Add OCSP support

[aledbf]

This PR adds support for OCSP transparently. This means the ingress controller will check the configured SSL certificate for missing intermediate certs and generate PEM file with the complete chain (this is required in NGINX to support OCSP)

No change is required in the existing certificates

fixes #416
fixes kubernetes-retired/contrib#1949

Test image: quay.io/aledbf/nginx-ingress-controller:0.253

[k8s-reviewable]

This change is 

[ConnorJC3]

I can confirm this works with kube-lego; however, I'm going to copy-paste my potential concerns from Slack:

Although, is there a fallback to not staple?
As if the ca doesn't support ocsp it can't be stapled

It's kinda hard for me to test that, because all my certs are let's encrypt, but I can see that being a problem

[aledbf]

As if the ca doesn't support ocsp it can't be stapled

In that case nginx disables ocsp.

[coveralls]

Coverage decreased (-0.1%) to 43.413% when pulling e7f8488ed44fc8e08177beb47e44b638045df79e on aledbf:ocsp into 1c6ff88 on kubernetes:master.

[coveralls]

Coverage increased (+0.08%) to 43.616% when pulling f6ba3ab on aledbf:ocsp into 1c6ff88 on kubernetes:master.

[rikatz]

How this impacts in the following situations:

1. Ingress machine (as we use bare metal) accepts incoming connections, but doesn't accepts outgoing connections? Everytime an SSL connection is made, NGINX tries to fetch SSL stapling from server?

2. What happens if the user uses only the Key and Cert, and not the full chain?

3. Is that possible we make this configurable through ConfigMap? Is this the case? So we do not have a new unexpected behaviour with this new feature.

@mrrandrade @jcmoraisjr please be advised of this before upgrading our Ingress Controller.

[aledbf]

1. Ingress machine (as we use bare metal) accepts incoming connections, but doesn't accepts outgoing connections?

Good point. I think we need this http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_file to avoid the request

2. What happens if the user uses only the Key and Cert, and not the full chain?

The controller inspect the certificate and downloads the missing intermediate certificates. In case of errors the ocsp stapling is disabled by nginx.

[rikatz]

But using a file requires that you download or made it available for the server, and assumes that you update it each hour (as it happens with CRL). Probably it would be better to make this not available, and enable it through ConfigMap.

The usage of a Responder is the best approach anyway, I'm just trying to figure out if there's some more impact in this change :)

[rossedman]

@aledbf @rikatz attempting to implement this. appears docs weren't updated with these changes, but if I understand the changes correctly you still use --default-ssl-certificate flag for ingress-controller but the file must be named namespace/*-full-chain.pem. Is this correct?

[aledbf]

@rossedman please check https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/cli-arguments.md

--default-ssl-certificate string Name of the secret that contains a SSL certificate to be used as default for a HTTPS catch-all server. Takes the form <namespace>/<secret name>.

[rossedman]

@aledbf thanks for the follow up, is there a way to do this on a specific endpoint through ingress rules or is it at the controller level only

[aledbf]

@rossedman what part? disable the ocsp?
The next version will include a flag to disable the intermediate CA certificate resolution #1699

[leonklingele]

Has anyone managed to get this working with Let's Encrypt (certs issued by cert-manager-v0.13.0) on v0.28.0?

I've tried to inject the OCSP directives directly to an Ingress with:

  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      ssl_stapling on;
      ssl_stapling_verify on;

and using the Helm values.yaml file:

controller:
  config:
    http-snippet: |
      ssl_stapling on;
      ssl_stapling_verify on;

but to no avail :/ OCSP simply isn't offered. Any idea?

It seems that this is working as expected (see #4651 (comment)). Also, --enable-dynamic-certificates has been deprecated (always enabled) which breaks OCSP stapling (Currently does not support OCSP stapling, https://kubernetes.github.io/ingress-nginx/user-guide/cli-arguments/)
Seriously?!

EDIT:
This is currently being worked on! 🎉 #4758 / #4868