Set a fixed cipher suite set for Traefik
Explicitly set the supported cipher suites for Ingress TLS using Traefik, following Mozilla intermediate minus DES3: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 Move the Traefik configuration to a ConfigMap for more flexibility than command line arguments provide. Change-Id: I5a5a95385c4143cce21c60073ae168336c4b2f27 Story: 2005326 Task: 30254
This commit is contained in:
parent
fb82777983
commit
470fc261d5
|
@ -1,6 +1,45 @@
|
|||
INGRESS_TRAEFIK_MANIFEST=/srv/magnum/kubernetes/ingress-traefik.yaml
|
||||
INGRESS_TRAEFIK_MANIFEST_CONTENT=$(cat <<EOF
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: ingress-traefik
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-app: ingress-traefik-backend
|
||||
data:
|
||||
traefik.toml: |-
|
||||
logLevel = "INFO"
|
||||
defaultEntryPoints = ["http", "https"]
|
||||
[api]
|
||||
[kubernetes]
|
||||
[entryPoints]
|
||||
[entryPoints.http]
|
||||
address = ":80"
|
||||
[entryPoints.https]
|
||||
address = ":443"
|
||||
[entryPoints.https.tls]
|
||||
cipherSuites = [
|
||||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA"
|
||||
]
|
||||
---
|
||||
kind: DaemonSet
|
||||
apiVersion: extensions/v1beta1
|
||||
metadata:
|
||||
|
@ -32,12 +71,14 @@ spec:
|
|||
containerPort: 8080
|
||||
securityContext:
|
||||
privileged: true
|
||||
args:
|
||||
- --api
|
||||
- --logLevel=INFO
|
||||
- --kubernetes
|
||||
- --entrypoints=Name:http Address::80
|
||||
- --entrypoints=Name:https Address::443 TLS
|
||||
volumeMounts:
|
||||
- name: ingress-traefik
|
||||
mountPath: /etc/traefik/traefik.toml
|
||||
subPath: traefik.toml
|
||||
volumes:
|
||||
- name: ingress-traefik
|
||||
configMap:
|
||||
name: ingress-traefik
|
||||
nodeSelector:
|
||||
role: ${INGRESS_CONTROLLER_ROLE}
|
||||
---
|
||||
|
|
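Review bot: The new `[entryPoints.https.tls]` block pins `cipherSuites` but sets no minimum protocol version, so the list only constrains which suites are offered, not whether TLS 1.0/1.1 can still be negotiated with the CBC suites it contains (Traefik 1.x inherits Go's default floor here, which I believe was TLS 1.0 at the time). Adding `minVersion = "VersionTLS12"` directly above `cipherSuites = [` under `[entryPoints.https.tls]` would make the profile match the TLS-1.2-only intent the commit message cites. Separately, the `*_WITH_AES_128_CBC_SHA256` entries are worth a comment in the TOML noting they are kept for the Mozilla intermediate baseline only, since Go's crypto/tls has since classed those suites as insecure (non-constant-time implementation) — verify against the Go version Traefik is built with before relying on them. The heredoc that carries this manifest opens at the top of the first hunk and its `EOF` terminator lies outside both hunks.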