
feat: Secure ciphers, min TLS v1.2, and disable auto TLS for etcd #808

Merged
merged 2 commits into from
Jul 17, 2024

Conversation

@jimmidyson (Member) commented Jul 16, 2024

This increases ootb security and provides STIG compliance for
this area at least.

Fixes #806.

@tuxtof (Contributor) left a comment

Tests are OK on my side.

@github-actions github-actions bot added feature and removed feature labels Jul 16, 2024
Review thread on pkg/handlers/generic/mutation/etcd/inject.go (outdated, resolved)

@dlipovetsky (Contributor)

Does this affect FIPS compliance in any way?

@jimmidyson (Member, Author)

> @dlipovetsky
>
> Does this affect FIPS compliance in any way?

That is a good call out! And yes, it does 😞 While Go did upgrade to a BoringCrypto version that supports TLS 1.3 in go1.21.6, it was then reverted in subsequent versions, including >go1.21.6 and go1.22, until the new version of BoringCrypto is approved by NIST.

@jimmidyson (Member, Author)

The motivation for this change was to mitigate Sweet32 due to vulnerable 3DES ciphers. In go1.23, 3DES ciphers are disabled by default, so this change will be unnecessary once etcd is built with go1.23.

In the meantime, I will adopt the recommended ciphers in #806 by @tuxtof instead. I have checked that they are all FIPS-compliant, so this should work for both FIPS and non-FIPS deployments until TLS 1.3 is supported in Go FIPS.
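The comment above settles on an explicit TLS 1.2 cipher list rather than a TLS 1.3 floor. The following is an added example, not code from this PR or from the project, showing how such a list can be validated against Go's crypto/tls before it is handed to etcd: names must be ones crypto/tls (and therefore etcd, which resolves `--cipher-suites` against the same lists) recognises, must not be flagged insecure, must not be 3DES (Go releases before 1.23 still list 3DES among the "secure" suites, so the name check is what actually enforces the Sweet32 mitigation), and must be negotiable at TLS 1.2, since TLS 1.3 suites are fixed by crypto/tls and cannot be configured. The cipher names in `CandidateSuites` are a constructed input for illustration, not the list adopted from #806; the etcd flag names (`--cipher-suites`, `--tls-min-version`, `--auto-tls`, `--peer-auto-tls`) are etcd's own, but the way they are rendered here is this example's.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// CandidateSuites is a constructed input for this example (not the list the
// PR adopted): four ECDHE/AES-GCM suites plus one 3DES suite that must fail.
var CandidateSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", // 64-bit block cipher: Sweet32
}

// knownSuites indexes every suite name crypto/tls knows, secure or insecure.
// etcd resolves --cipher-suites names against these same two lists, so a
// name missing here is a config error rather than a silently ignored value.
func knownSuites() map[string]*tls.CipherSuite {
	m := make(map[string]*tls.CipherSuite)
	for _, cs := range tls.CipherSuites() {
		m[cs.Name] = cs
	}
	for _, cs := range tls.InsecureCipherSuites() {
		m[cs.Name] = cs
	}
	return m
}

// ValidateSuite returns the suite ID if name is acceptable for a TLS 1.2
// floor: known to Go, not flagged insecure, not 3DES (Go < 1.23 still lists
// 3DES as "secure", so the explicit name check matters), and negotiable at
// TLS 1.2 (TLS 1.3 suites are fixed by crypto/tls and cannot be configured).
func ValidateSuite(name string) (uint16, error) {
	cs, ok := knownSuites()[name]
	if !ok {
		return 0, fmt.Errorf("%s: unknown to crypto/tls", name)
	}
	if cs.Insecure {
		return 0, fmt.Errorf("%s: flagged insecure by crypto/tls", name)
	}
	if strings.Contains(name, "3DES") {
		return 0, fmt.Errorf("%s: 3DES is vulnerable to Sweet32", name)
	}
	for _, v := range cs.SupportedVersions {
		if v == tls.VersionTLS12 {
			return cs.ID, nil
		}
	}
	return 0, fmt.Errorf("%s: not negotiable at TLS 1.2 (TLS 1.3 suites are not configurable)", name)
}

// EtcdArgs renders the etcd flags this hardening sets. The flag names are
// etcd's; how they are surfaced (for example as kubeadm extraArgs) is left
// to the caller. Any bad suite rejects the whole list rather than dropping it.
func EtcdArgs(names []string) (map[string]string, error) {
	for _, n := range names {
		if _, err := ValidateSuite(n); err != nil {
			return nil, err
		}
	}
	return map[string]string{
		"cipher-suites":   strings.Join(names, ","),
		"tls-min-version": "TLS1.2",
		"auto-tls":        "false", // auto TLS uses generated self-signed certs, so clients are not CA-authenticated
		"peer-auto-tls":   "false", // same for the peer listener
	}, nil
}

// ServerConfig is the crypto/tls equivalent of those flags, useful for
// exercising the policy against a client without running etcd.
func ServerConfig(names []string) (*tls.Config, error) {
	ids := make([]uint16, 0, len(names))
	for _, n := range names {
		id, err := ValidateSuite(n)
		if err != nil {
			return nil, err
		}
		ids = append(ids, id)
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}, nil
}

func main() {
	// The full candidate list fails on the 3DES entry.
	if _, err := EtcdArgs(CandidateSuites); err != nil {
		fmt.Println("rejected:", err)
	}
	// Without it the flags render cleanly.
	args, err := EtcdArgs(CandidateSuites[:4])
	if err != nil {
		panic(err)
	}
	keys := make([]string, 0, len(args))
	for k := range args {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("--%s=%s\n", k, args[k])
	}
}
```

Rejecting rather than filtering is deliberate: a cipher list that silently shrinks is how a hardening change regresses unnoticed, so a bad name should fail the mutation and surface in review.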

@jimmidyson jimmidyson changed the title feat: Enforce TLS v1.3 and disable auto TLS for etcd feat: Secure ciphers, min TLS v1.2, and disable auto TLS for etcd Jul 17, 2024
@github-actions github-actions bot added feature and removed feature labels Jul 17, 2024
@jimmidyson jimmidyson merged commit d51805f into main Jul 17, 2024
15 checks passed
@jimmidyson jimmidyson deleted the jimmi/tls-1.3 branch July 17, 2024 18:39
@github-actions github-actions bot mentioned this pull request Jul 17, 2024
jimmidyson added a commit that referenced this pull request Jul 18, 2024
🤖 I have created a release *beep* *boop*
---


## 0.13.0 (2024-07-18)

<!-- Release notes generated using configuration in .github/release.yaml
at main -->

## What's Changed
### Exciting New Features 🎉
* feat: Secure ciphers, min TLS v1.2, and disable auto TLS for etcd by
@jimmidyson in
#808
* feat: Bump default k8s version for tests to v1.29.6 by @jimmidyson in
#784
### Fixes 🔧
* fix: add omitempty to addon strategy by @dkoshkin in
#795
* fix: update CCM to 0.3.4 to fix sweet32 issue by @tuxtof in
#805
* fix: Clean up MetalLB pod security standards labels by @jimmidyson in
#807
* fix: Fix ownership of ClusterAutoscaler resources by @jimmidyson in
#810
### Other Changes
* ci: Run e2e jobs only if unit-test, lint-*, and pre-commit jobs pass
by @dlipovetsky in
#796
* ci: Enable verbose output for e2e tests by @dlipovetsky in
#797
* test: Verify ServiceLoadBalancer in e2e Docker and Nutanix tests by
@dlipovetsky in
#788
* refactor: Use CAPI conditions check where possible by @dlipovetsky in
#789
* test(e2e): Use parallel tests for providers other than Docker by
@jimmidyson in
#787

## New Contributors
* @tuxtof made their first contribution in
#805

**Full Changelog**:
v0.12.1...v0.13.0

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Linked issue (closed by this PR): Improve default ETCD configuration (#806)
5 participants