diff --git a/config/v1/types_tlssecurityprofile.go b/config/v1/types_tlssecurityprofile.go
index b18ef647c2f..697da4b91d0 100644
--- a/config/v1/types_tlssecurityprofile.go
+++ b/config/v1/types_tlssecurityprofile.go
@@ -202,6 +202,27 @@ const (
 TLSProfileCustomType TLSProfileType = "Custom"
 )
 
+// TLSCurve is a named curve identifier that can be used in TLSProfile.Curves.
+// There is a one-to-one mapping between these names and the curve IDs defined
+// in crypto/tls package based on IANA's "TLS Supported Groups" registry:
+// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+//
+// +kubebuilder:validation:Enum=X25519;P-256;P-384;P-521;X25519MLKEM768
+type TLSCurve string
+
+const (
+ // TLSCurveX25519 represents X25519.
+ TLSCurveX25519 TLSCurve = "X25519"
+ // TLSCurveP256 represents P-256 (secp256r1).
+ TLSCurveP256 TLSCurve = "P-256"
+ // TLSCurveP384 represents P-384 (secp384r1).
+ TLSCurveP384 TLSCurve = "P-384"
+ // TLSCurveP521 represents P-521 (secp521r1).
+ TLSCurveP521 TLSCurve = "P-521"
+ // TLSCurveX25519MLKEM768 represents X25519MLKEM768.
+ TLSCurveX25519MLKEM768 TLSCurve = "X25519MLKEM768"
+)
+
 // TLSProfileSpec is the desired behavior of a TLSSecurityProfile.
 type TLSProfileSpec struct {
 // ciphers is used to specify the cipher algorithms that are negotiated
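Review bot: The TLSCurve doc comment describes every value as a "named curve", but X25519MLKEM768 — which the field's own example later labels a hybrid quantum-resistant group — is a hybrid key-exchange group from the IANA "TLS Supported Groups" registry the comment links, not an elliptic curve, and the per-constant comments ("represents X25519MLKEM768") restate the name without adding anything. Suggest `// TLSCurve is a named key-exchange group identifier (IANA "TLS Supported Groups") that can be used in TLSProfile.Curves; despite the type name, hybrid entries such as X25519MLKEM768 are not elliptic curves.` on the type and `// TLSCurveX25519MLKEM768 represents the X25519MLKEM768 hybrid (X25519 + ML-KEM-768) post-quantum key-exchange group.` on the constant. The enum also admits P-521, which none of the built-in profiles in the later hunks include; a one-line comment on TLSCurveP521 saying it is only used when listed explicitly in a Custom profile would stop readers assuming it is a default.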
@@ -213,6 +234,37 @@ type TLSProfileSpec struct {
 //
 // +listType=atomic
 Ciphers []string `json:"ciphers"`
+ // curves is used to specify the elliptic curves that are used during
+ // the TLS handshake. Operators may remove entries their operands do
+ // not support.
+ //
+ // TLSProfiles Old, Intermediate, Modern are including by default the following
+ // curves: X25519, P-256, P-384, X25519MLKEM768
+ // TLSProfiles Custom do not include any curves by default.
+ // NOTE: since this field is optional, if no curves are specified, the default curves
+ // used by the underlying TLS library will be used.
+ //
+ // For example, to use X25519 and P-256 (yaml):
+ //
+ // # Example: Force PQC-only encryption
+ // apiVersion: config.openshift.io/v1
+ // kind: APIServer
+ // spec:
+ // tlsSecurityProfile:
+ // type: Custom
+ // custom:
+ // ciphers:
+ // - TLS_AES_128_GCM_SHA256
+ // - TLS_AES_256_GCM_SHA384
+ // - TLS_CHACHA20_POLY1305_SHA256
+ // curves:
+ // - X25519MLKEM768 # PQC-only: only hybrid quantum-resistant curve
+ // minTLSVersion: VersionTLS13
+ //
+ // +optional
+ // +listType=atomic
+ // +kubebuilder:validation:MaxItems=5
+ Curves []TLSCurve `json:"curves,omitempty"`
 // minTLSVersion is used to specify the minimal version of the TLS protocol
 // that is negotiated during the TLS handshake. For example, to use TLS
 // versions 1.1, 1.2 and 1.3 (yaml):
@@ -283,6 +335,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 "AES256-SHA",
 "DES-CBC3-SHA",
 },
+ Curves: []TLSCurve{
+ TLSCurveX25519,
+ TLSCurveP256,
+ TLSCurveP384,
+ TLSCurveX25519MLKEM768,
+ },
 MinTLSVersion: VersionTLS10,
 },
 TLSProfileIntermediateType: {
@@ -299,6 +357,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 "DHE-RSA-AES128-GCM-SHA256",
 "DHE-RSA-AES256-GCM-SHA384",
 },
+ Curves: []TLSCurve{
+ TLSCurveX25519,
+ TLSCurveP256,
+ TLSCurveP384,
+ TLSCurveX25519MLKEM768,
+ },
 MinTLSVersion: VersionTLS12,
 },
 TLSProfileModernType: {
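Review bot: The example in the new curves doc comment does not match its lead-in: the text says "For example, to use X25519 and P-256 (yaml):" but the YAML that follows lists only X25519MLKEM768, and its trailing comment calls a hybrid group "PQC-only", so a reader copying the example gets a different policy than the sentence promises. Suggest `// For example, to restrict key exchange to the hybrid post-quantum group X25519MLKEM768 (yaml):` and `//         - X25519MLKEM768 # hybrid X25519 + ML-KEM-768; drop the classical curves to require it`. The `- TLS_AES_128_GCM_SHA256` line of the example appears to contain a literal tab, since every generated description in the later hunks renders it as `\t - TLS_AES_128_GCM_SHA256` while its siblings use spaces; replacing the tab with spaces keeps the rendered YAML example consistently indented. The sentence `TLSProfiles Old, Intermediate, Modern are including by default the following` reads better as `// TLSProfiles Old, Intermediate and Modern include the following curves by default:`. This field's enclosing TLSProfileSpec struct continues outside the hunk.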
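Review bot: The same four-element Curves literal is pasted into the Old profile here, the Intermediate profile in the `-299` hunk below, and the Modern profile in the `-307` hunk on the next line, so the default group set now has to be edited in three places and they can silently drift apart. A helper such as `func defaultTLSCurves() []TLSCurve { return []TLSCurve{TLSCurveX25519, TLSCurveP256, TLSCurveP384, TLSCurveX25519MLKEM768} }` used as `Curves: defaultTLSCurves(),` keeps them in lock-step without sharing one backing array between the profiles. It would also help to note in a comment on the shared list that X25519MLKEM768 is defined only for TLS 1.3, so in the Old (VersionTLS10) and Intermediate (VersionTLS12) profiles it presumably takes effect only when a 1.3 handshake is negotiated, and that operands whose TLS stack does not know the group are expected to filter it out per the field's "Operators may remove entries their operands do not support" clause rather than fail to start. The TLSProfiles map literal starts before this hunk and ends outside it.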
@@ -307,6 +371,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{
 "TLS_AES_256_GCM_SHA384",
 "TLS_CHACHA20_POLY1305_SHA256",
 },
+ Curves: []TLSCurve{
+ TLSCurveX25519,
+ TLSCurveP256,
+ TLSCurveP384,
+ TLSCurveX25519MLKEM768,
+ },
 MinTLSVersion: VersionTLS13,
 },
 }
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
index f4416bf9b3c..8d473a67948 100644
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
@@ -330,6 +330,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml index 37662cb58d8..835ec1f6f68 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml 
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -261,6 +261,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f36..91a1814bf2a 100644 
--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -330,6 +330,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
diff --git a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0dfd..ebc520fc82e 100644 --- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -330,6 +330,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go index fe8c1122735..8f396ca4aef 100644 --- a/config/v1/zz_generated.deepcopy.go +++ b/config/v1/zz_generated.deepcopy.go 
@@ -6001,6 +6001,11 @@ func (in *TLSProfileSpec) DeepCopyInto(out *TLSProfileSpec) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.Curves != nil { + in, out := &in.Curves, &out.Curves + *out = make([]TLSCurve, len(*in)) + copy(*out, *in) + } return } diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml index 2fe53f839aa..e20ee733b8f 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml +++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/AAA_ungated.yaml 
@@ -261,6 +261,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml index a3919b9a489..a0e9cb5ac1e 100644 --- a/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml 
+++ b/config/v1/zz_generated.featuregated-crd-manifests/apiservers.config.openshift.io/KMSEncryptionProvider.yaml @@ -330,6 +330,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go index 778fed917c7..8c34d551ec0 100644 --- a/config/v1/zz_generated.swagger_doc_generated.go +++ b/config/v1/zz_generated.swagger_doc_generated.go 
@@ -2871,6 +2871,7 @@ func (OldTLSProfile) SwaggerDoc() map[string]string { var map_TLSProfileSpec = map[string]string{ "": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.", "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml):\n\n ciphers:\n - DES-CBC3-SHA", + "curves": "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nTLSProfiles Old, Intermediate, Modern are including by default the following curves: X25519, P-256, P-384, X25519MLKEM768 TLSProfiles Custom do not include any curves by default. NOTE: since this field is optional, if no curves are specified, the default curves used by the underlying TLS library will be used.\n\nFor example, to use X25519 and P-256 (yaml):\n\n# Example: Force PQC-only encryption apiVersion: config.openshift.io/v1 kind: APIServer spec:\n tlsSecurityProfile:\n type: Custom\n custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n curves:\n - X25519MLKEM768 # PQC-only: only hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13", "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", } diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml index b056dc99c17..211d9c43146 100644 --- a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml 
+++ b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_kubeletconfigs.crd.yaml @@ -144,6 +144,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml index 579f6f2c280..9fae5de2da4 100644 --- a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml +++ b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/kubeletconfigs.machineconfiguration.openshift.io/AAA_ungated.yaml 
@@ -145,6 +145,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index d6324e7e688..d45c62b0355 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -11784,6 +11784,26 @@ func schema_openshift_api_config_v1_CustomTLSProfile(ref common.ReferenceCallbac }, }, }, + "curves": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nTLSProfiles Old, Intermediate, Modern are including by default the following curves: X25519, P-256, P-384, X25519MLKEM768 TLSProfiles Custom do not include any curves by default. NOTE: since this field is optional, if no curves are specified, the default curves used by the underlying TLS library will be used.\n\nFor example, to use X25519 and P-256 (yaml):\n\n# Example: Force PQC-only encryption apiVersion: config.openshift.io/v1 kind: APIServer spec:\n tlsSecurityProfile:\n type: Custom\n custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n curves:\n - X25519MLKEM768 # PQC-only: only hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, "minTLSVersion": { SchemaProps: spec.SchemaProps{ Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", 
@@ -19885,6 +19905,26 @@ func schema_openshift_api_config_v1_TLSProfileSpec(ref common.ReferenceCallback) }, }, }, + "curves": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nTLSProfiles Old, Intermediate, Modern are including by default the following curves: X25519, P-256, P-384, X25519MLKEM768 TLSProfiles Custom do not include any curves by default. NOTE: since this field is optional, if no curves are specified, the default curves used by the underlying TLS library will be used.\n\nFor example, to use X25519 and P-256 (yaml):\n\n# Example: Force PQC-only encryption apiVersion: config.openshift.io/v1 kind: APIServer spec:\n tlsSecurityProfile:\n type: Custom\n custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n curves:\n - X25519MLKEM768 # PQC-only: only hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, "minTLSVersion": { SchemaProps: spec.SchemaProps{ Description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", diff --git a/openapi/openapi.json b/openapi/openapi.json index 4c3e0a984a8..7fc418f4142 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json 
@@ -6003,6 +6003,15 @@ }, "x-kubernetes-list-type": "atomic" }, + "curves": { + "description": "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nTLSProfiles Old, Intermediate, Modern are including by default the following curves: X25519, P-256, P-384, X25519MLKEM768 TLSProfiles Custom do not include any curves by default. NOTE: since this field is optional, if no curves are specified, the default curves used by the underlying TLS library will be used.\n\nFor example, to use X25519 and P-256 (yaml):\n\n# Example: Force PQC-only encryption apiVersion: config.openshift.io/v1 kind: APIServer spec:\n tlsSecurityProfile:\n type: Custom\n custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n curves:\n - X25519MLKEM768 # PQC-only: only hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, "minTLSVersion": { "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", "type": "string", 
@@ -6630,18 +6639,6 @@ "key" ], "x-kubernetes-list-type": "map" - }, - "serviceEndpoints": { - "description": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 11.", - "type": "array", - "items": { - "default": {}, - "$ref": "#/definitions/com.github.openshift.api.config.v1.GCPServiceEndpoint" - }, - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map" } } }, 
@@ -6691,26 +6688,6 @@ } } }, - "com.github.openshift.api.config.v1.GCPServiceEndpoint": { - "description": "GCPServiceEndpoint store the configuration of a custom url to override existing defaults of GCP Services.", - "type": "object", - "required": [ - "name", - "url" - ], - "properties": { - "name": { - "description": "name is the name of the GCP service whose endpoint is being overridden. This must be provided and cannot be empty.\n\nAllowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, Storage, and TagManager.\n\nAs an example, when setting the name to Compute all requests made by the caller to the GCP Compute Service will be directed to the endpoint specified in the url field.", - "type": "string", - "default": "" - }, - "url": { - "description": "url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified in the name field. url is required, must use the scheme https, must not be more than 253 characters in length, and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL)\n\nAn example of a valid endpoint that overrides the Compute Service: \"https://compute-myendpoint1.p.googleapis.com\"", - "type": "string", - "default": "" - } - } - }, "com.github.openshift.api.config.v1.GenericAPIServerConfig": { "description": "GenericAPIServerConfig is an inline-able struct for aggregated apiservers that need to store data in etcd", "type": "object", 
@@ -10615,7 +10592,7 @@ "type": "string" }, "profileCustomizations": { - "description": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles.", + "description": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. Deprecated: no longer needed, since DRA is GA starting with 4.21, and is enabled by' default in the cluster, this field will be removed in 4.24.", "default": {}, "$ref": "#/definitions/com.github.openshift.api.config.v1.ProfileCustomizations" } @@ -10794,6 +10771,15 @@ }, "x-kubernetes-list-type": "atomic" }, + "curves": { + "description": "curves is used to specify the elliptic curves that are used during the TLS handshake. Operators may remove entries their operands do not support.\n\nTLSProfiles Old, Intermediate, Modern are including by default the following curves: X25519, P-256, P-384, X25519MLKEM768 TLSProfiles Custom do not include any curves by default. NOTE: since this field is optional, if no curves are specified, the default curves used by the underlying TLS library will be used.\n\nFor example, to use X25519 and P-256 (yaml):\n\n# Example: Force PQC-only encryption apiVersion: config.openshift.io/v1 kind: APIServer spec:\n tlsSecurityProfile:\n type: Custom\n custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n curves:\n - X25519MLKEM768 # PQC-only: only hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, "minTLSVersion": { "description": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11\n\nNOTE: currently the highest minTLSVersion allowed is VersionTLS12", "type": "string", 
@@ -24787,7 +24773,7 @@ } }, "com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStream": { - "description": "OSImageStream describes a set of streams and associated URLs available for the MachineConfigPools to be used as base OS images.\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", + "description": "OSImageStream describes a set of streams and associated images available for the MachineConfigPools to be used as base OS images.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.", "type": "object", "required": [ "spec" @@ -24812,6 +24798,7 @@ }, "status": { "description": "status describes the last observed state of this OSImageStream. Populated by the MachineConfigOperator after reading release metadata. When not present, the controller has not yet reconciled this resource.", + "default": {}, "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStreamStatus" } } 
@@ -24846,20 +24833,46 @@ } } }, + "com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStreamSet": { + "type": "object", + "required": [ + "name", + "osImage", + "osExtensionsImage" + ], + "properties": { + "name": { + "description": "name is the required identifier of the stream.\n\nname is determined by the operator based on the OCI label of the discovered OS or Extension Image.\n\nMust be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').", + "type": "string" + }, + "osExtensionsImage": { + "description": "osExtensionsImage is a required OS Extensions Image referenced by digest.\n\nosExtensionsImage bundles the extra repositories used to enable extensions, augmenting the base operating system without modifying the underlying immutable osImage.\n\nThe format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.", + "type": "string" + }, + "osImage": { + "description": "osImage is a required OS Image referenced by digest.\n\nosImage contains the immutable, fundamental operating system components, including the kernel and base utilities, that define the core environment for the node's host operating system.\n\nThe format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. 
The length of the whole spec must be between 1 to 447 characters.", + "type": "string" + } + } + }, "com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStreamSpec": { "description": "OSImageStreamSpec defines the desired state of a OSImageStream.", "type": "object" }, "com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStreamStatus": { - "description": "OSImageStreamStatus describes the current state of a OSImageStream.", + "description": "OSImageStreamStatus describes the current state of a OSImageStream", "type": "object", + "required": [ + "availableStreams", + "defaultStream" + ], "properties": { "availableStreams": { - "description": "availableStreams is a list of the available OS Image Streams available and their associated URLs for both OS and Extensions images.\n\nA maximum of 100 streams may be specified.", + "description": "availableStreams is a list of the available OS Image Streams that can be used as the base image for MachineConfigPools. availableStreams is required, must have at least one item, must not exceed 100 items, and must have unique entries keyed on the name field.", "type": "array", "items": { "default": {}, - "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStreamURLSet" + "$ref": "#/definitions/com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStreamSet" }, "x-kubernetes-list-map-keys": [ "name" 
@@ -24867,29 +24880,7 @@ "x-kubernetes-list-type": "map" }, "defaultStream": { - "description": "defaultStream is the name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool. Must reference the name of one of the streams in availableStreams. Must be set when availableStreams is not empty. When not set and availableStreams is empty, controllers should use the default one stated in the release image.", - "type": "string" - } - } - }, - "com.github.openshift.api.machineconfiguration.v1alpha1.OSImageStreamURLSet": { - "type": "object", - "required": [ - "name", - "osImageURL", - "osExtensionsImageURL" - ], - "properties": { - "name": { - "description": "name is the identifier of the stream.\n\nMust not be empty and must not exceed 70 characters in length. Must only contain alphanumeric characters, hyphens ('-'), or dots ('.').", - "type": "string" - }, - "osExtensionsImageURL": { - "description": "osExtensionsImageURL is an OS Extensions Image referenced by digest.\n\nThe format of the URL ref is: host[:port][/namespace]/name@sha256:", - "type": "string" - }, - "osImageURL": { - "description": "osImageURL is an OS Image referenced by digest.\n\nThe format of the URL ref is: host[:port][/namespace]/name@sha256:", + "description": "defaultStream is the name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool.\n\nIt must be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.'), and must reference the name of one of the streams in availableStreams.", "type": "string" } } 
@@ -24901,9 +24892,8 @@ ], "properties": { "name": { - "description": "name is an OCI Image referenced by digest.\n\nThe format of the image ref is: host[:port][/namespace]/name@sha256:", - "type": "string", - "default": "" + "description": "name is an OCI Image referenced by digest. The format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.", + "type": "string" } } }, diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml index d37991c458c..b00c90e2a5c 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml 
@@ -2019,6 +2019,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
@@ -3316,6 +3348,37 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves that + are used during\nthe TLS handshake. Operators may remove entries + their operands do\nnot support.\n\nTLSProfiles Old, Intermediate, + Modern are including by default the following\ncurves: X25519, + P-256, P-384, X25519MLKEM768\nTLSProfiles Custom do not include + any curves by default.\nNOTE: since this field is optional, + if no curves are specified, the default curves\nused by the + underlying TLS library will be used.\n\nFor example, to use + X25519 and P-256 (yaml):\n\n# Example: Force PQC-only encryption\napiVersion: + config.openshift.io/v1\nkind: APIServer\nspec:\n tlsSecurityProfile:\n + \ type: Custom\n custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only hybrid + quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml index 06666a2e7ca..6bdda7a8c72 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml 
+++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml @@ -2013,6 +2013,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
@@ -3299,6 +3331,37 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves that + are used during\nthe TLS handshake. Operators may remove entries + their operands do\nnot support.\n\nTLSProfiles Old, Intermediate, + Modern are including by default the following\ncurves: X25519, + P-256, P-384, X25519MLKEM768\nTLSProfiles Custom do not include + any curves by default.\nNOTE: since this field is optional, + if no curves are specified, the default curves\nused by the + underlying TLS library will be used.\n\nFor example, to use + X25519 and P-256 (yaml):\n\n# Example: Force PQC-only encryption\napiVersion: + config.openshift.io/v1\nkind: APIServer\nspec:\n tlsSecurityProfile:\n + \ type: Custom\n custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only hybrid + quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml index f4416bf9b3c..8d473a67948 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml 
+++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml @@ -330,6 +330,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml index 37662cb58d8..835ec1f6f68 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml 
+++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-Default.crd.yaml @@ -261,6 +261,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml index bfeefa11f36..91a1814bf2a 100644 
--- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml @@ -330,6 +330,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol 
diff --git a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml index a49976e0dfd..ebc520fc82e 100644 --- a/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml 
@@ -330,6 +330,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol diff --git a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml index b056dc99c17..211d9c43146 100644 --- a/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml +++ b/payload-manifests/crds/0000_80_machine-config_01_kubeletconfigs.crd.yaml 
@@ -144,6 +144,38 @@ spec: type: string type: array x-kubernetes-list-type: atomic + curves: + description: "curves is used to specify the elliptic curves + that are used during\nthe TLS handshake. Operators may + remove entries their operands do\nnot support.\n\nTLSProfiles + Old, Intermediate, Modern are including by default the following\ncurves: + X25519, P-256, P-384, X25519MLKEM768\nTLSProfiles Custom + do not include any curves by default.\nNOTE: since this + field is optional, if no curves are specified, the default + curves\nused by the underlying TLS library will be used.\n\nFor + example, to use X25519 and P-256 (yaml):\n\n# Example: Force + PQC-only encryption\napiVersion: config.openshift.io/v1\nkind: + APIServer\nspec:\n tlsSecurityProfile:\n type: Custom\n + \ custom:\n ciphers:\n\t - TLS_AES_128_GCM_SHA256\n + \ - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n + \ curves:\n - X25519MLKEM768 # PQC-only: only + hybrid quantum-resistant curve\n minTLSVersion: VersionTLS13" + items: + description: |- + TLSCurve is a named curve identifier that can be used in TLSProfile.Curves. + There is a one-to-one mapping between these names and the curve IDs defined + in crypto/tls package based on IANA's "TLS Supported Groups" registry: + https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 + enum: + - X25519 + - P-256 + - P-384 + - P-521 + - X25519MLKEM768 + type: string + maxItems: 5 + type: array + x-kubernetes-list-type: atomic minTLSVersion: description: |- minTLSVersion is used to specify the minimal version of the TLS protocol