feat(balancer): tls protocol upstream support upstream tls config

CHANGELOG.md

@@ -114,6 +114,8 @@
   their consumers fail to process the entries.  Instead, old batches are now dropped
   and an error is logged.
   [#10046](https://github.com/Kong/kong/pull/10046)
+- tls protocol upstream support upstream tls config
+  [#9947](https://github.com/Kong/kong/pull/9947)
 
 #### Plugins
 

kong/db/schema/entities/services.lua

@@ -53,19 +53,19 @@ return {
                       then_field = "path",
                       then_match = { eq = null }}},
     { conditional = { if_field = "protocol",
-                      if_match = { ne = "https" },
+                      if_match = { not_one_of = {"https", "tls"} },
                       then_field = "client_certificate",
                       then_match = { eq = null }}},
     { conditional = { if_field = "protocol",
-                      if_match = { ne = "https" },
+                      if_match = { not_one_of = {"https", "tls"} },
                       then_field = "tls_verify",
                       then_match = { eq = null }}},
     { conditional = { if_field = "protocol",
-                      if_match = { ne = "https" },
+                      if_match = { not_one_of = {"https", "tls"} },
                       then_field = "tls_verify_depth",
                       then_match = { eq = null }}},
     { conditional = { if_field = "protocol",
-                      if_match = { ne = "https" },
+                      if_match = { not_one_of = {"https", "tls"} },
                       then_field = "ca_certificates",
                       then_match = { eq = null }}},
   },

kong/runloop/balancer/init.lua

@@ -36,10 +36,11 @@ local EMPTY_T = pl_tablex.readonly {}
 
 
 local set_authority
-local set_upstream_cert_and_key
+
+local set_upstream_cert_and_key = require("resty.kong.tls").set_upstream_cert_and_key
+
 if ngx.config.subsystem ~= "stream" then
   set_authority = require("resty.kong.grpc").set_authority
-  set_upstream_cert_and_key = require("resty.kong.tls").set_upstream_cert_and_key
 end
 
 

kong/runloop/handler.lua

@@ -11,7 +11,7 @@ local certificate  = require "kong.runloop.certificate"
 local concurrency  = require "kong.concurrency"
 local lrucache     = require "resty.lrucache"
 local marshall     = require "kong.cache.marshall"
-
+local ktls         = require("resty.kong.tls")
 
 local PluginsIterator = require "kong.runloop.plugins_iterator"
 local instrumentation = require "kong.tracing.instrumentation"
@@ -96,26 +96,22 @@ local STREAM_TLS_TERMINATE_SOCK
 local STREAM_TLS_PASSTHROUGH_SOCK
 
 
-local set_upstream_cert_and_key
-local set_upstream_ssl_verify
-local set_upstream_ssl_verify_depth
-local set_upstream_ssl_trusted_store
 local set_authority
 local set_log_level
+local set_upstream_cert_and_key = ktls.set_upstream_cert_and_key
+local set_upstream_ssl_verify = ktls.set_upstream_ssl_verify
+local set_upstream_ssl_verify_depth = ktls.set_upstream_ssl_verify_depth
+local set_upstream_ssl_trusted_store = ktls.set_upstream_ssl_trusted_store
+
 if is_http_module then
-  local tls = require("resty.kong.tls")
-  set_upstream_cert_and_key = tls.set_upstream_cert_and_key
-  set_upstream_ssl_verify = tls.set_upstream_ssl_verify
-  set_upstream_ssl_verify_depth = tls.set_upstream_ssl_verify_depth
-  set_upstream_ssl_trusted_store = tls.set_upstream_ssl_trusted_store
   set_authority = require("resty.kong.grpc").set_authority
   set_log_level = require("resty.kong.log").set_log_level
 end
 
 
 local disable_proxy_ssl
 if is_stream_module then
-  disable_proxy_ssl = require("resty.kong.tls").disable_proxy_ssl
+  disable_proxy_ssl = ktls.disable_proxy_ssl
 end
 
 
@@ -731,7 +727,7 @@ do
     ctx.route            = route
     ctx.balancer_data    = balancer_data
 
-    if is_http_module and service then
+    if service then
       local res, err
       local client_certificate = service.client_certificate
 
@@ -1078,6 +1074,7 @@ return {
                        upstream_url_t.host,
                        upstream_url_t.port,
                        service, route)
+      var.upstream_host = upstream_url_t.host
     end,
     after = function(ctx)
       local ok, err, errcode = balancer_execute(ctx)

kong/templates/nginx_kong_stream.lua

@@ -116,11 +116,11 @@ server {
     }
 > end
 
-    set $tls_sni_name 'kong_upstream';
+    set $upstream_host '';
     preread_by_lua_block {
         Kong.preread()
     }
-    proxy_ssl_name $tls_sni_name;
+    proxy_ssl_name $upstream_host;
 
     proxy_ssl on;
     proxy_ssl_server_name on;

spec/02-integration/03-db/02-db_core_entities_spec.lua

@@ -1539,7 +1539,7 @@ for _, strategy in helpers.each_strategy() do
           }, err_t)
         end)
 
-        it("cannot create assign ca_certificates when protocol is not https", function()
+        it("cannot create assign ca_certificates when protocol is not https or tls", function()
           -- insert 2
           local service, _, err_t = db.services:insert {
             name = "cc_test",
@@ -1560,7 +1560,7 @@ for _, strategy in helpers.each_strategy() do
           }, err_t)
         end)
 
-        it("cannot create assign tls_verify when protocol is not https", function()
+        it("cannot create assign tls_verify when protocol is not https or tls", function()
           -- insert 2
           local service, _, err_t = db.services:insert {
             name = "cc_test",
@@ -1581,7 +1581,7 @@ for _, strategy in helpers.each_strategy() do
           }, err_t)
         end)
 
-        it("cannot create assign tls_verify_depth when protocol is not https", function()
+        it("cannot create assign tls_verify_depth when protocol is not https or tls", function()
           -- insert 2
           local service, _, err_t = db.services:insert {
             name = "cc_test",