C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Add etcd tls cipher suites (#7001)

Browse source 
* Add etcd tls cipher suites

* yamllint
This commit is contained in:
Samuel Liu 2020-12-08 10:13:10 +08:00 committed by GitHub
parent a69f2b09da
commit cd7212453e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 40 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
roles/etcd/defaults/main.yml
View file

@ -65,3 +65,30 @@ etcd_peer_client_auth: true
# Number of loop retries
etcd_retries: 4
## Support tls cipher suites.
# etcd_tls_cipher_suites: {}
# - TLS_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

4
roles/etcd/templates/etcd-events.env.j2
View file

@ -31,6 +31,10 @@ ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}
{% if etcd_tls_cipher_suites is defined %}
ETCD_CIPHER_SUITES: {% for tls in etcd_tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
{% endif %}
{% for key, value in etcd_extra_vars.items() %}
{{ key }}={{ value }}
{% endfor %}

4
roles/etcd/templates/etcd.env.j2
View file

@ -40,6 +40,10 @@ ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
ETCD_PEER_CLIENT_CERT_AUTH={{ etcd_peer_client_auth }}
{% if etcd_tls_cipher_suites is defined %}
ETCD_CIPHER_SUITES: {% for tls in etcd_tls_cipher_suites %}{{ tls }}{{ "," if not loop.last else "" }}{% endfor %}
{% endif %}
{% for key, value in etcd_extra_vars.items() %}
{{ key }}={{ value }}
{% endfor %}

5
tests/files/packet_centos7-flannel-containerd-addons-ha.yml
View file

@ -33,3 +33,8 @@ kube_oidc_client_id: kubespray-example
tls_min_version: "VersionTLS12"
tls_cipher_suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# test etcd tls cipher suites
etcd_tls_cipher_suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384