From 13e1701492339e435791143b876fcde8bdc6c184 Mon Sep 17 00:00:00 2001
From: Jan Knipper
Date: Wed, 6 Mar 2024 16:53:17 +0100
Subject: [PATCH 1/2] Only offer TLS 1.3 in kubelet server
---
 charts/seed/templates/kubeadm.yaml | 1 +
 pkg/api/handlers/get_cluster_bootstrap.go | 1 +
 pkg/templates/node_1.27.go | 1 +
 3 files changed, 3 insertions(+)
diff --git a/charts/seed/templates/kubeadm.yaml b/charts/seed/templates/kubeadm.yaml
index 96c7c9c408..8eeb9074af 100644
--- a/charts/seed/templates/kubeadm.yaml
+++ b/charts/seed/templates/kubeadm.yaml
@@ -258,6 +258,7 @@ data:
 streamingConnectionIdleTimeout: 0s
 syncFrequency: 0s
 volumeStatsAggPeriod: 0s
+ tlsMinVersion: VersionTLS13
 kind: ConfigMap
 metadata:
 name: kubelet-config
diff --git a/pkg/api/handlers/get_cluster_bootstrap.go b/pkg/api/handlers/get_cluster_bootstrap.go
index 4fa0dbbe11..07f5c3b63b 100644
--- a/pkg/api/handlers/get_cluster_bootstrap.go
+++ b/pkg/api/handlers/get_cluster_bootstrap.go
@@ -46,6 +46,7 @@ authentication:
 enabled: true
 rotateCertificates: true
 nodeLeaseDurationSeconds: 20
+tlsMinVersion: VersionTLS13
 featureGates:
 `))
diff --git a/pkg/templates/node_1.27.go b/pkg/templates/node_1.27.go
index f309eede12..ccc5fee209 100644
--- a/pkg/templates/node_1.27.go
+++ b/pkg/templates/node_1.27.go
@@ -297,6 +297,7 @@ storage:
 rotateCertificates: true
 nodeLeaseDurationSeconds: 20
 cgroupDriver: systemd
+ tlsMinVersion: VersionTLS13
 - path: /etc/flatcar/update.conf
 filesystem: root
 mode: 0644
From 60effc41f4e3b7a9aec33d9a5a3eb80b84962a82 Mon Sep 17 00:00:00 2001
From: Jan Knipper
Date: Tue, 12 Mar 2024 10:03:34 +0100
Subject: [PATCH 2/2] Add specific cipher list
---
 charts/seed/templates/kubeadm.yaml | 9 ++++++++-
 pkg/api/handlers/get_cluster_bootstrap.go | 9 ++++++++-
 pkg/templates/node_1.27.go | 9 ++++++++-
 3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/charts/seed/templates/kubeadm.yaml b/charts/seed/templates/kubeadm.yaml
index 8eeb9074af..a682bac1ba 100644
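Review bot: The new `tlsMinVersion: VersionTLS13` line carries no comment recording why it was chosen or what it affects, and the same value is now maintained by hand in three places (this chart ConfigMap, the raw-string kubelet config in get_cluster_bootstrap.go and the node template in node_1.27.go), which is how such settings drift apart. A one-line YAML comment above each copy, e.g. `# kubelet serving endpoint accepts TLS 1.3 only; every client of the kubelet API must support it`, would record the intent, and the commit message should say which kubelet clients (the kube-apiserver, any metrics scraper) were verified to negotiate TLS 1.3 against it. If sibling `node_<version>.go` templates for other Kubernetes versions exist they are not touched here and would keep the kubelet default, which is worth confirming is intended.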
--- a/charts/seed/templates/kubeadm.yaml
+++ b/charts/seed/templates/kubeadm.yaml
@@ -258,7 +258,14 @@ data:
 streamingConnectionIdleTimeout: 0s
 syncFrequency: 0s
 volumeStatsAggPeriod: 0s
- tlsMinVersion: VersionTLS13
+ tlsCipherSuites:
+ - TLS_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_AES_128_GCM_SHA256
+ - TLS_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 kind: ConfigMap
 metadata:
 name: kubelet-config
diff --git a/pkg/api/handlers/get_cluster_bootstrap.go b/pkg/api/handlers/get_cluster_bootstrap.go
index 07f5c3b63b..21279a3865 100644
--- a/pkg/api/handlers/get_cluster_bootstrap.go
+++ b/pkg/api/handlers/get_cluster_bootstrap.go
@@ -46,7 +46,14 @@ authentication:
 enabled: true
 rotateCertificates: true
 nodeLeaseDurationSeconds: 20
-tlsMinVersion: VersionTLS13
+tlsCipherSuites:
+- TLS_CHACHA20_POLY1305_SHA256
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_AES_128_GCM_SHA256
+- TLS_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 featureGates:
 `))
diff --git a/pkg/templates/node_1.27.go b/pkg/templates/node_1.27.go
index ccc5fee209..14c20e498c 100644
--- a/pkg/templates/node_1.27.go
+++ b/pkg/templates/node_1.27.go
@@ -297,7 +297,14 @@ storage:
 rotateCertificates: true
 nodeLeaseDurationSeconds: 20
 cgroupDriver: systemd
- tlsMinVersion: VersionTLS13
+ tlsCipherSuites:
+ - TLS_CHACHA20_POLY1305_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_AES_128_GCM_SHA256
+ - TLS_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 - path: /etc/flatcar/update.conf
 filesystem: root
 mode: 0644
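Review bot: The minimum-version pin is lost: `- tlsMinVersion: VersionTLS13` is deleted here (and likewise in get_cluster_bootstrap.go and node_1.27.go) while the new `tlsCipherSuites` list contains four TLS 1.2 suites (the `TLS_ECDHE_*` entries), so the kubelet serving endpoint can negotiate TLS 1.2 again and the series' stated goal of offering only TLS 1.3 is undone rather than refined. If TLS 1.3-only is still intended, keep `tlsMinVersion: VersionTLS13` directly above `tlsCipherSuites:` in each of the three files, in which case the `TLS_ECDHE_*` entries are never used and can be dropped; if a TLS 1.2 fallback is now wanted for some client, pin it explicitly with `tlsMinVersion: VersionTLS12` and say so in the commit message instead of relying on the kubelet's built-in default. Go's crypto/tls does not make the TLS 1.3 suites configurable, so the `TLS_AES_*` and `TLS_CHACHA20_POLY1305_SHA256` entries document intent but restrict nothing; a comment such as `# TLS 1.3 suites are fixed by Go; only the ECDHE entries below are enforced` beside the list would keep a later reader from expecting otherwise. Since this list is duplicated by hand in three files, a single source for it would also reduce the risk that one copy is tightened and the others are not.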