fix: allow configuring tls-cipher-suites (#261)

This patch allows you to configure TLS cipher suites for the API server with a sane set of secure defaults. Closes #251
vexxhost · Dec 5, 2023 · d1b7ab5 · d1b7ab5
1 parent bfee0ba
commit d1b7ab5
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/docs/user/labels.md b/docs/user/labels.md
@@ -166,6 +166,14 @@ is often accomplished by deploying a driver on each node.
 
    Default value: `true`
 
+* `tls_cipher_suites`
+
+   Specify the list of TLS cipher suites to use for the Kubernetes API server,
+   separated by commas.  If not specified, the default list of cipher suites
+   will be used using the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=go&config=intermediate).
+
+   Default value: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`
+
 ## OIDC
 
 * `oidc_issuer_url`

diff --git a/magnum_cluster_api/resources.py b/magnum_cluster_api/resources.py
@@ -783,6 +783,15 @@ def get_object(self) -> objects.ClusterClass:
                                 },
                             },
                         },
+                        {
+                            "name": "apiServerTLSCipherSuites",
+                            "required": True,
+                            "schema": {
+                                "openAPIV3Schema": {
+                                    "type": "string",
+                                },
+                            },
+                        },
                         {
                             "name": "openidConnect",
                             "required": True,
@@ -1555,6 +1564,13 @@ def get_object(self) -> objects.ClusterClass:
                                         },
                                     },
                                     "jsonPatches": [
+                                        {
+                                            "op": "add",
+                                            "path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/tls-cipher-suites",  # noqa: E501
+                                            "valueFrom": {
+                                                "variable": "apiServerTLSCipherSuites",
+                                            },
+                                        },
                                         {
                                             "op": "add",
                                             "path": "/spec/template/spec/kubeadmConfigSpec/files/-",
@@ -1837,6 +1853,14 @@ def get_object(self) -> objects.Cluster:
                                     "enabled": self.cluster.master_lb_enabled,
                                 },
                             },
+                            {
+                                "name": "apiServerTLSCipherSuites",
+                                "value": utils.get_cluster_label(
+                                    self.cluster,
+                                    "tls_cipher_suites",
+                                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",  # noqa: E501
+                                ),
+                            },
                             {
                                 "name": "openidConnect",
                                 "value": {