wireapp · jschaul · Feb 22, 2022 · Nov 8, 2021 · Nov 9, 2021 · Nov 9, 2021
@@ -0,0 +1 @@
+Your kubernetes server version must be >= 1.19 (type `kubectl version` to check)
@@ -0,0 +1 @@
+If you have custom overrides for the nginx-ingress-controller, you must change the config value 'nginx-ingress' to 'ingress-nginx' or risk falling back to default settings.
@@ -0,0 +1 @@
+Add TLS 1.3 support on the ingress level.
@@ -1,4 +1,6 @@
 dependencies:
-- name: nginx-ingress
-  version: 1.33.3
-  repository: https://charts.helm.sh/stable
+- name: ingress-nginx
+  # version support: https://github.com/kubernetes/ingress-nginx#support-versions-table
+  # chart version 4.0.17 == app version v1.1.1; k8s [1.19 - 1.23]
+  version: 4.0.17
+  repository: https://kubernetes.github.io/ingress-nginx
@@ -1,14 +1,19 @@
-# Default values for nginx-ingress-controller
+# FUTUREWORK(hardening): create a dhparam with openssl
+# see https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
+# and set the controller.config.ssl-dh-param value accordingly. Via helm pre-hook?
 
-nginx-ingress:
+# Default values for nginx-ingress-controller
+ingress-nginx:
   controller:
     config:
       # NOTE: These are some sane defaults (compliant to TR-02102-2), you may want to overrride them on your own installation
       # For TR-02102-2 see https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.html
+      # For an overview, see https://docs.wire.com/how-to/install/tls.html
       # As a Wire employee, for Wire-internal discussions and context see
       # * https://wearezeta.atlassian.net/browse/FS-33
       # * https://wearezeta.atlassian.net/browse/FS-444
-      ssl-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
+      ssl-ciphers: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
+      ssl-protocols: "TLSv1.2 TLSv1.3"
       http2-max-field-size: 16k
       http2-max-header-size: 32k
       proxy-buffer-size: 16k

@@ -18,6 +18,8 @@ environments:
 repositories:
   - name: stable
     url: 'https://charts.helm.sh/stable'
+  - name: ingress
+    url: 'https://kubernetes.github.io/ingress-nginx'
 
 releases:
   - name: '{{ .Values.namespace }}-fake-aws'
@@ -30,13 +32,13 @@ releases:
     namespace: '{{ .Values.namespace }}'
     chart: '../.local/charts/databases-ephemeral'
 
-  - name: '{{ .Values.namespace }}-nginx-ingress-controller'
+  - name: '{{ .Values.namespace }}-ic'
     namespace: '{{ .Values.namespace }}'
     chart: '../.local/charts/nginx-ingress-controller'
     values:
       - './helm_vars/nginx-ingress-controller/values.yaml'
 
-  - name: '{{ .Values.namespace }}-nginx-ingress-services'
+  - name: '{{ .Values.namespace }}-is'
     namespace: '{{ .Values.namespace }}'
     chart: '../.local/charts/nginx-ingress-services'
     values:

@@ -30,6 +30,8 @@ environments:
 repositories:
   - name: stable
     url: 'https://charts.helm.sh/stable'
+  - name: ingress
+    url: 'https://kubernetes.github.io/ingress-nginx'
 
 releases:
   - name: '{{ .Values.namespace }}-fake-aws'
@@ -52,19 +54,19 @@ releases:
     namespace: '{{ .Values.namespaceFed2 }}'
     chart: '../.local/charts/databases-ephemeral'
 
-  - name: '{{ .Values.namespace }}-nginx-ingress-controller'
+  - name: '{{ .Values.namespace }}-ic'
     namespace: '{{ .Values.namespace }}'
     chart: '../.local/charts/nginx-ingress-controller'
     values:
       - './helm_vars/nginx-ingress-controller/values.yaml'
 
-  - name: '{{ .Values.namespace }}-nginx-ingress-controller-2'
+  - name: '{{ .Values.namespace }}-ic-2'
     namespace: '{{ .Values.namespaceFed2 }}'
     chart: '../.local/charts/nginx-ingress-controller'
     values:
       - './helm_vars/nginx-ingress-controller/values.yaml'
 
-  - name: '{{ .Values.namespace }}-nginx-ingress-services'
+  - name: '{{ .Values.namespace }}-is'
     namespace: '{{ .Values.namespace }}'
     chart: '../.local/charts/nginx-ingress-services'
     values:
@@ -77,7 +79,7 @@ releases:
       - name: config.dns.federator
         value: {{ .Values.federationDomain }}
 
-  - name: '{{ .Values.namespace }}-nginx-ingress-services-2'
+  - name: '{{ .Values.namespace }}-is-2'
     namespace: '{{ .Values.namespaceFed2 }}'
     chart: '../.local/charts/nginx-ingress-services'
     values:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Your kubernetes server version must be >= 1.19 (type `kubectl version` to check)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		If you have custom overrides for the nginx-ingress-controller, you must change the config value 'nginx-ingress' to 'ingress-nginx' or risk falling back to default settings.