diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index bc95ee7657..30c7473405 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -2869,29 +2869,6 @@ } } }, - "v1.CustomTLSProfile": { - "description": "CustomTLSProfile is a user-defined TLS security profile. Be extremely careful using a custom TLS profile as invalid configurations can be catastrophic.", - "type": "object", - "required": [ - "ciphers", - "minTLSVersion" - ], - "properties": { - "ciphers": { - "description": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", - "type": "array", - "items": { - "type": "string", - "default": "" - } - }, - "minTLSVersion": { - "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", - "type": "string", - "default": "" - } - } - }, "v1.DeleteOptions": { "description": "DeleteOptions may be provided when deleting an API object.", "type": "object", @@ -2959,10 +2936,6 @@ } } }, - "v1.IntermediateTLSProfile": { - "description": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29", - "type": "object" - }, "v1.LabelSelector": { "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", "type": "object", 
@@ -3082,10 +3055,6 @@
 }
 }
 },
- "v1.ModernTLSProfile": {
- "description": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility",
- "type": "object"
- },
 "v1.NodeAffinity": {
 "description": "Node affinity is a group of node affinity scheduling rules.",
 "type": "object",
@@ -3273,10 +3242,6 @@
 }
 }
 },
- "v1.OldTLSProfile": {
- "description": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility",
- "type": "object"
- },
 "v1.OwnerReference": {
 "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.",
 "type": "object",
@@ -3657,44 +3622,6 @@ } } }, - "v1.TLSSecurityProfile": { - "description": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", - "type": "object", - "properties": { - "custom": { - "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n minTLSVersion: VersionTLS11", - "$ref": "#/definitions/v1.CustomTLSProfile" - }, - "intermediate": { - "description": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n minTLSVersion: VersionTLS12", - "$ref": "#/definitions/v1.IntermediateTLSProfile" - }, - "modern": { - "description": "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n minTLSVersion: VersionTLS13\n\nNOTE: Currently unsupported.", - "$ref": "#/definitions/v1.ModernTLSProfile" - }, - "old": { - "description": "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - 
TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA\n minTLSVersion: VersionTLS10", - "$ref": "#/definitions/v1.OldTLSProfile" - }, - "type": { - "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.", - "type": "string", - "default": "" - } - }, - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "custom": "Custom", - "intermediate": "Intermediate", - "modern": "Modern", - "old": "Old" - } - } - ] - }, "v1.Time": { "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", "type": "string", 
@@ -3990,7 +3917,7 @@ }, "tlsSecurityProfile": { "description": "TLSSecurityProfile is used by operators to apply cluster-wide TLS security settings to operands.", - "$ref": "#/definitions/v1.TLSSecurityProfile" + "$ref": "#/definitions/v1beta1.TLSSecurityProfile" }, "uploadProxyURLOverride": { "description": "Override the URL used when uploading to a DataVolume", @@ -4199,6 +4126,29 @@ } } }, + "v1beta1.CustomTLSProfile": { + "description": "CustomTLSProfile is a user-defined TLS security profile. Be extremely careful using a custom TLS profile as invalid configurations can be catastrophic.", + "type": "object", + "required": [ + "ciphers", + "minTLSVersion" + ], + "properties": { + "ciphers": { + "description": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + "type": "array", + "items": { + "type": "string", + "default": "" + } + }, + "minTLSVersion": { + "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + "type": "string", + "default": "" + } + } + }, "v1beta1.CustomizeComponents": { "description": "CustomizeComponents defines patches for components deployed by the CDI operator.", "type": "object", 
@@ -5090,6 +5040,18 @@
 }
 }
 },
+ "v1beta1.IntermediateTLSProfile": {
+ "description": "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29",
+ "type": "object"
+ },
+ "v1beta1.ModernTLSProfile": {
+ "description": "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility",
+ "type": "object"
+ },
+ "v1beta1.OldTLSProfile": {
+ "description": "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility",
+ "type": "object"
+ },
 "v1beta1.StorageSpec": {
 "description": "StorageSpec defines the Storage type specification",
 "type": "object",
@@ -5138,6 +5100,44 @@ } } }, + "v1beta1.TLSSecurityProfile": { + "description": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", + "type": "object", + "properties": { + "custom": { + "description": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n minTLSVersion: VersionTLS11", + "$ref": "#/definitions/v1beta1.CustomTLSProfile" + }, + "intermediate": { + "description": "intermediate is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n minTLSVersion: VersionTLS12", + "$ref": "#/definitions/v1beta1.IntermediateTLSProfile" + }, + "modern": { + "description": "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n minTLSVersion: VersionTLS13\n\nNOTE: Currently unsupported.", + "$ref": "#/definitions/v1beta1.ModernTLSProfile" + }, + "old": { + "description": "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n - 
TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA\n minTLSVersion: VersionTLS10", + "$ref": "#/definitions/v1beta1.OldTLSProfile" + }, + "type": { + "description": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.", + "type": "string", + "default": "" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "type", + "fields-to-discriminateBy": { + "custom": "Custom", + "intermediate": "Intermediate", + "modern": "Modern", + "old": "Old" + } + } + ] + }, "v1beta1.UploadTokenRequest": { "description": "UploadTokenRequest is the CR used to initiate a CDI upload", "type": "object", 
diff --git a/pkg/apis/core/v1beta1/openapi_generated.go b/pkg/apis/core/v1beta1/openapi_generated.go
index 5b6a1dfd3c..94ab625ed8 100644
--- a/pkg/apis/core/v1beta1/openapi_generated.go
+++ b/pkg/apis/core/v1beta1/openapi_generated.go
@@ -565,6 +565,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ClaimPropertySet": schema_pkg_apis_core_v1beta1_ClaimPropertySet(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ComponentConfig": schema_pkg_apis_core_v1beta1_ComponentConfig(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ConditionState": schema_pkg_apis_core_v1beta1_ConditionState(ref),
+ "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.CustomTLSProfile": schema_pkg_apis_core_v1beta1_CustomTLSProfile(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.CustomizeComponents": schema_pkg_apis_core_v1beta1_CustomizeComponents(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.CustomizeComponentsPatch": schema_pkg_apis_core_v1beta1_CustomizeComponentsPatch(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.DataImportCron": schema_pkg_apis_core_v1beta1_DataImportCron(ref),
@@ -601,16 +602,21 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ImportProxy": schema_pkg_apis_core_v1beta1_ImportProxy(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ImportSourceType": schema_pkg_apis_core_v1beta1_ImportSourceType(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ImportStatus": schema_pkg_apis_core_v1beta1_ImportStatus(ref),
+ "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.IntermediateTLSProfile": schema_pkg_apis_core_v1beta1_IntermediateTLSProfile(ref),
+ "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ModernTLSProfile": schema_pkg_apis_core_v1beta1_ModernTLSProfile(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ObjectTransfer": schema_pkg_apis_core_v1beta1_ObjectTransfer(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ObjectTransferCondition": schema_pkg_apis_core_v1beta1_ObjectTransferCondition(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ObjectTransferList": schema_pkg_apis_core_v1beta1_ObjectTransferList(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ObjectTransferSpec": schema_pkg_apis_core_v1beta1_ObjectTransferSpec(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ObjectTransferStatus": schema_pkg_apis_core_v1beta1_ObjectTransferStatus(ref),
+ "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.OldTLSProfile": schema_pkg_apis_core_v1beta1_OldTLSProfile(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.StorageProfile": schema_pkg_apis_core_v1beta1_StorageProfile(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.StorageProfileList": schema_pkg_apis_core_v1beta1_StorageProfileList(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.StorageProfileSpec": schema_pkg_apis_core_v1beta1_StorageProfileSpec(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.StorageProfileStatus": schema_pkg_apis_core_v1beta1_StorageProfileStatus(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.StorageSpec": schema_pkg_apis_core_v1beta1_StorageSpec(ref),
+ "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.TLSProfileSpec": schema_pkg_apis_core_v1beta1_TLSProfileSpec(ref),
+ "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.TLSSecurityProfile": schema_pkg_apis_core_v1beta1_TLSSecurityProfile(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.TransferSource": schema_pkg_apis_core_v1beta1_TransferSource(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.TransferTarget": schema_pkg_apis_core_v1beta1_TransferTarget(ref),
 "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.VolumeCloneSource": schema_pkg_apis_core_v1beta1_VolumeCloneSource(ref),
@@ -26831,7 +26837,7 @@ func schema_pkg_apis_core_v1beta1_CDIConfigSpec(ref common.ReferenceCallback) co
 "tlsSecurityProfile": {
 SchemaProps: spec.SchemaProps{
 Description: "TLSSecurityProfile is used by operators to apply cluster-wide TLS security settings to operands.",
- Ref: ref("github.com/openshift/api/config/v1.TLSSecurityProfile"),
+ Ref: ref("kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.TLSSecurityProfile"),
 },
 },
 "imagePullSecrets": {
@@ -26859,7 +26865,7 @@ func schema_pkg_apis_core_v1beta1_CDIConfigSpec(ref common.ReferenceCallback) co
 },
 },
 Dependencies: []string{
- "github.com/openshift/api/config/v1.TLSSecurityProfile", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/api/core/v1.ResourceRequirements", "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.FilesystemOverhead", "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ImportProxy"},
+ "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/api/core/v1.ResourceRequirements", "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.FilesystemOverhead", "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ImportProxy", "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.TLSSecurityProfile"},
 }
 }
 
@@ -27296,6 +27302,43 @@ func schema_pkg_apis_core_v1beta1_ConditionState(ref common.ReferenceCallback) c
 }
 }
 
+func schema_pkg_apis_core_v1beta1_CustomTLSProfile(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "CustomTLSProfile is a user-defined TLS security profile. Be extremely careful using a custom TLS profile as invalid configurations can be catastrophic.",
+ Type: []string{"object"},
+ Properties: map[string]spec.Schema{
+ "ciphers": {
+ SchemaProps: spec.SchemaProps{
+ Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA",
+ Type: []string{"array"},
+ Items: &spec.SchemaOrArray{
+ Schema: &spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Default: "",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ },
+ },
+ },
+ "minTLSVersion": {
+ SchemaProps: spec.SchemaProps{
+ Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12",
+ Default: "",
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ },
+ Required: []string{"ciphers", "minTLSVersion"},
+ },
+ },
+ }
+}
+
 func schema_pkg_apis_core_v1beta1_CustomizeComponents(ref common.ReferenceCallback) common.OpenAPIDefinition {
 return common.OpenAPIDefinition{
 Schema: spec.Schema{
@@ -28886,6 +28929,28 @@ func schema_pkg_apis_core_v1beta1_ImportStatus(ref common.ReferenceCallback) com
 }
 }
 
+func schema_pkg_apis_core_v1beta1_IntermediateTLSProfile(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "IntermediateTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29",
+ Type: []string{"object"},
+ },
+ },
+ }
+}
+
+func schema_pkg_apis_core_v1beta1_ModernTLSProfile(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "ModernTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility",
+ Type: []string{"object"},
+ },
+ },
+ }
+}
+
 func schema_pkg_apis_core_v1beta1_ObjectTransfer(ref common.ReferenceCallback) common.OpenAPIDefinition {
 return common.OpenAPIDefinition{
 Schema: spec.Schema{
@@ -29123,6 +29188,17 @@ func schema_pkg_apis_core_v1beta1_ObjectTransferStatus(ref common.ReferenceCallb
 }
 }
 
+func schema_pkg_apis_core_v1beta1_OldTLSProfile(ref common.ReferenceCallback) common.OpenAPIDefinition {
+ return common.OpenAPIDefinition{
+ Schema: spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Description: "OldTLSProfile is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility",
+ Type: []string{"object"},
+ },
+ },
+ }
+}
+
 func schema_pkg_apis_core_v1beta1_StorageProfile(ref common.ReferenceCallback) common.OpenAPIDefinition {
 return common.OpenAPIDefinition{
 Schema: spec.Schema{
@@ -29412,6 +29488,105 @@ func schema_pkg_apis_core_v1beta1_StorageSpec(ref common.ReferenceCallback) comm } } +func schema_pkg_apis_core_v1beta1_TLSProfileSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "ciphers": { + SchemaProps: spec.SchemaProps{ + Description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "minTLSVersion": { + SchemaProps: spec.SchemaProps{ + Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + Required: []string{"ciphers", "minTLSVersion"}, + }, + }, + } +} + +func schema_pkg_apis_core_v1beta1_TLSSecurityProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "type": { + SchemaProps: spec.SchemaProps{ + Description: "type is one of Old, Intermediate, Modern or Custom. 
Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.\n\nNote that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "old": { + SchemaProps: spec.SchemaProps{ + Description: "old is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n - DHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - DHE-RSA-AES128-SHA256\n - DHE-RSA-AES256-SHA256\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA\n minTLSVersion: VersionTLS10", + Ref: ref("kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.OldTLSProfile"), + }, + }, + "intermediate": { + SchemaProps: spec.SchemaProps{ + Description: "intermediate is a TLS security profile based 
on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29\n\nand looks like this (yaml):\n\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - DHE-RSA-AES128-GCM-SHA256\n - DHE-RSA-AES256-GCM-SHA384\n minTLSVersion: VersionTLS12", + Ref: ref("kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.IntermediateTLSProfile"), + }, + }, + "modern": { + SchemaProps: spec.SchemaProps{ + Description: "modern is a TLS security profile based on:\n\nhttps://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility\n\nand looks like this (yaml):\n\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n minTLSVersion: VersionTLS13\n\nNOTE: Currently unsupported.", + Ref: ref("kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ModernTLSProfile"), + }, + }, + "custom": { + SchemaProps: spec.SchemaProps{ + Description: "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. 
An example custom profile looks like this:\n\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n minTLSVersion: VersionTLS11", + Ref: ref("kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.CustomTLSProfile"), + }, + }, + }, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "type", + "fields-to-discriminateBy": map[string]interface{}{ + "custom": "Custom", + "intermediate": "Intermediate", + "modern": "Modern", + "old": "Old", + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.CustomTLSProfile", "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.IntermediateTLSProfile", "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.ModernTLSProfile", "kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1.OldTLSProfile"}, + } +} + func schema_pkg_apis_core_v1beta1_TransferSource(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/pkg/operator/resources/crds_generated.go b/pkg/operator/resources/crds_generated.go index 72bf4c08cc..0c5bb6af16 100644 --- a/pkg/operator/resources/crds_generated.go +++ b/pkg/operator/resources/crds_generated.go @@ -253,7 +253,7 @@ spec: can be catastrophic. An example custom profile looks like this: \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - minTLSVersion: TLSv1.1" + minTLSVersion: VersionTLS11" nullable: true properties: ciphers: 
@@ -269,15 +269,18 @@ spec: description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions - 1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n - NOTE: currently the highest minTLSVersion allowed is - VersionTLS12" + 1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: VersionTLS11 + \n NOTE: currently the highest minTLSVersion allowed + is VersionTLS12" enum: - VersionTLS10 - VersionTLS11 - VersionTLS12 - VersionTLS13 type: string + required: + - ciphers + - minTLSVersion type: object intermediate: description: "intermediate is a TLS security profile based @@ -288,7 +291,7 @@ spec: - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 - minTLSVersion: TLSv1.2" + minTLSVersion: VersionTLS12" nullable: true type: object modern: @@ -296,7 +299,7 @@ spec: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 - minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported." + minTLSVersion: VersionTLS13 \n NOTE: Currently unsupported." nullable: true type: object old: @@ -313,7 +316,7 @@ spec: ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256 - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - AES256-SHA256 - AES128-SHA - AES256-SHA - - DES-CBC3-SHA minTLSVersion: TLSv1.0" + - DES-CBC3-SHA minTLSVersion: VersionTLS10" nullable: true type: object type: @@ -2553,7 +2556,7 @@ spec: can be catastrophic. An example custom profile looks like this: \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - minTLSVersion: TLSv1.1" + minTLSVersion: VersionTLS11" nullable: true properties: ciphers: 
@@ -2569,15 +2572,18 @@ spec: description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions - 1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n - NOTE: currently the highest minTLSVersion allowed is - VersionTLS12" + 1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: VersionTLS11 + \n NOTE: currently the highest minTLSVersion allowed + is VersionTLS12" enum: - VersionTLS10 - VersionTLS11 - VersionTLS12 - VersionTLS13 type: string + required: + - ciphers + - minTLSVersion type: object intermediate: description: "intermediate is a TLS security profile based @@ -2588,7 +2594,7 @@ spec: - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 - minTLSVersion: TLSv1.2" + minTLSVersion: VersionTLS12" nullable: true type: object modern: @@ -2596,7 +2602,7 @@ spec: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 - minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported." + minTLSVersion: VersionTLS13 \n NOTE: Currently unsupported." nullable: true type: object old: @@ -2613,7 +2619,7 @@ spec: ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256 - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - AES256-SHA256 - AES128-SHA - AES256-SHA - - DES-CBC3-SHA minTLSVersion: TLSv1.0" + - DES-CBC3-SHA minTLSVersion: VersionTLS10" nullable: true type: object type: 
@@ -4822,7 +4828,7 @@ spec: can be catastrophic. An example custom profile looks like this: \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - minTLSVersion: TLSv1.1" + minTLSVersion: VersionTLS11" nullable: true properties: ciphers: @@ -4837,14 +4843,17 @@ spec: description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 - and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n NOTE: currently - the highest minTLSVersion allowed is VersionTLS12" + and 1.3 (yaml): \n minTLSVersion: VersionTLS11 \n NOTE: + currently the highest minTLSVersion allowed is VersionTLS12" enum: - VersionTLS10 - VersionTLS11 - VersionTLS12 - VersionTLS13 type: string + required: + - ciphers + - minTLSVersion type: object intermediate: description: "intermediate is a TLS security profile based on: @@ -4854,14 +4863,14 @@ spec: - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 - - DHE-RSA-AES256-GCM-SHA384 minTLSVersion: TLSv1.2" + DHE-RSA-AES256-GCM-SHA384 minTLSVersion: VersionTLS12" nullable: true type: object modern: description: "modern is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 minTLSVersion: - TLSv1.3 \n NOTE: Currently unsupported." + VersionTLS13 \n NOTE: Currently unsupported." nullable: true type: object old: 
@@ -4876,7 +4885,7 @@ spec: - ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256 - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - AES256-SHA256 - - AES128-SHA - AES256-SHA - DES-CBC3-SHA minTLSVersion: TLSv1.0" + - AES128-SHA - AES256-SHA - DES-CBC3-SHA minTLSVersion: VersionTLS10" nullable: true type: object type: diff --git a/pkg/util/tls-crypto-watch/BUILD.bazel b/pkg/util/tls-crypto-watch/BUILD.bazel index e85b75df82..a293241286 100644 --- a/pkg/util/tls-crypto-watch/BUILD.bazel +++ b/pkg/util/tls-crypto-watch/BUILD.bazel @@ -10,7 +10,6 @@ go_library( "//pkg/client/informers/externalversions:go_default_library", "//pkg/common:go_default_library", "//staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1:go_default_library", - "//vendor/github.com/openshift/api/config/v1:go_default_library", "//vendor/github.com/openshift/library-go/pkg/crypto:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/client-go/tools/cache:go_default_library", diff --git a/pkg/util/tls-crypto-watch/tls-crypto-watch.go b/pkg/util/tls-crypto-watch/tls-crypto-watch.go index 8ce4168a61..ca4c55c2ad 100644 --- a/pkg/util/tls-crypto-watch/tls-crypto-watch.go +++ b/pkg/util/tls-crypto-watch/tls-crypto-watch.go @@ -24,7 +24,6 @@ import ( "crypto/tls" "sync" - ocpconfigv1 "github.com/openshift/api/config/v1" ocpcrypto "github.com/openshift/library-go/pkg/crypto" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/tools/cache" 
@@ -126,11 +125,11 @@ func (ctw *cdiConfigTLSWatcher) updateConfig(config *cdiv1.CDIConfig) {
 }
 
 // SelectCipherSuitesAndMinTLSVersion returns cipher names and minimal TLS version according to the input profile
-func SelectCipherSuitesAndMinTLSVersion(profile *ocpconfigv1.TLSSecurityProfile) ([]string, ocpconfigv1.TLSProtocolVersion) {
+func SelectCipherSuitesAndMinTLSVersion(profile *cdiv1.TLSSecurityProfile) ([]string, cdiv1.TLSProtocolVersion) {
 if profile == nil {
- profile = &ocpconfigv1.TLSSecurityProfile{
- Type: ocpconfigv1.TLSProfileIntermediateType,
- Intermediate: &ocpconfigv1.IntermediateTLSProfile{},
+ profile = &cdiv1.TLSSecurityProfile{
+ Type: cdiv1.TLSProfileIntermediateType,
+ Intermediate: &cdiv1.IntermediateTLSProfile{},
 }
 }
 
@@ -138,14 +137,14 @@ func SelectCipherSuitesAndMinTLSVersion(profile *ocpconfigv1.TLSSecurityProfile)
 return profile.Custom.TLSProfileSpec.Ciphers, profile.Custom.TLSProfileSpec.MinTLSVersion
 }
 
- return ocpconfigv1.TLSProfiles[profile.Type].Ciphers, ocpconfigv1.TLSProfiles[profile.Type].MinTLSVersion
+ return cdiv1.TLSProfiles[profile.Type].Ciphers, cdiv1.TLSProfiles[profile.Type].MinTLSVersion
 }
 
 // DefaultCryptoConfig returns a crypto config with legitimate defaults to start with
 func DefaultCryptoConfig() *CryptoConfig {
- defaultType := ocpconfigv1.TLSProfileIntermediateType
- minTLSVersion, _ := ocpcrypto.TLSVersion(string(ocpconfigv1.TLSProfiles[defaultType].MinTLSVersion))
- ciphers := CipherSuitesIDs(ocpconfigv1.TLSProfiles[defaultType].Ciphers)
+ defaultType := cdiv1.TLSProfileIntermediateType
+ minTLSVersion, _ := ocpcrypto.TLSVersion(string(cdiv1.TLSProfiles[defaultType].MinTLSVersion))
+ ciphers := CipherSuitesIDs(cdiv1.TLSProfiles[defaultType].Ciphers)
 
 return &CryptoConfig{
 CipherSuites: ciphers,
diff --git a/staging/src/kubevirt.io/containerized-data-importer-api/go.mod b/staging/src/kubevirt.io/containerized-data-importer-api/go.mod
index af59430095..801c8baec8 100644
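Review bot: The new return line `cdiv1.TLSProfiles[profile.Type].Ciphers, ...` dereferences the map value without a presence check, and the map introduced in types_tlssecurityprofile.go only has Old, Intermediate and Modern keys while `Type` is marked `+optional` there; a `tlsSecurityProfile: {}` with an empty type, or `type: Custom` without a `custom` block (if the guard above, which begins outside the hunk, only tests `profile.Custom != nil`), would panic on a nil pointer inside the operand. The returned `Ciphers` slice is also the backing array of that package-level map, so a caller that trims entries in place (the `Ciphers` doc tells operators to remove unsupported entries) silently rewrites the defaults for every later caller. I would look the spec up with the comma-ok form, fall back to the same Intermediate default the nil-profile path uses, and return a copy. DefaultCryptoConfig in this hunk does the same unchecked lookup and drops the `ocpcrypto.TLSVersion` error, which is only safe because its key and version are constants taken from the map.
```go
	// … unchanged: nil-profile default and the Custom guard …
	spec, ok := cdiv1.TLSProfiles[profile.Type]
	if !ok || spec == nil {
		// Unknown or empty type: keep the same default the nil-profile path uses.
		spec = cdiv1.TLSProfiles[cdiv1.TLSProfileIntermediateType]
	}
	// Copy so callers cannot mutate the package-level default profile in place.
	return append([]string(nil), spec.Ciphers...), spec.MinTLSVersion
```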
--- a/staging/src/kubevirt.io/containerized-data-importer-api/go.mod +++ b/staging/src/kubevirt.io/containerized-data-importer-api/go.mod @@ -3,7 +3,6 @@ module kubevirt.io/containerized-data-importer-api go 1.21 require ( - github.com/openshift/api v0.0.0-20230406152840-ce21e3fe5da2 k8s.io/api v0.28.3 k8s.io/apimachinery v0.28.3 k8s.io/klog/v2 v2.100.1 diff --git a/staging/src/kubevirt.io/containerized-data-importer-api/go.sum b/staging/src/kubevirt.io/containerized-data-importer-api/go.sum index e0ee726556..bc42c3c80d 100644 --- a/staging/src/kubevirt.io/containerized-data-importer-api/go.sum +++ b/staging/src/kubevirt.io/containerized-data-importer-api/go.sum @@ -116,8 +116,6 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs= -github.com/openshift/api v0.0.0-20230406152840-ce21e3fe5da2 h1:lpKBKpI8or60mSEEKrpS67cevp8XaW8vfmXSwCZXKd0= -github.com/openshift/api v0.0.0-20230406152840-ce21e3fe5da2/go.mod h1:ctXNyWanKEjGj8sss1KjjHQ3ENKFm33FFnS5BKaIPh4= github.com/openshift/custom-resource-status v1.1.2 h1:C3DL44LEbvlbItfd8mT5jWrqPfHnSOQoQf/sypqA6A4= github.com/openshift/custom-resource-status v1.1.2/go.mod h1:DB/Mf2oTeiAmVVX1gN+NEqweonAPY0TKUwADizj8+ZA= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= diff --git a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/BUILD.bazel b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/BUILD.bazel index f4df9d45a5..cf461188a0 100644 --- a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/BUILD.bazel +++ b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/BUILD.bazel 
@@ -9,6 +9,7 @@ go_library( "register.go", "types.go", "types_swagger_generated.go", + "types_tlssecurityprofile.go", "types_transfer.go", "utils.go", "zz_generated.deepcopy.go", @@ -17,7 +18,6 @@ go_library( visibility = ["//visibility:public"], deps = [ "//staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core:go_default_library", - "//vendor/github.com/openshift/api/config/v1:go_default_library", "//vendor/k8s.io/api/authentication/v1:go_default_library", "//vendor/k8s.io/api/authorization/v1:go_default_library", "//vendor/k8s.io/api/core/v1:go_default_library", diff --git a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/types.go b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/types.go index e2c54111bf..09c16bc168 100644 --- a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/types.go +++ b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/types.go @@ -17,7 +17,6 @@ limitations under the License. package v1beta1 import ( - ocpconfigv1 "github.com/openshift/api/config/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" sdkapi "kubevirt.io/controller-lifecycle-operator-sdk/api" @@ -1010,7 +1009,7 @@ type CDIConfigSpec struct { // +optional DataVolumeTTLSeconds *int32 `json:"dataVolumeTTLSeconds,omitempty"` // TLSSecurityProfile is used by operators to apply cluster-wide TLS security settings to operands. - TLSSecurityProfile *ocpconfigv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"` + TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"` // The imagePullSecrets used to pull the container images ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"` // LogVerbosity overrides the default verbosity level used to initialize loggers 
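Review bot: The retyped field `TLSSecurityProfile *TLSSecurityProfile` keeps the JSON shape (same field names and tags in the copied type), but it is a source-incompatible change for Go consumers of the staging module that read or assign the field as `ocpconfigv1.TLSSecurityProfile`, and the field comment gives no hint of this. A one-line addition would help callers migrating, e.g. `// TLSSecurityProfile is used by operators to apply cluster-wide TLS security settings to operands. The type is CDI's own copy of the github.com/openshift/api/config/v1 TLSSecurityProfile schema.` The CRD hunks elsewhere in this change also add `required: [ciphers, minTLSVersion]` under the custom profile, so existing CDIConfig objects with a partial custom block may now fail validation; that appears to be a consequence of the copied `json:"ciphers"` tags without `omitempty` and is worth calling out in the release note.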
diff --git a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/types_tlssecurityprofile.go b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/types_tlssecurityprofile.go new file mode 100644 index 0000000000..5b910bf515 --- /dev/null +++ b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/types_tlssecurityprofile.go 
@@ -0,0 +1,264 @@
+package v1beta1
+
+// following copied from github.com/openshift/api/config/v1
+
+// TLSSecurityProfile defines the schema for a TLS security profile. This object
+// is used by operators to apply TLS security settings to operands.
+// +union
+type TLSSecurityProfile struct {
+ // type is one of Old, Intermediate, Modern or Custom. Custom provides
+ // the ability to specify individual TLS security profile parameters.
+ // Old, Intermediate and Modern are TLS security profiles based on:
+ //
+ // https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
+ //
+ // The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers
+ // are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be
+ // reduced.
+ //
+ // Note that the Modern profile is currently not supported because it is not
+ // yet well adopted by common software libraries.
+ //
+ // +unionDiscriminator
+ // +optional
+ Type TLSProfileType `json:"type"`
+ // old is a TLS security profile based on:
+ //
+ // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+ //
+ // and looks like this (yaml):
+ //
+ // ciphers:
+ // - TLS_AES_128_GCM_SHA256
+ // - TLS_AES_256_GCM_SHA384
+ // - TLS_CHACHA20_POLY1305_SHA256
+ // - ECDHE-ECDSA-AES128-GCM-SHA256
+ // - ECDHE-RSA-AES128-GCM-SHA256
+ // - ECDHE-ECDSA-AES256-GCM-SHA384
+ // - ECDHE-RSA-AES256-GCM-SHA384
+ // - ECDHE-ECDSA-CHACHA20-POLY1305
+ // - ECDHE-RSA-CHACHA20-POLY1305
+ // - DHE-RSA-AES128-GCM-SHA256
+ // - DHE-RSA-AES256-GCM-SHA384
+ // - DHE-RSA-CHACHA20-POLY1305
+ // - ECDHE-ECDSA-AES128-SHA256
+ // - ECDHE-RSA-AES128-SHA256
+ // - ECDHE-ECDSA-AES128-SHA
+ // - ECDHE-RSA-AES128-SHA
+ // - ECDHE-ECDSA-AES256-SHA384
+ // - ECDHE-RSA-AES256-SHA384
+ // - ECDHE-ECDSA-AES256-SHA
+ // - ECDHE-RSA-AES256-SHA
+ // - DHE-RSA-AES128-SHA256
+ // - DHE-RSA-AES256-SHA256
+ // - AES128-GCM-SHA256
+ // - AES256-GCM-SHA384
+ // - AES128-SHA256
+ // - AES256-SHA256
+ // - AES128-SHA
+ // - AES256-SHA
+ // - DES-CBC3-SHA
+ // minTLSVersion: VersionTLS10
+ //
+ // +optional
+ // +nullable
+ Old *OldTLSProfile `json:"old,omitempty"`
+ // intermediate is a TLS security profile based on:
+ //
+ // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
+ //
+ // and looks like this (yaml):
+ //
+ // ciphers:
+ // - TLS_AES_128_GCM_SHA256
+ // - TLS_AES_256_GCM_SHA384
+ // - TLS_CHACHA20_POLY1305_SHA256
+ // - ECDHE-ECDSA-AES128-GCM-SHA256
+ // - ECDHE-RSA-AES128-GCM-SHA256
+ // - ECDHE-ECDSA-AES256-GCM-SHA384
+ // - ECDHE-RSA-AES256-GCM-SHA384
+ // - ECDHE-ECDSA-CHACHA20-POLY1305
+ // - ECDHE-RSA-CHACHA20-POLY1305
+ // - DHE-RSA-AES128-GCM-SHA256
+ // - DHE-RSA-AES256-GCM-SHA384
+ // minTLSVersion: VersionTLS12
+ //
+ // +optional
+ // +nullable
+ Intermediate *IntermediateTLSProfile `json:"intermediate,omitempty"`
+ // modern is a TLS security profile based on:
+ //
+ // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+ //
+ // and looks like this (yaml):
+ //
+ // ciphers:
+ // - TLS_AES_128_GCM_SHA256
+ // - TLS_AES_256_GCM_SHA384
+ // - TLS_CHACHA20_POLY1305_SHA256
+ // minTLSVersion: VersionTLS13
+ //
+ // NOTE: Currently unsupported.
+ //
+ // +optional
+ // +nullable
+ Modern *ModernTLSProfile `json:"modern,omitempty"`
+ // custom is a user-defined TLS security profile. Be extremely careful using a custom
+ // profile as invalid configurations can be catastrophic. An example custom profile
+ // looks like this:
+ //
+ // ciphers:
+ // - ECDHE-ECDSA-CHACHA20-POLY1305
+ // - ECDHE-RSA-CHACHA20-POLY1305
+ // - ECDHE-RSA-AES128-GCM-SHA256
+ // - ECDHE-ECDSA-AES128-GCM-SHA256
+ // minTLSVersion: VersionTLS11
+ //
+ // +optional
+ // +nullable
+ Custom *CustomTLSProfile `json:"custom,omitempty"`
+}
+
+// OldTLSProfile is a TLS security profile based on:
+// https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+type OldTLSProfile struct{}
+
+// IntermediateTLSProfile is a TLS security profile based on:
+// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+type IntermediateTLSProfile struct{}
+
+// ModernTLSProfile is a TLS security profile based on:
+// https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+type ModernTLSProfile struct{}
+
+// CustomTLSProfile is a user-defined TLS security profile. Be extremely careful
+// using a custom TLS profile as invalid configurations can be catastrophic.
+type CustomTLSProfile struct {
+ TLSProfileSpec `json:",inline"`
+}
+
+// TLSProfileType defines a TLS security profile type.
+// +kubebuilder:validation:Enum=Old;Intermediate;Modern;Custom
+type TLSProfileType string
+
+const (
+ // Old is a TLS security profile based on:
+ // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
+ TLSProfileOldType TLSProfileType = "Old"
+ // Intermediate is a TLS security profile based on:
+ // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
+ TLSProfileIntermediateType TLSProfileType = "Intermediate"
+ // Modern is a TLS security profile based on:
+ // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+ TLSProfileModernType TLSProfileType = "Modern"
+ // Custom is a TLS security profile that allows for user-defined parameters.
+ TLSProfileCustomType TLSProfileType = "Custom"
+)
+
+// TLSProfileSpec is the desired behavior of a TLSSecurityProfile.
+type TLSProfileSpec struct {
+ // ciphers is used to specify the cipher algorithms that are negotiated
+ // during the TLS handshake. Operators may remove entries their operands
+ // do not support. For example, to use DES-CBC3-SHA (yaml):
+ //
+ // ciphers:
+ // - DES-CBC3-SHA
+ //
+ Ciphers []string `json:"ciphers"`
+ // minTLSVersion is used to specify the minimal version of the TLS protocol
+ // that is negotiated during the TLS handshake. For example, to use TLS
+ // versions 1.1, 1.2 and 1.3 (yaml):
+ //
+ // minTLSVersion: VersionTLS11
+ //
+ // NOTE: currently the highest minTLSVersion allowed is VersionTLS12
+ //
+ MinTLSVersion TLSProtocolVersion `json:"minTLSVersion"`
+}
+
+// TLSProtocolVersion is a way to specify the protocol version used for TLS connections.
+// Protocol versions are based on the following most common TLS configurations:
+//
+// https://ssl-config.mozilla.org/
+//
+// Note that SSLv3.0 is not a supported protocol version due to well known
+// vulnerabilities such as POODLE: https://en.wikipedia.org/wiki/POODLE
+// +kubebuilder:validation:Enum=VersionTLS10;VersionTLS11;VersionTLS12;VersionTLS13
+type TLSProtocolVersion string
+
+const (
+ // VersionTLSv10 is version 1.0 of the TLS security protocol.
+ VersionTLS10 TLSProtocolVersion = "VersionTLS10"
+ // VersionTLSv11 is version 1.1 of the TLS security protocol.
+ VersionTLS11 TLSProtocolVersion = "VersionTLS11"
+ // VersionTLSv12 is version 1.2 of the TLS security protocol.
+ VersionTLS12 TLSProtocolVersion = "VersionTLS12"
+ // VersionTLSv13 is version 1.3 of the TLS security protocol.
+ VersionTLS13 TLSProtocolVersion = "VersionTLS13"
+)
+
+// TLSProfiles Contains a map of TLSProfileType names to TLSProfileSpec.
+//
+// NOTE: The caller needs to make sure to check that these constants are valid for their binary. Not all
+// entries map to values for all binaries. In the case of ties, the kube-apiserver wins. Do not fail,
+// just be sure to whitelist only and everything will be ok.
+var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
+ TLSProfileOldType: {
+ Ciphers: []string{
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_CHACHA20_POLY1305_SHA256",
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-RSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-AES256-GCM-SHA384",
+ "ECDHE-RSA-AES256-GCM-SHA384",
+ "ECDHE-ECDSA-CHACHA20-POLY1305",
+ "ECDHE-RSA-CHACHA20-POLY1305",
+ "DHE-RSA-AES128-GCM-SHA256",
+ "DHE-RSA-AES256-GCM-SHA384",
+ "DHE-RSA-CHACHA20-POLY1305",
+ "ECDHE-ECDSA-AES128-SHA256",
+ "ECDHE-RSA-AES128-SHA256",
+ "ECDHE-ECDSA-AES128-SHA",
+ "ECDHE-RSA-AES128-SHA",
+ "ECDHE-ECDSA-AES256-SHA384",
+ "ECDHE-RSA-AES256-SHA384",
+ "ECDHE-ECDSA-AES256-SHA",
+ "ECDHE-RSA-AES256-SHA",
+ "DHE-RSA-AES128-SHA256",
+ "DHE-RSA-AES256-SHA256",
+ "AES128-GCM-SHA256",
+ "AES256-GCM-SHA384",
+ "AES128-SHA256",
+ "AES256-SHA256",
+ "AES128-SHA",
+ "AES256-SHA",
+ "DES-CBC3-SHA",
+ },
+ MinTLSVersion: VersionTLS10,
+ },
+ TLSProfileIntermediateType: {
+ Ciphers: []string{
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_CHACHA20_POLY1305_SHA256",
+ "ECDHE-ECDSA-AES128-GCM-SHA256",
+ "ECDHE-RSA-AES128-GCM-SHA256",
+ "ECDHE-ECDSA-AES256-GCM-SHA384",
+ "ECDHE-RSA-AES256-GCM-SHA384",
+ "ECDHE-ECDSA-CHACHA20-POLY1305",
+ "ECDHE-RSA-CHACHA20-POLY1305",
+ "DHE-RSA-AES128-GCM-SHA256",
+ "DHE-RSA-AES256-GCM-SHA384",
+ },
+ MinTLSVersion: VersionTLS12,
+ },
+ TLSProfileModernType: {
+ Ciphers: []string{
+ "TLS_AES_128_GCM_SHA256",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_CHACHA20_POLY1305_SHA256",
+ },
+ MinTLSVersion: VersionTLS13,
+ },
+}
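Review bot: `TLSProfiles` is an exported package-level `var` whose values are `*TLSProfileSpec` pointers, so any consumer that edits a spec's `Ciphers` slice in place (the `Ciphers` doc explicitly invites operators to remove unsupported entries) changes the defaults for every other caller in the process; the comment should state the contract, e.g. `// Callers must treat the returned specs and their Ciphers slices as read-only and copy before modifying.` The doc comments on several identifiers do not start with the name they describe (`VersionTLSv10` for `VersionTLS10`, `Old is` for `TLSProfileOldType`, `TLSProfiles Contains`), which golint/staticcheck flag; they should be aligned with the exact identifiers. Since this is a verbatim copy, the `// following copied from github.com/openshift/api/config/v1` line would be more useful with the upstream revision it was taken from (the go.mod hunk drops `v0.0.0-20230406152840-ce21e3fe5da2`) so future drift can be re-synced. Lastly, the `NOTE: currently the highest minTLSVersion allowed is VersionTLS12` on `MinTLSVersion` is not backed by the enum, which admits `VersionTLS13`; the comment should say where that limit is enforced, or the enum should match it.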
diff --git a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/zz_generated.deepcopy.go b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/zz_generated.deepcopy.go index 30b665b738..012da6aa55 100644 --- a/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/zz_generated.deepcopy.go +++ b/staging/src/kubevirt.io/containerized-data-importer-api/pkg/apis/core/v1beta1/zz_generated.deepcopy.go @@ -22,7 +22,6 @@ limitations under the License. package v1beta1 import ( - configv1 "github.com/openshift/api/config/v1" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" @@ -193,7 +192,7 @@ func (in *CDIConfigSpec) DeepCopyInto(out *CDIConfigSpec) { } if in.TLSSecurityProfile != nil { in, out := &in.TLSSecurityProfile, &out.TLSSecurityProfile - *out = new(configv1.TLSSecurityProfile) + *out = new(TLSSecurityProfile) (*in).DeepCopyInto(*out) } if in.ImagePullSecrets != nil { @@ -456,6 +455,23 @@ func (in *ConditionState) DeepCopy() *ConditionState { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CustomTLSProfile) DeepCopyInto(out *CustomTLSProfile) { + *out = *in + in.TLSProfileSpec.DeepCopyInto(&out.TLSProfileSpec) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomTLSProfile. +func (in *CustomTLSProfile) DeepCopy() *CustomTLSProfile { + if in == nil { + return nil + } + out := new(CustomTLSProfile) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomizeComponents) DeepCopyInto(out *CustomizeComponents) { *out = *in 
@@ -1408,6 +1424,38 @@ func (in *ImportStatus) DeepCopy() *ImportStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *IntermediateTLSProfile) DeepCopyInto(out *IntermediateTLSProfile) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntermediateTLSProfile. +func (in *IntermediateTLSProfile) DeepCopy() *IntermediateTLSProfile { + if in == nil { + return nil + } + out := new(IntermediateTLSProfile) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ModernTLSProfile) DeepCopyInto(out *ModernTLSProfile) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ModernTLSProfile. +func (in *ModernTLSProfile) DeepCopy() *ModernTLSProfile { + if in == nil { + return nil + } + out := new(ModernTLSProfile) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ObjectTransfer) DeepCopyInto(out *ObjectTransfer) { *out = *in 
@@ -1540,6 +1588,22 @@ func (in *ObjectTransferStatus) DeepCopy() *ObjectTransferStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OldTLSProfile) DeepCopyInto(out *OldTLSProfile) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OldTLSProfile. +func (in *OldTLSProfile) DeepCopy() *OldTLSProfile { + if in == nil { + return nil + } + out := new(OldTLSProfile) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StorageProfile) DeepCopyInto(out *StorageProfile) { *out = *in 
@@ -1734,6 +1798,63 @@ func (in *StorageSpec) DeepCopy() *StorageSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSProfileSpec) DeepCopyInto(out *TLSProfileSpec) { + *out = *in + if in.Ciphers != nil { + in, out := &in.Ciphers, &out.Ciphers + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSProfileSpec. +func (in *TLSProfileSpec) DeepCopy() *TLSProfileSpec { + if in == nil { + return nil + } + out := new(TLSProfileSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSSecurityProfile) DeepCopyInto(out *TLSSecurityProfile) { + *out = *in + if in.Old != nil { + in, out := &in.Old, &out.Old + *out = new(OldTLSProfile) + **out = **in + } + if in.Intermediate != nil { + in, out := &in.Intermediate, &out.Intermediate + *out = new(IntermediateTLSProfile) + **out = **in + } + if in.Modern != nil { + in, out := &in.Modern, &out.Modern + *out = new(ModernTLSProfile) + **out = **in + } + if in.Custom != nil { + in, out := &in.Custom, &out.Custom + *out = new(CustomTLSProfile) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSecurityProfile. +func (in *TLSSecurityProfile) DeepCopy() *TLSSecurityProfile { + if in == nil { + return nil + } + out := new(TLSSecurityProfile) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TransferSource) DeepCopyInto(out *TransferSource) { *out = *in