Adding support to provide tls version and tls cipher suites. (#778)

* Set default minimum TLS version for webhook server to 1.2
* Adding options to set TLS version and cipher suites

Author: sshver

config/helm/appmesh-controller/templates/deployment.yaml

@@ -124,6 +124,9 @@ spec:
         # this must be same as livenessProbe port which can be configured 
         - --health-probe-port={{ .Values.livenessProbe.httpGet.port }}
         - --wait-until-proxy-ready={{ .Values.sidecar.waitUntilProxyReady }}
+        # TLS configuration
+        - --tls-min-version={{ .Values.tlsMinVersion }}
+        - --tls-cipher-suite={{ .Values.tlsCipherSuite }}
         {{- if .Values.env }}
         env:
           {{- range $key, $value := .Values.env }}

config/helm/appmesh-controller/values.yaml

@@ -147,6 +147,10 @@ podDisruptionBudget: {}
 # Environment variables to set in appmesh-controller pod
 env: {}
 
+# TLS setting for appmesh-controller
+tlsMinVersion: VersionTLS12
+tlsCipherSuite:
+
 #Example
 #env:
 #    http_proxy: http://proxyserver:3128

main.go

@@ -18,7 +18,7 @@ package main
 
 import (
 	"context"
-	"github.com/aws/aws-sdk-go/service/eks"
+	"crypto/tls"
 	"os"
 	"strconv"
 	"time"
@@ -30,6 +30,7 @@ import (
 	"github.com/aws/aws-app-mesh-controller-for-k8s/pkg/virtualrouter"
 	"github.com/aws/aws-app-mesh-controller-for-k8s/pkg/virtualservice"
 	sdkgoaws "github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/eks"
 	"github.com/spf13/pflag"
 
 	"github.com/aws/aws-app-mesh-controller-for-k8s/pkg/conversions"
@@ -42,6 +43,7 @@ import (
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
+	k8sapiflag "k8s.io/component-base/cli/flag"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
@@ -73,6 +75,11 @@ var (
 	setupLog = ctrl.Log.WithName("setup")
 )
 
+type tlsConfig struct {
+	minVersion   string
+	cipherSuites []string
+}
+
 func init() {
 	_ = clientgoscheme.AddToScheme(scheme)
 
@@ -147,6 +154,33 @@ func main() {
 
 	k8sVersion := k8s.ServerVersion(clientSet.Discovery())
 
+	optionsTlSOptsFuncs := []func(*tls.Config){}
+
+	setupLog.Info("TlsVersion", "TLSVersion", injectConfig.TlsMinVersion)
+	setupLog.Info("TlsCipherSuite", "TlsCipherSuite", injectConfig.TlsCipherSuite)
+
+	// This function get the option from command argument (tlsConfig), check the validity through k8sapiflag
+	// and set the config for webhook server.
+	// refer to https://pkg.go.dev/k8s.io/component-base/cli/flag
+	tlsOption := func(cfg *tls.Config) {
+		tlsVersion, err := k8sapiflag.TLSVersion(injectConfig.TlsMinVersion)
+		if err != nil {
+			setupLog.Error(err, "TLS version invalid")
+			os.Exit(1)
+		}
+		cfg.MinVersion = tlsVersion
+
+		// TLSCipherSuites helper function returns a list of cipher suite IDs from the cipher suite names passed.
+		cipherSuiteIDs, err := k8sapiflag.TLSCipherSuites(injectConfig.TlsCipherSuite)
+		if err != nil {
+			setupLog.Error(err, "Failed to convert TLS cipher suite name to ID")
+			os.Exit(1)
+		}
+		cfg.CipherSuites = cipherSuiteIDs
+	}
+
+	optionsTlSOptsFuncs = append(optionsTlSOptsFuncs, tlsOption)
+
 	mgr, err := ctrl.NewManager(kubeConfig, ctrl.Options{
 		Scheme:                     scheme,
 		SyncPeriod:                 &syncPeriod,
@@ -156,6 +190,7 @@ func main() {
 		LeaderElectionID:           "appmesh-controller-leader-election",
 		LeaderElectionResourceLock: resourcelock.ConfigMapsLeasesResourceLock,
 		HealthProbeBindAddress:     healthProbeBindAddress,
+		TLSOpts:                    optionsTlSOptsFuncs,
 	})
 
 	customController := k8s.NewCustomController(

pkg/inject/config.go

@@ -59,6 +59,9 @@ const (
 	flagXRayImage            = "xray-image"
 
 	flagClusterName = "cluster-name"
+
+	flagTlsMinVersion  = "tls-min-version"
+	flagTlsCipherSuite = "tls-cipher-suite"
 )
 
 type Config struct {
@@ -123,6 +126,10 @@ type Config struct {
 	XRayImage            string
 
 	ClusterName string
+
+	// TLS settings
+	TlsMinVersion  string
+	TlsCipherSuite []string
 }
 
 // MultipleTracer checks if more than one tracer is configured.
@@ -224,6 +231,11 @@ func (cfg *Config) BindFlags(fs *pflag.FlagSet) {
 		"Secret access key for envoy container (for integration testing)")
 	fs.StringVar(&cfg.EnvoyAwsSessionToken, flagEnvoyAwsSessionToken, "",
 		"Session token for envoy container (for integration testing)")
+	fs.StringVar(&cfg.TlsMinVersion, flagTlsMinVersion, "VersionTLS12",
+		"Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.")
+	fs.StringSliceVar(&cfg.TlsCipherSuite, flagTlsCipherSuite, nil,
+		"Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be used")
+
 }
 
 func (cfg *Config) BindEnv() error {