Explicitly set defaultServing ciphers in FIPS mode

This is a no-op today, but could change in the future when we add support for FIPS in non-strict mode. Signed-off-by: Monis Khan <mok@vmware.com>
vmware-tanzu · Mar 31, 2022 · 0390c22 · 0390c22
1 parent d97efcb
commit 0390c22
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go
@@ -17,6 +17,8 @@ import (
 	"C"                     // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
 	_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
 
+	"k8s.io/apiserver/pkg/server/options"
+
 	"go.pinniped.dev/internal/plog"
 )
 
@@ -63,3 +65,7 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
 func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
 	return Default(rootCAs)
 }
+
+func secureServing(opts *options.SecureServingOptionsWithLoopback) {
+	return defaultServing(opts)
+}
diff --git a/internal/crypto/ptls/ptls.go b/internal/crypto/ptls/ptls.go
@@ -82,11 +82,6 @@ func defaultServing(opts *options.SecureServingOptionsWithLoopback) {
 	opts.MinTLSVersion = defaultServingOptionsMinTLSVersion
 }
 
-func secureServing(opts *options.SecureServingOptionsWithLoopback) {
-	opts.MinTLSVersion = secureServingOptionsMinTLSVersion
-	opts.CipherSuites = nil
-}
-
 func secureClient(opts *options.RecommendedOptions, f RestConfigFunc) error {
 	inClusterClient, inClusterConfig, err := f(nil)
 	if err != nil {

diff --git a/internal/crypto/ptls/secure.go b/internal/crypto/ptls/secure.go
@@ -9,6 +9,8 @@ package ptls
 import (
 	"crypto/tls"
 	"crypto/x509"
+
+	"k8s.io/apiserver/pkg/server/options"
 )
 
 // secureServingOptionsMinTLSVersion is the minimum tls version in the format
@@ -42,3 +44,8 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
 	}
 	return c
 }
+
+func secureServing(opts *options.SecureServingOptionsWithLoopback) {
+	opts.MinTLSVersion = secureServingOptionsMinTLSVersion
+	opts.CipherSuites = nil
+}