Automate OCSP Staple/Response Fetching

[inFocus7]

Version

None

Is your feature request related to a problem? Please describe.

We've exposed the configuration needed to have an OCSP response stapled to a TLS request, but we do not handle automating the OCSP response fetched. Currently, a customer would have to manually rotate secrets every time they want to update the OCSP response stapled.

Envoy is currently not capable of fetching OCSP responses directly. However, a control plane or an operator may configure Envoy to use pre-computed OCSP responses.

- guydc, from original issue

Describe the solution you'd like

We'd like to automate the OCSP response fetching process so users won't have to manually do so.

We could do so by adding logic (ex. updating our control plane, and/or creating a service like ext-auth?) which automatically fetches an updated OCSP response every X {time_unit}.

Describe alternatives you've considered

No response

Additional Context

• The initial work exposing Envoy's OCSP stapling in Gloo was done in #5605
• A design document for the initial Envoy exposure work can be found here - it also slightly touches on the automation portion and what we can look for.
• Certificates that produce OCSP responses tend to (/always?) have an Authority Information Access extension which can hold the OCSP server's address. more info
  • Through Go, we should be able to convert the certificate string stored into an x509.Certificate ( example ) and get the server through certificate.OCSPStaple to then ping for an updated OCSP response.
  • A great example of OCSP response fetching is found in cert-manager's WIP OCSP PR

[github-actions[bot]]

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.