
Make WebhookAuthenticators use Pinniped's preferred TLS version and ciphers when testing connection and during authentication attempts #1917

Merged
merged 7 commits into from
Apr 19, 2024

Conversation

cfryanr
Member

@cfryanr cfryanr commented Apr 18, 2024

The Concierge's WebhookAuthenticators were not previously honoring Pinniped's preferred TLS configuration. This PR changes them to use Pinniped's preferred TLS version and ciphers when:

  • dialing the webhook's server to test the connection to decide what status conditions to write onto the WebhookAuthenticator resource
  • calling the webhook endpoint during actual end-user authentication attempts

WebhookAuthenticators will use Pinniped's "default" profile for client TLS configuration, which is either:

Release note:

WebhookAuthenticators now honor Pinniped's preferred client TLS configuration, including its
preferred allowed TLS v1.2 ciphers. This could be a breaking change if your webhook server is
serving requests using only TLS v1.2 (not allowing TLS v1.3) and does not allow any of Pinniped's
preferred TLS v1.2 ciphers. Note that Pinniped's preferred TLS v1.2 cipher list is different
depending on whether it was compiled in FIPS compatibility mode or not.
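To make the release note's compatibility caveat concrete, here is an added example that is not Pinniped's code and not part of this PR. It builds a client TLS config with a TLS 1.2 floor and a restricted TLS 1.2 cipher list, runs a connection probe of the kind a controller would perform before writing status conditions, and exercises it against three constructed local servers: a TLS 1.2-only server offering none of the preferred ciphers (the breaking case), a TLS 1.2-only server offering one preferred cipher, and a TLS 1.3 server. The cipher list, the server configs and the function names (`clientTLSConfig`, `checkWebhookConnection`, `startServer`) are assumptions for illustration; Pinniped's real list, and its FIPS variant, live in Pinniped's own code and are not reproduced here.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// preferredTLS12Ciphers is a constructed stand-in for Pinniped's "default"
// profile cipher list (assumption; the real list is defined in Pinniped).
var preferredTLS12Ciphers = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// clientTLSConfig is the client-side policy: TLS 1.2 as the floor, TLS 1.3
// permitted (Go does not let callers configure TLS 1.3 suites), and only the
// preferred TLS 1.2 suites offered to the server.
func clientTLSConfig(rootCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: preferredTLS12Ciphers,
		RootCAs:      rootCAs,
	}
}

// checkWebhookConnection makes one request with the preferred client config
// and returns the transport/handshake error, if any. It is a plain GET probe,
// not a real TokenReview call (hypothetical helper).
func checkWebhookConnection(url string, rootCAs *x509.CertPool) error {
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: clientTLSConfig(rootCAs)},
	}
	resp, err := client.Get(url)
	if err != nil {
		return fmt.Errorf("cannot reach webhook server with preferred TLS config: %w", err)
	}
	resp.Body.Close()
	return nil
}

// startServer starts a constructed local TLS server (httptest, RSA test cert)
// with the given server-side TLS settings and a pool trusting its certificate.
func startServer(serverTLS *tls.Config) (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = serverTLS
	srv.StartTLS()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

// legacyTLS12ServerConfig models the breaking case from the release note:
// TLS 1.2 only, with no cipher from the preferred list enabled.
func legacyTLS12ServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		},
	}
}

// modernTLS12ServerConfig is TLS 1.2 only but permits one preferred suite.
func modernTLS12ServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
	}
}

// tls13ServerConfig allows TLS 1.3, where the TLS 1.2 cipher list is not used.
func tls13ServerConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13}
}

func main() {
	for name, cfg := range map[string]*tls.Config{
		"tls1.2-legacy-ciphers": legacyTLS12ServerConfig(),
		"tls1.2-preferred":      modernTLS12ServerConfig(),
		"tls1.3":                tls13ServerConfig(),
	} {
		srv, pool := startServer(cfg)
		err := checkWebhookConnection(srv.URL, pool)
		srv.Close()
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

Only the first scenario fails: the client offers nothing the TLS 1.2-only server accepts, so the handshake is rejected and the probe returns an error, which is exactly the situation a status condition on the WebhookAuthenticator would surface. The other two succeed, because either a preferred TLS 1.2 suite overlaps or TLS 1.3 is negotiated and the TLS 1.2 list never comes into play.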


codecov bot commented Apr 18, 2024

Codecov Report

Attention: Patch coverage is 87.78626%, with 16 lines in your changes missing coverage. Please review.

Project coverage is 38.62%. Comparing base (59fef0c) to head (7c0c321).

Files                                                    Patch %   Lines
internal/testutil/tlsserver/tlsserver.go                 85.29%    7 Missing and 3 partials ⚠️
internal/kubeclient/kubeclient.go                        84.61%    2 Missing and 2 partials ⚠️
...enticator/webhookcachefiller/webhookcachefiller.go    93.54%    2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1917      +/-   ##
==========================================
+ Coverage   38.57%   38.62%   +0.05%     
==========================================
  Files         350      349       -1     
  Lines       44514    44506       -8     
==========================================
+ Hits        17171    17191      +20     
+ Misses      26828    26799      -29     
- Partials      515      516       +1     


@cfryanr cfryanr changed the title from "Make WebhookAuthenticators use Pinniped's preferred TLS version and ciphers when testing connection to server and during authentication attempts" to "Make WebhookAuthenticators use Pinniped's preferred TLS version and ciphers when testing connection and during authentication attempts" Apr 18, 2024
@cfryanr cfryanr enabled auto-merge April 19, 2024 19:52
@cfryanr cfryanr merged commit c79f8c8 into main Apr 19, 2024
41 checks passed
@cfryanr cfryanr deleted the dial_config branch April 19, 2024 20:37
3 participants