Fix handling of TLS configuration args

Also fixes an unrelated error formatting issue turned up while testing.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
pull/2142/head
Brad Davidson 2020-08-18 16:44:10 -07:00
parent e826439e79
commit 79c499f0e0
2 changed files with 13 additions and 9 deletions

View File

@ -187,18 +187,22 @@ func run(app *cli.Context, cfg *cmds.Server) error {
serverConfig.ControlConfig.Disables["ccm"] = true serverConfig.ControlConfig.Disables["ccm"] = true
} }
TLSMinVersion := getArgValueFromList("tls-min-version", cfg.ExtraAPIArgs) tlsMinVersionArg := getArgValueFromList("tls-min-version", cfg.ExtraAPIArgs)
serverConfig.ControlConfig.TLSMinVersion, err = kubeapiserverflag.TLSVersion(TLSMinVersion) serverConfig.ControlConfig.TLSMinVersion, err = kubeapiserverflag.TLSVersion(tlsMinVersionArg)
if err != nil { if err != nil {
return errors.Wrapf(err, "Invalid TLS Version %s: %v", TLSMinVersion, err) return errors.Wrap(err, "Invalid tls-min-version")
} }
// TLS config based on mozilla ssl-config generator // TLS config based on mozilla ssl-config generator
// https://ssl-config.mozilla.org/#server=golang&version=1.13.6&config=intermediate&guideline=5.4 // https://ssl-config.mozilla.org/#server=golang&version=1.13.6&config=intermediate&guideline=5.4
// Need to disable the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Cipher for TLS1.2 // Need to disable the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Cipher for TLS1.2
TLSCipherSuites := []string{getArgValueFromList("tls-cipher-suites", cfg.ExtraAPIArgs)} tlsCipherSuitesArg := getArgValueFromList("tls-cipher-suites", cfg.ExtraAPIArgs)
if len(TLSCipherSuites) == 0 || TLSCipherSuites[0] == "" { tlsCipherSuites := strings.Split(tlsCipherSuitesArg, ",")
TLSCipherSuites = []string{ for i := range tlsCipherSuites {
tlsCipherSuites[i] = strings.TrimSpace(tlsCipherSuites[i])
}
if len(tlsCipherSuites) == 0 || tlsCipherSuites[0] == "" {
tlsCipherSuites = []string{
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
@ -207,9 +211,9 @@ func run(app *cli.Context, cfg *cmds.Server) error {
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
} }
} }
serverConfig.ControlConfig.TLSCipherSuites, err = kubeapiserverflag.TLSCipherSuites(TLSCipherSuites) serverConfig.ControlConfig.TLSCipherSuites, err = kubeapiserverflag.TLSCipherSuites(tlsCipherSuites)
if err != nil { if err != nil {
return errors.Wrapf(err, "Invalid TLS Cipher Suites %s: %v", TLSCipherSuites, err) return errors.Wrap(err, "Invalid tls-cipher-suites")
} }
logrus.Info("Starting "+version.Program+" ", app.App.Version) logrus.Info("Starting "+version.Program+" ", app.App.Version)

View File

@ -41,7 +41,7 @@ func Rootless(stateDir string) error {
logrus.Fatal(err) logrus.Fatal(err)
} }
if err := child.Child(*childOpt); err != nil { if err := child.Child(*childOpt); err != nil {
logrus.Fatal("child died", err) logrus.Fatalf("child died: %v", err)
} }
} }