From 24a0dcdee494b39817d0ff985af463844d41a270 Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Mon, 14 Sep 2020 16:16:19 -0500
Subject: [PATCH] Ingress: Configure ingress dhparam secret

Configuring dhparam secret to generate 2048 DH group for nginx openstack ingress

Change-Id: I8d8add9d518cbf928f58bfcac71e2b6c74075060
---
 ingress/templates/secret-dhparam.yaml | 25 +++++++++++++++++++++++++
 ingress/values.yaml | 5 ++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 ingress/templates/secret-dhparam.yaml

diff --git a/ingress/templates/secret-dhparam.yaml b/ingress/templates/secret-dhparam.yaml
new file mode 100644
index 000000000..9665c0769
--- /dev/null
+++ b/ingress/templates/secret-dhparam.yaml
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_dhparam }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: secret-dhparam
+type: Opaque
+data:
+ dhparam.pem: {{ .Values.secrets.dhparam.secret_dhparam | b64enc }}
+{{- end }}
diff --git a/ingress/values.yaml b/ingress/values.yaml
index 460a6dafb..a1fc9e07a 100644
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
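Review bot: The Secret renders `dhparam.pem` from `.Values.secrets.dhparam.secret_dhparam` without checking that a value was supplied, so enabling `manifests.secret_dhparam` while keeping the values.yaml default (an empty block scalar) yields a Secret whose `dhparam.pem` is an empty string, which is unlikely to be a usable DH parameter file. Helm's `required` turns that into a clear install-time failure: `dhparam.pem: {{ required "secrets.dhparam.secret_dhparam must be set to PEM-encoded DH parameters" .Values.secrets.dhparam.secret_dhparam | b64enc }}`. Note also that the template only base64-encodes whatever it is given; the parameters themselves must be generated out of band, which the commit message ("generate 2048 DH group") does not make clear. `$envAll` is assigned but never referenced in the template and can be dropped.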
@@ -266,7 +266,8 @@ secrets:
 # .secrets.tls.ingress.api.public="name of the TLS secret to create for the default cert"
 # NOTE: The contents of the secret are from .endpoints.ingress.host_fqdn_override.public.tls
 public: default-tls-public
-
+ dhparam:
+ secret_dhparam: |
 conf:
 controller:
 # NOTE(portdirect): if left blank this is populated from
@@ -282,6 +283,7 @@ conf:
 bind-address: null
 enable-vts-status: "true"
 server-tokens: "false"
+ ssl-dh-param: openstack/secret-dhparam
 # This block sets the --default-ssl-certificate option
 # https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
 default_ssl_certificate:
@@ -313,6 +315,7 @@ manifests:
 endpoints_ingress: true
 ingress: true
 secret_ingress_tls: false
+ secret_dhparam: false
 service_error: true
 service_ingress: true
 job_image_repo_sync: true
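Review bot: `secret_dhparam: |` introduces an empty block scalar with no comment saying what belongs there, while the neighbouring `tls` keys are documented; a reader has to open the template to learn that the value is base64-encoded verbatim into `dhparam.pem`. Add a note above it such as `# NOTE: PEM-encoded DH parameters (the chart does not generate them); supply via an override and set manifests.secret_dhparam: true`. Because the default is an empty string rather than absent, the key is always present and the template cannot tell "not configured" from "configured empty" unless it checks for emptiness.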
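Review bot: `ssl-dh-param: openstack/secret-dhparam` hard-codes the release namespace and is set unconditionally, while the Secret it names is only rendered when `manifests.secret_dhparam` is true, which the manifests hunk defaults to false; out of the box the controller ConfigMap therefore points at a Secret that does not exist, and a release into any namespace other than `openstack` keeps a stale reference even once the manifest is enabled. How ingress-nginx reacts to a missing secret is not visible here (presumably it logs and continues without DH parameters), so the mismatch fails quietly rather than at install time. Either default the key to `null` and document that it must be set together with `manifests.secret_dhparam`, or add a comment above the line: `# NOTE: <namespace>/<secret name>; must match the release namespace and requires manifests.secret_dhparam: true`.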