What are you trying to do
HAProxy supports OCSP stapling to provide certificate status along with the server certificate during the TLS handshake; this speeds up synchronous clients and also helps protect site visitors' privacy, as they are not making OCSP requests themselves.
A certificate requester may even explicitly specify the OCSP Must-Staple option as part of the CSR, and the certificate will not work unless an OCSP object is provided along with the issued certificate (at least in browsers that properly implement it, e.g. Firefox).
It would be great if HAProxy Ingress had some integration to automate OCSP stapling responses for all ingress objects with certificates.
What HAProxy Ingress should do or how it should behave differently
HAProxy allows for configuration of OCSP stapling in two ways: statically, via an .ocsp file next to the certificate, and dynamically, via the runtime API.
However, those OCSP objects usually have a TTL of about 7 days, so there would need to be some sort of background worker that renews them at certain intervals.
Ideally, this feature would be configurable as both a global flag and explicit ingress object annotations for some granular control.
Hopefully, this could be implemented 🙂
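The static .ocsp file and runtime API paths described above, worked through as a hypothetical renewal worker (an added shell example, not code from HAProxy Ingress or HAProxy). It assumes the issuer chain sits beside the certificate as <cert>.issuer, that the runtime socket is at /var/run/haproxy.sock, and that GNU date/base64, openssl and socat are available.

```shell
# Hypothetical OCSP renewal worker (added example, not HAProxy Ingress code).
# Assumes HAProxy's static layout: cert at <cert>, staple at <cert>.ocsp, issuer
# chain (incl. trust anchor) at <cert>.issuer; socket path and GNU tools assumed.
set -eu
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"
# Path of the static staple file HAProxy loads next to a certificate.
ocsp_path_for() { printf '%s.ocsp\n' "$1"; }

# Renew once more than half of the thisUpdate..nextUpdate window has elapsed,
# or immediately when no staple exists yet (empty next_update). Epoch seconds.
refresh_due() {
    now=$1; this_update=$2; next_update=${3:-}
    [ -z "$next_update" ] && return 0
    [ "$now" -ge $(( this_update + (next_update - this_update) / 2 )) ]
}

# Print "<thisUpdate> <nextUpdate>" of the current staple in epoch seconds,
# or "0 " when there is none yet.
staple_window() {
    out=$(ocsp_path_for "$1")
    [ -f "$out" ] || { printf '0 \n'; return; }
    openssl ocsp -respin "$out" -noverify -text 2>/dev/null \
        | sed -n -e 's/^ *This Update: //p' -e 's/^ *Next Update: //p' \
        | while read -r ts; do date -u -d "$ts" +%s; done | tr '\n' ' '
}

# Fetch a fresh response from the responder named in the certificate's AIA
# extension and atomically replace the static .ocsp file.
fetch_staple() {
    cert=$1; issuer="$cert.issuer"; out=$(ocsp_path_for "$cert")
    uri=$(openssl x509 -noout -ocsp_uri -in "$cert")
    openssl ocsp -issuer "$issuer" -CAfile "$issuer" -cert "$cert" \
        -url "$uri" -no_nonce -respout "$out.tmp" >/dev/null
    mv "$out.tmp" "$out"
}

# Load the DER response into the running HAProxy via the runtime API, no reload.
push_staple() {
    printf 'set ssl ocsp-response %s\n' "$(base64 -w0 "$(ocsp_path_for "$1")")" \
        | socat stdio "unix-connect:$HAPROXY_SOCK"
}

# One worker pass for a certificate; run it from cron or a loop.
main() {
    cert=$1; set -- $(staple_window "$cert")
    if refresh_due "$(date +%s)" "$1" "${2:-}"; then
        fetch_staple "$cert" && push_staple "$cert"
    fi
}
if [ $# -ge 1 ]; then main "$@"; fi
```

Invoked as a pass per certificate file, it only contacts the responder once half of the current staple's validity window has passed, so a 7-day response is refreshed around day 3 or 4 rather than on every run.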