Enforce default cipher suites list

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
This commit is contained in:
Romain 2024-07-23 16:30:05 +02:00 committed by GitHub
parent c3e943658a
commit 70dd7cdc71
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 154 additions and 28 deletions

View file

@ -876,64 +876,69 @@ func createChainMiddleware(ctx context.Context, namespace string, chain *traefik
} }
func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options { func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options {
tlsOptionsCRD := client.GetTLSOptions() tlsOptionsCRDs := client.GetTLSOptions()
var tlsOptions map[string]tls.Options var tlsOptions map[string]tls.Options
if len(tlsOptionsCRD) == 0 { if len(tlsOptionsCRDs) == 0 {
return tlsOptions return tlsOptions
} }
tlsOptions = make(map[string]tls.Options) tlsOptions = make(map[string]tls.Options)
var nsDefault []string var nsDefault []string
for _, tlsOption := range tlsOptionsCRD { for _, tlsOptionsCRD := range tlsOptionsCRDs {
logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOption.Name), log.Str("namespace", tlsOption.Namespace))) logger := log.FromContext(log.With(ctx, log.Str("tlsOption", tlsOptionsCRD.Name), log.Str("namespace", tlsOptionsCRD.Namespace)))
var clientCAs []tls.FileOrContent var clientCAs []tls.FileOrContent
for _, secretName := range tlsOption.Spec.ClientAuth.SecretNames { for _, secretName := range tlsOptionsCRD.Spec.ClientAuth.SecretNames {
secret, exists, err := client.GetSecret(tlsOption.Namespace, secretName) secret, exists, err := client.GetSecret(tlsOptionsCRD.Namespace, secretName)
if err != nil { if err != nil {
logger.Errorf("Failed to fetch secret %s/%s: %v", tlsOption.Namespace, secretName, err) logger.Errorf("Failed to fetch secret %s/%s: %v", tlsOptionsCRD.Namespace, secretName, err)
continue continue
} }
if !exists { if !exists {
logger.Warnf("Secret %s/%s does not exist", tlsOption.Namespace, secretName) logger.Warnf("Secret %s/%s does not exist", tlsOptionsCRD.Namespace, secretName)
continue continue
} }
cert, err := getCABlocks(secret, tlsOption.Namespace, secretName) cert, err := getCABlocks(secret, tlsOptionsCRD.Namespace, secretName)
if err != nil { if err != nil {
logger.Errorf("Failed to extract CA from secret %s/%s: %v", tlsOption.Namespace, secretName, err) logger.Errorf("Failed to extract CA from secret %s/%s: %v", tlsOptionsCRD.Namespace, secretName, err)
continue continue
} }
clientCAs = append(clientCAs, tls.FileOrContent(cert)) clientCAs = append(clientCAs, tls.FileOrContent(cert))
} }
id := makeID(tlsOption.Namespace, tlsOption.Name) id := makeID(tlsOptionsCRD.Namespace, tlsOptionsCRD.Name)
// If the name is default, we override the default config. // If the name is default, we override the default config.
if tlsOption.Name == tls.DefaultTLSConfigName { if tlsOptionsCRD.Name == tls.DefaultTLSConfigName {
id = tlsOption.Name id = tlsOptionsCRD.Name
nsDefault = append(nsDefault, tlsOption.Namespace) nsDefault = append(nsDefault, tlsOptionsCRD.Namespace)
} }
alpnProtocols := tls.DefaultTLSOptions.ALPNProtocols tlsOption := tls.Options{}
if len(tlsOption.Spec.ALPNProtocols) > 0 { tlsOption.SetDefaults()
alpnProtocols = tlsOption.Spec.ALPNProtocols
tlsOption.MinVersion = tlsOptionsCRD.Spec.MinVersion
tlsOption.MaxVersion = tlsOptionsCRD.Spec.MaxVersion
if tlsOptionsCRD.Spec.CipherSuites != nil {
tlsOption.CipherSuites = tlsOptionsCRD.Spec.CipherSuites
} }
tlsOptions[id] = tls.Options{ tlsOption.CurvePreferences = tlsOptionsCRD.Spec.CurvePreferences
MinVersion: tlsOption.Spec.MinVersion, tlsOption.ClientAuth = tls.ClientAuth{
MaxVersion: tlsOption.Spec.MaxVersion, CAFiles: clientCAs,
CipherSuites: tlsOption.Spec.CipherSuites, ClientAuthType: tlsOptionsCRD.Spec.ClientAuth.ClientAuthType,
CurvePreferences: tlsOption.Spec.CurvePreferences,
ClientAuth: tls.ClientAuth{
CAFiles: clientCAs,
ClientAuthType: tlsOption.Spec.ClientAuth.ClientAuthType,
},
SniStrict: tlsOption.Spec.SniStrict,
ALPNProtocols: alpnProtocols,
} }
tlsOption.SniStrict = tlsOptionsCRD.Spec.SniStrict
if tlsOptionsCRD.Spec.ALPNProtocols != nil {
tlsOption.ALPNProtocols = tlsOptionsCRD.Spec.ALPNProtocols
}
tlsOptions[id] = tlsOption
} }
if len(nsDefault) > 1 { if len(nsDefault) > 1 {

View file

@ -860,6 +860,21 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
"http/1.1", "http/1.1",
"acme-tls/1", "acme-tls/1",
}, },
CipherSuites: []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
},
}, },
}, },
}, },
@ -915,6 +930,21 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
"http/1.1", "http/1.1",
"acme-tls/1", "acme-tls/1",
}, },
CipherSuites: []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
},
}, },
}, },
}, },
@ -3063,6 +3093,21 @@ func TestLoadIngressRoutes(t *testing.T) {
"http/1.1", "http/1.1",
"acme-tls/1", "acme-tls/1",
}, },
CipherSuites: []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
},
}, },
}, },
}, },
@ -3121,6 +3166,21 @@ func TestLoadIngressRoutes(t *testing.T) {
"http/1.1", "http/1.1",
"acme-tls/1", "acme-tls/1",
}, },
CipherSuites: []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
},
}, },
}, },
}, },
@ -5511,6 +5571,21 @@ func TestCrossNamespace(t *testing.T) {
"cross-ns-tls-options-cn": { "cross-ns-tls-options-cn": {
MinVersion: "VersionTLS12", MinVersion: "VersionTLS12",
ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"}, ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"},
CipherSuites: []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
},
}, },
}, },
}, },
@ -5555,6 +5630,21 @@ func TestCrossNamespace(t *testing.T) {
"cross-ns-tls-options-cn": { "cross-ns-tls-options-cn": {
MinVersion: "VersionTLS12", MinVersion: "VersionTLS12",
ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"}, ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"},
CipherSuites: []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
},
}, },
}, },
}, },
@ -5803,6 +5893,21 @@ func TestCrossNamespace(t *testing.T) {
"cross-ns-tls-options-cn": { "cross-ns-tls-options-cn": {
MinVersion: "VersionTLS12", MinVersion: "VersionTLS12",
ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"}, ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"},
CipherSuites: []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
},
}, },
}, },
}, },
@ -5846,6 +5951,21 @@ func TestCrossNamespace(t *testing.T) {
"cross-ns-tls-options-cn": { "cross-ns-tls-options-cn": {
MinVersion: "VersionTLS12", MinVersion: "VersionTLS12",
ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"}, ALPNProtocols: []string{"h2", "http/1.1", "acme-tls/1"},
CipherSuites: []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
},
}, },
}, },
}, },

View file

@ -32,6 +32,7 @@ type Options struct {
func (o *Options) SetDefaults() { func (o *Options) SetDefaults() {
// ensure http2 enabled // ensure http2 enabled
o.ALPNProtocols = DefaultTLSOptions.ALPNProtocols o.ALPNProtocols = DefaultTLSOptions.ALPNProtocols
o.CipherSuites = DefaultTLSOptions.CipherSuites
} }
// +k8s:deepcopy-gen=true // +k8s:deepcopy-gen=true