.. Mohammed Naser | a546734 | 2024-04-30 00:34:16 -0400

=======
Ingress
=======

The ingress component is the primary entry point for all traffic to the cluster.
It is currently deployed as an instance of ``ingress-nginx``, tuned to work out
of the box, and should require no changes for most deployments.

.. admonition:: Warning
   :class: warning

   The ingress component is a critical part of the cluster and should be
   managed with care. Any change to the ingress configuration should be
   carefully reviewed and tested before being applied to the cluster.

   If you make any changes to the ingress configuration, you may see a short
   outage while the ingress controller is restarted.

**********
Helm Chart
**********

The ingress component is deployed using the ``ingress-nginx`` Helm chart. The
chart is configured with a number of values to ensure it works correctly with
the cluster out of the box; you can override these values by adding the
following to your inventory:

.. code-block:: yaml

   ingress_nginx_helm_values:
     foo: bar

These values are merged with the default values in the chart, and the merged
result is used to configure the ingress controller.

***********************
TLS Version and Ciphers
***********************

To provide the most secure baseline configuration possible, ``ingress-nginx``
defaults to using TLS 1.2 and 1.3 only, with a `secure set of TLS ciphers <https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#ssl-ciphers>`_.

Verifying TLS Version and Ciphers
=================================

To check the TLS versions and ciphers offered by the ingress controller, you can
run the `sslscan <https://github.com/rbsec/sslscan>`_ tool against any hostname
it serves. The output reports which protocol versions are enabled and the cipher
suites accepted under each; with the default configuration, TLSv1.0 and TLSv1.1
should be reported as disabled:

.. code-block:: console

   sslscan dashboard.cloud.example.com
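If ``sslscan`` is not available where you are testing from, the same question
(does the endpoint still accept a deprecated protocol version?) can be asked with
nothing but the Python standard library. The script below is an added example
for this page, not code from this repository or from ``ingress-nginx``; the
hostname ``dashboard.cloud.example.com`` is the placeholder used above, the
probe functions need network access, and ``assess_results()`` works on the
probe's result map alone. Unlike ``sslscan`` it does not enumerate every cipher
per version; it only reports the suite the server picked for each pinned version.

```python
"""Probe which TLS protocol versions an HTTPS endpoint accepts.

Added example for this page; not code from this repository or from
ingress-nginx. probe_version()/probe_versions() need network access,
assess_results() does not. The default target hostname is the page's
placeholder and is an assumption.
"""
import socket
import ssl
import sys

# Protocol versions to try, oldest first. TLS 1.0 and 1.1 are deprecated by
# RFC 8996; the ingress-nginx default (TLS 1.2 and 1.3 only) rejects both.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLSv1.0", "TLSv1.1"}


def probe_version(host, version, port=443, timeout=5.0):
    """Attempt one handshake pinned to exactly ``version``.

    Returns the negotiated cipher name when the server accepts that version,
    or None when it refuses (or when the local OpenSSL cannot even offer it).
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = version
        ctx.maximum_version = version
        # We are testing protocol support, not the certificate chain, so
        # identity checks are deliberately off here. Never copy this into a
        # real client.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL security levels refuse to offer TLS 1.0/1.1;
            # lowering the level emulates the old client we are worried about.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        return None


def probe_versions(host, port=443, timeout=5.0):
    """Probe every version in VERSIONS; returns {version name: cipher or None}."""
    return {name: probe_version(host, ver, port, timeout)
            for name, ver in VERSIONS.items()}


def assess_results(results):
    """Turn a {version: cipher-or-None} map into a list of findings.

    An empty list means the endpoint behaves like the ingress-nginx default:
    TLS 1.0 and 1.1 refused, TLS 1.2 and 1.3 accepted.
    """
    findings = []
    for name in VERSIONS:
        cipher = results.get(name)
        if name in LEGACY and cipher is not None:
            findings.append(f"{name} accepted (negotiated {cipher})")
    if results.get("TLSv1.3") is None:
        findings.append("TLSv1.3 not offered")
    if results.get("TLSv1.2") is None and results.get("TLSv1.3") is None:
        findings.append("no modern TLS version accepted; check the endpoint is TLS at all")
    return findings


if __name__ == "__main__":
    # Assumed placeholder hostname, as on the page; pass a real one as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "dashboard.cloud.example.com"
    results = probe_versions(target)
    for name, cipher in results.items():
        print(f"{name:8} {'accepted, ' + cipher if cipher else 'rejected'}")
    findings = assess_results(results)
    for finding in findings:
        print("FINDING:", finding)
    sys.exit(1 if findings else 0)
```

Run it as ``python3 probe_tls.py dashboard.cloud.example.com``; a non-zero exit
code means at least one deviation from the TLS 1.2/1.3-only baseline was found,
which makes it easy to drop into a post-deployment check.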

Legacy TLS
==========

The default configuration, though secure, does not support some older browsers
and operating systems.

To change this behaviour, add the following to the ``ingress_nginx_helm_values``
variable. The example below uses the
`Mozilla SSL Configuration Generator <https://ssl-config.mozilla.org/#server=nginx&config=old>`_
configured for the *old* profile. Note that this re-enables TLS 1.0 and 1.1,
which are deprecated by RFC 8996, as well as 3DES (``DES-CBC3-SHA``) and CBC
suites with HMAC-SHA1; only widen the configuration if you have confirmed that
clients you must support need it, and revert to the default once they are gone:

.. code-block:: yaml

   ingress_nginx_helm_values:
     controller:
       config:
         ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
         ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
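Whether that trade-off is acceptable depends on what each suite in the list
gives up. The following added example (not code from this repository or from
``ingress-nginx``) classifies an OpenSSL-style cipher list purely by OpenSSL's
naming convention, using the ``ssl-ciphers`` value above as its input, so you
can see which entries re-introduce static RSA key exchange, CBC mode, HMAC-SHA1
or 3DES. The weakness labels are the example's own wording, and TLS 1.3 suites
(``TLS_AES_...``) are out of scope because nginx negotiates them separately from
``ssl_ciphers``.

```python
"""Classify an OpenSSL cipher list such as the ``ssl-ciphers`` value above.

Added example for this page; not code from this repository or from
ingress-nginx. Suites are classified by OpenSSL's naming convention alone
(key-exchange prefix, bulk cipher, MAC/PRF suffix). OLD_PROFILE is the list
quoted on the page; the weakness labels are this example's own.
"""
from dataclasses import dataclass

# The Mozilla "old" profile cipher list quoted on the page, unchanged.
OLD_PROFILE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
)


@dataclass(frozen=True)
class Suite:
    name: str
    forward_secrecy: bool   # ephemeral (EC)DHE key exchange
    aead: bool              # GCM or ChaCha20-Poly1305: no separate MAC
    triple_des: bool        # DES-CBC3: 64-bit block cipher
    sha1_mac: bool          # CBC suite authenticated with HMAC-SHA1

    def weaknesses(self):
        """Why a hardened baseline leaves this suite out (empty list = keeps it)."""
        found = []
        if not self.forward_secrecy:
            found.append("no forward secrecy (static RSA key exchange)")
        if self.triple_des:
            found.append("3DES, 64-bit block (Sweet32)")
        if self.sha1_mac:
            found.append("CBC with HMAC-SHA1")
        elif not self.aead:
            found.append("CBC mode, not AEAD")
        return found


def classify(name):
    """Derive a Suite from an OpenSSL cipher name alone."""
    aead = "-GCM-" in name or "CHACHA20-POLY1305" in name
    return Suite(
        name=name,
        forward_secrecy=name.startswith(("ECDHE-", "DHE-")),
        aead=aead,
        triple_des="DES-CBC3" in name,
        # GCM/ChaCha names end in the PRF hash, not a MAC; only CBC suites
        # ending in a bare "-SHA" use HMAC-SHA1.
        sha1_mac=(not aead) and name.endswith("-SHA"),
    )


def parse_cipher_list(value):
    """Split an OpenSSL cipher string into Suites, skipping list directives.

    Tokens such as ``!aNULL``, ``@SECLEVEL=2``, ``-RC4`` or ``+HIGH`` are
    OpenSSL list operators rather than suite names and are ignored here.
    """
    suites = []
    for token in value.split(":"):
        token = token.strip()
        if not token or token.startswith(("!", "@", "-", "+")):
            continue
        suites.append(classify(token))
    return suites


def audit(value):
    """Map every suite that has at least one weakness to its list of weaknesses."""
    return {s.name: s.weaknesses() for s in parse_cipher_list(value) if s.weaknesses()}


def strong_only(value):
    """The forward-secret AEAD subset of a list, in its original order."""
    return [s.name for s in parse_cipher_list(value) if s.forward_secrecy and s.aead]


if __name__ == "__main__":
    print("forward-secret AEAD suites (a hardened baseline keeps these):")
    for name in strong_only(OLD_PROFILE):
        print("  ", name)
    print("suites the old profile adds back, and why a baseline drops them:")
    for name, reasons in audit(OLD_PROFILE).items():
        print(f"   {name}: {'; '.join(reasons)}")
```

Running it against the page's list shows that only the first nine entries are
forward-secret AEAD suites; the remaining seventeen exist solely for client
compatibility, and every one of them carries at least one of the listed
weaknesses. The same functions can be pointed at your own ``ssl-ciphers``
override before you apply it.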