feat: Secure ciphers, min TLS v1.2, and disable auto TLS for etcd (#808)

This increases ootb security and provides STIG compliance for
this area at least.

Fixes #806.

Author: jimmidyson

pkg/handlers/generic/mutation/etcd/inject.go

@@ -5,6 +5,8 @@ package etcd
 
 import (
 	"context"
+	"crypto/tls"
+	"strings"
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -45,6 +47,25 @@ func newEtcdPatchHandler(
 	}
 }
 
+// defaultEtcdExtraArgs holds secure default flags for etcd. These flags are
+// set in order to satisfy both STIG and FIPS requirements by explicitly disabling certain
+// insecure features (e.g. `auto-tls`), setting a required minimum TLS version to v1.2,
+// and setting a list of secure cipher suites that satisfy both FIPS and non-FIPS scenarios.
+var defaultEtcdExtraArgs = map[string]string{
+	"auto-tls":      "false",
+	"peer-auto-tls": "false",
+	"cipher-suites": strings.Join(
+		[]string{
+			tls.CipherSuiteName(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
+			tls.CipherSuiteName(tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256),
+			tls.CipherSuiteName(tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384),
+			tls.CipherSuiteName(tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
+		},
+		",",
+	),
+	"tls-min-version": "TLS1.2",
+}
+
 func (h *etcdPatchHandler) Mutate(
 	ctx context.Context,
 	obj *unstructured.Unstructured,
@@ -62,11 +83,7 @@ func (h *etcdPatchHandler) Mutate(
 		h.variableName,
 		h.variableFieldPath...,
 	)
-	if err != nil {
-		if variables.IsNotFoundError(err) {
-			log.V(5).Info("etcd variable not defined")
-			return nil
-		}
+	if err != nil && !variables.IsNotFoundError(err) {
 		return err
 	}
 
@@ -95,10 +112,25 @@ func (h *etcdPatchHandler) Mutate(
 			}
 
 			localEtcd := obj.Spec.Template.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.Local
-			if etcd.Image != nil && etcd.Image.Tag != "" {
+
+			if localEtcd.ExtraArgs == nil {
+				localEtcd.ExtraArgs = make(map[string]string, len(defaultEtcdExtraArgs))
+			}
+
+			for k, v := range defaultEtcdExtraArgs {
+				if _, ok := localEtcd.ExtraArgs[k]; !ok {
+					localEtcd.ExtraArgs[k] = v
+				}
+			}
+
+			if etcd.Image == nil {
+				return nil
+			}
+
+			if etcd.Image.Tag != "" {
 				localEtcd.ImageTag = etcd.Image.Tag
 			}
-			if etcd.Image != nil && etcd.Image.Repository != "" {
+			if etcd.Image.Repository != "" {
 				localEtcd.ImageRepository = etcd.Image.Repository
 			}
 

pkg/handlers/generic/mutation/etcd/inject_test.go

@@ -22,6 +22,15 @@ func TestEtcdPolicyPatch(t *testing.T) {
 	RunSpecs(t, "etcd mutator suite")
 }
 
+// tlsExtraArgs holds the final set of extraArgs that should be set in the etcd for a default configuration.
+// See inject.go for the reasoning behind these values.
+var tlsExtraArgs = map[string]interface{}{
+	"auto-tls":        "false",
+	"peer-auto-tls":   "false",
+	"cipher-suites":   "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", //nolint:lll // Long list of ciphers ok in test.
+	"tls-min-version": "TLS1.2",
+}
+
 var _ = Describe("Generate etcd patches", func() {
 	patchGenerator := func() mutation.GeneratePatches {
 		return mutation.NewMetaGeneratePatchesHandler("", helpers.TestEnv.Client, NewPatch()).(mutation.GeneratePatches)
@@ -56,6 +65,7 @@ var _ = Describe("Generate etcd patches", func() {
 							"local": map[string]interface{}{
 								"imageRepository": "my-registry.io/my-org/my-repo",
 								"imageTag":        "v3.5.99_custom.0",
+								"extraArgs":       tlsExtraArgs,
 							},
 						},
 					),
@@ -85,6 +95,7 @@ var _ = Describe("Generate etcd patches", func() {
 						map[string]interface{}{
 							"local": map[string]interface{}{
 								"imageRepository": "my-registry.io/my-org/my-repo",
+								"extraArgs":       tlsExtraArgs,
 							},
 						},
 					),
@@ -113,7 +124,8 @@ var _ = Describe("Generate etcd patches", func() {
 						"etcd",
 						map[string]interface{}{
 							"local": map[string]interface{}{
-								"imageTag": "v3.5.99_custom.0",
+								"imageTag":  "v3.5.99_custom.0",
+								"extraArgs": tlsExtraArgs,
 							},
 						},
 					),