| ======= |
| Ingress |
| ======= |
| |
| The ingress component is the primary entry point for all traffic to the cluster, |
| it is currently deployed as an instance of ``ingress-nginx``. It is tuned to work |
| out of the box and should require no changes |
| |
| .. admonition:: Warning |
| :class: warning |
| |
| The ingress component is a critical part of the cluster, and should be |
| managed with care. Any changes to the ingress configuration should be |
| carefully reviewed and tested before being applied to the cluster. |
| |
| If you make any changes to the ingress configuration, you may see a small |
| outage as the ingress controller is restarted. |
| |
| ********** |
| Helm Chart |
| ********** |
| |
| The ingress component is deployed using the ``ingress-nginx`` helm chart. The |
| chart is configured with a number of values to ensure it works correctly with |
| the cluster out of the box, however, you can override these values by adding |
| the following to your inventory: |
| |
| .. code-block:: yaml |
| |
| ingress_nginx_helm_values: |
| foo: bar |
| |
| These values will be merged with the default values in the chart, and will be |
| used to configure the ingress controller. |
| |
| *********************** |
| TLS Version and Ciphers |
| *********************** |
| |
| To provide the most secure baseline configuration possible, ``ingress-nginx`` |
| defaults to using TLS 1.2 and 1.3 only, with a `secure set of TLS ciphers <https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#ssl-ciphers>`_. |
| |
| Verifying TLS Version and Ciphers |
| ================================= |
| |
| In order to check the TLS version and ciphers used by the ingress controller, |
| you can use the [sslscan](https://github.com/rbsec/sslscan) tool: |
| |
| .. code-block:: console |
| |
| sslscan dashboard.cloud.example.com |
| |
| Legacy TLS |
| ========== |
| |
| The default configuration, though secure, does not support some older browsers |
| and operating systems. |
| |
| In order to change this behaviour, you can make to make the following changes |
| to the ``ingress_nginx_helm_values`` variable, the following example is using the |
| `Mozilla SSL Configuration Generator <https://ssl-config.mozilla.org/#server=nginx&config=old>`_ |
| configured for the *old* profile: |
| |
| .. code-block:: yaml |
| |
| ingress_nginx_helm_values: |
| controller: |
| config: |
| ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" |
| ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" |