fix: tlshandshake with the client cert and key
e1ijah1 committed Jan 21, 2023
1 parent 2125126 commit 9bca96e
Showing 4 changed files with 40 additions and 27 deletions.
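--- a/apisix/discovery/kubernetes/informer_factory.lua
+++ b/apisix/discovery/kubernetes/informer_factory.lua
@@ -22,6 +22,7 @@ local math = math
 local type = type
 local core = require("apisix.core")
 local http = require("resty.http")
+local patch = require("apisix.patch")
 
 if not http.tls_handshake then
 error("Bad http library. Should use api7-lua-resty-http instead")
@@ -49,15 +50,18 @@ end
 
 
 local function list(httpc, apiserver, informer)
+local headers = {
+["Host"] = apiserver.host .. ":" .. apiserver.port,
+["Accept"] = "application/json",
+["Connection"] = "keep-alive"
+}
+if apiserver.token ~= "" then
+headers["Authorization"] = "Bearer " .. apiserver.token
+end
 local response, err = httpc:request({
 path = informer.path,
 query = list_query(informer),
-headers = {
-["Host"] = apiserver.host .. ":" .. apiserver.port,
-["Authorization"] = "Bearer " .. apiserver.token,
-["Accept"] = "application/json",
-["Connection"] = "keep-alive"
-}
+headers = headers
 })
 
 core.log.info("--raw=", informer.path, "?", list_query(informer))
@@ -279,10 +283,12 @@ local function list_watch(informer, apiserver)
 port = apiserver.port,
 ssl_verify = apiserver.ssl_verify,
 }
-if apiserver.schema == "https" and apiserver.certificate ~= "" and apiserver.key ~= "" then
-opt.ssl_cert_path = apiserver.certificate
+if apiserver.schema == "https" and apiserver.cert ~= "" and apiserver.key ~= "" then
+opt.ssl_cert_path = apiserver.cert
 opt.ssl_key_path = apiserver.key
 opt.ssl_server_name = apiserver.host
+-- replace tcp socket of http client to support mtls
+httpc.sock = patch.lua_tcp_socket()
 end
 ok, message = httpc:connect(opt)
 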
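Review bot: The socket swap `httpc.sock = patch.lua_tcp_socket()` in list_watch replaces the cosocket the resty.http client created with whatever patch.lua's luasocket_tcp() returns; if that socket is LuaSocket-backed (blocking), every list/watch request in the cert/key path would block the worker instead of yielding, and any timeout the client applied to the original socket would need re-applying to the new one before `httpc:connect(opt)`. Both are inferences — patch.lua and the rest of the connect logic are outside this hunk — so please confirm the replacement socket is usable in the phases where list_watch runs. The one-line comment should also say why the swap is needed, e.g. `-- replace the cosocket with the patched socket: the stock resty.http cosocket cannot present a client cert/key in the TLS handshake`. list_watch starts and ends outside the hunk.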
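--- a/apisix/discovery/kubernetes/init.lua
+++ b/apisix/discovery/kubernetes/init.lua
@@ -270,31 +270,22 @@ local function get_apiserver(conf)
 if err then
 return nil, err
 end
-elseif conf.client.certificate and conf.client.key then
-apiserver.certificate, err = read_env(conf.client.certificate)
+elseif conf.client.cert_file and conf.client.key_file then
+apiserver.cert, err = read_env(conf.client.cert_file)
 if err then
 return nil, err
 end
-apiserver.key, err = read_env(conf.client.key)
+apiserver.key, err = read_env(conf.client.key_file)
 if err then
 return nil, err
 end
 else
-return nil, "one of [client.token,client.token_file, (client.certificate, client.key)] should be set but none"
+return nil, "one of [client.token,client.token_file,(client.cert_file,client.key_file)] should be set but none"
 end
 
 apiserver.ssl_verify = false
 if conf.client.ssl_verify then
-apiserver.ssl_verify, err = read_env(conf.client.ssl_verify)
-if err then
-return nil, err
-end
-if apiserver.ssl_verify ~= "true" and apiserver.ssl_verify ~= "false" then
-return nil, "client.ssl_verify should be set to one of [true,false] but " .. apiserver.ssl_verify
-end
-if apiserver.ssl_verify == "true" then
-apiserver.ssl_verify = true
-end
+apiserver.ssl_verify = conf.client.ssl_verify
 end
 
 -- remove possible extra whitespace
@@ -303,8 +294,8 @@ local function get_apiserver(conf)
 apiserver.key = apiserver.key:gsub("%s+", "")
 
 if apiserver.schema == "https" then
-if (apiserver.token == "" or apiserver.certificate == "" or apiserver.key == "") then
-return nil, "apiserver.token or (apiserver.certificate and apiserver.key) should set to non-empty string when service.schema is https"
+if apiserver.token == "" and (apiserver.cert == "" or apiserver.key == "") then
+return nil, "apiserver.token or (apiserver.cert and apiserver.key) should set to non-empty string when service.schema is https"
 end
 end
 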
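Review bot: The cert branch stores whatever read_env(conf.client.cert_file) and read_env(conf.client.key_file) return without checking that the paths are readable, so a mistyped cert_file only surfaces later as a TLS handshake failure inside list_watch rather than as a configuration error from get_apiserver, whereas the token_file branch just above the hunk presumably reads its file up front. If read_env returns the path unchanged (the value is later handed to ssl_cert_path in informer_factory.lua), a cheap early check is `local fd = io.open(apiserver.cert, "r")` / `if not fd then return nil, "client.cert_file is not readable: " .. apiserver.cert end` / `fd:close()`, repeated for the key. The new `apiserver.cert` field also deserves a comment since the name suggests PEM content: `-- cert/key hold file paths (passed to ssl_cert_path/ssl_key_path), not PEM data`. get_apiserver starts before and ends after this hunk.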
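--- a/apisix/discovery/kubernetes/schema.lua
+++ b/apisix/discovery/kubernetes/schema.lua
@@ -41,13 +41,18 @@ local token_schema = {
 oneOf = token_patterns,
 }
 
-local token_file_schema = {
+local file_schema = {
 type = "string",
 pattern = [[^[^\:*?"<>|]*$]],
 minLength = 1,
 maxLength = 500,
 }
 
+local default_ssl_verify_schema = {
+type = "boolean",
+default = false,
+}
+
 local namespace_pattern = [[^[a-z0-9]([-a-z0-9_.]*[a-z0-9])?$]]
 
 local namespace_regex_pattern = [[^[\x21-\x7e]*$]]
@@ -135,7 +140,10 @@ return {
 type = "object",
 properties = {
 token = token_schema,
-token_file = token_file_schema,
+token_file = file_schema,
+cert_file = file_schema,
+key_file = file_schema,
+ssl_verify = default_ssl_verify_schema,
 },
 default = {
 token_file = "/var/run/secrets/kubernetes.io/serviceaccount/token"
@@ -145,6 +153,7 @@ return {
 anyOf = {
 { required = { "token" } },
 { required = { "token_file" } },
+{ required = { "cert_file", "key_file" } },
 }
 }
 },
@@ -191,11 +200,15 @@ return {
 type = "object",
 properties = {
 token = token_schema,
-token_file = token_file_schema,
+token_file = file_schema,
+cert_file = file_schema,
+key_file = file_schema,
+ssl_verify = default_ssl_verify_schema,
 },
 oneOf = {
 { required = { "token" } },
 { required = { "token_file" } },
+{ required = { "cert_file", "key_file" } },
 },
 },
 namespace_selector = namespace_selector_schema,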
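Review bot: `default_ssl_verify_schema` fixes `default = false`, and the visible plumbing (init.lua copies `conf.client.ssl_verify` into `apiserver.ssl_verify`, informer_factory.lua passes it to `httpc:connect`) means the apiserver's certificate is not verified unless the user opts in — including in the new cert_file/key_file mode, where the client proves its identity to a server it does not authenticate. Consider defaulting to `true` when cert_file/key_file are set or, if compatibility forbids that, documenting the choice on the schema, e.g. `-- default false: the apiserver certificate is NOT verified unless ssl_verify is set explicitly`. A smaller inconsistency: the first client schema combines the new `{ required = { "cert_file", "key_file" } }` alternative under `anyOf`, the second under `oneOf`, so a config that sets both token_file and cert_file/key_file validates in one place and fails in the other, while get_apiserver's token-then-elseif-cert logic tolerates both.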
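--- a/apisix/patch.lua
+++ b/apisix/patch.lua
@@ -380,5 +380,8 @@ function _M.patch()
 end
 end
 
+function _M.lua_tcp_socket()
+return luasocket_tcp()
+end
 
 return _M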
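Review bot: The newly exported `_M.lua_tcp_socket` has no doc comment, and since informer_factory.lua swaps its result into a resty.http client's `sock` field, callers need to know what kind of socket they receive (LuaSocket-backed or cosocket, blocking or not) and in which phases it may be used; `luasocket_tcp` is defined outside the hunk, so that cannot be confirmed from here. Suggest an LDoc header such as `--- Return a fresh TCP socket built by luasocket_tcp(), intended to replace a resty.http client's socket when a client certificate and key must be presented during the TLS handshake.`, plus one line stating whether it is safe to use outside the init phases.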
