Merge pull request #1507 from aledbf/session-tickets

Add tls session ticket key setting
kubernetes · Oct 8, 2017 · 1f269d4 · 1f269d4
2 parents cab6cd2 + 29c0304
commit 1f269d4
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 1 deletion.
diff --git a/configuration.md b/configuration.md
@@ -516,6 +516,11 @@ Default is "true".
 
 **ssl-session-tickets:** Enables or disables session resumption through [TLS session tickets](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets).
 
+**ssl-session-ticket-key:** sets the secret key used to encrypt and decrypt TLS session tickets. The value must be a valid base64 string.
+http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
+By default, a randomly generated key is used.
+To create a ticket: `openssl rand 80 | base64 -w0`
+
 **ssl-session-timeout:** Sets the time during which a client may [reuse the session](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout) parameters stored in a cache.
 
 **upstream-max-fails:** Sets the number of unsuccessful attempts to communicate with the [server](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream) that should happen in the duration set by the `fail_timeout` parameter to consider the server unavailable.

diff --git a/pkg/nginx/config/config.go b/pkg/nginx/config/config.go
@@ -297,6 +297,12 @@ type Configuration struct {
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
 	SSLSessionTickets bool `json:"ssl-session-tickets,omitempty"`
 
+	// Sets the secret key used to encrypt and decrypt TLS session tickets.
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
+	// By default, a randomly generated key is used.
+	// Example: openssl rand 80 | base64 -w0
+	SSLSessionTicketKey string `json:"ssl-session-ticket-key,omitempty"`
+
 	// Time during which a client may reuse the session parameters stored in a cache.
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
 	SSLSessionTimeout string `json:"ssl-session-timeout,omitempty"`

diff --git a/pkg/nginx/controller/nginx.go b/pkg/nginx/controller/nginx.go
@@ -18,6 +18,7 @@ package controller
 
 import (
 	"bytes"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -480,7 +481,17 @@ func (n *NGINXController) SetConfig(cmap *apiv1.ConfigMap) {
 		}
 	}
 
-	n.backendDefaults = ngx_template.ReadConfig(m).Backend
+	c := ngx_template.ReadConfig(m)
+	if c.SSLSessionTicketKey != "" {
+		d, err := base64.StdEncoding.DecodeString(c.SSLSessionTicketKey)
+		if err != nil {
+			glog.Warningf("unexpected error decoding key ssl-session-ticket-key: %v", err)
+			c.SSLSessionTicketKey = ""
+		}
+		ioutil.WriteFile("/etc/nginx/tickets.key", d, 0644)
+	}
+
+	n.backendDefaults = c.Backend
 }
 
 // SetListers sets the configured store listers in the generic ingress controller

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -209,6 +209,10 @@ http {
     # allow configuring ssl session tickets
     ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};
 
+    {{ if not (empty $cfg.SSLSessionTicketKey ) }}
+    ssl_session_ticket_key /etc/nginx/tickets.key;
+    {{ end }}
+
     # slightly reduce the time-to-first-byte
     ssl_buffer_size {{ $cfg.SSLBufferSize }};