
How would I implement custom DH parameters for DHE ciphers #69

Closed

Description

I'm asking upfront before creating a pull request. We need to pass in custom DH parameters by supplying ssl_dhparam <file> to the nginx config. I could create a patch that simply supports setting ssl_dhparam, and it would then require the user to make sure he mounts <file> into the container at the given location.

On the other hand, you might prefer that the value to ssl-dhparam/nginx.org/ssl-dhparam is not a filename, but rather the name of a namespace/secret and we look for the key dhparam.pem - very much like certificates are handled right now. So let's explain by examples.

Variant 1: filename

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress
  namespace: kube-system
data:
  ssl-dhparam: ciphers/dh4096.pem

And then mount that file to /etc/nginx/ciphers/dh4096.pem in the DaemonSet or Deployment.

Variant 2: reference to a secret

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress
  namespace: kube-system
data:
  ssl-dhparam: kube-system/dh-params
---
apiVersion: v1
kind: Secret
metadata:
  name: dh-params
  namespace: kube-system
type: Opaque
data:
  dhparam.pem: ABC==

The second variant would require the controller to automagically create the file from the reference, but it would also allow for a seamless update of these parameters - for whatever reason.

Of course variant 1 is easier to implement, so I would like to know which version you prefer.
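The following is an added example, not code from this issue or from the ingress controller project, of what the "automagic" part of variant 2 would have to do: take the namespace/secret reference from the ConfigMap, look up the dhparam.pem key in the Secret's data, check that the PEM actually holds a usable DH group before handing it to nginx, and write it atomically to the path that goes into ssl_dhparam. The secret data here is constructed in the program itself (a freshly generated 2048-bit prime, base64-encoded as it would appear in a manifest) rather than taken from the cluster, and the helper and constant names (parseSecretRef, validateDHParams, materializeDHParam, sampleSecretData, minDHBits) are this example's own, not the controller's.

```go
package main

import (
	"crypto/rand"
	"encoding/asn1"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
)

// dhParameter mirrors the PKCS#3 DHParameter ASN.1 structure that
// "openssl dhparam" writes inside a "DH PARAMETERS" PEM block.
type dhParameter struct {
	P *big.Int // prime modulus
	G *big.Int // generator
}

// secretKey is the key the issue proposes to look up inside the Secret.
const secretKey = "dhparam.pem"

// minDHBits is the smallest modulus this example accepts (assumption):
// 1024-bit groups are considered weak, so 2048 is the floor.
const minDHBits = 2048

// parseSecretRef splits the ConfigMap value "namespace/name" (variant 2
// in the issue) into its two parts and rejects anything else.
func parseSecretRef(ref string) (namespace, name string, err error) {
	parts := strings.Split(ref, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("ssl-dhparam %q is not of the form namespace/secret", ref)
	}
	return parts[0], parts[1], nil
}

// validateDHParams decodes a "DH PARAMETERS" PEM block and checks that the
// modulus is a prime of at least minDHBits and that 1 < g < p-1.
// It returns the modulus size in bits.
func validateDHParams(pemBytes []byte) (int, error) {
	block, rest := pem.Decode(pemBytes)
	if block == nil || block.Type != "DH PARAMETERS" {
		return 0, errors.New("no DH PARAMETERS PEM block found")
	}
	if len(strings.TrimSpace(string(rest))) != 0 {
		return 0, errors.New("trailing data after DH PARAMETERS block")
	}
	var params dhParameter
	trailing, err := asn1.Unmarshal(block.Bytes, &params)
	if err != nil {
		return 0, fmt.Errorf("malformed DH parameters: %w", err)
	}
	if len(trailing) != 0 {
		return 0, errors.New("trailing bytes after DH parameter sequence")
	}
	bits := params.P.BitLen()
	if bits < minDHBits {
		return bits, fmt.Errorf("DH modulus is %d bits, need at least %d", bits, minDHBits)
	}
	if !params.P.ProbablyPrime(20) {
		return bits, errors.New("DH modulus is not prime")
	}
	pMinus1 := new(big.Int).Sub(params.P, big.NewInt(1))
	if params.G.Cmp(big.NewInt(1)) <= 0 || params.G.Cmp(pMinus1) >= 0 {
		return bits, fmt.Errorf("DH generator %s is out of range", params.G)
	}
	return bits, nil
}

// materializeDHParam takes the Secret's data (values base64-encoded, as in
// the manifest), validates the parameters and writes them to dir with mode
// 0600, returning the path that would be put into "ssl_dhparam".
func materializeDHParam(secretData map[string]string, dir string) (string, error) {
	encoded, ok := secretData[secretKey]
	if !ok {
		return "", fmt.Errorf("secret has no %q key", secretKey)
	}
	pemBytes, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("secret key %q is not valid base64: %w", secretKey, err)
	}
	if _, err := validateDHParams(pemBytes); err != nil {
		return "", err
	}
	path := filepath.Join(dir, secretKey)
	// Write to a temp file and rename so nginx never reads a half-written file
	// when the Secret is updated later.
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, pemBytes, 0o600); err != nil {
		return "", err
	}
	if err := os.Rename(tmp, path); err != nil {
		return "", err
	}
	return path, nil
}

// sampleSecretData builds constructed Secret data for this example by
// generating a fresh prime of the given size; it is sample input for the
// checks above, not parameters anyone should deploy.
func sampleSecretData(bits int) (map[string]string, error) {
	p, err := rand.Prime(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der, err := asn1.Marshal(dhParameter{P: p, G: big.NewInt(2)})
	if err != nil {
		return nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "DH PARAMETERS", Bytes: der})
	return map[string]string{secretKey: base64.StdEncoding.EncodeToString(pemBytes)}, nil
}

func main() {
	ns, name, err := parseSecretRef("kube-system/dh-params")
	if err != nil {
		fmt.Println("bad reference:", err)
		return
	}
	data, err := sampleSecretData(minDHBits)
	if err != nil {
		fmt.Println("could not build sample:", err)
		return
	}
	dir, _ := os.MkdirTemp("", "dhparam")
	path, err := materializeDHParam(data, dir)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("secret %s/%s -> ssl_dhparam %s;\n", ns, name, path)
}
```

The validation step is the part worth keeping whatever variant is chosen: nginx will happily load a 1024-bit or otherwise odd group from ssl_dhparam, so the controller is the last place a weak or malformed Secret value can be caught before it is served to clients.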
