ingress-nginx-helm/docs/examples/customization/ssl-dh-param/README.md

# Custom DH parameters for perfect forward secrecy

This example aims to demonstrate the deployment of an Ingress-Nginx Controller and
use a ConfigMap to configure a custom Diffie-Hellman parameters file to help with
"Perfect Forward Secrecy".

## Custom configuration

```console
$ cat configmap.yaml
apiVersion: v1
data:
  ssl-dh-param: "ingress-nginx/lb-dhparam"
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
```

```console
$ kubectl create -f configmap.yaml
```

## Custom DH parameters secret

```console
$ openssl dhparam 4096 2> /dev/null | base64
LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ...
```

```console
$ cat ssl-dh-param.yaml
apiVersion: v1
data:
  dhparam.pem: "LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ..."
kind: Secret
metadata:
  name: lb-dhparam
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
```

```console
$ kubectl create -f ssl-dh-param.yaml
```

## Test

Check the contents of the configmap is present in the nginx.conf file using:
```console
$ kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf
```
Index all examples and fix their titles 2018-05-03 10:41:12 +00:00			`# Custom DH parameters for perfect forward secrecy`
allow specifying custom dh param fixes #162 2017-03-08 13:41:55 +00:00
Keep project name display aligned (#9920) 2023-05-05 16:31:13 +00:00			`This example aims to demonstrate the deployment of an Ingress-Nginx Controller and`
Minor documentation cleanup (#7826) * clarify link * Add section headers * console blocks * grpc example json was not valid * multi-tls update text The preceding point 1 related to https://github.com/kubernetes-retired/contrib/blob/4f2cb51ef82b4dddb625f6053ad132c1faf07aa1/ingress/controllers/nginx/examples/ingress.yaml and the deployments referenced in https://github.com/kubernetes-retired/contrib/blob/4f2cb51ef82b4dddb625f6053ad132c1faf07aa1/ingress/controllers/nginx/examples/README.md They are not relevant to the current instructions. * add whitespace around parens * grammar setup would be a proper noun, but it is not the intended concept, which is a state * grammar * is-only * via * Use bullets for choices * ingress-controller nginx is a distinct brand. generally this repo talks about ingress-controller, although it is quite inconsistent about how... * drop stray paren * OAuth is a brand and needs an article here also GitHub is a brand * Indent text under numbered lists * use e.g. * Document that customer header config maps changes do not trigger updates This should be removed if https://github.com/kubernetes/ingress-nginx/issues/5238 is fixed. * article * period * infinitive verb + period * clarify that the gRPC server is responsible for listening for TCP traffic and not some other part of the backend application * avoid using ; and reword * whitespace * brand: gRPC * only-does is the right form `for` adds nothing here * spelling: GitHub * punctuation `;` is generally not the right punctuation... * drop stray `to` * sentence * backticks * fix link * Improve readability of compare/vs * Renumber list * punctuation * Favor Ingress-NGINX and Ingress NGINX * Simplify custom header restart text * Undo typo damage Co-authored-by: Josh Soref <jsoref@users.noreply.github.com> 2022-01-17 00:57:28 +00:00			`use a ConfigMap to configure a custom Diffie-Hellman parameters file to help with`
allow specifying custom dh param fixes #162 2017-03-08 13:41:55 +00:00			`"Perfect Forward Secrecy".`

			`## Custom configuration`

			```console
Update documentation and examples [ci skip] 2017-10-16 12:55:46 +00:00			`$ cat configmap.yaml`
allow specifying custom dh param fixes #162 2017-03-08 13:41:55 +00:00			`apiVersion: v1`
			`data:`
Update documentation and examples [ci skip] 2017-10-16 12:55:46 +00:00			`ssl-dh-param: "ingress-nginx/lb-dhparam"`
allow specifying custom dh param fixes #162 2017-03-08 13:41:55 +00:00			`kind: ConfigMap`
			`metadata:`
Use ingress-nginx-* naming in docs to match the default deployment 2020-05-17 18:27:56 +00:00			`name: ingress-nginx-controller`
Update documentation and examples [ci skip] 2017-10-16 12:55:46 +00:00			`namespace: ingress-nginx`
			`labels:`
Fixup #2970: Add Missing Label `app.kubernetes.io/part-of: ingress-nginx` - Add missing label `app.kubernetes.io/part-of: ingress-nginx` for deploy example - Update new labels for docs/deploy and docs/examples - Update new labels for test/e2e and test/manifests - Update new labels for images/nginx Also close #3001 2018-09-04 03:25:30 +00:00			`app.kubernetes.io/name: ingress-nginx`
			`app.kubernetes.io/part-of: ingress-nginx`
allow specifying custom dh param fixes #162 2017-03-08 13:41:55 +00:00			```

			```console
Update documentation and examples [ci skip] 2017-10-16 12:55:46 +00:00			`$ kubectl create -f configmap.yaml`
allow specifying custom dh param fixes #162 2017-03-08 13:41:55 +00:00			```

			`## Custom DH parameters secret`

			```console
Minor documentation cleanup (#7826) * clarify link * Add section headers * console blocks * grpc example json was not valid * multi-tls update text The preceding point 1 related to https://github.com/kubernetes-retired/contrib/blob/4f2cb51ef82b4dddb625f6053ad132c1faf07aa1/ingress/controllers/nginx/examples/ingress.yaml and the deployments referenced in https://github.com/kubernetes-retired/contrib/blob/4f2cb51ef82b4dddb625f6053ad132c1faf07aa1/ingress/controllers/nginx/examples/README.md They are not relevant to the current instructions. * add whitespace around parens * grammar setup would be a proper noun, but it is not the intended concept, which is a state * grammar * is-only * via * Use bullets for choices * ingress-controller nginx is a distinct brand. generally this repo talks about ingress-controller, although it is quite inconsistent about how... * drop stray paren * OAuth is a brand and needs an article here also GitHub is a brand * Indent text under numbered lists * use e.g. * Document that customer header config maps changes do not trigger updates This should be removed if https://github.com/kubernetes/ingress-nginx/issues/5238 is fixed. * article * period * infinitive verb + period * clarify that the gRPC server is responsible for listening for TCP traffic and not some other part of the backend application * avoid using ; and reword * whitespace * brand: gRPC * only-does is the right form `for` adds nothing here * spelling: GitHub * punctuation `;` is generally not the right punctuation... * drop stray `to` * sentence * backticks * fix link * Improve readability of compare/vs * Renumber list * punctuation * Favor Ingress-NGINX and Ingress NGINX * Simplify custom header restart text * Undo typo damage Co-authored-by: Josh Soref <jsoref@users.noreply.github.com> 2022-01-17 00:57:28 +00:00			`$ openssl dhparam 4096 2> /dev/null \| base64`
allow specifying custom dh param fixes #162 2017-03-08 13:41:55 +00:00			`LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ...`
			```

			```console
			`$ cat ssl-dh-param.yaml`
			`apiVersion: v1`
			`data:`
			`dhparam.pem: "LS0tLS1CRUdJTiBESCBQQVJBTUVURVJ..."`
Fix ssl-dh-param example (#4946) 2020-01-17 19:17:39 +00:00			`kind: Secret`
allow specifying custom dh param fixes #162 2017-03-08 13:41:55 +00:00			`metadata:`
Fix reference to DH param secret, recommend larger parameter size 2020-03-18 17:06:24 +00:00			`name: lb-dhparam`
Update documentation and examples [ci skip] 2017-10-16 12:55:46 +00:00			`namespace: ingress-nginx`
			`labels:`
Fixup #2970: Add Missing Label `app.kubernetes.io/part-of: ingress-nginx` - Add missing label `app.kubernetes.io/part-of: ingress-nginx` for deploy example - Update new labels for docs/deploy and docs/examples - Update new labels for test/e2e and test/manifests - Update new labels for images/nginx Also close #3001 2018-09-04 03:25:30 +00:00			`app.kubernetes.io/name: ingress-nginx`
			`app.kubernetes.io/part-of: ingress-nginx`
allow specifying custom dh param fixes #162 2017-03-08 13:41:55 +00:00			```

			```console
			`$ kubectl create -f ssl-dh-param.yaml`
			```

			`## Test`

			`Check the contents of the configmap is present in the nginx.conf file using:`
Minor documentation cleanup (#7826) * clarify link * Add section headers * console blocks * grpc example json was not valid * multi-tls update text The preceding point 1 related to https://github.com/kubernetes-retired/contrib/blob/4f2cb51ef82b4dddb625f6053ad132c1faf07aa1/ingress/controllers/nginx/examples/ingress.yaml and the deployments referenced in https://github.com/kubernetes-retired/contrib/blob/4f2cb51ef82b4dddb625f6053ad132c1faf07aa1/ingress/controllers/nginx/examples/README.md They are not relevant to the current instructions. * add whitespace around parens * grammar setup would be a proper noun, but it is not the intended concept, which is a state * grammar * is-only * via * Use bullets for choices * ingress-controller nginx is a distinct brand. generally this repo talks about ingress-controller, although it is quite inconsistent about how... * drop stray paren * OAuth is a brand and needs an article here also GitHub is a brand * Indent text under numbered lists * use e.g. * Document that customer header config maps changes do not trigger updates This should be removed if https://github.com/kubernetes/ingress-nginx/issues/5238 is fixed. * article * period * infinitive verb + period * clarify that the gRPC server is responsible for listening for TCP traffic and not some other part of the backend application * avoid using ; and reword * whitespace * brand: gRPC * only-does is the right form `for` adds nothing here * spelling: GitHub * punctuation `;` is generally not the right punctuation... * drop stray `to` * sentence * backticks * fix link * Improve readability of compare/vs * Renumber list * punctuation * Favor Ingress-NGINX and Ingress NGINX * Simplify custom header restart text * Undo typo damage Co-authored-by: Josh Soref <jsoref@users.noreply.github.com> 2022-01-17 00:57:28 +00:00			```console
			`$ kubectl exec ingress-nginx-controller-873061567-4n3k2 -n kube-system -- cat /etc/nginx/nginx.conf`
			```