mirrors/kube-prometheus
1
0
Fork 0
mirror of https://github.com/prometheus-operator/kube-prometheus.git synced 2025-10-31 16:11:01 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1216 from fpetkovski/prometheus-adapter-cipher-suites

Browse Source 
jsonnet: disable insecure cypher suites for prometheus-adapter
This commit is contained in:
Damien Grisonnet 2021-06-23 21:19:24 +02:00 committed by GitHub
commit 2c5c20cfff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
View File

@ -53,6 +53,23 @@ local defaults = {
window: '5m', window: '5m',
}, },
}, },
tlsCipherSuites: [
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA',
],
}; };
function(params) { function(params) {
@ -145,6 +162,7 @@ function(params) {
'--metrics-relist-interval=1m', '--metrics-relist-interval=1m',
'--prometheus-url=' + pa._config.prometheusURL, '--prometheus-url=' + pa._config.prometheusURL,
'--secure-port=6443', '--secure-port=6443',
'--tls-cipher-suites=' + std.join(',', pa._config.tlsCipherSuites),
], ],
ports: [{ containerPort: 6443 }], ports: [{ containerPort: 6443 }],
volumeMounts: [ volumeMounts: [

1
manifests/prometheus-adapter-deployment.yaml
View File

@ -35,6 +35,7 @@ spec:
- --metrics-relist-interval=1m - --metrics-relist-interval=1m
- --prometheus-url=http://prometheus-k8s.monitoring.svc.cluster.local:9090/ - --prometheus-url=http://prometheus-k8s.monitoring.svc.cluster.local:9090/
- --secure-port=6443 - --secure-port=6443
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
image: directxman12/k8s-prometheus-adapter:v0.8.4 image: directxman12/k8s-prometheus-adapter:v0.8.4
name: prometheus-adapter name: prometheus-adapter
ports: ports: