ingress-nginx
Allow supplying ssl-session-ticket-key via secret.
To allow SSL session tickets it is necessary to use the same SSL session ticket secret key across all ingress pods. The ingress controller takes .Values.controller.ssl-session-ticket-key, puts it into the /etc/nginx/tickets.key key file, and adds ssl_session_ticket_key /etc/nginx/tickets.key to the nginx config. The values.yaml file is often stored in a git repository and is typically not considered secret. Having ssl-session-ticket-key in values.yaml makes it secret.

The ask is to allow specifying a K8s Secret that holds the SSL ticket key(s). The keys are put into the config in reverse alphabetical order to allow easy key rotation. The first key would be the most recent and have the largest index.

This could be enhanced by allowing the ingress controller to rotate keys automatically. Depending on TTL and rotation period, two or more keys could be written to a Secret, which would be a way to distribute keys in real time. The SSL session key wouldn't need to be configured manually in this case.
values.yaml:

```yaml
controller:
  sessionKeysSecretName: ingress-nginx-session-keys
```

ingress-nginx-session-keys.yaml:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: ingress-nginx-session-keys
stringData:
  key1: <some random key>
  key2: <other key>
  ...
type: Opaque
```
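The proposal above describes a small pipeline: read the keys out of the Secret, order them newest first, write one file per key, and emit one `ssl_session_ticket_key` directive per file so nginx encrypts new tickets with the first key and can still decrypt tickets issued under the older ones. The script below is an added example written for this page, not code from ingress-nginx or from the issue author. It assumes the Secret layout proposed in the issue (`key1`, `key2`, ... as `Opaque` data), and the function names, the key-file directory and the constructed sample Secret are all assumptions. It goes slightly beyond the issue's "reverse alphabetical" rule by sorting on (length, name) so that `key10` lands ahead of `key9` instead of between `key1` and `key2`, and it adds the rotation step the second paragraph sketches.

```python
"""Render nginx ssl_session_ticket_key directives from a Kubernetes Secret.

Example code added to this page; not part of ingress-nginx.  The Secret layout
(key1, key2, ... as Opaque data) follows the issue; the helper names, the
key-file directory and the sample Secret are assumptions.
"""
import base64
import os
import secrets
import tempfile
from typing import Dict, List, Tuple

# nginx accepts only 48-byte or 80-byte files for ssl_session_ticket_key.
VALID_KEY_SIZES = (48, 80)

# Constructed Secret shaped like `kubectl get secret -o json` output (values in
# `data` are base64).  The key bytes are fixed filler, not keys from any deployment.
SAMPLE_SECRET: Dict = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "ingress-nginx-session-keys"},
    "type": "Opaque",
    "data": {
        "key1": base64.b64encode(bytes([1]) * 80).decode(),
        "key2": base64.b64encode(bytes([2]) * 80).decode(),
    },
}


def sort_newest_first(names: List[str]) -> List[str]:
    """Largest index first.  Sorting by (length, name) instead of plain reverse
    alphabetical keeps key10 ahead of key9 rather than between key1 and key2."""
    return sorted(names, key=lambda n: (len(n), n), reverse=True)


def decode_keys(secret: Dict) -> List[Tuple[str, bytes]]:
    """Base64-decode every key, reject sizes nginx would refuse, newest first."""
    decoded = {}
    for name, b64 in secret["data"].items():
        raw = base64.b64decode(b64, validate=True)
        if len(raw) not in VALID_KEY_SIZES:
            raise ValueError(f"{name}: {len(raw)} bytes, need one of {VALID_KEY_SIZES}")
        decoded[name] = raw
    return [(n, decoded[n]) for n in sort_newest_first(list(decoded))]


def write_key_files(keys: List[Tuple[str, bytes]], directory: str) -> List[str]:
    """Write one mode-0400 file per key; paths come back in the same newest-first order."""
    paths = []
    for name, raw in keys:
        path = os.path.join(directory, f"{name}.key")
        with open(path, "wb") as fh:
            fh.write(raw)
        os.chmod(path, 0o400)
        paths.append(path)
    return paths


def render_directives(paths: List[str]) -> str:
    """nginx encrypts new tickets with the first key listed and decrypts with all of them."""
    return "\n".join(f"ssl_session_ticket_key {p};" for p in paths)


def render_from_secret(secret: Dict, directory: str = None) -> str:
    """Whole pipeline: Secret -> key files -> nginx directives (newest key first)."""
    directory = directory or tempfile.mkdtemp(prefix="tickets-")
    return render_directives(write_key_files(decode_keys(secret), directory))


def rotate(secret: Dict, size: int = 80) -> Tuple[Dict, str]:
    """Add a fresh random key under the next index; older keys stay so that
    tickets issued under them still resume until they are retired."""
    indices = [int(n[3:]) for n in secret["data"] if n.startswith("key") and n[3:].isdigit()]
    new_name = f"key{max(indices, default=0) + 1}"
    new_data = {**secret["data"], new_name: base64.b64encode(secrets.token_bytes(size)).decode()}
    return {**secret, "data": new_data}, new_name


def retire_oldest(secret: Dict, keep: int) -> Dict:
    """Keep only the `keep` newest keys, so tickets older than `keep` rotation
    periods can no longer be resumed (this bounds forward-secrecy exposure)."""
    keep_names = sort_newest_first(list(secret["data"]))[:keep]
    return {**secret, "data": {n: secret["data"][n] for n in keep_names}}


if __name__ == "__main__":
    rotated, _ = rotate(SAMPLE_SECRET)
    print(render_from_secret(retire_oldest(rotated, keep=2)))
```

One caveat the YAML above glosses over: nginx reads the key file as raw bytes and requires exactly 48 or 80 of them, so the Secret should carry base64 of random bytes under `data:` (for example the output of `openssl rand 80 | base64`) rather than an arbitrary string under `stringData:`; `decode_keys` rejects anything of another size before it reaches nginx.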
@ksa-real: This issue is currently awaiting triage.
If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale