Description
I'm asking upfront before creating a pull request. We need to pass in custom DH parameters by supplying ssl_dhparam <file> to the nginx config. I could create a patch that simply supports setting ssl_dhparam, and it would then require the user to make sure he mounts <file> into the container at the given location.
On the other hand, you might prefer that the value of ssl-dhparam / nginx.org/ssl-dhparam is not a filename, but rather the name of a namespace/secret, and we look for the key dhparam.pem - very much like certificates are handled right now. So let's explain by examples.
Variant 1: filename
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress
  namespace: kube-system
data:
  ssl-dhparam: ciphers/dh4096.pem
And then mount that file to /etc/nginx/ciphers/dh4096.pem in the DaemonSet or Deployment.
Variant 2: reference to a secret
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress
  namespace: kube-system
data:
  ssl-dhparam: kube-system/dh-params
---
apiVersion: v1
kind: Secret
metadata:
  name: dh-params
  namespace: kube-system
type: Opaque
data:
  dhparam.pem: ABC==
The second variant would require the controller to automagically create the file from the reference, but it would also allow for a seamless update of these parameters - for whatever reason.
Of course variant 1 is easier to implement, so I would like to know which version you prefer.
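
For variant 2, the controller would have to resolve the namespace/name reference and sanity-check the dhparam.pem key before writing the file that ssl_dhparam points at. A sketch of that step follows as an added example, not code from this issue or from the project. The function names, the plain map standing in for the Secret's decoded data, and the 2048-bit minimum are assumptions.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// dhParams mirrors the PKCS #3 DHParameter structure inside a "DH PARAMETERS" PEM block.
type dhParams struct {
	P, G          *big.Int
	PrivateLength int `asn1:"optional"`
}

// SplitSecretRef parses the proposed "namespace/name" ConfigMap value (hypothetical helper).
func SplitSecretRef(ref string) (ns, name string, err error) {
	parts := strings.Split(ref, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("ssl-dhparam %q is not namespace/name", ref)
	}
	return parts[0], parts[1], nil
}

// DHParamFromSecret returns the PEM to write for ssl_dhparam; minBits is an assumed policy value.
func DHParamFromSecret(data map[string][]byte, minBits int) ([]byte, error) {
	raw, ok := data["dhparam.pem"]
	if !ok {
		return nil, errors.New("secret has no dhparam.pem key")
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "DH PARAMETERS" {
		return nil, errors.New("dhparam.pem is not a DH PARAMETERS PEM block")
	}
	var p dhParams
	if rest, err := asn1.Unmarshal(block.Bytes, &p); err != nil || len(rest) != 0 {
		return nil, errors.New("dhparam.pem does not hold a valid DHParameter structure")
	}
	if p.P.Sign() <= 0 || p.P.BitLen() < minBits {
		return nil, fmt.Errorf("DH prime is %d bits, want at least %d", p.P.BitLen(), minBits)
	}
	return pem.EncodeToMemory(block), nil
}

func main() {
	_, err := DHParamFromSecret(map[string][]byte{"dhparam.pem": []byte("not PEM")}, 2048) // constructed input
	fmt.Println(err)
}
```

Rejecting a malformed or undersized parameter file at this point keeps a bad Secret update from producing an nginx config that fails to reload or that negotiates weak DHE groups.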