Kong · raoxiaoyan · Oct 14, 2024 · Nov 11, 2024
diff --git a/changelog/unreleased/kong/services_certificate_support_grpcs.yml b/changelog/unreleased/kong/services_certificate_support_grpcs.yml
@@ -0,0 +1,3 @@
+message: Added the service's certificate to support the `grpcs` protocol.
+scope: Core
+type: feature
diff --git a/kong/clustering/compat/checkers.lua b/kong/clustering/compat/checkers.lua
@@ -39,6 +39,38 @@ do
 end
 
 local compatible_checkers = {
+  {
+    3009000000, -- [[ 3.9.0.0 ]]
+    function(config_table, dp_version, log_suffix)
+      -- remove tls_verify, ca_certificates, tls_verify_depth fields for core entity services
+      local config_services = config_table["services"]
+
+      local has_update
+      for _, t in ipairs(config_services or {}) do
+        if t["protocol"] == "grpcs" then
+          if t["tls_verify"] or
+              t["tls_verify_depth"] or
+              t["ca_certificates"] then
+            t["tls_verify"] = nil
+            t["tls_verify_depth"] = nil
+            t["ca_certificates"] = nil
+
+            has_update = true
+
+            if has_update then
+              log_warn_message("grpcs protocol service contains configuration 'service.tls_verify'" ..
+                "or 'service.tls_verify_depth' or 'service.ca_certificates'",
+                "be removed",
+                dp_version,
+                log_suffix)
+            end
+          end
+        end
+      end
+
+      return has_update
+    end
+  },
   { 3008000000, --[[ 3.8.0.0 ]]
     function (config_table, dp_version, log_suffix)
       local has_update

diff --git a/kong/db/schema/entities/services.lua b/kong/db/schema/entities/services.lua
@@ -59,15 +59,15 @@ return {
                       then_field = "client_certificate",
                       then_match = { eq = null }}},
     { conditional = { if_field = "protocol",
-                      if_match = { not_one_of = {"https", "tls"} },
+                      if_match = { not_one_of = { "https", "tls", "grpcs" } },
                       then_field = "tls_verify",
                       then_match = { eq = null }}},
     { conditional = { if_field = "protocol",
-                      if_match = { not_one_of = {"https", "tls"} },
+                      if_match = { not_one_of = { "https", "tls", "grpcs" } },
                       then_field = "tls_verify_depth",
                       then_match = { eq = null }}},
     { conditional = { if_field = "protocol",
-                      if_match = { not_one_of = {"https", "tls"} },
+                      if_match = { not_one_of = { "https", "tls", "grpcs" } },
                       then_field = "ca_certificates",
                       then_match = { eq = null }}},
   },

diff --git a/spec/01-unit/01-db/01-schema/05-services_spec.lua b/spec/01-unit/01-db/01-schema/05-services_spec.lua
@@ -579,6 +579,20 @@ describe("services", function()
       assert.is_true(ok)
     end)
 
+    it("'protocol' accepts 'grpcs' with tls_verify and ca_certificates", function()
+      local service = {
+        protocol = "grpcs",
+        host = "x.y",
+        port = 80,
+        enabled = true,
+        tls_verify = true,
+        ca_certificates = { "41f484e9-7888-495d-9283-1d4ce2168172" },
+      }
+      local ok, err = Services:validate(service)
+      assert.is_nil(err)
+      assert.is_true(ok)
+    end)
+
     it("if 'protocol = tcp/tls/udp/grpc/grpcs', then 'path' is empty", function()
       for _, v in ipairs({ "tcp", "tls", "udp", "grpc", "grpcs" }) do
         local service = {

diff --git a/spec/02-integration/05-proxy/19-grpc_proxy_spec.lua b/spec/02-integration/05-proxy/19-grpc_proxy_spec.lua
@@ -1,6 +1,7 @@
 local helpers = require "spec.helpers"
 local cjson = require "cjson"
 local pl_path = require "pl.path"
+local ssl_fixtures = require "spec.fixtures.ssl"
 
 local FILE_LOG_PATH = os.tmpname()
 
@@ -9,7 +10,6 @@ local function reload_router(flavor)
   helpers = require("spec.internal.module").reload_helpers(flavor)
 end
 
-
 -- TODO: remove it when we confirm it is not needed
 local function gen_route(flavor, r)
   return r
@@ -18,21 +18,23 @@ end
 
 for _, flavor in ipairs({ "traditional", "traditional_compatible", "expressions" }) do
 for _, strategy in helpers.each_strategy() do
-
   describe("gRPC Proxying [#" .. strategy .. ", flavor = " .. flavor .. "]", function()
     local proxy_client_grpc
     local proxy_client_grpcs
     local proxy_client
     local proxy_client_ssl
     local proxy_client_h2c
     local proxy_client_h2
+    local ca_certificate
+    local mock_grpcs_service
 
     reload_router(flavor)
 
     lazy_setup(function()
       local bp = helpers.get_db_utils(strategy, {
         "routes",
         "services",
+        "ca_certificates",
       })
 
       local service1 = assert(bp.services:insert {
@@ -50,6 +52,11 @@ for _, strategy in helpers.each_strategy() do
         url = "grpc://localhost:8765",
       })
 
+      mock_grpcs_service = assert(bp.services:insert {
+        name = "mock_grpcs_service",
+        url = helpers.grpcbin_ssl_url,
+      })
+
       local mock_grpc_service_retry = assert(bp.services:insert {
         name = "mock_grpc_service_retry",
         url = "grpc://grpc_retry",
@@ -95,6 +102,13 @@ for _, strategy in helpers.each_strategy() do
         preserve_host = false,
       })))
 
+      assert(bp.routes:insert(gen_route(flavor, {
+        protocols = { "grpcs" },
+        hosts = { "example.com" },
+        service = mock_grpcs_service,
+        preserve_host = false,
+      })))
+
       assert(bp.routes:insert(gen_route(flavor, {
         protocols = { "grpc" },
         hosts = { "grpc_authority_retry.example" },
@@ -111,6 +125,10 @@ for _, strategy in helpers.each_strategy() do
         },
       })
 
+      ca_certificate = assert(bp.ca_certificates:insert({
+        cert = ssl_fixtures.cert_ca2,
+      }))
+
       local fixtures = {
         http_mock = {}
       }
@@ -379,6 +397,85 @@ for _, strategy in helpers.each_strategy() do
         assert.matches("Message: gRPC request matched gRPCs route", resp, nil, true)
       end)
     end)
+
+    if strategy ~= "off" then
+      describe("grpcs with tls", function()
+        local function proxy_grpcs_with_ca_certificate()
+          local ok, resp = assert(proxy_client_grpcs({
+            service = "hello.HelloService.SayHello",
+            body = {
+              greeting = "world!"
+            },
+            opts = {
+              ["-authority"] = "example.com",
+            }
+          }))
+          assert.truthy(ok)
+          assert.truthy(resp)
+        end
+
+        it("proxies grpcs without ca_certificate", function()
+          proxy_grpcs_with_ca_certificate()
+        end)
+
+        describe("tls_verify", function()
+          it("default is off", function()
+            local admin_client = helpers.admin_client()
+            local res = assert(admin_client:patch("/services/" .. mock_grpcs_service.id, {
+              body = {
+                ca_certificates = { ca_certificate.id, },
+              },
+              headers = { ["Content-Type"] = "application/json" },
+            }))
+
+            assert.res_status(200, res)
+            proxy_grpcs_with_ca_certificate()
+          end)
+
+          it("turn it on", function()
+            local admin_client = helpers.admin_client()
+            local res = assert(admin_client:patch("/services/" .. mock_grpcs_service.id, {
+              body = {
+                tls_verify = true,
+                ca_certificates = { ca_certificate.id, },
+              },
+              headers = { ["Content-Type"] = "application/json" },
+            }))
+
+            assert.res_status(200, res)
+            proxy_grpcs_with_ca_certificate()
+          end)
+        end)
+
+        describe("tls_verify_depth", function()
+          lazy_setup(function()
+            local admin_client = helpers.admin_client()
+            local res = assert(admin_client:patch("/services/" .. mock_grpcs_service.id, {
+              body = {
+                tls_verify = true,
+                ca_certificates = { ca_certificate.id, },
+              },
+              headers = { ["Content-Type"] = "application/json" },
+            }))
+
+            assert.res_status(200, res)
+          end)
+
+          it("request is allowed through if depth limit is sufficient", function()
+            local admin_client = helpers.admin_client()
+            local res = assert(admin_client:patch("/services/" .. mock_grpcs_service.id, {
+              body = {
+                tls_verify_depth = 1,
+              },
+              headers = { ["Content-Type"] = "application/json" },
+            }))
+
+            assert.res_status(200, res)
+            proxy_grpcs_with_ca_certificate()
+          end)
+        end)
+      end)
+    end
   end)
 end
 end   -- flavor