Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 19 additions & 1 deletion pkg/etcdenvvar/etcd_env.go
Original file line number Diff line number Diff line change
Expand Up @@ -295,6 +295,14 @@ func getObservedTLSMinVersion(envVarContext envVarContext) (tlsutil.TLSVersion,
return "", fmt.Errorf("couldn't get minTLSVersion from observedConfig: %w", err)
}

// During bootstrap the config observation controller hasn't converged yet,
// so observedConfig.servingInfo.minTLSVersion will be empty. Fall back to
// TLSProfileIntermediateType defaults (TLS 1.2).
if observedMinTLSVersion == "" {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check isn't really necessary, crypto.TLSVersion returns TLSVersion12 if the input is empty: https://github.com/openshift/library-go/blob/257053230f0be3e7325f38dc00d98147c7f77e16/pkg/crypto/crypto.go#L86

klog.Warningf("observedConfig minTLSVersion is empty, falling back to TLSProfileIntermediateType default (TLS 1.2)")
return tlsutil.TLSVersion12, nil
}

// map tls version to string recognized by etcd
v, err := crypto.TLSVersion(observedMinTLSVersion)
if err != nil {
Expand Down Expand Up @@ -328,10 +336,20 @@ func getCipherSuites(envVarContext envVarContext) (map[string]string, error) {
return nil, fmt.Errorf("couldn't get cipherSuites from observedConfig: %w", err)
}

// During bootstrap the config observation controller hasn't converged yet,
// so observedConfig.servingInfo.cipherSuites will be empty. Fall back to
// TLSProfileIntermediateType defaults, matching the render path
// (pkg/cmd/render/env.go:getTLSCipherSuites).
if len(observedCipherSuites) == 0 {
klog.Warningf("observedConfig cipherSuites is empty, falling back to TLSProfileIntermediateType defaults")
profileSpec := v1.TLSProfiles[v1.TLSProfileIntermediateType]
observedCipherSuites = crypto.OpenSSLToIANACipherSuites(profileSpec.Ciphers)
}

actualCipherSuites := tlshelpers.SupportedEtcdCiphers(observedCipherSuites)

if len(actualCipherSuites) == 0 {
return nil, fmt.Errorf("no supported cipherSuites not found in observedConfig")
return nil, fmt.Errorf("no supported cipherSuites found in observedConfig")
}

observedMinTLSVersion, err := getObservedTLSMinVersion(envVarContext)
Expand Down
98 changes: 98 additions & 0 deletions pkg/etcdenvvar/etcd_env_test.go
Original file line number Diff line number Diff line change
@@ -1,11 +1,109 @@
package etcdenvvar

import (
"strings"
"testing"

operatorv1 "github.com/openshift/api/operator/v1"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gopkg.in/yaml.v3"
"k8s.io/apimachinery/pkg/runtime"
)

func TestGetCipherSuites(t *testing.T) {
testCases := []struct {
name string
observedConfig map[string]any
expectErr bool
errContains string
expectEnvKey string
expectCiphers []string
}{
{
name: "populated observedConfig returns expected ciphers",
observedConfig: map[string]any{
"servingInfo": map[string]any{
"cipherSuites": []string{
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
},
"minTLSVersion": "VersionTLS12",
},
},
expectEnvKey: "ETCD_CIPHER_SUITES",
expectCiphers: []string{
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
},
},
{
name: "empty observedConfig falls back to TLSProfileIntermediateType defaults",
observedConfig: map[string]any{},
expectEnvKey: "ETCD_CIPHER_SUITES",
expectCiphers: []string{
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
},
},
{
name: "observedConfig with only unsupported ciphers returns error",
observedConfig: map[string]any{
"servingInfo": map[string]any{
"cipherSuites": []string{
"TLS_UNSUPPORTED_CIPHER_1",
"TLS_UNSUPPORTED_CIPHER_2",
},
"minTLSVersion": "VersionTLS12",
},
},
expectErr: true,
errContains: "no supported cipherSuites found",
},
}

for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
observedConfigYaml, err := yaml.Marshal(tc.observedConfig)
require.NoError(t, err)

ctx := envVarContext{
spec: operatorv1.StaticPodOperatorSpec{
OperatorSpec: operatorv1.OperatorSpec{
ObservedConfig: runtime.RawExtension{Raw: observedConfigYaml},
},
},
}

result, err := getCipherSuites(ctx)

if tc.expectErr {
require.Error(t, err)
assert.Contains(t, err.Error(), tc.errContains)
return
}

require.NoError(t, err)
require.NotNil(t, result)

cipherValue, ok := result[tc.expectEnvKey]
require.True(t, ok, "expected key %q in result", tc.expectEnvKey)

actualCiphers := strings.Split(cipherValue, ",")
assert.Equal(t, tc.expectCiphers, actualCiphers)
})
}
}

func TestConvertDBSize(t *testing.T) {
testCases := []struct {
name string
Expand Down