Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(admin-api) support for SSL in the admin API #1706

Merged
merged 2 commits into from
Oct 28, 2016
Merged

feat(admin-api) support for SSL in the admin API #1706

merged 2 commits into from
Oct 28, 2016

Conversation

subnetmarco
Copy link
Member

@subnetmarco subnetmarco commented Oct 1, 2016
edited
Loading

Serving the Admin API over HTTPs as a first step to implement first-class authentication in the Admin API (most likely Basic Authentication) without the ugly hack of adding the Admin API as a regular API on Kong.

Full changelog

  • The Admin API now also supports HTTPs.

@subnetmarco subnetmarco added this to the 0.10 milestone Oct 3, 2016
thibaultcha
thibaultcha requested changes Oct 18, 2016
View reviewed changes
Copy link
Member

@thibaultcha thibaultcha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It all looks good except for small concerns.

kong/cmd/utils/prefix_handler.lua

if not pl_path.exists(ssl_cert) and not pl_path.exists(ssl_cert_key) then
log.verbose("generating default SSL certificate and key")
log.verbose("generating "..(admin and "admin" or "default").." SSL certificate and key")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's make this more concise:

log.verbose("generating %s SSL certificate and key",
                     admin and "admin" or "default") -- notice the line jump to avoid >80 cols

kong/cmd/utils/prefix_handler.lua
end
end
else
log.verbose("default SSL certificate found at %s", ssl_cert)
log.verbose((admin and "admin" or "default").." SSL certificate found at %s", ssl_cert)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

spec/kong_tests.conf
@@ -8,6 +8,9 @@ cluster_listen_rpc = 127.0.0.1:9373
ssl_cert = spec/fixtures/kong_spec.crt
ssl_cert_key = spec/fixtures/kong_spec.key

admin_ssl_cert = spec/fixtures/kong_spec.crt
admin_ssl_cert_key = spec/fixtures/kong_spec.key
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should disable admin_ssl (and ssl altogether) from being used in our tests. We do not have any test even making use of them, and if that is or becomes the case, we can enable SSL for this particular test when starting kong in its setup() hook.

We should keep the test instance as lean as possible.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test is using them https://github.com/Mashape/kong/pull/1706/files#diff-7c3103b7930d1a3b80a29ec77ef516cd

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then as I said, in the context of this test and this test only should it be enabled.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am testing it the same way we are testing the HTTPs proxy port. These things should be tested.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

? I am not saying they shouldn't be tested, I am saying to only enable SSL in the related tests.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why complicating our lives in tests? If anything, the admin API should only be available on SSL since it's being used to provision security credentials.

@thibaultcha thibaultcha added pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done. and removed pr/status/needs review labels Oct 18, 2016
@subnetmarco subnetmarco removed the pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done. label Oct 18, 2016
@thibaultcha thibaultcha added the pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done. label Oct 18, 2016
@subnetmarco subnetmarco merged commit 7c60809 into next Oct 28, 2016
@subnetmarco subnetmarco deleted the feat/admin-ssl branch October 28, 2016 00:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thibaultcha thibaultcha thibaultcha requested changes

Assignees
No one assigned
Labels
pr/changes requested Changes were requested to this PR by a maintainer. Please address them and ping back once done.
Projects
None yet
Milestone
0.10 RC
Development

Successfully merging this pull request may close these issues.
2 participants
@subnetmarco @thibaultcha