set golang's secure cipher suites as etcd's cipher suites
Signed-off-by: zhzhuang-zju <m17799853869@163.com>
parent
4d6e9d7d1e
commit
9b1e18bbd2
@ -82,6 +82,10 @@ spec:
|
||||||
- --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt
|
- --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt
|
||||||
- --data-dir=/var/lib/etcd
|
- --data-dir=/var/lib/etcd
|
||||||
- --snapshot-count=10000
|
- --snapshot-count=10000
|
||||||
|
# Setting Golang's secure cipher suites as etcd's cipher suites.
|
||||||
|
# They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
|
||||||
|
# Consistent with the Preferred values of k8s’s default cipher suites.
|
||||||
|
- --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||||
volumes:
|
volumes:
|
||||||
- hostPath:
|
- hostPath:
|
||||||
path: /var/lib/karmada-etcd
|
path: /var/lib/karmada-etcd
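Review bot: The cipher list added here is hard-coded, while the operator and karmadactl changes in this same commit derive the list from `flag.PreferredTLSCipherNames()` at build time, so this manifest will silently diverge from them whenever the Go toolchain or k8s.io/component-base is bumped; the comment should point at that source so a bump updates both, e.g. `# Keep in sync with genEtcdCipherSuites() (k8s.io/component-base/cli/flag.PreferredTLSCipherNames, derived from Go's crypto/tls CipherSuites()).` The comment also calls these Go's "secure" suites, but the list visibly includes the TLS_RSA_* suites (no forward secrecy) and the *_CBC_SHA suites, which Go merely does not classify as insecure; parity with what Kubernetes components accept by default is a defensible goal, but it should be stated as such, and a deployment wanting a stricter etcd endpoint would trim the value to the ECDHE AEAD entries. The same list and comment are added in the hunk at @ -97,6 +97,10 @@ below. Minor: cipher_suites.go is a file in the crypto/tls package, not a package.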
|
@ -97,6 +97,10 @@ spec:
|
||||||
- --key-file=/etc/kubernetes/pki/etcd/karmada.key
|
- --key-file=/etc/kubernetes/pki/etcd/karmada.key
|
||||||
- --trusted-ca-file=/etc/kubernetes/pki/etcd/server-ca.crt
|
- --trusted-ca-file=/etc/kubernetes/pki/etcd/server-ca.crt
|
||||||
- --data-dir=/var/lib/etcd
|
- --data-dir=/var/lib/etcd
|
||||||
|
# Setting Golang's secure cipher suites as etcd's cipher suites.
|
||||||
|
# They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
|
||||||
|
# Consistent with the Preferred values of k8s’s default cipher suites.
|
||||||
|
- --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||||
volumes:
|
volumes:
|
||||||
- name: etcd-cert
|
- name: etcd-cert
|
||||||
secret:
|
secret:
|
@ -9,6 +9,7 @@ import (
|
||||||
kuberuntime "k8s.io/apimachinery/pkg/runtime"
|
kuberuntime "k8s.io/apimachinery/pkg/runtime"
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
clientsetscheme "k8s.io/client-go/kubernetes/scheme"
|
clientsetscheme "k8s.io/client-go/kubernetes/scheme"
|
||||||
|
"k8s.io/component-base/cli/flag"
|
||||||
|
|
||||||
operatorv1alpha1 "github.com/karmada-io/karmada/operator/pkg/apis/operator/v1alpha1"
|
operatorv1alpha1 "github.com/karmada-io/karmada/operator/pkg/apis/operator/v1alpha1"
|
||||||
"github.com/karmada-io/karmada/operator/pkg/constants"
|
"github.com/karmada-io/karmada/operator/pkg/constants"
|
@ -47,7 +48,7 @@ func installKarmadaEtcd(client clientset.Interface, name, namespace string, cfg
|
||||||
etcdStatefulSetBytes, err := util.ParseTemplate(KarmadaEtcdStatefulSet, struct {
|
etcdStatefulSetBytes, err := util.ParseTemplate(KarmadaEtcdStatefulSet, struct {
|
||||||
StatefulSetName, Namespace, Image, EtcdClientService string
|
StatefulSetName, Namespace, Image, EtcdClientService string
|
||||||
CertsSecretName, EtcdPeerServiceName string
|
CertsSecretName, EtcdPeerServiceName string
|
||||||
InitialCluster, EtcdDataVolumeName string
|
InitialCluster, EtcdDataVolumeName, EtcdCipherSuites string
|
||||||
Replicas, EtcdListenClientPort, EtcdListenPeerPort int32
|
Replicas, EtcdListenClientPort, EtcdListenPeerPort int32
|
||||||
}{
|
}{
|
||||||
StatefulSetName: util.KarmadaEtcdName(name),
|
StatefulSetName: util.KarmadaEtcdName(name),
|
@ -58,6 +59,7 @@ func installKarmadaEtcd(client clientset.Interface, name, namespace string, cfg
|
||||||
EtcdPeerServiceName: util.KarmadaEtcdName(name),
|
EtcdPeerServiceName: util.KarmadaEtcdName(name),
|
||||||
EtcdDataVolumeName: constants.EtcdDataVolumeName,
|
EtcdDataVolumeName: constants.EtcdDataVolumeName,
|
||||||
InitialCluster: strings.Join(initialClusters, ","),
|
InitialCluster: strings.Join(initialClusters, ","),
|
||||||
|
EtcdCipherSuites: genEtcdCipherSuites(),
|
||||||
Replicas: *cfg.Replicas,
|
Replicas: *cfg.Replicas,
|
||||||
EtcdListenClientPort: constants.EtcdListenClientPort,
|
EtcdListenClientPort: constants.EtcdListenClientPort,
|
||||||
EtcdListenPeerPort: constants.EtcdListenPeerPort,
|
EtcdListenPeerPort: constants.EtcdListenPeerPort,
|
@ -127,3 +129,10 @@ func createEtcdService(client clientset.Interface, name, namespace string) error
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Setting Golang's secure cipher suites as etcd's cipher suites.
|
||||||
|
// They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
|
||||||
|
// Consistent with the Preferred values of k8s’s default cipher suites.
|
||||||
|
func genEtcdCipherSuites() string {
|
||||||
|
return strings.Join(flag.PreferredTLSCipherNames(), ",")
|
||||||
|
}
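Review bot: The doc comment on `genEtcdCipherSuites` should start with the function name per Go convention and say what the list actually is: `flag.PreferredTLSCipherNames()` returns the names Kubernetes components accept by default, taken from crypto/tls `CipherSuites()` plus two legacy ChaCha20 alias names, so its content depends on the vendored Go and component-base versions and, as the YAML hunks in this commit show, includes the non-forward-secret TLS_RSA_* and *_CBC_SHA suites. Suggested replacement for the three comment lines: `// genEtcdCipherSuites returns the comma-separated TLS cipher suite names etcd should accept: the Kubernetes default preferred set (k8s.io/component-base/cli/flag.PreferredTLSCipherNames), which tracks Go's crypto/tls CipherSuites() and therefore changes with the toolchain; it includes RSA key-exchange and CBC suites.` Since the function takes no input and the value is fixed per build, it could be a package-level var as the karmadactl copy further down does, and the two copies of this function and comment could live in one shared helper rather than being duplicated. cipher_suites.go is a file in crypto/tls, not a package.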
|
@ -44,7 +44,8 @@ spec:
|
||||||
- --key-file=/etc/karmada/pki/etcd/etcd-server.key
|
- --key-file=/etc/karmada/pki/etcd/etcd-server.key
|
||||||
- --data-dir=/var/lib/etcd
|
- --data-dir=/var/lib/etcd
|
||||||
- --snapshot-count=10000
|
- --snapshot-count=10000
|
||||||
- --log-level=debug
|
- --log-level=debug=
|
||||||
|
- --cipher-suites={{ .EtcdCipherSuites }}
|
||||||
env:
|
env:
|
||||||
- name: KARMADA_ETCD_NAME
|
- name: KARMADA_ETCD_NAME
|
||||||
valueFrom:
|
valueFrom:
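Review bot: The changed line `- --log-level=debug=` carries a trailing `=` that the old line `- --log-level=debug` did not; as rendered, the right-hand side is the new one (the added `--cipher-suites={{ .EtcdCipherSuites }}` line below appears only on that side), so unless this is a rendering artifact the commit turns a valid level into `debug=`, which etcd's `--log-level` is unlikely to accept and which would stop the etcd pod from starting. The hunk header's 7 → 8 line count is consistent with one modification plus one addition. Restore `- --log-level=debug`. The template constant this sits in starts and ends outside the hunk.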
|
@ -8,6 +8,7 @@ import (
|
||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/api/resource"
|
"k8s.io/apimachinery/pkg/api/resource"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
"k8s.io/component-base/cli/flag"
|
||||||
"k8s.io/utils/pointer"
|
"k8s.io/utils/pointer"
|
||||||
|
|
||||||
"github.com/karmada-io/karmada/pkg/karmadactl/cmdinit/options"
|
"github.com/karmada-io/karmada/pkg/karmadactl/cmdinit/options"
|
@ -35,8 +36,9 @@ const (
|
||||||
|
|
||||||
var (
|
var (
|
||||||
// appLabels remove via Labels karmada StatefulSet Deployment
|
// appLabels remove via Labels karmada StatefulSet Deployment
|
||||||
appLabels = map[string]string{"karmada.io/bootstrapping": "app-defaults"}
|
appLabels = map[string]string{"karmada.io/bootstrapping": "app-defaults"}
|
||||||
etcdLabels = map[string]string{"app": etcdStatefulSetAndServiceName}
|
etcdLabels = map[string]string{"app": etcdStatefulSetAndServiceName}
|
||||||
|
etcdCipherSuites = genEtcdCipherSuites()
|
||||||
)
|
)
|
||||||
|
|
||||||
func (i *CommandInitOption) etcdVolume() (*[]corev1.Volume, *corev1.PersistentVolumeClaim) {
|
func (i *CommandInitOption) etcdVolume() (*[]corev1.Volume, *corev1.PersistentVolumeClaim) {
|
@ -141,6 +143,7 @@ listen-client-urls: https://${%s}:%v,http://127.0.0.1:%v
|
||||||
initial-advertise-peer-urls: http://${%s}:%v
|
initial-advertise-peer-urls: http://${%s}:%v
|
||||||
advertise-client-urls: https://${%s}.%s.%s.svc.%s:%v
|
advertise-client-urls: https://${%s}.%s.%s.svc.%s:%v
|
||||||
data-dir: %s
|
data-dir: %s
|
||||||
|
cipher-suites: %s
|
||||||
|
|
||||||
`,
|
`,
|
||||||
etcdContainerConfigDataMountPath, etcdConfigName,
|
etcdContainerConfigDataMountPath, etcdConfigName,
|
@ -159,6 +162,7 @@ data-dir: %s
|
||||||
i.Namespace, i.HostClusterDomain,
|
i.Namespace, i.HostClusterDomain,
|
||||||
etcdContainerClientPort,
|
etcdContainerClientPort,
|
||||||
etcdContainerDataVolumeMountPath,
|
etcdContainerDataVolumeMountPath,
|
||||||
|
etcdCipherSuites,
|
||||||
),
|
),
|
||||||
}
|
}
|
||||||
|
|
@ -350,3 +354,12 @@ func (i *CommandInitOption) makeETCDStatefulSet() *appsv1.StatefulSet {
|
||||||
|
|
||||||
return etcd
|
return etcd
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Setting Golang's secure cipher suites as etcd's cipher suites.
|
||||||
|
// They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
|
||||||
|
// Consistent with the Preferred values of k8s’s default cipher suites.
|
||||||
|
func genEtcdCipherSuites() string {
|
||||||
|
cipherSuites := strings.Join(flag.PreferredTLSCipherNames(), "\",\"")
|
||||||
|
cipherSuites = "[\"" + cipherSuites + "\"]"
|
||||||
|
return cipherSuites
|
||||||
|
}
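Review bot: `genEtcdCipherSuites` here hand-assembles a YAML flow sequence by string concatenation (`"[\"" + ... + "\"]"`) for the `cipher-suites: %s` line added in the hunk at @ -141,6 +143,7; that is correct only while every name is a plain identifier and the list is non-empty, since an empty list would produce `[""]`, a one-element sequence whose entry etcd would reject as an unknown suite. `encoding/json` produces exactly the `["A","B"]` form YAML accepts and handles both cases: `b, _ := json.Marshal(flag.PreferredTLSCipherNames()) // cannot fail for []string` then `return string(b)`; that needs `encoding/json` added to the import block in the hunk at @ -8,6 +8,7 if it is not already there. The comment block, like the operator copy of this function earlier in the commit, should start with the function name and name `PreferredTLSCipherNames()` as the actual source rather than the Go file it is ultimately derived from.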
|
||||||
|
|
Loading…
Reference in New Issue