feat: support mTLS with etcd

apisix/core/config_etcd.lua

@@ -506,8 +506,15 @@ do
 
         -- default to verify etcd cluster certificate
         etcd_conf.ssl_verify = true
-        if etcd_conf.tls and etcd_conf.tls.verify == false then
-            etcd_conf.ssl_verify = false
+        if etcd_conf.tls then
+            if etcd_conf.tls.verify == false then
+                etcd_conf.ssl_verify = false
+            end
+
+            if etcd_conf.tls.cert then
+                etcd_conf.ssl_cert_path = etcd_conf.tls.cert
+                etcd_conf.ssl_key_path = etcd_conf.tls.key
+            end
         end
 
         local err

apisix/core/etcd.lua

@@ -24,6 +24,7 @@ local tonumber         = tonumber
 local _M = {}
 
 
+-- this function create the etcd client instance used in the Admin API
 local function new()
     local local_conf, err = fetch_local_conf()
     if not local_conf then
@@ -40,8 +41,16 @@ local function new()
     etcd_conf.ssl_verify = true
 
     -- default to verify etcd cluster certificate
-    if etcd_conf.tls and etcd_conf.tls.verify == false then
-        etcd_conf.ssl_verify = false
+    etcd_conf.ssl_verify = true
+    if etcd_conf.tls then
+        if etcd_conf.tls.verify == false then
+            etcd_conf.ssl_verify = false
+        end
+
+        if etcd_conf.tls.cert then
+            etcd_conf.ssl_cert_path = etcd_conf.tls.cert
+            etcd_conf.ssl_key_path = etcd_conf.tls.key
+        end
     end
 
     local etcd_cli

apisix/patch.lua

@@ -14,6 +14,7 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
+local require = require
 local socket = require("socket")
 local unix_socket = require("socket.unix")
 local ssl = require("ssl")
@@ -30,9 +31,19 @@ local setmetatable = setmetatable
 local type = type
 
 
+local config_local
 local _M = {}
 
 
+local function get_local_conf()
+    if not config_local then
+        config_local = require("apisix.core.config_local")
+    end
+
+    return config_local.local_conf()
+end
+
+
 local function flatten(args)
     local buf = new_tab(#args, 0)
     for i, v in ipairs(args) do
@@ -119,7 +130,12 @@ local luasocket_wrapper = {
         return self.sock:settimeout(time)
     end,
 
-    sslhandshake = function (self, reused_session, server_name, verify, send_status_req)
+    tlshandshake = function (self, options)
+        local reused_session = options.reused_session
+        local server_name = options.server_name
+        local verify = options.verify
+        local send_status_req = options.ocsp_status_req
+
         if reused_session then
             log(WARN, "reused_session is not supported yet")
         end
@@ -132,6 +148,8 @@ local luasocket_wrapper = {
             mode = "client",
             protocol = "any",
             verify = verify and "peer" or "none",
+            certificate = options.client_cert_path,
+            key = options.client_priv_key_path,
             options = {
                 "all",
                 "no_sslv2",
@@ -140,6 +158,16 @@ local luasocket_wrapper = {
             }
         }
 
+        local local_conf, err = get_local_conf()
+        if not local_conf then
+            return nil, err
+        end
+
+        local apisix_ssl = local_conf.apisix.ssl
+        if apisix_ssl and apisix_ssl.ssl_trusted_certificate then
+            params.cafile = apisix_ssl.ssl_trusted_certificate
+        end
+
         local sec_sock, err = ssl.wrap(self.sock, params)
         if not sec_sock then
             return false, err
@@ -157,6 +185,15 @@ local luasocket_wrapper = {
 
         self.sock = sec_sock
         return true
+    end,
+
+    sslhandshake = function (self, reused_session, server_name, verify, send_status_req)
+        return self:tlshandshake({
+            reused_session = reused_session,
+            server_name = server_name,
+            verify = verify,
+            ocsp_status_req = send_status_req,
+        })
     end
 }
 

rockspec/apisix-master-0.rockspec

@@ -34,7 +34,7 @@ dependencies = {
     "lua-resty-ctxdump = 0.1-0",
     "lua-resty-dns-client = 5.2.0",
     "lua-resty-template = 1.9",
-    "lua-resty-etcd = 1.4.3",
+    "lua-resty-etcd = 1.5.0",
     "lua-resty-balancer = 0.02rc5",
     "lua-resty-ngxvar = 0.5.2",
     "lua-resty-jit-uuid = 0.0.7",

t/APISIX.pm

@@ -298,8 +298,9 @@ _EOC_
             apisix.stream_balancer_phase()
         }
     }
+_EOC_
 
-    init_by_lua_block {
+    my $stream_init_by_lua_block = $block->stream_init_by_lua_block // <<_EOC_;
         if os.getenv("APISIX_ENABLE_LUACOV") == "1" then
             require("luacov.runner")("t/apisix.luacov")
             jit.off()
@@ -309,8 +310,12 @@ _EOC_
 
         apisix = require("apisix")
         apisix.stream_init()
-    }
+_EOC_
 
+    $stream_config .= <<_EOC_;
+    init_by_lua_block {
+        $stream_init_by_lua_block
+    }
     init_worker_by_lua_block {
         apisix.stream_init_worker()
     }