authorJared Miller <jmiller@mirantis.com>2019-02-04 16:32:24 -0500
committerJared Miller <jmiller@mirantis.com>2019-02-04 16:34:31 -0500
commit8fe4333edab84fac0679093695e3b7beab251ab3 (patch)
tree489f5b8f73e37262e344b23b88f4b3d1a389914c
parent76c942b5ce9c106f69173ab8e03319238087262a (diff)
Allow tls versions and ciphers to be configuredHEADmaster
Add the ability to set tls version and cipher suites Change-Id: Ifb3d1ed315c0ed8d679e5ab71cf2484dc8329dbd Vulnerability: https://sweet32.info/
Notes
Notes (review): Code-Review+2: Scott Hussey <sthussey@att.com> Code-Review+1: Nishant Kumar <nishant.e.kumar@ericsson.com> Code-Review+1: Dan Crank <dan.no@att.com> Code-Review+1: PRATEEK REDDY DODDA <pd2839@att.com> Code-Review+2: Matt McEuen <matt.mceuen@att.com> Workflow+1: Matt McEuen <matt.mceuen@att.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Wed, 13 Feb 2019 20:44:06 +0000 Reviewed-on: https://review.openstack.org/634815 Project: openstack/airship-promenade Branch: refs/heads/master
-rw-r--r--charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl7
-rw-r--r--charts/apiserver/values.yaml6
2 files changed, 12 insertions, 1 deletions
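--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -61,7 +61,12 @@ spec:
  {{- end }}
  {{- end }}
  {{- end }}
-
+ {{- $acceptable_keys := list "tls-min-version" "tls-cipher-suites" }}
+ {{- range $key, $val := .Values.apiserver.tls }}
+ {{- if has $key $acceptable_keys }}
+ - --{{ $key }}={{ $val | quote }}
+ {{- end }}
+ {{- end }}
  ports:
  - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
 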
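Review bot: `{{ $val | quote }}` on the added `- --{{ $key }}=…` line puts double quotes in the middle of a plain YAML scalar, where they are literal characters rather than YAML quoting. If this list is the container's exec-form command (the enclosing block starts outside the hunk), kube-apiserver would receive `--tls-min-version="VersionTLS12"` with the quotes as part of the value, so the intended minimum version or cipher list may be rejected or not applied. Quoting the whole item avoids that: `- {{ printf "--%s=%v" $key $val | quote }}`. Keys outside `$acceptable_keys` are also skipped silently, so a misspelled key leaves the default TLS settings in place; an `{{- else }}` branch that calls `fail` would surface it at render time.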
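--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@@ -121,6 +121,12 @@ apiserver:
  etcd:
  endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
  host_etc_path: /etc/kubernetes/apiserver
+#XXX another possible configuration
+# tls:
+# tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
+# # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
+# #Possible values: VersionTLS10, VersionTLS11, VersionTLS12
+# tls-min-version: 'VersionTLS12'
 
 network:
  kubernetes_apiserver: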
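Review bot: The whole `tls:` block is added commented out, so with default values the template's `range` over `.Values.apiserver.tls` emits no flags and the apiserver keeps its built-in TLS version and cipher defaults; the `#XXX another possible configuration` comment does not say that. I would replace it with `# Optional. When unset, kube-apiserver uses its built-in TLS defaults; only tls-min-version and tls-cipher-suites are passed through.` The example suite list also includes CBC-mode suites and static-RSA (`TLS_RSA_WITH_*`) suites, the latter without forward secrecy. It is worth stating whether they are kept for client compatibility, or trimming the example to the ECDHE GCM suites.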