fix(base-cluster): weak cipher suites removal (#276)

* chore: incremental patch Chart version increase * fix: allow only safe cipher suites for TLSv1.2 and permit extra configurable options * chore: Update 'README.md's --------- Co-authored-by: jpkraemer-mg <[email protected]>
4ALLPORTAL · Nov 29, 2024 · 18d1099 · 18d1099
1 parent 59b2061
commit 18d1099
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 2 deletions.
diff --git a/charts/base-cluster/Chart.yaml b/charts/base-cluster/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A generic, base cluster setup
 name: base-cluster
-version: 40.2.2
+version: 40.2.3
 home: "https://4allportal.com"
 maintainers:
   - name: jpkraemer-mg

diff --git a/charts/base-cluster/README.md b/charts/base-cluster/README.md
@@ -1,6 +1,6 @@
 # base-cluster
 
-![Version: 40.2.2](https://img.shields.io/badge/Version-40.2.2-informational?style=flat-square)
+![Version: 40.2.3](https://img.shields.io/badge/Version-40.2.3-informational?style=flat-square)
 
 A generic, base cluster setup
 
@@ -217,6 +217,7 @@ This helm chart requires flux v2 to be installed (https://fluxcd.io/docs/install
 | speedtest.image.registry | string | `""` |  |
 | speedtest.image.repository | string | `"adolfintel/speedtest"` |  |
 | speedtest.image.tag | string | `"latest"` |  |
+| traefik.cipherSuites | list | `[]` |  |
 | traefik.debug.enabled | bool | `false` |  |
 | traefik.log.level | string | `"ERROR"` |  |
 | traefik.maxReplicas | int | `8` |  |

diff --git a/charts/base-cluster/templates/ingress/traefik.yaml b/charts/base-cluster/templates/ingress/traefik.yaml
@@ -123,6 +123,13 @@ spec:
       default:
         preferServerCipherSuites: true
         minVersion: VersionTLS12
+        cipherSuites:
+          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+          {{- with .Values.traefik.cipherSuites }}
+          - {{- . | toYaml | nindent 10 }}
+          {{- end }}
 
     podSecurityContext:
       runAsUser: 65532

diff --git a/charts/base-cluster/values.schema.json b/charts/base-cluster/values.schema.json
@@ -265,6 +265,12 @@
               "default": false
             }
           }
+        },
+        "cipherSuites": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
         }
       },
       "additionalProperties": false

diff --git a/charts/base-cluster/values.yaml b/charts/base-cluster/values.yaml
@@ -75,6 +75,7 @@ traefik:
       memory: 500Mi
   minReplicas: 2
   maxReplicas: 8
+  cipherSuites: []
 
 speedtest:
   enabled: true