feat(services): added the service's certificate to support the `grpcs…

…` protocol.
Kong · Oct 14, 2024 · fa1b5dc · fa1b5dc
1 parent 0b0cbed
commit fa1b5dc
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 3 deletions.
diff --git a/changelog/unreleased/kong/services_certificate_support_grpcs.yml b/changelog/unreleased/kong/services_certificate_support_grpcs.yml
@@ -0,0 +1,3 @@
+message: Added the service's certificate to support the `grpcs` protocol.
+scope: Core
+type: feature
diff --git a/kong/clustering/compat/checkers.lua b/kong/clustering/compat/checkers.lua
@@ -39,6 +39,38 @@ do
 end
 
 local compatible_checkers = {
+  {
+    3009000000, -- [[ 3.9.0.0 ]]
+    function(config_table, dp_version, log_suffix)
+      -- remove tls_verify, ca_certificates, tls_verify_depth fields for core entity services
+      local config_services = config_table["services"]
+
+      local has_update
+      for _, t in ipairs(config_services or {}) do
+        if t["protocol"] == "grpcs" then
+          if t["tls_verify"] or
+              t["tls_verify_depth"] or
+              t["ca_certificates"] then
+            t["tls_verify"] = nil
+            t["tls_verify_depth"] = nil
+            t["ca_certificates"] = nil
+
+            has_update = true
+
+            if has_update then
+              log_warn_message("grpcs protocol service contains configuration 'service.tls_verify'" ..
+                "or 'service.tls_verify_depth' or 'service.ca_certificates'",
+                "be removed",
+                dp_version,
+                log_suffix)
+            end
+          end
+        end
+      end
+
+      return has_update
+    end
+  },
   { 3008000000, --[[ 3.8.0.0 ]]
     function (config_table, dp_version, log_suffix)
       local has_update

diff --git a/kong/db/schema/entities/services.lua b/kong/db/schema/entities/services.lua
@@ -59,15 +59,15 @@ return {
                       then_field = "client_certificate",
                       then_match = { eq = null }}},
     { conditional = { if_field = "protocol",
-                      if_match = { not_one_of = {"https", "tls"} },
+                      if_match = { not_one_of = { "https", "tls", "grpcs" } },
                       then_field = "tls_verify",
                       then_match = { eq = null }}},
     { conditional = { if_field = "protocol",
-                      if_match = { not_one_of = {"https", "tls"} },
+                      if_match = { not_one_of = { "https", "tls", "grpcs" } },
                       then_field = "tls_verify_depth",
                       then_match = { eq = null }}},
     { conditional = { if_field = "protocol",
-                      if_match = { not_one_of = {"https", "tls"} },
+                      if_match = { not_one_of = { "https", "tls", "grpcs" } },
                       then_field = "ca_certificates",
                       then_match = { eq = null }}},
   },

diff --git a/spec/01-unit/01-db/01-schema/05-services_spec.lua b/spec/01-unit/01-db/01-schema/05-services_spec.lua
@@ -579,6 +579,20 @@ describe("services", function()
       assert.is_true(ok)
     end)
 
+    it("'protocol' accepts 'grpcs' with tls_verify and ca_certificates", function()
+      local service = {
+        protocol = "grpcs",
+        host = "x.y",
+        port = 80,
+        enabled = true,
+        tls_verify = true,
+        ca_certificates = { "41f484e9-7888-495d-9283-1d4ce2168172" },
+      }
+      local ok, err = Services:validate(service)
+      assert.is_nil(err)
+      assert.is_true(ok)
+    end)
+
     it("if 'protocol = tcp/tls/udp/grpc/grpcs', then 'path' is empty", function()
       for _, v in ipairs({ "tcp", "tls", "udp", "grpc", "grpcs" }) do
         local service = {