Question
I'm trying to set the value of ssl-session-cache in my configmap for the ingress-controller; the problem is that I can't find how to write it correctly.
I need the following changes in the nginx config:
ssl-session-cache builtin:3000 shared:SSL:100m
ssl-session-timeout: 3000
When I add
ssl-session-timeout: "3000"
to the config map, it works correctly - I can see this in the nginx config a few seconds later.
But how should I write ssl-session-cache?
ssl-session-cache: builtin:"3000" shared:SSL:"100m"
goes well, but no changes in nginx
ssl-session-cache: "builtin:3000 shared:SSL:100m"
goes well, but no changes in nginx
ssl-session-cache "builtin:3000 shared:SSL:100m"
syntax error - can't change the configmap
ssl-session-cache builtin:"3000 shared:SSL:100m"
syntax error - can't change the configmap
Does someone have an idea how to set ssl-session-cache in the configmap correctly?
Thank you!
Answer 1:
TL;DR
After digging around and testing the same scenario in my lab, I've found how to make it work.
As you can see here, the parameter ssl-session-cache requires a boolean value to specify if it will be enabled or not.
The changes you need are handled by the parameter ssl_session_cache_size, which requires a string, so it is correct to suppose that it would work by changing the value to builtin:3000 shared:SSL:100m, but after reproducing it and diving into the nginx configuration, I've concluded that it will not work because the option builtin:1000 is hardcoded.
In order to make it work as expected, I've found a solution using an nginx template as a configMap mounted as a volume into the nginx-controller pod, and another configMap to make the changes to the parameter ssl_session_cache_size.
Workaround
Take a look at line 343 of the file /etc/nginx/template in the nginx-ingress-controller pod:
bash-5.0$ grep -n 'builtin:' nginx.tmpl
343: ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};
As you can see, the option builtin:1000 is hardcoded and cannot be changed using custom data with your approach.
However, there are some ways to make it work: you could directly change the template file in the pod, but these changes will be lost if the pod dies for some reason... or you could use a custom template mounted as a configMap into the nginx-controller pod.
In this case, let's create a configMap with the nginx.tmpl content, changing the value on line 343 to the desired value.
- Get the template file from the nginx-ingress-controller pod; it will create a file called nginx.tmpl locally:
NOTE: Make sure the namespace is correct.
$ NGINX_POD=$(kubectl get pods -n ingress-nginx -l=app.kubernetes.io/component=controller -ojsonpath='{.items[].metadata.name}')
$ kubectl exec $NGINX_POD -n ingress-nginx -- cat template/nginx.tmpl > nginx.tmpl
- Change the value of line 343 from builtin:1000 to builtin:3000:
$ sed -i '343s/builtin:1000/builtin:3000/' nginx.tmpl
Checking if everything is ok:
$ grep builtin nginx.tmpl
ssl_session_cache builtin:3000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};
Ok, at this point we have a nginx.tmpl file with the desired parameter changed.
Let's move on and create a configMap with the custom nginx.tmpl file:
$ kubectl create cm nginx.tmpl --from-file=nginx.tmpl
configmap/nginx.tmpl created
This will create a configMap called nginx.tmpl in the ingress-nginx namespace; if your ingress' namespace is different, make the proper changes before applying.
After that, we need to edit the nginx-ingress deployment and add a new volume and a volumeMount to the containers spec. In my case, the nginx-ingress deployment is named ingress-nginx-controller in the ingress-nginx namespace.
Edit the deployment file:
$ kubectl edit deployment -n ingress-nginx ingress-nginx-controller
And add the following configuration in the correct places:
...
        volumeMounts:
        - mountPath: /etc/nginx/template
          name: nginx-template-volume
          readOnly: true
...
      volumes:
      - name: nginx-template-volume
        configMap:
          name: nginx.tmpl
          items:
          - key: nginx.tmpl
            path: nginx.tmpl
...
After saving the file, the nginx controller pod will be recreated with the configMap mounted as a file into the pod.
Let's check if the changes were propagated:
$ kubectl exec -n ingress-nginx $NGINX_POD -- cat nginx.conf | grep -n ssl_session_cache
223: ssl_session_cache builtin:3000 shared:SSL:10m;
Great, the first part is done!
Now for the shared:SSL:10m we can use the same approach you already used: a configMap with the specific parameters as mentioned in this doc.
If you remember, in the nginx.tmpl, for shared:SSL there is a variable called SSLSessionCache ({{ $cfg.SSLSessionCacheSize }}); in the source code it is possible to check that the variable is represented by the option ssl-session-cache-size:
// Size of the SSL shared cache between all worker processes.
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
SSLSessionCacheSize string `json:"ssl-session-cache-size,omitempty"`
So, all we need to do is create a configMap with this parameter and the desired value:
kind: ConfigMap
apiVersion: v1
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  ssl-session-cache-size: "100m"
Note: Adjust the namespace and configMap name for the equivalent of your environment.
After applying this configMap, NGINX will reload the configuration and make the changes in the configuration file.
Checking the results:
$ NGINX_POD=$(kubectl get pods -n ingress-nginx -l=app.kubernetes.io/component=controller -ojsonpath='{.items[].metadata.name}')
$ kubectl exec -n ingress-nginx $NGINX_POD -- cat nginx.conf | grep -n ssl_session_cache
223: ssl_session_cache builtin:3000 shared:SSL:100m;
Conclusion
It would work as expected. Unfortunately, I can't find a way to add a variable in the builtin:, so we will continue using it hardcoded, but this time it will be in a configMap that you can easily change if needed.
References:
NGINX Ingress Custom template
NGINX Ingress Source Code
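Added example, not part of the original answer or of the ingress-nginx project: the sed step above targets line 343, and a line number can differ between controller versions, so this sketch patches the directive by pattern and refuses to write anything unless exactly one line matches. The function names and the two-line sample template are constructed for illustration.

```shell
#!/bin/sh
# Directive as it appears in nginx.tmpl (from the grep output in the answer).
DIRECTIVE_RE='ssl_session_cache builtin:[0-9]+ shared:SSL:'

# patch_builtin FILE SIZE: rewrite builtin:<n> to builtin:SIZE in FILE.
# Returns non-zero, leaving FILE untouched, unless exactly one line matches.
patch_builtin() {
    file=$1
    size=$2
    case $size in
        ''|*[!0-9]*) echo "size must be numeric" >&2; return 2 ;;
    esac
    # grep -c exits 1 on zero matches; '|| true' keeps this safe under set -e.
    count=$(grep -Ec "$DIRECTIVE_RE" "$file" || true)
    [ "$count" = 1 ] || {
        echo "expected 1 ssl_session_cache line, found '${count}'" >&2
        return 1
    }
    sed -E "s/(ssl_session_cache builtin:)[0-9]+( shared:SSL:)/\1${size}\2/" \
        "$file" > "$file.new" && mv "$file.new" "$file"
}

# rendered_cache FILE: print the value of the ssl_session_cache directive,
# for comparing a template or a rendered nginx.conf against what is expected.
rendered_cache() {
    sed -En 's/^[[:space:]]*ssl_session_cache[[:space:]]+([^;]+);.*/\1/p' "$1"
}

# make_sample_template FILE: constructed stand-in for nginx.tmpl (offline demo).
make_sample_template() {
    cat > "$1" <<'EOF'
    ssl_protocols {{ $cfg.SSLProtocols }};
    ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};
EOF
}

# Demo on the constructed sample.
tmpl=$(mktemp)
make_sample_template "$tmpl"
patch_builtin "$tmpl" 3000 && rendered_cache "$tmpl"
rm -f "$tmpl"
```

Run patch_builtin on the nginx.tmpl copied out of the pod before creating the configMap, and rendered_cache on the nginx.conf read back from the pod afterwards.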
Source: https://stackoverflow.com/questions/61272743/how-to-set-the-ssl-session-cache-values-in-configmap-kubernetes