
[PQC] Centralized & enforced TLS configuration throughout OpenShift (Core & layered products)

    • To Do
    • Quality / Stability / Reliability

      Epic Goal

      Hardcoding TLS configuration creates a security vulnerability because it does not align with our evolving, centrally managed security policy for Post-Quantum Cryptography (PQC) readiness. Today, not all OpenShift components (core or layered) obey the central TLS configuration, which leads to inconsistencies and means that custom TLS profiles defined by customers are not honoured everywhere.

      This is a release blocker as of OCP 4.22

      Why is this important?

      Hardcoding TLS configuration creates a security vulnerability because it does not align with our evolving, centrally managed security policy for Post-Quantum Cryptography (PQC) readiness.

      This epic is part of an initiative that requires refactoring the component to dynamically inherit its TLS settings from the designated global configuration source, rather than managing them locally.

      • We need to ensure OpenShift components use the correct TLS version and cipher suites to prepare for the pending PQC-readiness.
      • PQC-resilient algorithms will be available only in TLS 1.3+.
      • Components should obtain their TLS configuration information from the API Server, Kubelet configuration, or Ingress configuration, so that customers who want to opt into PQC-resilient ciphers can do so across the entire platform by adjusting, at most, three documented knobs. You should check:
        • API Server configuration - For components that should match the API server TLS profile (should be the default for most)
        • Kubelet configuration - For components running on nodes
        • Ingress configuration - For components serving ingress traffic
      • You should ensure your component pulls its TLS configuration from one of the three knobs customers can adjust, so that it complies with any custom TLS profile they define. Experience has shown that not all customers use the default TLS profiles (Old, Intermediate, Modern…); many instead create custom TLS profiles by starting from a base profile and disabling the algorithms their security team considers unsafe.

      Planning Done Checklist

      The following items must be completed on the Epic prior to moving the Epic from Planning to the ToDo status

      • Priority is set by engineering
      • Epic must be linked to a Parent Feature
      • Target version must be set
      • Assignee must be set
      • Enhancement Proposal is Implementable
      • No outstanding questions about major work breakdown
      • Are all Stakeholders known? Have they all been notified about this item?
      • Does this epic affect SD? Have they been notified? (View plan definition for current suggested assignee)
        1. Please use the “Discussion Needed: Service Delivery Architecture Overview” checkbox to facilitate the conversation with SD Architects. The SD architecture team monitors this checkbox which should then spur the conversation between SD and epic stakeholders. Once the conversation has occurred, uncheck the “Discussion Needed: Service Delivery Architecture Overview” checkbox and record the outcome of the discussion in the epic description here.
        2. The guidance here is that unless it is very clear that your epic doesn’t have any managed services impact, default to use the Discussion Needed checkbox to facilitate that conversation.

      Additional information on each of the above items can be found here: Networking Definition of Planned

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • The OpenShift Cluster Ingress Operator has to use the new Curves field in the TLSProfile to configure the router accordingly
      • The OpenShift Router should use the TLS curves to set HAProxy's ssl-default-bind-curves, which in turn configures OpenSSL's supported groups
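The inheritance rule above (a component derives its TLS settings from the central profile rather than hardcoding them) and the curve mapping in the acceptance criteria, as one added example that is not OpenShift code: it assumes a TLSProfile struct whose MinTLSVersion mirrors an OpenShift custom profile and whose Curves field is the one this epic proposes (not a shipped API); ciphers are left out for brevity.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// TLSProfile is an assumed model of the central profile a component reads instead
// of hardcoding TLS settings. MinTLSVersion mirrors an OpenShift custom profile;
// Curves is the field this epic proposes and is not a shipped API.
type TLSProfile struct {
	MinTLSVersion string
	Curves        []string // OpenSSL group names such as "X25519", "P-256"
}

var tlsVersions = map[string]uint16{"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}
var curveIDs = map[string]tls.CurveID{"X25519": tls.X25519, "P-256": tls.CurveP256,
	"P-384": tls.CurveP384, "P-521": tls.CurveP521}

// ConfigFromProfile derives a crypto/tls config from the central profile. Unknown names
// are rejected instead of falling back to Go defaults, so a customer's narrowed profile cannot be widened by a typo.
func ConfigFromProfile(p TLSProfile) (*tls.Config, error) {
	minVer, ok := tlsVersions[p.MinTLSVersion]
	if !ok {
		return nil, fmt.Errorf("unknown minTLSVersion %q", p.MinTLSVersion)
	}
	cfg := &tls.Config{MinVersion: minVer}
	for _, name := range p.Curves {
		id, ok := curveIDs[name]
		if !ok {
			return nil, fmt.Errorf("unsupported curve %q", name)
		}
		cfg.CurvePreferences = append(cfg.CurvePreferences, id)
	}
	return cfg, nil
}

// HAProxyBindCurves renders the same curve list as the HAProxy global directive the
// router would emit; HAProxy hands it to OpenSSL as the supported groups.
func HAProxyBindCurves(p TLSProfile) string {
	return "ssl-default-bind-curves " + strings.Join(p.Curves, ":")
}

func main() {
	p := TLSProfile{MinTLSVersion: "VersionTLS13", Curves: []string{"X25519", "P-256"}} // constructed sample
	cfg, err := ConfigFromProfile(p)
	fmt.Println(cfg, err, HAProxyBindCurves(p))
}
```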

      Dependencies (internal and external)

      1. The OpenShift API has to add support for TLS curves in TLSProfile through a dedicated Curves field

      Open questions:

      NONE

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              dsalerno@redhat.com Davide Salerno
              Shudi Li Shudi Li