how enable only high secure ssl ciphers in haproxy ingress?

[agonzalezm]

default haproxy ingress install has many yellow insecure ciphers enabled, how can i enable only secure ciphers (green ones)

i tried this in ingress yaml but didnt work:

ingress.kubernetes.io/ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"

[agonzalezm]

anyone can explain details how to remove these ciphers with haproxy ingress helm charts installed?

[fabianonunes]

You can use the global-config-snippet option in ConfigMap to set the ciphers:

apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-kubernetes-ingress
  namespace: default
data:
  global-config-snippet: |
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

If you are using Helm, you can pass these options in controller.config from values.yaml:

# (...)
controller:
  config:
    global-config-snippet: |
      ssl-default-bind-ciphersuites ...
      ssl-default-bind-options ...

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.