From 07066e020d52914a60a91b6ee5f67d7a5375f82f Mon Sep 17 00:00:00 2001
From: Monis Khan <i@monis.app>
Date: Thu, 31 Mar 2022 17:07:47 -0400
Subject: [PATCH] Explicitly set defaultServing ciphers in FIPS mode

This is a no-op today, but could change in the future when we add
support for FIPS in non-strict mode.

Signed-off-by: Monis Khan <mok@vmware.com>
---
 internal/crypto/ptls/fips_strict.go | 6 ++++++
 internal/crypto/ptls/ptls.go        | 5 -----
 internal/crypto/ptls/secure.go      | 7 +++++++
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/internal/crypto/ptls/fips_strict.go b/internal/crypto/ptls/fips_strict.go
index cebcebb4..a6a3c65d 100644
--- a/internal/crypto/ptls/fips_strict.go
+++ b/internal/crypto/ptls/fips_strict.go
@@ -17,6 +17,8 @@ import (
 	"C"                     // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
 	_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
 
+	"k8s.io/apiserver/pkg/server/options"
+
 	"go.pinniped.dev/internal/plog"
 )
 
@@ -63,3 +65,7 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
 func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
 	return Default(rootCAs)
 }
+
+func secureServing(opts *options.SecureServingOptionsWithLoopback) {
+	defaultServing(opts)
+}
diff --git a/internal/crypto/ptls/ptls.go b/internal/crypto/ptls/ptls.go
index 3eb45d41..ab331e38 100644
--- a/internal/crypto/ptls/ptls.go
+++ b/internal/crypto/ptls/ptls.go
@@ -82,11 +82,6 @@ func defaultServing(opts *options.SecureServingOptionsWithLoopback) {
 	opts.MinTLSVersion = defaultServingOptionsMinTLSVersion
 }
 
-func secureServing(opts *options.SecureServingOptionsWithLoopback) {
-	opts.MinTLSVersion = secureServingOptionsMinTLSVersion
-	opts.CipherSuites = nil
-}
-
 func secureClient(opts *options.RecommendedOptions, f RestConfigFunc) error {
 	inClusterClient, inClusterConfig, err := f(nil)
 	if err != nil {
diff --git a/internal/crypto/ptls/secure.go b/internal/crypto/ptls/secure.go
index 9f07b633..ddea0816 100644
--- a/internal/crypto/ptls/secure.go
+++ b/internal/crypto/ptls/secure.go
@@ -9,6 +9,8 @@ package ptls
 import (
 	"crypto/tls"
 	"crypto/x509"
+
+	"k8s.io/apiserver/pkg/server/options"
 )
 
 // secureServingOptionsMinTLSVersion is the minimum tls version in the format
@@ -42,3 +44,8 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
 	}
 	return c
 }
+
+func secureServing(opts *options.SecureServingOptionsWithLoopback) {
+	opts.MinTLSVersion = secureServingOptionsMinTLSVersion
+	opts.CipherSuites = nil
+}