Stapling annotations for Ingresses


It would be great to support stapling with ingress annotations to something like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # hypothetical annotation proposed in this post; the controller does not currently recognise it
    kong: |
      ssl_stapling on;
      ssl_stapling_verify on;
  name: test-app
spec:
  rules:
  - host:            # hostname left blank in the original post
    http:
      paths:
      - backend:
          serviceName: test-app
          servicePort: 8080
        path: /
  tls:
  - hosts:           # hostnames left blank in the original post
    secretName: test-app-tls

If you’re okay applying this globally, you’d want to add these via injected proxy directives:

If you need to be able to control this on a per-service basis, it'd need support in Kong itself; the controller alone can't do it. You'd have to modify the template to add those directives with a variable value, and then have a plugin or service-level setting set the variable.

You might be able to inject a directive with a variable value and then set the value using a serverless access function, but I haven’t tested that myself.

Given the template change required, if you want to have this available as first-party/official functionality, you’ll want to raise it in the Kong feature request forum for review by the core developers.
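An added example of the global approach described in the reply above; it is not from the thread or the Kong project. Kong reads its configuration from environment variables on the proxy container, and a KONG_NGINX_PROXY_<DIRECTIVE> variable injects <directive> into the proxy server block of the generated nginx config (the kong.conf equivalent is nginx_proxy_<directive>). The Deployment name, namespace, container name, image tag and CA bundle path are assumptions.

```yaml
# Added example: inject ssl_stapling into Kong's proxy server block for every listener.
# kong.conf equivalents: nginx_proxy_ssl_stapling = on, nginx_proxy_ssl_stapling_verify = on
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-kong          # assumed name
  namespace: kong             # assumed namespace
spec:
  selector:
    matchLabels:
      app: ingress-kong
  template:
    metadata:
      labels:
        app: ingress-kong
    spec:
      containers:
      - name: proxy           # assumed container name
        image: kong:1.3       # assumed tag
        env:
        - name: KONG_NGINX_PROXY_SSL_STAPLING
          value: "on"
        - name: KONG_NGINX_PROXY_SSL_STAPLING_VERIFY
          value: "on"
        # nginx verifies the OCSP response against ssl_trusted_certificate, which must be a
        # file path inside the container; the bundle path below is an assumption.
        - name: KONG_NGINX_PROXY_SSL_TRUSTED_CERTIFICATE
          value: /etc/ssl/certs/ca-certificates.crt
```

After applying, confirm the directives reached the rendered config (assuming the default prefix) with `kubectl exec -n kong deploy/ingress-kong -c proxy -- grep ssl_stapling /usr/local/kong/nginx-kong.conf`, and check from a client with `openssl s_client -connect <host>:443 -servername <host> -status`, which prints an "OCSP Response Status" section when a staple is delivered. As the later replies in this thread explain, nginx's built-in stapling only covers certificates nginx loads itself; certificates served dynamically from Kong's store are selected in Lua, and stapling for those would have to be handled in Lua as well (OpenResty's ngx.ocsp API exists for that purpose).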

Yes actually, I tried to do this but unfortunately the certs are mounted by the ingresses so the stapling is ignored since nginx could not locate the TLS certificates. Do you know how to locate the dynamic certificates?
They are NOT generated/managed by a cert manager; it's a secret and mounted like in my ingress sample. For me they are in memory, which was the main reason why it would be more convenient to add the stapling in the annotation. Just my opinion :)

To clarify, there's very little in the controller that exists independent of Kong; what controller-specific stuff does exist is mostly switching between different modes of generating Kong configuration. You generally can't just add an annotation; the annotation needs to correspond to something in Kong configuration down the line, and is more an alternate means of expressing that configuration rather than a standalone thing.

Can you elaborate a bit more on what you want to do, and do you know of a way you can configure this as desired without the controller involved? If the answer to the latter is no, this would definitely require additional core functionality.

I’m not that familiar with OCSP, and am not entirely sure what should happen here. I’m a bit confused by your reference to mounting certificates–any certificate specified at the Ingress level isn’t mounted on the filesystem, but rather stored in Kong’s database or in-memory config. If you’d need ssl_stapling_file as well that’s almost certainly not possible, since those certs are never files, and TLS operations on them generally must be handled in Lua rather than using NGINX directives, which typically expect files.