Browse Source

Set a fixed cipher suite set for Traefik

Explicitly set the support cipher suite for Ingress TLS using Traefik,
following Mozilla intermediate minus DES3:
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29

Move the Traefik configuration to a ConfigMap for more flexbility than
provided by command line arguments.

Change-Id: I5a5a95385c4143cce21c60073ae168336c4b2f27
Story: 2005326
Task: 30254
changes/49/648649/1
Ricardo Rocha 2 years ago
parent
commit
470fc261d5
1 changed files with 47 additions and 6 deletions
  1. +47
    -6
      magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh

+ 47
- 6
magnum/drivers/common/templates/kubernetes/fragments/enable-ingress-traefik.sh View File

@ -1,6 +1,45 @@
INGRESS_TRAEFIK_MANIFEST=/srv/magnum/kubernetes/ingress-traefik.yaml
INGRESS_TRAEFIK_MANIFEST_CONTENT=$(cat <<EOF
---
kind: ConfigMap
apiVersion: v1
metadata:
name: ingress-traefik
namespace: kube-system
labels:
k8s-app: ingress-traefik-backend
data:
traefik.toml: |-
logLevel = "INFO"
defaultEntryPoints = ["http", "https"]
[api]
[kubernetes]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA"
]
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
@ -32,12 +71,14 @@ spec:
containerPort: 8080
securityContext:
privileged: true
args:
- --api
- --logLevel=INFO
- --kubernetes
- --entrypoints=Name:http Address::80
- --entrypoints=Name:https Address::443 TLS
volumeMounts:
- name: ingress-traefik
mountPath: /etc/traefik/traefik.toml
subPath: traefik.toml
volumes:
- name: ingress-traefik
configMap:
name: ingress-traefik
nodeSelector:
role: ${INGRESS_CONTROLLER_ROLE}
---


Loading…
Cancel
Save