Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1364

Support TLS v1.3: Improve validation of TLS Modern Profile for Control-Plane components

XMLWordPrintable

    • Product / Portfolio Work
    • OCPSTRAT-1858Support Post Quantum Cryptography 2025 requirements in OCP
    • 0% To Do, 0% In Progress, 100% Done
    • False
    • Hide

      None

      Show
      None
    • False
    • XS
    • None
    • None
    • None
    • None
    • None

      Feature Overview (aka. Goal Summary)  

      Customers in highly regulated environments are required to adopt strong ciphers. For control-plane components, this means all components must support the modern TLSProfile with TLS 1.3.

      Note: Post-Quantum Cryptography support in TLS will ONLY be available with TLS 1.3, thus support is required. For more information about PQC support, see https://issues.redhat.com/browse/OCPSTRAT-1858

      During internal discussions [1] for RFE-4992 and follow-up conversations, it became clear we need a dedicated CI job to track and validate that OpenShift control-plane components are aligned and functional with the TLSProfiles configured on the system.

      [1] https://redhat-internal.slack.com/archives/CB48XQ4KZ/p1713288937307359 

      Goals (aka. expected user outcomes)

      1. The resulting user outcome from this internal CI validation will be the support of TLS 1.3 in the OpenShift control-plane components.

      Requirements (aka. Acceptance Criteria):

      • Create a CI job that would test that the cluster stays fully operational when enabling the Modern TLS profile
      • This requires updates to our docs

       

      Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

      Deployment considerations List applicable specific needs (N/A = not applicable)
      Self-managed, managed, or both both
      Classic (standalone cluster) yes
      Hosted control planes yes
      Multi node, Compact (three node), or Single node (SNO), or all all
      Connected / Restricted Network all
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) all
      Operator compatibility ??
      Backport needed (list applicable versions) n/a
      UI need (e.g. OpenShift Console, dynamic plugin, OCM) n/a
      Other (please specify) unknown

       

              jjung@redhat.com JP Jung
              wcabanba@redhat.com William Caban
              None
              Amy Fredj (Inactive), Anjali Telang, Gaurav Singh, Kirsten Newcomer, Maria Simon Marcos, Ramon Acedo, William Caban
              Kevin Rizza Kevin Rizza
              Stanislav Láznička Stanislav Láznička (Inactive)
              Rahul Gangwar Rahul Gangwar
              Andrea Hoffer Andrea Hoffer
              Kyle Walker Kyle Walker
              Votes:
              2 Vote for this issue
              Watchers:
              23 Start watching this issue

                Created:
                Updated:
                Resolved: