metrics: use TLS profile in listener

Author: djoshy

cmd/machine-config-controller/start.go

@@ -40,6 +40,8 @@ var (
 		templates                string
 		promMetricsListenAddress string
 		resourceLockNamespace    string
+		tlsCipherSuites          []string
+		tlsMinVersion            string
 	}
 )
 
@@ -48,6 +50,8 @@ func init() {
 	startCmd.PersistentFlags().StringVar(&startOpts.kubeconfig, "kubeconfig", "", "Kubeconfig file to access a remote cluster (testing only)")
 	startCmd.PersistentFlags().StringVar(&startOpts.resourceLockNamespace, "resourcelock-namespace", metav1.NamespaceSystem, "Path to the template files used for creating MachineConfig objects")
 	startCmd.PersistentFlags().StringVar(&startOpts.promMetricsListenAddress, "metrics-listen-address", "127.0.0.1:8797", "Listen address for prometheus metrics listener")
+	startCmd.PersistentFlags().StringSliceVar(&startOpts.tlsCipherSuites, "tls-cipher-suites", nil, "Comma-separated list of cipher suites for the metrics server")
+	startCmd.PersistentFlags().StringVar(&startOpts.tlsMinVersion, "tls-min-version", "VersionTLS12", "Minimum TLS version supported for the metrics server")
 }
 
 func runStartCmd(_ *cobra.Command, _ []string) {
@@ -73,7 +77,7 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 
 		ctrlctx := ctrlcommon.CreateControllerContext(ctx, cb)
 
-		go ctrlcommon.StartMetricsListener(startOpts.promMetricsListenAddress, ctrlctx.Stop, ctrlcommon.RegisterMCCMetrics)
+		go ctrlcommon.StartMetricsListener(startOpts.promMetricsListenAddress, ctrlctx.Stop, ctrlcommon.RegisterMCCMetrics, startOpts.tlsMinVersion, startOpts.tlsCipherSuites)
 
 		controllers := createControllers(ctrlctx)
 		draincontroller := drain.New(

cmd/machine-config-daemon/start.go

@@ -43,6 +43,8 @@ var (
 		kubeletHealthzEnabled      bool
 		kubeletHealthzEndpoint     string
 		promMetricsURL             string
+		tlsCipherSuites            []string
+		tlsMinVersion              string
 	}
 )
 
@@ -57,6 +59,8 @@ func init() {
 	startCmd.PersistentFlags().BoolVar(&startOpts.kubeletHealthzEnabled, "kubelet-healthz-enabled", true, "kubelet healthz endpoint monitoring")
 	startCmd.PersistentFlags().StringVar(&startOpts.kubeletHealthzEndpoint, "kubelet-healthz-endpoint", "http://localhost:10248/healthz", "healthz endpoint to check health")
 	startCmd.PersistentFlags().StringVar(&startOpts.promMetricsURL, "metrics-url", "127.0.0.1:8797", "URL for prometheus metrics listener")
+	startCmd.PersistentFlags().StringSliceVar(&startOpts.tlsCipherSuites, "tls-cipher-suites", nil, "Comma-separated list of cipher suites for the metrics server")
+	startCmd.PersistentFlags().StringVar(&startOpts.tlsMinVersion, "tls-min-version", "VersionTLS12", "Minimum TLS version supported for the metrics server")
 }
 
 //nolint:gocritic
@@ -177,7 +181,7 @@ func runStartCmd(_ *cobra.Command, _ []string) {
 	}
 
 	// Start local metrics listener
-	go ctrlcommon.StartMetricsListener(startOpts.promMetricsURL, stopCh, daemon.RegisterMCDMetrics)
+	go ctrlcommon.StartMetricsListener(startOpts.promMetricsURL, stopCh, daemon.RegisterMCDMetrics, startOpts.tlsMinVersion, startOpts.tlsCipherSuites)
 
 	ctrlctx := ctrlcommon.CreateControllerContext(ctx, cb)
 

manifests/machineconfigcontroller/deployment.yaml

@@ -24,6 +24,8 @@ spec:
         - "--resourcelock-namespace={{.TargetNamespace}}"
         - "--v={{.LogLevel}}"
         - "--payload-version={{.ReleaseVersion}}"
+        - "--tls-cipher-suites={{join .TLSCipherSuites ","}}"
+        - "--tls-min-version={{.TLSMinVersion}}"
         resources:
           requests:
             cpu: 20m

manifests/machineconfigdaemon/daemonset.yaml

@@ -32,6 +32,8 @@ spec:
           - "start"
           - "--payload-version={{.ReleaseVersion}}"
           - "--v={{.LogLevel}}"
+          - "--tls-cipher-suites={{join .TLSCipherSuites ","}}"
+          - "--tls-min-version={{.TLSMinVersion}}"
         resources:
           requests:
             cpu: 20m

pkg/controller/common/metrics.go

@@ -5,7 +5,6 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net/http"
-	"strings"
 
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -127,7 +126,7 @@ func RegisterMetrics(metrics []prometheus.Collector) error {
 }
 
 // StartMetricsListener is metrics listener via http on localhost
-func StartMetricsListener(addr string, stopCh <-chan struct{}, registerFunc func() error) {
+func StartMetricsListener(addr string, stopCh <-chan struct{}, registerFunc func() error, tlsMinVersion string, tlsCipherSuites []string) {
 	if addr == "" {
 		addr = DefaultBindAddress
 	}
@@ -139,15 +138,14 @@ func StartMetricsListener(addr string, stopCh <-chan struct{}, registerFunc func
 		return
 	}
 
-	klog.Infof("Starting metrics listener on %s", addr)
+	// Get TLS config from provided settings, or use defaults
+	tlsConfig := GetGoTLSConfig(tlsMinVersion, tlsCipherSuites)
+
+	klog.Infof("Starting metrics listener on %s with TLS min version: %s", addr, tlsMinVersion)
 	mux := http.NewServeMux()
 	mux.Handle("/metrics", promhttp.Handler())
 	s := http.Server{
-		TLSConfig: &tls.Config{
-			MinVersion:   tls.VersionTLS12,
-			NextProtos:   []string{"http/1.1"},
-			CipherSuites: cipherOrder(),
-		},
+		TLSConfig:    tlsConfig,
 		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
 		Addr:         addr,
 		Handler:      mux}
@@ -166,43 +164,3 @@ func StartMetricsListener(addr string, stopCh <-chan struct{}, registerFunc func
 		klog.Infof("Metrics listener successfully stopped")
 	}
 }
-
-func cipherOrder() []uint16 {
-	var first []uint16
-	var second []uint16
-
-	allowable := func(c *tls.CipherSuite) bool {
-		// Disallow block ciphers using straight SHA1
-		// See: https://tools.ietf.org/html/rfc7540#appendix-A
-		if strings.HasSuffix(c.Name, "CBC_SHA") {
-			return false
-		}
-		// 3DES is considered insecure
-		if strings.Contains(c.Name, "3DES") {
-			return false
-		}
-		return true
-	}
-
-	for _, c := range tls.CipherSuites() {
-		for _, v := range c.SupportedVersions {
-			if v == tls.VersionTLS13 {
-				first = append(first, c.ID)
-			}
-			if v == tls.VersionTLS12 && allowable(c) {
-				inFirst := false
-				for _, id := range first {
-					if c.ID == id {
-						inFirst = true
-						break
-					}
-				}
-				if !inFirst {
-					second = append(second, c.ID)
-				}
-			}
-		}
-	}
-
-	return append(first, second...)
-}