
feat(conf): allow *_cert and *_cert_key to be stored in environment variables and vaults #9253

Merged
merged 7 commits into from
Oct 4, 2022

Conversation

bungle
Member

@bungle bungle commented Aug 16, 2022

Summary

Allow several kong.conf values to be stored in vaults or environment variables:

  • ssl_cert
  • ssl_cert_key
  • admin_ssl_cert
  • admin_ssl_cert_key
  • status_ssl_cert
  • status_ssl_cert_key
  • cluster_cert
  • cluster_cert_key
  • client_ssl_cert
  • client_ssl_cert_key
  • cluster_ca_cert
  • ssl_dhparam
  • lua_ssl_trusted_certificate

Usage

The following is possible after this commit is merged:

# CERT: normal environment variable initialized from a file
# KONG_SSL_CERT: a secret reference resolved through the env vault
# KONG_SSL_CERT_KEY: content of the key file read directly into the env var
# (comments must precede the command: a "\ # ..." after each continuation
#  breaks the line continuation and kong would start without the variables)
CERT=$(<cert.crt)                  \
KONG_SSL_CERT="{vault://env/cert}" \
KONG_SSL_CERT_KEY="$(<cert.key)"   \
kong start

(FT-3244)

@bungle bungle added the pr/wip A work in progress PR opened to receive feedback label Aug 16, 2022
@bungle bungle force-pushed the feat/conf-certs-env-and-vaults branch from ef340f5 to 1c17b18 August 19, 2022 10:50
@bungle bungle force-pushed the feat/conf-certs-env-and-vaults branch from 1c17b18 to d13f432 August 26, 2022 10:50
@bungle bungle force-pushed the feat/conf-certs-env-and-vaults branch from 2990779 to 2f595c2 September 2, 2022 13:18
@bungle bungle force-pushed the feat/conf-certs-env-and-vaults branch from 1fc5f70 to 78ab363 September 13, 2022 06:52
@bungle bungle marked this pull request as ready for review September 13, 2022 08:25
@bungle bungle requested a review from a team as a code owner September 13, 2022 08:25
@bungle bungle removed the pr/wip A work in progress PR opened to receive feedback label Sep 13, 2022
@bungle bungle added this to the 3.1 milestone Sep 13, 2022
@bungle bungle force-pushed the feat/conf-certs-env-and-vaults branch from 9ab96cf to fd0df1e September 13, 2022 08:32
@bungle bungle changed the title feat(conf) allow *_cert and *_cert_key to be stored in environment variables and vaults feat(conf): allow *_cert and *_cert_key to be stored in environment variables and vaults Sep 23, 2022
bungle and others added 7 commits October 4, 2022 13:57
…ariables and vaults

### Summary

Allow several `kong.conf` values to be stored in vaults or environment variables:

- `ssl_cert`
- `ssl_cert_key`
- `admin_ssl_cert`
- `admin_ssl_cert_key`
- `status_ssl_cert`
- `status_ssl_cert_key`
- `cluster_cert`
- `cluster_cert_key`
- `client_ssl_cert`
- `client_ssl_cert_key`

#### Usage

The following is possible after this commit is merged:

```bash
# CERT: normal environment variable initialized from a file
# KONG_SSL_CERT: a secret reference resolved through the env vault
# KONG_SSL_CERT_KEY: content of the key file read directly into the env var
# (comments must precede the command: a "\ # ..." after each continuation
#  breaks the line continuation and kong would start without the variables)
CERT=$(<cert.crt)                  \
KONG_SSL_CERT="{vault://env/cert}" \
KONG_SSL_CERT_KEY="$(<cert.key)"   \
kong start
```
* move creation of certificate and key files in a separate block
* add file creation for the remaining certs and keys: cluster_ and client_
* update configuration with generated path for cluster_* and client_*
* support base64 encoded *_cert and *_cert_key
* support base64url encoding

This adds a test case to ensure base64 encoded properties are correctly
parsed and decoded.
…cate

This adds  to
the supported properties that can be assigned via environment variables
or vault.
* test all base64 decodings
* test that properties passed as content result in files being stored
* base64 conversion is moved later in the flow in order to make
  it safer, so that values like system are not attempted to
  be decoded
* test coverage for the content of the created files
* refactoring
Update kong.conf.default to reflect the fact some properties
can be configured directly via content or base64
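The following is an added illustration, not Kong's own code (the feature itself is implemented in Kong's Lua configuration loader): a small Python model of the resolution order that the Usage section and the commit notes above describe. A `{vault://env/<name>}` reference is resolved against the environment (assumption: the env vault maps `<name>` to an upper-cased variable with `-` turned into `_`, so `cert` reads `CERT`; query parameters on references are not modelled), and a `*_cert` / `*_cert_key` value is then classified as the `system` sentinel, an existing path, inline PEM content, or base64 / base64url-encoded PEM, with decoding attempted last so that sentinels and paths are never mangled. Inline content is written to a 0600 file. The PEM and the property names in `demo()` are constructed placeholders.

```python
import base64
import binascii
import os
import re
import stat
import tempfile

# Constructed placeholder PEM (not a real certificate or key).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "cGxhY2Vob2xkZXIgY2VydGlmaWNhdGUgYm9keQ==\n"
    "-----END CERTIFICATE-----\n"
)
# The same content as it might be handed over through an environment variable.
SAMPLE_B64 = base64.b64encode(SAMPLE_PEM.encode()).decode()
SAMPLE_B64URL = base64.urlsafe_b64encode(SAMPLE_PEM.encode()).decode().rstrip("=")

ENV_VAULT_REF = re.compile(r"^\{vault://env/([A-Za-z0-9_-]+)\}$")  # simplified
PEM_MARKER = "-----BEGIN "
SENTINELS = {"system"}  # assumption: special value kept verbatim, never decoded


def resolve_env_reference(value, env=None):
    """Return the variable a {vault://env/<name>} reference points at.

    Assumption: <name> maps to an upper-cased variable with '-' -> '_'
    (so {vault://env/cert} reads CERT). Non-references pass through unchanged.
    """
    env = os.environ if env is None else env
    match = ENV_VAULT_REF.match(value.strip())
    if not match:
        return value
    var = match.group(1).upper().replace("-", "_")
    if var not in env:
        raise KeyError(f"env vault reference {value!r} points at unset variable {var}")
    return env[var]


def _decode_base64_pem(value):
    """Decode value as base64 or base64url; return the text only if it is PEM."""
    compact = "".join(value.split())                # tolerate wrapped/indented input
    padded = compact + "=" * (-len(compact) % 4)    # base64url often omits padding
    for altchars in (None, b"-_"):                  # standard alphabet, then URL-safe
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.lstrip().startswith(PEM_MARKER):
            return text
    return None


def classify(value):
    """Classify a *_cert / *_cert_key value: sentinel, path, pem or base64.

    Decoding is the last step, so a sentinel such as "system" or an existing
    path is never subjected to a spurious base64 decode.
    """
    if value in SENTINELS:
        return "sentinel", value
    if os.path.exists(value):
        return "path", value
    if value.lstrip().startswith(PEM_MARKER):
        return "pem", value
    decoded = _decode_base64_pem(value)
    if decoded is not None:
        return "base64", decoded
    raise ValueError("value is neither a path, PEM content nor base64-encoded PEM")


def materialize(name, value, directory):
    """Return a usable path, writing inline content to a 0600 file when needed."""
    kind, content = classify(value)
    if kind in ("sentinel", "path"):
        return content
    path = os.path.join(directory, f"{name}.pem")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # enforce even if the file pre-existed with a wider mode
    return path


def demo():
    """Run the flow on constructed inputs and return the results for checking."""
    env = {"CERT": SAMPLE_PEM,                        # plain content in an env var
           "KONG_SSL_CERT": "{vault://env/cert}",     # reference resolved via env vault
           "KONG_SSL_CERT_KEY": SAMPLE_B64URL}        # base64url-encoded content
    workdir = tempfile.mkdtemp(prefix="kong-certs-")
    cert_path = materialize("ssl_cert", resolve_env_reference(env["KONG_SSL_CERT"], env), workdir)
    key_path = materialize("ssl_cert_key", resolve_env_reference(env["KONG_SSL_CERT_KEY"], env), workdir)
    with open(cert_path) as fh:
        cert_text = fh.read()
    with open(key_path) as fh:
        key_text = fh.read()
    return {
        "cert_text": cert_text,
        "key_text": key_text,
        "key_mode": stat.S_IMODE(os.stat(key_path).st_mode),
        "system_kept": classify("system"),
        "path_kept": classify(workdir),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=", val)
```

The ordering in `classify` is the point the commit notes make: checking the sentinel and the path before attempting base64 means a value like `system` is never "decoded" into garbage, and writing decoded keys with mode 0600 keeps the on-disk copy as restricted as the environment variable it came from.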
@bungle bungle force-pushed the feat/conf-certs-env-and-vaults branch from fd0df1e to f87af24 Compare October 4, 2022 10:57
Member Author

@bungle bungle left a comment

LGTM, cannot approve this as I originally opened it.

@yzyyi

yzyyi commented Oct 4, 2022

Would you also cherry-pick this to EE for parity? Thanks.

@bungle bungle merged commit 5648024 into master Oct 4, 2022
@bungle bungle deleted the feat/conf-certs-env-and-vaults branch October 4, 2022 15:29
locao pushed a commit that referenced this pull request Jun 21, 2024
…group is absent (#9253)

Cherry-picked from #13024

Fix #13014, https://konghq.atlassian.net/browse/KAG-4474

Co-authored-by: hulk <hulk.website@gmail.com>
Co-authored-by: Xumin <100666470+StarlightIbuki@users.noreply.github.com>
Co-authored-by: Chrono <chronolaw@gmail.com>
Co-authored-by: Mikołaj Nowak <mikolaj.nowak93@gmail.com>
Co-authored-by: xumin <xumin.zhou@konghq.com>
4 participants