The ingress NGINX server is configured for mTLS with CloudFlare, which provides the public endpoint for this website. mTLS certificate authentication prevents CloudFlare from connecting to a rogue origin, because CloudFlare verifies the certificate presented by ingress. Ingress in turn authenticates incoming connections by client certificate, accepting connections from CloudFlare only.
In addition to mutual certificate authentication, an IPv4 & IPv6 allow-list is created by downloading the CloudFlare IP ranges via
curl "https://www.cloudflare.com/{ips-v4,ips-v6}" -o resources/cloudflare-#1.txt
and creating an ingress annotation, nginx.ingress.kubernetes.io/whitelist-source-range,
with these CIDRs.
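As an added example (not the project's own tooling), the script below builds the comma-separated CIDR list for the whitelist-source-range annotation from the downloaded range files and renders an ingress-nginx Ingress manifest that also carries the client-certificate (mTLS) annotations described above. The host, Secret and Service names are assumptions, and the range files are constructed samples standing in for the curl download.

```shell
#!/bin/sh
# Added example, not the project's own script. Builds the CIDR allow-list for
# nginx.ingress.kubernetes.io/whitelist-source-range and renders an Ingress
# manifest that also enforces client-certificate (mTLS) authentication.
# Host, Secret and Service names below are assumptions.
set -eu

# build_allowlist FILE...: read one CIDR per line, drop blanks and comments,
# reject anything that is not "<address>/<prefix>" (so a truncated or
# tampered download cannot smuggle junk into the annotation) and print a
# de-duplicated, comma-separated list in file order.
build_allowlist() {
  list=""
  for f in "$@"; do
    while IFS= read -r line || [ -n "$line" ]; do
      cidr=$(printf '%s' "$line" | tr -d '[:space:]')
      [ -z "$cidr" ] && continue
      case "$cidr" in \#*) continue ;; esac
      addr=${cidr%/*}
      prefix=${cidr##*/}
      if [ "$addr" = "$cidr" ] || [ -z "$addr" ] || [ -z "$prefix" ]; then
        echo "rejecting '$cidr': expected <address>/<prefix>" >&2; return 1
      fi
      case "$addr" in *[!0-9a-fA-F.:]*)
        echo "rejecting '$cidr': bad address characters" >&2; return 1 ;; esac
      case "$prefix" in *[!0-9]*)
        echo "rejecting '$cidr': bad prefix length" >&2; return 1 ;; esac
      # IPv4 prefix lengths run 0-32, IPv6 0-128
      case "$addr" in *:*) max=128 ;; *) max=32 ;; esac
      if [ "$prefix" -gt "$max" ]; then
        echo "rejecting '$cidr': prefix length over $max" >&2; return 1
      fi
      case ",$list," in *",$cidr,"*) continue ;; esac   # skip duplicates
      list="${list:+$list,}$cidr"
    done < "$f"
  done
  printf '%s\n' "$list"
}

# render_ingress HOST ALLOWLIST: print an ingress-nginx Ingress manifest.
# Assumed names: Secret "cloudflare-origin-ca" holds the CA that issues
# CloudFlare's client certificates, Secret "origin-tls" holds the certificate
# ingress presents to CloudFlare, and Service "web" is the backend.
render_ingress() {
  host=$1
  allowlist=$2
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  annotations:
    # Layer 1: only CloudFlare's published ranges may reach this vhost.
    nginx.ingress.kubernetes.io/whitelist-source-range: "$allowlist"
    # Layer 2: the client must present a certificate chaining to the CloudFlare CA.
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/cloudflare-origin-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
  ingressClassName: nginx
  tls:
    - hosts: ["$host"]
      secretName: origin-tls
  rules:
    - host: $host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
EOF
}

# make_sample_files DIR: constructed sample range files standing in for
#   curl "https://www.cloudflare.com/{ips-v4,ips-v6}" -o resources/cloudflare-#1.txt
# The ranges are illustrative only (one blank line and one duplicate are
# included on purpose); use the live download in practice.
make_sample_files() {
  mkdir -p "$1/resources"
  printf '%s\n' 173.245.48.0/20 103.21.244.0/22 '' > "$1/resources/cloudflare-ips-v4.txt"
  printf '%s\n' 2400:cb00::/32 2606:4700::/32 2400:cb00::/32 > "$1/resources/cloudflare-ips-v6.txt"
}

example_dir=$(mktemp -d)
make_sample_files "$example_dir"
allowlist=$(build_allowlist "$example_dir/resources/cloudflare-ips-v4.txt" \
                            "$example_dir/resources/cloudflare-ips-v6.txt")
render_ingress www.example.com "$allowlist"
```

The allow-list only checks the peer address NGINX actually sees, so it must be regenerated whenever CloudFlare changes its published ranges, and the load balancer in front of ingress must preserve the real client address (for example via the PROXY protocol) or every connection will appear to come from the balancer itself.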
Multiple sites and versions, such as a beta site, are included in the static git repo, which also includes NGINX ingress configuration for OIDC authentication & authorization. Kubernetes Secrets are used to keep secret values out of git and ConfigMaps.