Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce min-tls and ciphers-suite application options for webhook server #556

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Introduce min-tls and ciphers-suite application options for webhook server #556

wants to merge 1 commit into from

Conversation

arsenalzp
Copy link
Contributor

This PR is introducing Minimum TLS version and Ciphers Suite feature which were requested in issue #528.

@cert-manager-prow cert-manager-prow bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Feb 13, 2025
@cert-manager-prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign inteon for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 13, 2025
@cert-manager-prow
Copy link
Contributor

Hi @arsenalzp. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@cert-manager-prow cert-manager-prow bot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 13, 2025
@erikgb
Copy link
Contributor

erikgb commented Feb 13, 2025

@arsenalzp, thanks for working on this. Could you take a look at how this is implemented in cert-manager? We would prefer a similar construct, at least the same defaults, descriptions etc. And the PR also needs to be rebased. 😺

@cert-manager-prow cert-manager-prow bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 13, 2025
@arsenalzp
Copy link
Contributor Author

@arsenalzp, thanks for working on this. Could you take a look at how this is implemented in cert-manager? We would prefer a similar construct, at least the same defaults, descriptions etc. And the PR also needs to be rebased. 😺

I did as requested by you.

@cert-manager-prow cert-manager-prow bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 13, 2025
@arsenalzp
Copy link
Contributor Author

/ok-to-test

@cert-manager-prow
Copy link
Contributor

@arsenalzp: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@erikgb
Copy link
Contributor

erikgb commented Feb 18, 2025

/ok-to-test

@cert-manager-prow cert-manager-prow bot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 18, 2025
@arsenalzp arsenalzp force-pushed the issue_528 branch 2 times, most recently from bfae5b6 to 136f5f1 Compare February 19, 2025 20:18
@cert-manager-prow cert-manager-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Feb 19, 2025
@erikgb
Copy link
Contributor

erikgb commented Feb 19, 2025

Try running make fix-golangci-lint, @arsenalzp.

@arsenalzp
add min-tls and ciphers-suite application options
201a409 
Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>

fix typos

Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>

add test of TLS configuration

Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>

improve parameters naming, add k8s TLS untils

Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>

Delete deploy/charts/trust-manager/values.schema.json

Signed-off-by: Oleksandr Krutko <46520164+arsenalzp@users.noreply.github.com>

add boilerplate in test file

Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>

fix test file boilerplate, generate Help files

Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>

add values schema

Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>

fix linter warnings

Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>
@arsenalzp
Copy link
Contributor Author

Try running make fix-golangci-lint, @arsenalzp.

Thank you!
I tried to eliminate linter errors brought by my code, however there are number of errors in util_test.go, certificates_test.go and types_test.go files.

@arsenalzp
Copy link
Contributor Author

arsenalzp commented Feb 21, 2025
edited
Loading

Colleagues, any decision on this PR? Can we merge it?

SgtCoDFish
SgtCoDFish requested changes Feb 24, 2025
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few comments, what do you think? Thanks for this!

cmd/trust-manager/app/ciphers_test.go
Comment on lines +92 to +95
if err != nil {
return
}
defer resp.Body.Close()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: the defer will never get called if we return here; the order should be different. Does that sound right to you?

Also since this doesn't call t.Error this test won't ever fail.

Suggested change
if err != nil {
return
}
defer resp.Body.Close()
defer resp.Body.Close()
if err == nil {
t.Error("expected an error from talking to a server with an unsupported cipher suite but got none")
return
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello,
Yes, looks good! Thank you!

cmd/trust-manager/app/ciphers_test.go
Comment on lines +69 to +73
resp, err := client.Get(fmt.Sprintf("https://%s", net.JoinHostPort("localhost", "6443"))) //nolint: noctx
if err != nil {
t.Fatalf("error to connect to webhook server, %s\n", err)
}
resp.Body.Close()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: If we call Fatalf the Body will never be closed - as far as I know at least!

Suggested change
resp, err := client.Get(fmt.Sprintf("https://%s", net.JoinHostPort("localhost", "6443"))) //nolint: noctx
if err != nil {
t.Fatalf("error to connect to webhook server, %s\n", err)
}
resp.Body.Close()
resp, err := client.Get(fmt.Sprintf("https://%s", net.JoinHostPort("localhost", "6443"))) //nolint: noctx
defer resp.Body.Close()
if err != nil {
t.Fatalf("error to connect to webhook server, %s\n", err)
}

cmd/trust-manager/app/ciphers_test.go
Comment on lines +114 to +115
"--webhook-host=0.0.0.0",
"--webhook-port=6443",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Do we need to listen on 0.0.0.0 here? Could we listen on 127.0.0.1 to make it a little safer?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SgtCoDFish SgtCoDFish SgtCoDFish requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. ok-to-test size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@arsenalzp @erikgb @SgtCoDFish