Parametrising TLS ciphers for observatorium-api

Author: moadz

Diff for: examples/main.jsonnet

@@ -73,6 +73,7 @@ local apiWithTLS = (import '../jsonnet/lib/observatorium-api.libsonnet')(config
     caKey: 'ca',
     reloadInterval: '1m',
     serverName: 'example.com',
+    cipherSuites: 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
   },
 });
 

Diff for: examples/manifests/deployment-with-tls.yaml

@@ -57,6 +57,7 @@ spec:
         - --tls.healthchecks.server-ca-file=/var/run/tls/ca
         - --tls.reload-interval=1m
         - --tls.healthchecks.server-name=example.com
+        - --tls.cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
         image: quay.io/observatorium/api:master-2020-09-04-v0.1.1-131-ga4c5a9c
         imagePullPolicy: IfNotPresent
         livenessProbe:

Diff for: jsonnet/lib/observatorium-api.libsonnet

@@ -208,6 +208,12 @@ function(params) {
                         '--tls.healthchecks.server-name=' + api.config.tls.serverName,
                       ]
                     else []
+                  ) + (
+                    if std.objectHas(api.config.tls, 'cipherSuites') then
+                      [
+                        '--tls.cipher-suites=' + api.config.tls.cipherSuites,
+                      ]
+                    else []
                   )
                 else []
               ) + (