From f5dc9cc51e271030811ab1b7c39dc30aa19a711e Mon Sep 17 00:00:00 2001 From: Phil Cameron Date: Tue, 6 Jun 2017 16:30:29 -0400 Subject: [PATCH 1/2] Update router cipher suites From https://wiki.mozilla.org/Security/Server_Side_TLS update the three cipher suites: # Modern cipher suite (no legacy browser support) - not currently used # Intermediate cipher suite (default) - currently used # Old cipher suite (maximum compatibility but insecure) - not currently used --- images/router/haproxy/conf/haproxy-config.template | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template index c86415dd598e..77c17695db9d 100644 --- a/images/router/haproxy/conf/haproxy-config.template +++ b/images/router/haproxy/conf/haproxy-config.template 
@@ -29,15 +29,15 @@ global # Modern cipher suite (no legacy browser support) from https://wiki.mozilla.org/Security/Server_Side_TLS # tune.ssl.default-dh-param 2048 - # ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + # ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 # Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS tune.ssl.default-dh-param 2048 - ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA + ssl-default-bind-ciphers 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS # Old cipher suite (maximum compatibility but insecure) from https://wiki.mozilla.org/Security/Server_Side_TLS # tune.ssl.default-dh-param 1024 - # ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA + # ssl-default-bind-ciphers 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP defaults maxconn {{env "ROUTER_MAX_CONNECTIONS" "20000"}} From f2896fc8ba911f9aa508f55c6b843a663d352749 Mon Sep 17 00:00:00 2001 
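Review bot: The intermediate list that becomes the active `ssl-default-bind-ciphers` is copied verbatim from a page that changes over time, and the hunk records neither which revision it was taken from nor why the 3DES suites (`DES-CBC3-SHA`, `ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) are kept, so a later reader cannot tell whether the list is stale or whether dropping the 64-bit-block suites is safe for this deployment. I would extend the comment above the active line to `# Intermediate cipher suite (default), Mozilla Server Side TLS snapshot <YYYY-MM-DD> - 3DES entries retained only for legacy clients; refresh when upstream changes`, with the placeholder date filled in from the wiki revision actually used. The same note applies to the commented-out modern and old lists in this hunk.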
From: Phil Cameron Date: Tue, 6 Jun 2017 17:06:09 -0400 Subject: [PATCH 2/2] Allow specifying haproxy SSL Cipher list The user can select from among 3 predefined cipher lists: modern, intermediate, or old. Alternatively the user may provide a custom cipher list see "man 1 ciphers". The list is used to negotiate a cipher between a user and haproxy during bind. The predefined lists are from: https://wiki.mozilla.org/Security/Server_Side_TLS A new option to "oc adm router", --ciphers, is added to specify the cipher list. The values are modern|intermediate|old, or a ":" separated list of ciphers from "man 1 ciphers" Option --ciphers creates an environment variable, ROUTER_CIPHERS, which is passed to the router pod. See https://trello.com/c/oeP7vrTZ --- contrib/completions/bash/oadm | 2 ++ contrib/completions/bash/oc | 2 ++ contrib/completions/bash/openshift | 6 +++++ contrib/completions/zsh/oadm | 2 ++ contrib/completions/zsh/oc | 2 ++ contrib/completions/zsh/openshift | 6 +++++ .../haproxy/conf/haproxy-config.template | 26 ++++++++++++++++--- pkg/cmd/admin/router/router.go | 6 +++++ pkg/cmd/infra/router/template.go | 3 +++ pkg/router/template/plugin.go | 1 + test/cmd/router.sh | 2 ++ 11 files changed, 54 insertions(+), 4 deletions(-) diff --git a/contrib/completions/bash/oadm b/contrib/completions/bash/oadm index 2e311aa4b211..f4cf132d8771 100644 --- a/contrib/completions/bash/oadm +++ b/contrib/completions/bash/oadm @@ -4739,6 +4739,8 @@ _oadm_router() flags_with_completion=() flags_completion=() + flags+=("--ciphers=") + local_nonpersistent_flags+=("--ciphers=") flags+=("--create") local_nonpersistent_flags+=("--create") flags+=("--default-cert=") diff --git a/contrib/completions/bash/oc b/contrib/completions/bash/oc index b611f23209fd..1add28246ca3 100644 --- a/contrib/completions/bash/oc +++ b/contrib/completions/bash/oc 
@@ -4742,6 +4742,8 @@ _oc_adm_router() flags_with_completion=() flags_completion=() + flags+=("--ciphers=") + local_nonpersistent_flags+=("--ciphers=") flags+=("--create") local_nonpersistent_flags+=("--create") flags+=("--default-cert=") diff --git a/contrib/completions/bash/openshift b/contrib/completions/bash/openshift index 325b46a84ce7..709f6f7df54c 100644 --- a/contrib/completions/bash/openshift +++ b/contrib/completions/bash/openshift @@ -4739,6 +4739,8 @@ _openshift_admin_router() flags_with_completion=() flags_completion=() + flags+=("--ciphers=") + local_nonpersistent_flags+=("--ciphers=") flags+=("--create") local_nonpersistent_flags+=("--create") flags+=("--default-cert=") @@ -9870,6 +9872,8 @@ _openshift_cli_adm_router() flags_with_completion=() flags_completion=() + flags+=("--ciphers=") + local_nonpersistent_flags+=("--ciphers=") flags+=("--create") local_nonpersistent_flags+=("--create") flags+=("--default-cert=") @@ -23201,6 +23205,8 @@ _openshift_infra_router() flags_with_completion+=("--certificate-authority") flags_completion+=("_filedir") local_nonpersistent_flags+=("--certificate-authority=") + flags+=("--ciphers=") + local_nonpersistent_flags+=("--ciphers=") flags+=("--client-certificate=") flags_with_completion+=("--client-certificate") flags_completion+=("_filedir") diff --git a/contrib/completions/zsh/oadm b/contrib/completions/zsh/oadm index fea315d83c05..a431ff504345 100644 --- a/contrib/completions/zsh/oadm +++ b/contrib/completions/zsh/oadm @@ -4888,6 +4888,8 @@ _oadm_router() flags_with_completion=() flags_completion=() + flags+=("--ciphers=") + local_nonpersistent_flags+=("--ciphers=") flags+=("--create") local_nonpersistent_flags+=("--create") flags+=("--default-cert=") diff --git a/contrib/completions/zsh/oc b/contrib/completions/zsh/oc index efef6196fc10..d065bf51ed14 100644 --- a/contrib/completions/zsh/oc +++ b/contrib/completions/zsh/oc 
@@ -4891,6 +4891,8 @@ _oc_adm_router() flags_with_completion=() flags_completion=() + flags+=("--ciphers=") + local_nonpersistent_flags+=("--ciphers=") flags+=("--create") local_nonpersistent_flags+=("--create") flags+=("--default-cert=") diff --git a/contrib/completions/zsh/openshift b/contrib/completions/zsh/openshift index ccff6c7a83ee..f14a75851e40 100644 --- a/contrib/completions/zsh/openshift +++ b/contrib/completions/zsh/openshift @@ -4888,6 +4888,8 @@ _openshift_admin_router() flags_with_completion=() flags_completion=() + flags+=("--ciphers=") + local_nonpersistent_flags+=("--ciphers=") flags+=("--create") local_nonpersistent_flags+=("--create") flags+=("--default-cert=") @@ -10019,6 +10021,8 @@ _openshift_cli_adm_router() flags_with_completion=() flags_completion=() + flags+=("--ciphers=") + local_nonpersistent_flags+=("--ciphers=") flags+=("--create") local_nonpersistent_flags+=("--create") flags+=("--default-cert=") @@ -23350,6 +23354,8 @@ _openshift_infra_router() flags_with_completion+=("--certificate-authority") flags_completion+=("_filedir") local_nonpersistent_flags+=("--certificate-authority=") + flags+=("--ciphers=") + local_nonpersistent_flags+=("--ciphers=") flags+=("--client-certificate=") flags_with_completion+=("--client-certificate") flags_completion+=("_filedir") diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template index 77c17695db9d..12ebe1b857db 100644 --- a/images/router/haproxy/conf/haproxy-config.template +++ b/images/router/haproxy/conf/haproxy-config.template 
@@ -27,17 +27,35 @@ global # TODO: use when 1.5.14 is available # ssl-default-bind-options no-sslv3 +# The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS, +# or the user can provide one using the ROUTER_CIPHERS environment variable. +# By default when a cipher set is not provided, intermediate is used. +{{- if eq (env "ROUTER_CIPHERS" "intermediate") "modern" }} # Modern cipher suite (no legacy browser support) from https://wiki.mozilla.org/Security/Server_Side_TLS - # tune.ssl.default-dh-param 2048 - # ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + tune.ssl.default-dh-param 2048 + ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 +{{ else }} + {{- if eq (env "ROUTER_CIPHERS" "intermediate") "intermediate" }} # Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS tune.ssl.default-dh-param 2048 ssl-default-bind-ciphers 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + {{ else }} + + {{- if eq (env "ROUTER_CIPHERS" "intermediate") "old" }} # Old cipher suite (maximum compatibility but insecure) from https://wiki.mozilla.org/Security/Server_Side_TLS - # tune.ssl.default-dh-param 1024 - # ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP + tune.ssl.default-dh-param 1024 + ssl-default-bind-ciphers 
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP + + {{- else }} + # user provided list of ciphers (Colon separated list as seen above) + # the env default is not used here since we can't get here with empty ROUTER_CIPHERS + tune.ssl.default-dh-param 2048 + ssl-default-bind-ciphers {{env "ROUTER_CIPHERS" "ECDHE-ECDSA-CHACHA20-POLY1305"}} + {{- end }} + {{- end }} +{{- end }} defaults maxconn {{env "ROUTER_MAX_CONNECTIONS" "20000"}} diff --git a/pkg/cmd/admin/router/router.go b/pkg/cmd/admin/router/router.go index ddd60eddb8fc..ce8b9e9755ae 100644 --- a/pkg/cmd/admin/router/router.go +++ b/pkg/cmd/admin/router/router.go @@ -226,6 +226,10 @@ type RouterConfig struct { // MetricsImage is the image to run a sidecar container with in the router // pod. MetricsImage string + + // Ciphers is the set of ciphers to use with bind + // modern | intermediate | old | set of cihers + Ciphers string } const ( 
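Review bot: The final `{{- else }}` branch renders `ROUTER_CIPHERS` straight into the haproxy `global` section, and nothing in this patch validates the value before it gets there (the `--ciphers` flags added in pkg/cmd/admin/router/router.go and pkg/cmd/infra/router/template.go accept any string); a value containing whitespace or a newline would be emitted as further configuration directives rather than as a cipher list, and a list that matches no suite is only discovered when haproxy fails to start. I would reject values containing whitespace at the flag (`NewCmdRouter`/`RunCmdRouter` in router.go is where the value enters the pod spec) and restrict them to the characters an OpenSSL cipher string uses, so the template can treat the value as already checked. The fallback `"ECDHE-ECDSA-CHACHA20-POLY1305"` on the same line is unreachable, as the comment above it says, and would pin a single suite if it ever were reached; the default should be the same `"intermediate"` used by the three `eq` tests. The nested `{{- if }}`/`{{ else }}` blocks also mix trimmed and untrimmed markers, so blank-line output differs between branches; binding the value once and using `else if` flattens the chain as below.
```haproxy
{{- $ciphers := env "ROUTER_CIPHERS" "intermediate" }}
{{- if eq $ciphers "modern" }}
  # … unchanged: modern profile comment, tune.ssl.default-dh-param 2048 and its ssl-default-bind-ciphers line …
{{- else if eq $ciphers "intermediate" }}
  # … unchanged: intermediate profile block …
{{- else if eq $ciphers "old" }}
  # … unchanged: old profile block …
{{- else }}
  # user provided list (colon separated); the --ciphers flag rejects whitespace before the value reaches the pod
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers {{ $ciphers }}
{{- end }}
```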
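Review bot: The doc comment on the new `Ciphers` field in `RouterConfig` misspells "ciphers" as "cihers" and does not say how the value reaches the router or what an empty value means; the field is copied into the pod environment as `ROUTER_CIPHERS` in the `RunCmdRouter` hunk, and the haproxy template falls back to intermediate when that variable is empty. I would replace the two comment lines with `// Ciphers selects the TLS cipher list exported to the router pod as ROUTER_CIPHERS:` / `// "modern", "intermediate", "old", or a colon-separated OpenSSL cipher string.` / `// Empty leaves the choice to the router template (currently intermediate).`. The struct's header is outside the hunk.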
@@ -305,6 +309,7 @@ func NewCmdRouter(f *clientcmd.Factory, parentName, name string, out, errout io.
 cmd.Flags().StringVar(&cfg.ExternalHostPartitionPath, "external-host-partition-path", cfg.ExternalHostPartitionPath, "If the underlying router implementation uses partitions for control boundaries, this is the path to use for that partition.")
 cmd.Flags().BoolVar(&cfg.DisableNamespaceOwnershipCheck, "disable-namespace-ownership-check", cfg.DisableNamespaceOwnershipCheck, "Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.")
 cmd.Flags().StringVar(&cfg.MaxConnections, "max-connections", cfg.MaxConnections, "Specifies the maximum number of concurrent connections. Not supported for F5.")
+ cmd.Flags().StringVar(&cfg.Ciphers, "ciphers", cfg.Ciphers, "Specifies the cipher suites to use. You can choose a predefined cipher set ('modern', 'intermediate', or 'old') or specify exact cipher suites by passing a : separated list. Not supported for F5.")
 cfg.Action.BindForOutput(cmd.Flags())
 cmd.Flags().String("output-version", "", "The preferred API versions of the output objects")
@@ -644,6 +649,7 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write
 "ROUTER_EXTERNAL_HOST_PRIVKEY": privkeyPath,
 "ROUTER_EXTERNAL_HOST_INTERNAL_ADDRESS": cfg.ExternalHostInternalIP,
 "ROUTER_EXTERNAL_HOST_VXLAN_GW_CIDR": cfg.ExternalHostVxLANGateway,
+ "ROUTER_CIPHERS": cfg.Ciphers,
 "STATS_PORT": strconv.Itoa(cfg.StatsPort),
 "STATS_USERNAME": cfg.StatsUsername,
 "STATS_PASSWORD": cfg.StatsPassword,
diff --git a/pkg/cmd/infra/router/template.go b/pkg/cmd/infra/router/template.go
index a68d6ad666ff..b0d91aeaa9d3 100644
--- a/pkg/cmd/infra/router/template.go
+++ b/pkg/cmd/infra/router/template.go
@@ -71,6 +71,7 @@ type TemplateRouter struct {
 RouterService *ktypes.NamespacedName
 BindPortsAfterSync bool
 MaxConnections string
+ Ciphers string
 MetricsType string
 }
@@ -100,6 +101,7 @@ func (o *TemplateRouter) Bind(flag *pflag.FlagSet) {
 flag.BoolVar(&o.ExtendedValidation, "extended-validation", util.Env("EXTENDED_VALIDATION", "true") == "true", "If set, then an additional extended validation step is performed on all routes admitted in by this router. Defaults to true and enables the extended validation checks.")
 flag.BoolVar(&o.BindPortsAfterSync, "bind-ports-after-sync", util.Env("ROUTER_BIND_PORTS_AFTER_SYNC", "") == "true", "Bind ports only after route state has been synchronized")
 flag.StringVar(&o.MaxConnections, "max-connections", util.Env("ROUTER_MAX_CONNECTIONS", ""), "Specifies the maximum number of concurrent connections.")
+ flag.StringVar(&o.Ciphers, "ciphers", util.Env("ROUTER_CIPHERS", ""), "Specifies the cipher suites to use. You can choose a predefined cipher set ('modern', 'intermediate', or 'old') or specify exact cipher suites by passing a : separated list.")
 flag.StringVar(&o.MetricsType, "metrics-type", util.Env("ROUTER_METRICS_TYPE", ""), "Specifies the type of metrics to gather. Supports 'haproxy'.")
 }
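Review bot: The `--ciphers` flag added in the `Bind` hunk stores its value in `o.Ciphers`, which the `Run` hunk in the same file copies into `TemplatePluginConfig.Ciphers`, but no code in this patch reads that field afterwards (the pkg/router/template/plugin.go hunk only declares it), while the haproxy template consumes the `ROUTER_CIPHERS` environment variable directly. Unless a consumer outside this diff exports the field, passing `--ciphers` to the infra router without setting `ROUTER_CIPHERS` appears to have no effect, and the flag's help text does not say so. Either the plugin should make the value visible to the template, or the help string should state the real contract, e.g. appending `Also read from ROUTER_CIPHERS; the haproxy template currently honours only the environment variable.`. The `RunCmdRouter` map hunk on this line looks fine as far as it goes, though it seems to emit `ROUTER_CIPHERS` even when empty and relies on the template default to recover.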
@@ -299,6 +301,7 @@ func (o *TemplateRouterOptions) Run() error {
 IncludeUDP: o.RouterSelection.IncludeUDP,
 AllowWildcardRoutes: o.RouterSelection.AllowWildcardRoutes,
 MaxConnections: o.MaxConnections,
+ Ciphers: o.Ciphers,
 }
 oc, kc, err := o.Config.Clients()
diff --git a/pkg/router/template/plugin.go b/pkg/router/template/plugin.go
index f8819668823e..c9661e03a1f4 100644
--- a/pkg/router/template/plugin.go
+++ b/pkg/router/template/plugin.go
@@ -54,6 +54,7 @@ type TemplatePluginConfig struct {
 PeerService *ktypes.NamespacedName
 BindPortsAfterSync bool
 MaxConnections string
+ Ciphers string
 }
 // routerInterface controls the interaction of the plugin with the underlying router implementation
diff --git a/test/cmd/router.sh b/test/cmd/router.sh
index 84aa9acb333e..e37ec4642418 100755
--- a/test/cmd/router.sh
+++ b/test/cmd/router.sh
@@ -42,6 +42,8 @@ os::cmd::expect_failure_and_text 'oadm router --dry-run --host-network=false --h
 os::cmd::expect_failure_and_text 'oadm router --dry-run --host-network=false --host-ports=false --router-canonical-hostname=1.2.3.4 -o yaml' 'error: canonical hostname must not be an IP address'
 # max_conn
 os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --max-connections=14583 -o yaml' '14583'
+# ciphers
+os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --ciphers=modern -o yaml' 'modern'
 # mount tls crt as secret
 os::cmd::expect_success_and_not_text 'oadm router --dry-run --host-network=false --host-ports=false -o yaml' 'value: /etc/pki/tls/private/tls.crt'
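Review bot: The new assertion in test/cmd/router.sh only checks that the string `modern` appears somewhere in the rendered YAML, which it could do independently of the new environment entry; the neighbouring `tls.crt` check on the next line shows the stronger pattern of matching the rendered `value:`. I would match the env value instead: `os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --ciphers=modern -o yaml' 'value: modern'`, and once the flag validates its input add an `os::cmd::expect_failure_and_text` case for a value containing whitespace.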