Add option to specify OCSP server #3497

[hugoboos]

What this PR does / why we need it:
Adds option to specify OCSP server on the CA issuer.

Which issue this PR fixes *:
fixes #3497

Special notes for your reviewer:

Release note:

Added the option to specify the OCSP server for certificates issued by the CA issuer

[jetstack-bot]

Hi @hugoboos. Thanks for your PR.

I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hugoboos]

/assign @jakexks

[jakexks]

/ok-to-test

[hugoboos]

/retest

[wallrj]

Thanks @hugoboos

You'll need to rebase and regenerate and update the copyright headers because we just merged a change to the boilerplate header.

If the OCSP value must be a URL, then we could add some API validation to avoid users setting a bad value here. See https://github.com/jetstack/cert-manager/blob/11353f2936c42f3b2bc91d62be969bf7efa9f50e/pkg/internal/apis/certmanager/validation/issuer_test.go

[maelvls]

Not sure what's the status of this PR, can we have it merged for v1.2 or should we bump it to v1.3?

/assign @JoshVanL

[munnerz]

This name is singular, but it's a slice? Should this be ocspServers?

[maelvls]

Aaah I know why it was using a singular name: the standard library's x509.go uses a singular name!

// RFC 5280, 4.2.2.1 (Authority Information Access)
OCSPServer            []string
IssuingCertificateURL []string

The RFC 5280 describe the authority information access field (= analogous to our ocspServer array) as (ASN.1-like syntax):

   id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }

   AuthorityInfoAccessSyntax  ::=
           SEQUENCE SIZE (1..MAX) OF AccessDescription

   AccessDescription  ::=  SEQUENCE {
           accessMethod          OBJECT IDENTIFIER,
           accessLocation        GeneralName  }

   id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }

   id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }

   id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }

→ I renamed OCSPServer to OCSPServers, is that still OK?

[hugoboos]

Yes, i have reused the naming from x509.go and the certificate.

[munnerz]

We did this previously (reused the names from x509 for some fields) and eventually moved away from it (e.g. 'organization -> organizations').

I think OCSPServers makes sense to me! 😄

[munnerz]

Can we add a test case for this to ensure that it's being properly plumbed through?

[maelvls]

ensure that it's being properly plumbed

@munnerz Where do you think I could add a test? I'm not sure where 😅

[maelvls]

/retest

[maelvls]

/retest

Those pesky Venafi Cloud tests are still failing 😞

[munnerz]

@munnerz Where do you think I could add a test? I'm not sure where 😅

I think a unit test in the CA issuer code that ensures that given an issuer that configures ocspServers, a resulting certificate will contain those OCSP servers would suffice.

I'd expect to see this in pkg/issuer/ca: https://github.com/jetstack/cert-manager/tree/master/pkg/issuer/ca - we are missing explicit tests in here right now, so having this as the first example will pave the way for us to write tests for the existing CA-issuer specified fields (I think there's only one other, CRLDistributionPoints, and that was added recently)

[maelvls]

A unit test in the CA issuer code that ensures that given an issuer that configures ocspServers , a resulting certificate will contain those OCSP servers would suffice.

@munnerz How can I test that ca.CA can issue a certificate? ca.CA does not seem to implement Issue() :(

[maelvls]

I tried writing a new unit test in pkg/controller/certificaterequests/ca but I had no way to check that the oscpServers has been properly set in the resulting certificate.

I started to write a new unit test that does check the created certificate; you can see it on another branch (take a look at ca_test.go).

I have not finished and I really wish we could add this ocspServers feature to v1.2-alpha.2 we are going to release this morning

@munnerz What do you think? I will create a new issue "add unit test for ocspServers and crlDistributionPoints" and point to the existing branch I started

[maelvls]

After a discussion during the 1.2-alpha.2 release meeting, we will skip the 1.2-alpha.2 in order to get the PR properly tested 👍 I will personally make sure to get this unit tested! Tracked here: #3636

[wallrj]

/lgtm

[wallrj]

/lgtm

[jakexks]

/kind feature
/approve

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hugoboos, jakexks, wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jakexks,wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[maelvls]

Another task that I forgot to do as part of this PR: document the ocspServers feature on the website! The crlDistributionPoint feature is already in cert-manager/website#164, we should do the same

Still to be done:

1. Document ocspServers website#425 to document the new ocspServers field,
2. Add a unit test around the new ocspServers and crlDistributionPoints #3636 to unit test crlDistributionPoint and ocspServers.