This topic describes how you can configure TLS for Supply Chain Security Tools (SCST) - Store.
Important: SCST - Store only supports TLS v1.2.
In tap-values.yaml, tls.server.rfcCiphers is set as shown in the following YAML:
metadata_store:
  tls:
    server:
      rfcCiphers:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Where tls.server.rfcCiphers is the list of cipher suites the server offers. Each value must be a cipher-suite name from the Go crypto/tls package constants. If you omit the setting, the default Go cipher suites are used. Note that the two TLS_AES_* names are TLS 1.3 suites: Go does not apply a configured cipher-suite list to TLS 1.3, and the store only speaks TLS 1.2, so the four ECDHE GCM suites are the ones the server actually negotiates. These are the default values:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
The following is a complete example of TLS configuration:
metadata_store:
  tls:
    namespace: NAMESPACE
    secretName: SECRET-NAME
    server:
      rfcCiphers:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Where:
NAMESPACE is the name of the namespace you want to configure TLS with.
SECRET-NAME is the name of the secret, in that namespace, that holds the TLS certificate and key you want to configure TLS with.
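The following Go program is an added example, not code from SCST - Store or the Tanzu documentation. It shows what the rfcCiphers setting resolves to, because the names are Go crypto/tls constants: it maps each name to a suite ID using tls.CipherSuites(), rejects names Go does not know or marks insecure, separates out the TLS 1.3 names that a TLS 1.2-only server cannot enforce, and then proves with an in-memory handshake that a server pinned to TLS 1.2 and the resolved list accepts a client offering one of those suites and refuses a client offering a suite outside the list. The PageCiphers list is the YAML list above copied as test input; the self-signed P-256 certificate, the function names and the use of net.Pipe are assumptions of this example (a real deployment uses the certificate from SECRET-NAME).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PageCiphers is the rfcCiphers list from the YAML above (constructed test input for this example).
var PageCiphers = []string{
	"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

// ResolveRFCCiphers maps RFC suite names to Go crypto/tls suite IDs. Unknown or
// insecure names are rejected. TLS 1.3-only names are returned separately: Go
// ignores tls.Config.CipherSuites for TLS 1.3, so they cannot be enforced there.
func ResolveRFCCiphers(names []string) (tls12 []uint16, tls13Only []string, err error) {
	byName := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs
	}
	insecure := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	for _, n := range names {
		if insecure[n] {
			return nil, nil, fmt.Errorf("cipher %q is marked insecure by Go", n)
		}
		cs, ok := byName[n]
		if !ok {
			return nil, nil, fmt.Errorf("cipher %q is not a Go crypto/tls suite name", n)
		}
		for12 := false
		for _, v := range cs.SupportedVersions {
			for12 = for12 || v == tls.VersionTLS12
		}
		if for12 {
			tls12 = append(tls12, cs.ID)
		} else {
			tls13Only = append(tls13Only, n)
		}
	}
	return tls12, tls13Only, nil
}

// ServerTLSConfig pins the server to TLS 1.2 and to the resolved suite list (assumed shape).
func ServerTLSConfig(cert tls.Certificate, names []string) (*tls.Config, error) {
	ids, _, err := ResolveRFCCiphers(names)
	if err != nil {
		return nil, err
	}
	if len(ids) == 0 {
		return nil, fmt.Errorf("rfcCiphers has no TLS 1.2 suites; a TLS 1.2-only server could never negotiate")
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12, CipherSuites: ids}, nil
}

// selfSignedECDSACert builds a throwaway P-256 certificate so the ECDHE_ECDSA suites are usable.
func selfSignedECDSACert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"metadata-store.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Negotiate runs an in-memory TLS 1.2 handshake between a server configured with
// serverNames and a client offering only clientNames; it returns the negotiated
// suite name, or an error when the server refuses the client's offer.
func Negotiate(serverNames, clientNames []string) (string, error) {
	cert, err := selfSignedECDSACert()
	if err != nil {
		return "", err
	}
	srvCfg, err := ServerTLSConfig(cert, serverNames)
	if err != nil {
		return "", err
	}
	clientIDs, _, err := ResolveRFCCiphers(clientNames)
	if err != nil {
		return "", err
	}
	cRaw, sRaw := net.Pipe()
	defer cRaw.Close() // close the raw pipe ends, not the tls.Conns, so close_notify cannot block
	defer sRaw.Close()
	client := tls.Client(cRaw, &tls.Config{InsecureSkipVerify: true, // self-signed test cert only
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: clientIDs})
	server := tls.Server(sRaw, srvCfg)
	done := make(chan error, 1)
	go func() { done <- server.Handshake() }()
	cerr := client.Handshake()
	if serr := <-done; serr != nil {
		return "", serr
	}
	if cerr != nil {
		return "", cerr
	}
	return tls.CipherSuiteName(client.ConnectionState().CipherSuite), nil
}

func main() {
	ids, ignored, err := ResolveRFCCiphers(PageCiphers)
	fmt.Println(len(ids), "TLS 1.2 suites enforced; TLS 1.3-only names:", ignored, err)
	fmt.Println(Negotiate(PageCiphers, []string{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}))
	fmt.Println(Negotiate(PageCiphers, []string{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"}))
}
```

Run it with go run; the second Negotiate call fails with a handshake-failure alert because the CBC suite is not in the configured list, which is the behaviour you want to confirm after tightening rfcCiphers. Checking names against tls.InsecureCipherSuites() is the check a reviewer would want on a hand-edited list, since a typo or a legacy suite name is otherwise only discovered when the server starts.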