Merge pull request #638 from lilic/ciphers

Bug 1991068: Allow only supported cipher suites
openshift · Aug 11, 2021 · 0cfcb37 · 0cfcb37
2 parents c2226ad + cae3a7f
commit 0cfcb37
Show file tree

Hide file tree

Showing 2,282 changed files with 191,516 additions and 128,172 deletions.
diff --git a/go.mod b/go.mod
@@ -8,38 +8,38 @@ require (
 	github.com/go-bindata/go-bindata v3.1.2+incompatible
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.1.2
-	github.com/grpc-ecosystem/grpc-gateway v1.14.6 // indirect
-	github.com/openshift/api v0.0.0-20210521075222-e273a339932a
-	github.com/openshift/build-machinery-go v0.0.0-20210423112049-9415d7ebd33e
-	github.com/openshift/client-go v0.0.0-20210521082421-73d9475a9142
-	github.com/openshift/library-go v0.0.0-20210624101008-7aab941b4a2b
+	github.com/openshift/api v0.0.0-20210730095913-85e1d547cdee
+	github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37
+	github.com/openshift/client-go v0.0.0-20210730113412-1811c1b3fc0e
+	github.com/openshift/library-go v0.0.0-20210804150119-965974e0af3f
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.7.1
-	github.com/prometheus/common v0.10.0
-	github.com/spf13/cobra v1.1.3
+	github.com/prometheus/client_golang v1.11.0
+	github.com/prometheus/common v0.26.0
+	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
 	github.com/vishvananda/netlink v1.0.0
 	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect
-	go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489
+	go.etcd.io/etcd/api/v3 v3.5.0
+	go.etcd.io/etcd/client/pkg/v3 v3.5.0
+	go.etcd.io/etcd/client/v3 v3.5.0
+	go.etcd.io/etcd/tests/v3 v3.5.0
 	go.uber.org/zap v1.17.0
-	golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073
-	google.golang.org/grpc v1.29.1
+	golang.org/x/sys v0.0.0-20210616094352-59db8d763f22
+	google.golang.org/grpc v1.38.0
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
-	k8s.io/api v0.21.1
-	k8s.io/apiextensions-apiserver v0.21.1
-	k8s.io/apimachinery v0.21.1
-	k8s.io/apiserver v0.21.1
-	k8s.io/client-go v0.21.1
-	k8s.io/component-base v0.21.1
+	k8s.io/api v0.22.0
+	k8s.io/apiextensions-apiserver v0.22.0
+	k8s.io/apimachinery v0.22.0
+	k8s.io/apiserver v0.22.0
+	k8s.io/client-go v0.22.0
+	k8s.io/component-base v0.22.0
 	k8s.io/cri-api v0.21.0
-	k8s.io/klog/v2 v2.8.0
-	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
+	k8s.io/klog/v2 v2.9.0
+	k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9
 )
 
 replace (
 	github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
-	// points to temporary-watch-reduction-patch-1.21 to pick up k/k/pull/101102 - please remove it once the pr merges and a new Z release is cut
-	k8s.io/apiserver => github.com/openshift/kubernetes-apiserver v0.0.0-20210419140141-620426e63a99
 	vbom.ml/util => github.com/fvbommel/util v0.0.0-20180919145318-efcd4e0f9787
 )
diff --git a/go.sum b/go.sum
diff --git a/pkg/cmd/backuprestore/etcdclientutils.go b/pkg/cmd/backuprestore/etcdclientutils.go
@@ -3,14 +3,14 @@ package backuprestore
 import (
 	"context"
 	"fmt"
-	"google.golang.org/grpc"
 	"io"
-	"k8s.io/klog/v2"
 	"os"
 	"time"
 
-	"go.etcd.io/etcd/clientv3"
-	"go.etcd.io/etcd/pkg/transport"
+	"go.etcd.io/etcd/client/pkg/v3/transport"
+	clientv3 "go.etcd.io/etcd/client/v3"
+	"google.golang.org/grpc"
+	"k8s.io/klog/v2"
 )
 
 func getEtcdClient(endpoints []string) (*clientv3.Client, error) {

diff --git a/pkg/cmd/monitor/health/health.go b/pkg/cmd/monitor/health/health.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"time"
 
-	"go.etcd.io/etcd/clientv3"
+	clientv3 "go.etcd.io/etcd/client/v3"
 	"go.uber.org/zap"
 	"google.golang.org/grpc/connectivity"
 )

diff --git a/pkg/cmd/monitor/monitor.go b/pkg/cmd/monitor/monitor.go
@@ -12,17 +12,18 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/openshift/cluster-etcd-operator/pkg/cmd/monitor/health"
 	"github.com/openshift/library-go/pkg/serviceability"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"go.etcd.io/etcd/clientv3"
-	"go.etcd.io/etcd/pkg/transport"
+	"go.etcd.io/etcd/client/pkg/v3/transport"
+	clientv3 "go.etcd.io/etcd/client/v3"
 	"go.uber.org/zap"
 	"google.golang.org/grpc"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"
+
+	"github.com/openshift/cluster-etcd-operator/pkg/cmd/monitor/health"
 )
 
 const (

diff --git a/pkg/cmd/monitor/monitor_test.go b/pkg/cmd/monitor/monitor_test.go
@@ -10,11 +10,12 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/require"
+	"go.etcd.io/etcd/client/pkg/v3/transport"
+	"go.etcd.io/etcd/tests/v3/integration"
+
 	"github.com/openshift/cluster-etcd-operator/pkg/cmd/monitor/health"
 	u "github.com/openshift/cluster-etcd-operator/pkg/testutils"
-	"github.com/stretchr/testify/require"
-	"go.etcd.io/etcd/integration"
-	"go.etcd.io/etcd/pkg/transport"
 )
 
 var (
@@ -80,6 +81,7 @@ func newTestData(t *testing.T, testDuration time.Duration, pauseServer, resumeSe
 
 func createAndStartEtcdTestServer(t *testing.T, size int) (*integration.ClusterV3, string) {
 	srvTLS := testTLSInfo
+	integration.BeforeTest(t)
 	etcd := integration.NewClusterV3(t, &integration.ClusterConfig{Size: size, ClientTLS: &srvTLS})
 	targets := fmt.Sprintf("%s,%s,%s", etcd.Members[0].GRPCAddr(), etcd.Members[1].GRPCAddr(), etcd.Members[2].GRPCAddr())
 

diff --git a/pkg/cmd/render/env.go b/pkg/cmd/render/env.go
@@ -6,6 +6,7 @@ import (
 
 	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/cluster-etcd-operator/pkg/etcdenvvar"
+	"github.com/openshift/cluster-etcd-operator/pkg/tlshelpers"
 	"github.com/openshift/library-go/pkg/crypto"
 )
 
@@ -105,6 +106,8 @@ func getTLSCipherSuites(platform, arch string) (map[string]string, error) {
 	if len(cipherSuites) == 0 {
 		return nil, fmt.Errorf("no valid TLS ciphers found")
 	}
+	// Remove invalid ciphers.
+	cipherSuites = tlshelpers.SupportedEtcdCiphers(cipherSuites)
 	return map[string]string{
 		"ETCD_CIPHER_SUITES": strings.Join(cipherSuites, ","),
 	}, nil

diff --git a/pkg/etcdcli/etcdcli.go b/pkg/etcdcli/etcdcli.go
@@ -12,13 +12,11 @@ import (
 
 	configv1informers "github.com/openshift/client-go/config/informers/externalversions/config/v1"
 	configv1listers "github.com/openshift/client-go/config/listers/config/v1"
-	"github.com/openshift/cluster-etcd-operator/pkg/dnshelpers"
-	"github.com/openshift/cluster-etcd-operator/pkg/operator/operatorclient"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
-	"go.etcd.io/etcd/clientv3"
-	"go.etcd.io/etcd/etcdserver/etcdserverpb"
-	"go.etcd.io/etcd/pkg/transport"
+	"go.etcd.io/etcd/api/v3/etcdserverpb"
+	"go.etcd.io/etcd/client/pkg/v3/transport"
+	clientv3 "go.etcd.io/etcd/client/v3"
 	"google.golang.org/grpc"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
@@ -27,6 +25,9 @@ import (
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/klog/v2"
+
+	"github.com/openshift/cluster-etcd-operator/pkg/dnshelpers"
+	"github.com/openshift/cluster-etcd-operator/pkg/operator/operatorclient"
 )
 
 const (

diff --git a/pkg/etcdcli/health.go b/pkg/etcdcli/health.go
@@ -8,7 +8,7 @@ import (
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
-	"go.etcd.io/etcd/etcdserver/etcdserverpb"
+	"go.etcd.io/etcd/api/v3/etcdserverpb"
 	"k8s.io/component-base/metrics/legacyregistry"
 	klog "k8s.io/klog/v2"
 )

diff --git a/pkg/etcdcli/health_test.go b/pkg/etcdcli/health_test.go
@@ -5,7 +5,7 @@ import (
 	"reflect"
 	"testing"
 
-	"go.etcd.io/etcd/etcdserver/etcdserverpb"
+	"go.etcd.io/etcd/api/v3/etcdserverpb"
 )
 
 func TestMemberHealthStatus(t *testing.T) {

diff --git a/pkg/etcdcli/helpers.go b/pkg/etcdcli/helpers.go
@@ -4,8 +4,8 @@ import (
 	"context"
 	"fmt"
 
-	"go.etcd.io/etcd/clientv3"
-	"go.etcd.io/etcd/etcdserver/etcdserverpb"
+	"go.etcd.io/etcd/api/v3/etcdserverpb"
+	clientv3 "go.etcd.io/etcd/client/v3"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )

diff --git a/pkg/etcdcli/interfaces.go b/pkg/etcdcli/interfaces.go
@@ -3,8 +3,8 @@ package etcdcli
 import (
 	"context"
 
-	"go.etcd.io/etcd/clientv3"
-	"go.etcd.io/etcd/etcdserver/etcdserverpb"
+	"go.etcd.io/etcd/api/v3/etcdserverpb"
+	clientv3 "go.etcd.io/etcd/client/v3"
 )
 
 const (

diff --git a/pkg/etcdenvvar/etcd_env.go b/pkg/etcdenvvar/etcd_env.go
@@ -9,10 +9,12 @@ import (
 	"github.com/ghodss/yaml"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	configv1listers "github.com/openshift/client-go/config/listers/config/v1"
-	"github.com/openshift/cluster-etcd-operator/pkg/dnshelpers"
-	"github.com/openshift/cluster-etcd-operator/pkg/operator/operatorclient"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	corev1listers "k8s.io/client-go/listers/core/v1"
+
+	"github.com/openshift/cluster-etcd-operator/pkg/dnshelpers"
+	"github.com/openshift/cluster-etcd-operator/pkg/operator/operatorclient"
+	"github.com/openshift/cluster-etcd-operator/pkg/tlshelpers"
 )
 
 type envVarContext struct {
@@ -276,11 +278,13 @@ func getCipherSuites(envVarContext envVarContext) (map[string]string, error) {
 		return nil, fmt.Errorf("couldn't get cipherSuites from observedConfig: %w", err)
 	}
 
-	if len(observedCipherSuites) == 0 {
-		return nil, fmt.Errorf("cipherSuites not found in observedConfig")
+	actualCipherSuites := tlshelpers.SupportedEtcdCiphers(observedCipherSuites)
+
+	if len(actualCipherSuites) == 0 {
+		return nil, fmt.Errorf("no supported cipherSuites not found in observedConfig")
 	}
 
 	return map[string]string{
-		"ETCD_CIPHER_SUITES": strings.Join(observedCipherSuites, ","),
+		"ETCD_CIPHER_SUITES": strings.Join(actualCipherSuites, ","),
 	}, nil
 }
diff --git a/pkg/operator/clustermembercontroller/clustermembercontroller_test.go b/pkg/operator/clustermembercontroller/clustermembercontroller_test.go
@@ -3,18 +3,17 @@ package clustermembercontroller
 import (
 	"context"
 	"reflect"
+	"testing"
 
-	"github.com/openshift/cluster-etcd-operator/pkg/etcdcli"
-	"go.etcd.io/etcd/etcdserver/etcdserverpb"
+	"go.etcd.io/etcd/api/v3/etcdserverpb"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/kubernetes"
-
-	"testing"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/fake"
 	corev1lister "k8s.io/client-go/listers/core/v1"
+
+	"github.com/openshift/cluster-etcd-operator/pkg/etcdcli"
 )
 
 type fakePodLister struct {

diff --git a/pkg/operator/defragcontroller/defragcontroller.go b/pkg/operator/defragcontroller/defragcontroller.go
@@ -9,15 +9,16 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	configv1listers "github.com/openshift/client-go/config/listers/config/v1"
-	"github.com/openshift/cluster-etcd-operator/pkg/etcdcli"
-	"github.com/openshift/cluster-etcd-operator/pkg/operator/ceohelpers"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
-	"go.etcd.io/etcd/clientv3"
-	"go.etcd.io/etcd/etcdserver/etcdserverpb"
+	"go.etcd.io/etcd/api/v3/etcdserverpb"
+	clientv3 "go.etcd.io/etcd/client/v3"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/klog/v2"
+
+	"github.com/openshift/cluster-etcd-operator/pkg/etcdcli"
+	"github.com/openshift/cluster-etcd-operator/pkg/operator/ceohelpers"
 )
 
 const (

diff --git a/pkg/operator/defragcontroller/defragcontroller_test.go b/pkg/operator/defragcontroller/defragcontroller_test.go
@@ -3,25 +3,26 @@ package defragcontroller
 import (
 	"context"
 	"fmt"
-	"go.etcd.io/etcd/etcdserver/etcdserverpb"
 	"regexp"
 	"strings"
 	"testing"
 
 	configv1 "github.com/openshift/api/config/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	configv1listers "github.com/openshift/client-go/config/listers/config/v1"
-	"github.com/openshift/cluster-etcd-operator/pkg/etcdcli"
-	u "github.com/openshift/cluster-etcd-operator/pkg/testutils"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 	"github.com/stretchr/testify/require"
-	"go.etcd.io/etcd/clientv3"
-	"go.etcd.io/etcd/integration"
-	"go.etcd.io/etcd/pkg/transport"
+	"go.etcd.io/etcd/api/v3/etcdserverpb"
+	"go.etcd.io/etcd/client/pkg/v3/transport"
+	clientv3 "go.etcd.io/etcd/client/v3"
+	"go.etcd.io/etcd/tests/v3/integration"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/tools/cache"
+
+	"github.com/openshift/cluster-etcd-operator/pkg/etcdcli"
+	u "github.com/openshift/cluster-etcd-operator/pkg/testutils"
 )
 
 var (
@@ -122,6 +123,7 @@ func TestNewDefragController(t *testing.T) {
 	}
 	for _, scenario := range scenarios {
 		t.Run(scenario.name, func(t *testing.T) {
+			integration.BeforeTest(t)
 			// use integration etcd to create etcd members and status
 			testServer := integration.NewClusterV3(t, &integration.ClusterConfig{Size: scenario.clusterSize})
 			defer testServer.Terminate(t)

diff --git a/pkg/operator/etcdendpointscontroller/etcdendpointscontroller_test.go b/pkg/operator/etcdendpointscontroller/etcdendpointscontroller_test.go
@@ -5,8 +5,8 @@ import (
 	"testing"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
-	"go.etcd.io/etcd/etcdserver/etcdserverpb"
-	"go.etcd.io/etcd/pkg/mock/mockserver"
+	"go.etcd.io/etcd/api/v3/etcdserverpb"
+	"go.etcd.io/etcd/client/v3/mock/mockserver"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/runtime"

diff --git a/pkg/testutils/testutils.go b/pkg/testutils/testutils.go
@@ -3,16 +3,18 @@ package testutils
 import (
 	"encoding/base64"
 	"fmt"
+	"path/filepath"
+
 	configv1 "github.com/openshift/api/config/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
-	"github.com/openshift/cluster-etcd-operator/pkg/etcdcli"
-	"github.com/openshift/cluster-etcd-operator/pkg/operator/operatorclient"
-	"go.etcd.io/etcd/etcdserver/etcdserverpb"
-	"go.etcd.io/etcd/pkg/mock/mockserver"
+	"go.etcd.io/etcd/api/v3/etcdserverpb"
+	"go.etcd.io/etcd/client/v3/mock/mockserver"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/uuid"
-	"path/filepath"
+
+	"github.com/openshift/cluster-etcd-operator/pkg/etcdcli"
+	"github.com/openshift/cluster-etcd-operator/pkg/operator/operatorclient"
 )
 
 func MustAbsPath(path string) string {

diff --git a/pkg/tlshelpers/tlshelpers.go b/pkg/tlshelpers/tlshelpers.go
@@ -10,7 +10,9 @@ import (
 	"time"
 
 	"github.com/openshift/library-go/pkg/crypto"
+	"go.etcd.io/etcd/client/pkg/v3/tlsutil"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/klog/v2"
 )
 
 const (
@@ -132,3 +134,18 @@ func getCommonNameFromOrg(org string) (string, error) {
 	}
 	return "", errors.New("unable to recognise secret name")
 }
+
+func SupportedEtcdCiphers(cipherSuites []string) []string {
+	allowedCiphers := []string{}
+	for _, cipher := range cipherSuites {
+		_, ok := tlsutil.GetCipherSuite(cipher)
+		if !ok {
+			// skip and log unsupported ciphers
+			klog.Warningf("cipher is not supported for use with etcd, skipping: %q", cipher)
+			continue
+		}
+		allowedCiphers = append(allowedCiphers, cipher)
+	}
+	return allowedCiphers
+
+}