use safe tls-cipher-suites by lance5890 · Pull Request #1277 · openshift/cluster-ingress-operator

lance5890 · 2025-09-05T02:27:38Z

change the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 insecure cipher to more safer suites

openshift-ci · 2025-09-05T02:27:55Z

Hi @lance5890. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

candita · 2025-09-10T22:19:23Z

@lance5890 thanks for the contribution. We don't make this type of change in this manner, because we would not edit the generated file directly.

Update: you followed correct procedure here.

alebedev87 · 2025-09-12T13:07:23Z

Note: this can make sense to align the cipersuites used for kube-rbac-proxy with the logic we have for the router which uses Intermediate TLSSecurityProfile by default. To be tested though.

lance5890 · 2025-09-13T00:45:05Z

@lance5890 thanks for the contribution. We don't make this type of change in this manner, because we would not edit the generated file directly.

@candita @alebedev87
please correct me if I'm missing something, with this PR #905 , maybe we can only edit the 02-deployment yaml directly now. Aligned ciphers with Intermediate profile as suggested

manifests/02-deployment-ibm-cloud-managed.yaml

candita · 2025-09-24T15:13:24Z

@lance5890 Thanks for the updates. One more question - what is the reasoning for making these changes? Was there an issue with the metrics that you were trying to solve?

candita · 2025-09-24T15:19:31Z

/ok-to-test

candita · 2025-10-01T15:12:53Z

@lance5890 CI error messages in e2e-aws-ovn indicate an issue with cipher suite. Can you investigate?

E0926 19:57:03.889726 1 run.go:72] "command failed" err="failed to convert TLS cipher suite name to ID: Cipher suite ECDHE-ECDSA-AES128-GCM-SHA256 not supported or doesn't exist"
non-zero exit at 2025-09-26 20:02:16.064175623 +0000 UTC m=+976.226192044: cause/Error code/1 reason/ContainerExit W0926 20:02:15.415666 1 deprecated.go:66]

openshift-ci · 2025-10-02T01:06:10Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign candita for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Signed-off-by: lan.tian <lance5890@163.com>

lance5890 · 2025-10-02T07:01:46Z

/retest

lance5890 · 2025-10-02T09:05:04Z

/retest

openshift-ci · 2025-10-02T12:11:31Z

@lance5890: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	`9306886`	link	false	`/test okd-scos-e2e-aws-ovn`
ci/prow/e2e-aws-operator-techpreview	`9306886`	link	false	`/test e2e-aws-operator-techpreview`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

candita · 2025-10-08T14:41:34Z

@lance5890 the config you're changing is specifically for Prometheus's metric retrieval, is this PR to fix an issue with Prometheus? Please let us know, and update the commit message with details.

This PR is pending acceptance while waiting for your answer and we will drop review soon without an answer.

lance5890 · 2025-10-10T05:38:09Z

@lance5890 the config you're changing is specifically for Prometheus's metric retrieval, is this PR to fix an issue with Prometheus? Please let us know, and update the commit message with details.

This PR is pending acceptance while waiting for your answer and we will drop review soon without an answer.

This is not an actual issue. I just noticed that the kube-rbac-proxy uses an unsafe TLS certificate. Feel free to close this PR if it's not necessary.

candita · 2025-10-27T23:32:24Z

@lance5890 we are going to close this because we think the change should be made in https://github.com/openshift/api/blob/master/config/v1/types_tlssecurityprofile.go. If you'd like to file an issue there, that would be very helpful.

candita · 2025-10-27T23:35:20Z

/close

openshift-ci · 2025-10-27T23:35:29Z

@candita: Closed this PR.

Details

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Sep 5, 2025

openshift-ci bot requested review from gcs278 and rfredette September 5, 2025 02:28

lance5890 force-pushed the support_safe_cipher_suites branch from d67fae4 to 702a13c Compare September 13, 2025 00:33

lance5890 commented Sep 13, 2025

View reviewed changes

manifests/02-deployment-ibm-cloud-managed.yaml Outdated Show resolved Hide resolved

openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 24, 2025

lance5890 force-pushed the support_safe_cipher_suites branch from 702a13c to 96e454e Compare October 2, 2025 01:05

use safe tls-cipher-suites to be aligned with the route

9306886

Signed-off-by: lan.tian <lance5890@163.com>

lance5890 force-pushed the support_safe_cipher_suites branch from 96e454e to 9306886 Compare October 2, 2025 02:09

openshift-ci bot closed this Oct 27, 2025

Conversation

lance5890 commented Sep 5, 2025

Uh oh!

openshift-ci bot commented Sep 5, 2025

Uh oh!

candita commented Sep 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

alebedev87 commented Sep 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

lance5890 commented Sep 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

candita commented Sep 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

candita commented Sep 24, 2025

Uh oh!

candita commented Oct 1, 2025

Uh oh!

openshift-ci bot commented Oct 2, 2025

Uh oh!

lance5890 commented Oct 2, 2025

Uh oh!

lance5890 commented Oct 2, 2025

Uh oh!

openshift-ci bot commented Oct 2, 2025

Uh oh!

candita commented Oct 8, 2025

Uh oh!

lance5890 commented Oct 10, 2025

Uh oh!

candita commented Oct 27, 2025

Uh oh!

candita commented Oct 27, 2025

Uh oh!

openshift-ci bot commented Oct 27, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

candita commented Sep 10, 2025 •

edited

Loading

alebedev87 commented Sep 12, 2025 •

edited

Loading

lance5890 commented Sep 13, 2025 •

edited

Loading

candita commented Sep 24, 2025 •

edited

Loading