Support modern TLS security Profile

Author: wangke19

openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver.go

@@ -184,6 +184,7 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
 		string(configv1.TLSProfileOldType),
 		string(configv1.TLSProfileIntermediateType),
 		string(configv1.TLSProfileCustomType),
+		string(configv1.TLSProfileModernType),
 	}
 
 	switch profile.Type {
@@ -200,7 +201,9 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
 			errs = append(errs, field.Required(fieldPath.Child("intermediate"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
 		}
 	case configv1.TLSProfileModernType:
-		errs = append(errs, field.NotSupported(fieldPath.Child("type"), profile.Type, availableTypes))
+		if profile.Modern == nil {
+			errs = append(errs, field.Required(fieldPath.Child("modern"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
+		}
 	case configv1.TLSProfileCustomType:
 		if profile.Custom == nil {
 			errs = append(errs, field.Required(fieldPath.Child("custom"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
@@ -247,10 +250,6 @@ func haveRequiredHTTP2CipherSuites(suites []string) bool {
 func validateMinTLSVersion(fieldPath *field.Path, version configv1.TLSProtocolVersion) field.ErrorList {
 	errs := field.ErrorList{}
 
-	if version == configv1.VersionTLS13 {
-		return append(errs, field.NotSupported(fieldPath, version, []string{string(configv1.VersionTLS10), string(configv1.VersionTLS11), string(configv1.VersionTLS12)}))
-	}
-
 	if _, err := libgocrypto.TLSVersion(string(version)); err != nil {
 		errs = append(errs, field.Invalid(fieldPath, version, err.Error()))
 	}

openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver_test.go

@@ -143,28 +143,13 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
 				field.Required(rootFieldPath.Child("intermediate"), "type set to Intermediate, but the corresponding field is unset"),
 			},
 		},
-		{
-			name: "modern type - currently unsupported",
-			profile: &configv1.TLSSecurityProfile{
-				Type:   configv1.TLSProfileModernType,
-				Modern: &configv1.ModernTLSProfile{},
-			},
-			want: field.ErrorList{
-				field.NotSupported(rootFieldPath.Child("type"), configv1.TLSProfileModernType,
-					[]string{
-						string(configv1.TLSProfileOldType),
-						string(configv1.TLSProfileIntermediateType),
-						string(configv1.TLSProfileCustomType),
-					}),
-			},
-		},
 		{
 			name: "unknown type",
 			profile: &configv1.TLSSecurityProfile{
 				Type: "something",
 			},
 			want: field.ErrorList{
-				field.Invalid(rootFieldPath.Child("type"), "something", "unknown type, valid values are: [Old Intermediate Custom]"),
+				field.Invalid(rootFieldPath.Child("type"), "something", "unknown type, valid values are: [Old Intermediate Custom Modern]"),
 			},
 		},
 		{
@@ -211,21 +196,6 @@ func Test_validateTLSSecurityProfile(t *testing.T) {
 				field.Invalid(rootFieldPath.Child("custom", "ciphers"), []string(nil), "http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)"),
 			},
 		},
-		{
-			name: "min tls 1.3 - currently unsupported",
-			profile: &configv1.TLSSecurityProfile{
-				Type: "Custom",
-				Custom: &configv1.CustomTLSProfile{
-					TLSProfileSpec: configv1.TLSProfileSpec{
-						Ciphers:       []string{"ECDHE-ECDSA-CHACHA20-POLY1305"},
-						MinTLSVersion: configv1.VersionTLS13,
-					},
-				},
-			},
-			want: field.ErrorList{
-				field.NotSupported(rootFieldPath.Child("custom", "minTLSVersion"), configv1.VersionTLS13, []string{string(configv1.VersionTLS10), string(configv1.VersionTLS11), string(configv1.VersionTLS12)}),
-			},
-		},
 		{
 			name: "custom profile missing required http2 ciphers",
 			profile: &configv1.TLSSecurityProfile{