From 3dfa22e3fd8c650789176b9f4a8e46ab43ef5ebf Mon Sep 17 00:00:00 2001
From: Victor Garcia
Date: Wed, 24 Jan 2018 22:51:27 -0500
Subject: [PATCH] Possible cipher suites values and tls versions in help for apiserver and kubelet

---
 cmd/kubelet/app/options/options.go | 9 ++++++---
 .../apiserver/pkg/server/options/serving.go | 9 ++++++---
 .../src/k8s.io/apiserver/pkg/util/flag/BUILD | 1 +
 .../pkg/util/flag/ciphersuites_flag.go | 18 ++++++++++++++++++
 4 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
index 82d319e21d1..5cc7935a941 100644
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@@ -487,13 +487,16 @@ func AddKubeletConfigFlags(mainfs *pflag.FlagSet, c *kubeletconfig.KubeletConfig
 "If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key "+
 "are generated for the public address and saved to the directory passed to --cert-dir.")
 fs.StringVar(&c.TLSPrivateKeyFile, "tls-private-key-file", c.TLSPrivateKeyFile, "File containing x509 private key matching --tls-cert-file.")
+
+ tlsCipherPossibleValues := flag.TLSCipherPossibleValues()
 fs.StringSliceVar(&c.TLSCipherSuites, "tls-cipher-suites", c.TLSCipherSuites, "Comma-separated list of cipher suites for the server. "+
- "Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
- "If omitted, the default Go cipher suites will be used")
+ "If omitted, the default Go cipher suites will be used. "+
+ "Possible values: "+strings.Join(tlsCipherPossibleValues, ","))
+ tlsPossibleVersions := flag.TLSPossibleVersions()
 fs.StringVar(&c.TLSMinVersion, "tls-min-version", c.TLSMinVersion, "Minimum TLS version supported. "+
- "Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.")
+ "Possible values: "+strings.Join(tlsPossibleVersions, ", "))
 fs.BoolVar(&c.RotateCertificates, "rotate-certificates", c.RotateCertificates, " Auto rotate the kubelet client certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches.")
 fs.Int32Var(&c.RegistryPullQPS, "registry-qps", c.RegistryPullQPS, "If > 0, limit registry pull QPS to this value. If 0, unlimited.")
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
index 27536571382..5d21da26179 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
@@ -22,6 +22,7 @@ import (
 "net"
 "path"
 "strconv"
+ "strings"
 "github.com/golang/glog"
 "github.com/spf13/pflag"
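Review bot: The two new help strings join their value lists with different separators — `strings.Join(tlsCipherPossibleValues, ",")` for --tls-cipher-suites but `strings.Join(tlsPossibleVersions, ", ")` for --tls-min-version — and the serving.go hunk below has the same inconsistency; the cipher list is long, so a bare comma produces one unbroken token in --help output, and `", "` for both would keep the two flags readable and consistent. The hunk also calls strings.Join in options.go while this patch adds a "strings" import only for serving.go, so options.go presumably already imports it — worth confirming before merge. Because the text now advertises every key of the ciphers map without distinction, a short hedge such as `"Values outside the default Go set may weaken security. "+` would help operators who read the flag description. AddKubeletConfigFlags starts and ends outside this hunk.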
@@ -134,14 +135,16 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 fs.StringVar(&s.ServerCert.CertKey.KeyFile, "tls-private-key-file", s.ServerCert.CertKey.KeyFile, "File containing the default x509 private key matching --tls-cert-file.")
+ tlsCipherPossibleValues := utilflag.TLSCipherPossibleValues()
 fs.StringSliceVar(&s.CipherSuites, "tls-cipher-suites", s.CipherSuites, "Comma-separated list of cipher suites for the server. "+
- "Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
- "If omitted, the default Go cipher suites will be used")
+ "If omitted, the default Go cipher suites will be use. "+
+ "Possible values: "+strings.Join(tlsCipherPossibleValues, ","))
+ tlsPossibleVersions := utilflag.TLSPossibleVersions()
 fs.StringVar(&s.MinTLSVersion, "tls-min-version", s.MinTLSVersion, "Minimum TLS version supported. "+
- "Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.")
+ "Possible values: "+strings.Join(tlsPossibleVersions, ", "))
 fs.Var(utilflag.NewNamedCertKeyArray(&s.SNICertKeys), "tls-sni-cert-key", ""+
 "A pair of x509 certificate and private key file paths, optionally suffixed with a list of "+
diff --git a/staging/src/k8s.io/apiserver/pkg/util/flag/BUILD b/staging/src/k8s.io/apiserver/pkg/util/flag/BUILD
index 7a73ad0d5fe..1883510d566 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/flag/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/util/flag/BUILD
@@ -40,6 +40,7 @@ go_library(
 deps = [
 "//vendor/github.com/golang/glog:go_default_library",
 "//vendor/github.com/spf13/pflag:go_default_library",
+ "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
 ],
 )
diff --git a/staging/src/k8s.io/apiserver/pkg/util/flag/ciphersuites_flag.go b/staging/src/k8s.io/apiserver/pkg/util/flag/ciphersuites_flag.go
index 73fd62c100a..764747c2591 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/flag/ciphersuites_flag.go
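Review bot: The rewritten help string on the added line reads `"If omitted, the default Go cipher suites will be use. "+` — "use" should be "used", as the kubelet hunk spells it, and this is user-facing --help text. The line should be `"If omitted, the default Go cipher suites will be used. "+`. Both flag descriptions are now duplicated almost verbatim between options.go and serving.go, which is how this kind of drift happens; a shared string constant next to TLSCipherPossibleValues in the utilflag package would keep the two in step. AddFlags starts and ends outside this hunk.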
+++ b/staging/src/k8s.io/apiserver/pkg/util/flag/ciphersuites_flag.go
@@ -19,6 +19,8 @@ package flag
 import (
 "crypto/tls"
 "fmt"
+
+ "k8s.io/apimachinery/pkg/util/sets"
 )
 // ciphers maps strings into tls package cipher constants in
@@ -48,6 +50,14 @@ var ciphers = map[string]uint16{
 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 }
+func TLSCipherPossibleValues() []string {
+ cipherKeys := sets.NewString()
+ for key := range ciphers {
+ cipherKeys.Insert(key)
+ }
+ return cipherKeys.List()
+}
+
 func TLSCipherSuites(cipherNames []string) ([]uint16, error) {
 if len(cipherNames) == 0 {
 return nil, nil
@@ -69,6 +79,14 @@ var versions = map[string]uint16{
 "VersionTLS12": tls.VersionTLS12,
 }
+func TLSPossibleVersions() []string {
+ versionsKeys := sets.NewString()
+ for key := range versions {
+ versionsKeys.Insert(key)
+ }
+ return versionsKeys.List()
+}
+
 func TLSVersion(versionName string) (uint16, error) {
 if len(versionName) == 0 {
 return DefaultTLSVersion(), nil
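Review bot: TLSCipherPossibleValues is exported without a doc comment, and it pulls in k8s.io/apimachinery/pkg/util/sets (hence the BUILD change) only to obtain a sorted copy of the map keys, which the standard library does directly; the TLSPossibleVersions hunk (@@ -69) in the same file has both issues and duplicates the loop. Each function should carry a comment such as `// TLSCipherPossibleValues returns the cipher suite names accepted by TLSCipherSuites, sorted for stable help output.` and its analogue for TLSPossibleVersions naming TLSVersion. Collecting the keys into a preallocated slice and calling sort.Strings (which needs `"sort"` in the import block instead of the sets package) removes the new dependency and lets one unexported helper serve both functions.
```go
// sortedKeys returns the keys of m in ascending order so help output is stable.
func sortedKeys(m map[string]uint16) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// TLSCipherPossibleValues returns the cipher suite names accepted by
// TLSCipherSuites, sorted for stable help output.
func TLSCipherPossibleValues() []string {
	return sortedKeys(ciphers)
}

// … unchanged: TLSCipherSuites, versions map …

// TLSPossibleVersions returns the TLS version names accepted by
// TLSVersion, sorted for stable help output.
func TLSPossibleVersions() []string {
	return sortedKeys(versions)
}
```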