Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug 1823852: pkg/server: disable weak TLS versions #1649

Merged
merged 2 commits into from
Apr 24, 2020

Conversation

runcom
Copy link
Member

@runcom runcom commented Apr 14, 2020

Coming from an user request but it makes sense as we (OpenShift) use and control
that port.

It's not fully clear to me if we can drop tls < 1.2 but I'm leaning toward so for security reasons

Signed-off-by: Antonio Murdaca runcom@linux.com

@cgwalters also ptal

Coming from an user request but it makes sense as we (OpenShift) use and control
that port.

Signed-off-by: Antonio Murdaca <runcom@linux.com>
@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Apr 14, 2020
@openshift-ci-robot
Copy link
Contributor

@runcom: This pull request references Bugzilla bug 1823852, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.5.0) matches configured target release for branch (4.5.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1823852: pkg/server: disable weak TLS versions

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@runcom runcom added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 14, 2020
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 14, 2020
@openshift-ci-robot
Copy link
Contributor

@runcom: This pull request references Bugzilla bug 1823852, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.5.0) matches configured target release for branch (4.5.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1823852: pkg/server: disable weak TLS versions

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@runcom
Copy link
Member Author

runcom commented Apr 14, 2020

/cherry-pick release-4.4

@openshift-cherrypick-robot

@runcom: once the present PR merges, I will cherry-pick it on top of release-4.4 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.4
/cherry-pick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@runcom
Copy link
Member Author

runcom commented Apr 14, 2020

/cherry-pick release-4.3

@openshift-cherrypick-robot

@runcom: once the present PR merges, I will cherry-pick it on top of release-4.3 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@runcom
Copy link
Member Author

runcom commented Apr 14, 2020

/retest

@runcom
Copy link
Member Author

runcom commented Apr 14, 2020

/retest
/skip

@openshift-ci-robot
Copy link
Contributor

@runcom: The /retest command does not accept any targets.
The following commands are available to trigger jobs:

  • /test e2e-aws
  • /test e2e-aws-disruptive
  • /test e2e-aws-scaleup-rhel7
  • /test e2e-gcp-op
  • /test e2e-gcp-upgrade
  • /test e2e-metal-ipi
  • /test e2e-openstack
  • /test e2e-ovirt
  • /test e2e-vsphere
  • /test images
  • /test unit
  • /test verify

Use /test all to run all jobs.

In response to this:

/retest
/skip

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ashcrow
Copy link
Member

ashcrow commented Apr 14, 2020

/retest

@ashcrow
Copy link
Member

ashcrow commented Apr 14, 2020

/retest

pkg/server/api.go Show resolved Hide resolved
pkg/server/api.go Show resolved Hide resolved
@runcom
Copy link
Member Author

runcom commented Apr 15, 2020

/skip

@runcom
Copy link
Member Author

runcom commented Apr 15, 2020

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 15, 2020
@runcom
Copy link
Member Author

runcom commented Apr 15, 2020

This is good to go now, ptal

pkg/server/api.go Outdated Show resolved Hide resolved
Co-Authored-By: Colin Walters <walters@verbum.org>
Signed-off-by: Antonio Murdaca <runcom@linux.com>
@cgwalters
Copy link
Member

It's not fully clear to me if we can drop tls < 1.2 but I'm leaning toward so for security reasons

The only thing hitting this endpoint now should be CoreOS; so the minimum version here is really "maximum TLS supported by CoreOS". I suspect in fact we could bump it up to 1.3.

Although, I guess more precisely it's "maximum TLS supported by RHCOS 4.1...since we don't update bootimages yet.

@runcom
Copy link
Member Author

runcom commented Apr 15, 2020

The only thing hitting this endpoint now should be CoreOS; so the minimum version here is really "maximum TLS supported by CoreOS". I suspect in fact we could bump it up to 1.3.

Although, I guess more precisely it's "maximum TLS supported by RHCOS 4.1...since we don't update bootimages yet.

awesome, that was my impression as well: since we control the other side of the connection, we can safely assume those are going to be the only proto to be used.

Anyway, since TLS 1.2 doesn't seem to be an issue, what if we stick with that? or do you feel strong about moving to 1.3?

@runcom
Copy link
Member Author

runcom commented Apr 15, 2020

from all the e2e tests failing tho, I'm not sure if we can do this lol will keep checking.

@kikisdeliveryservice
Copy link
Contributor

/skip

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 23, 2020
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ashcrow, runcom, sinnykumari

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [ashcrow,runcom,sinnykumari]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/retest

@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/refresh

1 similar comment
@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/refresh

@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/retest e2e-aws

@openshift-ci-robot
Copy link
Contributor

@runcom: The /retest command does not accept any targets.
The following commands are available to trigger jobs:

  • /test e2e-aws
  • /test e2e-aws-disruptive
  • /test e2e-aws-scaleup-rhel7
  • /test e2e-gcp-op
  • /test e2e-gcp-upgrade
  • /test e2e-metal-ipi
  • /test e2e-openstack
  • /test e2e-ovirt
  • /test e2e-vsphere
  • /test images
  • /test unit
  • /test verify

Use /test all to run all jobs.

In response to this:

/retest e2e-aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/test e2e-aws

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/refresh
/retest

@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/test e2e-aws

@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/retest

@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/refresh

@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/retest

@kikisdeliveryservice
Copy link
Contributor

PR seems to be hitting a lot of prometheus related erors in e2e-aws.. are these flakes/known bugs?

@runcom
Copy link
Member Author

runcom commented Apr 23, 2020

/refresh

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

1 similar comment
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Apr 24, 2020

@runcom: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-aws-scaleup-rhel7 f76bd18 link /test e2e-aws-scaleup-rhel7

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

1 similar comment
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit a6dc119 into openshift:master Apr 24, 2020
@openshift-ci-robot
Copy link
Contributor

@runcom: All pull requests linked via external trackers have merged: openshift/machine-config-operator#1649. Bugzilla bug 1823852 has been moved to the MODIFIED state.

In response to this:

Bug 1823852: pkg/server: disable weak TLS versions

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot

@runcom: new pull request created: #1680

In response to this:

/cherry-pick release-4.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot

@runcom: new pull request created: #1681

In response to this:

/cherry-pick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@runcom runcom deleted the tls-weak branch April 24, 2020 06:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants