Can we do the same for the k8s-control-plane charm? The cipher list can technically be hardened using "api-extra-args", but it would be nice if it's hardened out of the box.
[default]
> Testing cipher categories
>
> NULL ciphers (no encryption) not offered (OK)
> Anonymous NULL Ciphers (no authentication) not offered (OK)
> Export ciphers (w/o ADH+NULL) not offered (OK)
> LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
> Triple DES Ciphers / IDEA offered
> Obsoleted CBC ciphers (AES, ARIA etc.) offered
> Strong encryption (AEAD ciphers) with no FS offered (OK)
> Forward Secrecy strong encryption (AEAD ciphers) offered (OK)
[with explicit list]
$ juju config -m k8s-on-openstack kubernetes-control-plane api-extra-args
tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
> Testing cipher categories
>
> NULL ciphers (no encryption) not offered (OK)
> Anonymous NULL Ciphers (no authentication) not offered (OK)
> Export ciphers (w/o ADH+NULL) not offered (OK)
> LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
> Triple DES Ciphers / IDEA not offered
> Obsoleted CBC ciphers (AES, ARIA etc.) not offered
> Strong encryption (AEAD ciphers) with no FS not offered
> Forward Secrecy strong encryption (AEAD ciphers) offered (OK)
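
An added example, not part of the original report or of the charm: a Python check that parses the "Testing cipher categories" lines quoted above and lists every category that is offered without testssl's "(OK)" mark, so a default deployment can be gated in CI. The function names are hypothetical, and the check assumes testssl's own "(OK)" marking is the acceptance criterion.

```python
import re

# Sample input: the category lines from the [default] run quoted in the report.
DEFAULT_RUN = """\
> Testing cipher categories
>
> NULL ciphers (no encryption) not offered (OK)
> Anonymous NULL Ciphers (no authentication) not offered (OK)
> Export ciphers (w/o ADH+NULL) not offered (OK)
> LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK)
> Triple DES Ciphers / IDEA offered
> Obsoleted CBC ciphers (AES, ARIA etc.) offered
> Strong encryption (AEAD ciphers) with no FS offered (OK)
> Forward Secrecy strong encryption (AEAD ciphers) offered (OK)
"""
# The [with explicit list] run differs from the default run in three lines.
HARDENED_RUN = (DEFAULT_RUN
                .replace("IDEA offered", "IDEA not offered")
                .replace("etc.) offered", "etc.) not offered")
                .replace("no FS offered (OK)", "no FS not offered"))

# Optional "> " quote prefix, category name, state, optional "(OK)" verdict.
LINE = re.compile(r"^(?:>\s*)?(?P<name>.+?)\s+(?P<state>not offered|offered)"
                  r"(?:\s+\((?P<ok>OK)\))?\s*$")

def parse_categories(report):
    """Return {category: (offered, marked_ok)} for each category line."""
    result = {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:  # header and blank quote lines do not match and are skipped
            result[m["name"]] = (m["state"] == "offered", m["ok"] is not None)
    return result

def weak_categories(report):
    """Categories the server offers that testssl did not mark (OK)."""
    return [name for name, (offered, ok) in parse_categories(report).items()
            if offered and not ok]

def regressions(before, after):
    """Weak categories offered in `after` that were not offered in `before`."""
    return sorted(set(weak_categories(after)) - set(weak_categories(before)))

if __name__ == "__main__":
    for label, run in (("default", DEFAULT_RUN), ("explicit list", HARDENED_RUN)):
        print(label, "->", weak_categories(run) or "no weak categories offered")
```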