-
Story
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
None
-
None
-
Product / Portfolio Work
-
False
-
-
False
-
None
-
None
-
None
-
None
Summary
Update the TLS security profile implementation to support curve preferences once openshift/api#2583 is merged.
{info}Blocked: This story is blocked until openshift/api#2583 is merged and library-go is updated to support curve preferences.{info}Background
OpenShift TLS profiles currently specify:
- TLS protocol versions (e.g., TLS 1.2, TLS 1.3)
- Cipher suites (e.g., ECDHE-RSA-AES128-GCM-SHA256)
Once openshift/api#2583 merges, TLS profiles will also include:
- Curve preferences (e.g., X25519, P-256, P-384)
This is important for PQC (Post-Quantum Cryptography) readiness, as PQC-resilient key exchange algorithms will use specific curves.
Implementation Steps
Once openshift/api#2583 is merged:
1. Update go.mod to pull latest openshift/api with curve support
2. Update TLS helper package to extract curve preferences from profile
3. Update GetGoTLSConfig to set tls.Config.CurvePreferences
4. Add unit tests for curve preferences handling
5. Add E2E tests to verify curve preferences are applied
Files to Modify
- go.mod - Update openshift/api version
- internal/controller/tls/tls_security_profile.go - Add curve handling
- internal/controller/tls/tls_security_profile_test.go - Add curve tests
Acceptance Criteria
- [ ] openshift/api#2583 is merged (blocker)
- [ ] TLS helper extracts curve preferences from profile
- [ ] tls.Config.CurvePreferences set based on profile
- [ ] Default curves used when profile has no curve preferences
- [ ] Unit tests for curve preferences
- [ ] E2E tests verify curve configuration
Reference
- openshift/api#2583 - Add TLS curve preferences
- Implementation Guide
- Go tls.Config.CurvePreferences