diff --git a/pkg/clusterapi/apibuilder.go b/pkg/clusterapi/apibuilder.go
index 19c7b72c47d6..34e9f4c8f384 100644
--- a/pkg/clusterapi/apibuilder.go
+++ b/pkg/clusterapi/apibuilder.go
@@ -140,17 +140,17 @@ func KubeadmControlPlane(clusterSpec *cluster.Spec, infrastructureObject APIObje
 },
 },
 ControllerManager: bootstrapv1.ControlPlaneComponent{
- ExtraArgs: map[string]string{},
+ ExtraArgs: ControllerManagerArgs(clusterSpec),
 },
 },
 InitConfiguration: &bootstrapv1.InitConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
- KubeletExtraArgs: map[string]string{},
+ KubeletExtraArgs: SecureTlsCipherSuitesExtraArgs(),
 },
 },
 JoinConfiguration: &bootstrapv1.JoinConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
- KubeletExtraArgs: map[string]string{},
+ KubeletExtraArgs: SecureTlsCipherSuitesExtraArgs(),
 },
 },
 PreKubeadmCommands: []string{},
diff --git a/pkg/clusterapi/apibuilder_test.go b/pkg/clusterapi/apibuilder_test.go
index 6adb3d64751f..68af980b8028 100644
--- a/pkg/clusterapi/apibuilder_test.go
+++ b/pkg/clusterapi/apibuilder_test.go
@@ -225,17 +225,17 @@ func wantKubeadmControlPlane() *controlplanev1.KubeadmControlPlane {
 },
 },
 ControllerManager: bootstrapv1.ControlPlaneComponent{
- ExtraArgs: map[string]string{},
+ ExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 InitConfiguration: &bootstrapv1.InitConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
- KubeletExtraArgs: map[string]string{},
+ KubeletExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 JoinConfiguration: &bootstrapv1.JoinConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
- KubeletExtraArgs: map[string]string{},
+ KubeletExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 PreKubeadmCommands: []string{},
diff --git a/pkg/clusterapi/controllermanagerargs.go b/pkg/clusterapi/controllermanagerargs.go
new file mode 100644
index 000000000000..bc157f3dcf9a
--- /dev/null
+++ b/pkg/clusterapi/controllermanagerargs.go
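Review bot: The hardened cipher list is wired into the ControllerManager component and both kubelet NodeRegistration blocks, but nothing in this hunk sets `tls-cipher-suites` for kube-apiserver or kube-scheduler, which expose the same flag; the snow testdata hunk in this commit still shows `apiServer: {}`, so unless those components are configured elsewhere the API server keeps the default suite set while the kubelet and controller manager are restricted. I would either give the APIServer and Scheduler components of ClusterConfiguration the same `ExtraArgs: SecureTlsCipherSuitesExtraArgs()` treatment, or add a short comment on the ControllerManager line saying why they are intentionally left out. KubeadmControlPlane's body begins and ends outside the hunk.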
@@ -0,0 +1,10 @@
+package clusterapi
+
+import (
+ "github.com/aws/eks-anywhere/pkg/cluster"
+)
+
+func ControllerManagerArgs(clusterSpec *cluster.Spec) ExtraArgs {
+ return SecureTlsCipherSuitesExtraArgs().
+ Append(NodeCIDRMaskExtraArgs(&clusterSpec.Cluster.Spec.ClusterNetwork))
+}
diff --git a/pkg/clusterapi/controllermanagerargs_test.go b/pkg/clusterapi/controllermanagerargs_test.go
new file mode 100644
index 000000000000..e7d3629d3cc8
--- /dev/null
+++ b/pkg/clusterapi/controllermanagerargs_test.go
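Review bot: `ControllerManagerArgs` is exported but has no doc comment; from the accompanying test, `// ControllerManagerArgs returns the extra args for kube-controller-manager: the secure TLS cipher suites, plus node-cidr-mask-size when the cluster network specifies one.` would tell callers which two sources are merged. The function dereferences `clusterSpec.Cluster` with no nil check, so a spec whose `Cluster` pointer is unset panics here rather than returning an error; if the existing KubeadmControlPlane caller already guarantees a populated spec that is fine, but a one-line comment stating the precondition would make the contract explicit. Whether `Append` mutates its receiver or returns a fresh map is not visible in this file; since the result is stored directly into the control plane object, it is worth confirming that `SecureTlsCipherSuitesExtraArgs()` returns a new map per call so two callers cannot alias one.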
@@ -0,0 +1,81 @@
+package clusterapi_test
+
+import (
+ "reflect"
+ "testing"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ "github.com/aws/eks-anywhere/internal/test"
+ "github.com/aws/eks-anywhere/pkg/api/v1alpha1"
+ "github.com/aws/eks-anywhere/pkg/cluster"
+ "github.com/aws/eks-anywhere/pkg/clusterapi"
+)
+
+func TestSetControllerManagerArgs(t *testing.T) {
+ tests := []struct {
+ name string
+ clusterSpec *cluster.Spec
+ want clusterapi.ExtraArgs
+ }{
+ {
+ name: "without Node CIDR mask",
+ clusterSpec: givenClusterSpec(),
+ want: map[string]string{"tls-cipher-suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
+ },
+ {
+ name: "with Node CIDR mask",
+ clusterSpec: givenClusterSpecWithNodeCIDR(),
+ want: map[string]string{"node-cidr-mask-size": "28", "tls-cipher-suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got := clusterapi.ControllerManagerArgs(tt.clusterSpec)
+ if !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("ControllerManagerArgs()/%s got = %v, want %v", tt.name, got, tt.want)
+ }
+ })
+ }
+}
+
+func givenClusterSpecWithNodeCIDR() *cluster.Spec {
+ cluster := givenClusterSpec()
+ nodeCidrMaskSize := new(int)
+ *nodeCidrMaskSize = 28
+ cluster.Cluster.Spec.ClusterNetwork = v1alpha1.ClusterNetwork{
+ Nodes: &v1alpha1.Nodes{CIDRMaskSize: nodeCidrMaskSize},
+ }
+ return cluster
+}
+
+func givenClusterSpec() *cluster.Spec {
+ return test.NewClusterSpec(func(s *cluster.Spec) {
+ s.Cluster = &v1alpha1.Cluster{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "snow-test",
+ Namespace: "test-namespace",
+ },
+ Spec: v1alpha1.ClusterSpec{
+ ClusterNetwork: v1alpha1.ClusterNetwork{
+ CNI: v1alpha1.Cilium,
+ Pods: v1alpha1.Pods{
+ CidrBlocks: []string{
+ "10.1.0.0/16",
+ },
+ },
+ Services: v1alpha1.Services{
+ CidrBlocks: []string{
+ "10.96.0.0/12",
+ },
+ },
+ },
+ },
+ }
+ })
+}
+
+func tlsCipherSuitesArgs() map[string]string {
+ return map[string]string{"tls-cipher-suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
+}
diff --git a/pkg/clusterapi/identity_test.go b/pkg/clusterapi/identity_test.go
index b738906647d8..7bb06e403e6a 100644
--- a/pkg/clusterapi/identity_test.go
+++ b/pkg/clusterapi/identity_test.go
@@ -105,17 +105,17 @@ func TestConfigureAWSIAMAuthInKubeadmControlPlane(t *testing.T) {
 },
 },
 ControllerManager: bootstrapv1.ControlPlaneComponent{
- ExtraArgs: map[string]string{},
+ ExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 InitConfiguration: &bootstrapv1.InitConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
- KubeletExtraArgs: map[string]string{},
+ KubeletExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 JoinConfiguration: &bootstrapv1.JoinConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
- KubeletExtraArgs: map[string]string{},
+ KubeletExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 PreKubeadmCommands: []string{},
@@ -273,17 +273,17 @@ func TestConfigureOIDCInKubeadmControlPlane(t *testing.T) {
 },
 },
 ControllerManager: bootstrapv1.ControlPlaneComponent{
- ExtraArgs: map[string]string{},
+ ExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 InitConfiguration: &bootstrapv1.InitConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
- KubeletExtraArgs: map[string]string{},
+ KubeletExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 JoinConfiguration: &bootstrapv1.JoinConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
- KubeletExtraArgs: map[string]string{},
+ KubeletExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 PreKubeadmCommands: []string{},
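Review bot: In `givenClusterSpecWithNodeCIDR` the local `cluster := givenClusterSpec()` shadows the imported `cluster` package for the rest of the function; it compiles only because the `*cluster.Spec` return type is resolved in the signature, and any later reference to the package inside the body would silently pick up the local instead. Renaming the local, e.g. `spec := givenClusterSpec()` and `return spec`, removes the trap. The test name `TestSetControllerManagerArgs` does not match the function under test; `TestControllerManagerArgs` keeps `go test -run` and the failure message consistent with `ControllerManagerArgs()`. `tlsCipherSuitesArgs` is declared here but consumed by apibuilder_test.go and identity_test.go, so a reader of those files will not find it next to the expectations it backs; a short comment above it naming its users, or moving it to the shared test helpers file, would help.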
@@ -368,17 +368,17 @@ func TestConfigurePodIamAuthInKubeadmControlPlane(t *testing.T) {
 },
 },
 ControllerManager: bootstrapv1.ControlPlaneComponent{
- ExtraArgs: map[string]string{},
+ ExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 InitConfiguration: &bootstrapv1.InitConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
- KubeletExtraArgs: map[string]string{},
+ KubeletExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 JoinConfiguration: &bootstrapv1.JoinConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
- KubeletExtraArgs: map[string]string{},
+ KubeletExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 PreKubeadmCommands: []string{},
diff --git a/pkg/clusterapi/systemctl_test.go b/pkg/clusterapi/systemctl_test.go
index 9d50a2c1fa16..c59227e26438 100644
--- a/pkg/clusterapi/systemctl_test.go
+++ b/pkg/clusterapi/systemctl_test.go
@@ -61,6 +61,7 @@ func TestRestartContainerdInKubeadmControlPlane(t *testing.T) {
 clusterapi.RestartContainerdInKubeadmControlPlane(got, tt.cluster)
 want := wantKubeadmControlPlane()
 want.Spec.KubeadmConfigSpec.PreKubeadmCommands = tt.want
+
 g.Expect(got).To(Equal(want))
 })
 }
diff --git a/pkg/providers/snow/apibuilder_test.go b/pkg/providers/snow/apibuilder_test.go
index 45c808c170a4..ed77eee86d58 100644
--- a/pkg/providers/snow/apibuilder_test.go
+++ b/pkg/providers/snow/apibuilder_test.go
@@ -128,20 +128,22 @@ func wantKubeadmControlPlane() *controlplanev1.KubeadmControlPlane {
 },
 },
 ControllerManager: bootstrapv1.ControlPlaneComponent{
- ExtraArgs: map[string]string{},
+ ExtraArgs: tlsCipherSuitesArgs(),
 },
 },
 InitConfiguration: &bootstrapv1.InitConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
 KubeletExtraArgs: map[string]string{
- "provider-id": "aws-snow:////'{{ ds.meta_data.instance_id }}'",
+ "provider-id": "aws-snow:////'{{ ds.meta_data.instance_id }}'",
+ "tls-cipher-suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 },
 },
 },
 JoinConfiguration: &bootstrapv1.JoinConfiguration{
 NodeRegistration: bootstrapv1.NodeRegistrationOptions{
 KubeletExtraArgs: map[string]string{
- "provider-id": "aws-snow:////'{{ ds.meta_data.instance_id }}'",
+ "provider-id": "aws-snow:////'{{ ds.meta_data.instance_id }}'",
+ "tls-cipher-suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 },
 },
 },
@@ -557,3 +559,7 @@ func TestSnowMachineTemplates(t *testing.T) {
 }
 tt.Expect(got).To(Equal(want))
 }
+
+func tlsCipherSuitesArgs() map[string]string {
+ return map[string]string{"tls-cipher-suites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
+}
diff --git a/pkg/providers/snow/testdata/expected_results_main_cp.yaml b/pkg/providers/snow/testdata/expected_results_main_cp.yaml
index ffe57015d340..08890fac21a5 100644
--- a/pkg/providers/snow/testdata/expected_results_main_cp.yaml
+++ b/pkg/providers/snow/testdata/expected_results_main_cp.yaml
@@ -59,7 +59,9 @@ spec:
 apiServer: {}
 bottlerocketBootstrap: {}
 bottlerocketControl: {}
- controllerManager: {}
+ controllerManager:
+ extraArgs:
+ tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 dns:
 imageRepository: public.ecr.aws/eks-distro/coredns
 imageTag: v1.8.4-eks-1-21-9
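Review bot: The cipher-suite literal is now written out twice inline in the kubelet `KubeletExtraArgs` maps of `wantKubeadmControlPlane` even though the new `tlsCipherSuitesArgs()` helper in the same file carries it, and the helper is itself a copy of the one added to `pkg/clusterapi/controllermanagerargs_test.go`; if the suite list is ever revised, these expectations drift independently of each other and of the testdata YAML. Building each kubelet map as the `provider-id` entry merged with `tlsCipherSuitesArgs()`, or adding a comment on the helper pointing at its twin in the clusterapi tests, would keep the expected values in one place. `wantKubeadmControlPlane` begins and ends outside the hunk.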
@@ -81,6 +83,7 @@ spec:
 nodeRegistration:
 kubeletExtraArgs:
 provider-id: aws-snow:////'{{ ds.meta_data.instance_id }}'
+ tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 joinConfiguration:
 bottlerocketBootstrap: {}
 bottlerocketControl: {}
@@ -88,6 +91,7 @@ spec:
 nodeRegistration:
 kubeletExtraArgs:
 provider-id: aws-snow:////'{{ ds.meta_data.instance_id }}'
+ tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 pause: {}
 proxy: {}
 registryMirror: {}