
 	return etcd
 }
+
+// Setting Golang's secure cipher suites as etcd's cipher suites.
+// They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+// Consistent with the Preferred values of k8s’s default cipher suites.
+func genEtcdCipherSuites() string {
+	cipherSuites := strings.Join(flag.PreferredTLSCipherNames(), "\",\"")
+	cipherSuites = "[\"" + cipherSuites + "\"]"
+	return cipherSuites
+}