contrib/kube-prometheus: Begin to fix cipher suites

This commit is contained in:
Matthias Loibl
2019-01-21 20:04:42 +01:00
parent 4c9912ece5
commit 264cf11bf0
3 changed files with 8 additions and 6 deletions

View File

@@ -59,12 +59,12 @@ local configMapList = k.core.v1.configMapList;
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
// 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // Doesn't work with h2
// 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // Doesn't work with h2
// 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', // TODO: Might not work with h2
// 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', // TODO: Might not work with h2
// 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305', // TODO: Might not work with h2
// 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305', // TODO: Might not work with h2
],
cadvisorSelector: 'job="kubelet"',

View File

@@ -134,6 +134,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local proxyClusterMetrics =
container.new('kube-rbac-proxy-main', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
container.withArgs([
'--logtostderr',
'--secure-listen-address=:8443',
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
'--upstream=http://127.0.0.1:8081/',

View File

@@ -106,6 +106,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
local proxy =
container.new('kube-rbac-proxy', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
container.withArgs([
'--logtostderr',
'--secure-listen-address=$(IP):' + $._config.nodeExporter.port,
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
'--upstream=http://127.0.0.1:' + $._config.nodeExporter.port + '/',