From 184dca5e37743acd443cc51ed0456c79183dfee1 Mon Sep 17 00:00:00 2001
From: Danny Bessems
Date: Thu, 28 Dec 2023 13:15:22 +1100
Subject: [PATCH] Vault--;Update TLS ciphers
---
.../Traefik2.x/helmchartconfig-traefik.yaml | 17 +++++----
services/Vault/README.md | 35 -------------------
services/Vault/chart-values.yml | 10 ------
services/Vault/ingressRoute-Vault.yml | 18 ----------
services/Vault/persistentVolume-Vault.yml | 33 -----------------
5 files changed, 10 insertions(+), 103 deletions(-)
delete mode 100644 services/Vault/README.md
delete mode 100644 services/Vault/chart-values.yml
delete mode 100644 services/Vault/ingressRoute-Vault.yml
delete mode 100644 services/Vault/persistentVolume-Vault.yml
diff --git a/ingress/Traefik2.x/helmchartconfig-traefik.yaml b/ingress/Traefik2.x/helmchartconfig-traefik.yaml
index 3756f69..6dcf116 100644
--- a/ingress/Traefik2.x/helmchartconfig-traefik.yaml
+++ b/ingress/Traefik2.x/helmchartconfig-traefik.yaml
@@ -77,14 +77,15 @@ spec: - secp521r1 - secp384r1 cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - TLS_FALLBACK_SCSV - apiVersion: bitnami.com/v1alpha1 kind: SealedSecret
@@ -109,9 +110,9 @@ spec: - websecure matchRule: Host(`ingress.spamasaurus.com`) middlewares: - # - name: 2fa-authentication@file + - name: 2fa-authentication@file - name: security-headers@file - - name: compression@file + # - name: compression@file logs: general: level: DEBUG
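Review bot: The `TLS_AES_*` and `TLS_CHACHA20_POLY1305_SHA256` entries kept at the head of `cipherSuites` are TLS 1.3 suites, which Go's crypto/tls (and so Traefik) does not let an application restrict, so this list only governs TLS 1.2 handshakes and the effective change is re-adding the six ECDHE suites in alphabetical order; `TLS_FALLBACK_SCSV` is likewise a signalling value, not a cipher. On recent Go releases the list order is not a server preference either, so the reordering looks cosmetic — worth confirming against the Traefik version actually deployed, which the patch does not show. A short comment would stop the next reader from trying to harden TLS 1.3 here: `# TLS 1.3 suites and TLS_FALLBACK_SCSV are not configurable in Go's crypto/tls; this list restricts TLS 1.2 only`. Whether a `minVersion` is set for this options block is outside the hunk.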
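Review bot: With `2fa-authentication@file` now enabled on the `ingress.spamasaurus.com` route it sits ahead of `security-headers@file`, and Traefik chains middlewares in the listed order; if the auth middleware answers the request itself (a 401 or a redirect to the authenticator), that response never passes through the headers middleware and the challenge pages go out without the hardening headers. Listing `- name: security-headers@file` first and `- name: 2fa-authentication@file` second keeps the headers on every response of this route. The commit title mentions only TLS ciphers, so the commented-out `compression@file` deserves a one-line comment stating why it was disabled rather than a bare comment-out, otherwise the next cleanup is likely to re-enable it.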
@@ -125,6 +126,8 @@ spec: redirectTo: port: websecure websecure: + forwardedHeaders: + insecure: true tls: options: defaults@file certResolver: default
diff --git a/services/Vault/README.md b/services/Vault/README.md
deleted file mode 100644
index f48268d..0000000
--- a/services/Vault/README.md
+++ /dev/null
@@ -1,35 +0,0 @@ -### 1) HashiCorp Vault -Not currently in use (using bitnami sealed-secrets instead); left for reference - -##### 1.1) Create `persistentVolume` and `ingressRoute` -*Requires specifying a `uid` & `gid` in the flexvolSMB-`persistentVolume`* -```shell -kubectl create namespace vault -kubectl apply -f services/Vault/persistentVolume-Vault.yml -kubectl apply -f services/Vault/ingressRoute-Vault.yml -``` -##### 1.2) Install Helm Chart -*REMOVED; left for reference* -See [HashiCorp Vault](https://www.vaultproject.io/docs/platform/k8s/helm/run): -```shell -helm repo add hashicorp https://helm.releases.hashicorp.com -helm repo update -helm install vault hashicorp/vault --namespace vault --values=services/Vault/chart-values.yml -``` -Configure Vault for use; -- ~~Enable Kubernetes authentication (see https://www.vaultproject.io/api-docs/auth/kubernetes)~~- Store basic access policy template -- Enable `kv`-engine -``` -# kubectl exec -n vault -it vault-0 -- sh - -# It might be necessary to first login with an existing token: -# vault login - -cat < /home/vault/app-policy.hcl -path "secret*" { - capabilities = ["read"] -} -EOF - -vault secrets enable -path=secret -version=2 kv -```
diff --git a/services/Vault/chart-values.yml b/services/Vault/chart-values.yml
deleted file mode 100644
index 6deadca..0000000
--- a/services/Vault/chart-values.yml
+++ /dev/null
@@ -1,10 +0,0 @@ -server: - dataStorage: - enabled: true - size: 1Gi - storageClass: flexvolsmb-vault-data - accessMode: ReadWriteMany - priorityClassName: system-cluster-critical - -ui: - enabled: true
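Review bot: `forwardedHeaders.insecure: true` on the `websecure` entryPoint makes Traefik trust `X-Forwarded-*` headers from every client, so any caller can present an arbitrary source address and scheme to the routers, the access log and any IP-based middleware behind this entryPoint. If the intent is to honour headers set by an upstream proxy or load balancer, limit trust to it: replace `insecure: true` with `trustedIPs:` followed by `- <UPSTREAM_PROXY_CIDR>` (placeholder — fill in the real proxy range). If there is no upstream proxy the setting is unnecessary and should be dropped. Either way a comment such as `# trust X-Forwarded-* only from the upstream proxy` would record the decision for the next reader.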
diff --git a/services/Vault/ingressRoute-Vault.yml b/services/Vault/ingressRoute-Vault.yml deleted file mode 100644 index 268b956..0000000 --- a/services/Vault/ingressRoute-Vault.yml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: vault - namespace: vault -spec: - entryPoints: - - websecure - routes: - - match: Host(`secure.spamasaurus.com`) - kind: Rule - services: - - name: vault - namespace: vault - port: 8200 - middlewares: - - name: security-headers@file - - name: compression@file diff --git a/services/Vault/persistentVolume-Vault.yml b/services/Vault/persistentVolume-Vault.yml deleted file mode 100644 index 0c835e7..0000000 --- a/services/Vault/persistentVolume-Vault.yml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: flexvolsmb-vault-data - namespace: vault -spec: - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - storageClassName: flexvolsmb-vault-data - flexVolume: - driver: mount/smb - secretRef: - name: smb-secret - namespace: default - options: - opts: domain=bessems.eu,file_mode=0755,dir_mode=0755,uid=100,gid=1000,iocharset=utf8,nobrl - server: 192.168.11.225 - share: /K3s.Volumes/vault/data ---- -#apiVersion: v1 -#kind: PersistentVolumeClaim -#metadata: -# name: data-vault-0 -# namespace: vault -#spec: -# accessModes: -# - ReadWriteMany -# storageClassName: flexvolsmb-vault-data -# resources: -# requests: -# storage: 1Gi