NE-2744: UPSTREAM: 8227: fix(tls): use Go TLS defaults#194
Conversation
Remove fixed TLS 1.2 cipher suite list and maximum TLS version so crypto/tls can use its maintained defaults. Keep TLS 1.2 as the minimum supported version. Document the shared TLS default behavior for plugins that expose TLS configuration and add coverage to ensure CoreDNS leaves Go-managed TLS fields unset. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
|
Skipping CI for Draft Pull Request. |
|
@aswinsuryan: This pull request references NE-2744 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughModifies TLS configuration defaults by removing explicit MaxVersion and CipherSuites restrictions from setTLSDefaults, keeping only MinVersion TLS1.2, and relying on Go crypto/tls defaults otherwise. Adds nosec annotations, updates tests with default-value assertions, and documents the change across plugin READMEs. ChangesTLS defaults relaxation
Estimated code review effort: 2 (Simple) | ~12 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
/retest-required |
|
@aswinsuryan: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/assign @davidesalerno |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: davidesalerno The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/jira refresh |
|
@candita: This pull request references NE-2744 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/hold |
1. Why is this pull request needed and what does it do?
Cherry-pick of coredns#8227 which removes hardcoded TLS cipher
suites and MaxVersion from setTLSDefaults, delegating to Go crypto/tls
defaults. This enables post-quantum key exchange (ML-KEM/X25519MLKEM768)
supported natively since Go 1.24.
2. Which issues (if any) are related?
3. Which documentation changes (if any) need to be made?
4. Does this introduce a backward incompatible change or deprecation?
Summary by CodeRabbit
Documentation
Bug Fixes