feat(config) default lua_ssl_trusted_certificate to system #8602

Merged
merged 13 commits into from
Apr 6, 2022
9 changes: 9 additions & 0 deletions CHANGELOG.md
Expand Up @@ -91,6 +91,15 @@
- Bumped inspect from 3.1.2 to 3.1.3
[#8589](https://github.com/Kong/kong/pull/8589)


### Breaking Changes

##### Configuration

- Change the default of `lua_ssl_trusted_certificate` to `system`
[#8602](https://github.com/Kong/kong/pull/8602). If you are upgrading from 2.x and want this variable to keep
working as before, please manually set it to `NONE` before upgrading.

### Additions

#### Plugins
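--- a/kong/templates/kong_defaults.lua
+++ b/kong/templates/kong_defaults.lua
@@ -166,7 +166,7 @@ worker_consistency = strict
 worker_state_update_frequency = 5
 
 lua_socket_pool_size = 30
-lua_ssl_trusted_certificate = NONE
+lua_ssl_trusted_certificate = system
 lua_ssl_verify_depth = 1
 lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
 lua_package_path = ./?.lua;./?/init.lua;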
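Review bot: The new default `system` makes the host CA bundle the trust store for Lua-side TLS, but the neighbouring `lua_ssl_verify_depth = 1` is left untouched; OpenSSL counts only intermediate CAs against that limit, so a peer chain with more than one intermediate would still fail verification against the system store, and the failure would look like a trust problem rather than a depth problem. Either raise the depth default in the same change or state the interaction where the option is documented. How the literal `system` is resolved to a bundle path is not part of this diff (presumably in the conf loader), so a reader of this template cannot tell whether a host without a resolvable bundle fails at startup or silently emits no directive; that behaviour belongs next to the CHANGELOG entry for this PR.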
15 changes: 10 additions & 5 deletions spec/01-unit/03-conf_loader_spec.lua
Expand Up @@ -851,9 +851,10 @@ describe("Configuration loader", function()
cluster_cert_key = "spec/fixtures/kong_clustering.key",
})
assert.is_nil(errors)
assert.same({
assert.contains(
pl_path.abspath("spec/fixtures/kong_clustering.crt"),
}, conf.lua_ssl_trusted_certificate)
conf.lua_ssl_trusted_certificate
)
assert.matches(".ca_combined", conf.lua_ssl_trusted_certificate_combined)

local conf, _, errors = conf_loader(nil, {
Expand All @@ -865,9 +866,10 @@ describe("Configuration loader", function()
cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
})
assert.is_nil(errors)
assert.same({
assert.contains(
pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"),
}, conf.lua_ssl_trusted_certificate)
conf.lua_ssl_trusted_certificate
)
assert.matches(".ca_combined", conf.lua_ssl_trusted_certificate_combined)
end)
it("doen't overwrite lua_ssl_trusted_certificate when autoload cluster_cert or cluster_ca_cert", function()
Expand Down Expand Up @@ -911,7 +913,10 @@ describe("Configuration loader", function()
cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
})
assert.is_nil(errors)
assert.same({}, conf.lua_ssl_trusted_certificate)
assert.not_contains(
pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"),
conf.lua_ssl_trusted_certificate
)
end)
it("resolves SSL cert/key to absolute path", function()
local conf, err = conf_loader(nil, {
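Review bot: Replacing `assert.same({}, conf.lua_ssl_trusted_certificate)` with `assert.not_contains(pl_path.abspath(...), conf.lua_ssl_trusted_certificate)` in the last hunk turns the "doesn't overwrite" test into a check that one path is absent, so it no longer pins what the resolved list actually is; a regression that emptied the list or replaced the configured entry with something else would still pass. Keep the absence check and add an equality on the expected value, e.g. `assert.same(expected, conf.lua_ssl_trusted_certificate)` where `expected` is derived from the explicit setting made in the test's setup (that setup is above the hunk, as is the `it` block's opening line). The same weakening applies to the `assert.contains` calls in the two earlier hunks: they confirm the cluster cert is present but not that the `system` entry survived alongside it; if `system` resolves to a single bundle entry, pinning the length (`assert.equal(2, #conf.lua_ssl_trusted_certificate)`) would restore that guarantee.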
6 changes: 3 additions & 3 deletions spec/01-unit/04-prefix_handler_spec.lua
Expand Up @@ -108,7 +108,7 @@ describe("NGINX conf compiler", function()
assert.matches("listen%s+127%.0%.0%.1:9001;", kong_nginx_conf)
assert.matches("server_name%s+kong;", kong_nginx_conf)
assert.matches("server_name%s+kong_admin;", kong_nginx_conf)
assert.not_matches("lua_ssl_trusted_certificate", kong_nginx_conf, nil, true)
assert.matches("lua_ssl_trusted_certificate.+;", kong_nginx_conf)
end)
it("compiles with custom conf", function()
local conf = assert(conf_loader(helpers.test_conf_path, {
Expand Down Expand Up @@ -235,10 +235,10 @@ describe("NGINX conf compiler", function()
local kong_nginx_conf = prefix_handler.compile_kong_conf(conf)
assert.matches("lua_ssl_verify_depth%s+1;", kong_nginx_conf)
end)
it("does not include lua_ssl_trusted_certificate by default", function()
it("includes default lua_ssl_trusted_certificate", function()
local conf = assert(conf_loader(helpers.test_conf_path))
local kong_nginx_conf = prefix_handler.compile_kong_conf(conf)
assert.not_matches("lua_ssl_trusted_certificate", kong_nginx_conf, nil, true)
assert.matches("lua_ssl_trusted_certificate.+;", kong_nginx_conf)
end)
it("sets lua_ssl_trusted_certificate to a combined file (single entry)", function()
local conf = assert(conf_loader(helpers.test_conf_path, {
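Review bot: The pattern `"lua_ssl_trusted_certificate.+;"` is weaker than it reads: in Lua patterns `.` also matches newlines and `+` is greedy, so it succeeds whenever the directive name appears anywhere and any `;` follows later in the generated config, without checking that the directive itself carries an argument. Tightening it to `assert.matches("lua_ssl_trusted_certificate%s+%S+;", kong_nginx_conf)` asserts a single-token argument on the same directive line; the same replacement applies to the identical assertion in the second hunk of this file. Asserting the concrete resolved path (or the `.ca_combined` suffix, as the conf loader spec does) would be stronger still if the expected value is available to these tests.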
1 change: 0 additions & 1 deletion spec/helpers.lua
Expand Up @@ -1909,7 +1909,6 @@ luassert:register("assertion", "cn", assert_cn,
"assertion.cn.negative",
"assertion.cn.positive")


do
--- Generic modifier "logfile"
-- Will set an "errlog_path" value in the assertion state.