From 474e9887fb867de0c5adc961b1f5f86a9ce95b31 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 14 Jul 2025 14:34:32 -0400
Subject: [PATCH 1/3] set controller xweb tls version
---
 charts/ziti-controller/templates/configmap.yaml | 12 +++++++-----
 charts/ziti-controller/values.yaml | 11 ++++++++++-
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/charts/ziti-controller/templates/configmap.yaml b/charts/ziti-controller/templates/configmap.yaml
index d6b2c2bb..962b6a3f 100644
--- a/charts/ziti-controller/templates/configmap.yaml
+++ b/charts/ziti-controller/templates/configmap.yaml
@@ -236,10 +236,10 @@ data:
 writeTimeout: 100000ms
 # minTLSVersion - optional, default TLS1.2
 # The minimum version of TSL to support
- minTLSVersion: TLS1.2
+ minTLSVersion: {{ .Values.webBindingPki.minTLSVersion }}
 # maxTLSVersion - optional, default TLS1.3
 # The maximum version of TSL to support
- maxTLSVersion: TLS1.3
+ maxTLSVersion: {{ .Values.webBindingPki.maxTLSVersion }}
 # apis - required
 # Allows one or more APIs to be bound to this webListener
 apis:
@@ -329,10 +329,10 @@ data:
 writeTimeout: 100000ms
 # minTLSVersion - optional, default TLS1.2
 # The minimum version of TSL to support
- minTLSVersion: TLS1.3
+ minTLSVersion: {{ .Values.webBindingPki.minTLSVersion }}
 # maxTLSVersion - optional, default TLS1.3
 # The maximum version of TSL to support
- maxTLSVersion: TLS1.3
+ maxTLSVersion: {{ .Values.webBindingPki.maxTLSVersion }}
 # apis - required
 # Allows one or more APIs to be bound to this webListener
 apis:
@@ -398,7 +398,9 @@ data:
 {{- end }}
 {{- end }}
 {{- end }}
- options: { }
+ options:
+ minTLSVersion: {{ .Values.prometheus.minTLSVersion }}
+ maxTLSVersion: {{ .Values.prometheus.maxTLSVersion }}
 apis:
 - binding: metrics
 options: { }
diff --git a/charts/ziti-controller/values.yaml b/charts/ziti-controller/values.yaml
index 90b46bea..99049e97 100644
--- a/charts/ziti-controller/values.yaml
+++ b/charts/ziti-controller/values.yaml
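Review bot: The two added lines emit the templated scalars unquoted, so a value overridden to an empty string renders as `minTLSVersion:` with no value (YAML null) and any non-empty value is left to YAML implicit typing; render them with `| quote`, i.e. `minTLSVersion: {{ .Values.webBindingPki.minTLSVersion | quote }}` and `maxTLSVersion: {{ .Values.webBindingPki.maxTLSVersion | quote }}`. The same applies to the second webListener hunk at -329 and to the prometheus `options:` hunk at -398. Nothing in the chart validates the string before it reaches the controller, so a typo is only caught when the controller starts; if the chart ships a values.schema.json (not visible in this patch), an enum for these four keys would catch it at install time. The enclosing webListener mapping starts and ends outside the hunk.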
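Review bot: This listener's minimum TLS version drops from TLS1.3 to TLS1.2 by default: the removed line pinned `minTLSVersion: TLS1.3`, while the replacement reads `webBindingPki.minTLSVersion`, whose default in values.yaml in this same patch is `TLS1.2`. The first listener at -236 was already at TLS1.2, so sharing one value silently loosens only this one. If the loosening is intended it belongs in the chart's release notes next to the version bump in patch 3; if not, either default `webBindingPki.minTLSVersion` to `TLS1.3` in values.yaml (which also tightens the first listener) or give this listener its own value with a `TLS1.3` default. The enclosing webListener mapping starts and ends outside the hunk.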
@@ -176,8 +176,13 @@ prometheus: type: ClusterIP # -- extra labels for matching only this service, ie. serviceMonitor labels: - app: "prometheus" + app: prometheus annotations: {} + # -- minimum TLS version to offer to clients + minTLSVersion: TLS1.2 + # -- maximum TLS version to offer to clients + maxTLSVersion: TLS1.3 + # ServiceMonitor configuration serviceMonitor:
@@ -291,6 +296,10 @@ webBindingPki: # kind: # -- metadata name of the alternative issuer # name: + # -- minimum TLS version to offer to clients + minTLSVersion: TLS1.2 + # -- maximum TLS version to offer to clients + maxTLSVersion: TLS1.3 spireAgent: # -- if you are running a container with the spire-agent binary installed
From 0a992cc5e0fde23860f103109a2fe5dc9017d76e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 14 Jul 2025 18:36:20 +0000
Subject: [PATCH 2/3] helm-docs: automated action
---
 charts/ziti-controller/README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/charts/ziti-controller/README.md b/charts/ziti-controller/README.md
index 4e6a4b68..1fd631f4 100644
--- a/charts/ziti-controller/README.md
+++ b/charts/ziti-controller/README.md
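Review bot: The four added `# --` helm-docs comments say what the keys do but not what they accept or what lowering the minimum costs; suggest `# -- minimum TLS version to offer to clients; keep at TLS1.2 or TLS1.3, lowering it weakens every client connection to this listener` with matching text on the maximum, and the same wording in the webBindingPki hunk at -291. Whitespace is collapsed in this view, so I can't confirm the indentation of the new keys: they must sit at the `prometheus:` level (the README in patch 2 lists them as `prometheus.minTLSVersion`), not under the `service:` mapping whose `type`, `labels` and `annotations` keys provide the context here, and likewise the webBindingPki keys must not land inside the commented-out `alternativeIssuer` fields they follow. The `app: "prometheus"` to `app: prometheus` edit is unrelated to the TLS feature and is a plain string either way, so it is harmless but would be cleaner in its own commit.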
@@ -380,6 +380,8 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co | prometheus.advertisedHost | string | `""` | DNS name to advertise in place of the default internal cluster name built from the Helm release name | | prometheus.advertisedPort | int | `443` | cluster service, node port, load balancer, and ingress port | | prometheus.containerPort | int | `9090` | cluster service target port on the container | +| prometheus.maxTLSVersion | string | `"TLS1.3"` | maximum TLS version to offer to clients | +| prometheus.minTLSVersion | string | `"TLS1.2"` | minimum TLS version to offer to clients | | prometheus.service.annotations | object | `{}` | | | prometheus.service.enabled | bool | `false` | create a cluster service for the deployment | | prometheus.service.labels | object | `{"app":"prometheus"}` | extra labels for matching only this service, ie. serviceMonitor |
@@ -407,6 +409,8 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co | webBindingPki.altServerCerts | list | `[]` | | | webBindingPki.alternativeIssuer | object | `{}` | obtain the web identity from an existing issuer instead of generating a new PKI | | webBindingPki.enabled | bool | `true` | generate a separate PKI root of trust for web bindings, i.e., client, management, and prometheus APIs | +| webBindingPki.maxTLSVersion | string | `"TLS1.3"` | maximum TLS version to offer to clients | +| webBindingPki.minTLSVersion | string | `"TLS1.2"` | minimum TLS version to offer to clients | ## TODO's
From c087e5b43d0bdb8495da30fb272ad7ffa5a40763 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 14 Jul 2025 14:45:28 -0400
Subject: [PATCH 3/3] bump chart version
---
 charts/ziti-controller/Chart.yaml | 2 +-
 charts/ziti-controller/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/ziti-controller/Chart.yaml b/charts/ziti-controller/Chart.yaml
index e8e23879..73bf9552 100644
--- a/charts/ziti-controller/Chart.yaml
+++ b/charts/ziti-controller/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: 1.6.5
 description: Host an OpenZiti controller in Kubernetes
 name: ziti-controller
 type: application
-version: 2.0.1
+version: 2.0.2
diff --git a/charts/ziti-controller/README.md b/charts/ziti-controller/README.md
index 1fd631f4..8cffadc1 100644
--- a/charts/ziti-controller/README.md
+++ b/charts/ziti-controller/README.md
@@ -2,7 +2,7 @@ # ziti-controller
-![Version: 2.0.1](https://img.shields.io/badge/Version-2.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.5](https://img.shields.io/badge/AppVersion-1.6.5-informational?style=flat-square)
+![Version: 2.0.2](https://img.shields.io/badge/Version-2.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.5](https://img.shields.io/badge/AppVersion-1.6.5-informational?style=flat-square)
 Host an OpenZiti controller in Kubernetes