Dynamic OCSP cache invalidation
What this PR does / why we need it:
The OpenResty Lua library has for about a year supported a new field for OCSP (next_update), which provides the exact value retrieved directly from the OCSP server for how long the response is valid. Here is the updated function in their repo: (https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ocsp.lua#L126)
This feature can be used starting from these versions of the libraries:
    export LUA_NGX_VERSION=v0.10.27
    export LUA_STREAM_NGX_VERSION=v0.0.15
    export LUA_RESTY_CORE=v0.1.29
Currently the main branch contains higher versions than these, so this feature is available to be used:
    export LUA_NGX_VERSION=v0.10.28
    export LUA_STREAM_NGX_VERSION=v0.0.16
    export LUA_RESTY_CORE=v0.1.31
The current solution caches the OCSP response for a fixed 3 days. This PR is able to set the cache expiry properly based on the real value provided by the OCSP response; if the OCSP response does not contain the next_update field (it is optional), we fall back to the original logic of a fixed 3 days.
This helps with better OCSP cache invalidation. A fixed 3 days is no longer needed as the only option.
Types of changes
- Bug fix (non-breaking change which fixes an issue)
- New feature (non-breaking change which adds functionality)
- CVE Report (Scanner found CVE and adding report)
- Breaking change (fix or feature that would cause existing functionality to change)
- Documentation only
How Has This Been Tested?
I received a request to create proper cache invalidation for our nginx ingress controllers, which are basically a fork of your repo from which we build the image of the nginx controller. So tests were done in our own k8s clusters across 2 stages. Thanks to the log messages introduced in this PR, we were able to see which value was used for cache invalidation directly in the nginx controller pods, and it matched the OCSP response provided by the OCSP server, hence we got much better cache invalidation.
K8s cluster 1.31.9, Nginx controller image built from your repo + the changes introduced in this PR.
Checklist:
- My change requires a change to the documentation.
- I have updated the documentation accordingly.
- I've read the CONTRIBUTION guide
- I have added unit and/or e2e tests to cover my changes.
- All new and existing tests passed.
Please point out any issue you see with this PR. It is the first time I am trying to merge code changes into your repo.
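The TTL computation this PR describes (use the OCSP response's nextUpdate when present, otherwise the old fixed 3 days), as an added example that is not the PR's own code nor the project's. It assumes that lua-resty-core's validate_ocsp_response() returns next_update as a third value, a Unix timestamp, when the optional field is present, and nil otherwise; the 60-second floor and the cap at the old 3-day window are this example's own design choices, not the PR's. The self-check at the bottom uses constructed timestamps and runs under plain lua, without nginx.

```lua
-- Added example (not ingress-nginx's own code): derive the OCSP cache TTL
-- from the response's nextUpdate, falling back to the fixed 3-day window.
--
-- Assumptions (labelled as such): with lua-resty-core >= v0.1.29,
-- ngx.ocsp.validate_ocsp_response() returns a third value, next_update, as a
-- Unix timestamp when the response carries the optional nextUpdate field,
-- and nil otherwise. The cache is an ngx.shared.DICT, whose set() treats an
-- exptime of 0 as "never expire", so a non-positive TTL must never reach it.

local DEFAULT_TTL = 3 * 24 * 3600   -- the fixed 3-day TTL used before this change
local MIN_TTL = 60                  -- assumed floor: refetch soon rather than cache forever
local MAX_TTL = DEFAULT_TTL         -- assumed cap: never cache longer than the old window

-- Returns the TTL in seconds to cache an OCSP response, plus a string naming
-- which rule picked it ("next_update" or "fallback") for the log line.
-- next_update: Unix timestamp from validate_ocsp_response(), or nil.
-- now: current Unix time (ngx.time() inside nginx; injectable for testing).
local function ocsp_cache_ttl(next_update, now)
  if type(next_update) ~= "number" or next_update <= 0 then
    -- nextUpdate is optional in an OCSP response; keep the old behaviour.
    return DEFAULT_TTL, "fallback"
  end

  local ttl = next_update - now
  if ttl <= MIN_TTL then
    -- The response is expired or about to expire. Passing ttl <= 0 to
    -- ngx.shared.DICT:set() would cache it forever, so clamp to the floor
    -- and let the next fetch pick up a fresh response.
    return MIN_TTL, "next_update"
  end
  if ttl > MAX_TTL then
    -- Assumed design choice: a responder handing out very long validity
    -- periods should not pin a status in the cache longer than before.
    return MAX_TTL, "next_update"
  end
  return ttl, "next_update"
end

-- How it would plug into the fetch-and-cache path (sketch, assumed API):
--   local ok, err, next_update = ocsp.validate_ocsp_response(resp, der_cert)
--   if not ok then ngx.log(ngx.ERR, "OCSP response validation failed: ", err) return end
--   local ttl, source = ocsp_cache_ttl(next_update, ngx.time())
--   ngx.log(ngx.INFO, "caching OCSP response for ", ttl, "s (", source, ")")
--   ocsp_response_cache:set(uid, resp, ttl)

-- Self-check with constructed timestamps (plain lua, no nginx needed).
local now = 1700000000
assert(ocsp_cache_ttl(nil, now) == DEFAULT_TTL)                     -- field absent
assert(ocsp_cache_ttl(now + 2 * 24 * 3600, now) == 2 * 24 * 3600)   -- real value used
assert(ocsp_cache_ttl(now - 10, now) == MIN_TTL)                    -- already expired
assert(ocsp_cache_ttl(now + 30 * 24 * 3600, now) == MAX_TTL)        -- capped
local _, source = ocsp_cache_ttl(nil, now)
assert(source == "fallback")
print("ocsp_cache_ttl checks passed")
```

The expired-response branch is the one worth keeping when adapting this: once the TTL is computed from a timestamp the responder controls, a stale response (or a clock that is off) can yield a zero or negative expiry, and ngx.shared.DICT would then keep that response indefinitely instead of refreshing it.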