Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: set default value of ssl_trusted_certificate to system #11993

Open
wants to merge 25 commits into
base: master
Choose a base branch
from
+19 −61
Open

feat: set default value of ssl_trusted_certificate to system #11993

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
541ebd6
feat: use "system" as default when ssl_trusted_certificate not passed
Revolyssup Feb 25, 2025
3e8ba20
set in schema
Revolyssup Feb 25, 2025
04be7b3
update config example
Revolyssup Feb 25, 2025
58287b9
create combined file path if doesnt exist
Revolyssup Feb 25, 2025
b75a794
fix lint
Revolyssup Feb 25, 2025
b7c2140
lowercase
Revolyssup Feb 25, 2025
5877450
add ssl_trusted_combined in apisix.home
Revolyssup Feb 25, 2025
b4b8919
remove cli test
Revolyssup Feb 25, 2025
1bc7c63
modify test
Revolyssup Feb 25, 2025
d67727e
Merge branch 'master' of github.com:apache/apisix into revolyssup/sys…
Revolyssup Feb 25, 2025
0829c9e
set in config.lua
Revolyssup Feb 27, 2025
34c342c
Merge branch 'revolyssup/system-default-cert' of github.com:Revolyssu…
Revolyssup Feb 27, 2025
3f43726
fix
Revolyssup Feb 27, 2025
a26d8dc
Merge branch 'revolyssup/system-default-cert' of github.com:Revolyssu…
Revolyssup Feb 27, 2025
b760859
revert cli test
Revolyssup Feb 27, 2025
c55c860
apply suggestion
Revolyssup Feb 28, 2025
24de38f
Merge branch 'revolyssup/system-default-cert' of github.com:Revolyssu…
Revolyssup Feb 28, 2025
c3f3210
fix lint
Revolyssup Feb 28, 2025
9da0380
Merge branch 'master' of github.com:apache/apisix into revolyssup/sys…
Revolyssup Mar 5, 2025
300f399
remove combined_path
Revolyssup Mar 5, 2025
6aca366
fix litn
Revolyssup Mar 5, 2025
58be71b
remove unwanted test
Revolyssup Mar 5, 2025
10d6526
remove system
Revolyssup Mar 5, 2025
e9aadc6
remove redundant check
Revolyssup Mar 6, 2025
e1a3374
apply suggestions
Revolyssup Mar 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion apisix/cli/config.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,8 @@ local _M = {
"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
}, ":"),
ssl_session_tickets = false
ssl_session_tickets = false,
ssl_trusted_certificate = "system"
},
enable_control = true,
disable_sync_configuration_during_start = false,
Expand Down
46 changes: 15 additions & 31 deletions apisix/cli/ops.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,6 @@ local str_find = string.find
local str_byte = string.byte
local str_sub = string.sub
local str_format = string.format
local string = string
local table = table


local _M = {}
Expand Down Expand Up @@ -503,38 +501,24 @@ Please modify "admin_key" in conf/config.yaml .
yaml_conf.apisix.ssl.listen = ssl_listen
yaml_conf.apisix.enable_http3_in_server_context = enable_http3_in_server_context


if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
local cert_paths = {}
local ssl_certificates = yaml_conf.apisix.ssl.ssl_trusted_certificate
for cert_path in string.gmatch(ssl_certificates, '([^,]+)') do
cert_path = util.trim(cert_path)
if cert_path == "system" then
local trusted_certs_path, err = util.get_system_trusted_certs_filepath()
if not trusted_certs_path then
util.die(err)
end
table.insert(cert_paths, trusted_certs_path)
else
-- During validation, the path is relative to PWD
-- When Nginx starts, the path is relative to conf
-- Therefore we need to check the absolute version instead
cert_path = pl_path.abspath(cert_path)
if not pl_path.exists(cert_path) then
util.die("certificate path", cert_path, "doesn't exist\n")
end

table.insert(cert_paths, cert_path)
end
if yaml_conf.apisix.ssl.ssl_trusted_certificate == "system" then
local trusted_certs_path, err = util.get_system_trusted_certs_filepath()
if not trusted_certs_path then
util.die(err)
end

local combined_cert_filepath = yaml_conf.apisix.ssl.ssl_trusted_combined_path
or "/usr/local/apisix/conf/ssl_trusted_combined.pem"
util.gen_trusted_certs_combined_file(combined_cert_filepath, cert_paths)

yaml_conf.apisix.ssl.ssl_trusted_certificate = combined_cert_filepath
yaml_conf.apisix.ssl.ssl_trusted_certificate = trusted_certs_path
else
-- During validation, the path is relative to PWD
-- When Nginx starts, the path is relative to conf
-- Therefore we need to check the absolute version instead
local cert_path = pl_path.abspath(yaml_conf.apisix.ssl.ssl_trusted_certificate)
if not pl_path.exists(cert_path) then
util.die("certificate path", cert_path, "doesn't exist\n")
end
yaml_conf.apisix.ssl.ssl_trusted_certificate = cert_path
end


-- enable ssl with place holder crt&key
yaml_conf.apisix.ssl.ssl_cert = "cert/ssl_PLACE_HOLDER.crt"
yaml_conf.apisix.ssl.ssl_cert_key = "cert/ssl_PLACE_HOLDER.key"
Expand Down
3 changes: 0 additions & 3 deletions apisix/cli/schema.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -209,9 +209,6 @@ local config_schema = {
ssl_trusted_certificate = {
type = "string",
Copy link
Contributor

@bzp2010 bzp2010 Mar 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also need to set system to the json schema default?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think if we add it to apisix/cli/config.lua. Its fine to not add this here.

Copy link
Contributor

@bzp2010 bzp2010 Mar 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although we don't need it to fill with default values, as a specification it should fit the status quo.
I still recommend adding it so that we can explore the feasibility of generating documents for it in the future.

},
ssl_trusted_combined_path = {
type = "string",
},
listen = {
type = "array",
items = {
Expand Down
4 changes: 1 addition & 3 deletions conf/config.yaml.example
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,9 +99,7 @@ apisix:
# - ip: 127.0.0.3 # If not set, default to `0.0.0.0`.
# port: 9445
# enable_http3: true
ssl_trusted_combined_path: /usr/local/apisix/conf/ssl_trusted_combined.pem # All the trusted certificates will be combined into a single file
#ssl_trusted_certificate: system # Specifies comma separated list of trusted CA. Value can be either "system"(for using system available ca certs) or
# a file path with trusted CA certificates in the PEM format
#ssl_trusted_certificate: system # Specifies a file path with trusted CA certificates in the PEM format. The default value is "system".
ssl_protocols: TLSv1.2 TLSv1.3 # TLS versions supported.
ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_session_tickets: false # If true, session tickets are used for SSL/TLS connections.
Expand Down
20 changes: 0 additions & 20 deletions t/cli/test_stream_config.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,26 +74,6 @@ fi

echo "passed: enable stream proxy and http proxy"

echo "
apisix:
ssl:
ssl_trusted_certificate: t/certs/mtls_ca.crt
ssl_trusted_combined_path: t/certs/mtls_ca_combined.crt
proxy_mode: http&stream
stream_proxy:
tcp:
- addr: 9100
" > conf/config.yaml

make init

if ! grep "t/certs/mtls_ca_combined.crt;" conf/nginx.conf > /dev/null; then
echo "failed: failed to set trust certificate"
exit 1
fi

echo "passed: set trust certificate"

echo "
apisix:
proxy_mode: http&stream
Expand Down
2 changes: 1 addition & 1 deletion t/cli/test_upstream_mtls.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,7 @@ echo "passed: when proxy_ssl_verify is enabled and ssl_trusted_certificate is wr
echo '
apisix:
ssl:
ssl_trusted_certificate: system, t/certs/apisix.crt
ssl_trusted_certificate: t/certs/apisix.crt
nginx_config:
http_configuration_snippet: |
server {
Expand Down
2 changes: 0 additions & 2 deletions t/core/config_etcd.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,8 +59,6 @@ qr/(connection refused){1,}/
--- yaml_config
apisix:
node_listen: 1984
ssl:
ssl_trusted_combined_path: t/servroot/conf/cert/etcd.pem
deployment:
role: traditional
role_traditional:
Expand Down
Loading