Allow tls versions and ciphers to be configured

Add the ability to set tls version and cipher suites Change-Id: Ifb3d1ed315c0ed8d679e5ab71cf2484dc8329dbd Vulnerability: https://sweet32.info/
2019-02-04 16:32:24 -05:00 · 2019-02-04 16:32:24 -05:00 · 8fe4333eda
parent 76c942b5ce
commit 8fe4333eda
2 changed files with 12 additions and 1 deletions
--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@ -61,7 +61,12 @@ spec:
        {{- end }}
        {{- end }}
        {{- end }}
-
+        {{- $acceptable_keys := list "tls-min-version" "tls-cipher-suites" }}
+        {{- range $key, $val := .Values.apiserver.tls }}
+        {{- if has $key  $acceptable_keys }}
+        - --{{ $key }}={{ $val | quote }}
+        {{- end }}
+        {{- end }}
      ports:
        - containerPort: {{ .Values.network.kubernetes_apiserver.port }}

--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@ -121,6 +121,12 @@ apiserver:
  etcd:
    endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
  host_etc_path: /etc/kubernetes/apiserver
+#XXX another possible configuration
+#  tls:
+#    tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
+#    # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
+#    #Possible values: VersionTLS10, VersionTLS11, VersionTLS12
+#    tls-min-version: 'VersionTLS12'

 network:
  kubernetes_apiserver: