vmware-tanzu / pinniped

Pinniped is the easy, secure way to log in to your Kubernetes clusters.
https://pinniped.dev
Apache License 2.0

Make WebhookAuthenticators use Pinniped's preferred TLS version and ciphers when testing connection and during authentication attempts #1917

Closed: cfryanr closed 4 months ago

cfryanr commented 4 months ago

The Concierge's WebhookAuthenticators were not previously honoring Pinniped's preferred TLS configuration. This PR changes them to use Pinniped's preferred TLS version and ciphers when:

WebhookAuthenticators will use Pinniped's "default" profile for client TLS configuration, which is either:

Release note:

WebhookAuthenticators now honor Pinniped's preferred client TLS configuration, including its
preferred allowed TLS v1.2 ciphers. This could be a breaking change if your webhook server is
serving requests using only TLS v1.2 (not allowing TLS v1.3) and does not allow any of Pinniped's
preferred TLS v1.2 ciphers. Note that Pinniped's preferred TLS v1.2 cipher list is different
depending on if it was compiled in FIPS compatibility mode or not.
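
The breaking-change condition in the release note (a TLS v1.2-only server that shares no cipher suite with a restricted client) can be reproduced locally. This is an added example, not code from this PR or from Pinniped: the suite lists are constructed stand-ins rather than Pinniped's actual profile, and a local `httptest` server stands in for the webhook server.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http/httptest"
)

// Constructed suite lists. ClientSuites stands in for a restricted client
// profile; it is NOT Pinniped's real list, which this page does not give.
var (
	ClientSuites = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	}
	LegacyOnly  = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}
	Overlapping = append([]uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, LegacyOnly...)
)

// Negotiate starts a local TLS 1.2-only server (standing in for a webhook
// server) that offers serverSuites, dials it with the restricted client
// profile, and returns the agreed cipher suite name or the handshake error.
func Negotiate(serverSuites []uint16) (string, error) {
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{MaxVersion: tls.VersionTLS12, CipherSuites: serverSuites}
	srv.StartTLS()
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the test server's certificate
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		RootCAs:      roots,
		MinVersion:   tls.VersionTLS12,
		CipherSuites: ClientSuites, // applies to TLS 1.2; Go fixes the TLS 1.3 suites
	})
	if err != nil {
		return "", err // e.g. no cipher suite shared by both sides
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

func main() {
	fmt.Println(Negotiate(LegacyOnly))  // fails: no shared TLS 1.2 suite
	fmt.Println(Negotiate(Overlapping)) // succeeds on the shared GCM suite
}
```

A server that also accepts TLS v1.3 is unaffected by the TLS v1.2 list, which is why the release note limits the warning to servers that allow only TLS v1.2.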

codecov[bot] commented 4 months ago

Codecov Report

Attention: Patch coverage is 87.78626%, with 16 lines in your changes missing coverage. Please review.

Project coverage is 38.62%. Comparing base (59fef0c) to head (7c0c321).

| Files | Patch % | Lines |
|---|---|---|
| internal/testutil/tlsserver/tlsserver.go | 85.29% | 7 Missing and 3 partials :warning: |
| internal/kubeclient/kubeclient.go | 84.61% | 2 Missing and 2 partials :warning: |
| ...enticator/webhookcachefiller/webhookcachefiller.go | 93.54% | 2 Missing :warning: |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #1917      +/-   ##
==========================================
+ Coverage   38.57%   38.62%   +0.05%
==========================================
  Files         350      349       -1
  Lines       44514    44506       -8
==========================================
+ Hits        17171    17191      +20
+ Misses      26828    26799      -29
- Partials      515      516       +1
```
