kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0
17.28k stars 8.21k forks

OCSP response cache is not updated in a timely manner #10632

Open VWDude opened 10 months ago

VWDude commented 10 months ago

What happened:

We are using ingress-nginx with the config value "enable-ocsp": true. In the beginning this works as expected, but the OCSP cache is not updated when the response expires after 2 days. Taken from openssl response on 08.Nov.2023 13:53 GMT: [image]

What you expected to happen: OCSP cache is updated before the expiry and the response is still valid.

NGINX Ingress controller version:

NGINX Ingress controller
  Release:       v1.7.0
  Build:         72ff21ed9e26cb969052c753633049ba8a87ecf9
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.21.6

Kubernetes version:

Client Version: v1.27.2
Kustomize Version: v5.0.1
Server Version: v1.26.6

Environment:

How to reproduce this issue: (Re-)Start Ingress-Nginx pods and wait until the OCSP response is expired.

Anything else we need to know: Certificate provider: QuoVadis

It seems like the OCSP response is refreshed some time after the expiry (like a day after the expiry). As we just detected this issue, I don't have an exact time so far.

k8s-ci-robot commented 10 months ago

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

VWDude commented 10 months ago

Update: It seems like the update is fetched a day and some minutes later than expected: [image]

So instead of the expected Nov 8. 5:14:33 GMT, the answer is fetched on Nov 9. 5:17:00 GMT...
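
Added example, not part of the issue thread and not ingress-nginx code: a monitoring check that classifies the stapled OCSP response from the text output of `openssl s_client -status`, so an expired staple like the one reported above is flagged before clients see it. The sample output, the `staple_status` and `parse_validity` names, and the 25% refresh threshold are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl s_client -status` output (not taken from the issue).
SAMPLE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Produced At: Nov  6 05:14:33 2023 GMT
    Responses:
    Cert Status: good
    This Update: Nov  6 05:14:33 2023 GMT
    Next Update: Nov  8 05:14:33 2023 GMT
"""

_FIELD = re.compile(r"^\s*(This Update|Next Update):\s*(.+?)\s+GMT\s*$", re.M)

def parse_validity(text):
    """Return (this_update, next_update) as UTC datetimes, or None where absent."""
    fields = {}
    for name, value in _FIELD.findall(text):
        # split/join collapses the double space OpenSSL prints before one-digit days
        ts = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y")
        fields.setdefault(name, ts.replace(tzinfo=timezone.utc))
    return fields.get("This Update"), fields.get("Next Update")

def staple_status(text, now, warn_fraction=0.25):
    """Classify the staple as missing, unparsed, expired, refresh-due or fresh."""
    if "OCSP response: no response sent" in text:
        return "missing"
    this_update, next_update = parse_validity(text)
    if this_update is None or next_update is None:
        return "unparsed"
    if now >= next_update:
        return "expired"
    lifetime = next_update - this_update
    if next_update - now <= lifetime * warn_fraction:
        return "refresh-due"  # the cache should already have fetched a new response
    return "fresh"
```

Feed it the captured output of `openssl s_client -connect <host>:443 -servername <host> -status` with `now=datetime.now(timezone.utc)` and alert on anything other than `fresh`.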

github-actions[bot] commented 9 months ago

This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.

VWDude commented 8 months ago

Any updates here?

MrWusa commented 1 month ago

Would be interesting to know since we are facing the same problem since we use this feature. We are restarting our ingress very regularly because of this which is kind of annoying...