fix(consoleplugin): translate IANA ciphers to OpenSSL for nginx #3639
Merged: tekton-robot merged 1 commit, Jul 1, 2026
Conversation
Author (Member): /release-note-none

Author (Member): /hold

Author (Member): /unhold

Author (Member): /unhold

Author (Member): /hold

Author (Member): /unhold

Author (Member): /hold
Apply cluster cipher suites to the nginx ssl_ciphers directive by translating IANA cipher suite names (used by OpenShift TLS profiles) to their OpenSSL equivalents required by nginx. The mapping is derived by inverting library-go's openSSLToIANACiphersMap (the canonical source of truth for OpenShift TLS profile ciphers). TLS 1.3 ciphers are intentionally excluded since nginx/OpenSSL negotiates them automatically when TLSv1.3 appears in ssl_protocols.

This resolves the tls-scanner TC08 finding where the console plugin nginx was not honoring the cluster cipher suite (Intermediate profile).

Relates-To: SRVKP-9632
Signed-off-by: Jawed khelil <jkhelil@redhat.com>
Assisted-by: Claude Sonnet 4.6 (via Cursor)
Co-authored-by: Cursor <cursoragent@cursor.com>
Force-pushed: 9dea456 to 42b50a1
Author (Member): /unhold
pramodbindal approved these changes, Jul 1, 2026
Contributor: [APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: pramodbindal. The full list of commands accepted by this bot can be found here. The pull request process is described here. Details: Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
Contributor: LGTM

Contributor: /lgtm
Author (Member): /cherry-pick release-v0.80.x
Contributor: ✅ Cherry-pick to A new pull request has been created to cherry-pick this change to PR: #3655. Please review and merge the cherry-pick PR.
Summary

- pipelines-console-plugin nginx was not honoring the cluster cipher suite (Intermediate profile): api_server_tls_config_compliance.ciphers=false
- Adds ianaToOpenSSLCiphers() to translate IANA cipher suite names (from the OpenShift APIServer TLS profile) to the OpenSSL names required by nginx's ssl_ciphers directive
- The mapping is the inverse of library-go's openSSLToIANACiphersMap, the canonical source of truth for OpenShift profile ciphers
- TLS 1.3 ciphers (TLS_AES_*, TLS_CHACHA20_*) are intentionally skipped: nginx/OpenSSL negotiates them automatically when TLSv1.3 is in ssl_protocols
- ssl_prefer_server_ciphers on; is emitted alongside ssl_ciphers so the cluster-defined ordering is respected

Context

Part of the central TLS management work (SRVKP-9632). The console plugin already:

- ssl_protocols and ML-KEM PQC groups (ssl_conf_command Groups X25519MLKEM768:X25519)

This PR adds the missing ssl_ciphers piece.

Behaviour when APIServer cipher list is nil

When no explicit tlsSecurityProfile is set on APIServer/cluster, the operator receives a nil cipher list and writes no ssl_ciphers directive. Nginx then falls back to its built-in default (HIGH:!aNULL:!MD5), which on RHEL/OpenSSL 3.x expands to ~131 cipher suites, far broader than any OpenShift TLS profile.

This is intentional and consistent with all other Pipelines components: propagate what the APIServer provides, never invent a fallback cipher list. Production OpenShift clusters always carry an explicit TLS profile (the platform default is Intermediate, confirmed by library-go: DefaultTLSProfileType = TLSProfileIntermediateType). A cluster with no profile set is misconfigured from a compliance standpoint; the operator should not silently mask that.

To reproduce real production conditions, explicitly set the Intermediate profile:

oc patch apiserver cluster --type=merge \
  -p '{"spec":{"tlsSecurityProfile":{"type":"Intermediate","intermediate":{}}}}'

Cluster validation evidence

APIServer set to Intermediate profile. The nginx ConfigMap is generated with exactly the 6 TLS 1.2 Intermediate ciphers:

Live TLS handshake tests:

- ECDHE-RSA-AES128-GCM-SHA256 (Intermediate cipher)
- AES256-SHA (Old-profile-only cipher)

Test plan

- Run tls-scanner and confirm TC08 passes

Relates-To: SRVKP-9632
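The translation and rendering the PR describes (invert the OpenSSL-to-IANA table, skip TLS 1.3 suites, emit ssl_ciphers plus ssl_prefer_server_ciphers on;, emit nothing for a nil list), as an added stand-alone example. This is not the PR's code or library-go's table: the openSSLToIANA map below is a hand-written excerpt covering only the Intermediate profile, the function names ianaToOpenSSLCiphers, isTLS13Cipher and nginxCipherDirectives are this example's own, and the input list in main is constructed. It goes slightly beyond the PR text by also returning IANA names that have no OpenSSL equivalent, so a caller can log them instead of silently dropping them.

```go
package main

import (
	"fmt"
	"strings"
)

// openSSLToIANA is a hand-written excerpt in the same shape as library-go's
// openSSLToIANACiphersMap (OpenSSL name -> IANA name). It is an assumption for
// this example and covers only the Intermediate profile, not the full table.
var openSSLToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	// TLS 1.3 suites use the same name on both sides.
	"TLS_AES_128_GCM_SHA256":       "TLS_AES_128_GCM_SHA256",
	"TLS_AES_256_GCM_SHA384":       "TLS_AES_256_GCM_SHA384",
	"TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
}

// ianaToOpenSSL is the inverted table (IANA name -> OpenSSL name), built once
// at package init, mirroring how the PR derives its mapping.
var ianaToOpenSSL = invert(openSSLToIANA)

func invert(m map[string]string) map[string]string {
	out := make(map[string]string, len(m))
	for openssl, iana := range m {
		out[iana] = openssl
	}
	return out
}

// isTLS13Cipher reports whether an IANA name is a TLS 1.3 suite (TLS_AES_*,
// TLS_CHACHA20_*). These never go into ssl_ciphers: nginx/OpenSSL enables
// them automatically when TLSv1.3 is listed in ssl_protocols.
func isTLS13Cipher(name string) bool {
	return strings.HasPrefix(name, "TLS_AES_") || strings.HasPrefix(name, "TLS_CHACHA20_")
}

// ianaToOpenSSLCiphers translates a profile's IANA cipher list into the
// OpenSSL names nginx accepts. Input order is preserved so the cluster-defined
// preference survives. Names with no OpenSSL equivalent are returned in
// unknown rather than written into the directive, so the caller can log them
// instead of silently losing them.
func ianaToOpenSSLCiphers(iana []string) (openssl, unknown []string) {
	for _, name := range iana {
		if isTLS13Cipher(name) {
			continue
		}
		o, ok := ianaToOpenSSL[name]
		if !ok {
			unknown = append(unknown, name)
			continue
		}
		openssl = append(openssl, o)
	}
	return openssl, unknown
}

// nginxCipherDirectives renders the ssl_ciphers block for the nginx ConfigMap.
// A nil or empty list yields no directive at all: nginx then uses its built-in
// default, which is the "propagate, never invent" behaviour described above.
func nginxCipherDirectives(openssl []string) string {
	if len(openssl) == 0 {
		return ""
	}
	return "ssl_ciphers " + strings.Join(openssl, ":") + ";\n" +
		"ssl_prefer_server_ciphers on;\n"
}

func main() {
	// Constructed input: the Intermediate profile as the APIServer exposes it,
	// three TLS 1.3 suites followed by the six TLS 1.2 suites.
	intermediate := []string{
		"TLS_AES_128_GCM_SHA256",
		"TLS_AES_256_GCM_SHA384",
		"TLS_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	}
	openssl, unknown := ianaToOpenSSLCiphers(intermediate)
	fmt.Print(nginxCipherDirectives(openssl))
	fmt.Println("unknown IANA names:", unknown)
	fmt.Printf("nil cipher list renders %q\n", nginxCipherDirectives(nil))
}
```

Running it with the constructed Intermediate list prints a single ssl_ciphers line containing the six TLS 1.2 suites in profile order, followed by ssl_prefer_server_ciphers on;, and an empty string for the nil case. A quick way to confirm the rendered names are ones OpenSSL actually knows is openssl ciphers -v followed by the colon-joined string, which fails loudly on a typo that nginx would otherwise only reveal at startup.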