This is an automated email from the ASF dual-hosted git repository.

spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new c0a46e9a7 feat(deployment): support mTLS in traditional mode (#7331)
c0a46e9a7 is described below

commit c0a46e9a796a07f0521cffd1a9ea49a7448a2409
Author: 罗泽轩 <[email protected]>
AuthorDate: Thu Jun 30 10:06:33 2022 +0800

    feat(deployment): support mTLS in traditional mode (#7331)
    
    Signed-off-by: spacewander <[email protected]>
---
 apisix/cli/file.lua                  |  7 +++++
 apisix/cli/snippet.lua               | 16 +++++++++++
 t/cli/test_deployment_traditional.sh | 53 ++++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+)

diff --git a/apisix/cli/file.lua b/apisix/cli/file.lua
index 66600b54b..9c528005e 100644
--- a/apisix/cli/file.lua
+++ b/apisix/cli/file.lua
@@ -251,6 +251,13 @@ function _M.read_yaml_conf(apisix_home)
         end
     end
 
+    if default_conf.deployment
+        and default_conf.deployment.role == "traditional"
+        and default_conf.deployment.etcd
+    then
+        default_conf.etcd = default_conf.deployment.etcd
+    end
+
     return default_conf
 end
 
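Review bot: The new assignment `default_conf.etcd = default_conf.deployment.etcd` silently replaces any top-level `etcd` section that is also present in config.yaml, and it does so regardless of `role_traditional.config_provider`, so a stale top-level block (for example one still pointing at a plaintext endpoint) is dropped with no warning to the operator. If that precedence is intended, state it above the `if`: `-- traditional mode: deployment.etcd is authoritative and overrides any top-level etcd section`; if it is not, consider raising an error when both sections are configured rather than picking one silently. I cannot see whether the schema rejects the combination elsewhere. The enclosing `read_yaml_conf` starts outside this hunk.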
diff --git a/apisix/cli/snippet.lua b/apisix/cli/snippet.lua
index 24fa7e915..bfaf973a0 100644
--- a/apisix/cli/snippet.lua
+++ b/apisix/cli/snippet.lua
@@ -15,6 +15,7 @@
 -- limitations under the License.
 --
 local template = require("resty.template")
+local pl_path = require("pl.path")
 local ipairs = ipairs
 
 
@@ -77,6 +78,10 @@ function _M.generate_conf_server(env, conf)
             proxy_ssl_name $upstream_host;
             {% end %}
             proxy_ssl_protocols TLSv1.2 TLSv1.3;
+            {% if client_cert then %}
+            proxy_ssl_certificate {* client_cert *};
+            proxy_ssl_certificate_key {* client_cert_key *};
+            {% end %}
             {% else %}
             proxy_pass http://apisix_conf_backend;
             {% end %}
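Review bot: The certificate paths are interpolated unquoted with `{* client_cert *}`, so a path containing whitespace or `;` yields an nginx configuration that fails `nginx -t` or changes the directive boundaries; quoting them, `proxy_ssl_certificate "{* client_cert *}";` and `proxy_ssl_certificate_key "{* client_cert_key *}";`, is cheap and the paths originate from the operator's config so this is robustness rather than an injection concern. Separately, nothing in this hunk enables `proxy_ssl_verify`; if it is not emitted elsewhere in the template, the gateway presents a client certificate to an etcd endpoint whose identity it never checks, and a `proxy_ssl_verify on;` plus `proxy_ssl_trusted_certificate` pair gated on `etcd.tls.verify` would close that. The enclosing `generate_conf_server` begins before this hunk.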
@@ -92,10 +97,21 @@ function _M.generate_conf_server(env, conf)
         }
     }
     ]])
+
+    local tls = etcd.tls
+    local client_cert
+    local client_cert_key
+    if tls and tls.cert then
+        client_cert = pl_path.abspath(tls.cert)
+        client_cert_key = pl_path.abspath(tls.key)
+    end
+
     return conf_render({
         sni = etcd.tls and etcd.tls.sni,
         enable_https = enable_https,
         home = env.apisix_home or ".",
+        client_cert = client_cert,
+        client_cert_key = client_cert_key,
     })
 end
 
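Review bot: The guard `if tls and tls.cert then` only checks the certificate, so a config with `tls.cert` but no `tls.key` reaches `pl_path.abspath(tls.key)` with nil and fails with an assertion from penlight rather than a message naming the missing field, unless the config schema already enforces the pair elsewhere, which I cannot see from here. Resolving the paths with `pl_path.abspath` also anchors relative paths to the process's current directory rather than `env.apisix_home`, so `t/certs/mtls_client.crt` in the test works only because `make run` is invoked from the repository root; passing `env.apisix_home` as the `pwd` argument would tie them to the install directory when that value is absolute. Suggested shape of the block:
```lua
local tls = etcd.tls
local client_cert
local client_cert_key
if tls and (tls.cert or tls.key) then
    if not (tls.cert and tls.key) then
        error("etcd.tls.cert and etcd.tls.key must be configured together")
    end
    -- resolve relative to the APISIX home rather than the caller's cwd
    client_cert = pl_path.abspath(tls.cert, env.apisix_home)
    client_cert_key = pl_path.abspath(tls.key, env.apisix_home)
end
-- … unchanged: conf_render call …
```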
diff --git a/t/cli/test_deployment_traditional.sh 
b/t/cli/test_deployment_traditional.sh
index 895675118..6a89ca0a6 100755
--- a/t/cli/test_deployment_traditional.sh
+++ b/t/cli/test_deployment_traditional.sh
@@ -104,6 +104,7 @@ deployment:
 
 make run
 sleep 1
+make stop
 
 if grep '\[error\]' logs/error.log; then
     echo "failed: could not connect to etcd with stream enabled"
@@ -131,3 +132,55 @@ if ! echo "$out" | grep 'all nodes in the etcd cluster 
should enable/disable TLS
 fi
 
 echo "passed: validate etcd host"
+
+# The 'admin.apisix.dev' is injected by ci/common.sh@set_coredns
+
+# etcd mTLS verify
+echo '
+deployment:
+    role: traditional
+    role_traditional:
+        config_provider: etcd
+    etcd:
+        host:
+            - "https://admin.apisix.dev:22379";
+        prefix: "/apisix"
+        tls:
+            cert: t/certs/mtls_client.crt
+            key: t/certs/mtls_client.key
+            verify: false
+  ' > conf/config.yaml
+
+make run
+sleep 1
+
+code=$(curl -o /dev/null -s -w %{http_code} 
http://127.0.0.1:9080/apisix/admin/routes -H 'X-API-KEY: 
edd1c9f034335f136f87ad84b625c8f1')
+make stop
+
+if [ ! $code -eq 200 ]; then
+    echo "failed: could not work when mTLS is enabled"
+    exit 1
+fi
+
+echo "passed: etcd enables mTLS successfully"
+
+echo '
+deployment:
+    role: traditional
+    role_traditional:
+        config_provider: etcd
+    etcd:
+        host:
+            - "https://admin.apisix.dev:22379";
+        prefix: "/apisix"
+        tls:
+            verify: false
+  ' > conf/config.yaml
+
+out=$(make init 2>&1 || echo "ouch")
+if ! echo "$out" | grep "bad certificate"; then
+    echo "failed: apisix should echo \"bad certificate\""
+    exit 1
+fi
+
+echo "passed: certificate verify fail expectedly"
