feat(k8s-discovery): support mTLS

e1ijah1 · e1ijah1 · commit 831386b66ae8 · 2023-01-17T17:27:23.000+08:00
diff --git a/apisix/discovery/kubernetes/informer_factory.lua b/apisix/discovery/kubernetes/informer_factory.lua
@@ -23,6 +23,10 @@ local type = type
 local core = require("apisix.core")
 local http = require("resty.http")
 
+if not http.tls_handshake then
+    error("Bad http library. Should use api7-lua-resty-http instead")
+end
+
 local function list_query(informer)
     local arguments = {
         limit = informer.limit,
@@ -269,12 +273,18 @@ local function list_watch(informer, apiserver)
     informer.fetch_state = "connecting"
     core.log.info("begin to connect ", apiserver.host, ":", apiserver.port)
 
-    ok, message = httpc:connect({
+    local opt = {
         scheme = apiserver.schema,
         host = apiserver.host,
         port = apiserver.port,
-        ssl_verify = false
-    })
+        ssl_verify = apiserver.ssl_verify,
+    }
+    if apiserver.schema == "https" and apiserver.certificate ~= "" and apiserver.key ~= "" then
+        opt.ssl_cert_path = apiserver.certificate
+        opt.ssl_key_path = apiserver.key
+        opt.ssl_server_name = apiserver.host
+    end
+    ok, message = httpc:connect(opt)
 
     if not ok then
         informer.fetch_state = "connect failed"
diff --git a/apisix/discovery/kubernetes/init.lua b/apisix/discovery/kubernetes/init.lua
@@ -270,15 +270,42 @@ local function get_apiserver(conf)
         if err then
             return nil, err
         end
+    elseif conf.client.certificate and conf.client.key then
+        apiserver.certificate, err = read_env(conf.client.certificate)
+        if err then
+            return nil, err
+        end
+        apiserver.key, err = read_env(conf.client.key)
+        if err then
+            return nil, err
+        end
     else
-        return nil, "one of [client.token,client.token_file] should be set but none"
+        return nil, "one of [client.token,client.token_file, (client.certificate, client.key)] should be set but none"
+    end
+
+    apiserver.ssl_verify = false
+    if conf.client.ssl_verify then
+        apiserver.ssl_verify, err = read_env(conf.client.ssl_verify)
+        if err then
+            return nil, err
+        end
+        if apiserver.ssl_verify ~= "true" and apiserver.ssl_verify ~= "false" then
+            return nil, "client.ssl_verify should be set to one of [true,false] but " .. apiserver.ssl_verify
+        end
+        if apiserver.ssl_verify == "true" then
+            apiserver.ssl_verify = true
+        end
     end
 
     -- remove possible extra whitespace
     apiserver.token = apiserver.token:gsub("%s+", "")
+    apiserver.certificate = apiserver.certificate:gsub("%s+", "")
+    apiserver.key = apiserver.key:gsub("%s+", "")
 
-    if apiserver.schema == "https" and apiserver.token == "" then
-        return nil, "apiserver.token should set to non-empty string when service.schema is https"
+    if apiserver.schema == "https" then
+        if (apiserver.token == "" or apiserver.certificate == "" or apiserver.key == "") then
+            return nil, "apiserver.token or (apiserver.certificate and apiserver.key) should set to non-empty string when service.schema is https"
+        end
     end
 
     return apiserver
