kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

ConfigMap parameter `ssl-dh-param` produces invalid configuration #162

Closed pedrosland closed 7 years ago

pedrosland commented 7 years ago

I noticed this while writing documentation: the ssl_dhparam value in the config is expected to be a base64 string, and NGINX expects it to be a file. The controller documentation says:

ssl-dh-param: sets the Base64 string that contains Diffie-Hellman key to help with "Perfect Forward Secrecy".

The nginx documentation says:

Syntax:     ssl_dhparam file;

To verify, I provided the base64 encoded string from openssl dhparam:

apiVersion: v1
data:
  ssl-dh-param: "LS0tLS1CRUdJTiBESCBQQVJBTUVURVJTLS0tLS0KTUlHSEFvR0JBTldRMy84cXYrQTgyek9uN1NGUVl6aHVjK1NmVVB1ZVRWMmd5K3kreEVHZ2pQMjNYbmV3WHcycgpwc0RZVGNrblYzQkVPL3FQMG1WdGppMkN4Z3FRK09yRTBYM1B1SlBaV1pYcjNCbmxzVFd0K0Q2WnpaNnlQNFYvClh2NEkvWVhIZzV2dFhKb28zWlRHZW8zbCtVMXZqNGR1OE02S0M3SGFCSGliMGg3a3FEd2JBZ0VDCi0tLS0tRU5EIERIIFBBUkFNRVRFUlMtLS0tLQo="
kind: ConfigMap
metadata:
  name: nginx-ingress-controller

The logs report:

2017/01/23 14:18:39 [emerg] 11513#11513: BIO_new_file("/tmp/LS0tLS1CRUdJTiBESCBQQVJBTUVURVJTLS0tLS0KTUlHSEFvR0JBTldRMy84cXYrQTgyek9uN1NGUVl6aHVjK1NmVVB1ZVRWMmd5K3kreEVHZ2pQMjNYbmV3WHcycgpwc0RZVGNrblYzQkVPL3FQMG1WdGppMkN4Z3FRK09yRTBYM1B1SlBaV1pYcjNCbmxzVFd0K0Q2WnpaNnlQNFYvClh2NEkvWVhIZzV2dFhKb28zWlRHZW8zbCtVMXZqNGR1OE02S0M3SGFCSGliMGg3a3FEd2JBZ0VDCi0tLS0tRU5EIERIIFBBUkFNRVRFUlMtLS0tLQo=") failed (SSL: error:02001024:system library:fopen:File name too long:fopen('/tmp/LS0tLS1CRUdJTiBESCBQQVJBTUVURVJTLS0tLS0KTUlHSEFvR0JBTldRMy84cXYrQTgyek9uN1NGUVl6aHVjK1NmVVB1ZVRWMmd5K3kreEVHZ2pQMjNYbmV3WHcycgpwc0RZVGNrblYzQkVPL3FQMG1WdGppMkN4Z3FRK09yRTBYM1B1SlBaV1pYcjNCbmxzVFd0K0Q2WnpaNnlQNFYvClh2NEkvWVhIZzV2dFhKb28zWlRHZW8zbCtVMXZqNGR1OE02S0M3SGFCSGliMGg3a3FEd2JBZ0VDCi0tLS0tRU5EIERIIFBBUkFNRVRFUlMtLS0tLQo=','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: [emerg] BIO_new_file("/tmp/LS0tLS1CRUdJTiBESCBQQVJBTUVURVJTLS0tLS0KTUlHSEFvR0JBTldRMy84cXYrQTgyek9uN1NGUVl6aHVjK1NmVVB1ZVRWMmd5K3kreEVHZ2pQMjNYbmV3WHcycgpwc0RZVGNrblYzQkVPL3FQMG1WdGppMkN4Z3FRK09yRTBYM1B1SlBaV1pYcjNCbmxzVFd0K0Q2WnpaNnlQNFYvClh2NEkvWVhIZzV2dFhKb28zWlRHZW8zbCtVMXZqNGR1OE02S0M3SGFCSGliMGg3a3FEd2JBZ0VDCi0tLS0tRU5EIERIIFBBUkFNRVRFUlMtLS0tLQo=") failed (SSL: error:02001024:system library:fopen:File name too long:fopen('/tmp/LS0tLS1CRUdJTiBESCBQQVJBTUVURVJTLS0tLS0KTUlHSEFvR0JBTldRMy84cXYrQTgyek9uN1NGUVl6aHVjK1NmVVB1ZVRWMmd5K3kreEVHZ2pQMjNYbmV3WHcycgpwc0RZVGNrblYzQkVPL3FQMG1WdGppMkN4Z3FRK09yRTBYM1B1SlBaV1pYcjNCbmxzVFd0K0Q2WnpaNnlQNFYvClh2NEkvWVhIZzV2dFhKb28zWlRHZW8zbCtVMXZqNGR1OE02S0M3SGFCSGliMGg3a3FEd2JBZ0VDCi0tLS0tRU5EIERIIFBBUkFNRVRFUlMtLS0tLQo=','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: configuration file /tmp/nginx-cfg866144512 test failed

As I see it, there are three options:

  1. Implement what the docs say by writing a file to /etc/nginx or somewhere. Probably a bit like AddOrUpdateCertAndKey.
  2. The parameter is the name of a secret that contains the base64 encoded string. Write it to file the same as option 1.
  3. Update the docs to reflect that this parameter should be a filename.

Perhaps there are more? Personally, I think option 1 or 2 sounds the best.

I would be willing to attempt a fix for this.

glerchundi commented 7 years ago

I started looking at this. Will send a PR as soon as possible but first I would like to define what is desired.

My opinion is to use ssl-dh-param as a secret name and then render the base64 to a specific path; the config supplied to the template will point to this location if the dh exists and is valid.

WDYT?

/cc @aledbf
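The rendering step that options 1 and 2 above and glerchundi's proposal both describe, as an added example rather than ingress-nginx's own code: decode the base64 value, check that it really is a PEM "DH PARAMETERS" block whose body parses as the PKCS#3 SEQUENCE { p, g }, write it to a file, and hand nginx that path instead of the raw string that ended up in the BIO_new_file error. The sample value is constructed (a toy 2-bit p that only exercises the parser) and the destination directory is an assumption.

```go
package main

import (
	"encoding/asn1"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
)

// Constructed sample: PEM "DH PARAMETERS" whose DER body is SEQUENCE { INTEGER 2, INTEGER 2 } (toy p, parser exercise only).
const SamplePEM = "-----BEGIN DH PARAMETERS-----\nMAYCAQICAQI=\n-----END DH PARAMETERS-----\n"

// DecodeDHParam checks the value is base64 of a PEM "DH PARAMETERS" block whose body
// is the PKCS#3 SEQUENCE { p, g }; it returns the PEM bytes and the bit length of p.
func DecodeDHParam(b64 string) ([]byte, int, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, 0, fmt.Errorf("ssl-dh-param is not base64: %w", err)
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "DH PARAMETERS" {
		return nil, 0, fmt.Errorf("ssl-dh-param is not a PEM DH PARAMETERS block")
	}
	var dh struct{ P, G *big.Int }
	if rest, err := asn1.Unmarshal(block.Bytes, &dh); err != nil || len(rest) != 0 {
		return nil, 0, fmt.Errorf("DH PARAMETERS body is not a DER SEQUENCE {p, g}")
	}
	return raw, dh.P.BitLen(), nil
}

// WriteDHParam renders the validated PEM to dir/<name>.pem (0600: only the nginx master
// reads it at config load) and returns the path to put in "ssl_dhparam <path>;".
func WriteDHParam(dir, name, b64 string) (string, error) {
	pemBytes, _, err := DecodeDHParam(b64)
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, name+".pem")
	if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
		return "", err
	}
	return path, nil
}

func main() { // stand-alone run; using os.TempDir() as the destination is an assumption
	fmt.Println(WriteDHParam(os.TempDir(), "ingress-dhparam", base64.StdEncoding.EncodeToString([]byte(SamplePEM))))
}
```

The bit length is returned so a caller can refuse parameters below the size it requires; a real deployment would also use the value from the secret rather than the constructed sample.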