teamhephy / router

MIT License

feat(charts): switching nginx dhparam to 4096 bits #30

Closed Cryptophobia closed 6 years ago

Cryptophobia commented 6 years ago

This is to provide perfect forward secrecy for the new Hephy project and a stronger 4096-bit dhparam. Users should change this key if using hephy-router in production.

EDIT: Generating dhparam involves finding a perfect prime that is generally a CPU-intensive task. Users should only generate a perfect prime on a machine they trust fully. That is why I would only do such a thing on my M68000-chip Sega Genesis from 1997. The last CPU I ever trusted fully. :smiley_cat:

Cryptophobia commented 6 years ago

@kingdonb : Yes, but only in our CI e2e testing environment. For production and final production charts, this dhparam should not be changed across versions of the hephy-router image. It is meant to be generated once, and ideally production users should generate their own based on the bit and cipher lengths that they feel confident using in production.

kingdonb commented 6 years ago

OK, I'd like to find a place to mention this in the documentation, since I don't see anything that actually says this in Deis docs right now.

This is something that production admins should probably already know, but at the same time I didn't know.

kingdonb commented 6 years ago

The chart hook should only run once on "install" (not on upgrade) so I still think it might be an appropriate place to generate the dhparams. This is already how database passwords are generated as I understand it.

The points about generating them on a machine you trust, and primes taking a long time to find, are both valid points. I just want to make sure it's easy for users installing production clusters for the first time, to do the right thing. (A flag such as "generate_dhparams" in the values.yaml might be a nice addition.)

kingdonb commented 6 years ago

See for example:

charts/database/templates/database-secret-creds.yaml
charts/builder/templates/builder-secret-ssh-private-keys.yaml

Cryptophobia commented 6 years ago

Yes, I agree a flag on the master hephy workflow charts to generate_dhparams would be nice to have. Generating unique dhparams on chart install would be an improvement.

Cryptophobia commented 6 years ago

> The chart hook should only run once on "install" (not on upgrade) so I still think it might be an appropriate place to generate the dhparams. This is already how database passwords are generated as I understand it.

Yes, the examples for database passwords and ssh keys for builder are good examples and we can follow the same model. However, we need to test with different bit lengths as finding a prime can sometimes take hours. How long would downstream systems like kubernetes, helm, tiller be waiting for this secret to be generated...
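
One way the run-once "install hook" model discussed above could be wired into the chart, as an added illustration that is not code from the teamhephy/router chart: a Helm `pre-install` Job generates the parameters with `openssl dhparam`, caps its runtime so Helm/Tiller cannot block forever on a slow prime search, and never overwrites a Secret an operator generated on a trusted machine. The values keys `router.generateDhparams` and `router.dhparamBits`, the Secret name `router-dhparam`, the image, and the service account are assumptions.

```yaml
# Added example, not part of the teamhephy/router chart.
# Assumed values.yaml keys: router.generateDhparams (bool), router.dhparamBits (int).
{{- if .Values.router.generateDhparams }}
apiVersion: batch/v1
kind: Job
metadata:
  name: router-dhparam-generator
  annotations:
    # Run only on first install, never on upgrade, like the database/builder secrets.
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "0"
    # Delete the finished Job so it is not re-run by accident.
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  # Cap wall-clock time: finding a 4096-bit safe prime can take a long time,
  # and without a deadline the install would hang on this hook.
  activeDeadlineSeconds: 3600
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      # Assumed service account allowed to get/create Secrets in this namespace.
      serviceAccountName: router-dhparam-generator
      containers:
      - name: generate
        # Assumed image; it must ship both openssl and kubectl.
        image: example.invalid/openssl-kubectl:latest
        command: ["/bin/sh", "-c"]
        args:
        - |
          set -eu
          # Do not overwrite parameters an operator generated on a trusted host.
          if kubectl get secret router-dhparam >/dev/null 2>&1; then
            echo "router-dhparam already exists, leaving it untouched"
            exit 0
          fi
          openssl dhparam -out /tmp/dhparam.pem {{ .Values.router.dhparamBits | default 4096 }}
          kubectl create secret generic router-dhparam \
            --from-file=dhparam.pem=/tmp/dhparam.pem
{{- end }}
```

The router Deployment then mounts the `router-dhparam` Secret instead of the dhparam baked into the image, so upgrades leave the parameters unchanged.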

Cryptophobia commented 6 years ago

For now, let's merge this in for forward secrecy and 4096-bit length improvement. :+1: