Overview
When Traefik is used as the edge router in Konvoy, operators frequently need to configure how it handles HTTPS connections (minimum TLS protocol version, cipher suites, strict SNI checking, and so on) so that the cluster adheres to industry best practices.
This article describes which parameters to set in the cluster.yaml to control the minimum TLS protocol version and the cipher suites Traefik uses when handling HTTPS connections.
Solution
To set the minimum TLS version and the cipher suites Traefik uses for HTTPS connections, specify the values "tlsMinVersion" and "cipherSuites", respectively, in the cluster.yaml; they override the defaults of the Traefik Helm chart used in Konvoy.
- name: traefik
  enabled: true
  values: |
    ssl:
      tlsMinVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
To apply the changes, the following command must be executed:
> ./konvoy deploy addons
To confirm that the changes were applied, or simply to check the current minimum TLS version and cipher suites, collect the traefik-kubeaddons ConfigMap in the kubeaddons namespace with the following command:
> kubectl get cm traefik-kubeaddons -n kubeaddons -o yaml
The parameters minVersion and cipherSuites appear under [entryPoints.https.tls], as shown below:
[entryPoints.https.tls]
  minVersion = "VersionTLS12"
  cipherSuites = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
  ]
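To check that a policy like the one above behaves as intended before relying on it, the following Go program (an added example written for this article, not Konvoy's or Traefik's own code) builds a crypto/tls server configuration from the same minimum version and cipher-suite list (Traefik is written in Go and takes these suite names from crypto/tls), then performs three in-memory handshakes against it: a TLS 1.1 client, a TLS 1.2 client that offers only a CBC suite, and a TLS 1.2 client with Go's default suites. It also rejects a misspelt or insecure suite name, which would otherwise surface only when Traefik starts. The hostname traefik.example.invalid, the self-signed certificate and the helper names (suiteIDs, serverConfig, probe, client) are constructed for this demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// allowedSuites is the cipherSuites list from the cluster.yaml above.
var allowedSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
}

// suiteIDs resolves suite names, rejecting typos and anything crypto/tls classifies as insecure.
// Go's legacy names for the ChaCha20 suites lack the _SHA256 suffix tls.CipherSuites() reports.
func suiteIDs(names []string) ([]uint16, error) {
	ids := make([]uint16, 0, len(names))
	for _, n := range names {
		var id uint16
		for _, cs := range tls.CipherSuites() {
			if cs.Name == n || strings.HasSuffix(n, "_CHACHA20_POLY1305") && cs.Name == n+"_SHA256" {
				id = cs.ID
			}
		}
		if id == 0 {
			return nil, fmt.Errorf("cipher suite %q is unknown or classified insecure", n)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// serverConfig is the crypto/tls equivalent of the [entryPoints.https.tls] block above, served with
// a throwaway self-signed ECDSA certificate (constructed hostname; key and certificate generation
// only fail on a broken RNG or template, so those errors are not checked in this demo).
func serverConfig(minVersion uint16, suites []string) (*tls.Config, error) {
	ids, err := suiteIDs(suites)
	if err != nil {
		return nil, err
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "traefik.example.invalid"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return &tls.Config{MinVersion: minVersion, CipherSuites: ids,
		Certificates:           []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		SessionTicketsDisabled: true, // so the server writes nothing after the handshake on the pipe
	}, nil
}

// outcome is what one client saw: the negotiated suite, or Err when the handshake was refused.
type outcome struct{ Suite, Err string }

// probe runs one handshake over net.Pipe (no sockets needed); each side closes its pipe end as soon as it is done, so a refusal by either side cannot leave the other blocked.
func probe(srv, cli *tls.Config) outcome {
	cEnd, sEnd := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		err := tls.Server(sEnd, srv).Handshake()
		sEnd.Close()
		srvErr <- err
	}()
	c := tls.Client(cEnd, cli)
	err := c.Handshake()
	cEnd.Close()
	if serr := <-srvErr; err == nil {
		err = serr
	}
	if err != nil {
		return outcome{Err: err.Error()}
	}
	return outcome{Suite: tls.CipherSuiteName(c.ConnectionState().CipherSuite)}
}

// client builds a probing client (InsecureSkipVerify only because the server cert is self-signed); no suites means Go's default list.
func client(minVer, maxVer uint16, suites ...uint16) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: minVer, MaxVersion: maxVer, CipherSuites: suites}
}

func main() {
	srv, err := serverConfig(tls.VersionTLS12, allowedSuites)
	if err != nil {
		panic(err)
	}
	fmt.Println("TLS 1.1 client: ", probe(srv, client(tls.VersionTLS10, tls.VersionTLS11)))
	fmt.Println("CBC-only client:", probe(srv, client(tls.VersionTLS12, tls.VersionTLS12, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)))
	fmt.Println("modern client:  ", probe(srv, client(tls.VersionTLS12, tls.VersionTLS12)))
}
```

Run it with go run: the first two clients are refused (protocol version and handshake failure alerts, respectively) and the third negotiates one of the six listed suites. Two caveats worth keeping in mind: the cipherSuites list only governs TLS 1.2, because TLS 1.3 suites are fixed in Go's crypto/tls and therefore in Traefik, and a minVersion of VersionTLS12 still leaves TLS 1.3 enabled. Against the live endpoint, the equivalent check is an openssl s_client connection forced to -tls1_1 (which should be refused) next to one with default settings.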