DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #4351 from aledbf/static-mode

Browse source 
KEP: Remove static SSL configuration mode
This commit is contained in:
Kubernetes Prow Robot 2019-08-14 21:26:33 -07:00 committed by GitHub
commit 6948cd7d65
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 68 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
build/cover.sh
View file

@ -27,6 +27,9 @@ if [ -z "${PKG}" ]; then
exit 1
fi
export CGO_ENABLED=1
export GODEBUG=netdns=go+2
rm -rf coverage.txt
for d in $(go list "${PKG}/..." | grep -v vendor | grep -v '/test/e2e' | grep -v images); do
t=$(date +%s);

3
build/test.sh
View file

@ -30,6 +30,7 @@ fi
# enabled to use host dns resolver
export CGO_ENABLED=1
export GODEBUG=netdns=go+2
go test -v -race -tags "cgo" \
go test -v -race \
$(go list "${PKG}/..." | grep -v vendor | grep -v '/test/e2e' | grep -v images | grep -v "docs/examples")

63
docs/enhancements/20190724-only-dynamic-ssl.md Normal file
View file

@ -0,0 +1,63 @@
---
title: Remove static SSL configuration mode
authors:
- "@aledbf"
reviewers:
- "@ElvinEfendi"
approvers:
- "@ElvinEfendi"
editor: TBD
creation-date: 2019-07-24
last-updated: 2019-07-24
status: implementable
see-also:
replaces:
superseded-by:
---
# Remove static SSL configuration mode
## Table of Contents
<!-- toc -->
- [Summary](#summary)
- [Motivation](#motivation)
- [Goals](#goals)
- [Non-Goals](#non-goals)
- [Proposal](#proposal)
- [Implementation Details/Notes/Constraints](#implementation-detailsnotesconstraints)
- [Drawbacks](#drawbacks)
- [Alternatives](#alternatives)
<!-- /toc -->
## Summary
Since release [0.19.0](https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.19.0) is possible to configure SSL certificates without the need of NGINX reloads (thanks to lua) and after release [0.24.0](https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.19.0) the default enabled mode is dynamic.
## Motivation
The static configuration implies reloads, something that affects the majority of the users.
### Goals
- Deprecation of the flag `--enable-dynamic-certificates`.
- Cleanup of the codebase.
### Non-Goals
- Features related to certificate authentication are not changed in any way.
## Proposal
- Remove static SSL configuration
### Implementation Details/Notes/Constraints
- Deprecate the flag Move the directives `ssl_certificate` and `ssl_certificate_key` from each server block to the `http` section. These settings are required to avoid NGINX errors in the logs.
- Remove any action of the flag `--enable-dynamic-certificates`
## Drawbacks
## Alternatives
Keep both implementations