diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 7290046d..c4fa2910 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -80,4 +80,12 @@ rules: - update - watch +- apiGroups: + - config.openshift.io + resources: + - apiservers + verbs: + - get + - list + # +kubebuilder:scaffold:rules diff --git a/helm-charts/redhat-trusted-profile-analyzer/templates/helpers/_http.tpl b/helm-charts/redhat-trusted-profile-analyzer/templates/helpers/_http.tpl index 7aed51a0..87b06cdd 100644 --- a/helm-charts/redhat-trusted-profile-analyzer/templates/helpers/_http.tpl +++ b/helm-charts/redhat-trusted-profile-analyzer/templates/helpers/_http.tpl @@ -18,6 +18,8 @@ Arguments (dict): value: "/etc/tls/tls.crt" {{ end }} +{{ include "trustification.tls.securityProfile.envVars" . }} + {{- with .module.requestLimit }} - name: HTTP_SERVER_REQUEST_LIMIT value: {{ include "trustification.common.byteSizeValue" . }} diff --git a/helm-charts/redhat-trusted-profile-analyzer/templates/helpers/_tls_profile.tpl b/helm-charts/redhat-trusted-profile-analyzer/templates/helpers/_tls_profile.tpl new file mode 100644 index 00000000..fe2ce049 --- /dev/null +++ b/helm-charts/redhat-trusted-profile-analyzer/templates/helpers/_tls_profile.tpl @@ -0,0 +1,76 @@ +{{/* +Environment variables for the TLS security profile. + +Precedence: + 1. User-specified via .Values.tls.securityProfile (string or object) + 2. Auto-detected from OpenShift APIServer CR via lookup + 3. Nothing (trustify server uses its compiled default: modern) + +Arguments (dict): + * root - . +*/}} +{{- define "trustification.tls.securityProfile.envVars" -}} + +{{- $profile := (.root.Values.tls).securityProfile -}} + +{{- if $profile -}} + {{/* User explicitly set tls.securityProfile */}} + {{- if kindIs "string" $profile }} +- name: HTTP_SERVER_TLS_SECURITY_PROFILE + value: {{ $profile | quote }} + {{- else if kindIs "map" $profile }} +- name: HTTP_SERVER_TLS_SECURITY_PROFILE + value: {{ $profile.type | quote }} + {{- if eq $profile.type "custom" }} + {{- with $profile.minTLSVersion }} +- name: HTTP_SERVER_TLS_MIN_VERSION + value: {{ . | quote }} + {{- end }} + {{- with $profile.ciphers }} +- name: HTTP_SERVER_TLS_CIPHERS + value: {{ join ":" . | quote }} + {{- end }} + {{- with $profile.ciphersuites }} +- name: HTTP_SERVER_TLS_CIPHERSUITES + value: {{ join ":" . | quote }} + {{- end }} + {{- end }} + {{- end }} + +{{- else if eq (include "trustification.openshift.detect" .root) "true" -}} + {{/* Auto-detect from OpenShift APIServer CR */}} + {{- $apiserver := (lookup "config.openshift.io/v1" "APIServer" "" "cluster") -}} + {{- $tlsProfile := dig "spec" "tlsSecurityProfile" dict $apiserver -}} + {{- with $tlsProfile -}} + {{- $type := .type | lower }} +- name: HTTP_SERVER_TLS_SECURITY_PROFILE + value: {{ $type | quote }} + {{- if eq $type "custom" }} + {{- with .custom -}} + {{- with .minTLSVersion }} +- name: HTTP_SERVER_TLS_MIN_VERSION + value: {{ include "trustification.tls.securityProfile.mapVersion" . | quote }} + {{- end }} + {{- with .ciphers }} +- name: HTTP_SERVER_TLS_CIPHERS + value: {{ join ":" . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + +{{- end }} + +{{- end }} + +{{/* +Map OpenShift TLS version names to trustify version strings. + +VersionTLS10 -> 1.0, VersionTLS11 -> 1.1, VersionTLS12 -> 1.2, VersionTLS13 -> 1.3 + +Arguments: version string (e.g. "VersionTLS12") +*/}} +{{- define "trustification.tls.securityProfile.mapVersion" -}} +{{- $map := dict "VersionTLS10" "1.0" "VersionTLS11" "1.1" "VersionTLS12" "1.2" "VersionTLS13" "1.3" -}} +{{- get $map . | default . -}} +{{- end }} diff --git a/helm-charts/redhat-trusted-profile-analyzer/values.schema.yaml b/helm-charts/redhat-trusted-profile-analyzer/values.schema.yaml index 5c4f74ba..5d26a3e6 100644 --- a/helm-charts/redhat-trusted-profile-analyzer/values.schema.yaml +++ b/helm-charts/redhat-trusted-profile-analyzer/values.schema.yaml @@ -178,6 +178,51 @@ properties: additionalTrustAnchor: type: string description: The path of the certificate to add to the list of trust anchors + securityProfile: + description: | + TLS security profile aligned with OpenShift TLS Security Profiles. + On OpenShift, auto-detected from the cluster's APIServer CR if not set. + Can be a simple string (old, intermediate, modern) or an object with + type and custom settings. + oneOf: + - type: string + enum: + - old + - intermediate + - modern + - type: object + required: + - type + additionalProperties: false + properties: + type: + type: string + enum: + - old + - intermediate + - modern + - custom + minTLSVersion: + type: string + description: | + Minimum TLS version (custom profile only). + enum: + - "1.0" + - "1.1" + - "1.2" + - "1.3" + ciphers: + type: array + items: + type: string + description: | + TLS 1.2 cipher list in OpenSSL format (custom profile only). + ciphersuites: + type: array + items: + type: string + description: | + TLS 1.3 ciphersuites in OpenSSL format (custom profile only). modules: type: object