From 2d9c56f659fd83002b165df4090ab987a7fdfa84 Mon Sep 17 00:00:00 2001 From: Keery Nie Date: Fri, 29 Nov 2024 15:25:50 +0800 Subject: [PATCH] fix(vault): support array type config reference and multiple nginx subsystem (#13855) * fix(vault): allow arrays in conf loader to be referenced ### Summary The commit includes the following fix for vault: Fix the issue that array-type configuration's element cannot be referenced. conf_loader now supports iterate through array-like configuration field and deref the secrets one by one. Enable the vault to dereference secrets using partial SSL configurations, for example, lua_ssl_trusted_certificate=system, {vault://abc/def}. This is implemented especially for resty environments that execute the actual kong command, with the opts pre_cmd = true. Vault related functionalities can work normally by using valid partial configuration generated in the pre_cmd environment. This change does not have a separate changelog entry because it is part of the previous "array-type config vault ref" fix and is more inline with user's intuition. Fix the issue that vault reference cannot work well when multiple subsystems(http/stream) are enabled. The kong_processed_secrets environment variable/file are now generated by subsystems, so enabling multiple subsystem will generates multiple env var/secret file for storing vault deref result. * fix(vault): allow arrays in conf loader to be referenced (https://github.com/Kong/kong/pull/12672) * fix(*): special treatment for pre_cmd * fix(cmd): fix vault refs when both http and stream are enabled * tests(*): fix prepare cmd test * tests(*): add vault related cmd tests * docs(changelog): add changelog * test(*): try to fix test * fix(*): unsetenv unconditionally clean http/stream env --------- Signed-off-by: Aapo Talvensaari Co-authored-by: Aapo Talvensaari (cherry picked from commit bc0acea5bf266ab00476ed777f78cb0b1f47501d) --- .../kong/fix-vault-array-config.yml | 4 + .../kong/fix-vault-stream-subsystem.yml | 4 + kong/cmd/stop.lua | 2 +- kong/cmd/utils/inject_confs.lua | 4 +- kong/cmd/utils/nginx_signals.lua | 16 +- kong/cmd/utils/prefix_handler.lua | 108 +++++++----- kong/cmd/utils/process_secrets.lua | 3 +- kong/conf_loader/constants.lua | 1 + kong/conf_loader/init.lua | 155 +++++++++++++----- kong/conf_loader/parse.lua | 24 +-- kong/pdk/vault.lua | 1 + .../02-cmd/02-start_stop_spec.lua | 96 +++++++++++ .../02-integration/02-cmd/09-prepare_spec.lua | 82 ++++++++- .../02-integration/13-vaults/03-mock_spec.lua | 4 +- 14 files changed, 405 insertions(+), 99 deletions(-) create mode 100644 changelog/unreleased/kong/fix-vault-array-config.yml create mode 100644 changelog/unreleased/kong/fix-vault-stream-subsystem.yml diff --git a/changelog/unreleased/kong/fix-vault-array-config.yml b/changelog/unreleased/kong/fix-vault-array-config.yml new file mode 100644 index 00000000000..cb215508212 --- /dev/null +++ b/changelog/unreleased/kong/fix-vault-array-config.yml @@ -0,0 +1,4 @@ +message: | + **Vault**: Fixed an issue where array-like configuration fields cannot contain vault reference. +type: bugfix +scope: Core diff --git a/changelog/unreleased/kong/fix-vault-stream-subsystem.yml b/changelog/unreleased/kong/fix-vault-stream-subsystem.yml new file mode 100644 index 00000000000..2531ae785a9 --- /dev/null +++ b/changelog/unreleased/kong/fix-vault-stream-subsystem.yml @@ -0,0 +1,4 @@ +message: | + **Vault**: Fixed an issue where vault reference in kong configuration cannot be dereferenced when both http and stream subsystems are enabled. +type: bugfix +scope: Core diff --git a/kong/cmd/stop.lua b/kong/cmd/stop.lua index d31ff4f6882..0fe9df1a324 100644 --- a/kong/cmd/stop.lua +++ b/kong/cmd/stop.lua @@ -22,7 +22,7 @@ local function execute(args, opts) -- load /kong.conf containing running node's config local conf = assert(conf_loader(default_conf.kong_env, { prefix = args.prefix - })) + }, { stopping = true })) assert(nginx_signals.stop(conf)) if opts.quiet then diff --git a/kong/cmd/utils/inject_confs.lua b/kong/cmd/utils/inject_confs.lua index 90a478df3e4..16e4875098d 100644 --- a/kong/cmd/utils/inject_confs.lua +++ b/kong/cmd/utils/inject_confs.lua @@ -20,7 +20,9 @@ local function load_conf(args) if pl_path.exists(conf.kong_env) then -- load /kong.conf containing running node's config - conf = assert(conf_loader(conf.kong_env)) + conf = assert(conf_loader(conf.kong_env, { + prefix = conf.prefix + })) end -- make sure necessary files like `.ca_combined` exist diff --git a/kong/cmd/utils/nginx_signals.lua b/kong/cmd/utils/nginx_signals.lua index 80f3e8643a1..666973b4db7 100644 --- a/kong/cmd/utils/nginx_signals.lua +++ b/kong/cmd/utils/nginx_signals.lua @@ -84,13 +84,25 @@ local function set_process_secrets_env(kong_conf) return nil, err end - return C.setenv("KONG_PROCESS_SECRETS", secrets, 1) == 0 + local ok_sub_http + if kong_conf.role == "control_plane" or #kong_conf.proxy_listeners > 0 + or #kong_conf.admin_listeners > 0 or #kong_conf.status_listeners > 0 then + ok_sub_http = C.setenv("KONG_PROCESS_SECRETS_HTTP", secrets, 1) == 0 + end + + local ok_sub_stream + if #kong_conf.stream_listeners > 0 then + ok_sub_stream = C.setenv("KONG_PROCESS_SECRETS_STREAM", secrets, 1) == 0 + end + + return ok_sub_http or ok_sub_stream end local function unset_process_secrets_env(has_process_secrets) if has_process_secrets then - C.unsetenv("KONG_PROCESS_SECRETS") + C.unsetenv("KONG_PROCESS_SECRETS_HTTP") + C.unsetenv("KONG_PROCESS_SECRETS_STREAM") end end diff --git a/kong/cmd/utils/prefix_handler.lua b/kong/cmd/utils/prefix_handler.lua index 74268b139bb..a51f6d8d05d 100644 --- a/kong/cmd/utils/prefix_handler.lua +++ b/kong/cmd/utils/prefix_handler.lua @@ -28,6 +28,7 @@ local nginx_signals = require "kong.cmd.utils.nginx_signals" local strip = require("kong.tools.string").strip local split = require("kong.tools.string").split +local shallow_copy = require("kong.tools.table").shallow_copy local getmetatable = getmetatable @@ -373,40 +374,62 @@ local function write_env_file(path, data) return true end -local function write_process_secrets_file(path, data) - os.remove(path) +local function write_process_secrets_file(kong_conf, data) + local path = kong_conf.kong_process_secrets - local flags = bit.bor(system_constants.O_RDONLY(), - system_constants.O_CREAT()) + local function write_single_secret_file(path, data) + os.remove(path) - local mode = ffi.new("int", bit.bor(system_constants.S_IRUSR(), - system_constants.S_IWUSR())) + local flags = bit.bor(system_constants.O_RDONLY(), + system_constants.O_CREAT()) - local fd = ffi.C.open(path, flags, mode) - if fd < 0 then - local errno = ffi.errno() - return nil, "unable to open process secrets path " .. path .. " (" .. - ffi.string(ffi.C.strerror(errno)) .. ")" - end + local mode = ffi.new("int", bit.bor(system_constants.S_IRUSR(), + system_constants.S_IWUSR())) - local ok = ffi.C.close(fd) - if ok ~= 0 then - local errno = ffi.errno() - return nil, "failed to close fd (" .. - ffi.string(ffi.C.strerror(errno)) .. ")" - end + local fd = ffi.C.open(path, flags, mode) + if fd < 0 then + local errno = ffi.errno() + return nil, "unable to open process secrets path " .. path .. " (" .. + ffi.string(ffi.C.strerror(errno)) .. ")" + end - local file, err = io.open(path, "w+b") - if not file then - return nil, "unable to open process secrets path " .. path .. " (" .. err .. ")" - end + local ok = ffi.C.close(fd) + if ok ~= 0 then + local errno = ffi.errno() + return nil, "failed to close fd (" .. + ffi.string(ffi.C.strerror(errno)) .. ")" + end - local ok, err = file:write(data) + local file, err = io.open(path, "w+b") + if not file then + return nil, "unable to open process secrets path " .. path .. " (" .. err .. ")" + end - file:close() + local ok, err = file:write(data) - if not ok then - return nil, "unable to write process secrets path " .. path .. " (" .. err .. ")" + file:close() + + if not ok then + return nil, "unable to write process secrets path " .. path .. " (" .. err .. ")" + end + + return true + + end + + if kong_conf.role == "control_plane" or #kong_conf.proxy_listeners > 0 + or #kong_conf.admin_listeners > 0 or #kong_conf.status_listeners > 0 then + local ok, err = write_single_secret_file(path .. "_http", data) + if not ok then + return nil, err + end + end + + if #kong_conf.stream_listeners > 0 then + local ok, err = write_single_secret_file(path .. "_stream", data) + if not ok then + return nil, err + end end return true @@ -829,21 +852,32 @@ local function prepare_prefix(kong_config, nginx_custom_template_path, skip_writ "", } - local refs = kong_config["$refs"] - local has_refs = refs and type(refs) == "table" - - local secrets - if write_process_secrets and has_refs then - secrets = process_secrets.extract(kong_config) - end - local function quote_hash(s) return s:gsub("#", "\\#") end + local refs = kong_config["$refs"] + local has_refs = refs and type(refs) == "table" + local secrets = process_secrets.extract(kong_config) + for k, v in pairs(kong_config) do + -- do not output secrets in .kong_env if has_refs and refs[k] then - v = refs[k] + local ref = refs[k] + if type(ref) == "table" then + if type(v) ~= "table" then + v = { v } + else + v = shallow_copy(v) + end + + for i, r in pairs(ref) do + v[i] = r + end + + elseif ref then + v = ref + end end if type(v) == "table" then @@ -869,13 +903,13 @@ local function prepare_prefix(kong_config, nginx_custom_template_path, skip_writ prepare_prefixed_interface_dir("/usr/local/kong", "gui", kong_config) end - if secrets then + if secrets and write_process_secrets then secrets, err = process_secrets.serialize(secrets, kong_config.kong_env) if not secrets then return nil, err end - ok, err = write_process_secrets_file(kong_config.kong_process_secrets, secrets) + ok, err = write_process_secrets_file(kong_config, secrets) if not ok then return nil, err end diff --git a/kong/cmd/utils/process_secrets.lua b/kong/cmd/utils/process_secrets.lua index 85e54d15c93..e84aa79d476 100644 --- a/kong/cmd/utils/process_secrets.lua +++ b/kong/cmd/utils/process_secrets.lua @@ -11,6 +11,7 @@ local fmt = string.format local sub = string.sub local type = type local pairs = pairs +local shallow_copy = require("kong.tools.table").shallow_copy local CIPHER_ALG = "aes-256-gcm" @@ -64,7 +65,7 @@ local function extract(conf) local secrets = {} for k in pairs(refs) do - secrets[k] = conf[k] + secrets[k] = shallow_copy(conf[k]) end return secrets diff --git a/kong/conf_loader/constants.lua b/kong/conf_loader/constants.lua index ad3d4876ed7..8f1e734160c 100644 --- a/kong/conf_loader/constants.lua +++ b/kong/conf_loader/constants.lua @@ -591,6 +591,7 @@ local CONF_SENSITIVE = { admin_gui_ssl_cert_key = true, status_ssl_cert_key = true, debug_ssl_cert_key = true, + ["$refs"] = true, -- for internal use only, no need to log } diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua index b809821f167..56fb5827826 100644 --- a/kong/conf_loader/init.lua +++ b/kong/conf_loader/init.lua @@ -31,6 +31,7 @@ local sort = table.sort local find = string.find local gsub = string.gsub local lower = string.lower +local upper = string.upper local match = string.match local pairs = pairs local assert = assert @@ -314,7 +315,7 @@ local function load(path, custom_conf, opts) return nil, err end - for k, v in pairs(env_vars) do + for k in pairs(env_vars) do local kong_var = match(lower(k), "^kong_(.+)") if kong_var then -- the value will be read in `overrides()` @@ -361,7 +362,7 @@ local function load(path, custom_conf, opts) -- remove the unnecessary fields if we are still at the very early stage -- before executing the main `resty` cmd, i.e. still in `bin/kong` if opts.pre_cmd then - for k, v in pairs(conf) do + for k in pairs(conf) do if not conf_constants.CONF_BASIC[k] then conf[k] = nil end @@ -397,76 +398,146 @@ local function load(path, custom_conf, opts) loaded_vaults = setmetatable(vaults, conf_constants._NOP_TOSTRING_MT) - if get_phase() == "init" then - local secrets = getenv("KONG_PROCESS_SECRETS") - if secrets then - unsetenv("KONG_PROCESS_SECRETS") - - else - local path = pl_path.join(abspath(ngx.config.prefix()), unpack(conf_constants.PREFIX_PATHS.kong_process_secrets)) - if exists(path) then - secrets, err = pl_file.read(path, true) - pl_file.delete(path) - if not secrets then - return nil, fmt("failed to read process secrets file: %s", err) + -- collect references + local is_reference = require "kong.pdk.vault".is_reference + for k, v in pairs(conf) do + local typ = (conf_constants.CONF_PARSERS[k] or {}).typ + v = parse_value(v, typ == "array" and "array" or "string") + if typ == "array" then + local found + + for i, r in ipairs(v) do + if is_reference(r) then + found = true + if not refs then + refs = setmetatable({}, conf_constants._NOP_TOSTRING_MT) + end + if not refs[k] then + refs[k] = {} + end + refs[k][i] = r end end + + if found then + conf[k] = v + end + + elseif is_reference(v) then + if not refs then + refs = setmetatable({}, conf_constants._NOP_TOSTRING_MT) + end + refs[k] = v end + end - if secrets then - secrets, err = process_secrets.deserialize(secrets, path) + local prefix = abspath(conf.prefix or ngx.config.prefix()) + local secret_env + local secret_file + local secrets_env_var_name = upper("KONG_PROCESS_SECRETS_" .. ngx.config.subsystem) + local secrets = getenv(secrets_env_var_name) + if secrets then + secret_env = secrets_env_var_name + + else + local secrets_path = pl_path.join(prefix, unpack(conf_constants.PREFIX_PATHS.kong_process_secrets)) .. "_" .. ngx.config.subsystem + if exists(secrets_path) then + secrets, err = pl_file.read(secrets_path, true) if not secrets then - return nil, err + pl_file.delete(secrets_path) + return nil, fmt("failed to read process secrets file: %s", err) end + secret_file = secrets_path + end + end - for k, deref in pairs(secrets) do - local v = parse_value(conf[k], "string") - if refs then - refs[k] = v - else - refs = setmetatable({ [k] = v }, conf_constants._NOP_TOSTRING_MT) - end + if secrets then + local env_path = pl_path.join(prefix, unpack(conf_constants.PREFIX_PATHS.kong_env)) + secrets, err = process_secrets.deserialize(secrets, env_path) + if not secrets then + return nil, err + end + + for k, deref in pairs(secrets) do + conf[k] = deref + end + end - conf[k] = deref + if get_phase() == "init" then + if secrets then + if secret_env then + unsetenv(secret_env) + end + if secret_file then + pl_file.delete(secret_file) end end - else + elseif refs then local vault_conf = { loaded_vaults = loaded_vaults } for k, v in pairs(conf) do if sub(k, 1, 6) == "vault_" then vault_conf[k] = parse_value(v, "string") end end - local vault = require("kong.pdk.vault").new({ configuration = vault_conf }) - - for k, v in pairs(conf) do - v = parse_value(v, "string") - if vault.is_reference(v) then - if refs then - refs[k] = v - else - refs = setmetatable({ [k] = v }, conf_constants._NOP_TOSTRING_MT) + for k, v in pairs(refs) do + if type(v) == "table" then + for i, r in pairs(v) do + local deref, deref_err = vault.get(r) + if deref == nil or deref_err then + if opts.starting then + return nil, fmt("failed to dereference '%s': %s for config option '%s[%d]'", r, deref_err, k, i) + end + + -- not that fatal if resolving fails during stopping (e.g. missing environment variables) + if opts.stopping or opts.pre_cmd then + conf[k][i] = "_INVALID_VAULT_KONG_REFERENCE" + end + + else + conf[k][i] = deref + end end + else local deref, deref_err = vault.get(v) if deref == nil or deref_err then if opts.starting then return nil, fmt("failed to dereference '%s': %s for config option '%s'", v, deref_err, k) end + -- not that fatal if resolving fails during stopping (e.g. missing environment variables) + if opts.stopping or opts.pre_cmd then + conf[k] = "" + break + end + else conf[k] = deref end end end + + -- remove invalid references and leave valid ones for + -- pre_cmd or non-fatal stopping scenarios + -- this adds some robustness if the vault reference is + -- inside an array style config field and the config field + -- is also needed by vault, for example the `lua_ssl_trusted_certificate` + if opts.stopping or opts.pre_cmd then + for k, v in pairs(refs) do + if type(v) == "table" then + conf[k] = setmetatable(tablex.filter(conf[k], function(v) + return v ~= "_INVALID_VAULT_KONG_REFERENCE" + end), nil) + end + end + end end end -- validation local ok, err, errors = check_and_parse(conf, opts) - if not opts.starting then log.enable() end @@ -718,12 +789,14 @@ local function load(path, custom_conf, opts) local conf_arr = {} for k, v in pairs(conf) do - local to_print = v - if conf_constants.CONF_SENSITIVE[k] then - to_print = conf_constants.CONF_SENSITIVE_PLACEHOLDER - end + if k ~= "$refs" then + local to_print = v + if conf_constants.CONF_SENSITIVE[k] then + to_print = conf_constants.CONF_SENSITIVE_PLACEHOLDER + end - conf_arr[#conf_arr+1] = k .. " = " .. pl_pretty.write(to_print, "") + conf_arr[#conf_arr+1] = k .. " = " .. pl_pretty.write(to_print, "") + end end sort(conf_arr) diff --git a/kong/conf_loader/parse.lua b/kong/conf_loader/parse.lua index 198913c0a22..8495a4456f5 100644 --- a/kong/conf_loader/parse.lua +++ b/kong/conf_loader/parse.lua @@ -220,22 +220,24 @@ local function check_and_parse(conf, opts) local errors = {} for k, value in pairs(conf) do - local v_schema = conf_constants.CONF_PARSERS[k] or {} + if k ~= "$refs" then + local v_schema = conf_constants.CONF_PARSERS[k] or {} - value = parse_value(value, v_schema.typ) + value = parse_value(value, v_schema.typ) - local typ = v_schema.typ or "string" - if value and not conf_constants.TYP_CHECKS[typ](value) then - errors[#errors + 1] = fmt("%s is not a %s: '%s'", k, typ, - tostring(value)) + local typ = v_schema.typ or "string" + if value and not conf_constants.TYP_CHECKS[typ](value) then + errors[#errors + 1] = fmt("%s is not a %s: '%s'", k, typ, + tostring(value)) - elseif v_schema.enum and not tablex.find(v_schema.enum, value) then - errors[#errors + 1] = fmt("%s has an invalid value: '%s' (%s)", k, - tostring(value), concat(v_schema.enum, ", ")) + elseif v_schema.enum and not tablex.find(v_schema.enum, value) then + errors[#errors + 1] = fmt("%s has an invalid value: '%s' (%s)", k, + tostring(value), concat(v_schema.enum, ", ")) - end + end - conf[k] = value + conf[k] = value + end end --------------------- diff --git a/kong/pdk/vault.lua b/kong/pdk/vault.lua index ed7f421b45a..b7a1adff184 100644 --- a/kong/pdk/vault.lua +++ b/kong/pdk/vault.lua @@ -1707,6 +1707,7 @@ local function new(self) init_worker() end + --- -- Warmups vault caches from config. -- diff --git a/spec/02-integration/02-cmd/02-start_stop_spec.lua b/spec/02-integration/02-cmd/02-start_stop_spec.lua index 6f4a3c32d93..70d7a3bf546 100644 --- a/spec/02-integration/02-cmd/02-start_stop_spec.lua +++ b/spec/02-integration/02-cmd/02-start_stop_spec.lua @@ -1,6 +1,7 @@ local helpers = require "spec.helpers" local constants = require "kong.constants" local pl_file = require("pl.file") +local ssl_fixtures = require "spec.fixtures.ssl" local cjson = require "cjson" @@ -1255,5 +1256,100 @@ describe("kong start/stop #" .. strategy, function() end) end) + describe("start/stop with vault references ", function() + it("resolve array-like configuration", function () + helpers.clean_prefix(PREFIX) + helpers.clean_logfile() + helpers.setenv("PG_PASSWORD", "dummy") + helpers.setenv("CERT", ssl_fixtures.cert) + helpers.setenv("KEY", ssl_fixtures.key) + + finally(function() + helpers.unsetenv("PG_PASSWORD") + helpers.unsetenv("CERT") + helpers.unsetenv("KEY") + end) + + local _, stderr, stdout = assert(kong_exec("start", { + prefix = PREFIX, + database = TEST_CONF.database, + pg_password = "{vault://env/pg_password}", + pg_database = TEST_CONF.pg_database, + lua_ssl_trusted_certificate = "{vault://env/cert}, system", + ssl_cert_key = "{vault://env/key}", + ssl_cert = "{vault://env/cert}", + vaults = "env", + })) + + assert.not_matches("failed to dereference {vault://env/pg_password}", stderr, nil, true) + assert.not_matches("failed to dereference {vault://env/cert}", stderr, nil, true) + assert.not_matches("failed to dereference {vault://env/key}", stderr, nil, true) + assert.logfile().has.no.line("[warn]", true) + assert.logfile().has.no.line("bad value type", true) + assert.logfile().has.no.line("env/pg_password", true) + assert.logfile().has.no.line("env/cert", true) + assert.logfile().has.no.line("env/key", true) + assert.matches("Kong started", stdout, nil, true) + assert(kong_exec("stop", { + prefix = PREFIX, + })) + end) + + it("resolve secrets when both http and stream subsystem are enabled", function () + helpers.clean_prefix(PREFIX) + helpers.clean_logfile() + helpers.setenv("PG_PASSWORD", "dummy") + helpers.setenv("CERT", ssl_fixtures.cert) + helpers.setenv("KEY", ssl_fixtures.key) + helpers.setenv("CERT_ALT", ssl_fixtures.cert_alt) + helpers.setenv("KEY_ALT", ssl_fixtures.key_alt) + helpers.setenv("LOGLEVEL", "error") + + finally(function() + helpers.unsetenv("PG_PASSWORD") + helpers.unsetenv("CERT") + helpers.unsetenv("KEY") + helpers.unsetenv("LOGLEVEL") + end) + + local avail_port = helpers.get_available_port() + + local _, stderr, stdout = assert(kong_exec("start", { + prefix = PREFIX, + database = TEST_CONF.database, + pg_password = "{vault://env/pg_password}", + pg_database = TEST_CONF.pg_database, + loglevel = "{vault://env/loglevel}", + lua_ssl_trusted_certificate = "{vault://env/cert}, system", + ssl_cert_key = "{vault://env/key}, {vault://env/key_alt}", + ssl_cert = "{vault://env/cert}, {vault://env/cert_alt}", + vaults = "env", + stream_listen = "127.0.0.1:" .. avail_port .. " reuseport" + })) + + assert.not_matches("init_by_lua error", stderr, nil, true) + assert.not_matches("failed to dereference {vault://env/pg_password}", stderr, nil, true) + assert.not_matches("failed to dereference {vault://env/cert}", stderr, nil, true) + assert.not_matches("failed to dereference {vault://env/cert_alt}", stderr, nil, true) + assert.not_matches("failed to dereference {vault://env/key}", stderr, nil, true) + assert.not_matches("failed to dereference {vault://env/key_alt}", stderr, nil, true) + assert.not_matches("failed to dereference {vault://env/loglevel}", stderr, nil, true) + + assert.logfile().has.no.line("[warn]", true) + assert.logfile().has.no.line("bad value type", true) + assert.logfile().has.no.line("env/pg_password", true) + assert.logfile().has.no.line("env/cert", true) + assert.logfile().has.no.line("env/cert_alt", true) + assert.logfile().has.no.line("env/key", true) + assert.logfile().has.no.line("env/key_alt", true) + assert.logfile().has.no.line("env/loglevel", true) + + assert.matches("Kong started", stdout, nil, true) + assert(kong_exec("stop", { + prefix = PREFIX, + })) + end) + end) + end) end diff --git a/spec/02-integration/02-cmd/09-prepare_spec.lua b/spec/02-integration/02-cmd/09-prepare_spec.lua index 503b9c5b13c..98b687b7ab4 100644 --- a/spec/02-integration/02-cmd/09-prepare_spec.lua +++ b/spec/02-integration/02-cmd/09-prepare_spec.lua @@ -1,6 +1,7 @@ local helpers = require "spec.helpers" local signals = require "kong.cmd.utils.nginx_signals" local shell = require "resty.shell" +local ssl_fixtures = require "spec.fixtures.ssl" local fmt = string.format @@ -44,7 +45,7 @@ describe("kong prepare", function() })) assert.truthy(helpers.path.exists(TEST_PREFIX)) - local process_secrets = helpers.path.join(TEST_PREFIX, ".kong_process_secrets") + local process_secrets = helpers.path.join(TEST_PREFIX, ".kong_process_secrets_http") local admin_access_log_path = helpers.path.join(TEST_PREFIX, helpers.test_conf.admin_access_log) local admin_error_log_path = helpers.path.join(TEST_PREFIX, helpers.test_conf.admin_error_log) @@ -103,7 +104,7 @@ describe("kong prepare", function() })) assert.truthy(helpers.path.exists(TEST_PREFIX)) - local process_secrets = helpers.path.join(TEST_PREFIX, ".kong_process_secrets") + local process_secrets = helpers.path.join(TEST_PREFIX, ".kong_process_secrets_http") local admin_access_log_path = helpers.path.join(TEST_PREFIX, helpers.test_conf.admin_access_log) local admin_error_log_path = helpers.path.join(TEST_PREFIX, helpers.test_conf.admin_error_log) @@ -137,7 +138,7 @@ describe("kong prepare", function() })) assert.truthy(helpers.path.exists(TEST_PREFIX)) - local process_secrets = helpers.path.join(TEST_PREFIX, ".kong_process_secrets") + local process_secrets = helpers.path.join(TEST_PREFIX, ".kong_process_secrets_http") local admin_access_log_path = helpers.path.join(TEST_PREFIX, helpers.test_conf.admin_access_log) local admin_error_log_path = helpers.path.join(TEST_PREFIX, helpers.test_conf.admin_error_log) @@ -154,6 +155,81 @@ describe("kong prepare", function() assert.matches("kong_tests_unknown", stderr) assert.falsy(ok) end) + + it("prepares a prefix and starts kong with http and stream submodule correctly [#" .. strategy .. "]", function () + helpers.setenv("CERT", ssl_fixtures.cert) + helpers.setenv("KEY", ssl_fixtures.key) + helpers.setenv("CERT_ALT", ssl_fixtures.cert_alt) + helpers.setenv("KEY_ALT", ssl_fixtures.key_alt) + helpers.setenv("LOGLEVEL", "error") + finally(function() + helpers.unsetenv("CERT") + helpers.unsetenv("CERT_ALT") + helpers.unsetenv("KEY") + helpers.unsetenv("KEY_ALT") + helpers.unsetenv("LOGLEVEL") + end) + assert(helpers.kong_exec("prepare -c " .. helpers.test_conf_path, { + prefix = TEST_PREFIX, + database = strategy, + loglevel = "{vault://env/loglevel}", + lua_ssl_trusted_certificate = "{vault://env/cert}, system", + ssl_cert_key = "{vault://env/key}, {vault://env/key_alt}", + ssl_cert = "{vault://env/cert}, {vault://env/cert_alt}", + vaults = "env", + proxy_listen = "127.0.0.1:8000", + stream_listen = "127.0.0.1:9000", + admin_listen = "127.0.0.1:8001", + })) + assert.truthy(helpers.path.exists(TEST_PREFIX)) + + local process_secrets_http = helpers.path.join(TEST_PREFIX, ".kong_process_secrets_http") + local process_secrets_stream = helpers.path.join(TEST_PREFIX, ".kong_process_secrets_stream") + + local admin_access_log_path = helpers.path.join(TEST_PREFIX, helpers.test_conf.admin_access_log) + local admin_error_log_path = helpers.path.join(TEST_PREFIX, helpers.test_conf.admin_error_log) + + assert.truthy(helpers.path.exists(process_secrets_http)) + assert.truthy(helpers.path.exists(process_secrets_stream)) + assert.truthy(helpers.path.exists(admin_access_log_path)) + assert.truthy(helpers.path.exists(admin_error_log_path)) + + local nginx_bin, err = signals.find_nginx_bin() + assert.is_nil(err) + + local cmd = fmt("%s -p %s -c %s", nginx_bin, TEST_PREFIX, "nginx.conf") + local ok, _, stderr = shell.run(cmd, nil, 0) + + assert.equal("", stderr) + assert.truthy(ok) + local error_log_path = helpers.path.join(TEST_PREFIX, "logs/error.log") + assert.logfile(error_log_path).has.no.line("[error]", true, 0) + assert.logfile(error_log_path).has.no.line("[alert]", true, 0) + assert.logfile(error_log_path).has.no.line("[crit]", true, 0) + assert.logfile(error_log_path).has.no.line("[emerg]", true, 0) + assert + .with_timeout(5) + .ignore_exceptions(true) + .eventually(function() + local client = helpers.admin_client(nil, 8001) + local res, err = client:send({ path = "/status", method = "GET" }) + + if res then res:read_body() end + + client:close() + + if not res then + return nil, err + end + + if res.status ~= 200 then + return nil, res + end + + return true + end) + .is_truthy("/status API did not return 200") + end) end) end end) diff --git a/spec/02-integration/13-vaults/03-mock_spec.lua b/spec/02-integration/13-vaults/03-mock_spec.lua index 77508422afe..32ff47c7959 100644 --- a/spec/02-integration/13-vaults/03-mock_spec.lua +++ b/spec/02-integration/13-vaults/03-mock_spec.lua @@ -110,7 +110,7 @@ for _, strategy in helpers.each_strategy() do local body = assert.res_status(200, res) local json = cjson.decode(body) assert.equal(meta._VERSION, json.version) - assert.equal("{vault://mock/admin-listen}", json.configuration.admin_listen) + assert.same({ "{vault://mock/admin-listen}" }, json.configuration.admin_listen) assert.falsy(exists(join(helpers.test_conf.prefix, ".kong_process_secrets"))) end) end) @@ -141,7 +141,7 @@ for _, strategy in helpers.each_strategy() do local body = assert.res_status(200, res) local json = cjson.decode(body) assert.equal(meta._VERSION, json.version) - assert.equal("{vault://mock/listen?prefix=admin_}", json.configuration.admin_listen) + assert.same({ "{vault://mock/listen?prefix=admin_}" }, json.configuration.admin_listen) end) end) end)