mTLS
@@ -107,6 +107,9 @@ metadata:
|
||||
name: api-ingress
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-production-http
|
||||
# Traefik 2 mTLS Configuration
|
||||
traefik.ingress.kubernetes.io/router.tls.options: homea2-mtls@kubernetescrd
|
||||
traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
|
||||
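--- /dev/null
+++ b/deployment/mtls-config.yaml
@@ -0,0 +1,45 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+name: homea2-mtls
+spec:
+clientAuth:
+secretNames:
+- mtls-ca-cert
+clientAuthType: RequireAndVerifyClientCert
+minVersion: "VersionTLS12"
+cipherSuites:
+- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+- "TLS_RSA_WITH_AES_256_GCM_SHA384"
+- "TLS_RSA_WITH_AES_128_GCM_SHA256"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+name: mtls-auth
+spec:
+headers:
+customRequestHeaders:
+X-Client-Cert: ""
+customResponseHeaders:
+X-mTLS-Verified: "true"
+# Optional: Add IP whitelist for additional security
+# ipWhiteList:
+# sourceRange:
+# - "10.0.0.0/8"
+# - "192.168.0.0/16"
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+name: security-headers
+spec:
+headers:
+customResponseHeaders:
+X-Frame-Options: "SAMEORIGIN"
+X-Content-Type-Options: "nosniff"
+X-XSS-Protection: "1; mode=block"
+Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
+contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"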
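Review bot: The `security-headers` Middleware at the end of this file is never attached — both ingress hunks in this commit (api-ingress and ui-ingress) set `traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd` only, so none of the response headers it defines are emitted unless it is referenced somewhere outside this commit; attaching it is a one-line change on each ingress, `traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd,homea2-security-headers@kubernetescrd`. The cipher suite list also keeps `TLS_RSA_WITH_AES_256_GCM_SHA384` and `TLS_RSA_WITH_AES_128_GCM_SHA256`, which use static RSA key exchange and give no forward secrecy; with `minVersion: "VersionTLS12"` already set, the three ECDHE suites above them cover TLS 1.2 clients, and TLS 1.3 suites are not governed by this list anyway, so those two lines can be dropped. The `homea2-mtls` and `homea2-mtls-auth` references in the ingress annotations imply these objects must land in the `homea2` namespace; neither resource declares a namespace here, so the apply step presumably supplies it — worth confirming, since a mismatch leaves the routers without the TLSOption and Traefik falls back to its default options for that host. A short comment above `secretNames` stating which key of `mtls-ca-cert` Traefik reads the CA bundle from (the docs for the Traefik version in use name `tls.ca`; verify) would save the next maintainer a debugging round.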
@@ -84,6 +84,9 @@ metadata:
|
||||
name: ui-ingress
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-production-http
|
||||
# Traefik 2 mTLS Configuration
|
||||
traefik.ingress.kubernetes.io/router.tls.options: homea2-mtls@kubernetescrd
|
||||
traefik.ingress.kubernetes.io/router.middlewares: homea2-mtls-auth@kubernetescrd
|
||||
spec:
|
||||
tls:
|
||||
- hosts:
|
||||
|
||||