Vault--;Update TLS ciphers
parent
1d0e465630
commit
184dca5e37
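--- a/PATH-NOT-ON-PAGE-section-1
+++ b/PATH-NOT-ON-PAGE-section-1
@@ -77,14 +77,15 @@ spec:
 - secp521r1
 - secp384r1
 cipherSuites:
-- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 - TLS_AES_128_GCM_SHA256
 - TLS_AES_256_GCM_SHA384
 - TLS_CHACHA20_POLY1305_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
 - TLS_FALLBACK_SCSV
 - apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
@@ -109,9 +110,9 @@ spec:
 - websecure
 matchRule: Host(`ingress.spamasaurus.com`)
 middlewares:
-# - name: 2fa-authentication@file
+- name: 2fa-authentication@file
 - name: security-headers@file
-- name: compression@file
+# - name: compression@file
 logs:
 general:
 level: DEBUG
@@ -125,6 +126,8 @@ spec:
 redirectTo:
 port: websecure
 websecure:
+forwardedHeaders:
+insecure: true
 tls:
 options: defaults@file
 certResolver: default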
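Review bot: `insecure: true` under `forwardedHeaders` on the `websecure` entry point (third hunk) tells Traefik to accept X-Forwarded-* headers from any client, so a caller can present an arbitrary source address and scheme; if the `2fa-authentication@file` middleware enabled in the second hunk, or any IP-based allow-list, keys on the client address, it will see the forged value. If these headers really arrive from an upstream proxy or load balancer, name that source instead of trusting everyone, e.g. `forwardedHeaders:` / `trustedIPs:` / `- <UPSTREAM-PROXY-CIDR placeholder>`; if nothing sits in front of Traefik, drop the key. The rendered page has lost the YAML indentation, so the nesting of `forwardedHeaders` under `websecure` should be checked in the file itself. The `entryPoints` mapping that encloses `websecure` starts outside the hunk.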
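--- a/PATH-NOT-ON-PAGE-section-2
+++ /dev/null
@@ -1,35 +0,0 @@
-### 1) HashiCorp Vault
-Not currently in use (using bitnami sealed-secrets instead); left for reference
-
-##### 1.1) Create `persistentVolume` and `ingressRoute`
-*Requires specifying a `uid` & `gid` in the flexvolSMB-`persistentVolume`*
-```shell
-kubectl create namespace vault
-kubectl apply -f services/Vault/persistentVolume-Vault.yml
-kubectl apply -f services/Vault/ingressRoute-Vault.yml
-```
-##### 1.2) Install Helm Chart
-*REMOVED; left for reference*
-See [HashiCorp Vault](https://www.vaultproject.io/docs/platform/k8s/helm/run):
-```shell
-helm repo add hashicorp https://helm.releases.hashicorp.com
-helm repo update
-helm install vault hashicorp/vault --namespace vault --values=services/Vault/chart-values.yml
-```
-Configure Vault for use;
-- ~~Enable Kubernetes authentication (see https://www.vaultproject.io/api-docs/auth/kubernetes)~~- Store basic access policy template
-- Enable `kv`-engine
-```
-# kubectl exec -n vault -it vault-0 -- sh
-
-# It might be necessary to first login with an existing token:
-# vault login
-
-cat <<EOF > /home/vault/app-policy.hcl
-path "secret*" {
-capabilities = ["read"]
-}
-EOF
-
-vault secrets enable -path=secret -version=2 kv
-```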
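--- a/services/Vault/chart-values.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-server:
-dataStorage:
-enabled: true
-size: 1Gi
-storageClass: flexvolsmb-vault-data
-accessMode: ReadWriteMany
-priorityClassName: system-cluster-critical
-
-ui:
-enabled: true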
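--- a/services/Vault/ingressRoute-Vault.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-name: vault
-namespace: vault
-spec:
-entryPoints:
-- websecure
-routes:
-- match: Host(`secure.spamasaurus.com`)
-kind: Rule
-services:
-- name: vault
-namespace: vault
-port: 8200
-middlewares:
-- name: security-headers@file
-- name: compression@file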
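--- a/services/Vault/persistentVolume-Vault.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-name: flexvolsmb-vault-data
-namespace: vault
-spec:
-capacity:
-storage: 1Gi
-accessModes:
-- ReadWriteMany
-storageClassName: flexvolsmb-vault-data
-flexVolume:
-driver: mount/smb
-secretRef:
-name: smb-secret
-namespace: default
-options:
-opts: domain=bessems.eu,file_mode=0755,dir_mode=0755,uid=100,gid=1000,iocharset=utf8,nobrl
-server: 192.168.11.225
-share: /K3s.Volumes/vault/data
----
-#apiVersion: v1
-#kind: PersistentVolumeClaim
-#metadata:
-# name: data-vault-0
-# namespace: vault
-#spec:
-# accessModes:
-# - ReadWriteMany
-# storageClassName: flexvolsmb-vault-data
-# resources:
-# requests:
-# storage: 1Gi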