CORE-5589 Add config to select minimum TLS version

[michael-redpanda]

Backports Required

• none - not a bug fix
• none - this is a backport
• none - issue does not exist in previous branches
• none - papercut/not impactful enough to backport
• v24.1.x
• v23.3.x
• v23.2.x

Release Notes

Features

• Adds new cluster config tls_min_version that allows users of Redpanda to specify the minimum version of TLS Redpanda will support. By default, the value is TLS v1.2.

[michael-redpanda]

/dt

[vbotbuildovich]

skipped ducktape retry in https://buildkite.com/redpanda/redpanda/builds/51444#0190a8ff-f282-4962-9130-cdae90c56395:
pandatriage cache was not found

skipped ducktape retry in https://buildkite.com/redpanda/redpanda/builds/51444#0190a8ff-f283-4374-b05f-c8f3ace0da97:
pandatriage cache was not found

skipped ducktape retry in https://buildkite.com/redpanda/redpanda/builds/51444#0190a900-3c9c-4c3d-bb30-f7515b63be79:
pandatriage cache was not found

skipped ducktape retry in https://buildkite.com/redpanda/redpanda/builds/51444#0190a900-3c9a-47f4-a945-b7234c7c4231:
pandatriage cache was not found

skipped ducktape retry in https://buildkite.com/redpanda/redpanda/builds/51444#0190a900-3c9e-4f7b-99bc-0f992927e9c8:
pandatriage cache was not found

[michael-redpanda]

/dt

[vbotbuildovich]

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/51544#0190b861-ef5a-44a6-9745-c5d733a65b9d

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/51585#0190bc60-8720-4496-92aa-093c7a1664fb

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/51585#0190bc61-afa7-4c95-ab0e-76c7e1a9aceb

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/51585#0190bc61-afa5-4650-8c17-53a7948dc346

ducktape was retried in https://buildkite.com/redpanda/redpanda/builds/51722#0190c614-6cde-4282-8ace-4a0b0c2ac07b

[michael-redpanda]

Force push 9620dba:

• Switched from minimum_tls_version to tls_min_version

[Deflaimun]

What specific string do we want our users using in this property?
"v.1.3" or "1.3" ?

[kbatuigas]

Suggested change

	"The minimum version of TLS that Redpanda will support.",
	"The minimum TLS version that Redpanda supports.",

Nit, for economy / alignment with docs style guide

[michael-redpanda]

What specific string do we want our users using in this property? "v.1.3" or "1.3" ?

"v1.3"

[oleiman]

looks good. i need to go over the dt tests in a bit more detail, but I wanted to flag the legacy_default thing before bed.

[oleiman]

suggestion: a default match to avoid throwing?

[BenPope]

suggestion: a default match to avoid throwing?

Yeah, and I think this can be reused in the next commit.

[oleiman]

So this is the issue from late last year that @dotnwat was referring to. I think we're subject to this weird behavior here as well. You might try:

• upgrade from <= logical 12 to HEAD
• set the min tls version to 1.2
• restart the broker
• see whether the min tls version is set back to 1.0

In this case I think the escape hatch would be to set something other than the current version non-legacy default (e.g. 1.1 or 1.3), but it's worth being aware of, esp. if this is a compliance concern.

[michael-redpanda]

Thanks for flagging. I'll write up a DT test for this specifically

[michael-redpanda]

Yeah thanks for flagging that is an issue. Setting to v1.2 and then restarting resets it back to v1.0....

[BenPope]

suggestion: a default match to avoid throwing?

Yeah, and I think this can be reused in the next commit.

[BenPope]

is acceptable_values used anywhere else?

perhaps:

Suggested change

	if (
	std::find(acceptable_values.begin(), acceptable_values.end(), value)
	== acceptable_values.end()) {
	return false;
	}
	rhs = string_switch<type>(std::string_view{value})
	.match(to_string_view(type::v1_0), type::v1_0)
	.match(to_string_view(type::v1_1), type::v1_1)
	.match(to_string_view(type::v1_2), type::v1_2)
	.match(to_string_view(type::v1_3), type::v1_3);
	return true;
	auto out = string_switch<std::optional<type>>(std::string_view{value})
	.match(to_string_view(type::v1_0), type::v1_0)
	.match(to_string_view(type::v1_1), type::v1_1)
	.match(to_string_view(type::v1_2), type::v1_2)
	.match(to_string_view(type::v1_3), type::v1_3)
	.default_match(std::nullopt);
	if(out.has_value()) {
	rhs = out.value();
	}
	return out.has_value();

[aanthony-rp]

couple nits, not blocking. Looks clear to me what's going on. nice work, good tests.

[michael-redpanda]

Force push 1cb3b6d:

• Lint zee python

[dotnwat]

lgtm.

curious why legacy_default was removed? it's not that i think it should or short not be used, but rather, if it was thought to have been needed before, it's surprising that the need disappeared given it solves such a specific problem.

[BenPope]

I'm intrigued, why is it set here, but not, for example, for the oidc client or the cloud_roles client?

Which also begs the question, should it be possible to configure this per client, or listener?

[michael-redpanda]

I'm intrigued, why is it set here, but not, for example, for the oidc client or the cloud_roles client?

Thanks for pointing that out, definitely a miss. I'll make the changes, but it's probably not as big as a deal as ensuring our services can be selective of what TLS version they support.

Which also begs the question, should it be possible to configure this per client, or listener?

Maybe in a future update. For now, to get something done to help our customers was to provide a single cluster config.

[michael-redpanda]

lgtm.

curious why legacy_default was removed? it's not that i think it should or short not be used, but rather, if it was thought to have been needed before, it's surprising that the need disappeared given it solves such a specific problem.

1. Because it was broken for this use case. If I started with a v24.1 cluster and upgraded it, yes the value of the config went to v1.0, but if I tried to set it to v1.2 (the default value) and restarted, the legacy default code would reset it to v1.0.
2. @deniscoady did some analysis using telemetry data and saw that the TLSv1.2 and TLSv1.3 were the only protocols in use
3. Other products by default only enable TLSv1.2 and TLSv1.3 out of the box

[michael-redpanda]

Force push c3a61b3:

• Added set_minimum_tls_version to remaining users of TLS

[michael-redpanda]

Force push 8bf2e75:

• Being consistent in how tls_min_version is accessed

[dotnwat]

Because it was broken for this use case. If I started with a v24.1 cluster and upgraded it, yes the value of the config went to v1.0, but if I tried to set it to v1.2 (the default value) and restarted, the legacy default code would reset it to v1.0.

The feature being broken doesn't eliminate a problem that exists, right?

@deniscoady did some analysis using telemetry data and saw that the TLSv1.2 and TLSv1.3 were the only protocols in use
Other products by default only enable TLSv1.2 and TLSv1.3 out of the box

I guess these are the reasons why altered upgrade behavior is no longer needed?

[michael-redpanda]

Because it was broken for this use case. If I started with a v24.1 cluster and upgraded it, yes the value of the config went to v1.0, but if I tried to set it to v1.2 (the default value) and restarted, the legacy default code would reset it to v1.0.

The feature being broken doesn't eliminate a problem that exists, right?

Correct but....

@deniscoady did some analysis using telemetry data and saw that the TLSv1.2 and TLSv1.3 were the only protocols in use
Other products by default only enable TLSv1.2 and TLSv1.3 out of the box

I guess these are the reasons why altered upgrade behavior is no longer needed?

yes this eliminated the need.

[michael-redpanda]

CI Failure:

• CORE-5514