diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
index 28a89dc67290..b552e52c721f 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
@@ -72,6 +72,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --authentication-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authorization-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/aws-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
index 965860552e8e..325ab21370c7 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
@@ -72,6 +72,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --authentication-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authorization-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/aws-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
index 28a89dc67290..b552e52c721f 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
@@ -72,6 +72,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --authentication-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authorization-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/aws-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
index 6729427577f9..ff73b77487bf 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
@@ -72,6 +72,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --authentication-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authorization-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/aws-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
index 6729427577f9..ff73b77487bf 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/aws-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_aws_cloud_controller_manager_deployment.yaml
@@ -72,6 +72,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --authentication-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authorization-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/aws-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
index a98d12f53c4d..4af0681fa91b 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
@@ -74,6 +74,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --v=4
 - --cluster-name=
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/azure-cloud-controller-manager
 image: azure-cloud-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
index f04b83971e73..fd50a9a101ee 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
@@ -74,6 +74,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --v=4
 - --cluster-name=
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/azure-cloud-controller-manager
 image: azure-cloud-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
index c1fc8dcb56c2..7276e6854db8 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
@@ -74,6 +74,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --v=4
 - --cluster-name=
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/azure-cloud-controller-manager
 image: azure-cloud-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
index 355ee94448ad..3a7cd924f442 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
@@ -74,6 +74,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --v=4
 - --cluster-name=
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/azure-cloud-controller-manager
 image: azure-cloud-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
index 355ee94448ad..3a7cd924f442 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/azure-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_azure_cloud_controller_manager_deployment.yaml
@@ -74,6 +74,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --v=4
 - --cluster-name=
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/azure-cloud-controller-manager
 image: azure-cloud-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
index baf2c753d6ae..7e668ace899d 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
@@ -73,6 +73,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --authentication-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authorization-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/gcp-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
index c53dfc1673bc..325846137471 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
@@ -73,6 +73,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --authentication-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authorization-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/gcp-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
index baf2c753d6ae..7e668ace899d 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
@@ -73,6 +73,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --authentication-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authorization-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/gcp-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
index 2eea788e4996..8089b0bf0aa1 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
@@ -73,6 +73,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --authentication-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authorization-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/gcp-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
index 2eea788e4996..8089b0bf0aa1 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/gcp-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_gcp_cloud_controller_manager_deployment.yaml
@@ -73,6 +73,8 @@ spec:
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
 - --authentication-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authorization-kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/gcp-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
index b84879a1e7e4..d0ee65c65bf0 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
@@ -85,6 +85,8 @@ spec:
 - --kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authentication-skip-lookup
 - --cluster-name=cluster_name
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/kubevirt-cloud-controller-manager
 image: kubevirt-cloud-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
index bebaf6d9afcf..8b6435cc30a0 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
@@ -85,6 +85,8 @@ spec:
 - --kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authentication-skip-lookup
 - --cluster-name=cluster_name
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/kubevirt-cloud-controller-manager
 image: kubevirt-cloud-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
index b84879a1e7e4..d0ee65c65bf0 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
@@ -85,6 +85,8 @@ spec:
 - --kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authentication-skip-lookup
 - --cluster-name=cluster_name
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/kubevirt-cloud-controller-manager
 image: kubevirt-cloud-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
index b84879a1e7e4..d0ee65c65bf0 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
@@ -85,6 +85,8 @@ spec:
 - --kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authentication-skip-lookup
 - --cluster-name=cluster_name
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/kubevirt-cloud-controller-manager
 image: kubevirt-cloud-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
index b84879a1e7e4..d0ee65c65bf0 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/kubevirt-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_kubevirt_cloud_controller_manager_deployment.yaml
@@ -85,6 +85,8 @@ spec:
 - --kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig
 - --authentication-skip-lookup
 - --cluster-name=cluster_name
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /bin/kubevirt-cloud-controller-manager
 image: kubevirt-cloud-controller-manager
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
index dcf4611b8a1f..c007dfd456c4 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
@@ -76,6 +76,8 @@ spec:
 - --leader-elect-renew-deadline=107s
 - --leader-elect-retry-period=26s
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /usr/bin/openstack-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
index c7e9f0fca48d..eff5917c786f 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
@@ -76,6 +76,8 @@ spec:
 - --leader-elect-renew-deadline=107s
 - --leader-elect-retry-period=26s
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /usr/bin/openstack-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
index dcf4611b8a1f..c007dfd456c4 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
@@ -76,6 +76,8 @@ spec:
 - --leader-elect-renew-deadline=107s
 - --leader-elect-retry-period=26s
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /usr/bin/openstack-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
index dcf4611b8a1f..c007dfd456c4 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
@@ -76,6 +76,8 @@ spec:
 - --leader-elect-renew-deadline=107s
 - --leader-elect-retry-period=26s
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /usr/bin/openstack-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
index dcf4611b8a1f..c007dfd456c4 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/openstack-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_openstack_cloud_controller_manager_deployment.yaml
@@ -76,6 +76,8 @@ spec:
 - --leader-elect-renew-deadline=107s
 - --leader-elect-retry-period=26s
 - --leader-elect-resource-namespace=openshift-cloud-controller-manager
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 command:
 - /usr/bin/openstack-cloud-controller-manager
 env:
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
index c71b53fdc08c..3dee065b0071 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/AROSwift/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
@@ -58,7 +58,10 @@ spec:
 weight: 100
 automountServiceAccountToken: false
 containers:
- - command:
+ - args:
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ command:
 - /bin/ibm-cloud-controller-manager
 - --authentication-skip-lookup
 - --bind-address=$(POD_IP_ADDRESS)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
index faa641e9470b..e29eb252bebe 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/GCP/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
@@ -58,7 +58,10 @@ spec:
 weight: 100
 automountServiceAccountToken: false
 containers:
- - command:
+ - args:
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ command:
 - /bin/ibm-cloud-controller-manager
 - --authentication-skip-lookup
 - --bind-address=$(POD_IP_ADDRESS)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
index c71b53fdc08c..3dee065b0071 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/IBMCloud/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
@@ -58,7 +58,10 @@ spec:
 weight: 100
 automountServiceAccountToken: false
 containers:
- - command:
+ - args:
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ command:
 - /bin/ibm-cloud-controller-manager
 - --authentication-skip-lookup
 - --bind-address=$(POD_IP_ADDRESS)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
index c71b53fdc08c..3dee065b0071 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
@@ -58,7 +58,10 @@ spec:
 weight: 100
 automountServiceAccountToken: false
 containers:
- - command:
+ - args:
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ command:
 - /bin/ibm-cloud-controller-manager
 - --authentication-skip-lookup
 - --bind-address=$(POD_IP_ADDRESS)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml b/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
index c71b53fdc08c..3dee065b0071 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
+++ b/control-plane-operator/controllers/hostedcontrolplane/testdata/powervs-cloud-controller-manager/zz_fixture_TestControlPlaneComponents_powervs_cloud_controller_manager_deployment.yaml
@@ -58,7 +58,10 @@ spec:
 weight: 100
 automountServiceAccountToken: false
 containers:
- - command:
+ - args:
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ command:
 - /bin/ibm-cloud-controller-manager
 - --authentication-skip-lookup
 - --bind-address=$(POD_IP_ADDRESS)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/capi_manager/deployment.go b/control-plane-operator/controllers/hostedcontrolplane/v2/capi_manager/deployment.go
index 242ffd03d315..7cbcf8dea539 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/capi_manager/deployment.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/capi_manager/deployment.go
@@ -2,6 +2,7 @@ package capimanager
 import (
 "fmt"
+ "strings"
 "github.com/openshift/hypershift/support/config"
 component "github.com/openshift/hypershift/support/controlplane-component"
@@ -26,6 +27,13 @@ func (capi *CAPIManagerOptions) adaptDeployment(cpContext component.WorkloadCont
 c.Args = append(c.Args, "--feature-gates=MachineSetPreflightChecks=false")
 }
+ if tlsMinVersion := config.MinTLSVersion(cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+
 if len(capi.imageOverride) > 0 {
 c.Image = capi.imageOverride
 }
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go
index 0d41bad5a3bf..b00a4c418b4a 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/aws/component.go
@@ -1,8 +1,16 @@
 package aws
 import (
+ "fmt"
+ "strings"
+
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+ "github.com/openshift/hypershift/support/config"
 component "github.com/openshift/hypershift/support/controlplane-component"
+ "github.com/openshift/hypershift/support/podspec"
+
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
 )
 const (
@@ -32,6 +40,7 @@ func (c *awsOptions) NeedsManagementKASAccess() bool {
 func NewComponent() component.ControlPlaneComponent {
 return component.NewDeploymentComponent(ComponentName, &awsOptions{}).
 WithPredicate(predicate).
+ WithAdaptFunction(adaptDeployment).
 WithManifestAdapter(
 "config.yaml",
 component.WithAdaptFunction(adaptConfig),
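Review bot: The two `if` blocks that turn `GetTLSSecurityProfile()` into `--tls-min-version` and `--tls-cipher-suites` are pasted verbatim into every adapter in this diff — here, the aws/gcp/powervs cloud_controller_manager component.go and deployment.go, the azure/kubevirt/openstack deployment.go, and agent.go, aws.go, azure.go, gcp.go and kubevirt.go under hypershift-operator — each fetching the profile twice. A single helper next to config.MinTLSVersion/config.CipherSuites, as sketched below, would make the TLS policy one place to review and keep the flag names and separator from drifting between components, with each call site reduced to `c.Args = append(c.Args, tlsFlags(cpContext.HCP.Spec.Configuration.GetTLSSecurityProfile())...)`. Whether `GetTLSSecurityProfile()` tolerates an unset `Configuration` is not visible from this hunk; if the getter is not nil-receiver safe every adapter added here panics on such an HCP, so a unit case with an empty Configuration is worth adding. adaptDeployment's body starts outside the hunk.
```go
// tlsFlags renders the --tls-min-version / --tls-cipher-suites flags for the
// cluster's TLS security profile; an empty result leaves the binary's defaults.
func tlsFlags(profile *configv1.TLSSecurityProfile) []string {
	var flags []string
	if v := config.MinTLSVersion(profile); v != "" {
		flags = append(flags, "--tls-min-version="+v)
	}
	if cs := config.CipherSuites(profile); len(cs) != 0 {
		flags = append(flags, "--tls-cipher-suites="+strings.Join(cs, ","))
	}
	return flags
}
```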
@@ -47,3 +56,19 @@ func NewComponent() component.ControlPlaneComponent {
 func predicate(cpContext component.WorkloadContext) (bool, error) {
 return cpContext.HCP.Spec.Platform.Type == hyperv1.AWSPlatform, nil
 }
+
+func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Deployment) error {
+ hcp := cpContext.HCP
+
+ podspec.UpdateContainer("cloud-controller-manager", deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
+ // Add TLS configuration based on cluster TLS security profile
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+ })
+
+ return nil
+}
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
index 0841db52ed16..749fddf2a0c1 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/deployment.go
@@ -2,6 +2,7 @@ package azure
 import (
 "fmt"
+ "strings"
 "github.com/openshift/hypershift/support/azureutil"
 "github.com/openshift/hypershift/support/config"
@@ -17,10 +18,21 @@ const (
 )
 func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Deployment) error {
+ hcp := cpContext.HCP
+
 podspec.UpdateContainer(containerName, deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
 c.Args = append(c.Args,
 fmt.Sprintf("--cluster-name=%s", cpContext.HCP.Spec.InfraID),
 )
+
+ // Add TLS configuration based on cluster TLS security profile
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+
 if azureutil.IsAroHCPByHCP(cpContext.HCP) {
 c.VolumeMounts = append(c.VolumeMounts,
 azureutil.CreateVolumeMountForAzureSecretStoreProviderClass(config.ManagedAzureCloudProviderSecretStoreVolumeName),
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go
index 462cc6d02a34..ef415f6f8dc9 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/gcp/component.go
@@ -1,8 +1,16 @@
 package gcp
 import (
+ "fmt"
+ "strings"
+
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+ "github.com/openshift/hypershift/support/config"
 component "github.com/openshift/hypershift/support/controlplane-component"
+ "github.com/openshift/hypershift/support/podspec"
+
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
 )
 const (
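Review bot: The new `hcp := cpContext.HCP` alias is used only by the two TLS conditions, while the same closure keeps `cpContext.HCP.Spec.InfraID` and `azureutil.IsAroHCPByHCP(cpContext.HCP)`, so the function now names the same value two ways; either drop the alias or use it throughout, e.g. `fmt.Sprintf("--cluster-name=%s", hcp.Spec.InfraID)` and `azureutil.IsAroHCPByHCP(hcp)`. The openstack deployment.go hunk later in this diff has the same pattern (`hcp` introduced, `Value: cpContext.HCP.Spec.InfraID` kept). adaptDeployment continues past the end of the hunk.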
@@ -35,6 +43,7 @@ func NewComponent() component.ControlPlaneComponent {
 // The deployment.yaml mounts that pre-created secret.
 return component.NewDeploymentComponent(ComponentName, &gcpOptions{}).
 WithPredicate(predicate).
+ WithAdaptFunction(adaptDeployment).
 WithManifestAdapter(
 "config.yaml",
 component.WithAdaptFunction(adaptConfig),
@@ -50,3 +59,19 @@ func NewComponent() component.ControlPlaneComponent {
 func predicate(cpContext component.WorkloadContext) (bool, error) {
 return cpContext.HCP.Spec.Platform.Type == hyperv1.GCPPlatform, nil
 }
+
+func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Deployment) error {
+ hcp := cpContext.HCP
+
+ podspec.UpdateContainer("cloud-controller-manager", deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
+ // Add TLS configuration based on cluster TLS security profile
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+ })
+
+ return nil
+}
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go
index 7564104d6622..b81b65b0572f 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/kubevirt/deployment.go
@@ -2,8 +2,10 @@ package kubevirt
 import (
 "fmt"
+ "strings"
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+ "github.com/openshift/hypershift/support/config"
 component "github.com/openshift/hypershift/support/controlplane-component"
 "github.com/openshift/hypershift/support/podspec"
@@ -38,6 +40,14 @@ func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Dep
 fmt.Sprintf("--cluster-name=%s", clusterName),
 )
+ // Add TLS configuration based on cluster TLS security profile
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+
 if isExternalInfra {
 c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{
 Name: infraKubeconfigVolumeName,
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go
index 08e12da9a32b..2762577b9d40 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/openstack/deployment.go
@@ -1,7 +1,11 @@
 package openstack
 import (
+ "fmt"
+ "strings"
+
 "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/manifests"
+ "github.com/openshift/hypershift/support/config"
 component "github.com/openshift/hypershift/support/controlplane-component"
 "github.com/openshift/hypershift/support/podspec"
@@ -20,6 +24,7 @@ const (
 )
 func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Deployment) error {
+ hcp := cpContext.HCP
 credentialsSecret, err := getCredentialsSecret(cpContext)
 if err != nil {
 return err
@@ -36,6 +41,14 @@ func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Dep
 Value: cpContext.HCP.Spec.InfraID,
 })
+ // Add TLS configuration based on cluster TLS security profile
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+
 if hasCACert {
 c.VolumeMounts = append(c.VolumeMounts, corev1.VolumeMount{
 Name: trustedCAVolumeName,
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go
index 83fb2f3000e7..49a431c1bdfe 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/powervs/deployment.go
@@ -2,7 +2,9 @@ package powervs
 import (
 "fmt"
+ "strings"
+ "github.com/openshift/hypershift/support/config"
 component "github.com/openshift/hypershift/support/controlplane-component"
 "github.com/openshift/hypershift/support/podspec"
@@ -20,6 +22,16 @@ func adaptDeployment(cpContext component.WorkloadContext, deployment *appsv1.Dep
 return fmt.Errorf(".spec.platform.powervs is not defined")
 }
+ podspec.UpdateContainer("cloud-controller-manager", deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
+ // Add TLS configuration based on cluster TLS security profile
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ c.Args = append(c.Args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+ })
+
 podspec.UpdateVolume(cloudCredsVolumeName, deployment.Spec.Template.Spec.Volumes, func(v *corev1.Volume) {
 v.Secret.SecretName = hcp.Spec.Platform.PowerVS.KubeCloudControllerCreds.Name
 })
diff --git a/hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go b/hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go
index 6f116cd98131..e99304e43636 100644
--- a/hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go
+++ b/hypershift-operator/controllers/hostedcluster/internal/platform/agent/agent.go
@@ -4,9 +4,11 @@ import (
 "context"
 "fmt"
 "os"
+ "strings"
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
 "github.com/openshift/hypershift/hypershift-operator/controllers/manifests/ignitionserver"
+ "github.com/openshift/hypershift/support/config"
 "github.com/openshift/hypershift/support/images"
 "github.com/openshift/hypershift/support/k8sutil"
 "github.com/openshift/hypershift/support/upsert"
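Review bot: The TLS flags are appended to `c.Args`, but the powervs fixtures earlier in this diff show that this container carries every other flag inside `command:` (`/bin/ibm-cloud-controller-manager`, `--authentication-skip-lookup`, …), so after the change it is the only component here whose flags are split across two lists. Kubernetes concatenates command and args, so this works, but it is harder to audit in the rendered manifest, and the change only has the intended effect if that binary parses `--tls-min-version` and `--tls-cipher-suites`; I cannot tell from the diff that it does, and an unrecognised flag would stop the pod at startup rather than fall back to defaults. A comment above the `UpdateContainer` call such as `// The fixed command line lives in deployment.yaml; profile-derived TLS flags are appended as args` would record the split, and a startup check on a PowerVS cluster would confirm the flags are accepted. adaptDeployment starts outside the hunk.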
@@ -63,7 +65,7 @@ func (p Agent) ReconcileCAPIInfraCR(ctx context.Context, c client.Client, create
 return agentCluster, nil
 }
-func (p Agent) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
+func (p Agent) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, hcp *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
 providerImage := imageCAPAgent
 if envImage := os.Getenv(images.AgentCAPIProviderEnvVar); len(envImage) > 0 {
 providerImage = envImage
@@ -71,6 +73,26 @@ func (p Agent) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hy
 if override, ok := hcluster.Annotations[hyperv1.ClusterAPIAgentProviderImage]; ok {
 providerImage = override
 }
+
+ // Build container args with TLS configuration
+ args := []string{
+ "--namespace", "$(MY_NAMESPACE)",
+ "--health-probe-bind-address=:8081",
+ "--metrics-bind-address=127.0.0.1:8080",
+ "--leader-elect",
+ "--agent-namespace", hcluster.Spec.Platform.Agent.AgentNamespace,
+ }
+
+ // Add TLS configuration based on cluster TLS security profile
+ if hcp != nil {
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ args = append(args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ args = append(args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+ }
+
 deploymentSpec := &appsv1.DeploymentSpec{
 Replicas: ptr.To[int32](1),
 Template: corev1.PodTemplateSpec{
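Review bot: When `hcp` is nil the `if hcp != nil` guard silently omits both TLS flags, so the provider serves with whatever its build defaults are and nothing in the args, the logs or the Deployment records that the cluster's TLS security profile was not applied; the same guard is repeated in aws.go, azure.go, gcp.go and kubevirt.go in this diff. Whether any caller actually passes a nil HostedControlPlane is not visible here; if one can, a comment stating that case and its consequence, e.g. `// hcp may be nil (TODO: document when); the provider then serves with its compiled-in TLS defaults`, or a log line at that point, would make the weaker configuration a deliberate choice rather than an accident of call order. CAPIProviderDeploymentSpec continues past the hunk.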
@@ -91,13 +113,7 @@ func (p Agent) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hy
 },
 },
 Command: []string{"/manager"},
- Args: []string{
- "--namespace", "$(MY_NAMESPACE)",
- "--health-probe-bind-address=:8081",
- "--metrics-bind-address=127.0.0.1:8080",
- "--leader-elect",
- "--agent-namespace", hcluster.Spec.Platform.Agent.AgentNamespace,
- },
+ Args: args,
 LivenessProbe: &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{
 HTTPGet: &corev1.HTTPGetAction{
diff --git a/hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go b/hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
index f42affcf8081..764250b4c27c 100644
--- a/hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
+++ b/hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
@@ -7,6 +7,7 @@ import (
 "strings"
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+ "github.com/openshift/hypershift/support/config"
 "github.com/openshift/hypershift/support/images"
 "github.com/openshift/hypershift/support/upsert"
@@ -100,7 +101,7 @@ func (p AWS) ReconcileCAPIInfraCR(ctx context.Context, c client.Client, createOr
 return awsCluster, nil
 }
-func (p AWS) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
+func (p AWS) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, hcp *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
 providerImage := p.capiProviderImage
 if envImage := os.Getenv(images.AWSCAPIProviderEnvVar); len(envImage) > 0 {
 // Only override CAPA image with env var if payload version < 4.12
@@ -119,6 +120,24 @@ func (p AWS) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hype
 featureGates = append(featureGates, "ROSA=false")
 }
+ // Build container args with TLS configuration
+ args := []string{
+ "--namespace", "$(MY_NAMESPACE)",
+ "--v=4",
+ "--leader-elect=true",
+ fmt.Sprintf("--feature-gates=%s", strings.Join(featureGates, ",")),
+ }
+
+ // Add TLS configuration based on cluster TLS security profile
+ if hcp != nil {
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ args = append(args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ args = append(args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+ }
+
 defaultMode := int32(0640)
 deploymentSpec := &appsv1.DeploymentSpec{
 Replicas: ptr.To[int32](1),
@@ -211,11 +230,7 @@ func (p AWS) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hype
 Value: "true",
 },
 },
- Args: []string{"--namespace", "$(MY_NAMESPACE)",
- "--v=4",
- "--leader-elect=true",
- fmt.Sprintf("--feature-gates=%s", strings.Join(featureGates, ",")),
- },
+ Args: args,
 Ports: []corev1.ContainerPort{
 {
 Name: "healthz",
diff --git a/hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go b/hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
index 6d633c16e840..a3fed6baf64d 100644
--- a/hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
+++ b/hypershift-operator/controllers/hostedcluster/internal/platform/azure/azure.go
@@ -89,7 +89,7 @@ func (a Azure) ReconcileCAPIInfraCR(
 return azureCluster, nil
 }
-func (a Azure) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
+func (a Azure) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, hcp *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
 image := a.capiProviderImage
 if envImage := os.Getenv(images.AzureCAPIProviderEnvVar); len(envImage) > 0 {
 image = envImage
@@ -97,6 +97,25 @@ func (a Azure) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hy
 if override, ok := hcluster.Annotations[hyperv1.ClusterAPIAzureProviderImage]; ok {
 image = override
 }
+
+ // Build container args with TLS configuration
+ args := []string{
+ "--namespace=$(MY_NAMESPACE)",
+ "--leader-elect=true",
+ "--feature-gates=MachinePool=false,ASOAPI=false",
+ "--disable-controllers-or-webhooks=DisableASOSecretController",
+ }
+
+ // Add TLS configuration based on cluster TLS security profile
+ if hcp != nil {
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ args = append(args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ args = append(args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+ }
+
 defaultMode := int32(0640)
 deploymentSpec := &appsv1.DeploymentSpec{
 Replicas: ptr.To[int32](1),
@@ -108,12 +127,7 @@ func (a Azure) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hy
 Name: "manager",
 Image: image,
 ImagePullPolicy: corev1.PullIfNotPresent,
- Args: []string{
- "--namespace=$(MY_NAMESPACE)",
- "--leader-elect=true",
- "--feature-gates=MachinePool=false,ASOAPI=false",
- "--disable-controllers-or-webhooks=DisableASOSecretController",
- },
+ Args: args,
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse("10m"),
diff --git a/hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go b/hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
index b31c21befc18..dae9e7dcce23 100644
--- a/hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
+++ b/hypershift-operator/controllers/hostedcluster/internal/platform/gcp/gcp.go
@@ -22,6 +22,7 @@ import (
 "strings"
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+ "github.com/openshift/hypershift/support/config"
 "github.com/openshift/hypershift/support/gcputil"
 "github.com/openshift/hypershift/support/images"
 "github.com/openshift/hypershift/support/k8sutil"
@@ -177,7 +178,7 @@ func (p GCP) reconcileGCPCluster(gcpCluster *capigcp.GCPCluster, hcluster *hyper
 // CAPIProviderDeploymentSpec implements CAPG controller deployment specification.
 // This method creates a deployment spec for the CAPG (Cluster API Provider GCP)
 // controller with proper image handling, feature gates, and WIF preparation.
-func (p GCP) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
+func (p GCP) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, hcp *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
 // Validate GCP platform configuration is present
 if hcluster.Spec.Platform.GCP == nil {
 return nil, fmt.Errorf("GCP platform configuration is missing")
@@ -202,6 +203,12 @@ func (p GCP) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hype
 "MachinePool=false", // Disable for Phase 1
 }
+ // Version-conditional feature gates (future-proofing)
+ if p.payloadVersion != nil && p.payloadVersion.Major == 4 && p.payloadVersion.Minor > 16 {
+ featureGates = append(featureGates, "ClusterResourceSet=false") // Example
+ }
+
+ // Build container args with TLS configuration
 args := []string{
 "--namespace=$(MY_NAMESPACE)",
 "--leader-elect=true",
@@ -209,6 +216,16 @@ func (p GCP) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hype
 "--v=2",
 }
+ // Add TLS configuration based on cluster TLS security profile
+ if hcp != nil {
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ args = append(args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ args = append(args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+ }
+
 containers := []corev1.Container{
 {
 Name: "manager",
diff --git a/hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go b/hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go
index a536ac1df6a2..e1f12313e6eb 100644
--- a/hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go
+++ b/hypershift-operator/controllers/hostedcluster/internal/platform/kubevirt/kubevirt.go
@@ -4,8 +4,10 @@ import (
 "context"
 "fmt"
 "os"
+ "strings"
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+ "github.com/openshift/hypershift/support/config"
 "github.com/openshift/hypershift/support/images"
 "github.com/openshift/hypershift/support/upsert"
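Review bot: The `Version-conditional feature gates (future-proofing)` block appends `ClusterResourceSet=false` to featureGates for 4.17+ payloads, which is unrelated to the TLS change this commit makes and is itself labelled `// Example`; presumably featureGates is rendered into the CAPG `--feature-gates` flag further down, so placeholder code would change the provider's feature set in production for those versions. Either drop the block from this commit or replace the `// Example` comment with the actual reason the gate is disabled and add a test asserting the resulting feature-gate argument for a 4.17 payload. CAPIProviderDeploymentSpec starts and ends outside the hunk.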
@@ -68,7 +70,7 @@ func reconcileKubevirtCluster(kubevirtCluster *capikubevirt.KubevirtCluster, hcl
 kubevirtCluster.Status.Ready = true
 }
 
-func (p Kubevirt) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
+func (p Kubevirt) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, hcp *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
 providerImage := ""
 if envImage := os.Getenv(images.KubevirtCAPIProviderEnvVar); len(envImage) > 0 {
 providerImage = envImage
@@ -79,6 +81,24 @@ func (p Kubevirt) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _
 if providerImage == "" {
 return nil, fmt.Errorf("kubevirt CAPI provider image not specified by environment variable %s or annotation %s", images.KubevirtCAPIProviderEnvVar, hyperv1.ClusterAPIKubeVirtProviderImage)
 }
+
+ // Build container args with TLS configuration
+ args := []string{
+ "--namespace", "$(MY_NAMESPACE)",
+ "--v=4",
+ "--leader-elect=true",
+ }
+
+ // Add TLS configuration based on cluster TLS security profile
+ if hcp != nil {
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ args = append(args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ args = append(args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+ }
+
 defaultMode := int32(0640)
 return &appsv1.DeploymentSpec{
 Replicas: ptr.To[int32](1),
@@ -131,11 +151,7 @@ func (p Kubevirt) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _
 },
 },
 Command: []string{"/manager"},
- Args: []string{
- "--namespace", "$(MY_NAMESPACE)",
- "--v=4",
- "--leader-elect=true",
- },
+ Args: args,
 Ports: []corev1.ContainerPort{
 {
 Name: "healthz",
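Review bot: In the `@@ -79,6 +81,24 @@` hunk the kubevirt manager is now started with `--tls-min-version` and `--tls-cipher-suites`, but nothing on this page shows that the cluster-api-provider-kubevirt binary registers those flags, and an unrecognised flag aborts startup with a flag-parse error rather than degrading to default TLS settings; the same question applies to the GCP, OpenStack and PowerVS binaries, while the fixtures in this commit only pin how the flags are rendered. Before merging, confirm each provider's flag set (and the provider version that introduced the flags) and leave a short comment above `if hcp != nil {` naming the upstream flag definitions relied on. CAPIProviderDeploymentSpec begins before this hunk and continues after it.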
diff --git a/hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go b/hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go
index 4ce567002fe9..6ec85c0d8b25 100644
--- a/hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go
+++ b/hypershift-operator/controllers/hostedcluster/internal/platform/openstack/openstack.go
@@ -4,9 +4,11 @@ import (
 "context"
 "fmt"
 "os"
+ "strings"
 
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
 "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/cloud/openstack"
+ "github.com/openshift/hypershift/support/config"
 "github.com/openshift/hypershift/support/images"
 "github.com/openshift/hypershift/support/openstackutil"
 "github.com/openshift/hypershift/support/upsert"
@@ -174,7 +176,7 @@ func reconcileOpenStackClusterSpec(hcluster *hyperv1.HostedCluster, openStackClu
 return nil
 }
 
-func (a OpenStack) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
+func (a OpenStack) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, hcp *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
 capoImage := a.capiProviderImage
 if envImage := os.Getenv(images.OpenStackCAPIProviderEnvVar); len(envImage) > 0 {
 capoImage = envImage
@@ -189,6 +191,32 @@ func (a OpenStack) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _
 if override, ok := hcluster.Annotations[hyperv1.OpenStackResourceControllerImage]; ok {
 orcImage = override
 }
+
+ // Build container args with TLS configuration
+ capoArgs := []string{
+ "--namespace=$(MY_NAMESPACE)",
+ "--leader-elect",
+ "--v=2",
+ // HyperShift runs CAPO in a namespace-scoped deployment and manages CRDs
+ // itself. CAPO v0.14 introduced a crdmigrator controller that requires
+ // cluster-scoped RBAC (list openstackclusteridentities, patch
+ // customresourcedefinitions) that we do not and cannot grant. Skipping
+ // all phases causes crdmigrator.SetupWithManager to return early without
+ // registering the controller, eliminating the spurious RBAC errors.
+ "--skip-crd-migration-phases=StorageVersionMigration",
+ "--skip-crd-migration-phases=CleanupManagedFields",
+ }
+
+ // Add TLS configuration based on cluster TLS security profile
+ if hcp != nil {
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ capoArgs = append(capoArgs, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ capoArgs = append(capoArgs, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+ }
+
 allowPrivilegeEscalation := false
 defaultMode := int32(0640)
 deploymentSpec := appsv1.DeploymentSpec{
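Review bot: Only `capoArgs` receives the TLS flags; the same function also selects `orcImage` (overridable through the hyperv1.OpenStackResourceControllerImage annotation), so the openstack-resource-controller container this spec presumably also runs keeps its previous argument list and, if it serves TLS for metrics or webhooks, stays on the binary's defaults instead of the cluster profile. If ORC does not accept these flags, record that next to the declaration, e.g. `// TLS flags apply to CAPO only; ORC does not expose --tls-min-version/--tls-cipher-suites — confirm against the ORC release in use`, so the asymmetry reads as deliberate rather than as an omission. CAPIProviderDeploymentSpec continues outside the hunk on both sides.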
@@ -221,19 +249,7 @@ func (a OpenStack) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _
 Image: capoImage,
 ImagePullPolicy: corev1.PullIfNotPresent,
 Command: []string{"/manager"},
- Args: []string{
- "--namespace=$(MY_NAMESPACE)",
- "--leader-elect",
- "--v=2",
- // HyperShift runs CAPO in a namespace-scoped deployment and manages CRDs
- // itself. CAPO v0.14 introduced a crdmigrator controller that requires
- // cluster-scoped RBAC (list openstackclusteridentities, patch
- // customresourcedefinitions) that we do not and cannot grant. Skipping
- // all phases causes crdmigrator.SetupWithManager to return early without
- // registering the controller, eliminating the spurious RBAC errors.
- "--skip-crd-migration-phases=StorageVersionMigration",
- "--skip-crd-migration-phases=CleanupManagedFields",
- },
+ Args: capoArgs,
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse("10m"),
diff --git a/hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go b/hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go
index c0f1215b731b..03565f312049 100644
--- a/hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go
+++ b/hypershift-operator/controllers/hostedcluster/internal/platform/powervs/powervs.go
@@ -4,8 +4,10 @@ import (
 "context"
 "fmt"
 "os"
+ "strings"
 
 hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+ "github.com/openshift/hypershift/support/config"
 "github.com/openshift/hypershift/support/images"
 "github.com/openshift/hypershift/support/upsert"
 
@@ -75,7 +77,7 @@ func (p PowerVS) ReconcileCAPIInfraCR(ctx context.Context, c client.Client, crea
 return ibmCluster, nil
 }
 
-func (p PowerVS) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
+func (p PowerVS) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, hcp *hyperv1.HostedControlPlane) (*appsv1.DeploymentSpec, error) {
 defaultMode := int32(416)
 providerImage := p.capiProviderImage
 
@@ -86,6 +88,23 @@ func (p PowerVS) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *
 providerImage = override
 }
 
+ // Build container args with TLS configuration
+ args := []string{"--namespace", "$(MY_NAMESPACE)",
+ "--v=4",
+ "--leader-elect=true",
+ "--provider-id-fmt=v2",
+ }
+
+ // Add TLS configuration based on cluster TLS security profile
+ if hcp != nil {
+ if tlsMinVersion := config.MinTLSVersion(hcp.Spec.Configuration.GetTLSSecurityProfile()); tlsMinVersion != "" {
+ args = append(args, fmt.Sprintf("--tls-min-version=%s", tlsMinVersion))
+ }
+ if cipherSuites := config.CipherSuites(hcp.Spec.Configuration.GetTLSSecurityProfile()); len(cipherSuites) != 0 {
+ args = append(args, fmt.Sprintf("--tls-cipher-suites=%s", strings.Join(cipherSuites, ",")))
+ }
+ }
+
 deploymentSpec := &appsv1.DeploymentSpec{
 Template: corev1.PodTemplateSpec{
 Spec: corev1.PodSpec{
@@ -146,11 +165,7 @@ func (p PowerVS) CAPIProviderDeploymentSpec(hcluster *hyperv1.HostedCluster, _ *
 },
 },
 Command: []string{"/bin/cluster-api-provider-ibmcloud-controller-manager"},
- Args: []string{"--namespace", "$(MY_NAMESPACE)",
- "--v=4",
- "--leader-elect=true",
- "--provider-id-fmt=v2",
- },
+ Args: args,
 Ports: []corev1.ContainerPort{
 {
 Name: "healthz",
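Review bot: In the `@@ -86,6 +88,23 @@` hunk the first two elements of the new `args` literal sit on the declaration line (`args := []string{"--namespace", "$(MY_NAMESPACE)",`) while the remaining ones are one per line, a layout carried over from the removed block that now differs from the literal the same commit writes in kubevirt.go. Open the literal on its own line, `args := []string{` followed by `"--namespace", "$(MY_NAMESPACE)",`, so the four providers read alike. CAPIProviderDeploymentSpec begins before this hunk and continues after it.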
diff --git a/hypershift-operator/controllers/hostedcluster/testdata/capi-provider/zz_fixture_TestReconcileComponents.yaml b/hypershift-operator/controllers/hostedcluster/testdata/capi-provider/zz_fixture_TestReconcileComponents.yaml
index fe399d3b5d97..3bda43b78d21 100644
--- a/hypershift-operator/controllers/hostedcluster/testdata/capi-provider/zz_fixture_TestReconcileComponents.yaml
+++ b/hypershift-operator/controllers/hostedcluster/testdata/capi-provider/zz_fixture_TestReconcileComponents.yaml
@@ -62,6 +62,8 @@ spec:
 - --v=4
 - --leader-elect=true
 - --feature-gates=EKS=false,ROSA=false
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 env:
 - name: MY_NAMESPACE
 valueFrom:
diff --git a/hypershift-operator/controllers/hostedcluster/testdata/cluster-api/zz_fixture_TestReconcileComponents.yaml b/hypershift-operator/controllers/hostedcluster/testdata/cluster-api/zz_fixture_TestReconcileComponents.yaml
index ca6ee942b800..6ba0c2c1c1ce 100644
--- a/hypershift-operator/controllers/hostedcluster/testdata/cluster-api/zz_fixture_TestReconcileComponents.yaml
+++ b/hypershift-operator/controllers/hostedcluster/testdata/cluster-api/zz_fixture_TestReconcileComponents.yaml
@@ -68,6 +68,8 @@ spec:
 - --leader-elect-lease-duration=137s
 - --leader-elect-retry-period=26s
 - --leader-elect-renew-deadline=107s
+ - --tls-min-version=VersionTLS12
+ - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 env:
 - name: MY_NAMESPACE
 valueFrom: