From 9b1e18bbd21423aa587f91cf59215fe11cc6c902 Mon Sep 17 00:00:00 2001
From: zhzhuang-zju
Date: Mon, 20 Nov 2023 11:50:57 +0800
Subject: [PATCH] set golang's secure cipher suites as etcd's cipher suites

Signed-off-by: zhzhuang-zju
---
 artifacts/deploy/karmada-etcd.yaml | 4 ++++
 charts/karmada/templates/etcd.yaml | 4 ++++
 operator/pkg/controlplane/etcd/etcd.go | 11 ++++++++++-
 operator/pkg/controlplane/etcd/mainfests.go | 3 ++-
 .../cmdinit/kubernetes/statefulset.go | 17 +++++++++++++++--
 5 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/artifacts/deploy/karmada-etcd.yaml b/artifacts/deploy/karmada-etcd.yaml
index 0a316f3b4..54ac0acb8 100644
--- a/artifacts/deploy/karmada-etcd.yaml
+++ b/artifacts/deploy/karmada-etcd.yaml
@@ -82,6 +82,10 @@ spec:
 - --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt
 - --data-dir=/var/lib/etcd
 - --snapshot-count=10000
+ # Setting Golang's secure cipher suites as etcd's cipher suites.
+ # They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+ # Consistent with the Preferred values of k8s’s default cipher suites.
+ - --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
 volumes:
 - hostPath:
 path: /var/lib/karmada-etcd
diff --git a/charts/karmada/templates/etcd.yaml b/charts/karmada/templates/etcd.yaml
index de4e61a58..786bfd25d 100644
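Review bot: The `--cipher-suites` value added here is a frozen snapshot of Go's `tls.CipherSuites()` at the time of the commit, while the operator and karmadactl hunks later in this patch derive the same list at build time from `flag.PreferredTLSCipherNames()`, so the deployment paths will drift apart as the toolchain's list changes; the chart hunk that follows has the same issue. The list also keeps the static-RSA (`TLS_RSA_*`) and CBC suites, which provide no forward secrecy, so the comment's "secure" wording overstates what is enforced — if the intent is hardening, narrowing to the ECDHE AEAD suites would be the stronger choice, and if the intent is only parity with Go's defaults, the comment should say so. I would replace the second comment line with `# Snapshot of Go's tls.CipherSuites(); keep in sync with genEtcdCipherSuites() in operator/pkg/controlplane/etcd/etcd.go`. The TLS 1.3 names (`TLS_AES_*`, `TLS_CHACHA20_POLY1305_SHA256`) are accepted by the flag but, as far as I know, Go does not let a server restrict TLS 1.3 suites, so they are inert here.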
--- a/charts/karmada/templates/etcd.yaml
+++ b/charts/karmada/templates/etcd.yaml
@@ -97,6 +97,10 @@ spec:
 - --key-file=/etc/kubernetes/pki/etcd/karmada.key
 - --trusted-ca-file=/etc/kubernetes/pki/etcd/server-ca.crt
 - --data-dir=/var/lib/etcd
+ # Setting Golang's secure cipher suites as etcd's cipher suites.
+ # They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+ # Consistent with the Preferred values of k8s’s default cipher suites.
+ - --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
 volumes:
 - name: etcd-cert
 secret:
diff --git a/operator/pkg/controlplane/etcd/etcd.go b/operator/pkg/controlplane/etcd/etcd.go
index 1ee02c3c8..5c1177dd9 100644
--- a/operator/pkg/controlplane/etcd/etcd.go
+++ b/operator/pkg/controlplane/etcd/etcd.go
@@ -9,6 +9,7 @@ import (
 kuberuntime "k8s.io/apimachinery/pkg/runtime"
 clientset "k8s.io/client-go/kubernetes"
 clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+ "k8s.io/component-base/cli/flag"
 
 operatorv1alpha1 "github.com/karmada-io/karmada/operator/pkg/apis/operator/v1alpha1"
 "github.com/karmada-io/karmada/operator/pkg/constants"
@@ -47,7 +48,7 @@ func installKarmadaEtcd(client clientset.Interface, name, namespace string, cfg
 etcdStatefulSetBytes, err := util.ParseTemplate(KarmadaEtcdStatefulSet, struct {
 StatefulSetName, Namespace, Image, EtcdClientService string
 CertsSecretName, EtcdPeerServiceName string
- InitialCluster, EtcdDataVolumeName string
+ InitialCluster, EtcdDataVolumeName, EtcdCipherSuites string
 Replicas, EtcdListenClientPort, EtcdListenPeerPort int32
 }{
 StatefulSetName: util.KarmadaEtcdName(name),
@@ -58,6 +59,7 @@ func installKarmadaEtcd(client clientset.Interface, name, namespace string, cfg
 EtcdPeerServiceName: util.KarmadaEtcdName(name),
 EtcdDataVolumeName: constants.EtcdDataVolumeName,
 InitialCluster: strings.Join(initialClusters, ","),
+ EtcdCipherSuites: genEtcdCipherSuites(),
 Replicas: *cfg.Replicas,
 EtcdListenClientPort: constants.EtcdListenClientPort,
 EtcdListenPeerPort: constants.EtcdListenPeerPort,
@@ -127,3 +129,10 @@ func createEtcdService(client clientset.Interface, name, namespace string) error
 
 return nil
 }
+
+// Setting Golang's secure cipher suites as etcd's cipher suites.
+// They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+// Consistent with the Preferred values of k8s’s default cipher suites.
+func genEtcdCipherSuites() string {
+ return strings.Join(flag.PreferredTLSCipherNames(), ",")
+}
diff --git a/operator/pkg/controlplane/etcd/mainfests.go b/operator/pkg/controlplane/etcd/mainfests.go
index a0e8d8b8a..c175e0294 100644
--- a/operator/pkg/controlplane/etcd/mainfests.go
+++ b/operator/pkg/controlplane/etcd/mainfests.go
@@ -44,7 +44,8 @@ spec:
 - --key-file=/etc/karmada/pki/etcd/etcd-server.key
 - --data-dir=/var/lib/etcd
 - --snapshot-count=10000
- - --log-level=debug
+ - --log-level=debug=
+ - --cipher-suites={{ .EtcdCipherSuites }}
 env:
 - name: KARMADA_ETCD_NAME
 valueFrom:
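Review bot: genEtcdCipherSuites in etcd.go renders whatever the operator binary's Go toolchain reports as preferred, so a toolchain upgrade that adds a suite name the deployed etcd image does not recognise would, as far as I can tell, make etcd refuse to start rather than degrade gracefully; the genEtcdCipherSuites added to statefulset.go at the end of this patch has the same coupling. Pinning the list as a constant, or validating the generated names against a known-good set before rendering the manifest, would keep a build-environment change from becoming a control-plane outage. The doc comment should also begin with the function name per Go convention, e.g. `// genEtcdCipherSuites returns Go's preferred TLS cipher suite names, comma-separated, for etcd's --cipher-suites flag.` The first two hunks in etcd.go only thread the new template field through and look fine.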
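Review bot: The replaced line in mainfests.go now reads `- --log-level=debug=`, with a trailing `=` that the removed line did not have; etcd's `--log-level` takes a level name such as debug, info, warn or error, so `debug=` would likely be rejected when the pod starts, unless the character is an artefact of how this page was rendered. If it is a typo, the line should read `- --log-level=debug` — or simply be left untouched, which also removes the spurious deletion from the diffstat. The added `- --cipher-suites={{ .EtcdCipherSuites }}` line itself is consistent with the template field introduced in etcd.go.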
diff --git a/pkg/karmadactl/cmdinit/kubernetes/statefulset.go b/pkg/karmadactl/cmdinit/kubernetes/statefulset.go
index 5310ad09c..771fc3aea 100644
--- a/pkg/karmadactl/cmdinit/kubernetes/statefulset.go
+++ b/pkg/karmadactl/cmdinit/kubernetes/statefulset.go
@@ -8,6 +8,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/component-base/cli/flag"
 "k8s.io/utils/pointer"
 
 "github.com/karmada-io/karmada/pkg/karmadactl/cmdinit/options"
@@ -35,8 +36,9 @@ const (
 
 var (
 // appLabels remove via Labels karmada StatefulSet Deployment
- appLabels = map[string]string{"karmada.io/bootstrapping": "app-defaults"}
- etcdLabels = map[string]string{"app": etcdStatefulSetAndServiceName}
+ appLabels = map[string]string{"karmada.io/bootstrapping": "app-defaults"}
+ etcdLabels = map[string]string{"app": etcdStatefulSetAndServiceName}
+ etcdCipherSuites = genEtcdCipherSuites()
 )
 
 func (i *CommandInitOption) etcdVolume() (*[]corev1.Volume, *corev1.PersistentVolumeClaim) {
@@ -141,6 +143,7 @@ listen-client-urls: https://${%s}:%v,http://127.0.0.1:%v
 initial-advertise-peer-urls: http://${%s}:%v
 advertise-client-urls: https://${%s}.%s.%s.svc.%s:%v
 data-dir: %s
+cipher-suites: %s
 `,
 etcdContainerConfigDataMountPath,
 etcdConfigName,
@@ -159,6 +162,7 @@ data-dir: %s
 i.Namespace,
 i.HostClusterDomain,
 etcdContainerClientPort,
 etcdContainerDataVolumeMountPath,
+ etcdCipherSuites,
 ),
 }
@@ -350,3 +354,12 @@ func (i *CommandInitOption) makeETCDStatefulSet() *appsv1.StatefulSet {
 
 return etcd
 }
+
+// Setting Golang's secure cipher suites as etcd's cipher suites.
+// They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+// Consistent with the Preferred values of k8s’s default cipher suites.
+func genEtcdCipherSuites() string {
+ cipherSuites := strings.Join(flag.PreferredTLSCipherNames(), "\",\"")
+ cipherSuites = "[\"" + cipherSuites + "\"]"
+ return cipherSuites
+}
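Review bot: The hand-rolled quoting in genEtcdCipherSuites yields `[""]` when `PreferredTLSCipherNames()` returns an empty slice, which etcd would read as one empty, unknown suite name, and it performs no escaping at all; `encoding/json` produces a valid YAML flow sequence for every input, including `[]` for empty, so I would replace the three body lines with `b, _ := json.Marshal(flag.PreferredTLSCipherNames()) // marshalling a []string cannot fail` and `return string(b)` (adding `encoding/json` to the import block). The comment should open with the function name and state the format, e.g. `// genEtcdCipherSuites returns Go's preferred TLS cipher suite names as a YAML flow sequence for the cipher-suites key of the etcd config file.` It also shares its name and purpose with the function added to operator/pkg/controlplane/etcd/etcd.go but returns a differently formatted string, so a short comment on that difference would stop a future reader from unifying the two blindly.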