feat(plugins/acme) sync upstream features including Vault K8S auth an…

…d preferred chain selection
Kong · Sep 2, 2021 · 955cbc4 · 955cbc4
1 parent d7d1cf9
commit 955cbc4
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 12 deletions.
diff --git a/kong/plugins/acme/client.lua b/kong/plugins/acme/client.lua
@@ -121,7 +121,8 @@ local function new(conf)
                     " seconds for ACME challenges to propogate")
       ngx.sleep(wait)
       return true
-    end or nil
+    end or nil,
+    preferred_chain = conf.preferred_chain,
   })
 end
 

diff --git a/kong/plugins/acme/handler.lua b/kong/plugins/acme/handler.lua
@@ -7,13 +7,13 @@ local acme_challenge_path = [[^/\.well-known/acme-challenge/(.+)]]
 -- cache for dummy cert kong generated (it's a table)
 local default_cert_key
 
-local LetsencryptHandler = {}
+local ACMEHandler = {}
 
 -- this has to be higher than auth plugins,
 -- otherwise acme-challenges endpoints may be blocked by auth plugins
 -- causing validation failures
-LetsencryptHandler.PRIORITY = 1007
-LetsencryptHandler.VERSION = "0.2.14"
+ACMEHandler.PRIORITY = 1007
+ACMEHandler.VERSION = "0.3.0"
 
 local function build_domain_matcher(domains)
   local domains_plain = {}
@@ -49,15 +49,15 @@ local function build_domain_matcher(domains)
 end
 
 -- expose it for use in api.lua
-LetsencryptHandler.build_domain_matcher = build_domain_matcher
+ACMEHandler.build_domain_matcher = build_domain_matcher
 
-function LetsencryptHandler:init_worker()
+function ACMEHandler:init_worker()
   local worker_id = ngx.worker.id()
   kong.log.info("acme renew timer started on worker ", worker_id)
   ngx.timer.every(86400, client.renew_certificate)
 end
 
-function LetsencryptHandler:certificate(conf)
+function ACMEHandler:certificate(conf)
   -- we can't check for Host header in this phase
   local host, err = ngx_ssl.server_name()
   if err then
@@ -147,7 +147,7 @@ function LetsencryptHandler:certificate(conf)
 end
 
 -- access phase is to terminate the http-01 challenge request if necessary
-function LetsencryptHandler:access(conf)
+function ACMEHandler:access(conf)
 
   local protocol = kong.client.get_protocol()
 
@@ -191,4 +191,4 @@ function LetsencryptHandler:access(conf)
 end
 
 
-return LetsencryptHandler
+return ACMEHandler
diff --git a/...s/acme/kong-plugin-acme-0.2.14-1.rockspec → ...ns/acme/kong-plugin-acme-0.3.0-1.rockspec b/...s/acme/kong-plugin-acme-0.2.14-1.rockspec → ...ns/acme/kong-plugin-acme-0.3.0-1.rockspec
@@ -1,8 +1,8 @@
 package = "kong-plugin-acme"
-version = "0.2.14-1"
+version = "0.3.0-1"
 source = {
    url = "git+https://github.com/Kong/kong-plugin-acme.git",
-   tag = "0.2.14",
+   tag = "0.3.0",
 }
 description = {
    homepage = "https://github.com/Kong/kong-plugin-acme",
@@ -24,5 +24,5 @@ build = {
 }
 dependencies = {
   --"kong >= 1.2.0",
-  "lua-resty-acme ~> 0.6"
+  "lua-resty-acme ~> 0.7"
 }
diff --git a/kong/plugins/acme/schema.lua b/kong/plugins/acme/schema.lua
@@ -41,6 +41,11 @@ local VAULT_STORAGE_SCHEMA = {
   { token = { type = "string", }, },
   { tls_verify = { type = "boolean", default = true, }, },
   { tls_server_name = { type = "string" }, },
+  -- TODO: add default = "token", one_of = { "token", "kubernetes" } in 2.8 or 3.0
+  { auth_method = { type = "string" } },
+  { auth_path =  { type = "string" }, },
+  { auth_role =  { type = "string" }, },
+  { jwt_path =  { type = "string" }, },
 }
 
 local schema = {
@@ -102,6 +107,9 @@ local schema = {
             { vault = { type = "record", fields = VAULT_STORAGE_SCHEMA, } },
           },
         }, },
+        { preferred_chain = {
+          type = "string",
+        }, },
       },
     }, },
   },