easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update ciphers and infos for them

Browse Source
This commit is contained in:
Matthias Loibl
2019-01-22 16:59:34 +01:00
parent 264cf11bf0
commit 8a29b4f383
1 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
jsonnet/kube-prometheus/kube-prometheus.libsonnet
View File

@@ -43,24 +43,28 @@ local configMapList = k.core.v1.configMapList;
namespace: 'default', namespace: 'default',
tlsCipherSuites: [ tlsCipherSuites: [
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // required by h2: http://golang.org/cl/30721
// 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 // 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
'TLS_RSA_WITH_AES_128_CBC_SHA', // 'TLS_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
'TLS_RSA_WITH_AES_256_CBC_SHA', // 'TLS_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256',
'TLS_RSA_WITH_AES_128_GCM_SHA256', // 'TLS_RSA_WITH_AES_128_GCM_SHA256', // disabled by h2
'TLS_RSA_WITH_AES_256_GCM_SHA384', // 'TLS_RSA_WITH_AES_256_GCM_SHA384', // disabled by h2
// 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', // 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',// disabled by h2
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', // 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',// disabled by h2
// 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', // disabled by h2
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', // disabled by h2
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
// 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', // Doesn't work with h2
// 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', // Doesn't work with h2 // disabled by h2 means: https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/http2/ciphers.go
// 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', // TODO: Might not work with h2 // 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', // TODO: Might not work with h2
// 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', // TODO: Might not work with h2 // 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', // TODO: Might not work with h2
// 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305', // TODO: Might not work with h2 // 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305', // TODO: Might not work with h2