Stapling annotations for Ingresses

Paul · July 5, 2020, 11:20pm

Hi,

It would be great to support stapling with ingress annotations to something like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/server-snippet: |
      ssl_stapling on;
      ssl_stapling_verify on;
  name: test-app
spec:
  rules:
  - host: test-app.example.com
    http:
      paths:
      - backend:
          serviceName: test-app
          servicePort: 8080
        path: /
  tls:
  - hosts:
    - test-app.example.com
    secretName: test-app-tls

traines · July 6, 2020, 7:00pm

If you’re okay applying this globally, you’d want to add these via injected proxy directives: https://docs.konghq.com/2.0.x/configuration/#injecting-nginx-directives

If you need to be able to control this on a per-service basis, it’d need support in Kong itself–the controller alone can’t do it. You’d have to modify the template to add those directives with a variable value, and then have a plugin or service-level setting set the variable.

You might be able to inject a directive with a variable value and then set the value using a serverless access function, but I haven’t tested that myself.

Given the template change required, if you want to have this available as first-party/official functionality, you’ll want to raise it in the Kong feature request forum for review by the core developers.

Paul · July 6, 2020, 10:10pm

Yes actually, I tried to do this but unfortunately the certs are mounted by the ingresses so the stapling is ignored since nains could not locate the TLS certificates. Do you know how to locate the dynamic certificates ?
They are NOT generated/managed by a cert manager, it’s a secret and mounted like in my ingress sample. For me they are in memory, it was the main reason why it should be more convenient to add the stapling in the annotation. Just my opinion

traines · July 6, 2020, 11:35pm

To clarify, there’s very little in the controller that exists independent of Kong–what controller-specific stuff does exist is more switching between different modes of generating Kong configuration. You generally can’t just add an annotation; the annotation needs to correspond to something in Kong configuration down the line, and is more an alternate means of expressing that configuration rather than a standalone thing.

Can you elaborate a bit more on what you want to do, and do you know of a way you can configure this as desired without the controller involved? If the answer to the latter is no, this would definitely require additional core functionality.

I’m not that familiar with OCSP, and am not entirely sure what should happen here. I’m a bit confused by your reference to mounting certificates–any certificate specified at the Ingress level isn’t mounted on the filesystem, but rather stored in Kong’s database or in-memory config. If you’d need ssl_stapling_file as well that’s almost certainly not possible, since those certs are never files, and TLS operations on them generally must be handled in Lua rather than using NGINX directives, which typically expect files.

Topic		Replies	Views
Kong Ingress Annotations (Redirect) Kubernetes	5	3743	May 22, 2022
TCPIngress how can I use it?	7	2181	November 17, 2020
Associate a KongIngress custom resource with an Ingress resource Kubernetes	1	1468	March 25, 2019
Ssl ingress controller Questions	3	1624	December 30, 2019
Verify client tls cert on specific endpoints in kubernetes Kubernetes	1	1782	May 27, 2020

Stapling annotations for Ingresses

Related Topics