[cherry-pick: release-v0.80.x] fix(consoleplugin): translate IANA ciphers to OpenSSL for nginx #3655
Open
tekton-robot wants to merge 1 commit into
Apply cluster cipher suites to the nginx ssl_ciphers directive by translating IANA cipher suite names (used by OpenShift TLS profiles) to their OpenSSL equivalents required by nginx.

The mapping is derived by inverting library-go's openSSLToIANACiphersMap (the canonical source of truth for OpenShift TLS profile ciphers). TLS 1.3 ciphers are intentionally excluded since nginx/OpenSSL negotiates them automatically when TLSv1.3 appears in ssl_protocols.

This resolves the tls-scanner TC08 finding where the console plugin nginx was not honoring the cluster cipher suite (Intermediate profile).

Relates-To: SRVKP-9632
Signed-off-by: Jawed khelil <jkhelil@redhat.com>
Assisted-by: Claude Sonnet 4.6 (via Cursor)
Co-authored-by: Cursor <cursoragent@cursor.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Member:
/release-note-none

Member:
/retest
This is a cherry-pick of #3639
## Summary

- `pipelines-console-plugin` nginx was not honoring the cluster cipher suite (Intermediate profile) — `api_server_tls_config_compliance.ciphers=false`
- `ianaToOpenSSLCiphers()` to translate IANA cipher suite names (from the OpenShift APIServer TLS profile) to the OpenSSL names required by nginx's `ssl_ciphers` directive
- `openSSLToIANACiphersMap` — the canonical source of truth for OpenShift profile ciphers
- (`TLS_AES_*`, `TLS_CHACHA20_*`) are intentionally skipped: nginx/OpenSSL negotiates them automatically when `TLSv1.3` is in `ssl_protocols`
- `ssl_prefer_server_ciphers on;` is emitted alongside `ssl_ciphers` so the cluster-defined ordering is respected

## Context

Part of the central TLS management work (SRVKP-9632). The console plugin already:

- `ssl_protocols` and ML-KEM PQC groups (`ssl_conf_command Groups X25519MLKEM768:X25519`)

This PR adds the missing `ssl_ciphers` piece.

## Behaviour when APIServer cipher list is nil

When no explicit `tlsSecurityProfile` is set on `APIServer/cluster`, the operator receives a nil cipher list and writes no `ssl_ciphers` directive. Nginx then falls back to its built-in default (`HIGH:!aNULL:!MD5`), which on RHEL/OpenSSL 3.x expands to ~131 cipher suites — far broader than any OpenShift TLS profile.

This is intentional and consistent with all other Pipelines components: propagate what the APIServer provides, never invent a fallback cipher list. Production OpenShift clusters always carry an explicit TLS profile (the platform default is Intermediate, confirmed by library-go: `DefaultTLSProfileType = TLSProfileIntermediateType`). A cluster with no profile set is misconfigured from a compliance standpoint — the operator should not silently mask that.

To reproduce real production conditions, explicitly set the Intermediate profile:

```shell
oc patch apiserver cluster --type=merge \
  -p '{"spec":{"tlsSecurityProfile":{"type":"Intermediate","intermediate":{}}}}'
```

## Cluster validation evidence

APIServer set to Intermediate profile. The nginx ConfigMap is generated with exactly the 6 TLS 1.2 Intermediate ciphers:

Live TLS handshake tests:

- `ECDHE-RSA-AES128-GCM-SHA256` (Intermediate cipher)
- `AES256-SHA` (Old-profile-only cipher)

## Test plan

- `tls-scanner` and confirm TC08 passes

Relates-To: SRVKP-9632
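The translation the PR describes, written out as an added Go example; this is not the project's code and not the `ianaToOpenSSLCiphers()` from the PR. It inverts a constructed subset of an OpenSSL-to-IANA table shaped like library-go's `openSSLToIANACiphersMap` (the table contents here are an assumption, not a copy of library-go's), skips TLS 1.3 suites by name prefix, keeps the profile's ordering, reports IANA names the table does not know instead of emitting them, and yields no directive for a nil or empty list so the operator never invents a cipher list. The function names and `sampleIntermediateIANA` are illustrative assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// openSSLToIANA has the shape of library-go's openSSLToIANACiphersMap but is a
// constructed subset for this example, not the project's table: the six TLS 1.2
// suites of the Intermediate profile plus one Old-profile-only suite.
var openSSLToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	"AES256-SHA":                    "TLS_RSA_WITH_AES_256_CBC_SHA",
}

// ianaToOpenSSL is the inverse table, built once at startup.
var ianaToOpenSSL = mustInvert(openSSLToIANA)

// sampleIntermediateIANA is a constructed stand-in for the IANA-named list an
// APIServer with the Intermediate profile would hand the operator: three TLS 1.3
// suites followed by the six TLS 1.2 suites, in profile order.
var sampleIntermediateIANA = []string{
	"TLS_AES_128_GCM_SHA256",
	"TLS_AES_256_GCM_SHA384",
	"TLS_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

// invertCipherMap builds IANA -> OpenSSL from OpenSSL -> IANA. Two OpenSSL names
// mapping to one IANA name would make the inverse ambiguous, so that is an error
// rather than a silent pick of whichever map iteration order happened to win.
func invertCipherMap(m map[string]string) (map[string]string, error) {
	inv := make(map[string]string, len(m))
	for openssl, iana := range m {
		if prev, dup := inv[iana]; dup {
			return nil, fmt.Errorf("IANA name %s maps to both %s and %s", iana, prev, openssl)
		}
		inv[iana] = openssl
	}
	return inv, nil
}

func mustInvert(m map[string]string) map[string]string {
	inv, err := invertCipherMap(m)
	if err != nil {
		panic(err) // a static table defect; fail at startup, not during reconcile
	}
	return inv
}

// isTLS13Cipher reports whether an IANA name is a TLS 1.3 suite. These never go
// into ssl_ciphers: OpenSSL negotiates them itself once TLSv1.3 is in ssl_protocols.
func isTLS13Cipher(iana string) bool {
	return strings.HasPrefix(iana, "TLS_AES_") || strings.HasPrefix(iana, "TLS_CHACHA20_")
}

// ianaToOpenSSLCiphers translates in the order given (the profile's preference
// order), skips TLS 1.3 suites and returns unknown names separately so the caller
// can log them instead of writing a name nginx would reject at startup.
func ianaToOpenSSLCiphers(iana []string) (openssl, unknown []string) {
	for _, name := range iana {
		if isTLS13Cipher(name) {
			continue
		}
		if o, ok := ianaToOpenSSL[name]; ok {
			openssl = append(openssl, o)
		} else {
			unknown = append(unknown, name)
		}
	}
	return openssl, unknown
}

// nginxCipherDirectives returns the lines to add to the nginx server block. A nil
// or empty list (no tlsSecurityProfile on the APIServer) yields nil: no directive
// is written and nginx's own default applies, mirroring the PR's stated policy.
func nginxCipherDirectives(iana []string) (lines, unknown []string) {
	openssl, unknown := ianaToOpenSSLCiphers(iana)
	if len(openssl) == 0 {
		return nil, unknown
	}
	return []string{
		"ssl_ciphers " + strings.Join(openssl, ":") + ";",
		"ssl_prefer_server_ciphers on;",
	}, unknown
}

func main() {
	lines, unknown := nginxCipherDirectives(sampleIntermediateIANA)
	for _, l := range lines {
		fmt.Println(l)
	}
	if len(unknown) > 0 {
		fmt.Println("# untranslated IANA names:", strings.Join(unknown, ", "))
	}
}
```

Run as-is it prints the two directives for the constructed Intermediate list, with the three TLS 1.3 names dropped and the six TLS 1.2 names in the order the profile gave them. Keeping the unknown-name path separate from the directive output is the part worth copying: a cipher the table does not know is a table or profile problem to surface in logs, not something to paper over with a guessed OpenSSL spelling.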