This is an automated email from the ASF dual-hosted git repository.
bzp2010 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 2881b7f3b feat: set default value of ssl_trusted_certificate to system
(#11993)
2881b7f3b is described below
commit 2881b7f3b0db31a4133d83c51543b9bad990848c
Author: Ashish Tiwari <[email protected]>
AuthorDate: Tue Mar 11 10:16:11 2025 +0530
feat: set default value of ssl_trusted_certificate to system (#11993)
---
apisix/cli/config.lua | 3 ++-
apisix/cli/file.lua | 29 +++++++++++++++++++++++++++++
apisix/cli/ops.lua | 34 ----------------------------------
apisix/cli/schema.lua | 4 +---
apisix/core/config_local.lua | 8 --------
conf/config.yaml.example | 4 +---
t/cli/test_stream_config.sh | 20 --------------------
t/cli/test_upstream_mtls.sh | 2 +-
t/core/config_etcd.t | 2 --
9 files changed, 34 insertions(+), 72 deletions(-)
diff --git a/apisix/cli/config.lua b/apisix/cli/config.lua
index fbd5c0cae..be7694130 100644
--- a/apisix/cli/config.lua
+++ b/apisix/cli/config.lua
@@ -67,7 +67,8 @@ local _M = {
"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
}, ":"),
- ssl_session_tickets = false
+ ssl_session_tickets = false,
+ ssl_trusted_certificate = "system"
},
enable_control = true,
disable_sync_configuration_during_start = false,
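Review bot: The "system" default is now declared in two places — `ssl_trusted_certificate = "system"` here in the CLI default config and `default = "system"` in apisix/cli/schema.lua in the same commit — while the comment added to apisix/cli/file.lua credits the schema as the source of the default. Keeping one source of truth avoids the two drifting apart later; if this table must stay in sync with the schema for some reason, a short comment such as `-- keep in sync with the default in apisix/cli/schema.lua` would make that dependency visible. The enclosing `_M` table starts and ends outside this hunk.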
diff --git a/apisix/cli/file.lua b/apisix/cli/file.lua
index 86cdd7b85..eb4748efd 100644
--- a/apisix/cli/file.lua
+++ b/apisix/cli/file.lua
@@ -18,8 +18,10 @@
local yaml = require("lyaml")
local profile = require("apisix.core.profile")
local util = require("apisix.cli.util")
+local schema = require("apisix.cli.schema")
local default_conf = require("apisix.cli.config")
local dkjson = require("dkjson")
+local pl_path = require("pl.path")
local pairs = pairs
local type = type
@@ -263,6 +265,11 @@ function _M.read_yaml_conf(apisix_home)
end
end
+ -- fill the default value by the schema
+ local ok, err = schema.validate(default_conf)
+ if not ok then
+ return nil, err
+ end
if default_conf.deployment then
default_conf.deployment.config_provider = "etcd"
if default_conf.deployment.role == "traditional" then
@@ -297,6 +304,28 @@ function _M.read_yaml_conf(apisix_home)
end
end
+ local apisix_ssl = default_conf.apisix.ssl
+ if apisix_ssl and apisix_ssl.ssl_trusted_certificate then
+ -- default value is set to "system" during schema validation
+ if apisix_ssl.ssl_trusted_certificate == "system" then
+ local trusted_certs_path, err =
util.get_system_trusted_certs_filepath()
+ if not trusted_certs_path then
+ util.die(err)
+ end
+
+ apisix_ssl.ssl_trusted_certificate = trusted_certs_path
+ else
+ -- During validation, the path is relative to PWD
+ -- When Nginx starts, the path is relative to conf
+ -- Therefore we need to check the absolute version instead
+ local cert_path =
pl_path.abspath(apisix_ssl.ssl_trusted_certificate)
+ if not pl_path.exists(cert_path) then
+ util.die("certificate path", cert_path, "doesn't exist\n")
+ end
+ apisix_ssl.ssl_trusted_certificate = cert_path
+ end
+ end
+
replace_by_reserved_env_vars(default_conf)
return default_conf
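Review bot: The new certificate branch in read_yaml_conf mixes error conventions: the schema failure added earlier in the same function returns `nil, err`, while the two failures here call `util.die(...)`. read_yaml_conf is also the loader behind core.config_local.local_conf (this commit removes that module's own validation step), so if util.die terminates the process as its name suggests, a trusted-CA path that has gone missing would now abort wherever the local config is (re)read rather than surfacing as an error the caller can report; `return nil, err` and `return nil, "certificate path " .. cert_path .. " doesn't exist"` would keep the function's contract uniform and leave the decision to exit to the CLI. Note also that the comma-separated form the removed apisix/cli/ops.lua code accepted (e.g. `system, t/certs/apisix.crt`) now falls into the else branch and fails with a "doesn't exist" message naming the whole list, which will confuse users upgrading; a check for a `,` in the value with an explicit "comma-separated lists are no longer supported" message would be clearer. read_yaml_conf begins before this hunk.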
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
index c10bcfaa7..b73fa6701 100644
--- a/apisix/cli/ops.lua
+++ b/apisix/cli/ops.lua
@@ -49,8 +49,6 @@ local str_find = string.find
local str_byte = string.byte
local str_sub = string.sub
local str_format = string.format
-local string = string
-local table = table
local _M = {}
@@ -503,38 +501,6 @@ Please modify "admin_key" in conf/config.yaml .
yaml_conf.apisix.ssl.listen = ssl_listen
yaml_conf.apisix.enable_http3_in_server_context =
enable_http3_in_server_context
-
- if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
- local cert_paths = {}
- local ssl_certificates = yaml_conf.apisix.ssl.ssl_trusted_certificate
- for cert_path in string.gmatch(ssl_certificates, '([^,]+)') do
- cert_path = util.trim(cert_path)
- if cert_path == "system" then
- local trusted_certs_path, err =
util.get_system_trusted_certs_filepath()
- if not trusted_certs_path then
- util.die(err)
- end
- table.insert(cert_paths, trusted_certs_path)
- else
- -- During validation, the path is relative to PWD
- -- When Nginx starts, the path is relative to conf
- -- Therefore we need to check the absolute version instead
- cert_path = pl_path.abspath(cert_path)
- if not pl_path.exists(cert_path) then
- util.die("certificate path", cert_path, "doesn't exist\n")
- end
-
- table.insert(cert_paths, cert_path)
- end
- end
-
- local combined_cert_filepath =
yaml_conf.apisix.ssl.ssl_trusted_combined_path
- or
"/usr/local/apisix/conf/ssl_trusted_combined.pem"
- util.gen_trusted_certs_combined_file(combined_cert_filepath,
cert_paths)
-
- yaml_conf.apisix.ssl.ssl_trusted_certificate = combined_cert_filepath
- end
-
-- enable ssl with place holder crt&key
yaml_conf.apisix.ssl.ssl_cert = "cert/ssl_PLACE_HOLDER.crt"
yaml_conf.apisix.ssl.ssl_cert_key = "cert/ssl_PLACE_HOLDER.key"
diff --git a/apisix/cli/schema.lua b/apisix/cli/schema.lua
index 1def95484..b6208bf74 100644
--- a/apisix/cli/schema.lua
+++ b/apisix/cli/schema.lua
@@ -208,9 +208,7 @@ local config_schema = {
properties = {
ssl_trusted_certificate = {
type = "string",
- },
- ssl_trusted_combined_path = {
- type = "string",
+ default = "system"
},
listen = {
type = "array",
diff --git a/apisix/core/config_local.lua b/apisix/core/config_local.lua
index 1c17086dc..2b8f92ff8 100644
--- a/apisix/core/config_local.lua
+++ b/apisix/core/config_local.lua
@@ -20,8 +20,6 @@
-- @module core.config_local
local file = require("apisix.cli.file")
-local schema = require("apisix.cli.schema")
-local error = error
local _M = {}
@@ -65,12 +63,6 @@ function _M.local_conf(force)
return nil, err
end
- -- fill the default value by the schema
- local ok, err = schema.validate(default_conf)
- if not ok then
- error(err)
- end
-
config_data = default_conf
return config_data
end
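Review bot: Dropping the `error(err)` here changes what local_conf does on a schema failure: it previously raised, and now the `nil, err` that read_yaml_conf returns for the same condition is propagated through the existing `return nil, err` at the top of the hunk. Any caller that uses the first return value of local_conf() without checking the second will now index nil instead of seeing the validation message, so the callers are worth a pass; a comment such as `-- schema defaults are filled in by file.read_yaml_conf; validation errors arrive as nil, err` on the assignment to config_data would record where the validation moved. local_conf begins before this hunk.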
diff --git a/conf/config.yaml.example b/conf/config.yaml.example
index d18770985..c0da9c0bf 100644
--- a/conf/config.yaml.example
+++ b/conf/config.yaml.example
@@ -99,9 +99,7 @@ apisix:
# - ip: 127.0.0.3 # If not set, default to
`0.0.0.0`.
# port: 9445
# enable_http3: true
- ssl_trusted_combined_path: /usr/local/apisix/conf/ssl_trusted_combined.pem
# All the trusted certificates will be combined into a single file
- #ssl_trusted_certificate: system # Specifies comma separated
list of trusted CA. Value can be either "system"(for using system available ca
certs) or
- # a file path with trusted CA
certificates in the PEM format
+ #ssl_trusted_certificate: system # Specifies a file path with
trusted CA certificates in the PEM format. The default value is "system".
ssl_protocols: TLSv1.2 TLSv1.3 # TLS versions supported.
ssl_ciphers:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_session_tickets: false # If true, session tickets are used for
SSL/TLS connections.
diff --git a/t/cli/test_stream_config.sh b/t/cli/test_stream_config.sh
index 2843b5c5d..4eefb477e 100755
--- a/t/cli/test_stream_config.sh
+++ b/t/cli/test_stream_config.sh
@@ -74,26 +74,6 @@ fi
echo "passed: enable stream proxy and http proxy"
-echo "
-apisix:
- ssl:
- ssl_trusted_certificate: t/certs/mtls_ca.crt
- ssl_trusted_combined_path: t/certs/mtls_ca_combined.crt
- proxy_mode: http&stream
- stream_proxy:
- tcp:
- - addr: 9100
-" > conf/config.yaml
-
-make init
-
-if ! grep "t/certs/mtls_ca_combined.crt;" conf/nginx.conf > /dev/null; then
- echo "failed: failed to set trust certificate"
- exit 1
-fi
-
-echo "passed: set trust certificate"
-
echo "
apisix:
proxy_mode: http&stream
diff --git a/t/cli/test_upstream_mtls.sh b/t/cli/test_upstream_mtls.sh
index b2b366aa0..bb6c41a2e 100755
--- a/t/cli/test_upstream_mtls.sh
+++ b/t/cli/test_upstream_mtls.sh
@@ -155,7 +155,7 @@ echo "passed: when proxy_ssl_verify is enabled and
ssl_trusted_certificate is wr
echo '
apisix:
ssl:
- ssl_trusted_certificate: system, t/certs/apisix.crt
+ ssl_trusted_certificate: t/certs/apisix.crt
nginx_config:
http_configuration_snippet: |
server {
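Review bot: After this edit no test in the diff exercises the new default: the mixed `system, t/certs/apisix.crt` case is rewritten to a single path, and the explicit-path case in t/cli/test_stream_config.sh that grepped conf/nginx.conf for the result is deleted, so the `== "system"` branch in apisix/cli/file.lua that calls util.get_system_trusted_certs_filepath() has no visible coverage. A case that leaves ssl_trusted_certificate unset, runs `make init`, and greps conf/nginx.conf for the resolved system bundle path would close that gap. The heredoc continues outside this hunk.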
diff --git a/t/core/config_etcd.t b/t/core/config_etcd.t
index 75b0e9bb6..94251569f 100644
--- a/t/core/config_etcd.t
+++ b/t/core/config_etcd.t
@@ -59,8 +59,6 @@ qr/(connection refused){1,}/
--- yaml_config
apisix:
node_listen: 1984
- ssl:
- ssl_trusted_combined_path: t/servroot/conf/cert/etcd.pem
deployment:
role: traditional
role_traditional: