Added configmap settings to support perfect forward secrecy #85
Conversation
| if existsSPSC && err != nil { | ||
| glog.Error(err) | ||
| } else { | ||
| cfg.MainServerSSLPreferServerCiphers = sslPreferServerCiphers |
There was a problem hiding this comment.
Although it doesn't lead to a bug, line 375 is executed when the ssl-prefer-server-ciphers doesn't exists in the configmap
| @@ -85,13 +93,15 @@ func NewUpstreamWithDefaultServer(name string) Upstream { | |||
| // NewNginxController creates a NGINX controller | |||
| func NewNginxController(nginxConfPath string, local bool) (*NginxController, error) { | |||
| ngxc := NginxController{ | |||
| nginxEtcPath: path.Join(nginxConfPath, "etc"), | |||
There was a problem hiding this comment.
Can we use the nginxCertsPathfolder to store the pem file?
There was a problem hiding this comment.
I was worried that someone uses dhparam as a secret name which would override the certificate secret. (I know this is a edge case, but I do not trust users)
But if we add the namespace to the filename of the certificates we can also use the cert folder for the dhparam.pem, this will also solve a not yet raised issue, if a secret with the same name is used in two namespaces.
There was a problem hiding this comment.
But if we add the namespace to the filename of the certificates we can also use the cert folder for the dhparam.pem, this will also solve a not yet raised issue, if a secret with the same name is used in two namespaces.
Thanks for catching that. I've created a separate issue for that -- #89
| func (nginx *NginxController) createCertsDir() { | ||
| if err := os.Mkdir(nginx.nginxCertsPath, os.ModeDir); err != nil { | ||
| glog.Fatalf("Couldn't create directory %v: %v", nginx.nginxCertsPath, err) | ||
| func (nginx *NginxController) createDir(path string) { |
There was a problem hiding this comment.
should be a function, not a method, since it doesn't depend on NginxController anymore
| @@ -467,7 +490,7 @@ func (lbc *LoadBalancerController) createIngress(ing *extensions.Ingress) nginx. | |||
| glog.Warningf("Error retrieving secret %v for Ingress %v: %v", secretName, ing.Name, err) | |||
| continue | |||
| } | |||
| ingEx.Secrets[secretName] = secret | |||
| ingEx.Secrets[fmt.Sprintf("%s-%s", ing.GetNamespace(), secretName)] = secret | |||
There was a problem hiding this comment.
This creates a bug. The code in the configurator still uses the secretName as a key.
Better to solve the problem #89 in a separate pull request.
| if err != nil { | ||
| glog.Errorf("Configmap %s/%s: Could not update dhparams: %v", cfgm.GetNamespace(), cfgm.GetName(), err) | ||
| } | ||
| cfg.MainServerSSLDHParam = fileName |
There was a problem hiding this comment.
In case of an error when writing the dh param file, setting cfg.MainServerSSLDHParam = fileName will lead to an invalid NGINX configuration, when the dh param file doesn't exist
I have tested this PR on my environment using the https://www.ssllabs.com checker.
Fixes #69