Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow specifying custom dh param #402

Merged
merged 1 commit into from
Mar 8, 2017
Merged

Conversation

glerchundi
Copy link
Contributor

fixes #162

@k8s-ci-robot
Copy link
Contributor

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA.

Once you've signed, please reply here (e.g. "I signed it!") and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Mar 8, 2017
@k8s-reviewable
Copy link

This change is Reviewable

@glerchundi
Copy link
Contributor Author

I signed it!

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Mar 8, 2017
@coveralls
Copy link

Coverage Status

Coverage decreased (-0.4%) to 45.915% when pulling f41e8fd06d83155e987c0f7f4d8f5ce34072967c on glerchundi:master into fedf342 on kubernetes:master.

@glerchundi
Copy link
Contributor Author

glerchundi commented Mar 8, 2017

I already tested it empirically and seems to works, I pushed an image with this change in case you wanted to test yourself: quay.io/glerchundi/nginx-ingress-controller:0.9.0-beta.3

Create the dh containing secret:

apiVersion: v1
kind: Secret
metadata:
  name: lb-dhparam
type: Opaque
data:
  dhparam.pem: "...base64 encoded data..."

And the configmap with the actual secret pointer:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf
data:
  ssl-dh-param: "default/lb-dhparam"

Enough.

/cc @aledbf

@aledbf aledbf self-assigned this Mar 8, 2017
@glerchundi
Copy link
Contributor Author

glerchundi commented Mar 8, 2017

added an example, rebased and squashed to one commit

@aledbf aledbf added the nginx label Mar 8, 2017
@coveralls
Copy link

Coverage Status

Coverage decreased (-0.4%) to 45.915% when pulling e1c1dfa on glerchundi:master into fedf342 on kubernetes:master.

@rikatz
Copy link
Contributor

rikatz commented Mar 8, 2017

This is nice, indeed I've tested the also the dhparam and got this error, but forgot to check.

Just a question, is it interesting to generate a default-dh-param also, as there is a default-ssl-certificate?

This could give us to a 'more secure' default backend, but does not need to be present (it's optional).

@aledbf
Copy link
Member

aledbf commented Mar 8, 2017

@rikatz the difference here is that we need to share the dh param if you are running multiple instances.

@aledbf
Copy link
Member

aledbf commented Mar 8, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 8, 2017
@rikatz
Copy link
Contributor

rikatz commented Mar 8, 2017

@aledbf yeap, but DH Param may be served for each vhost also. My doubt is that if we couldn't create this also for the default backends :)

But this is good for me now, we can improve this later :)

@aledbf aledbf merged commit 4c0a616 into kubernetes:master Mar 8, 2017
@aledbf
Copy link
Member

aledbf commented Mar 8, 2017

@glerchundi thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. nginx
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ConfigMap parameter ssl-dh-param produces invalid configuration
6 participants