Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

adding feature to set TLS configuration #776

Closed
wants to merge 4 commits into from

Conversation

kangsheng89
Copy link

Issue #, if available:

Description of changes:
This is enable user to configure TLS setting for the controller manager

  • setting for minimum TLS version
  • setting for preferred TLS cipher suites

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@kangsheng89
Copy link
Author

@ysdongAmazon could help to review this?

@kangsheng89
Copy link
Author

@sshver could help to approve and trigger the workflow?

@kangsheng89
Copy link
Author

@sshver once this done, do i require to update helm chart at https://github.com/aws/eks-charts/tree/master/stable/appmesh-controller?

Copy link
Contributor

@joesbigidea joesbigidea left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for submitting this! I have a couple of small changes that would be good to include.

// TLSVersion helper function returns the TLS Version ID for the version name passed.
tlsVersion, err := k8sapiflag.TLSVersion(tlsOpt.minVersion)
if err != nil {
setupLog.Error(err, "TLS version invalid")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should be exiting on failure to honor this setting. The same applies to the cipher suites.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also it would be good to handle the interpreting of the tls options in main up front, and just pass the values into this function. That would keep any argument handling logic in a single place, and make sure it happens right away on startup similar to other argument parsing failures.

Copy link
Author

@kangsheng89 kangsheng89 May 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joesbigidea Thank for highlighting on exiting on failure. For second point, my opinion is that when NewManager is called, it will callback on setting the TLS config, if we exit with failure, the controller will not able to start anyway. Furthermore, this config is expecting the callback function https://github.com/kubernetes-sigs/controller-runtime/blob/v0.14.6/pkg/manager/manager.go#L253

May b u could show me how u organize the argument handling logic and i could refer to it. Hehe.. I am not the expert in this domain nor familiar on the organization for this project and need your help to guide me.

main.go Show resolved Hide resolved
// This function get the option from command argument (tlsConfig), check the validity through k8sapiflag
// and set the config for webhook server.
// refer to https://pkg.go.dev/k8s.io/component-base/cli/flag
func tlsConfigSetting(cfg *tls.Config, tlsOpt tlsConfig) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This probably warrants a unit test.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joesbigidea i dint see any unit-test current for the main.go from makefile refer to https://github.com/aws/aws-app-mesh-controller-for-k8s/blob/master/Makefile#L35. Could u help me on this?

@joesbigidea
Copy link
Contributor

@kangsheng89 Since we want to get this change out quickly @sshver made a few small structural changes to this in a separate PR. That PR has been manually tested and we'll go ahead and get that one merged and released. Thank you for your contribution.

@kangsheng89
Copy link
Author

Thank you! @joesbigidea and @sshver

@kangsheng89 kangsheng89 deleted the feat/tls_config branch May 29, 2024 12:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants