-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #4351 from aledbf/static-mode
KEP: Remove static SSL configuration mode
- Loading branch information
Showing
3 changed files
with
68 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| --- | ||
| title: Remove static SSL configuration mode | ||
| authors: | ||
| - "@aledbf" | ||
| reviewers: | ||
| - "@ElvinEfendi" | ||
| approvers: | ||
| - "@ElvinEfendi" | ||
| editor: TBD | ||
| creation-date: 2019-07-24 | ||
| last-updated: 2019-07-24 | ||
| status: implementable | ||
| see-also: | ||
| replaces: | ||
| superseded-by: | ||
| --- | ||
|
|
||
| # Remove static SSL configuration mode | ||
|
|
||
| ## Table of Contents | ||
|
|
||
| <!-- toc --> | ||
| - [Summary](#summary) | ||
| - [Motivation](#motivation) | ||
| - [Goals](#goals) | ||
| - [Non-Goals](#non-goals) | ||
| - [Proposal](#proposal) | ||
| - [Implementation Details/Notes/Constraints](#implementation-detailsnotesconstraints) | ||
| - [Drawbacks](#drawbacks) | ||
| - [Alternatives](#alternatives) | ||
| <!-- /toc --> | ||
|
|
||
| ## Summary | ||
|
|
||
| Since release [0.19.0](https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.19.0) is possible to configure SSL certificates without the need of NGINX reloads (thanks to lua) and after release [0.24.0](https://github.com/kubernetes/ingress-nginx/releases/tag/nginx-0.19.0) the default enabled mode is dynamic. | ||
|
|
||
| ## Motivation | ||
|
|
||
| The static configuration implies reloads, something that affects the majority of the users. | ||
|
|
||
| ### Goals | ||
|
|
||
| - Deprecation of the flag `--enable-dynamic-certificates`. | ||
| - Cleanup of the codebase. | ||
|
|
||
| ### Non-Goals | ||
|
|
||
| - Features related to certificate authentication are not changed in any way. | ||
|
|
||
| ## Proposal | ||
|
|
||
| - Remove static SSL configuration | ||
|
|
||
| ### Implementation Details/Notes/Constraints | ||
|
|
||
| - Deprecate the flag Move the directives `ssl_certificate` and `ssl_certificate_key` from each server block to the `http` section. These settings are required to avoid NGINX errors in the logs. | ||
| - Remove any action of the flag `--enable-dynamic-certificates` | ||
|
|
||
| ## Drawbacks | ||
|
|
||
| ## Alternatives | ||
|
|
||
| Keep both implementations |