rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-08-21 08:13:09 +00:00
Code Issues Releases Wiki Activity

Merge pull request #2504 from superseb/etcd_v3415_ciphers

Browse Source 
Add stricter TLS cipher for etcd v3.4.15 and up
This commit is contained in:
Sebastiaan van Steenis 2021-04-06 21:40:05 +02:00 committed by GitHub
commit b9a126c067
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
cluster/plan.go
View File

@ -54,6 +54,7 @@ const (
MaxEtcdOldEnvVersion = "v3.2.99" MaxEtcdOldEnvVersion = "v3.2.99"
MaxK8s115Version = "v1.15" MaxK8s115Version = "v1.15"
MaxEtcdPort4001Version = "v3.4.3-rancher99" MaxEtcdPort4001Version = "v3.4.3-rancher99"
MaxEtcdNoStrictTLSVersion = "v3.4.14-rancher99"
EncryptionProviderConfigArgument = "encryption-provider-config" EncryptionProviderConfigArgument = "encryption-provider-config"
) )
@ -878,6 +879,10 @@ func (c *Cluster) BuildEtcdProcess(host *hosts.Host, etcdHosts []*hosts.Host, se
if err != nil { if err != nil {
logrus.Warn(err) logrus.Warn(err)
} }
maxEtcdNoStrictTLSVersion, err := util.StrToSemVer(MaxEtcdNoStrictTLSVersion)
if err != nil {
logrus.Warn(err)
}
// We removed advertising port 4001 starting with k8s 1.19 (etcd v3.4.13 and up) // We removed advertising port 4001 starting with k8s 1.19 (etcd v3.4.13 and up)
if etcdSemVer.LessThan(*maxEtcdPort4001Version) { if etcdSemVer.LessThan(*maxEtcdPort4001Version) {
@ -888,6 +893,14 @@ func (c *Cluster) BuildEtcdProcess(host *hosts.Host, etcdHosts []*hosts.Host, se
CommandArgs["advertise-client-urls"] = "https://" + host.InternalAddress + ":2379" CommandArgs["advertise-client-urls"] = "https://" + host.InternalAddress + ":2379"
} }
// Add in stricter TLS ciphter suites starting with etcd v3.4.15
if etcdSemVer.LessThan(*maxEtcdNoStrictTLSVersion) {
logrus.Debugf("etcd version [%s] is less than max version [%s] for adding stricter TLS cipher suites, not going to add stricter TLS cipher suites arguments to etcd", etcdSemVer, maxEtcdNoStrictTLSVersion)
} else {
logrus.Debugf("etcd version [%s] is higher than max version [%s] for adding stricter TLS cipher suites, going to add stricter TLS cipher suites arguments to etcd", etcdSemVer, maxEtcdNoStrictTLSVersion)
CommandArgs["cipher-suites"] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
}
Binds := []string{ Binds := []string{
fmt.Sprintf("%s:%s:z", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir), fmt.Sprintf("%s:%s:z", path.Join(host.PrefixPath, "/var/lib/etcd"), services.EtcdDataDir),
fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")), fmt.Sprintf("%s:/etc/kubernetes:z", path.Join(host.PrefixPath, "/etc/kubernetes")),