feat: Enforce TLS v1.3 and disable auto TLS for etcd

This increases ootb security and provides STIG compliance for
this area at least.

Author: jimmidyson

pkg/handlers/generic/mutation/etcd/inject.go

@@ -45,6 +45,12 @@ func newEtcdPatchHandler(
 	}
 }
 
+var defaultEtcdExtraArgs = map[string]string{
+	"auto-tls":        "false",
+	"peer-auto-tls":   "false",
+	"tls-min-version": "TLS1.3",
+}
+
 func (h *etcdPatchHandler) Mutate(
 	ctx context.Context,
 	obj *unstructured.Unstructured,
@@ -62,11 +68,7 @@ func (h *etcdPatchHandler) Mutate(
 		h.variableName,
 		h.variableFieldPath...,
 	)
-	if err != nil {
-		if variables.IsNotFoundError(err) {
-			log.V(5).Info("etcd variable not defined")
-			return nil
-		}
+	if err != nil && !variables.IsNotFoundError(err) {
 		return err
 	}
 
@@ -95,10 +97,25 @@ func (h *etcdPatchHandler) Mutate(
 			}
 
 			localEtcd := obj.Spec.Template.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.Local
-			if etcd.Image != nil && etcd.Image.Tag != "" {
+
+			if localEtcd.ExtraArgs == nil {
+				localEtcd.ExtraArgs = make(map[string]string, 3)
+			}
+
+			for k, v := range defaultEtcdExtraArgs {
+				if _, ok := localEtcd.ExtraArgs[k]; !ok {
+					localEtcd.ExtraArgs[k] = v
+				}
+			}
+
+			if etcd.Image == nil {
+				return nil
+			}
+
+			if etcd.Image.Tag != "" {
 				localEtcd.ImageTag = etcd.Image.Tag
 			}
-			if etcd.Image != nil && etcd.Image.Repository != "" {
+			if etcd.Image.Repository != "" {
 				localEtcd.ImageRepository = etcd.Image.Repository
 			}
 

pkg/handlers/generic/mutation/etcd/inject_test.go

@@ -56,6 +56,11 @@ var _ = Describe("Generate etcd patches", func() {
 							"local": map[string]interface{}{
 								"imageRepository": "my-registry.io/my-org/my-repo",
 								"imageTag":        "v3.5.99_custom.0",
+								"extraArgs": map[string]interface{}{
+									"auto-tls":        "false",
+									"peer-auto-tls":   "false",
+									"tls-min-version": "TLS1.3",
+								},
 							},
 						},
 					),
@@ -85,6 +90,11 @@ var _ = Describe("Generate etcd patches", func() {
 						map[string]interface{}{
 							"local": map[string]interface{}{
 								"imageRepository": "my-registry.io/my-org/my-repo",
+								"extraArgs": map[string]interface{}{
+									"auto-tls":        "false",
+									"peer-auto-tls":   "false",
+									"tls-min-version": "TLS1.3",
+								},
 							},
 						},
 					),
@@ -114,6 +124,11 @@ var _ = Describe("Generate etcd patches", func() {
 						map[string]interface{}{
 							"local": map[string]interface{}{
 								"imageTag": "v3.5.99_custom.0",
+								"extraArgs": map[string]interface{}{
+									"auto-tls":        "false",
+									"peer-auto-tls":   "false",
+									"tls-min-version": "TLS1.3",
+								},
 							},
 						},
 					),