Add support to disable session ticket

2025-03-28 05:58:04 -04:00 · 2025-03-28 05:58:04 -04:00 · f0cd6f210b
commit f0cd6f210b
parent bb7ef7b48a
18 changed files with 134 additions and 36 deletions
--- a/pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_options.yml
+++ b/pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_options.yml
@ -30,6 +30,7 @@ spec:
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
+  disableSessionTickets: true
  clientAuth:
    secretNames:
      - secret-ca1
--- a/pkg/provider/kubernetes/crd/fixtures/with_tls_options.yml
+++ b/pkg/provider/kubernetes/crd/fixtures/with_tls_options.yml
@ -30,6 +30,7 @@ spec:
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
+  disableSessionTickets: true
  clientAuth:
    secretNames:
      - secret-ca1
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@ -1273,6 +1273,8 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
 			tlsOption.ALPNProtocols = tlsOptionsCRD.Spec.ALPNProtocols
 		}

+		tlsOption.DisableSessionTickets = tlsOptionsCRD.Spec.DisableSessionTickets
+
 		tlsOptions[id] = tlsOption
 	}

--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
@ -732,7 +732,8 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 								},
 								ClientAuthType: "VerifyClientCertIfGiven",
 							},
-							SniStrict: true,
+							SniStrict:             true,
+							DisableSessionTickets: true,
 							ALPNProtocols: []string{
 								"h2",
 								"http/1.1",
@ -3401,7 +3402,8 @@ func TestLoadIngressRoutes(t *testing.T) {
 								},
 								ClientAuthType: "VerifyClientCertIfGiven",
 							},
-							SniStrict: true,
+							SniStrict:             true,
+							DisableSessionTickets: true,
 							ALPNProtocols: []string{
 								"h2",
 								"http/1.1",
--- a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/tlsoption.go
+++ b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/tlsoption.go
@ -44,7 +44,8 @@ type TLSOptionSpec struct {
 	// ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
 	// More info: https://doc.traefik.io/traefik/v3.3/https/tls/#alpn-protocols
 	ALPNProtocols []string `json:"alpnProtocols,omitempty"`
-
+	// DisableSessionTickets disables TLS session resumption via session tickets.
+	DisableSessionTickets bool `json:"disableSessionTickets,omitempty"`
 	// PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
 	// It is enabled automatically when minVersion or maxVersion is set.
 	// Deprecated: https://github.com/golang/go/issues/45430