TLS server options

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.1
 	github.com/hashicorp/go-hclog v0.9.2
+	github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1
 	github.com/hashicorp/vault/sdk v0.1.14-0.20191205220236-47cffd09f972
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/kr/text v0.2.0

go.sum

@@ -239,7 +239,14 @@ github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHh
 github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 h1:78ki3QBevHwYrVxnyVeaEz+7WtifHhauYF23es/0KlI=
+github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 h1:nd0HIW15E6FG1MsnArYaHfuw9C2zgzM8LxkG5Ty/788=
+github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
+github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1 h1:Yc026VyMyIpq1UWRnakHRG01U8fJm+nEfEmjoAb00n8=
+github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
+github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
 github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
@@ -334,6 +341,8 @@ github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS4
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc=

subcommand/injector/command.go

@@ -16,6 +16,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-secure-stdlib/tlsutil"
 	agentInject "github.com/hashicorp/vault-k8s/agent-inject"
 	"github.com/hashicorp/vault-k8s/helper/cert"
 	"github.com/hashicorp/vault-k8s/leader"
@@ -36,32 +37,35 @@ import (
 type Command struct {
 	UI cli.Ui
 
-	flagListen                     string // Address of Vault Server
-	flagLogLevel                   string // Log verbosity
-	flagLogFormat                  string // Log format
-	flagCertFile                   string // TLS Certificate to serve
-	flagKeyFile                    string // TLS private key to serve
-	flagExitOnRetryFailure         bool   // Set template_config.exit_on_retry_failure on agent
-	flagStaticSecretRenderInterval string // Set template_config.static_secret_render_interval on agent
-	flagAutoName                   string // MutatingWebhookConfiguration for updating
-	flagAutoHosts                  string // SANs for the auto-generated TLS cert.
-	flagVaultService               string // Name of the Vault service
-	flagProxyAddress               string // HTTP proxy address used to talk to the Vault service
-	flagVaultImage                 string // Name of the Vault Image to use
-	flagVaultAuthType              string // Type of Vault Auth Method to use
-	flagVaultAuthPath              string // Mount path of the Vault Auth Method
-	flagRevokeOnShutdown           bool   // Revoke Vault Token on pod shutdown
-	flagRunAsUser                  string // User (uid) to run Vault agent as
-	flagRunAsGroup                 string // Group (gid) to run Vault agent as
-	flagRunAsSameUser              bool   // Run Vault agent as the User (uid) of the first application container
-	flagSetSecurityContext         bool   // Set SecurityContext in injected containers
-	flagTelemetryPath              string // Path under which to expose metrics
-	flagUseLeaderElector           bool   // Use leader elector code
-	flagDefaultTemplate            string // Toggles which default template to use
-	flagResourceRequestCPU         string // Set CPU request in the injected containers
-	flagResourceRequestMem         string // Set Memory request in the injected containers
-	flagResourceLimitCPU           string // Set CPU limit in the injected containers
-	flagResourceLimitMem           string // Set Memory limit in the injected containers
+	flagListen                      string // Address of Vault Server
+	flagLogLevel                    string // Log verbosity
+	flagLogFormat                   string // Log format
+	flagCertFile                    string // TLS Certificate to serve
+	flagKeyFile                     string // TLS private key to serve
+	flagExitOnRetryFailure          bool   // Set template_config.exit_on_retry_failure on agent
+	flagStaticSecretRenderInterval  string // Set template_config.static_secret_render_interval on agent
+	flagAutoName                    string // MutatingWebhookConfiguration for updating
+	flagAutoHosts                   string // SANs for the auto-generated TLS cert.
+	flagVaultService                string // Name of the Vault service
+	flagProxyAddress                string // HTTP proxy address used to talk to the Vault service
+	flagVaultImage                  string // Name of the Vault Image to use
+	flagVaultAuthType               string // Type of Vault Auth Method to use
+	flagVaultAuthPath               string // Mount path of the Vault Auth Method
+	flagRevokeOnShutdown            bool   // Revoke Vault Token on pod shutdown
+	flagRunAsUser                   string // User (uid) to run Vault agent as
+	flagRunAsGroup                  string // Group (gid) to run Vault agent as
+	flagRunAsSameUser               bool   // Run Vault agent as the User (uid) of the first application container
+	flagSetSecurityContext          bool   // Set SecurityContext in injected containers
+	flagTelemetryPath               string // Path under which to expose metrics
+	flagUseLeaderElector            bool   // Use leader elector code
+	flagDefaultTemplate             string // Toggles which default template to use
+	flagResourceRequestCPU          string // Set CPU request in the injected containers
+	flagResourceRequestMem          string // Set Memory request in the injected containers
+	flagResourceLimitCPU            string // Set CPU limit in the injected containers
+	flagResourceLimitMem            string // Set Memory limit in the injected containers
+	flagTLSMinVersion               string // Minimum TLS version supported by the webhook server
+	flagTLSCipherSuites             string // Comma-separated list of supported cipher suites
+	flagTLSPreferServerCipherSuites bool   // Prefer this server's cipher suites over the client cipher suites
 
 	flagSet *flag.FlagSet
 
@@ -120,7 +124,8 @@ func (c *Command) Run(args []string) int {
 	logger := hclog.New(&hclog.LoggerOptions{
 		Name:       "handler",
 		Level:      level,
-		JSONFormat: (c.flagLogFormat == "json")})
+		JSONFormat: (c.flagLogFormat == "json"),
+	})
 
 	namespace := getNamespace()
 	var secrets informerv1.SecretInformer
@@ -206,11 +211,28 @@ func (c *Command) Run(args []string) int {
 	}
 
 	var handler http.Handler = mux
+	minTLSVersion, ok := tlsutil.TLSLookup[c.flagTLSMinVersion]
+	if !ok {
+		c.UI.Error(fmt.Sprintf("Failed to parse minimum TLS version %q", c.flagTLSMinVersion))
+		return 1
+	}
+	ciphers, err := tlsutil.ParseCiphers(c.flagTLSCipherSuites)
+	if err != nil {
+		c.UI.Error(fmt.Sprintf("Failed to parse TLS cipher suites list %q: %s", c.flagTLSCipherSuites, err))
+		return 1
+	}
 	server := &http.Server{
-		Addr:      c.flagListen,
-		Handler:   handler,
-		TLSConfig: &tls.Config{GetCertificate: c.getCertificate},
-		ErrorLog:  logger.StandardLogger(&hclog.StandardLoggerOptions{ForceLevel: hclog.Error}),
+		Addr:    c.flagListen,
+		Handler: handler,
+		TLSConfig: &tls.Config{
+			GetCertificate:           c.getCertificate,
+			MinVersion:               minTLSVersion,
+			PreferServerCipherSuites: c.flagTLSPreferServerCipherSuites,
+		},
+		ErrorLog: logger.StandardLogger(&hclog.StandardLoggerOptions{ForceLevel: hclog.Error}),
+	}
+	if len(ciphers) > 0 {
+		server.TLSConfig.CipherSuites = ciphers
 	}
 
 	trap := make(chan os.Signal, 1)
@@ -369,8 +391,10 @@ func (c *Command) Help() string {
 	return c.help
 }
 
-const synopsis = "Vault Agent injector service"
-const help = `
+const (
+	synopsis = "Vault Agent injector service"
+	help     = `
 Usage: vault-k8s agent-inject [options]
   Run the Admission Webhook server for injecting Vault Agent containers into pods.
 `
+)

subcommand/injector/flags.go

@@ -13,8 +13,10 @@ import (
 )
 
 const (
-	DefaultLogLevel  = "info"
-	DefaultLogFormat = "standard"
+	DefaultLogLevel                    = "info"
+	DefaultLogFormat                   = "standard"
+	defaultTLSMinVersion               = "tls12"
+	defaultTLSPreferServerCipherSuites = true
 )
 
 // Specification are the supported environment variables, prefixed with
@@ -100,6 +102,15 @@ type Specification struct {
 
 	// ResourceLimitMem is the AGENT_INJECT_MEM_LIMIT environment variable.
 	ResourceLimitMem string `envconfig:"AGENT_INJECT_MEM_LIMIT"`
+
+	// TLSMinVersion is the AGENT_INJECT_TLS_MIN_VERSION environment variable
+	TLSMinVersion string `envconfig:"tls_min_version"`
+
+	// TLSCipherSuites is the AGENT_INJECT_TLS_CIPHER_SUITES environment variable
+	TLSCipherSuites string `envconfig:"tls_cipher_suites"`
+
+	// TLSPreferServerCipherSuites is the AGENT_INJECT_TLS_PREFER_SERVER_CIPHER_SUITES environment variable
+	TLSPreferServerCipherSuites string `envconfig:"tls_prefer_server_cipher_suites"`
 }
 
 func (c *Command) init() {
@@ -160,6 +171,13 @@ func (c *Command) init() {
 	c.flagSet.StringVar(&c.flagResourceLimitMem, "memory-limit", agent.DefaultResourceLimitMem,
 		fmt.Sprintf("Memory resource limit set in injected containers. Defaults to %s", agent.DefaultResourceLimitMem))
 
+	c.flagSet.StringVar(&c.flagTLSMinVersion, "tls-min-version", defaultTLSMinVersion,
+		fmt.Sprintf(`Minimum supported version of TLS. Defaults to %s. Accepted values are "tls10", "tls11", "tls12" or "tls13"`, defaultTLSMinVersion))
+	c.flagSet.StringVar(&c.flagTLSCipherSuites, "tls-cipher-suites", "",
+		"Comma-separated list of supported cipher suites")
+	c.flagSet.BoolVar(&c.flagTLSPreferServerCipherSuites, "tls-prefer-server-cipher-suites", defaultTLSPreferServerCipherSuites,
+		fmt.Sprintf("Prefer the server's cipher suites over the client cipher suites. Defaults to %v", defaultTLSPreferServerCipherSuites))
+
 	c.help = flags.Usage(help, c.flagSet)
 }
 
@@ -311,5 +329,20 @@ func (c *Command) parseEnvs() error {
 		c.flagResourceLimitMem = envs.ResourceLimitMem
 	}
 
+	if envs.TLSMinVersion != "" {
+		c.flagTLSMinVersion = envs.TLSMinVersion
+	}
+
+	if envs.TLSCipherSuites != "" {
+		c.flagTLSCipherSuites = envs.TLSCipherSuites
+	}
+
+	if envs.TLSPreferServerCipherSuites != "" {
+		c.flagTLSPreferServerCipherSuites, err = strconv.ParseBool(envs.TLSPreferServerCipherSuites)
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }

subcommand/injector/flags_test.go

@@ -131,6 +131,8 @@ func TestCommandEnvs(t *testing.T) {
 		{env: "AGENT_INJECT_CPU_LIMIT", value: "1000m", cmdPtr: &cmd.flagResourceLimitCPU},
 		{env: "AGENT_INJECT_MEM_LIMIT", value: "256m", cmdPtr: &cmd.flagResourceLimitMem},
 		{env: "AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL", value: "12s", cmdPtr: &cmd.flagStaticSecretRenderInterval},
+		{env: "AGENT_INJECT_TLS_MIN_VERSION", value: "tls13", cmdPtr: &cmd.flagTLSMinVersion},
+		{env: "AGENT_INJECT_TLS_CIPHER_SUITES", value: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", cmdPtr: &cmd.flagTLSCipherSuites},
 	}
 
 	for _, tt := range tests {
@@ -168,6 +170,8 @@ func TestCommandEnvBools(t *testing.T) {
 		{env: "AGENT_INJECT_USE_LEADER_ELECTOR", value: false, cmdPtr: &cmd.flagUseLeaderElector},
 		{env: "AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE", value: true, cmdPtr: &cmd.flagExitOnRetryFailure},
 		{env: "AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE", value: false, cmdPtr: &cmd.flagExitOnRetryFailure},
+		{env: "AGENT_INJECT_TLS_PREFER_SERVER_CIPHER_SUITES", value: true, cmdPtr: &cmd.flagTLSPreferServerCipherSuites},
+		{env: "AGENT_INJECT_TLS_PREFER_SERVER_CIPHER_SUITES", value: false, cmdPtr: &cmd.flagTLSPreferServerCipherSuites},
 	}
 
 	for _, tt := range tests {