From e03f712b8d9bdf88b947e5c4d423caadb0e80c7d Mon Sep 17 00:00:00 2001
From: Christophe Jauffret
Date: Fri, 31 May 2024 16:53:52 +0200
Subject: [PATCH] force ccm cipher-suites to fix sweet32 CVE (#439)
---
 templates/ccm/nutanix-ccm.yaml | 1 +
 templates/cluster-template-csi.yaml | 1 +
 templates/cluster-template.yaml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/templates/ccm/nutanix-ccm.yaml b/templates/ccm/nutanix-ccm.yaml
index 57e025a0b8..fc92ec6f8b 100644
--- a/templates/ccm/nutanix-ccm.yaml
+++ b/templates/ccm/nutanix-ccm.yaml
@@ -197,6 +197,7 @@ spec:
 args:
 - "--leader-elect=true"
 - "--cloud-config=/etc/cloud/nutanix_config.json"
+ - "--tls-cipher-suites=${TLS_CIPHER_SUITES=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}"
 resources:
 requests:
 cpu: 100m
diff --git a/templates/cluster-template-csi.yaml b/templates/cluster-template-csi.yaml
index 0cf150f9f2..427abe4f17 100644
--- a/templates/cluster-template-csi.yaml
+++ b/templates/cluster-template-csi.yaml
@@ -208,6 +208,7 @@ data:
 args:
 - "--leader-elect=true"
 - "--cloud-config=/etc/cloud/nutanix_config.json"
+ - "--tls-cipher-suites=${TLS_CIPHER_SUITES=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}"
 resources:
 requests:
 cpu: 100m
diff --git a/templates/cluster-template.yaml b/templates/cluster-template.yaml
index 4f58bb6423..f520e23149 100644
--- a/templates/cluster-template.yaml
+++ b/templates/cluster-template.yaml
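Review bot: The added `--tls-cipher-suites` entry is the only TLS setting in the visible `args` list of templates/ccm/nutanix-ccm.yaml, so the minimum protocol version is still left to the component default and nothing in the template says why the list is pinned. I would add `- "--tls-min-version=VersionTLS12"` next to it, plus a comment above the argument such as `# AEAD-only list; excludes the 64-bit-block (3DES) suites affected by Sweet32`. Because the value is `${TLS_CIPHER_SUITES=...}`, an operator-supplied override replaces the whole list and can bring a weak suite back, so the comment should also say that any override must stay free of 3DES/CBC suites. The same applies to the identical lines in templates/cluster-template-csi.yaml and templates/cluster-template.yaml; there the manifest sits under `data:`, presumably embedded in another resource, so confirm a comment survives however those files are produced. The container spec continues outside the hunk.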
@@ -208,6 +208,7 @@ data:
 args:
 - "--leader-elect=true"
 - "--cloud-config=/etc/cloud/nutanix_config.json"
+ - "--tls-cipher-suites=${TLS_CIPHER_SUITES=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}"
 resources:
 requests:
 cpu: 100m