api: client tls session resumption

[guydc]

What type of PR is this?

What this PR does / why we need it:

Introduces an API for TLS session management:

• Session Timeout
• Resumption opt-out option for stateless and stateful methods
• Allow users to configure a TLS session ticket encryption keys from k8s secrets

Envoy recommends rotating ticket encryption keys frequently. Multiple keys should be managed: a primary encryption key and one or more (previously rotated) decryption keys. Due to the complexity involved, Envoy-Gateway managed encryption keys are left out as future improvement.

Which issue(s) this PR fixes:
related #4268

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 66.00%. Comparing base (6eefb28) to head (8c33695).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4293      +/-   ##
==========================================
+ Coverage   65.98%   66.00%   +0.02%     
==========================================
  Files         197      197              
  Lines       23964    23964              
==========================================
+ Hits        15813    15818       +5     
+ Misses       7025     7022       -3     
+ Partials     1126     1124       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zhaohuabing]

Could we explain here what is the default strategy used by Envoy/EG - no TLS resumption, stateless TLS resumption, or Ssateful TLS resumption?

[zhaohuabing]

Could we add an intermediate layer SessionResumption here to group all the session-related parameters? This approach looks more intuitive to me.

[guydc]

Added a list of "typed" resumption settings and included docs explaining the default EG behavior.

[zhaohuabing]

Should we mention the risks of the shared ticket secret and suggestions to mitigate the risks? Like Envoy does: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-tlssessionticketkeys

[guydc]

after discussion yesterday, I reduced the scope of this PR to only deal with enable/disable of resumption. The types now include an explanation of performance, HA, functional and security impacts of different resumption methods.

[zhaohuabing]

If we add an intermediate layer, Enabled can replaced with a Type, aligning it with other EG APIs.

SessionResumption:
  Type: Stateless
  keys:
  - ...

[guydc]

Good input, I adopted this format.

[zhaohuabing]

Rethink on this, a fixed list of 2 elements seems a bit strange, what about the following structure? cc @arkodg as he always has great idea on how to shape the API :-)

SessionResumptionSettings:
   stateful: {}
   stateless: {}

[guydc]

Following yesterday's community meeting, some additional industry context.

Currently, Mozilla's SSL config generator recommends disabling stateless resumption (session tickets) for nginx, apache and haproxy for security reasons.

• https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1k&guideline=5.7
• https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=modern&openssl=1.1.1k&guideline=5.7
• https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&guideline=5.7

This is mostly due to insufficient rotation of session ticket encryption keys in these projects. There is an ongoing discussion on changing the recommendation for newer versions of nginx where keys are rotated: mozilla/server-side-tls#135.

BoringSSL rotates encryption keys by default every 48 hours: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets. Envoy doesn't change this behavior or make the rotation schedule configurable. Industry leaders like cloudflare rotate session ticket encryption keys every hour: https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/.

There is no security recommendation to disable stateful session resumption. However:

• Stateful resumption is no longer supported in TLSv1.3: https://www.wolfssl.com/tls-1-3-performance-resumption/
• Envoy has a well-known issue that can only be mitigated by disabling stateful session resumption: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions
• There is no way to synchronize session caches across proxy instances. The effort to support synchronization is significant: RFC: Enable TLS external session cache envoy#14553

nginx ingress by default disables stateful and stateless session resumption, but makes it possible to opt-in:

• https://github.com/kubernetes/ingress-nginx/blob/a9c9a9d51e48f50edd5e8e3084a5c485366ba6c4/rootfs/etc/nginx/template/nginx.tmpl#L426
• https://github.com/kubernetes/ingress-nginx/blob/a9c9a9d51e48f50edd5e8e3084a5c485366ba6c4/rootfs/etc/nginx/template/nginx.tmpl#L432

I propose that we change the current behavior and disable both resumption methods by default, but allow users to opt-in similar to nginx ingress.