@@ -0,0 +1,349 @@
apiVersion: apiextensions.k8s.io/v1
name: "APIServer"
crdName: apiservers.config.openshift.io
featureGates:
- TLSGroupPreferences
tests:
onCreate:
- name: Should be able to create with Custom TLS profile and groups
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
groups:
- X25519
- secp256r1
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
groups:
- X25519
- secp256r1
- name: Should be able to create with all supported curves
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- X25519
- secp256r1
- secp384r1
- secp521r1
- X25519MLKEM768
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- X25519
- secp256r1
- secp384r1
- secp521r1
- X25519MLKEM768
- name: Should fail to create with Custom TLS profile and empty curves
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups: []
expectedError: "spec.tlsSecurityProfile.custom.groups in body should have at least 1 items"
- name: Should be able to create with Custom TLS profile and groups omitted
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
- name: Should be able to create with Custom TLS profile VersionTLS10 and groups
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS10
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- secp256r1
- secp384r1
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS10
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- secp256r1
- secp384r1
- name: Should be able to create with Custom TLS profile VersionTLS11 and groups
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS11
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- secp384r1
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS11
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- secp384r1
- name: Should fail to create with more than 5 groups
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- X25519
- secp256r1
- secp384r1
- secp521r1
- X25519MLKEM768
- X25519
expectedError: "spec.tlsSecurityProfile.custom.groups: Too many: 6: must have at most 5 items"
- name: Should fail to create with invalid group value
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- InvalidCurve
expectedError: "spec.tlsSecurityProfile.custom.groups[0]: Unsupported value: \"InvalidCurve\": supported values: \"X25519\", \"secp256r1\", \"secp384r1\", \"secp521r1\", \"X25519MLKEM768\""
onUpdate:
- name: Should be able to add groups to existing Custom TLS profile
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
updated: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- X25519
- secp256r1
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- X25519
- secp256r1
- name: Should be able to update groups in existing Custom TLS profile
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- X25519
updated: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- secp256r1
- secp384r1
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- secp256r1
- secp384r1
- name: Should be able to remove groups field from existing Custom TLS profile
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- X25519
- secp256r1
updated: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
expected: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
- name: Should fail to remove all groups from existing Custom TLS profile
initial: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups:
- X25519
- secp256r1
updated: |
apiVersion: config.openshift.io/v1
kind: APIServer
spec:
audit:
profile: Default
tlsSecurityProfile:
type: Custom
custom:
minTLSVersion: VersionTLS12
ciphers:
- TLS_AES_128_GCM_SHA256
groups: []
expectedError: "spec.tlsSecurityProfile.custom.groups in body should have at least 1 items"
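Review bot: Duplicate entries in `groups` are never tested on their own. The only repeated value is the sixth `X25519` in "Should fail to create with more than 5 groups", where the pinned error is the item-count limit, so the suite does not say whether a list such as `groups: [X25519, X25519]` is accepted or rejected. Because the list presumably expresses a key-exchange preference order (the gate is named TLSGroupPreferences), a repeated group is ambiguous for whatever component turns this into server configuration. An onCreate case with two identical groups would fix the intended outcome, using either an `expected` object or the `expectedError` the schema actually produces; the schema is not visible on this page, so which one applies has to be confirmed against the CRD. An onUpdate case that introduces a duplicate into an existing valid list would cover the same rule on the update path.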