Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(conf): allow *_cert and *_cert_key to be stored in environment variables and vaults #9253

Merged
merged 7 commits into from
Oct 4, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,14 @@

## Unreleased

### Additions

#### Core
- Allow `kong.conf` ssl properties to be stored in vaults or environment
variables. Allow such properties to be configured directly as content
or base64 encoded content.
[#9253](https://github.com/Kong/kong/pull/9253)

### Fixes

#### Core
Expand Down
88 changes: 66 additions & 22 deletions kong.conf.default
Original file line number Diff line number Diff line change
Expand Up @@ -261,7 +261,7 @@
# DP node, but issued by a cluster-wide
# common CA certificate: `cluster_ca_cert`.

#cluster_cert = # Filename of the cluster certificate to use
#cluster_cert = # Cluster certificate to use
# when establishing secure communication
# between control and data plane nodes.
# You can use the `kong hybrid` command to
Expand All @@ -270,8 +270,14 @@
# for all nodes. Under `pki` mode it
# should be a different certificate for each
# DP node.
#
# The certificate can be configured on this
# property with either of the following values:
# * absolute path to the certificate
# * certificate content
# * base64 encoded certificate content
bungle marked this conversation as resolved.
Show resolved Hide resolved

#cluster_cert_key = # Filename of the cluster certificate key to
#cluster_cert_key = # Cluster certificate key to
# use when establishing secure communication
# between control and data plane nodes.
# You can use the `kong hybrid` command to
Expand All @@ -280,6 +286,12 @@
# for all nodes. Under `pki` mode it
# should be a different certificate for each
# DP node.
#
# The certificate key can be configured on this
# property with either of the following values:
# * absolute path to the certificate key
# * certificate key content
# * base64 encoded certificate key content

#cluster_ca_cert = # The trusted CA certificate file in PEM
# format used for Control Plane to verify
Expand All @@ -294,6 +306,12 @@
#
# This field is ignored if `cluster_mtls` is
# set to `shared`.
#
# The certificate can be configured on this property
# with either of the following values:
# * absolute path to the certificate
# * certificate content
# * base64 encoded certificate content

#------------------------------------------------------------------------------
# HYBRID MODE DATA PLANE
Expand Down Expand Up @@ -654,8 +672,9 @@

#ssl_dhparam = # Defines DH parameters for DHE ciphers from the
# predefined groups: `ffdhe2048`, `ffdhe3072`,
# `ffdhe4096`, `ffdhe6144`, `ffdhe8192`, or
# from the absolute path to a parameters file.
# `ffdhe4096`, `ffdhe6144`, `ffdhe8192`,
# from the absolute path to a parameters file, or
# directly from the parameters content.
#
# This value is ignored if `ssl_cipher_suite`
# is `modern` or `intermediate`. The reason is
Expand All @@ -680,8 +699,7 @@
#
# See http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout

#ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `proxy_listen` values with TLS enabled.
#ssl_cert = # Comma-separated list of certificates for `proxy_listen` values with TLS enabled.
#
# If more than one certificates are specified, it can be used to provide
# alternate type of certificate (for example, ECC certificate) that will be served
Expand All @@ -692,9 +710,14 @@
# Unless this option is explicitly set, Kong will auto-generate
# a pair of default certificates (RSA + ECC) first time it starts up and use
# it for serving TLS requests.
#
# Certificates can be configured on this property with either of the following
# values:
# * absolute path to the certificate
# * certificate content
# * base64 encoded certificate content

#ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `proxy_listen` values with TLS enabled.
#ssl_cert_key = # Comma-separated list of keys for `proxy_listen` values with TLS enabled.
#
# If more than one certificate was specified for `ssl_cert`, then this
# option should contain the corresponding key for all certificates
Expand All @@ -703,40 +726,54 @@
# Unless this option is explicitly set, Kong will auto-generate
# a pair of default private keys (RSA + ECC) first time it starts up and use
# it for serving TLS requests.
#
# Keys can be configured on this property with either of the following
# values:
# * absolute path to the certificate key
# * certificate key content
# * base64 encoded certificate key content

#client_ssl = off # Determines if Nginx should attempt to send client-side
# TLS certificates and perform Mutual TLS Authentication
# with upstream service when proxying requests.

#client_ssl_cert = # If `client_ssl` is enabled, the absolute
# path to the client certificate for the `proxy_ssl_certificate` directive.
#client_ssl_cert = # If `client_ssl` is enabled, the client certificate
# for the `proxy_ssl_certificate` directive.
#
# This value can be overwritten dynamically with the `client_certificate`
# attribute of the `Service` object.
#
# The certificate can be configured on this property with either of the following
# values:
# * absolute path to the certificate
# * certificate content
# * base64 encoded certificate content

#client_ssl_cert_key = # If `client_ssl` is enabled, the absolute
# path to the client TLS key for the `proxy_ssl_certificate_key` directive.
#client_ssl_cert_key = # If `client_ssl` is enabled, the client TLS key
# for the `proxy_ssl_certificate_key` directive.
#
# This value can be overwritten dynamically with the `client_certificate`
# attribute of the `Service` object.
#
# The certificate key can be configured on this property with either of the following
# values:
# * absolute path to the certificate key
# * certificate key content
# * base64 encoded certificate key content

#admin_ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `admin_listen` values with TLS enabled.
#admin_ssl_cert = # Comma-separated list of certificates for `admin_listen` values with TLS enabled.
#
# See docs for `ssl_cert` for detailed usage.

#admin_ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `admin_listen` values with TLS enabled.
#admin_ssl_cert_key = # Comma-separated list of keys for `admin_listen` values with TLS enabled.
#
# See docs for `ssl_cert_key` for detailed usage.

#status_ssl_cert = # Comma-separated list of the absolute path to the certificates for
# `status_listen` values with TLS enabled.
#status_ssl_cert = # Comma-separated list of certificates for `status_listen` values with TLS enabled.
#
# See docs for `ssl_cert` for detailed usage.

#status_ssl_cert_key = # Comma-separated list of the absolute path to the keys for
# `status_listen` values with TLS enabled.
#status_ssl_cert_key = # Comma-separated list of keys for `status_listen` values with TLS enabled.
#
# See docs for `ssl_cert_key` for detailed usage.

Expand Down Expand Up @@ -1492,8 +1529,8 @@
# https://github.com/openresty/lua-nginx-module


#lua_ssl_trusted_certificate = system # Comma-separated list of paths to certificate
# authority files for Lua cosockets in PEM format.
#lua_ssl_trusted_certificate = system # Comma-separated list of certificate authorities
# for Lua cosockets in PEM format.
#
# The special value `system` attempts to search for the
# "usual default" provided by each distro, according
Expand All @@ -1515,6 +1552,13 @@
# are enabled, these certificate authority files will be
# used for verifying Kong's database connections.
#
# Certificates can be configured on this property
# with either of the following values:
# * `system`
# * absolute path to the certificate
# * certificate content
# * base64 encoded certificate content
#
# See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate

#lua_ssl_verify_depth = 1 # Sets the verification depth in the server
Expand Down
Loading