feat: Secure ciphers, min TLS v1.2, and disable auto TLS for etcd

This increases ootb security and provides STIG compliance for
this area at least.

Author: jimmidyson

pkg/handlers/generic/mutation/etcd/inject.go

@@ -5,6 +5,8 @@ package etcd
 
 import (
 	"context"
+	"crypto/tls"
+	"strings"
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -45,6 +47,21 @@ func newEtcdPatchHandler(
 	}
 }
 
+var defaultEtcdExtraArgs = map[string]string{
+	"auto-tls":      "false",
+	"peer-auto-tls": "false",
+	"cipher-suites": strings.Join(
+		[]string{
+			tls.CipherSuiteName(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
+			tls.CipherSuiteName(tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),
+			tls.CipherSuiteName(tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384),
+			tls.CipherSuiteName(tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
+		},
+		",",
+	),
+	"tls-min-version": "TLS1.2",
+}
+
 func (h *etcdPatchHandler) Mutate(
 	ctx context.Context,
 	obj *unstructured.Unstructured,
@@ -62,11 +79,7 @@ func (h *etcdPatchHandler) Mutate(
 		h.variableName,
 		h.variableFieldPath...,
 	)
-	if err != nil {
-		if variables.IsNotFoundError(err) {
-			log.V(5).Info("etcd variable not defined")
-			return nil
-		}
+	if err != nil && !variables.IsNotFoundError(err) {
 		return err
 	}
 
@@ -95,10 +108,25 @@ func (h *etcdPatchHandler) Mutate(
 			}
 
 			localEtcd := obj.Spec.Template.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.Local
-			if etcd.Image != nil && etcd.Image.Tag != "" {
+
+			if localEtcd.ExtraArgs == nil {
+				localEtcd.ExtraArgs = make(map[string]string, len(defaultEtcdExtraArgs))
+			}
+
+			for k, v := range defaultEtcdExtraArgs {
+				if _, ok := localEtcd.ExtraArgs[k]; !ok {
+					localEtcd.ExtraArgs[k] = v
+				}
+			}
+
+			if etcd.Image == nil {
+				return nil
+			}
+
+			if etcd.Image.Tag != "" {
 				localEtcd.ImageTag = etcd.Image.Tag
 			}
-			if etcd.Image != nil && etcd.Image.Repository != "" {
+			if etcd.Image.Repository != "" {
 				localEtcd.ImageRepository = etcd.Image.Repository
 			}
 

pkg/handlers/generic/mutation/etcd/inject_test.go

@@ -56,6 +56,12 @@ var _ = Describe("Generate etcd patches", func() {
 							"local": map[string]interface{}{
 								"imageRepository": "my-registry.io/my-org/my-repo",
 								"imageTag":        "v3.5.99_custom.0",
+								"extraArgs": map[string]interface{}{
+									"auto-tls":        "false",
+									"peer-auto-tls":   "false",
+									"cipher-suites":   "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", //nolint:lll // Long list of ciphers ok in test.
+									"tls-min-version": "TLS1.2",
+								},
 							},
 						},
 					),
@@ -85,6 +91,12 @@ var _ = Describe("Generate etcd patches", func() {
 						map[string]interface{}{
 							"local": map[string]interface{}{
 								"imageRepository": "my-registry.io/my-org/my-repo",
+								"extraArgs": map[string]interface{}{
+									"auto-tls":        "false",
+									"peer-auto-tls":   "false",
+									"cipher-suites":   "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", //nolint:lll // Long list of ciphers ok in test.
+									"tls-min-version": "TLS1.2",
+								},
 							},
 						},
 					),
@@ -114,6 +126,12 @@ var _ = Describe("Generate etcd patches", func() {
 						map[string]interface{}{
 							"local": map[string]interface{}{
 								"imageTag": "v3.5.99_custom.0",
+								"extraArgs": map[string]interface{}{
+									"auto-tls":        "false",
+									"peer-auto-tls":   "false",
+									"cipher-suites":   "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", //nolint:lll // Long list of ciphers ok in test.
+									"tls-min-version": "TLS1.2",
+								},
 							},
 						},
 					),