Story
Resolution: Unresolved
OCP Node Kueue Sprint 281, OCP Node Kueue Sprint 282
Write a Kubernetes Enhancement Proposal (KEP) for adding configurable TLS profiles to Kueue's Configuration API.
Scope
- Design document for complete TLS configuration:
  - minTLSVersion - Minimum TLS protocol version (1.0, 1.1, 1.2, 1.3)
  - cipherSuites - List of allowed cipher suites
  - curvePreferences - Elliptic curve preferences for key exchange (X25519, P-256, P-384, P-521)
- Impact analysis on metrics server, webhook server, and visibility server
- Graduation criteria and test plan
Proposed Configuration API
type ControllerWebhook struct {
	// ... existing fields ...

	// MinTLSVersion is the minimum TLS version supported.
	// Valid values are: "1.0", "1.1", "1.2", "1.3"
	// Defaults to "1.2"
	MinTLSVersion string `json:"minTLSVersion,omitempty"`

	// CipherSuites is the list of allowed cipher suites.
	// Uses IANA cipher suite names.
	CipherSuites []string `json:"cipherSuites,omitempty"`

	// CurvePreferences is the list of elliptic curves for key exchange.
	// Valid values: "X25519", "P-256", "P-384", "P-521"
	// Defaults to Go's default curve preferences.
	CurvePreferences []string `json:"curvePreferences,omitempty"`
}

type ControllerMetrics struct {
	// ... existing fields ...

	MinTLSVersion    string   `json:"minTLSVersion,omitempty"`
	CipherSuites     []string `json:"cipherSuites,omitempty"`
	CurvePreferences []string `json:"curvePreferences,omitempty"`
}
TLSOpts Implementation Pattern
metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) {
	config.MinVersion = tlsVersionFromConfig(cfg.Metrics.MinTLSVersion)
	config.CipherSuites = cipherSuitesFromConfig(cfg.Metrics.CipherSuites)
	config.CurvePreferences = curvesFromConfig(cfg.Metrics.CurvePreferences)
})
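One way the string-to-`tls.Config` conversion behind this pattern could be validated, as an added example that is not part of the original story and is not Kueue code. The function name `parseTLSOpt` and its error behaviour are assumptions; only the field semantics (valid values, the "1.2" default) come from the proposed API above.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

var tlsVersions = map[string]uint16{"": tls.VersionTLS12, // empty: proposed default "1.2"
	"1.0": tls.VersionTLS10, "1.1": tls.VersionTLS11, "1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}
var curveIDs = map[string]tls.CurveID{"X25519": tls.X25519, "P-256": tls.CurveP256,
	"P-384": tls.CurveP384, "P-521": tls.CurveP521}

// parseTLSOpt (hypothetical helper, not Kueue code) validates the proposed fields and
// returns a TLSOpts-style mutator; unknown values are errors, never silent fallbacks.
func parseTLSOpt(minVersion string, suiteNames, curveNames []string) (func(*tls.Config), error) {
	minV, ok := tlsVersions[minVersion]
	if !ok {
		return nil, fmt.Errorf("unsupported minTLSVersion %q", minVersion)
	}
	known := map[string]uint16{}
	for _, s := range tls.CipherSuites() { // does not include tls.InsecureCipherSuites()
		known[s.Name] = s.ID
	}
	var suites []uint16
	for _, n := range suiteNames {
		id, ok := known[n]
		if !ok {
			return nil, fmt.Errorf("unknown or insecure cipher suite %q", n)
		}
		suites = append(suites, id)
	}
	var curves []tls.CurveID
	for _, n := range curveNames {
		id, ok := curveIDs[n]
		if !ok {
			return nil, fmt.Errorf("unsupported curve %q", n)
		}
		curves = append(curves, id)
	}
	return func(c *tls.Config) { // nil slices leave Go's defaults in effect
		c.MinVersion, c.CipherSuites, c.CurvePreferences = minV, suites, curves
	}, nil
}

func main() {
	_, err := parseTLSOpt("1.4", nil, nil) // constructed invalid input
	fmt.Println(err)
}
```

Go does not apply `tls.Config.CipherSuites` to TLS 1.3 connections, so with `minTLSVersion` set to "1.3" the `cipherSuites` list has no effect; the KEP should state how that combination is handled.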
Acceptance Criteria
- [ ] KEP is submitted to kubernetes-sigs/kueue repository
- [ ] KEP design includes minTLSVersion, cipherSuites, and curvePreferences
- [ ] KEP is approved by Kueue maintainers
References
- Upstream Kueue Repository
- Kueue KEP Template
- Go tls.Config - Shows CurvePreferences field
- Go tls.CurveID - Available curve constants