From d1221fa0c8b6db9a5da1f25adcaff497dd4f05c2 Mon Sep 17 00:00:00 2001
From: jamct
Date: Wed, 22 Apr 2020 17:22:31 +0200
Subject: [PATCH] use strong cipher suites for tls

---
 .../templates/ingress/05-global-ingress.yml | 27 ++++++++++++++++++-
 team-setup/values.yaml | 8 +++++-
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/team-setup/templates/ingress/05-global-ingress.yml b/team-setup/templates/ingress/05-global-ingress.yml
index 1e6c4db..0de05f6 100644
--- a/team-setup/templates/ingress/05-global-ingress.yml
+++ b/team-setup/templates/ingress/05-global-ingress.yml
@@ -22,4 +22,29 @@ spec:
 - name: landingpage
 port: 80
 middlewares:
- - name: global-redirect-http
\ No newline at end of file
+ - name: global-redirect-http
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+ name: default
+ namespace: default
+spec:
+ cipherSuites:
+ {{- if .Values.ciphers }}
+ {{- range .Values.ciphers }}
+ - {{ . }}
+ {{- end }}
+ {{ else }}
+ # a collection of secure cipher suites (tested with sslabs.com)
+ - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+ - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+ - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+ - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+ - "TLS_AES_128_GCM_SHA256"
+ - "TLS_AES_256_GCM_SHA384"
+ - "TLS_CHACHA20_POLY1305_SHA256"
+ - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ - "TLS_FALLBACK_SCSV"
+ {{- end }}
\ No newline at end of file
diff --git a/team-setup/values.yaml b/team-setup/values.yaml
index f858ed0..19fa8fc 100644
--- a/team-setup/values.yaml
+++ b/team-setup/values.yaml
@@ -4,4 +4,10 @@ acme:

 app:
 name: cloud
- domain: example.org
\ No newline at end of file
+ domain: example.org
+
+# optional parameters (uncomment if needed)
+
+# a list of tls cipher suites
+# ciphers:
+# - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
\ No newline at end of file
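Review bot: The fallback list in the `{{ else }}` branch opens with `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, a CBC-mode suite, while its AEAD counterpart is missing; if that is a slip, `- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"` is the entry that matches the rest of the list, and the same CBC suite is the commented sample in values.yaml. The new `TLSOption` also sets no protocol floor, so older TLS versions may still be negotiated depending on the proxy's default; adding `minVersion: VersionTLS12` under `spec:` would pin it. `TLS_FALLBACK_SCSV` is a downgrade-signalling value rather than a cipher suite, so it is worth confirming that Traefik accepts it in `cipherSuites`. User-supplied entries are rendered unquoted by `- {{ . }}`; `- {{ . | quote }}` would keep them strings like the defaults.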
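Review bot: The comment above the commented-out `ciphers:` key does not say that setting it replaces the built-in list rather than extending it; the template in 05-global-ingress.yml renders either `.Values.ciphers` or the defaults, never both. A wording such as `# a list of tls cipher suites; when set, it replaces the chart's default list entirely` would make that visible. As written, uncommenting the sample leaves a single suite in the rendered `cipherSuites` list.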