operator: Configure kube-rbac-proxy sidecar to use Intermediate TLS security profile in OCP (#7092)

3 years ago · defba23526
parent c271f7923a
commit defba23526
3 changed files with 5 additions and 0 deletions
--- a/operator/CHANGELOG.md
+++ b/operator/CHANGELOG.md
@ -1,5 +1,6 @@
 ## Main

+- [7092](https://github.com/grafana/loki/pull/7092) **aminesnow**: Configure kube-rbac-proxy sidecar to use Intermediate TLS security profile in OCP
 - [6870](https://github.com/grafana/loki/pull/6870) **aminesnow**: Configure gateway to honor the global tlsSecurityProfile on Openshift
 - [6999](https://github.com/grafana/loki/pull/6999) **Red-GV**: Adding LokiStack Gateway alerts
 - [7000](https://github.com/grafana/loki/pull/7000) **xperimental**: Configure default node affinity for all pods
--- a/operator/bundle/manifests/loki-operator.clusterserviceversion.yaml
+++ b/operator/bundle/manifests/loki-operator.clusterserviceversion.yaml
@ -1231,6 +1231,8 @@ spec:
                - --logtostderr=true
                - --tls-cert-file=/var/run/secrets/serving-cert/tls.crt
                - --tls-private-key-file=/var/run/secrets/serving-cert/tls.key
+                - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256
+                - --tls-min-version=VersionTLS12
                - --v=0
                image: quay.io/openshift/origin-kube-rbac-proxy:latest
                name: kube-rbac-proxy
--- a/operator/config/overlays/openshift/manager_auth_proxy_patch.yaml
+++ b/operator/config/overlays/openshift/manager_auth_proxy_patch.yaml
@ -14,6 +14,8 @@ spec:
        - "--logtostderr=true"
        - "--tls-cert-file=/var/run/secrets/serving-cert/tls.crt"
        - "--tls-private-key-file=/var/run/secrets/serving-cert/tls.key"
+        - "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256"
+        - "--tls-min-version=VersionTLS12"
        - "--v=0"
        ports:
        - containerPort: 8443