Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/10/26 10:35:05 UTC

[GitHub] [apisix] tokers opened a new pull request #2519: feature: support injecting lua_ssl_trusted_certificate.

tokers opened a new pull request #2519:
URL: https://github.com/apache/apisix/pull/2519


   ### What this PR does / why we need it:
   
   Support configuring `lua_ssl_trusted_certificate` in the configuration, so that one can use certs signed by their own CA for an external dependency of APISIX, like ETCD.
   
   This PR is necessary for the subsequent TLS for ETCD connection feature.
   
   ### Pre-submission checklist:
   
   * [x] Did you explain what problem this PR solves, or what new features have been added?
   * [ ] Have you added corresponding test cases?
   * [ ] Have you modified the corresponding document?
   * [x] Is this PR backward compatible?
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] moonming merged pull request #2519: feature: support injecting lua_ssl_trusted_certificate.

Posted by GitBox <gi...@apache.org>.
moonming merged pull request #2519:
URL: https://github.com/apache/apisix/pull/2519


   





[GitHub] [apisix] moonming commented on pull request #2519: feature: support injecting lua_ssl_trusted_certificate.

Posted by GitBox <gi...@apache.org>.
moonming commented on pull request #2519:
URL: https://github.com/apache/apisix/pull/2519#issuecomment-716531667


   Does this also work for Vault?





[GitHub] [apisix] tokers commented on a change in pull request #2519: feature: support injecting lua_ssl_trusted_certificate.

Posted by GitBox <gi...@apache.org>.
tokers commented on a change in pull request #2519:
URL: https://github.com/apache/apisix/pull/2519#discussion_r512378103



##########
File path: bin/apisix
##########
@@ -389,6 +389,10 @@ http {
         ssl_session_cache    shared:SSL:20m;
         ssl_session_timeout 10m;
 
+        {% if ssl.ssl_trusted_certificate ~= nil then %}
+        lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};
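Review bot: the `{% if ssl.ssl_trusted_certificate ~= nil then %}` guard only checks that the key is set, not that the value names a readable PEM file, so a placeholder such as the `/path/to/ca-cert` shown in the `conf/config-default.yaml` hunk would be rendered straight into `lua_ssl_trusted_certificate` and nginx would then fail to load the trust store at start-up instead of the error surfacing when the configuration is generated. Validate the path before rendering (exists, readable, contains at least one `CERTIFICATE` block) and fail with a message that names `ssl.ssl_trusted_certificate`. Two caveats worth a sentence in the docs alongside this directive: it only supplies the trust store, so the Lua client that talks to etcd or Vault must still ask for verification (`sslhandshake(..., verify = true)` on a cosocket, `ssl_verify = true` in the HTTP/etcd clients) or an untrusted certificate is accepted silently; and `lua_ssl_verify_depth` defaults to 1, so a CA file whose chain goes through an intermediate needs that raised too.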

Review comment:
       Added.







[GitHub] [apisix] tokers commented on pull request #2519: feature: support injecting lua_ssl_trusted_certificate.

Posted by GitBox <gi...@apache.org>.
tokers commented on pull request #2519:
URL: https://github.com/apache/apisix/pull/2519#issuecomment-716929152


   > Does this also work for Vault?
   
   Yes, actually for all the external services.





[GitHub] [apisix] spacewander commented on a change in pull request #2519: feature: support injecting lua_ssl_trusted_certificate.

Posted by GitBox <gi...@apache.org>.
spacewander commented on a change in pull request #2519:
URL: https://github.com/apache/apisix/pull/2519#discussion_r511967114



##########
File path: bin/apisix
##########
@@ -389,6 +389,10 @@ http {
         ssl_session_cache    shared:SSL:20m;
         ssl_session_timeout 10m;
 
+        {% if ssl.ssl_trusted_certificate ~= nil then %}
+        lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};

Review comment:
       Better to check if the certificate exists before generating the configuration.

##########
File path: conf/config-default.yaml
##########
@@ -101,6 +101,9 @@ apisix:
     enable: true
     enable_http2: true
     listen_port: 9443
+    ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format
+                                              # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
+                                              # with external services (e.g. ETCD)
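Review bot: `ssl_trusted_certificate: /path/to/ca-cert` is a live value rather than a commented-out sample, and since the `~= nil` test in the `bin/apisix` template only checks that the key is set, any deployment that takes this default without overriding it gets the placeholder rendered into nginx.conf. Comment the key out (or ship it unset) and keep the path in the comment as documentation only. The comment should also say that the file is PEM CA certificates only (no private keys) and that this is just the trust store, with verification still enabled on the client side; and lowercase `ETCD` to `etcd` as already noted.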

Review comment:
       ETCD => etcd




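The review above asks for the certificate to be checked before the directive is generated. The following is an added example of such a pre-flight check, written here in Python for illustration; it is not APISIX code (the project's `bin/apisix` renders an nginx template in Lua) and the function names `validate_trusted_ca` and `render_trusted_ca_directive`, the scratch-directory helpers, and the sample PEM are all assumptions of this example. The sample PEM wraps a minimal DER SEQUENCE so the structural checks have something to chew on; it is constructed here and is not a real CA certificate.

```python
"""Pre-flight validation of an `ssl_trusted_certificate` path before it is
rendered into `lua_ssl_trusted_certificate`.  Added example, not APISIX code."""
import base64
import os
import re
import tempfile

# One PEM block; the backreference forces the BEGIN and END labels to agree.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed sample: PEM armour around a minimal DER SEQUENCE (INTEGER 1).
# Enough for the structural checks below; NOT a real CA certificate.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)


def pem_blocks(text):
    """Return (label, base64 body) pairs for every PEM block in `text`."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def validate_trusted_ca(path):
    """Return a list of problems with the trust-store file; [] means usable.

    Checks what a bare `~= nil` test cannot see: the file exists and is
    readable, it is PEM text, it holds at least one CERTIFICATE block, each
    block decodes to a DER SEQUENCE, and no private key was bundled in.
    """
    if path is None:
        return ["ssl_trusted_certificate is not set"]
    if not os.path.isfile(path):
        return [f"{path}: no such file"]
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError as exc:
        return [f"{path}: not readable ({exc.strerror})"]
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return [f"{path}: not PEM text (DER or binary?)"]

    problems = []
    blocks = pem_blocks(text)
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if not certs:
        problems.append(f"{path}: no CERTIFICATE block found")
    for label, _ in blocks:
        if "PRIVATE KEY" in label:
            problems.append(
                f"{path}: contains a {label}; a trust store must hold only CA certificates"
            )
    for index, body in enumerate(certs, start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{path}: certificate #{index} is not valid base64")
            continue
        if not der or der[0] != 0x30:  # ASN.1 SEQUENCE tag
            problems.append(f"{path}: certificate #{index} is not a DER SEQUENCE")
    return problems


def render_trusted_ca_directive(ssl_conf):
    """Render the nginx directive as the template does, but only for a file
    that passes validate_trusted_ca(); raise otherwise so a bad path fails at
    config-generation time rather than at nginx start-up."""
    path = ssl_conf.get("ssl_trusted_certificate")
    if path is None:  # the same condition as `~= nil` in the template
        return ""
    problems = validate_trusted_ca(path)
    if problems:
        raise ValueError("ssl.ssl_trusted_certificate: " + "; ".join(problems))
    return f"lua_ssl_trusted_certificate {path};"


def make_scratch_dir():
    """Temporary directory for the sample files, so the demo runs offline."""
    return tempfile.mkdtemp(prefix="apisix-ca-check-")


def write_sample_file(directory, name, text):
    """Write `text` under `directory` and return the resulting path."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(text)
    return path


if __name__ == "__main__":
    scratch = make_scratch_dir()
    good = write_sample_file(scratch, "ca.pem", SAMPLE_CA_PEM)
    print(render_trusted_ca_directive({"ssl_trusted_certificate": good}))
    for conf in ({}, {"ssl_trusted_certificate": "/path/to/ca-cert"}):
        try:
            print(repr(render_trusted_ca_directive(conf)))
        except ValueError as exc:
            print("rejected:", exc)
```

The placeholder path from the config hunk is the interesting input: it is not `nil`, so the template's guard would let it through, while `validate_trusted_ca` rejects it with "no such file" before any nginx.conf is written. The private-key check is there because the trust store is read by every outbound TLS handshake and a key that ends up in it is one misconfiguration away from being served or logged.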



[GitHub] [apisix] tokers commented on a change in pull request #2519: feature: support injecting lua_ssl_trusted_certificate.

Posted by GitBox <gi...@apache.org>.
tokers commented on a change in pull request #2519:
URL: https://github.com/apache/apisix/pull/2519#discussion_r512371767



##########
File path: conf/config-default.yaml
##########
@@ -101,6 +101,9 @@ apisix:
     enable: true
     enable_http2: true
     listen_port: 9443
+    ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format
+                                              # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
+                                              # with external services (e.g. ETCD)

Review comment:
       Is this the conventional way in APISIX?

##########
File path: bin/apisix
##########
@@ -389,6 +389,10 @@ http {
         ssl_session_cache    shared:SSL:20m;
         ssl_session_timeout 10m;
 
+        {% if ssl.ssl_trusted_certificate ~= nil then %}
+        lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};

Review comment:
       OK



