Ingress¶

The ingress component is the primary entry point for all traffic to the cluster, it is currently deployed as an instance of ingress-nginx. It is tuned to work out of the box and should require no changes

Warning

The ingress component is a critical part of the cluster, and should be managed with care. Any changes to the ingress configuration should be carefully reviewed and tested before being applied to the cluster.

If you make any changes to the ingress configuration, you may see a small outage as the ingress controller is restarted.

Helm Chart¶

The ingress component is deployed using the ingress-nginx helm chart. The chart is configured with a number of values to ensure it works correctly with the cluster out of the box, however, you can override these values by adding the following to your inventory:

ingress_nginx_helm_values:
  foo: bar

These values will be merged with the default values in the chart, and will be used to configure the ingress controller.

TLS Version and Ciphers¶

To provide the most secure baseline configuration possible, ingress-nginx defaults to using TLS 1.2 and 1.3 only, with a secure set of TLS ciphers.

Verifying TLS Version and Ciphers¶

In order to check the TLS version and ciphers used by the ingress controller, you can use the [sslscan](https://github.com/rbsec/sslscan) tool:

sslscan dashboard.cloud.example.com

Legacy TLS¶

The default configuration, though secure, does not support some older browsers and operating systems.

In order to change this behaviour, you can make to make the following changes to the ingress_nginx_helm_values variable, the following example is using the Mozilla SSL Configuration Generator configured for the old profile:

ingress_nginx_helm_values:
  controller:
    config:
      ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
      ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"