blob: 7f31536b2810ccd96de45d43d7e417b7685e74fc [file] [log] [blame] [edit]
=======
Ingress
=======
The ingress component is the primary entry point for all traffic to the cluster,
it is currently deployed as an instance of ``ingress-nginx``. It is tuned to work
out of the box and should require no changes
.. admonition:: Warning
:class: warning
The ingress component is a critical part of the cluster, and should be
managed with care. Any changes to the ingress configuration should be
carefully reviewed and tested before being applied to the cluster.
If you make any changes to the ingress configuration, you may see a small
outage as the ingress controller is restarted.
**********
Helm Chart
**********
The ingress component is deployed using the ``ingress-nginx`` helm chart. The
chart is configured with a number of values to ensure it works correctly with
the cluster out of the box, however, you can override these values by adding
the following to your inventory:
.. code-block:: yaml
ingress_nginx_helm_values:
foo: bar
These values will be merged with the default values in the chart, and will be
used to configure the ingress controller.
***********************
TLS Version and Ciphers
***********************
To provide the most secure baseline configuration possible, ``ingress-nginx``
defaults to using TLS 1.2 and 1.3 only, with a `secure set of TLS ciphers <https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#ssl-ciphers>`_.
Verifying TLS Version and Ciphers
=================================
In order to check the TLS version and ciphers used by the ingress controller,
you can use the [sslscan](https://github.com/rbsec/sslscan) tool:
.. code-block:: console
sslscan dashboard.cloud.example.com
Legacy TLS
==========
The default configuration, though secure, does not support some older browsers
and operating systems.
In order to change this behaviour, you can make to make the following changes
to the ``ingress_nginx_helm_values`` variable, the following example is using the
`Mozilla SSL Configuration Generator <https://ssl-config.mozilla.org/#server=nginx&config=old>`_
configured for the *old* profile:
.. code-block:: yaml
ingress_nginx_helm_values:
controller:
config:
ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"