Vault--;Update TLS ciphers

This commit is contained in:
Danny Bessems 2023-12-28 13:15:22 +11:00
parent 1d0e465630
commit 184dca5e37
5 changed files with 10 additions and 103 deletions

View File

@ -77,14 +77,15 @@ spec:
- secp521r1 - secp521r1
- secp384r1 - secp384r1
cipherSuites: cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_FALLBACK_SCSV - TLS_FALLBACK_SCSV
- apiVersion: bitnami.com/v1alpha1 - apiVersion: bitnami.com/v1alpha1
kind: SealedSecret kind: SealedSecret
@ -109,9 +110,9 @@ spec:
- websecure - websecure
matchRule: Host(`ingress.spamasaurus.com`) matchRule: Host(`ingress.spamasaurus.com`)
middlewares: middlewares:
# - name: 2fa-authentication@file - name: 2fa-authentication@file
- name: security-headers@file - name: security-headers@file
- name: compression@file # - name: compression@file
logs: logs:
general: general:
level: DEBUG level: DEBUG
@ -125,6 +126,8 @@ spec:
redirectTo: redirectTo:
port: websecure port: websecure
websecure: websecure:
forwardedHeaders:
insecure: true
tls: tls:
options: defaults@file options: defaults@file
certResolver: default certResolver: default

View File

@ -1,35 +0,0 @@
### 1) HashiCorp Vault
Not currently in use (using bitnami sealed-secrets instead); left for reference
##### 1.1) Create `persistentVolume` and `ingressRoute`
*Requires specifying a `uid` & `gid` in the flexvolSMB-`persistentVolume`*
```shell
kubectl create namespace vault
kubectl apply -f services/Vault/persistentVolume-Vault.yml
kubectl apply -f services/Vault/ingressRoute-Vault.yml
```
##### 1.2) Install Helm Chart
*REMOVED; left for reference*
See [HashiCorp Vault](https://www.vaultproject.io/docs/platform/k8s/helm/run):
```shell
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
helm install vault hashicorp/vault --namespace vault --values=services/Vault/chart-values.yml
```
Configure Vault for use;
- ~~Enable Kubernetes authentication (see https://www.vaultproject.io/api-docs/auth/kubernetes)~~- Store basic access policy template
- Enable `kv`-engine
```
# kubectl exec -n vault -it vault-0 -- sh
# It might be necessary to first login with an existing token:
# vault login
cat <<EOF > /home/vault/app-policy.hcl
path "secret*" {
capabilities = ["read"]
}
EOF
vault secrets enable -path=secret -version=2 kv
```

View File

@ -1,10 +0,0 @@
server:
dataStorage:
enabled: true
size: 1Gi
storageClass: flexvolsmb-vault-data
accessMode: ReadWriteMany
priorityClassName: system-cluster-critical
ui:
enabled: true

View File

@ -1,18 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: vault
namespace: vault
spec:
entryPoints:
- websecure
routes:
- match: Host(`secure.spamasaurus.com`)
kind: Rule
services:
- name: vault
namespace: vault
port: 8200
middlewares:
- name: security-headers@file
- name: compression@file

View File

@ -1,33 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-vault-data
namespace: vault
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-vault-data
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
namespace: default
options:
opts: domain=bessems.eu,file_mode=0755,dir_mode=0755,uid=100,gid=1000,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/vault/data
---
#apiVersion: v1
#kind: PersistentVolumeClaim
#metadata:
# name: data-vault-0
# namespace: vault
#spec:
# accessModes:
# - ReadWriteMany
# storageClassName: flexvolsmb-vault-data
# resources:
# requests:
# storage: 1Gi