Lua OCSP stapling

[ElvinEfendi]

For #4758

In order to avoid Nginx reload we have moved to dynamically handling TLS certificate serving using Lua a while ago. That also meant things like ssl_stapling directives became useless. This PR implements alternative to Nginx's ssl_stapling using Lua.

This is bare minimum implementation, expect a lot of rough edges.

The implementation tries to follow advice from https://gist.github.com/sleevi/5efe9ef98961ecfb4da8, but it is not even close to all the best practices mentioned there.

Another important shortcoming of this implementation to keep in mind is that Lua OCSP API does not provide API for thisUpdate and nextUpdate, therefore we are just caching responses for 3 days. This might and might not be acceptable by some users.

Also keep in mind that our implementation deos its best at stapling, vs vanilla Nginx staples only when the response is "good".

With all these in consideration, give it a try and let us know what can be improved, even better improve it yourself - patches are always welcome.

[ElvinEfendi]

Maybe it's worth to check how Nginx implements OCSP stapling.

[codecov-io]

Codecov Report

Merging #5133 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #5133   +/-   ##
=======================================
  Coverage   58.64%   58.64%           
=======================================
  Files          88       88           
  Lines        6913     6913           
=======================================
  Hits         4054     4054           
  Misses       2414     2414           
  Partials      445      445           

Impacted Files	Coverage Δ
internal/ingress/controller/template/configmap.go	76.41% <ø> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 42b3a1e...1dab12f. Read the comment docs.

[aledbf]

@ElvinEfendi please rebase

[k8s-ci-robot]

@ElvinEfendi: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-ingress-nginx-chart-lint	abad391644e398d7084c05e08fa1b409c6f3c218	link	/test pull-ingress-nginx-chart-lint

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[aledbf]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, ElvinEfendi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ElvinEfendi,aledbf]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[logopk]

I would like to reopen this:
Apparently the config works, but OCSP responses for revoked certs fail.

Today I wanted to switch certificates from RSA to ECC and revoked the RSA certs prior to installing the ECCs.

My OCSP-responder clearly indicated that the cert was revoked, but the browser, curl and openssl were happy.
So I first thought the config was wrong. But the option was still enabled.

So I looked at the logfiles and found the following line:

2021/11/03 16:54:31 [notice] 184#184: *10735 [lua] certificate.lua:171: fetch_and_cache_ocsp_response(): OCSP response validation failed: certificate status "revoked" in the OCSP response, context: ngx.timer, client: 192.168.1.19, server: 0.0.0.0:443

and openssl output was:

> openssl s_client -servername myserver.example.com -connect myserver.example.com:443 -status ' | grep"OCSP"
...
OCSP response: no response sent

My system is:

😄  minikube v1.23.2 auf Darwin 11.6.1
✨  Using the vmware driver based on existing profile
👍  Starting control plane node minikube in cluster minikube
🔄  Restarting existing vmware VM for "minikube" ...
🐳  Vorbereiten von Kubernetes v1.22.2 auf Docker 20.10.8.../ 
\ 
/ 

🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
    ▪ Using image k8s.gcr.io/metrics-server/metrics-server:v0.4.2
    ▪ Using image kubernetesui/dashboard:v2.3.1
    ▪ Using image k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3
    ▪ Using image kubernetesui/metrics-scraper:v1.0.7
    ▪ Using image k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0
    ▪ Using image k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0
🔎  Verifying ingress addon...
🌟  Enabled addons: storage-provisioner, ingress, metrics-server, default-storageclass, dashboard
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
configmap/ingress-nginx-controller configured

[logopk]

I just read the comment @ElvinEfendi at https://github.com/kubernetes/ingress-nginx/blob/30809c066cd027079cbb32dccc8a101d6fbffdcb/rootfs/etc/nginx/lua/certificate.lua
Lines 149ff

Well: "revoked" should be handled, as this is the purpose of OCSP in the first place :-(