diff --git a/changelog/unreleased/kong/services_certificate_support_grpcs.yml b/changelog/unreleased/kong/services_certificate_support_grpcs.yml new file mode 100644 index 000000000000..01f408ddc251 --- /dev/null +++ b/changelog/unreleased/kong/services_certificate_support_grpcs.yml @@ -0,0 +1,3 @@ +message: Added the service's certificate to support the `grpcs` protocol. +scope: Core +type: feature \ No newline at end of file diff --git a/kong/clustering/compat/checkers.lua b/kong/clustering/compat/checkers.lua index 331994009235..da1a6b2ad6d7 100644 --- a/kong/clustering/compat/checkers.lua +++ b/kong/clustering/compat/checkers.lua @@ -39,6 +39,38 @@ do end local compatible_checkers = { + { + 3009000000, -- [[ 3.9.0.0 ]] + function(config_table, dp_version, log_suffix) + -- remove tls_verify, ca_certificates, tls_verify_depth fields for core entity services + local config_services = config_table["services"] + + local has_update + for _, t in ipairs(config_services or {}) do + if t["protocol"] == "grpcs" then + if t["tls_verify"] or + t["tls_verify_depth"] or + t["ca_certificates"] then + t["tls_verify"] = nil + t["tls_verify_depth"] = nil + t["ca_certificates"] = nil + + has_update = true + + if has_update then + log_warn_message("grpcs protocol service contains configuration 'service.tls_verify'" .. + "or 'service.tls_verify_depth' or 'service.ca_certificates'", + "be removed", + dp_version, + log_suffix) + end + end + end + end + + return has_update + end + }, { 3008000000, --[[ 3.8.0.0 ]] function (config_table, dp_version, log_suffix) local has_update diff --git a/kong/db/schema/entities/services.lua b/kong/db/schema/entities/services.lua index 71a152e96973..f2faf03186ef 100644 --- a/kong/db/schema/entities/services.lua +++ b/kong/db/schema/entities/services.lua 
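Review bot: In the new 3.9.0.0 checker, the guard `if t["tls_verify"] or t["tls_verify_depth"] or t["ca_certificates"] then` tests truthiness, so a `grpcs` service whose only set field is `tls_verify = false` is not stripped. That value would still reach a pre-3.9 data plane, whose schema (the removed `not_one_of = {"https", "tls"}` lines in services.lua) presumably requires the field to be null for `grpcs`. Comparing each field with `~= nil` would cover this, assuming unset fields arrive as nil rather than a null sentinel. Stripping also means the older data plane proxies to the upstream without the certificate verification configured on the control plane, and the warning does not say so; it could end with something like `"upstream certificate verification will not be enforced on this data plane"`. In the same call the two concatenated literals join as `'service.tls_verify'or` (missing space), and `if has_update then` directly after `has_update = true` is always true and can be dropped.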
@@ -59,15 +59,15 @@ return { then_field = "client_certificate", then_match = { eq = null }}}, { conditional = { if_field = "protocol", - if_match = { not_one_of = {"https", "tls"} }, + if_match = { not_one_of = { "https", "tls", "grpcs" } }, then_field = "tls_verify", then_match = { eq = null }}}, { conditional = { if_field = "protocol", - if_match = { not_one_of = {"https", "tls"} }, + if_match = { not_one_of = { "https", "tls", "grpcs" } }, then_field = "tls_verify_depth", then_match = { eq = null }}}, { conditional = { if_field = "protocol", - if_match = { not_one_of = {"https", "tls"} }, + if_match = { not_one_of = { "https", "tls", "grpcs" } }, then_field = "ca_certificates", then_match = { eq = null }}}, }, diff --git a/spec/01-unit/01-db/01-schema/05-services_spec.lua b/spec/01-unit/01-db/01-schema/05-services_spec.lua index 85e823b527b7..6fe0d21f2965 100644 --- a/spec/01-unit/01-db/01-schema/05-services_spec.lua +++ b/spec/01-unit/01-db/01-schema/05-services_spec.lua @@ -579,6 +579,20 @@ describe("services", function() assert.is_true(ok) end) + it("'protocol' accepts 'grpcs' with tls_verify and ca_certificates", function() + local service = { + protocol = "grpcs", + host = "x.y", + port = 80, + enabled = true, + tls_verify = true, + ca_certificates = { "41f484e9-7888-495d-9283-1d4ce2168172" }, + } + local ok, err = Services:validate(service) + assert.is_nil(err) + assert.is_true(ok) + end) + it("if 'protocol = tcp/tls/udp/grpc/grpcs', then 'path' is empty", function() for _, v in ipairs({ "tcp", "tls", "udp", "grpc", "grpcs" }) do local service = {
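Review bot: Allowing `tls_verify`, `tls_verify_depth` and `ca_certificates` on `grpcs` in these three conditionals is only safe if the grpcs upstream path actually applies them. None of the visible hunks touches that path; it may already be handled elsewhere, but it is worth confirming. A service that validates with `tls_verify = true` and is then proxied without verification gives operators a false sense of protection. The three entries differ only in `then_field`, so a one-line comment above them such as `-- upstream TLS verification fields are only valid for TLS-capable protocols` would state the shared intent. The enclosing schema table starts and ends outside the hunk.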
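Review bot: The added spec case in 05-services_spec.lua pins only the accepting side of the schema change. Unless a case outside the hunk already covers it, a companion case with `protocol = "grpc"` and `tls_verify = true` that expects `assert.falsy(ok)` would confirm the plaintext protocol still rejects these fields. The case also sets `tls_verify` and `ca_certificates` but not `tls_verify_depth`, so the third relaxed conditional is untested; adding `tls_verify_depth = 1` to the service table would cover it.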