From 5864a3dbe5dd6b7a48de273393ef6bea4989eeff Mon Sep 17 00:00:00 2001
From: Wangchong Zhou
Date: Tue, 14 Sep 2021 21:23:18 +0800
Subject: [PATCH] chore(acme) sync upstream features including Vault K8S auth and preferred (#7647) chain selection
---
 kong/plugins/acme/client.lua | 3 ++-
 kong/plugins/acme/handler.lua | 16 ++++++++--------
 ...ockspec => kong-plugin-acme-0.3.0-1.rockspec} | 6 +++---
 kong/plugins/acme/schema.lua | 8 ++++++++
 4 files changed, 21 insertions(+), 12 deletions(-)
 rename kong/plugins/acme/{kong-plugin-acme-0.2.14-1.rockspec => kong-plugin-acme-0.3.0-1.rockspec} (93%)
diff --git a/kong/plugins/acme/client.lua b/kong/plugins/acme/client.lua
index bf12ae1486e4..644799bb13ad 100644
--- a/kong/plugins/acme/client.lua
+++ b/kong/plugins/acme/client.lua
@@ -121,7 +121,8 @@ local function new(conf)
 " seconds for ACME challenges to propogate")
 ngx.sleep(wait)
 return true
- end or nil
+ end or nil,
+ preferred_chain = conf.preferred_chain,
 })
 end
diff --git a/kong/plugins/acme/handler.lua b/kong/plugins/acme/handler.lua
index 180371c9b745..93c66bc358f5 100644
--- a/kong/plugins/acme/handler.lua
+++ b/kong/plugins/acme/handler.lua
@@ -7,13 +7,13 @@ local acme_challenge_path = [[^/\.well-known/acme-challenge/(.+)]]
 -- cache for dummy cert kong generated (it's a table)
 local default_cert_key
-local LetsencryptHandler = {}
+local ACMEHandler = {}
 -- this has to be higher than auth plugins,
 -- otherwise acme-challenges endpoints may be blocked by auth plugins
 -- causing validation failures
-LetsencryptHandler.PRIORITY = 1007
-LetsencryptHandler.VERSION = "0.2.14"
+ACMEHandler.PRIORITY = 1007
+ACMEHandler.VERSION = "0.3.0"
 local function build_domain_matcher(domains)
 local domains_plain = {}
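Review bot: The new `preferred_chain = conf.preferred_chain,` entry is passed straight into the lua-resty-acme options table with nothing saying what value it expects or what an unset value does, which matters because this choice decides which issuer chain (and therefore which root) clients must trust. Per lua-resty-acme's documentation the value is matched against the issuer name of the alternate chains the CA offers and an unset value keeps the library's default; I would record that in place, e.g. `-- preferred_chain: issuer name of the chain to pick when the CA offers alternates; nil keeps the library default`, confirming the exact matching rule against the pinned lua-resty-acme ~> 0.7. The enclosing `new(conf)` function starts before this hunk.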
@@ -50,15 +50,15 @@ local function build_domain_matcher(domains)
 end
 -- expose it for use in api.lua
-LetsencryptHandler.build_domain_matcher = build_domain_matcher
+ACMEHandler.build_domain_matcher = build_domain_matcher
-function LetsencryptHandler:init_worker()
+function ACMEHandler:init_worker()
 local worker_id = ngx.worker.id()
 kong.log.info("acme renew timer started on worker ", worker_id)
 ngx.timer.every(86400, client.renew_certificate)
 end
-function LetsencryptHandler:certificate(conf)
+function ACMEHandler:certificate(conf)
 -- we can't check for Host header in this phase
 local host, err = ngx_ssl.server_name()
 if err then
@@ -148,7 +148,7 @@ function LetsencryptHandler:certificate(conf)
 end
 -- access phase is to terminate the http-01 challenge request if necessary
-function LetsencryptHandler:access(conf)
+function ACMEHandler:access(conf)
 local protocol = kong.client.get_protocol()
@@ -192,4 +192,4 @@ function LetsencryptHandler:access(conf)
 end
-return LetsencryptHandler
+return ACMEHandler
diff --git a/kong/plugins/acme/kong-plugin-acme-0.2.14-1.rockspec b/kong/plugins/acme/kong-plugin-acme-0.3.0-1.rockspec
similarity index 93%
rename from kong/plugins/acme/kong-plugin-acme-0.2.14-1.rockspec
rename to kong/plugins/acme/kong-plugin-acme-0.3.0-1.rockspec
index 64ec9858b6e0..6adbc8e5ca4c 100644
--- a/kong/plugins/acme/kong-plugin-acme-0.2.14-1.rockspec
+++ b/kong/plugins/acme/kong-plugin-acme-0.3.0-1.rockspec
@@ -1,8 +1,8 @@
 package = "kong-plugin-acme"
-version = "0.2.14-1"
+version = "0.3.0-1"
 source = {
 url = "git+https://github.com/Kong/kong-plugin-acme.git",
- tag = "0.2.14",
+ tag = "0.3.0",
 }
 description = {
 homepage = "https://github.com/Kong/kong-plugin-acme",
@@ -24,5 +24,5 @@ build = {
 }
 dependencies = {
 --"kong >= 1.2.0",
- "lua-resty-acme ~> 0.6"
+ "lua-resty-acme ~> 0.7"
 }
diff --git a/kong/plugins/acme/schema.lua b/kong/plugins/acme/schema.lua
index ce4540a110f2..0861e909ba8b 100644
--- a/kong/plugins/acme/schema.lua
+++ b/kong/plugins/acme/schema.lua
@@ -41,6 +41,11 @@ local VAULT_STORAGE_SCHEMA = {
 { token = { type = "string", }, },
 { tls_verify = { type = "boolean", default = true, }, },
 { tls_server_name = { type = "string" }, },
+ -- TODO: add default = "token", one_of = { "token", "kubernetes" } in 2.8 or 3.0
+ { auth_method = { type = "string" } },
+ { auth_path = { type = "string" }, },
+ { auth_role = { type = "string" }, },
+ { jwt_path = { type = "string" }, },
 }
 local schema = {
@@ -102,6 +107,9 @@ local schema = { { vault = { type = "record", fields = VAULT_STORAGE_SCHEMA, } }, }, }, }, }, }, + { preferred_chain = { + type = "string", + }, }, }, }, }, },
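Review bot: `auth_method` is declared as a free-form string, so a misspelt or unsupported value passes schema validation and, as far as I can tell from this hunk, would only surface later inside the Vault storage backend when a certificate is first requested or renewed, which is the worst moment to learn the config is wrong. The TODO defers both the default and the `one_of` together, but only the default carries compatibility weight; the allowed-values check is purely additive and could go in now as `{ auth_method = { type = "string", one_of = { "token", "kubernetes" } }, },`, provided Kong's `one_of` is skipped for an absent value as it is elsewhere in the schema (worth confirming). The same applies to `auth_path`, `auth_role` and `jwt_path`, which are only meaningful when `auth_method` is `"kubernetes"`; a short comment next to them saying so, and that `jwt_path` names a file the backend reads, would save the next reader a trip into the storage module. The enclosing `VAULT_STORAGE_SCHEMA` table starts before this hunk.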