From 63397f1cf2512d623e7cd89a52b178b242ba295e Mon Sep 17 00:00:00 2001
From: Jonathan Lopez
Date: Tue, 23 Jul 2024 09:17:15 -0400
Subject: [PATCH] Issue #313: update finesse ingress with recommended ciphers and curves (#314)
---
 kubernetes/aks/apps/finesse/public/ingress.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/kubernetes/aks/apps/finesse/public/ingress.yaml b/kubernetes/aks/apps/finesse/public/ingress.yaml
index c1e7ad46..8d0f4aaf 100644
--- a/kubernetes/aks/apps/finesse/public/ingress.yaml
+++ b/kubernetes/aks/apps/finesse/public/ingress.yaml
@@ -10,6 +10,9 @@ metadata:
 nginx.ingress.kubernetes.io/rewrite-target: /$2 # https://kubernetes.github.io/ingress-nginx/examples/rewrite/
 ingress.kubernetes.io/force-ssl-redirect: "true"
 kubernetes.io/tls-acme: "true"
+ nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers: "true"
+ nginx.ingress.kubernetes.io/ssl-ciphers: "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
+ nginx.ingress.kubernetes.io/ssl-ecdh-curve: "secp256r1:secp384r1:secp521r1"
 spec:
 ingressClassName: nginx
 tls:
@@ -40,6 +43,9 @@ metadata:
 ingress.kubernetes.io/force-ssl-redirect: "true"
 kubernetes.io/tls-acme: "true"
 nginx.ingress.kubernetes.io/use-regex: "true"
+ nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers: "true"
+ nginx.ingress.kubernetes.io/ssl-ciphers: "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
+ nginx.ingress.kubernetes.io/ssl-ecdh-curve: "secp256r1:secp384r1:secp521r1"
 spec:
 ingressClassName: nginx
 tls:
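Review bot: The `nginx.ingress.kubernetes.io/ssl-ecdh-curve` annotation added in both hunks (new lines 15 and 48) is probably a no-op. As far as I know, ingress-nginx reads `ssl-ecdh-curve` only from the controller ConfigMap and has no per-Ingress annotation of that name, so the curve restriction would be silently ignored. I would set `ssl-ecdh-curve: "secp256r1:secp384r1:secp521r1"` in the controller ConfigMap instead and confirm the `ssl_ecdh_curve` directive appears in the rendered nginx.conf; older OpenSSL builds may only accept `prime256v1` for the first curve, so check the name against the controller image. The `ssl-ciphers` value also deserves a comment on each Ingress such as `# TLS 1.2 suites only; both are ECDHE-RSA, so the ACME-issued certificate must use an RSA key`, because an ECDSA certificate would leave TLS 1.2 clients with no shared suite. TLS 1.3 suites are not governed by this list, so the allowed protocol versions still need to be pinned at the controller level if the recommendation covers them.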