Add OCSP support #1475
Conversation
I can confirm this works with kube-lego; however, I'm going to copy-paste my potential concerns from Slack:
In that case nginx disables ocsp.
Coverage decreased (-0.1%) to 43.413% when pulling e7f8488ed44fc8e08177beb47e44b638045df79e on aledbf:ocsp into 1c6ff88 on kubernetes:master.
How this impacts the following situations:
@mrrandrade @jcmoraisjr please be advised of this before upgrading our Ingress Controller.
Good point. I think we need this http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_file to avoid the request
The controller inspects the certificate and downloads the missing intermediate certificates. In case of errors, OCSP stapling is disabled by nginx.
But using a file requires that you download it or make it available to the server, and assumes that you update it every hour (as happens with CRLs). Probably it would be better to make this not available by default, and enable it through the ConfigMap. The usage of a Responder is the best approach anyway; I'm just trying to figure out if there's some more impact in this change :)
@rossedman please check https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/cli-arguments.md
@aledbf thanks for the follow up, is there a way to do this on a specific endpoint through ingress rules or is it at the controller level only?
@rossedman What part? Disable the OCSP?
Has anyone managed to get this working with Let's Encrypt (certs issued by cert-manager-v0.13.0) on v0.28.0? I've tried to inject the OCSP directives directly to an Ingress with:
and using the Helm
but to no avail :/ OCSP simply isn't offered. Any idea? It seems that this is working as expected (see #4651 (comment)). Also,
This PR adds support for OCSP transparently. This means the ingress controller will check the configured SSL certificate for missing intermediate certs and generate a PEM file with the complete chain (this is required in NGINX to support OCSP).
No change is required in the existing certificates
fixes #416
fixes kubernetes-retired/contrib#1949
Test image:
quay.io/aledbf/nginx-ingress-controller:0.253
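The chain-completion check the PR description above relies on (and that the earlier comment describes as "inspects the certificate and downloads the missing intermediate certificates"), as an added illustration in Go, the language of ingress-nginx. This is not the PR's own code: it builds a constructed root -> intermediate -> leaf chain in memory, encodes it as a PEM bundle the way a TLS secret carries it, and then walks from the leaf upward, reporting the Authority Information Access "CA Issuers" URLs of the first certificate whose issuer is missing from the bundle. The URLs and names are constructed placeholders; the actual HTTP download of the intermediate is left out, since this example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

const IntermediateURL = "http://ca.example.invalid/intermediate.der" // constructed AIA URL, not a real endpoint
const RootURL = "http://ca.example.invalid/root.der"                 // constructed AIA URL, not a real endpoint

// issue creates a certificate for cn signed by parent (self-signed when parent is nil); aia, if given, becomes its "CA Issuers" pointer.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, aia ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial, unique enough here
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		IssuingCertificateURL: aia,
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildTestChain issues a constructed root -> intermediate -> leaf chain in memory.
func BuildTestChain() (leaf, inter, root *x509.Certificate) {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", true, root, rootKey, RootURL)
	leaf, _ = issue("ingress.example.invalid", false, inter, interKey, IntermediateURL)
	return leaf, inter, root
}

// ToPEM concatenates certificates into one PEM bundle, leaf first, as a TLS secret carries them.
func ToPEM(certs ...*x509.Certificate) (out []byte) {
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// ParseBundle decodes every CERTIFICATE block of a PEM bundle, ignoring other block types.
func ParseBundle(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, err
			}
			certs = append(certs, c)
		}
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks in bundle")
	}
	return certs, nil
}

// MissingIssuers walks upward from the leaf (certs[0]) and returns the CA Issuers URLs of the first
// certificate whose issuer is absent from the bundle; nil means the chain already ends in a self-signed root.
func MissingIssuers(certs []*x509.Certificate) []string {
	cur := certs[0]
	for range certs { // bounded: every step moves to a different bundle member
		if cur.CheckSignatureFrom(cur) == nil {
			return nil // self-signed root reached: nothing left to fetch
		}
		var issuer *x509.Certificate
		for _, cand := range certs {
			if cand != cur && cur.CheckSignatureFrom(cand) == nil {
				issuer = cand
				break
			}
		}
		if issuer == nil {
			return cur.IssuingCertificateURL // nil if there is no AIA pointer to follow either
		}
		cur = issuer
	}
	return nil
}
```

For a bundle holding only the leaf, MissingIssuers returns the intermediate's URL; with leaf and intermediate it points at the root; with the full chain it returns nil. The same walk applied to a real tls.crt tells you whether nginx will have the intermediates it needs to verify a stapled response, which is the condition under which it otherwise silently disables stapling.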