Add tls session ticket key setting

pkg/nginx/config/config.go

@@ -297,6 +297,12 @@ type Configuration struct {
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
 	SSLSessionTickets bool `json:"ssl-session-tickets,omitempty"`
 
+	// Sets the secret key used to encrypt and decrypt TLS session tickets.
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
+	// By default, a randomly generated key is used.
+	// Example: openssl rand 80 | base64 -w0
+	SSLSessionTicketKey string `json:"ssl-session-ticket-key,omitempty"`
+
 	// Time during which a client may reuse the session parameters stored in a cache.
 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout
 	SSLSessionTimeout string `json:"ssl-session-timeout,omitempty"`

pkg/nginx/controller/nginx.go

@@ -18,6 +18,7 @@ package controller
 
 import (
 	"bytes"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -480,7 +481,17 @@ func (n *NGINXController) SetConfig(cmap *apiv1.ConfigMap) {
 		}
 	}
 
-	n.backendDefaults = ngx_template.ReadConfig(m).Backend
+	c := ngx_template.ReadConfig(m)
+	if c.SSLSessionTicketKey != "" {
+		d, err := base64.StdEncoding.DecodeString(c.SSLSessionTicketKey)
+		if err != nil {
+			glog.Warningf("unexpected error decoding key ssl-session-ticket-key: %v", err)
+			c.SSLSessionTicketKey = ""
+		}
+		ioutil.WriteFile("/etc/nginx/tickets.key", d, 0644)
+	}
+
+	n.backendDefaults = c.Backend
 }
 
 // SetListers sets the configured store listers in the generic ingress controller