From 95a1a9f431e19852e36bdb9ec5de268cd59f209c Mon Sep 17 00:00:00 2001 From: Jared Miller Date: Wed, 13 Feb 2019 15:57:37 -0500 Subject: [PATCH] Disable weak tls ciphers for kube-apiserver Set `--tls-cipher-suites` to golang defaults minus 3DES Implementation of change made in https://review.openstack.org/#/c/634815/ Change-Id: Icbeded84d5973b042a779ba20569654d2d91b563 --- global/software/charts/kubernetes/core/apiserver.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/global/software/charts/kubernetes/core/apiserver.yaml b/global/software/charts/kubernetes/core/apiserver.yaml index e64ed9b8e..b74b20762 100644 --- a/global/software/charts/kubernetes/core/apiserver.yaml +++ b/global/software/charts/kubernetes/core/apiserver.yaml @@ -123,6 +123,11 @@ data: apiserver: etcd: endpoints: https://127.0.0.1:2378 + tls: + tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" + # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ + # Possible values: VersionTLS10, VersionTLS11, VersionTLS12 + tls-min-version: 'VersionTLS12' command_prefix: - /apiserver - --service-cluster-ip-range=SERVICE_CIDR
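Review bot: The added `tls-cipher-suites` value still offers the four static-RSA suites (`TLS_RSA_WITH_AES_*`), which give no forward secrecy, and the four CBC-SHA suites. Since the same hunk sets `tls-min-version: 'VersionTLS12'`, most clients should be able to negotiate ECDHE with AES-GCM, so once client compatibility is confirmed the value could likely be reduced to `"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`. The list also has no `TLS_ECDHE_ECDSA_*` entries, so it is narrower than the "golang defaults minus 3DES" the commit message describes, and handshakes would presumably fail if the apiserver were ever issued an ECDSA serving certificate. A comment above the key such as `# RSA serving certificate assumed; add TLS_ECDHE_ECDSA_* suites if the cert type changes` would record that. The commit message also does not mention the new minimum-version setting.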