set golang's secure cipher suites as etcd's cipher suites

Signed-off-by: zhzhuang-zju <m17799853869@163.com>
2023-11-20 11:50:57 +08:00 · 2023-11-20 11:50:57 +08:00 · 9b1e18bbd2
parent 4d6e9d7d1e
commit 9b1e18bbd2
5 changed files with 35 additions and 4 deletions
--- a/artifacts/deploy/karmada-etcd.yaml
+++ b/artifacts/deploy/karmada-etcd.yaml
@ -82,6 +82,10 @@ spec:
            - --trusted-ca-file=/etc/karmada/pki/etcd-ca.crt
            - --data-dir=/var/lib/etcd
            - --snapshot-count=10000
+            # Setting Golang's secure cipher suites as etcd's cipher suites.
+            # They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+            # Consistent with the Preferred values of k8s’s default cipher suites.
+            - --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      volumes:
        - hostPath:
            path: /var/lib/karmada-etcd
--- a/charts/karmada/templates/etcd.yaml
+++ b/charts/karmada/templates/etcd.yaml
@ -97,6 +97,10 @@ spec:
            - --key-file=/etc/kubernetes/pki/etcd/karmada.key
            - --trusted-ca-file=/etc/kubernetes/pki/etcd/server-ca.crt
            - --data-dir=/var/lib/etcd
+            # Setting Golang's secure cipher suites as etcd's cipher suites.
+            # They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+            # Consistent with the Preferred values of k8s’s default cipher suites.
+            - --cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      volumes:
        - name: etcd-cert
          secret:
--- a/operator/pkg/controlplane/etcd/etcd.go
+++ b/operator/pkg/controlplane/etcd/etcd.go
@ -9,6 +9,7 @@ import (
 	kuberuntime "k8s.io/apimachinery/pkg/runtime"
 	clientset "k8s.io/client-go/kubernetes"
 	clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/component-base/cli/flag"

 	operatorv1alpha1 "github.com/karmada-io/karmada/operator/pkg/apis/operator/v1alpha1"
 	"github.com/karmada-io/karmada/operator/pkg/constants"
@ -47,7 +48,7 @@ func installKarmadaEtcd(client clientset.Interface, name, namespace string, cfg
 	etcdStatefulSetBytes, err := util.ParseTemplate(KarmadaEtcdStatefulSet, struct {
 		StatefulSetName, Namespace, Image, EtcdClientService string
 		CertsSecretName, EtcdPeerServiceName                 string
-		InitialCluster, EtcdDataVolumeName                   string
+		InitialCluster, EtcdDataVolumeName, EtcdCipherSuites string
 		Replicas, EtcdListenClientPort, EtcdListenPeerPort   int32
 	}{
 		StatefulSetName:      util.KarmadaEtcdName(name),
@ -58,6 +59,7 @@ func installKarmadaEtcd(client clientset.Interface, name, namespace string, cfg
 		EtcdPeerServiceName:  util.KarmadaEtcdName(name),
 		EtcdDataVolumeName:   constants.EtcdDataVolumeName,
 		InitialCluster:       strings.Join(initialClusters, ","),
+		EtcdCipherSuites:     genEtcdCipherSuites(),
 		Replicas:             *cfg.Replicas,
 		EtcdListenClientPort: constants.EtcdListenClientPort,
 		EtcdListenPeerPort:   constants.EtcdListenPeerPort,
@ -127,3 +129,10 @@ func createEtcdService(client clientset.Interface, name, namespace string) error

 	return nil
 }
+
+// Setting Golang's secure cipher suites as etcd's cipher suites.
+// They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+// Consistent with the Preferred values of k8s’s default cipher suites.
+func genEtcdCipherSuites() string {
+	return strings.Join(flag.PreferredTLSCipherNames(), ",")
+}
--- a/operator/pkg/controlplane/etcd/mainfests.go
+++ b/operator/pkg/controlplane/etcd/mainfests.go
@ -44,7 +44,8 @@ spec:
        - --key-file=/etc/karmada/pki/etcd/etcd-server.key
        - --data-dir=/var/lib/etcd
        - --snapshot-count=10000
-        - --log-level=debug
+        - --log-level=debug=
+        - --cipher-suites={{ .EtcdCipherSuites }}
        env:
        - name: KARMADA_ETCD_NAME
          valueFrom:
--- a/pkg/karmadactl/cmdinit/kubernetes/statefulset.go
+++ b/pkg/karmadactl/cmdinit/kubernetes/statefulset.go
@ -8,6 +8,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/component-base/cli/flag"
 	"k8s.io/utils/pointer"

 	"github.com/karmada-io/karmada/pkg/karmadactl/cmdinit/options"
@ -35,8 +36,9 @@ const (

 var (
 	// appLabels remove via Labels karmada StatefulSet Deployment
-	appLabels  = map[string]string{"karmada.io/bootstrapping": "app-defaults"}
-	etcdLabels = map[string]string{"app": etcdStatefulSetAndServiceName}
+	appLabels        = map[string]string{"karmada.io/bootstrapping": "app-defaults"}
+	etcdLabels       = map[string]string{"app": etcdStatefulSetAndServiceName}
+	etcdCipherSuites = genEtcdCipherSuites()
 )

 func (i *CommandInitOption) etcdVolume() (*[]corev1.Volume, *corev1.PersistentVolumeClaim) {
@ -141,6 +143,7 @@ listen-client-urls: https://${%s}:%v,http://127.0.0.1:%v
 initial-advertise-peer-urls: http://${%s}:%v
 advertise-client-urls: https://${%s}.%s.%s.svc.%s:%v
 data-dir: %s
+cipher-suites: %s

 `,
 			etcdContainerConfigDataMountPath, etcdConfigName,
@ -159,6 +162,7 @@ data-dir: %s
 			i.Namespace, i.HostClusterDomain,
 			etcdContainerClientPort,
 			etcdContainerDataVolumeMountPath,
+			etcdCipherSuites,
 		),
 	}

@ -350,3 +354,12 @@ func (i *CommandInitOption) makeETCDStatefulSet() *appsv1.StatefulSet {

 	return etcd
 }
+
+// Setting Golang's secure cipher suites as etcd's cipher suites.
+// They are obtained by the return value of the function CipherSuites() under the go/src/crypto/tls/cipher_suites.go package.
+// Consistent with the Preferred values of k8s’s default cipher suites.
+func genEtcdCipherSuites() string {
+	cipherSuites := strings.Join(flag.PreferredTLSCipherNames(), "\",\"")
+	cipherSuites = "[\"" + cipherSuites + "\"]"
+	return cipherSuites
+}