Add support for TLS curves in TLSProfile
This change will add a new Curves field to the TLSProfile specification.
This is required in order to support new PQC curves: we need a config for explicitly setting the supported elliptic-curve algorithms ("curve suite") that are negotiated during the SSL/TLS handshake with ECDHE.
This PR is related to openshift/cluster-ingress-operator#1287 and openshift/router#678
Pipeline controller notification
This repository is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.
For optional jobs, comment /test ? to see a list of all defined jobs. Review these jobs and use /test <job> to manually trigger optional jobs most likely to be impacted by the proposed changes.
Hello @davidesalerno! Some important instructions when contributing to openshift/api: API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
/cc @sanchezl
Walkthrough
This pull request adds a new TLSCurve string type with seven named constants and a Curves []TLSCurve field to TLSProfileSpec and related structs. Default curve lists are set for Old, Intermediate, and Modern profiles. Ingress-specific types IngressCustomTLSProfile and IngressTLSProfileSpec were added, exposing ciphers, minTLSVersion, and curves. A TLSCurvesConfiguration feature gate was introduced. Generated artifacts (CRDs, OpenAPI, Swagger docs, deepcopy, and payload manifests) were updated to include the curves field, enum values, validation rules, examples, and documentation.
Pre-merge checks (2 passed, 1 warning)
Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | Warning | Docstring coverage is 0.00%, below the required threshold of 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | Passed | The title clearly describes the main change: adding TLS curves support to the OpenShift API's TLSProfile specification, which is the primary objective of the changeset. |
| Description check | Passed | The description accurately explains the purpose of the change: adding a Curves field to TLSProfile to support post-quantum cryptography curves, and provides relevant context and related PR references. |
[!WARNING] There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.
golangci-lint (2.5.0)
Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
https://github.com/openshift/api/compare/58da6c8c1090bcc312e8f1bd3d8bca87cd47227d..eba1e60731dc58f0c314e2ef10ed38dd3f528c00 dropped X448. Was that intentional, perhaps because Go's crypto/tls package doesn't include support? Do we have agreement from stakeholders that the current set of curves is sufficient? https://github.com/openshift/api/blob/eba1e60731dc58f0c314e2ef10ed38dd3f528c00/config/v1/types_tlssecurityprofile.go#L205-L224
@Miciah
Yes, I removed X448 based on what @sanchezl suggested here about the mapping with Go crypto/tls.
Replaces https://github.com/openshift/api/pull/2512
@davidesalerno please work with @richardsonnick to get a jira/rfe number associated with this PR.
Based on the discussions in https://github.com/openshift/enhancements/pull/1894, it sounds like this is potentially blocked on upstream kubelet/apiserver support for curves?
Would it make sense to introduce this type but only apply it for the TLS configuration in ingress? Or would we like to hold this until we can ensure all components would conform to this?
@yuqi-zhang I discussed this with some engineers internally and we decided that the upstream changes should not block this api change. However, we will need to do this at some point to ensure consistency.
I don't really understand how the API will plumb through to kubelet / apiserver if upstream components don't actually set the servers to use these TLS curves.
I had to revert TLS Curve support for Kueue because I can't really add support for configuring TLS curves if there isn't support for this in SecureServing as extended apiservers won't be protected.
Copying your comment from the slack thread:
[TLS 1.3 is non-configurable in golang](https://github.com/golang/go/issues/29349) (i.e. curves, cipher suites, etc. cannot be changed from the default)
The upstream configuration object for the kubelet config does not currently have TLS curve support (and we do not currently have plans to add this)
So based on that, we are ok with TechPreview only curve support for TLS 1.2, and only for ingress and apiserver. We don't allow TLS 1.3 + curve, or curve + anything kubelet related.
In that case, since this PR is currently adding curves to the tlsprofile in kubeletconfig as well, perhaps we should split those types such that tlsprofile in kubeletconfig doesn't have curve option, which I think is Kevin's concern.
Please let me know if any of that is incorrect, thanks!
My main concern is similar to @everettraven (https://github.com/openshift/enhancements/pull/1894#issuecomment-3671473044).
Kube-APIServer / Kubelet upstream components do not yet have the flags to set this on their respective servers. So unless I am missing something we would need to carry some kind of patch downstream that adds these CLI parameters so that the servers actually respect the API we set.
Otherwise we end up having an API that doesn't actually configure the kubernetes components to use the right tls curves.
"So based on that, we are ok with TechPreview only curve support for TLS 1.2, and only for ingress and apiserver. We don't allow TLS 1.3 + curve, or curve + anything kubelet related."
To my knowledge this comment is correct. We are forced to keep this as TechPreview until TLS1.3 curve specification support is provided upstream.
Keeping it tech preview until support is provided by core components seems reasonable to me. I suspect we would like to get the Kubernetes API server and the Kubelet to support this configuration as part of this effort since both of those configuration APIs rely on this type and any changes are subsequently reflected as configuration options on those APIs as well.
I don't know that this needs to necessarily wait until TLS 1.3 curve configuration support if we are able to block configuring fields for now when minTLSVersion is set to 1.3.
/assign
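The name-to-crypto/tls mapping questioned above (the X448 drop) and the "no curves with minTLSVersion 1.3" rule the thread converges on, as an added Go example that is not part of this PR or of openshift/api. The curve names, the `Profile` type, `Validate` and `Handshake` are this example's own assumptions; the crypto/tls group identifiers are real, with X25519MLKEM768 written as its IANA code point 0x11EC so the code also compiles on Go releases before 1.24. The in-process handshake shows what the field does on the wire: a server restricted to P-256 completes a TLS 1.2 handshake with a client offering P-256 and rejects a client offering only X25519.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TLSCurve names a curve as an API field value; the names are this example's own, not the PR's.
type TLSCurve string

const (
	CurveP256           TLSCurve = "P-256"
	CurveX25519         TLSCurve = "X25519"
	CurveX25519MLKEM768 TLSCurve = "X25519MLKEM768" // hybrid post-quantum group
)

// curveIDs maps API names onto crypto/tls group identifiers. 0x11EC is the IANA code point
// for X25519MLKEM768 (tls.X25519MLKEM768 since Go 1.24), spelled numerically to compile on older Go.
var curveIDs = map[TLSCurve]tls.CurveID{
	CurveP256:           tls.CurveP256,
	CurveX25519:         tls.X25519,
	CurveX25519MLKEM768: tls.CurveID(0x11EC),
}

// Profile is a cut-down, assumed stand-in for a TLS profile spec.
type Profile struct {
	MinTLSVersion uint16 // tls.VersionTLS12 or tls.VersionTLS13
	Curves        []TLSCurve
}

// Validate encodes the thread's rule: curves only with minTLSVersion 1.2, known names, no duplicates.
func (p Profile) Validate() error {
	if len(p.Curves) > 0 && p.MinTLSVersion >= tls.VersionTLS13 {
		return fmt.Errorf("curves cannot be set when minTLSVersion is VersionTLS13")
	}
	seen := map[TLSCurve]bool{}
	for _, c := range p.Curves {
		if _, ok := curveIDs[c]; !ok || seen[c] {
			return fmt.Errorf("unknown or duplicate curve %q", c)
		}
		seen[c] = true
	}
	return nil
}

// CurvePreferences renders the list in the order crypto/tls negotiates it.
func (p Profile) CurvePreferences() []tls.CurveID {
	ids := make([]tls.CurveID, 0, len(p.Curves))
	for _, c := range p.Curves {
		ids = append(ids, curveIDs[c])
	}
	return ids
}

// selfSigned mints a throwaway ECDSA certificate. ECDSA matters: it rules out RSA key
// exchange, so a curve mismatch fails the handshake instead of falling back to a non-ECDHE suite.
func selfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one TLS 1.2 handshake over an in-memory pipe: the server is configured from p,
// the client offers only clientCurves. A nil result means both sides agreed on a group.
func Handshake(p Profile, clientCurves []tls.CurveID) error {
	if err := p.Validate(); err != nil {
		return err
	}
	cert, err := selfSigned()
	if err != nil {
		return err
	}
	srv := &tls.Config{
		MinVersion:       p.MinTLSVersion,
		MaxVersion:       tls.VersionTLS12, // pinned: the thread allows curves for 1.2 only
		Certificates:     []tls.Certificate{cert},
		CurvePreferences: p.CurvePreferences(),
	}
	cli := &tls.Config{
		MaxVersion:         tls.VersionTLS12,
		CurvePreferences:   clientCurves,
		InsecureSkipVerify: true, // throwaway self-signed cert; never ship this setting
	}
	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(c2, srv).Handshake() }()
	cliErr := tls.Client(c1, cli).Handshake()
	if err := <-srvErr; err != nil {
		return err
	}
	return cliErr
}
```

Two design points worth keeping in mind when wiring a field like this through to real servers. First, crypto/tls applies `CurvePreferences` to the TLS 1.3 key_share groups as well, so a config-level guard such as `Validate` is what enforces a "1.2 only" policy; the library will not do it for you. Second, the server certificate here is deliberately ECDSA: with an RSA certificate on a toolchain that still enables RSA key exchange suites, a curve mismatch can silently negotiate a non-forward-secret suite instead of failing, which is exactly the kind of degradation a curve list is meant to rule out.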
@davidesalerno: This pull request references NE-2334 which is a valid jira issue.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
There's also a few issues from coderabbit (inconsistent curve naming) and CI (lack of unit tests, code generation failures) that should be addressed.
Also had a similar question to https://github.com/openshift/enhancements/pull/1894#issuecomment-3785847877 . Should we split the APIs so the kubeletconfig one doesn't have curve configuration for now?
@davidesalerno: /override requires failed status contexts to operate on, but none was given
In response to this:
/override
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/override pull-ci-openshift-api-master-verify-crd-schema
@davidesalerno: davidesalerno unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file, and the following github teams:openshift: openshift-release-oversight openshift-staff-engineers openshift-sustaining-engineers.
In response to this:
/override pull-ci-openshift-api-master-verify-crd-schema
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@davidesalerno: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/minor-e2e-upgrade-minor | 06dfa52b53f5a7951f13dee6b78c14ef6557b31c | link | true | /test minor-e2e-upgrade-minor |
| ci/prow/verify | 06dfa52b53f5a7951f13dee6b78c14ef6557b31c | link | true | /test verify |
| ci/prow/verify-crd-schema | 06dfa52b53f5a7951f13dee6b78c14ef6557b31c | link | true | /test verify-crd-schema |
| ci/prow/images | 06dfa52b53f5a7951f13dee6b78c14ef6557b31c | link | true | /test images |
| ci/prow/minor-images | 06dfa52b53f5a7951f13dee6b78c14ef6557b31c | link | true | /test minor-images |
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.