Skip to content
This repository was archived by the owner on Jul 11, 2023. It is now read-only.

fix(): reduce minimum tls version for osm controller, verifier, health #5292

Merged
merged 1 commit into from
Mar 20, 2023
Merged

fix(): reduce minimum tls version for osm controller, verifier, health #5292

merged 1 commit into from
Mar 20, 2023

Conversation

whitneygriffith
Copy link
Contributor

@whitneygriffith whitneygriffith commented Mar 13, 2023
edited
Loading

Description:
Backport the following fix for #5282 into release-v1.2

Part of #5282

Testing done:
Confirmed demo, health check and verifier worked as expected when OSM control plane has the following configuration:

Tls Max Protocol Version:  TLSv1_2 
Tls Min Protocol Version:  TLSv1_2

Affected area:

Functional Area
New Functionality [ ]
CI System [ ]
CLI Tool [ ]
Certificate Management [ ]
Control Plane [x]
Demo [ ]
Documentation [ ]
Egress [ ]
Ingress [ ]
Install [ ]
Networking [ ]
Observability [ ]
Performance [ ]
SMI Policy [ ]
Security [ ]
Sidecar Injection [ ]
Tests [ ]
Upgrade [ ]
Other [ ]

keithmattix
keithmattix suggested changes Mar 13, 2023
View reviewed changes
Copy link
Contributor

@keithmattix keithmattix left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good, but could you add an E2E test to make sure we continuously verify that setting the sidecar to maxTLSVersion v1.2 does not break anything?

@codecov-commenter
Copy link

codecov-commenter commented Mar 16, 2023
edited
Loading

Codecov Report

Merging #5292 (4881735) into release-v1.2 (899fdb8) will increase coverage by 0.01%.
The diff coverage is 33.33%.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@               Coverage Diff                @@
##           release-v1.2    #5292      +/-   ##
================================================
+ Coverage         68.83%   68.84%   +0.01%     
================================================
  Files               210      210              
  Lines             15679    15679              
================================================
+ Hits              10792    10794       +2     
+ Misses             4836     4834       -2     
  Partials             51       51
Flag Coverage Δ
unittests 68.84% <33.33%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/cli/verifier/pod.go 52.55% <0.00%> (ø)
pkg/health/health.go 52.11% <0.00%> (ø)
pkg/utils/mtls.go 100.00% <100.00%> (ø)

... and 1 file with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@whitneygriffith
fix(): reduce minimum tls version for osm controller, verifier, health
6e66bfb 
Signed-off-by: Whitney Griffith <whgriffi@microsoft.com>
@whitneygriffith
Copy link
Contributor Author

Changes look good, but could you add an E2E test to make sure we continuously verify that setting the sidecar to maxTLSVersion v1.2 does not break anything?

Added an e2e test

keithmattix
keithmattix approved these changes Mar 20, 2023
View reviewed changes
Copy link
Contributor

@keithmattix keithmattix left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work; thanks for the tests! I assume there will be a follow-up PR removing unsupported versions (or just marking them as unsupported?

@whitneygriffith
Copy link
Contributor Author

Good work; thanks for the tests! I assume there will be a follow-up PR removing unsupported versions (or just marking them as unsupported?

Yes! I will be creating a PR that will be removing TLSv1_0 and TLSv1_1 for the envoy max TLS Version.

jaellio
jaellio approved these changes Mar 20, 2023
View reviewed changes
tests/e2e/e2e_envoy_max_mtls_version_test.go

// Prior iterations of OSM supported a wide range of min and max MTLS versions for the envoy sidecar (TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2 and TLSv1_3)
// even though the OSM Control Plane's minimum version has been upgraded to TLSv1_2
// This test verifies that the envoy sidecar maxTLSVersion is compatible with the current osm control plane's minTLSVersion
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

Suggested change
// This test verifies that the envoy sidecar maxTLSVersion is compatible with the current osm control plane's minTLSVersion
// This test verifies that the envoy sidecar maxTLSVersion is compatible with the current OSM control plane's minTLSVersion

tests/e2e/e2e_envoy_max_mtls_version_test.go
// Prior iterations of OSM supported a wide range of min and max MTLS versions for the envoy sidecar (TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2 and TLSv1_3)
// even though the OSM Control Plane's minimum version has been upgraded to TLSv1_2
// This test verifies that the envoy sidecar maxTLSVersion is compatible with the current osm control plane's minTLSVersion
var _ = OSMDescribe("Test envoy maxTLSVersion is compatible with osm control plane's minTLSVersion",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

Suggested change
var _ = OSMDescribe("Test envoy maxTLSVersion is compatible with osm control plane's minTLSVersion",
var _ = OSMDescribe("Test envoy maxTLSVersion is compatible with OSM control plane's minTLSVersion",

@jaellio jaellio mentioned this pull request Mar 20, 2023
Merged
@jaellio jaellio merged commit 1a9b067 into openservicemesh:release-v1.2 Mar 20, 2023
This was referenced Apr 3, 2023
Closed
Closed
Closed
jaellio pushed a commit to jaellio/osm that referenced this pull request Apr 5, 2023
@whitneygriffith @jaellio
fix(): reduce minimum tls version for osm controller, verifier, health (
2bf13e5 
openservicemesh#5292)

Addresses potentially incompatible envoy max tls version
and OSM control plane min tls version by updating the OSM
control plane min tls version from TLSv1_3 to TLSv1_2.

Fixes openservicemesh#5282.

Signed-off-by: Whitney Griffith <whgriffi@microsoft.com>
@jaellio jaellio mentioned this pull request Apr 5, 2023
Merged
jaellio pushed a commit to jaellio/osm that referenced this pull request Apr 5, 2023
@whitneygriffith @jaellio
fix(): reduce minimum tls version for osm controller, verifier, health (
06cbf03 
openservicemesh#5292)

Addresses potentially incompatible envoy max tls version
and OSM control plane min tls version by updating the OSM
control plane min tls version from TLSv1_3 to TLSv1_2.

Fixes openservicemesh#5282.

Signed-off-by: Whitney Griffith <whgriffi@microsoft.com>
Signed-off-by: jaellio <jaellio@microsoft.com>
jaellio pushed a commit to jaellio/osm that referenced this pull request Apr 7, 2023
@whitneygriffith
fix(): reduce minimum tls version for osm controller, verifier, health (
20b4aec 
openservicemesh#5292)

Addresses potentially incompatible envoy max tls version
and OSM control plane min tls version by updating the OSM
control plane min tls version from TLSv1_3 to TLSv1_2.

Fixes openservicemesh#5282.

Signed-off-by: Whitney Griffith <whgriffi@microsoft.com>
Signed-off-by: jaellio <jaellio@microsoft.com>
jaellio pushed a commit to jaellio/osm that referenced this pull request Apr 7, 2023
@whitneygriffith @jaellio
fix(): reduce minimum tls version for osm controller, verifier, health (
b77f975 
openservicemesh#5292)

Addresses potentially incompatible envoy max tls version
and OSM control plane min tls version by updating the OSM
control plane min tls version from TLSv1_3 to TLSv1_2.

Fixes openservicemesh#5282.

Signed-off-by: Whitney Griffith <whgriffi@microsoft.com>
Signed-off-by: jaellio <jaellio@microsoft.com>
jaellio pushed a commit to jaellio/osm that referenced this pull request Apr 11, 2023
@whitneygriffith @jaellio
fix(): reduce minimum tls version for osm controller, verifier, health (
3fa5720 
openservicemesh#5292)

Addresses potentially incompatible envoy max tls version
and OSM control plane min tls version by updating the OSM
control plane min tls version from TLSv1_3 to TLSv1_2.

Fixes openservicemesh#5282.

Signed-off-by: Whitney Griffith <whgriffi@microsoft.com>
Signed-off-by: jaellio <jaellio@microsoft.com>
jaellio pushed a commit that referenced this pull request Apr 11, 2023
@whitneygriffith @jaellio
fix(): reduce minimum tls version for osm controller, verifier, health (
0582092 
#5292)

Addresses potentially incompatible envoy max tls version
and OSM control plane min tls version by updating the OSM
control plane min tls version from TLSv1_3 to TLSv1_2.

Fixes #5282.

Signed-off-by: Whitney Griffith <whgriffi@microsoft.com>
Signed-off-by: jaellio <jaellio@microsoft.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@shashankram shashankram Awaiting requested review from shashankram

@nojnhuh nojnhuh Awaiting requested review from nojnhuh

@trstringer trstringer Awaiting requested review from trstringer

@steeling steeling Awaiting requested review from steeling

@shalier shalier Awaiting requested review from shalier

2 more reviewers

@keithmattix keithmattix keithmattix approved these changes

@jaellio jaellio jaellio approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@whitneygriffith @codecov-commenter @keithmattix @jaellio