feat(conf) add support for remaining variables (#9352)

* move creation of certificate and key files in a separate block
* add file creation for the remaining certs and keys: cluster_ and client_
* update configuration with generated path for cluster_* and client_*

kong/cmd/utils/prefix_handler.lua

@@ -461,24 +461,74 @@ local function prepare_prefix(kong_config, nginx_custom_template_path, skip_writ
         ssl_cert_key[1] = kong_config[prefix .. "ssl_cert_key_default"]
         ssl_cert[2]     = kong_config[prefix .. "ssl_cert_default_ecdsa"]
         ssl_cert_key[2] = kong_config[prefix .. "ssl_cert_key_default_ecdsa"]
+      end
+    end
+  end
 
-      else
-        local ssl_path = join(kong_config.prefix, "ssl")
-        makepath(ssl_path)
+  -- create certs files and assign paths if needed
+  do
 
-        for i, cert in ipairs(ssl_cert) do
-          local path = join(ssl_path, target .. "-" .. i .. ".crt")
-          write_ssl_cert(path, cert)
-          ssl_cert[i] = path
+    local function write_file_set_path(
+      file,
+      format,
+      write_func,
+      ssl_path,
+      target,
+      config_key
+    )
+      if type(file) == "string" then
+        if not exists(file) then
+          if not exists(ssl_path) then
+            makepath(ssl_path)
+          end
+          local path = join(ssl_path, target .. format)
+          write_func(path, file)
+          kong_config[config_key] = path
         end
 
-        for i, cert_key in ipairs(ssl_cert_key) do
-          local path = join(ssl_path, target .. "-" .. i .. ".key")
-          write_ssl_cert_key(path, cert_key)
-          ssl_cert_key[i] = path
+      else
+        for i, cert_key in ipairs(file) do
+          if not exists(cert_key) then
+            if not exists(ssl_path) then
+              makepath(ssl_path)
+            end
+            local path = join(ssl_path, target .. "-" .. i .. format)
+            write_func(path, cert_key)
+            file[i] = path
+          end
         end
       end
     end
+
+    for _, target in ipairs({
+      "proxy",
+      "admin",
+      "status",
+      "client",
+      "cluster"
+    }) do
+
+      local prefix
+      if target == "proxy" then
+        prefix = "ssl"
+      elseif target == "cluster" then
+        prefix = target
+      else
+        prefix = target .. "_ssl"
+      end
+
+      local cert_k = prefix .. "_cert"
+      local key_k = prefix .. "_cert_key"
+      local ssl_cert = kong_config[cert_k]
+      local ssl_cert_key = kong_config[key_k]
+
+      if ssl_cert and ssl_cert_key and #ssl_cert > 0 and #ssl_cert_key > 0 then
+        local ssl_path = join(kong_config.prefix, "ssl")
+
+        write_file_set_path(ssl_cert, ".crt", write_ssl_cert, ssl_path, target, cert_k)
+        write_file_set_path(ssl_cert_key, ".key", write_ssl_cert_key, ssl_path, target, key_k)
+      end
+    end
   end
 
   if kong_config.lua_ssl_trusted_certificate_combined then

kong/conf_loader/init.lua

@@ -752,7 +752,7 @@ local function check_and_infer(conf, opts)
           if not exists(cert) then
             local _, err = openssl_x509.new(cert)
             if err then
-              errors[#errors + 1] = prefix .. "ssl_cert: no such file at " .. cert
+              errors[#errors + 1] = prefix .. "ssl_cert: failed loading certificate from " .. cert
             end
           end
         end
@@ -763,7 +763,7 @@ local function check_and_infer(conf, opts)
           if not exists(cert_key) then
             local _, err = openssl_pkey.new(cert_key)
             if err then
-              errors[#errors + 1] = prefix .. "ssl_cert_key: no such file at " .. cert_key
+              errors[#errors + 1] = prefix .. "ssl_cert_key: failed loading key from " .. cert_key
             end
           end
         end
@@ -785,14 +785,14 @@ local function check_and_infer(conf, opts)
     if client_ssl_cert and not exists(client_ssl_cert) then
       local _, err = openssl_x509.new(client_ssl_cert)
       if err then
-        errors[#errors + 1] = "client_ssl_cert: no such file at " .. client_ssl_cert
+        errors[#errors + 1] = "client_ssl_cert: failed loading certificate from " .. client_ssl_cert
       end
     end
 
     if client_ssl_cert_key and not exists(client_ssl_cert_key) then
       local _, err = openssl_pkey.new(client_ssl_cert_key)
       if err then
-        errors[#errors + 1] = "client_ssl_cert_key: no such file at " ..
+        errors[#errors + 1] = "client_ssl_cert_key: failed loading key from " ..
                                client_ssl_cert_key
       end
     end
@@ -1013,14 +1013,14 @@ local function check_and_infer(conf, opts)
       if not exists(cluster_cert) then
         local _, err = openssl_x509.new(cluster_cert)
         if err then
-          errors[#errors + 1] = "cluster_cert: no such file at " .. cluster_cert
+          errors[#errors + 1] = "cluster_cert: failed loading certificate from " .. cluster_cert
         end
       end
 
       if not exists(cluster_cert_key) then
         local _, err = openssl_pkey.new(cluster_cert_key)
         if err then
-          errors[#errors + 1] = "cluster_cert_key: no such file at " .. cluster_cert_key
+          errors[#errors + 1] = "cluster_cert_key: failed loading key from " .. cluster_cert_key
         end
       end
     end

spec/01-unit/03-conf_loader_spec.lua

@@ -770,16 +770,16 @@ describe("Configuration loader", function()
             ssl_cert_key = "/path/cert_key.pem"
           })
           assert.equal(2, #errors)
-          assert.contains("ssl_cert: no such file at /path/cert.pem", errors)
-          assert.contains("ssl_cert_key: no such file at /path/cert_key.pem", errors)
+          assert.contains("ssl_cert: failed loading certificate from /path/cert.pem", errors)
+          assert.contains("ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
           assert.is_nil(conf)
 
           conf, _, errors = conf_loader(nil, {
             ssl_cert = "spec/fixtures/kong_spec.crt",
             ssl_cert_key = "/path/cert_key.pem"
           })
           assert.equal(1, #errors)
-          assert.contains("ssl_cert_key: no such file at /path/cert_key.pem", errors)
+          assert.contains("ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
           assert.is_nil(conf)
         end)
         it("requires SSL DH param file to exist", function()
@@ -1050,8 +1050,8 @@ describe("Configuration loader", function()
             client_ssl_cert_key = "/path/cert_key.pem"
           })
           assert.equal(2, #errors)
-          assert.contains("client_ssl_cert: no such file at /path/cert.pem", errors)
-          assert.contains("client_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+          assert.contains("client_ssl_cert: failed loading certificate from /path/cert.pem", errors)
+          assert.contains("client_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
           assert.is_nil(conf)
 
           conf, _, errors = conf_loader(nil, {
@@ -1060,7 +1060,7 @@ describe("Configuration loader", function()
             client_ssl_cert_key = "/path/cert_key.pem"
           })
           assert.equal(1, #errors)
-          assert.contains("client_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+          assert.contains("client_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
           assert.is_nil(conf)
         end)
         it("resolves SSL cert/key to absolute path", function()
@@ -1117,16 +1117,16 @@ describe("Configuration loader", function()
             admin_ssl_cert_key = "/path/cert_key.pem"
           })
           assert.equal(2, #errors)
-          assert.contains("admin_ssl_cert: no such file at /path/cert.pem", errors)
-          assert.contains("admin_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+          assert.contains("admin_ssl_cert: failed loading certificate from /path/cert.pem", errors)
+          assert.contains("admin_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
           assert.is_nil(conf)
 
           conf, _, errors = conf_loader(nil, {
             admin_ssl_cert = "spec/fixtures/kong_spec.crt",
             admin_ssl_cert_key = "/path/cert_key.pem"
           })
           assert.equal(1, #errors)
-          assert.contains("admin_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+          assert.contains("admin_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
           assert.is_nil(conf)
         end)
         it("resolves SSL cert/key to absolute path", function()
@@ -1188,8 +1188,8 @@ describe("Configuration loader", function()
             status_ssl_cert_key = "/path/cert_key.pem"
           })
           assert.equal(2, #errors)
-          assert.contains("status_ssl_cert: no such file at /path/cert.pem", errors)
-          assert.contains("status_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+          assert.contains("status_ssl_cert: failed loading certificate from /path/cert.pem", errors)
+          assert.contains("status_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
           assert.is_nil(conf)
 
           conf, _, errors = conf_loader(nil, {
@@ -1198,7 +1198,7 @@ describe("Configuration loader", function()
             status_ssl_cert_key = "/path/cert_key.pem"
           })
           assert.equal(1, #errors)
-          assert.contains("status_ssl_cert_key: no such file at /path/cert_key.pem", errors)
+          assert.contains("status_ssl_cert_key: failed loading key from /path/cert_key.pem", errors)
           assert.is_nil(conf)
         end)
         it("resolves SSL cert/key to absolute path", function()