Commit
feat: Support tls-cipher-suite configuration for kubelet
okozachenko1203 committed Dec 6, 2023
1 parent c1047f4 commit 5010c9a
Showing 2 changed files with 80 additions and 9 deletions.
24 changes: 16 additions & 8 deletions docs/user/labels.md
@@ -137,6 +137,14 @@ is often accomplished by deploying a driver on each node.

## Kubernetes

* `api_server_tls_cipher_suites`

Specify the list of TLS cipher suites to use for the Kubernetes API server,
separated by commas. If not specified, the default list of cipher suites
will be used using the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=go&config=intermediate).

Default value: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`

* `auto_healing_enabled`

Enable auto-healing for the cluster. This will automatically replace failed
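Review bot: wording nit in the new `api_server_tls_cipher_suites` paragraph: "the default list of cipher suites will be used using the Mozilla SSL Configuration Generator" reads awkwardly and does not say which profile the default corresponds to, even though the link already carries `config=intermediate`. Suggest: "If not specified, the default list below is used; it matches the intermediate profile of the Mozilla SSL Configuration Generator."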
@@ -152,6 +160,14 @@ is often accomplished by deploying a driver on each node.

Default value: `false`

* `kubelet_tls_cipher_suites`

Specify the list of TLS cipher suites to use in communication between the
kubelet and applications, separated by commas. If not specified, the
default list of cipher suites will be used.

Default value: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`

* `kube_tag`

The version of Kubernetes to use.
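Review bot: the description "communication between the kubelet and applications" is imprecise; the kubelet's `--tls-cipher-suites` flag governs the kubelet's own HTTPS serving endpoint (the one the API server connects to for logs, exec and metrics), not connections the kubelet initiates. Suggest rewording to "to use for the kubelet's HTTPS server". Unlike the API server entry above, this one also does not say where its default list comes from; a sentence noting that the default is ECDSA-only (there are no `TLS_ECDHE_RSA_*` entries) would help operators decide whether it fits their certificates.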
@@ -166,14 +182,6 @@ is often accomplished by deploying a driver on each node.

Default value: `true`

* `tls_cipher_suites`

Specify the list of TLS cipher suites to use for the Kubernetes API server,
separated by commas. If not specified, the default list of cipher suites
will be used using the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=go&config=intermediate).

Default value: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`

## OIDC

* `oidc_issuer_url`
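Review bot: deleting the `tls_cipher_suites` entry outright leaves users of the old label with no pointer to its replacement. Suggest keeping a short line under `api_server_tls_cipher_suites` such as "Previously named `tls_cipher_suites`; the old name is no longer read", or leaving the old entry in place marked deprecated for one release, so the rename is discoverable from the docs.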
65 changes: 64 additions & 1 deletion magnum_cluster_api/resources.py
@@ -1004,6 +1004,15 @@ def get_object(self) -> objects.ClusterClass:
},
},
},
{
"name": "kubeletTLSCipherSuites",
"required": True,
"schema": {
"openAPIV3Schema": {
"type": "string",
},
},
},
{
"name": "nodeCidr",
"required": True,
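Review bot: the `kubeletTLSCipherSuites` schema is a bare `"type": "string"`, so a malformed label value (a lowercase suite name, a stray space after a comma) is accepted by the ClusterClass and only surfaces when the kubelet on the new node refuses to start. Since the value is always a comma-separated list of `TLS_*` identifiers, consider adding `"pattern": "^TLS_[A-Z0-9_]+(,TLS_[A-Z0-9_]+)*$"` and `"minLength": 1` to the `openAPIV3Schema` so bad input is rejected at cluster creation, where the error is visible to the user.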
@@ -1571,6 +1580,20 @@ def get_object(self) -> objects.ClusterClass:
"variable": "apiServerTLSCipherSuites",
},
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/initConfiguration/nodeRegistration/kubeletExtraArgs/tls-cipher-suites", # noqa: E501
"valueFrom": {
"variable": "kubeletTLSCipherSuites",
},
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/joinConfiguration/nodeRegistration/kubeletExtraArgs/tls-cipher-suites", # noqa: E501
"valueFrom": {
"variable": "kubeletTLSCipherSuites",
},
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/files/-",
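Review bot: both new control-plane patches use `op: add` on `.../nodeRegistration/kubeletExtraArgs/tls-cipher-suites`; an RFC 6902 `add` requires the parent object (`kubeletExtraArgs`) to already exist in the KubeadmControlPlaneTemplate, otherwise the patch fails to apply and the cluster never reconciles. Please confirm the template defines `kubeletExtraArgs` under both `initConfiguration` and `joinConfiguration`, or add an empty map there in this commit.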
@@ -1662,6 +1685,38 @@ def get_object(self) -> objects.ClusterClass:
},
],
},
{
"name": "workerConfig",
"definitions": [
{
"selector": {
"apiVersion": objects.KubeadmConfigTemplate.version,
"kind": objects.KubeadmConfigTemplate.kind,
"matchResources": {
"machineDeploymentClass": {
"names": ["default-worker"],
}
},
},
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/clusterConfiguration/initConfiguration/nodeRegistration/kubeletExtraArgs/tls-cipher-suites", # noqa: E501
"valueFrom": {
"variable": "kubeletTLSCipherSuites",
},
},
{
"op": "add",
"path": "/spec/template/spec/clusterConfiguration/joinConfiguration/nodeRegistration/kubeletExtraArgs/tls-cipher-suites", # noqa: E501
"valueFrom": {
"variable": "kubeletTLSCipherSuites",
},
},
],
},
],
},
],
},
},
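Review bot: the two worker paths look wrong: `/spec/template/spec/clusterConfiguration/initConfiguration/...` nests `initConfiguration` under `clusterConfiguration`, but in `KubeadmConfigTemplate` (as in `KubeadmConfigSpec` generally) `clusterConfiguration`, `initConfiguration` and `joinConfiguration` are siblings directly under `spec.template.spec`; compare the control-plane patches earlier in this commit, which use `.../kubeadmConfigSpec/initConfiguration/...` with no `clusterConfiguration` segment. As written the `add` fails because the parent path does not exist. The join path should be `/spec/template/spec/joinConfiguration/nodeRegistration/kubeletExtraArgs/tls-cipher-suites`, and the `initConfiguration` patch can be dropped for workers, since machines in a MachineDeployment only ever run `kubeadm join`.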
@@ -1857,7 +1912,7 @@ def get_object(self) -> objects.Cluster:
"name": "apiServerTLSCipherSuites",
"value": utils.get_cluster_label(
self.cluster,
"tls_cipher_suites",
"api_server_tls_cipher_suites",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", # noqa: E501
),
},
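Review bot: switching the lookup from `tls_cipher_suites` to `api_server_tls_cipher_suites` is a silent behaviour change: a cluster template that still sets `tls_cipher_suites` no longer has its value honoured and quietly falls back to the default list. Suggest reading the new label first and falling back to the legacy one for at least one release, e.g. `utils.get_cluster_label(self.cluster, "api_server_tls_cipher_suites", utils.get_cluster_label(self.cluster, "tls_cipher_suites", DEFAULT))`, with a deprecation log line when the old name is hit, and calling out the rename in the changelog.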
@@ -2001,6 +2056,14 @@ def get_object(self) -> objects.Cluster:
self.context,
),
},
{
"name": "kubeletTLSCipherSuites",
"value": utils.get_cluster_label(
self.cluster,
"kubelet_tls_cipher_suites",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", # noqa: E501
),
},
{
"name": "nodeCidr",
"value": utils.get_cluster_label(
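Review bot: the kubelet default list is ECDSA-only (`TLS_ECDHE_ECDSA_*`), whereas the API-server default a few lines earlier also includes the `TLS_ECDHE_RSA_*` counterparts. If a node's kubelet serving certificate carries an RSA key, none of these suites can be negotiated and the API server can no longer reach that kubelet for logs or exec, so please verify the key type of the kubelet serving certificate on a deployed node, or include the RSA suites as the API-server default does. Separately, the same default string now appears verbatim in `docs/user/labels.md` and here; hoisting both defaults into module-level constants would keep the two from drifting.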

0 comments on commit 5010c9a