Comments (5)
pleshakov
commented on August 28, 2024
It'd be great if you could implement the Variant 2!
For future extensions that support similar directives that require a file, we can have a similar approach deploying the file in a Kubernetes resource and we can reuse this implementation.
It makes more sense to me to deploy a dh-params file in a ConfigMap resource, since this file is not secret.
from kubernetes-ingress.
df-mreidel
commented on August 28, 2024
Referencing a ConfigMap from inside a ConfigMap seems rather unnecessary. Shall I then treat the value as the content of the file to write? Like this:
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-ingress
namespace: kube-system
data:
ssl-dhparam: |
-----BEGIN DH PARAMETERS-----
ABC==
-----END DH PARAMETERS-----Are you really sure dhparams don't need to be kept secret?
from kubernetes-ingress.
pleshakov
commented on August 28, 2024
Referencing a ConfigMap from inside a ConfigMap seems rather unnecessary. Shall I then treat the value as the content of the file to write?
I like referencing a ConfigMap for the following reasons:
- Typically a ssl-dhparam file is ~2KB, so putting it in a separate Configap doesn't clutter the main ConfigMap
- I assume we'll have more features in the Ingress controller that need to reference a file. If we don't embed files inside the ConfigMap, we won't end up with one big ConfigMap.
However, embedding a ssl-dhparam in the main ConfigMap is easier and can be a temporal solution.
Are you really sure dhparams don't need to be kept secret?
Yes
from kubernetes-ingress.
thetechnick
commented on August 28, 2024
@pleshakov
I would like to add this together with other settings needed for perfect forward secrecy.
This would include these nginx directives:
ssl_protocols,ssl_prefer_server_ciphers,ssl_ciphers and ssl_dhparam
Configmap
data:
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
ssl-prefer-server-ciphers: "true" #default false
ssl-ciphers: >
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !MEDIUM"
ssl-dhparam-file:
-----BEGIN DH PARAMETERS-----
ABC==
-----END DH PARAMETERS-----For now I would also add the dhparam content as a string here.
If we need the functionality to use references to other configmaps/secrets for other configs too, we can add a new option ssl-dhparam: default/dhparam or similar.
from kubernetes-ingress.
pleshakov
commented on August 28, 2024
@thetechnick looks good!
from kubernetes-ingress.
Related Issues (20)
- Extend `ip` as an option to listeners for TransportServer HOT 1
- Release NGINX Ingress Controller 3.6.2
- Release NGINX Ingress Controller 3.6.2 - Marketplaces
- POC - Make it easier to "attach" a VirtualServerRoute to a VirtualServer
- Helm chart >0.10.4 not found HOT 3
- Adding support forward all headrs from downstream to upstream HOT 2
- Investigate codecov reports HOT 1
- Investigate the feasability of a schemaless helm chart.
- make access log config map params work for stream
- Update release automation to append new versions of AppProtect WAF v5 HOT 1
- Exclude autogenerated, go tooling and vendor files from codecov HOT 1
- Add `telemetry-schema` to `verify-codegen` CI job
- Lack of clarity in README for `values-plus.yaml` file HOT 3
- Test the built images from release branch HOT 1
- Unable to get realip from AWS ALB HOT 5
- Panic when creating VirtualServer HOT 7
- Enforcer nmap v5 crashes on startup with no active waf policy configured HOT 3
- Generate release notes from commits since the last release
- Update Bug Report to use Issue Forms HOT 1
- Include info on values-icp..yaml, original in a blog post HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubernetes-ingress.