How to set the ssl-session-cache values in configmap - kubernetes?


Problem description

I try to set the value of the ssl-session-cache in my configmap for ingress-controller,

the problem is that I can't find how to write it correctly.

I need the following changes in the nginx config:

ssl-session-cache builtin:3000 shared:SSL:100m

ssl-session-timeout: 3000

When I add ssl-session-timeout: "3000" to the config map, it works correctly - I can see this in the nginx config a few seconds later.

But how should I write ssl-session-cache?

ssl-session-cache: builtin:"3000" shared:SSL:"100m" goes well, but no changes in nginx

ssl-session-cache: "builtin:3000 shared:SSL:100m" goes well, but no changes in nginx

ssl-session-cache "builtin:3000 shared:SSL:100m" syntax error - can't change the configmap

ssl-session-cache builtin:"3000 shared:SSL:100m" syntax error - can't change the configmap

Does someone have an idea how to set ssl-session-cache in the configmap correctly?

Thanks!

Recommended answer

TL;DR

After digging around and testing the same scenario in my lab, I've found how to make it work.

As you can see here, the parameter ssl-session-cache requires a boolean value to specify whether it will be enabled or not.

The changes you need are handled by the parameter ssl_session_cache_size, which requires a string, so it is correct to suppose that changing the value to builtin:3000 shared:SSL:100m would work, but after reproducing it and diving into the nginx configuration, I've concluded that it will not work because the option builtin:1000 is hardcoded.

In order to make it work as expected, I've found a solution using an nginx template as a configMap mounted as a volume into the nginx-controller pod, and another configMap to make the changes in the parameter ssl_session_cache_size.

Take a look at line 343 of the file /etc/nginx/template in the nginx-ingress-controller pod:

bash-5.0$ grep -n 'builtin:' nginx.tmpl 
343:    ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};

As you can see, the option builtin:1000 is hardcoded and cannot be changed using custom data with your approach.

However, there are some ways to make it work: you could directly change the template file in the pod, but these changes will be lost if the pod dies for some reason... or you could use a custom template mounted as a configMap into the nginx-controller pod.

In this case, let's create a configMap with the nginx.tmpl content, changing the value on line 343 to the desired value.

  1. Get the template file from the nginx-ingress-controller pod; this will create a file called nginx.tmpl locally:

NOTE: Make sure the namespace is correct.

$ NGINX_POD=$(kubectl get pods -n ingress-nginx -l=app.kubernetes.io/component=controller -ojsonpath='{.items[].metadata.name}')

$ kubectl exec $NGINX_POD -n ingress-nginx -- cat template/nginx.tmpl > nginx.tmpl

  2. Change the value on line 343 from builtin:1000 to builtin:3000:

$ sed -i '343s/builtin:1000/builtin:3000/' nginx.tmpl

Check that everything is OK:

$ grep builtin nginx.tmpl 
ssl_session_cache builtin:3000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};

OK, at this point we have an nginx.tmpl file with the desired parameter changed.

Let's move on and create a configMap with the custom nginx.tmpl file:

$ kubectl create cm nginx.tmpl -n ingress-nginx --from-file=nginx.tmpl
configmap/nginx.tmpl created

This will create a configMap called nginx.tmpl in the ingress-nginx namespace; if your ingress' namespace is different, make the proper changes before applying.

After that, we need to edit the nginx-ingress deployment and add a new volume and a volumeMount to the container's spec. In my case, the nginx-ingress deployment is named ingress-nginx-controller in the ingress-nginx namespace.

Edit the deployment:

$ kubectl edit deployment -n ingress-nginx ingress-nginx-controller

And add the following configuration in the correct places:

...
        volumeMounts:
        - mountPath: /etc/nginx/template
          name: nginx-template-volume
          readOnly: true
...
      volumes:
      - name: nginx-template-volume
        configMap:
          name: nginx.tmpl
          items:
          - key: nginx.tmpl
            path: nginx.tmpl
...

After saving the file, the nginx controller pod will be recreated with the configMap mounted as a file into the pod.

Let's check if the changes were propagated:

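# The pod was recreated, so look up its new name first
$ NGINX_POD=$(kubectl get pods -n ingress-nginx -l=app.kubernetes.io/component=controller -ojsonpath='{.items[].metadata.name}')

$ kubectl exec -n ingress-nginx $NGINX_POD -- cat nginx.conf | grep -n ssl_session_cache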
223:    ssl_session_cache builtin:3000 shared:SSL:10m;

Great, the first part is done!

Now for the shared:SSL:10m we can use the same approach you already used: a configMap with the specific parameters, as mentioned in this doc.

If you remember, in the nginx.tmpl, for shared:SSL there is a variable called SSLSessionCache ({{ $cfg.SSLSessionCacheSize }}); in the source code it is possible to check that the variable is represented by the option ssl-session-cache-size:

// Size of the SSL shared cache between all worker processes.
// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
SSLSessionCacheSize string `json:"ssl-session-cache-size,omitempty"`

So, all we need to do is create a configMap with this parameter and the desired value:

kind: ConfigMap
apiVersion: v1
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  ssl-session-cache-size: "100m"

Note: Adjust the namespace and configMap name to match your environment.

After applying this configMap, NGINX will reload the configuration and make the changes in the configuration file.

Check the result:

$ NGINX_POD=$(kubectl get pods -n ingress-nginx -l=app.kubernetes.io/component=controller -ojsonpath='{.items[].metadata.name}')

$ kubectl exec -n ingress-nginx $NGINX_POD -- cat nginx.conf | grep -n ssl_session_cache
223:    ssl_session_cache builtin:3000 shared:SSL:100m;

Conclusion

It would work as expected; unfortunately, I can't find a way to add a variable in the builtin:, so we will continue using it hardcoded, but this time it will be in a configMap that you can easily change if needed.

NGINX Ingress custom template

NGINX Ingress source code
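
Because the answer edits the template by line number (343), the edit silently does nothing if a different controller version places the directive on another line. The following is an added example, not part of the original answer: it patches by matching the directive itself and then checks the rendered value. The helper names patch_builtin and check_rendered are hypothetical, and the sample template lines in demo are constructed.

```shell
#!/bin/sh
# Added example; patch_builtin and check_rendered are hypothetical helper names.

# patch_builtin FILE SIZE: set builtin:<SIZE> on the ssl_session_cache line of a
# local nginx.tmpl copy. Refuses to write unless exactly one line carries it.
patch_builtin() {
    tmpl=$1 size=$2
    [ -f "$tmpl" ] || { echo "no such file: $tmpl" >&2; return 2; }
    case $size in
        ''|*[!0-9]*) echo "size must be digits only" >&2; return 2 ;;
    esac
    pat='^[[:space:]]*ssl_session_cache[[:space:]]\{1,\}builtin:[0-9]\{1,\}[[:space:]]'
    hits=$(grep -c "$pat" "$tmpl" || true)
    if [ "$hits" -ne 1 ]; then
        echo "expected 1 ssl_session_cache builtin line, found $hits" >&2
        return 1
    fi
    sed "/$pat/s/builtin:[0-9]\{1,\}/builtin:$size/" "$tmpl" > "$tmpl.new" &&
        mv "$tmpl.new" "$tmpl"
}

# check_rendered EXPECTED: reads a rendered nginx.conf on stdin and succeeds
# only if every ssl_session_cache directive in it has exactly that value.
# Usage: kubectl exec -n ingress-nginx "$NGINX_POD" -- cat nginx.conf |
#            check_rendered 'builtin:3000 shared:SSL:100m'
check_rendered() {
    want=$1
    got=$(sed -n 's/^[[:space:]]*ssl_session_cache[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p' | sort -u)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample: the directive line quoted on the page plus a neighbour.
    printf '%s\n' \
        '    ssl_session_timeout {{ $cfg.SSLSessionTimeout }};' \
        '    ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }};' \
        > "$dir/nginx.tmpl"
    patch_builtin "$dir/nginx.tmpl" 3000 && grep -n 'builtin:' "$dir/nginx.tmpl"
    rm -rf "$dir"
}
demo
```
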
