From a929eb0144afc30aa382406edf25ce229f60d1d8 Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Mon, 6 Nov 2023 15:36:53 +0800
Subject: [PATCH 01/12] feat(cp): add dp cert details support for exposing dataplane certificate expiry date to `/clustering/data-planes` endpoint
Fix: [FTI-5530](https://konghq.atlassian.net/browse/FTI-5530)
Signed-off-by: tzssangglass
---
 kong/clustering/control_plane.lua | 4 +-
 kong/clustering/tls.lua | 23 ++++
 kong/db/migrations/core/022_350_to_360.lua | 13 ++
 kong/db/migrations/core/init.lua | 1 +
 .../entities/clustering_data_planes.lua | 8 ++
 .../01-schema/13-cluster_status_spec.lua | 12 ++
 .../03-db/13-cluster_status_spec.lua | 26 ++++
 .../09-hybrid_mode/01-sync_spec.lua | 116 ++++++++++++++++++
 .../migrations/core/022_350_to_360_spec.lua | 7 ++
 9 files changed, 209 insertions(+), 1 deletion(-)
 create mode 100644 kong/db/migrations/core/022_350_to_360.lua
 create mode 100644 spec/05-migration/db/migrations/core/022_350_to_360_spec.lua
diff --git a/kong/clustering/control_plane.lua b/kong/clustering/control_plane.lua
index a2696f9a3eb..ca924eb3ed0 100644
--- a/kong/clustering/control_plane.lua
+++ b/kong/clustering/control_plane.lua
@@ -11,7 +11,7 @@ local compat = require("kong.clustering.compat")
 local constants = require("kong.constants")
 local events = require("kong.clustering.events")
 local calculate_config_hash = require("kong.clustering.config_helper").calculate_config_hash
-
+local extract_dp_cert = require("kong.clustering.tls").extract_dp_cert
 local string = string
 local setmetatable = setmetatable
@@ -220,6 +220,7 @@ function _M:handle_cp_websocket()
 return ngx_exit(ngx_CLOSE)
 end
+ local dp_cert_details = extract_dp_cert(ngx_var.ssl_client_raw_cert)
 local dp_plugins_map = plugins_list_to_map(data.plugins)
 local config_hash = DECLARATIVE_EMPTY_CONFIG_HASH -- initial hash
 local last_seen = ngx_time()
@@ -235,6 +236,7 @@ function _M:handle_cp_websocket()
 version = dp_version,
 sync_status = sync_status, -- TODO: import may have been failed though
 labels = data.labels,
+ cert_details = dp_cert_details,
 }, { ttl = purge_delay })
 if not ok then
 ngx_log(ngx_ERR, _log_prefix, "unable to update clustering data plane status: ", err, log_suffix)
diff --git a/kong/clustering/tls.lua b/kong/clustering/tls.lua
index 03e4f4205a9..83630336362 100644
--- a/kong/clustering/tls.lua
+++ b/kong/clustering/tls.lua
@@ -13,6 +13,8 @@ local constants = require("kong.constants")
 local ngx_log = ngx.log
 local WARN = ngx.WARN
+local tostring = tostring
+
 local OCSP_TIMEOUT = constants.CLUSTERING_OCSP_TIMEOUT
@@ -230,4 +232,25 @@ function tls.validate_client_cert(kong_config, cp_cert, dp_cert_pem)
 end
+--- Extract certificate details from the data plane certificate.
+---
+---@param dp_cert_pem string # data plane cert text
+---
+---@return table? cert_details # certificate details
+function tls.extract_dp_cert(dp_cert_pem)
+ local cert, err = openssl_x509.new(dp_cert_pem, "PEM")
+ if not cert then
+ return nil, "unable to load data plane client certificate during connection established: " .. err
+ end
+
+ local expiry_timestamp = cert:get_not_after()
+ -- values in cert_details must be strings
+ local cert_details = {
+ expiry_timestamp = expiry_timestamp,
+ }
+
+ return cert_details
+end
+
+
 return tls
diff --git a/kong/db/migrations/core/022_350_to_360.lua b/kong/db/migrations/core/022_350_to_360.lua
new file mode 100644
index 00000000000..364632a1cd5
--- /dev/null
+++ b/kong/db/migrations/core/022_350_to_360.lua
@@ -0,0 +1,13 @@
+return {
+ postgres = {
+ up = [[
+ DO $$
+ BEGIN
+ ALTER TABLE IF EXISTS ONLY "clustering_data_planes" ADD "cert_details" JSONB;
+ EXCEPTION WHEN DUPLICATE_COLUMN THEN
+ -- Do nothing, accept existing state
+ END;
+ $$;
+ ]]
+ }
+}
diff --git a/kong/db/migrations/core/init.lua b/kong/db/migrations/core/init.lua
index b61c1f698c7..b19a271ce7a 100644
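Review bot: The comment `-- values in cert_details must be strings` in the new tls.extract_dp_cert contradicts the value stored right under it: `cert:get_not_after()` yields a numeric Unix timestamp, which is what the schema (`typedefs.auto_timestamp_s`, later `type = "number", timestamp = true`) and the specs (`assert.equal(1897136778, ...)`) expect, so a maintainer following the comment and stringifying the value would break the field. Replace it with `-- expiry_timestamp is a Unix epoch in seconds, matching the timestamp field in the clustering_data_planes schema`. The same comment is carried unchanged into the control_plane.lua copies of extract_dp_cert in patches 06, 08 and 10. Separately, the `local tostring = tostring` added in the previous hunk of this file is never used by the new code and is not removed when extract_dp_cert is moved out of tls.lua in patch 06, so luacheck will flag an unused local there; drop that line.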
--- a/kong/db/migrations/core/init.lua
+++ b/kong/db/migrations/core/init.lua
@@ -19,4 +19,5 @@ return {
 "019_320_to_330",
 "020_330_to_340",
 "021_340_to_350",
+ "022_350_to_360",
 }
diff --git a/kong/db/schema/entities/clustering_data_planes.lua b/kong/db/schema/entities/clustering_data_planes.lua
index 7d85ecf9fec..abb6612b898 100644
--- a/kong/db/schema/entities/clustering_data_planes.lua
+++ b/kong/db/schema/entities/clustering_data_planes.lua
@@ -38,5 +38,13 @@ return {
 description = "Custom key value pairs as meta-data for DPs.",
 },
 },
+ { cert_details = {
+ type = "record",
+ fields = {
+ { expiry_timestamp = typedefs.auto_timestamp_s }
+ },
+ description = "Certificate details of the data plane.",
+ },
+ },
 },
 }
diff --git a/spec/01-unit/01-db/01-schema/13-cluster_status_spec.lua b/spec/01-unit/01-db/01-schema/13-cluster_status_spec.lua
index 81e621846eb..30f14671d2a 100644
--- a/spec/01-unit/01-db/01-schema/13-cluster_status_spec.lua
+++ b/spec/01-unit/01-db/01-schema/13-cluster_status_spec.lua
@@ -66,4 +66,16 @@ describe("plugins", function()
 assert.is_true(ok)
 assert.is_nil(err)
 end)
+
+ it("accepts cetr details", function()
+ local ok, err = validate({
+ ip = "127.0.0.1",
+ hostname = "dp.example.com",
+ cert_details = {
+ expiry_timestamp = 1897136778,
+ }
+ })
+ assert.is_true(ok)
+ assert.is_nil(err)
+ end)
 end)
diff --git a/spec/02-integration/03-db/13-cluster_status_spec.lua b/spec/02-integration/03-db/13-cluster_status_spec.lua
index f486b763ec3..d6faf9824ec 100644
--- a/spec/02-integration/03-db/13-cluster_status_spec.lua
+++ b/spec/02-integration/03-db/13-cluster_status_spec.lua
@@ -71,5 +71,31 @@ for _, strategy in helpers.each_strategy() do
 assert.is_nil(err)
 end)
 end)
+
+ describe("cert_details", function()
+ it(":upsert()", function()
+ local p, err = db.clustering_data_planes:upsert({ id = "eb51145a-aaaa-bbbb-cccc-22087fb081db", },
+ { config_hash = "a9a166c59873245db8f1a747ba9a80a7",
+ hostname = "localhost",
+ ip = "127.0.0.1",
+ cert_details = {
+ expiry_timestamp = 1897136778,
+ }
+ })
+
+ assert.is_truthy(p)
+ assert.is_nil(err)
+ end)
+
+ it(":update()", function()
+ -- this time update instead of insert
+ local p, err = db.clustering_data_planes:update({ id = "eb51145a-aaaa-bbbb-cccc-22087fb081db", },
+ { config_hash = "a9a166c59873245db8f1a747ba9a80a7",
+ cert_details = { expiry_timestamp = 1888983905, }
+ })
+ assert.is_truthy(p)
+ assert.is_nil(err)
+ end)
+ end)
 end) -- kong.db [strategy]
 end
diff --git a/spec/02-integration/09-hybrid_mode/01-sync_spec.lua b/spec/02-integration/09-hybrid_mode/01-sync_spec.lua
index d29f0fc614e..8647c3b4566 100644
--- a/spec/02-integration/09-hybrid_mode/01-sync_spec.lua
+++ b/spec/02-integration/09-hybrid_mode/01-sync_spec.lua
@@ -784,4 +784,120 @@ describe("CP/DP labels #" .. strategy, function()
 end)
 end)
+describe("CP/DP cert details(cluster_mtls = shared) #" .. strategy, function()
+ lazy_setup(function()
+ helpers.get_db_utils(strategy) -- runs migrations
+
+ assert(helpers.start_kong({
+ role = "control_plane",
+ cluster_cert = "spec/fixtures/kong_clustering.crt",
+ cluster_cert_key = "spec/fixtures/kong_clustering.key",
+ database = strategy,
+ db_update_frequency = 0.1,
+ cluster_listen = "127.0.0.1:9005",
+ nginx_conf = "spec/fixtures/custom_nginx.template",
+ }))
+
+ assert(helpers.start_kong({
+ role = "data_plane",
+ database = "off",
+ prefix = "servroot2",
+ cluster_cert = "spec/fixtures/kong_clustering.crt",
+ cluster_cert_key = "spec/fixtures/kong_clustering.key",
+ cluster_control_plane = "127.0.0.1:9005",
+ proxy_listen = "0.0.0.0:9002",
+ nginx_conf = "spec/fixtures/custom_nginx.template",
+ cluster_dp_labels="deployment:mycloud,region:us-east-1",
+ }))
+ end)
+
+ lazy_teardown(function()
+ helpers.stop_kong("servroot2")
+ helpers.stop_kong()
+ end)
+
+ describe("status API", function()
+ it("shows DP cert details", function()
+ helpers.wait_until(function()
+ local admin_client = helpers.admin_client()
+ finally(function()
+ admin_client:close()
+ end)
+
+ local res = assert(admin_client:get("/clustering/data-planes"))
+ local body = assert.res_status(200, res)
+ local json = cjson.decode(body)
+
+ for _, v in pairs(json.data) do
+ if v.ip == "127.0.0.1" then
+ assert.equal(1888983905, v.cert_details.expiry_timestamp)
+ return true
+ end
+ end
+ end, 3)
+ end)
+ end)
+end)
+
+describe("CP/DP cert details(cluster_mtls = pki) #" .. strategy, function()
+ lazy_setup(function()
+ helpers.get_db_utils(strategy) -- runs migrations
+
+ assert(helpers.start_kong({
+ role = "control_plane",
+ cluster_cert = "spec/fixtures/kong_clustering.crt",
+ cluster_cert_key = "spec/fixtures/kong_clustering.key",
+ db_update_frequency = 0.1,
+ database = strategy,
+ cluster_listen = "127.0.0.1:9005",
+ nginx_conf = "spec/fixtures/custom_nginx.template",
+ -- additional attributes for PKI:
+ cluster_mtls = "pki",
+ cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
+ }))
+
+ assert(helpers.start_kong({
+ role = "data_plane",
+ nginx_conf = "spec/fixtures/custom_nginx.template",
+ database = "off",
+ prefix = "servroot2",
+ cluster_cert = "spec/fixtures/kong_clustering_client.crt",
+ cluster_cert_key = "spec/fixtures/kong_clustering_client.key",
+ cluster_control_plane = "127.0.0.1:9005",
+ proxy_listen = "0.0.0.0:9002",
+ -- additional attributes for PKI:
+ cluster_mtls = "pki",
+ cluster_server_name = "kong_clustering",
+ cluster_ca_cert = "spec/fixtures/kong_clustering.crt",
+ }))
+ end)
+
+ lazy_teardown(function()
+ helpers.stop_kong("servroot2")
+ helpers.stop_kong()
+ end)
+
+ describe("status API", function()
+ it("shows DP cert details", function()
+ helpers.wait_until(function()
+ local admin_client = helpers.admin_client()
+ finally(function()
+ admin_client:close()
+ end)
+
+ local res = assert(admin_client:get("/clustering/data-planes"))
+ local body = assert.res_status(200, res)
+ local json = cjson.decode(body)
+
+ for _, v in pairs(json.data) do
+ if v.ip == "127.0.0.1" then
+ assert.equal(1897136778, v.cert_details.expiry_timestamp)
+ return true
+ end
+ end
+ end, 3)
+ end)
+ end)
+end)
+
 end
diff --git a/spec/05-migration/db/migrations/core/022_350_to_360_spec.lua b/spec/05-migration/db/migrations/core/022_350_to_360_spec.lua
new file mode 100644
index 00000000000..572d139140f
--- /dev/null
+++ b/spec/05-migration/db/migrations/core/022_350_to_360_spec.lua
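Review bot: The expected values `1888983905` and `1897136778` in the two `assert.equal` calls are bare magic numbers with nothing tying them to the certificates they come from; presumably they are the notAfter dates of `spec/fixtures/kong_clustering.crt` (the cert the DP presents in the shared case) and `spec/fixtures/kong_clustering_client.crt` (the pki case), so regenerating either fixture will fail these tests with no hint why. Add a comment above each assertion naming its source, e.g. `-- notAfter of spec/fixtures/kong_clustering_client.crt; update if the fixture is regenerated`, or read the fixture in the test and compute the expected value from it. The loop also returns nothing when no entry has `ip == "127.0.0.1"` or when `cert_details` is absent, so wait_until can only report a timeout; an `assert.is_table(v.cert_details)` before the equality gives a clearer failure when the field is missing.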
@@ -0,0 +1,7 @@
+local uh = require "spec/upgrade_helpers"
+
+describe("database migration", function()
+ uh.old_after_up("has created the expected new columns", function()
+ assert.table_has_column("clustering_data_planes", "cert_details", "jsonb")
+ end)
+end)
From 1f31244fbf7ae869f9e330d899998f5665933e11 Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Mon, 6 Nov 2023 15:54:17 +0800
Subject: [PATCH 02/12] add changelog
Signed-off-by: tzssangglass
---
 changelog/unreleased/kong/cp-expose-dp-cert-details.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelog/unreleased/kong/cp-expose-dp-cert-details.yml
diff --git a/changelog/unreleased/kong/cp-expose-dp-cert-details.yml b/changelog/unreleased/kong/cp-expose-dp-cert-details.yml
new file mode 100644
index 00000000000..21f3803cc82
--- /dev/null
+++ b/changelog/unreleased/kong/cp-expose-dp-cert-details.yml
@@ -0,0 +1,5 @@
+message: |
+ **Clustering**: Expose data plane certificate details on the control plane API.
+type: feature
+scope: Clustering
+
From b184c7996b9b86b017e1d8f0ea923511401ca0df Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Mon, 6 Nov 2023 18:11:52 +0800
Subject: [PATCH 03/12] add migration script to rockspec
Signed-off-by: tzssangglass
---
 kong-3.6.0-0.rockspec | 1 +
 1 file changed, 1 insertion(+)
diff --git a/kong-3.6.0-0.rockspec b/kong-3.6.0-0.rockspec
index fb706d21b57..6301320fd0a 100644
--- a/kong-3.6.0-0.rockspec
+++ b/kong-3.6.0-0.rockspec
@@ -271,6 +271,7 @@ build = {
 ["kong.db.migrations.core.019_320_to_330"] = "kong/db/migrations/core/019_320_to_330.lua",
 ["kong.db.migrations.core.020_330_to_340"] = "kong/db/migrations/core/020_330_to_340.lua",
 ["kong.db.migrations.core.021_340_to_350"] = "kong/db/migrations/core/021_340_to_350.lua",
+ ["kong.db.migrations.core.022_360_to_360"] = "kong/db/migrations/core/022_350_to_360.lua",
 ["kong.db.migrations.operations.200_to_210"] = "kong/db/migrations/operations/200_to_210.lua",
 ["kong.db.migrations.operations.212_to_213"] = "kong/db/migrations/operations/212_to_213.lua",
 ["kong.db.migrations.operations.280_to_300"] = "kong/db/migrations/operations/280_to_300.lua",
From b236139b2870198dc9353a5c4f391992dff5dcbc Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Mon, 6 Nov 2023 20:24:11 +0800
Subject: [PATCH 04/12] fix typo
Signed-off-by: tzssangglass
---
 kong-3.6.0-0.rockspec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kong-3.6.0-0.rockspec b/kong-3.6.0-0.rockspec
index e924e006785..6e35969df19 100644
--- a/kong-3.6.0-0.rockspec
+++ b/kong-3.6.0-0.rockspec
@@ -272,7 +272,7 @@ build = {
 ["kong.db.migrations.core.019_320_to_330"] = "kong/db/migrations/core/019_320_to_330.lua",
 ["kong.db.migrations.core.020_330_to_340"] = "kong/db/migrations/core/020_330_to_340.lua",
 ["kong.db.migrations.core.021_340_to_350"] = "kong/db/migrations/core/021_340_to_350.lua",
- ["kong.db.migrations.core.022_360_to_360"] = "kong/db/migrations/core/022_350_to_360.lua",
+ ["kong.db.migrations.core.022_350_to_360"] = "kong/db/migrations/core/022_350_to_360.lua",
 ["kong.db.migrations.operations.200_to_210"] = "kong/db/migrations/operations/200_to_210.lua",
 ["kong.db.migrations.operations.212_to_213"] = "kong/db/migrations/operations/212_to_213.lua",
 ["kong.db.migrations.operations.280_to_300"] = "kong/db/migrations/operations/280_to_300.lua",
From 32bc41115959b4603ead22eded88c7737ee352bf Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Wed, 8 Nov 2023 11:11:17 +0800
Subject: [PATCH 05/12] apply comments
Signed-off-by: tzssangglass
---
 spec/01-unit/19-hybrid/02-clustering_spec.lua | 8 +++++++-
 spec/02-integration/09-hybrid_mode/01-sync_spec.lua | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/spec/01-unit/19-hybrid/02-clustering_spec.lua b/spec/01-unit/19-hybrid/02-clustering_spec.lua
index f134aeab5af..97b7ddf1074 100644
--- a/spec/01-unit/19-hybrid/02-clustering_spec.lua
+++ b/spec/01-unit/19-hybrid/02-clustering_spec.lua
@@ -1,6 +1,7 @@
 local calculate_config_hash = require("kong.clustering.config_helper").calculate_config_hash
 local version = require("kong.clustering.compat.version")
-
+local extract_dp_cert = require("kong.clustering.tls").extract_dp_cert
+local ssl_fixtures = require "spec.fixtures.ssl"
 describe("kong.clustering.compat.version", function()
 it("correctly parses 3 or 4 digit version numbers", function()
@@ -288,5 +289,10 @@ describe("kong.clustering", function()
 end)
 end)
+ it("extract expiry_timestamp from dp cert ", function()
+ local dp_cert_details = extract_dp_cert(ssl_fixtures.cert)
+ assert.table(dp_cert_details)
+ assert.equal(10227738989, dp_cert_details.expiry_timestamp)
+ end)
 end)
 end)
diff --git a/spec/02-integration/09-hybrid_mode/01-sync_spec.lua b/spec/02-integration/09-hybrid_mode/01-sync_spec.lua
index 8647c3b4566..a27d02faf78 100644
--- a/spec/02-integration/09-hybrid_mode/01-sync_spec.lua
+++ b/spec/02-integration/09-hybrid_mode/01-sync_spec.lua
@@ -885,7 +885,7 @@ describe("CP/DP cert details(cluster_mtls = pki) #" .. strategy, function()
 admin_client:close()
 end)
- local res = assert(admin_client:get("/clustering/data-planes"))
+ local res = admin_client:get("/clustering/data-planes")
 local body = assert.res_status(200, res)
 local json = cjson.decode(body)
From beefe2c9fa497ccb1c36cadf16c1b9cc55706fdb Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Thu, 9 Nov 2023 14:56:12 +0800
Subject: [PATCH 06/12] apply comments
Signed-off-by: tzssangglass
---
 kong/clustering/control_plane.lua | 16 +++++++++++++---
 kong/clustering/init.lua | 6 +++---
 kong/clustering/tls.lua | 23 +----------------------
 3 files changed, 17 insertions(+), 28 deletions(-)
diff --git a/kong/clustering/control_plane.lua b/kong/clustering/control_plane.lua
index 2203fa1f683..f45353f4904 100644
--- a/kong/clustering/control_plane.lua
+++ b/kong/clustering/control_plane.lua
@@ -11,7 +11,6 @@ local compat = require("kong.clustering.compat")
 local constants = require("kong.constants")
 local events = require("kong.clustering.events")
 local calculate_config_hash = require("kong.clustering.config_helper").calculate_config_hash
-local extract_dp_cert = require("kong.clustering.tls").extract_dp_cert
 local string = string
@@ -78,6 +77,17 @@ local function is_timeout(err)
 end
+local function extract_dp_cert()
+ local expiry_timestamp = cert:get_not_after()
+ -- values in cert_details must be strings
+ local cert_details = {
+ expiry_timestamp = expiry_timestamp,
+ }
+
+ return cert_details
+end
+
+
 function _M.new(clustering)
 assert(type(clustering) == "table", "kong.clustering is not instantiated")
@@ -174,7 +184,7 @@ _M.check_version_compatibility = compat.check_version_compatibility
 _M.check_configuration_compatibility = compat.check_configuration_compatibility
-function _M:handle_cp_websocket()
+function _M:handle_cp_websocket(cert)
 local dp_id = ngx_var.arg_node_id
 local dp_hostname = ngx_var.arg_node_hostname
 local dp_ip = ngx_var.remote_addr
@@ -221,7 +231,7 @@ function _M:handle_cp_websocket()
 return ngx_exit(ngx_CLOSE)
 end
- local dp_cert_details = extract_dp_cert(ngx_var.ssl_client_raw_cert)
+ local dp_cert_details = extract_dp_cert(cert)
 local dp_plugins_map = plugins_list_to_map(data.plugins)
 local config_hash = DECLARATIVE_EMPTY_CONFIG_HASH -- initial hash
 local last_seen = ngx_time()
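Review bot: The new `cert` parameter of `_M:handle_cp_websocket(cert)` (hunk @@ -174) is neither documented nor checked, and the call `extract_dp_cert(cert)` in the last hunk dereferences it unconditionally through `cert:get_not_after()`, so any caller that still invokes `self.instance:handle_cp_websocket()` without the validated certificate fails with an attempt-to-index-nil error instead of a logged rejection; only the kong/clustering/init.lua call site in this commit passes it. Make the helper tolerant with `if not cert then return nil end` as its first line, which leaves `cert_details` unset rather than aborting the handshake, and document the parameter with `---@param cert table # validated data plane client certificate object, as returned by validate_client_cert`. The helper body in hunk @@ -78 also reads `cert` before it is declared as a parameter, which patch 07 corrects. handle_cp_websocket continues outside the hunk.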
diff --git a/kong/clustering/init.lua b/kong/clustering/init.lua
index a661a8c4eea..0d5570badd5 100644
--- a/kong/clustering/init.lua
+++ b/kong/clustering/init.lua
@@ -63,13 +63,13 @@ end
 function _M:handle_cp_websocket()
- local ok, err = self:validate_client_cert()
- if not ok then
+ local cert, err = self:validate_client_cert()
+ if not cert then
 ngx_log(ngx_ERR, _log_prefix, err)
 return ngx_exit(444)
 end
- return self.instance:handle_cp_websocket()
+ return self.instance:handle_cp_websocket(cert)
 end
diff --git a/kong/clustering/tls.lua b/kong/clustering/tls.lua
index 83630336362..e75a86d1b05 100644
--- a/kong/clustering/tls.lua
+++ b/kong/clustering/tls.lua
@@ -228,28 +228,7 @@ function tls.validate_client_cert(kong_config, cp_cert, dp_cert_pem)
 return nil, err
 end
- return true
-end
-
-
---- Extract certificate details from the data plane certificate.
----
----@param dp_cert_pem string # data plane cert text
----
----@return table? cert_details # certificate details
-function tls.extract_dp_cert(dp_cert_pem)
- local cert, err = openssl_x509.new(dp_cert_pem, "PEM")
- if not cert then
- return nil, "unable to load data plane client certificate during connection established: " .. err
- end
-
- local expiry_timestamp = cert:get_not_after()
- -- values in cert_details must be strings
- local cert_details = {
- expiry_timestamp = expiry_timestamp,
- }
-
- return cert_details
+ return cert
 end
From 7208352ebccf0b2b25900a56f1c0870a808dc122 Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Thu, 9 Nov 2023 14:57:00 +0800
Subject: [PATCH 07/12] chore
Signed-off-by: tzssangglass
---
 kong/clustering/control_plane.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kong/clustering/control_plane.lua b/kong/clustering/control_plane.lua
index f45353f4904..847c15c282a 100644
--- a/kong/clustering/control_plane.lua
+++ b/kong/clustering/control_plane.lua
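Review bot: `tls.validate_client_cert` now returns the certificate object `cert` on success instead of `true`, which changes the function's contract for every caller, not only the kong/clustering/init.lua site updated in the previous hunk; the function's header comment and any `---@return` annotation sit above this hunk, outside it, and should be updated so the documented return type matches. A one-line proposal: `---@return table? cert # the validated data plane certificate object on success, otherwise nil and an error message`. Where `cert` is assigned is also outside the hunk, so it is worth confirming it is the parsed x509 object rather than the PEM string before relying on `cert:get_not_after()` in control_plane.lua, and worth checking for any other caller that compares the result against `true`.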
@@ -77,7 +77,7 @@ local function is_timeout(err)
 end
-local function extract_dp_cert()
+local function extract_dp_cert(cert)
 local expiry_timestamp = cert:get_not_after()
 -- values in cert_details must be strings
 local cert_details = {
From 4c037d6d3766634d757fe0aa7bac425bea909ebb Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Fri, 10 Nov 2023 10:39:22 +0800
Subject: [PATCH 08/12] apply coments
Signed-off-by: tzssangglass
---
 kong/clustering/control_plane.lua | 2 +-
 kong/db/schema/entities/clustering_data_planes.lua | 2 +-
 spec/01-unit/01-db/01-schema/13-cluster_status_spec.lua | 2 +-
 spec/01-unit/19-hybrid/02-clustering_spec.lua | 7 -------
 4 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/kong/clustering/control_plane.lua b/kong/clustering/control_plane.lua
index 847c15c282a..fc6d4e94212 100644
--- a/kong/clustering/control_plane.lua
+++ b/kong/clustering/control_plane.lua
@@ -81,7 +81,7 @@ local function extract_dp_cert(cert)
 local expiry_timestamp = cert:get_not_after()
 -- values in cert_details must be strings
 local cert_details = {
- expiry_timestamp = expiry_timestamp,
+ expiry_timestamp = expiry_timestamp or "unknown",
 }
 return cert_details
diff --git a/kong/db/schema/entities/clustering_data_planes.lua b/kong/db/schema/entities/clustering_data_planes.lua
index abb6612b898..a98e3487d8a 100644
--- a/kong/db/schema/entities/clustering_data_planes.lua
+++ b/kong/db/schema/entities/clustering_data_planes.lua
@@ -43,7 +43,7 @@ return {
 fields = {
 { expiry_timestamp = typedefs.auto_timestamp_s }
 },
- description = "Certificate details of the data plane.",
+ description = "Certificate details of the DPs.",
 },
 },
 },
diff --git a/spec/01-unit/01-db/01-schema/13-cluster_status_spec.lua b/spec/01-unit/01-db/01-schema/13-cluster_status_spec.lua
index 30f14671d2a..b42f1ae5a8c 100644
--- a/spec/01-unit/01-db/01-schema/13-cluster_status_spec.lua
+++ b/spec/01-unit/01-db/01-schema/13-cluster_status_spec.lua
@@ -67,7 +67,7 @@ describe("plugins", function()
 assert.is_nil(err)
 end)
- it("accepts cetr details", function()
+ it("accepts cert details", function()
 local ok, err = validate({
 ip = "127.0.0.1",
 hostname = "dp.example.com",
diff --git a/spec/01-unit/19-hybrid/02-clustering_spec.lua b/spec/01-unit/19-hybrid/02-clustering_spec.lua
index 97b7ddf1074..d2d54f10d83 100644
--- a/spec/01-unit/19-hybrid/02-clustering_spec.lua
+++ b/spec/01-unit/19-hybrid/02-clustering_spec.lua
@@ -1,7 +1,5 @@
 local calculate_config_hash = require("kong.clustering.config_helper").calculate_config_hash
 local version = require("kong.clustering.compat.version")
-local extract_dp_cert = require("kong.clustering.tls").extract_dp_cert
-local ssl_fixtures = require "spec.fixtures.ssl"
 describe("kong.clustering.compat.version", function()
 it("correctly parses 3 or 4 digit version numbers", function()
@@ -289,10 +287,5 @@ describe("kong.clustering", function()
 end)
 end)
- it("extract expiry_timestamp from dp cert ", function()
- local dp_cert_details = extract_dp_cert(ssl_fixtures.cert)
- assert.table(dp_cert_details)
- assert.equal(10227738989, dp_cert_details.expiry_timestamp)
- end)
 end)
 end)
From 2c4b4e5f93c4ab9cf518f662e705cd33ed54bc58 Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Mon, 13 Nov 2023 16:40:35 +0800
Subject: [PATCH 09/12] apply comments
---
 kong/clustering/tls.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kong/clustering/tls.lua b/kong/clustering/tls.lua
index e75a86d1b05..cc528ff24d1 100644
--- a/kong/clustering/tls.lua
+++ b/kong/clustering/tls.lua
@@ -228,7 +228,7 @@ function tls.validate_client_cert(kong_config, cp_cert, dp_cert_pem)
 return nil, err
 end
- return cert
+ return cert, nil
 end
From 41b262c5d6c757366bc6ed07c9485029d3d9ee3f Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Wed, 15 Nov 2023 09:56:17 +0800
Subject: [PATCH 10/12] apply comments
Signed-off-by: tzssangglass
---
 kong/clustering/control_plane.lua | 2 +-
 kong/db/schema/entities/clustering_data_planes.lua | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kong/clustering/control_plane.lua b/kong/clustering/control_plane.lua
index fc6d4e94212..847c15c282a 100644
--- a/kong/clustering/control_plane.lua
+++ b/kong/clustering/control_plane.lua
@@ -81,7 +81,7 @@ local function extract_dp_cert(cert)
 local expiry_timestamp = cert:get_not_after()
 -- values in cert_details must be strings
 local cert_details = {
- expiry_timestamp = expiry_timestamp or "unknown",
+ expiry_timestamp = expiry_timestamp,
 }
 return cert_details
diff --git a/kong/db/schema/entities/clustering_data_planes.lua b/kong/db/schema/entities/clustering_data_planes.lua
index a98e3487d8a..fb1f43db099 100644
--- a/kong/db/schema/entities/clustering_data_planes.lua
+++ b/kong/db/schema/entities/clustering_data_planes.lua
@@ -41,7 +41,7 @@ return {
 { cert_details = {
 type = "record",
 fields = {
- { expiry_timestamp = typedefs.auto_timestamp_s }
+ { expiry_timestamp = { type = "number", timestamp = true, required = false } }
 },
 description = "Certificate details of the DPs.",
 },
From 2e8e1f97bc3023d1be266aef93bb202de1f66005 Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Thu, 16 Nov 2023 10:38:02 +0800
Subject: [PATCH 11/12] formatting
Signed-off-by: tzssangglass
---
 .../03-db/13-cluster_status_spec.lua | 39 +++++++++++++------
 1 file changed, 27 insertions(+), 12 deletions(-)
diff --git a/spec/02-integration/03-db/13-cluster_status_spec.lua b/spec/02-integration/03-db/13-cluster_status_spec.lua
index 8a0b5023e24..34ffbed2560 100644
--- a/spec/02-integration/03-db/13-cluster_status_spec.lua
+++ b/spec/02-integration/03-db/13-cluster_status_spec.lua
@@ -74,14 +74,20 @@ for _, strategy in helpers.each_strategy() do
 describe("cert_details", function()
 it(":upsert()", function()
- local p, err = db.clustering_data_planes:upsert({ id = "eb51145a-aaaa-bbbb-cccc-22087fb081db", },
- { config_hash = "a9a166c59873245db8f1a747ba9a80a7",
- hostname = "localhost",
- ip = "127.0.0.1",
- cert_details = {
- expiry_timestamp = 1897136778,
- }
- })
+ local p, err =
+ db.clustering_data_planes:upsert(
+ {
+ id = "eb51145a-aaaa-bbbb-cccc-22087fb081db",
+ },
+ {
+ config_hash = "a9a166c59873245db8f1a747ba9a80a7",
+ hostname = "localhost",
+ ip = "127.0.0.1",
+ cert_details = {
+ expiry_timestamp = 1897136778,
+ }
+ }
+ )
 assert.is_truthy(p)
 assert.is_nil(err)
@@ -89,10 +95,19 @@ for _, strategy in helpers.each_strategy() do
 it(":update()", function()
 -- this time update instead of insert
- local p, err = db.clustering_data_planes:update({ id = "eb51145a-aaaa-bbbb-cccc-22087fb081db", },
- { config_hash = "a9a166c59873245db8f1a747ba9a80a7",
- cert_details = { expiry_timestamp = 1888983905, }
- })
+ local p, err =
+ db.clustering_data_planes:update(
+ {
+ id = "eb51145a-aaaa-bbbb-cccc-22087fb081db",
+ },
+ {
+ config_hash = "a9a166c59873245db8f1a747ba9a80a7",
+ cert_details = {
+ expiry_timestamp = 1888983905,
+ }
+ }
+ )
+
 assert.is_truthy(p)
 assert.is_nil(err)
 end)
From 214bfa06590b1bb559501ae2430b65bd093418e3 Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Thu, 16 Nov 2023 16:05:28 +0800
Subject: [PATCH 12/12] update changelog
Signed-off-by: tzssangglass
---
 changelog/unreleased/kong/cp-expose-dp-cert-details.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog/unreleased/kong/cp-expose-dp-cert-details.yml b/changelog/unreleased/kong/cp-expose-dp-cert-details.yml
index 21f3803cc82..4863a932f1d 100644
--- a/changelog/unreleased/kong/cp-expose-dp-cert-details.yml
+++ b/changelog/unreleased/kong/cp-expose-dp-cert-details.yml
@@ -1,5 +1,5 @@
 message: |
- **Clustering**: Expose data plane certificate details on the control plane API.
+ **Clustering**: Expose data plane certificate expiry date on the control plane API.
 type: feature
 scope: Clustering