Add TLS configuration support for machineset controller webhooks

Introduce command-line flags for TLS cipher suites and minimum version in the machineset controller. Update the container creation logic to utilize these TLS settings

Author: RadekManak

cmd/machineset/main.go

@@ -17,6 +17,7 @@ limitations under the License.
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"log"
@@ -29,6 +30,7 @@ import (
 	osconfigv1 "github.com/openshift/api/config/v1"
 	apifeatures "github.com/openshift/api/features"
 	machinev1 "github.com/openshift/api/machine/v1beta1"
+	utiltls "github.com/openshift/controller-runtime-common/pkg/tls"
 	mapiwebhooks "github.com/openshift/machine-api-operator/pkg/webhooks"
 
 	"k8s.io/apiserver/pkg/util/feature"
@@ -85,6 +87,12 @@ func main() {
 	webhookCertdir := flag.String("webhook-cert-dir", defaultWebhookCertdir,
 		"Webhook cert dir, only used when webhook-enabled is true.")
 
+	tlsCipherSuites := flag.String("tls-cipher-suites", "",
+		"Comma-separated list of TLS cipher suites.")
+
+	tlsMinVersion := flag.String("tls-min-version", "",
+		"Minimum TLS version supported.")
+
 	healthAddr := flag.String(
 		"health-addr",
 		":9441",
@@ -159,9 +167,19 @@ func main() {
 	}
 
 	if *webhookEnabled {
+		tlsProfile := osconfigv1.TLSProfileSpec{
+			MinTLSVersion: osconfigv1.TLSProtocolVersion(*tlsMinVersion),
+		}
+		if *tlsCipherSuites != "" {
+			tlsProfile.Ciphers = strings.Split(*tlsCipherSuites, ",")
+		}
+
+		tlsOpts, _ := utiltls.NewTLSConfigFromProfile(tlsProfile)
+
 		opts.WebhookServer = webhook.NewServer(webhook.Options{
 			Port:    *webhookPort,
 			CertDir: *webhookCertdir,
+			TLSOpts: []func(*tls.Config){tlsOpts},
 		})
 	}
 

pkg/operator/sync.go

@@ -511,9 +511,10 @@ func newRBACConfigVolumes() []corev1.Volume {
 }
 
 func newPodTemplateSpec(config *OperatorConfig, features map[string]bool) *corev1.PodTemplateSpec {
-	containers := newContainers(config, features)
+	tlsArgs := getTLSArgs(config.TLSProfile)
+	containers := newContainers(config, features, tlsArgs)
 	withMHCProxy := config.Controllers.MachineHealthCheck != ""
-	proxyContainers := newKubeProxyContainers(config.Controllers.KubeRBACProxy, withMHCProxy, config.TLSProfile)
+	proxyContainers := newKubeProxyContainers(config.Controllers.KubeRBACProxy, withMHCProxy, tlsArgs)
 	tolerations := []corev1.Toleration{
 		{
 			Key:    "node-role.kubernetes.io/master",
@@ -655,7 +656,7 @@ func buildFeatureGatesString(featureGates map[string]bool) string {
 	return "--feature-gates=" + strings.Join(parts, ",")
 }
 
-func newContainers(config *OperatorConfig, features map[string]bool) []corev1.Container {
+func newContainers(config *OperatorConfig, features map[string]bool, tlsArgs []string) []corev1.Container {
 	resources := corev1.ResourceRequirements{
 		Requests: map[corev1.ResourceName]resource.Quantity{
 			corev1.ResourceMemory: resource.MustParse("20Mi"),
@@ -680,14 +681,17 @@ func newContainers(config *OperatorConfig, features map[string]bool) []corev1.Co
 		machineControllerArgs = append(machineControllerArgs, "--max-concurrent-reconciles=10")
 	}
 
+	machineSetControllerArgs := append([]string{}, featureGateArgs...)
+	machineSetControllerArgs = append(machineSetControllerArgs, tlsArgs...)
+
 	proxyEnvArgs := getProxyArgs(config)
 
 	containers := []corev1.Container{
 		{
 			Name:      "machineset-controller",
 			Image:     config.Controllers.MachineSet,
 			Command:   []string{"/machineset-controller"},
-			Args:      featureGateArgs,
+			Args:      machineSetControllerArgs,
 			Resources: resources,
 			Env:       proxyEnvArgs,
 			Ports: []corev1.ContainerPort{
@@ -856,7 +860,7 @@ func newContainers(config *OperatorConfig, features map[string]bool) []corev1.Co
 	return containers
 }
 
-func newKubeProxyContainers(image string, withMHCProxy bool, tlsProfile configv1.TLSProfileSpec) []corev1.Container {
+func getTLSArgs(tlsProfile configv1.TLSProfileSpec) []string {
 	// Compute TLS arguments once from the profile
 	tlsConfigFn, _ := utiltls.NewTLSConfigFromProfile(tlsProfile)
 	tlsConf := &tls.Config{}
@@ -870,6 +874,10 @@ func newKubeProxyContainers(image string, withMHCProxy bool, tlsProfile configv1
 	}
 	tlsArgs = append(tlsArgs, fmt.Sprintf("--tls-min-version=%s", tlsProfile.MinTLSVersion))
 
+	return tlsArgs
+}
+
+func newKubeProxyContainers(image string, withMHCProxy bool, tlsArgs []string) []corev1.Container {
 	proxyContainers := []corev1.Container{
 		newKubeProxyContainer(image, "machineset-mtrc", metrics.DefaultMachineSetMetricsAddress, machineSetExposeMetricsPort, tlsArgs),
 		newKubeProxyContainer(image, "machine-mtrc", metrics.DefaultMachineMetricsAddress, machineExposeMetricsPort, tlsArgs),

pkg/operator/sync_test.go

@@ -574,7 +574,7 @@ func TestNewKubeProxyContainers(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			g := NewWithT(t)
 
-			containers := newKubeProxyContainers(tc.image, tc.withMHCProxy, tc.tlsProfile)
+			containers := newKubeProxyContainers(tc.image, tc.withMHCProxy, getTLSArgs(tc.tlsProfile))
 
 			// Verify we get the expected number of containers
 			g.Expect(containers).To(HaveLen(len(tc.expectedPorts)))
@@ -617,3 +617,91 @@ func TestNewKubeProxyContainers(t *testing.T) {
 		})
 	}
 }
+
+func TestNewContainersTLSArgs(t *testing.T) {
+	testCases := []struct {
+		name       string
+		config     *OperatorConfig
+		tlsProfile configv1.TLSProfileSpec
+	}{
+		{
+			name: "TLS 1.2 with cipher suites",
+			config: &OperatorConfig{
+				TargetNamespace: targetNamespace,
+				PlatformType:    configv1.AWSPlatformType,
+				Controllers: Controllers{
+					Provider:           "provider-image:latest",
+					MachineSet:         "machineset-image:latest",
+					NodeLink:           "nodelink-image:latest",
+					MachineHealthCheck: "mhc-image:latest",
+				},
+			},
+			tlsProfile: configv1.TLSProfileSpec{
+				Ciphers: []string{
+					"ECDHE-ECDSA-AES128-GCM-SHA256",
+					"ECDHE-RSA-AES128-GCM-SHA256",
+				},
+				MinTLSVersion: configv1.VersionTLS12,
+			},
+		},
+		{
+			name: "TLS 1.3 without cipher suites",
+			config: &OperatorConfig{
+				TargetNamespace: targetNamespace,
+				PlatformType:    configv1.GCPPlatformType,
+				Controllers: Controllers{
+					Provider:           "provider-image:latest",
+					MachineSet:         "machineset-image:latest",
+					NodeLink:           "nodelink-image:latest",
+					MachineHealthCheck: "",
+				},
+			},
+			tlsProfile: configv1.TLSProfileSpec{
+				Ciphers:       []string{},
+				MinTLSVersion: configv1.VersionTLS13,
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			tlsArgs := getTLSArgs(tc.tlsProfile)
+			containers := newContainers(tc.config, map[string]bool{}, tlsArgs)
+
+			containerArgs := map[string][]string{}
+			for _, c := range containers {
+				containerArgs[c.Name] = c.Args
+			}
+
+			g.Expect(containerArgs).To(HaveKey("machineset-controller"))
+			g.Expect(containerArgs).To(HaveKey("machine-controller"))
+			g.Expect(containerArgs).To(HaveKey("nodelink-controller"))
+
+			// Only machineset-controller should receive TLS args.
+			machineSetJoined := strings.Join(containerArgs["machineset-controller"], " ")
+			g.Expect(machineSetJoined).To(ContainSubstring("--tls-min-version="+string(tc.tlsProfile.MinTLSVersion)),
+				"machineset-controller should have --tls-min-version")
+			if len(tc.tlsProfile.Ciphers) > 0 {
+				g.Expect(machineSetJoined).To(ContainSubstring("--tls-cipher-suites="),
+					"machineset-controller should have --tls-cipher-suites when ciphers are specified")
+			}
+
+			for _, name := range []string{"machine-controller", "nodelink-controller"} {
+				joined := strings.Join(containerArgs[name], " ")
+				g.Expect(joined).ToNot(ContainSubstring("--tls-min-version="),
+					"%s should not have TLS args", name)
+				g.Expect(joined).ToNot(ContainSubstring("--tls-cipher-suites="),
+					"%s should not have TLS args", name)
+			}
+
+			if tc.config.Controllers.MachineHealthCheck != "" {
+				g.Expect(containerArgs).To(HaveKey("machine-healthcheck-controller"))
+				mhcJoined := strings.Join(containerArgs["machine-healthcheck-controller"], " ")
+				g.Expect(mhcJoined).ToNot(ContainSubstring("--tls-min-version="),
+					"machine-healthcheck-controller should not have TLS args")
+			}
+		})
+	}
+}