feat(config) default lua_ssl_trusted_certificate to system
#8602
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ADD-SP
changed the title
lua_ssl_trusted_certificate to systemlua_ssl_trusted_certificate to system
ADD-SP
changed the title
lua_ssl_trusted_certificate to systemlua_ssl_trusted_certificate to system
dndx
reviewed
Mar 30, 2022
kikito
previously requested changes
Mar 30, 2022
ADD-SP
changed the title
lua_ssl_trusted_certificate to systemlua_ssl_trusted_certificate to system
bungle
requested changes
Apr 6, 2022
There was a problem hiding this comment.
@ADD-SP, please update this too:
https://github.com/Kong/kong/blob/master/kong.conf.default#L1382
To reflect that system is default.
bungle
approved these changes
Apr 6, 2022
dndx
reviewed
Apr 6, 2022
CHANGELOG.md
Outdated
Comment on lines
100
to
102
| [#8602](https://github.com/Kong/kong/pull/8602). If you are upgrading from 2.x and want this variable to keep | ||
| working as before, please manually set it to empty | ||
| (`lua_ssl_trusted_certificate = [nothing in here]`) before upgrading. |
There was a problem hiding this comment.
Suggested change
| [#8602](https://github.com/Kong/kong/pull/8602). If you are upgrading from 2.x and want this variable to keep | |
| working as before, please manually set it to empty | |
| (`lua_ssl_trusted_certificate = [nothing in here]`) before upgrading. | |
| [#8602](https://github.com/Kong/kong/pull/8602). |
Is probably enough.
We generally don't explain how to get it working like the 2.x in the CHANGELOG, plus in this case the behavior is not dangerous nor difficult for user to figure out by reading the kong.conf.default docs.
There was a problem hiding this comment.
Where do we usually mention these things?
Co-authored-by: Datong Sun <datong.sun@konghq.com>
dndx
reviewed
Apr 6, 2022
dndx
approved these changes
Apr 6, 2022
ADD-SP
added
pr/ready
kikito
added a commit
that referenced
this pull request
Apr 8, 2022
When `system` was opt-in, it made sense to "fail noisily" if the current system didn't have certs in any of the usual places and the user had opted in to system. Now that we look for them by default, the noisy behavior is incorrect, because it makes kong unable to start in places with no system certs. Instead, the abstence of default certificates gets logged, but Kong can continue without them. Related with #8602
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Change the default of
lua_ssl_trusted_certificatetosystem.Full changelog
kong/templates/kong_defaults.luato change the default value oflua_ssl_trusted_certificatetosystem.spec/helpers.luato add a register a new assert functionhas_value(table, value).spec/01-unit/03-conf_loader_spec.luaandspec/01-unit/04-prefix_handler_spec.luato adjust this changes.