Kong · dndx · Apr 6, 2022 · Mar 29, 2022 · Mar 29, 2022 · Mar 29, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -91,6 +91,16 @@
 - Bumped inspect from 3.1.2 to 3.1.3
   [#8589](https://github.com/Kong/kong/pull/8589)
 
+
+### Breaking Changes
+
+##### Configuration
+
+- Change the default of `lua_ssl_trusted_certificate` to `system`
+  [#8602](https://github.com/Kong/kong/pull/8602). If you are upgrading from 2.x and want this variable to keep
+  working as before, please manually set it to empty
+  (`lua_ssl_trusted_certificate = [nothing in here]`) before upgrading. 
-  [#8602](https://github.com/Kong/kong/pull/8602). If you are upgrading from 2.x and want this variable to keep
-  working as before, please manually set it to empty
-  (`lua_ssl_trusted_certificate = [nothing in here]`) before upgrading. 
+  [#8602](https://github.com/Kong/kong/pull/8602).
-  [#8602](https://github.com/Kong/kong/pull/8602). If you are upgrading from 2.x and want this variable to keep
-  working as before, please manually set it to empty
-  (`lua_ssl_trusted_certificate = [nothing in here]`) before upgrading. 
+  [#8602](https://github.com/Kong/kong/pull/8602).
+
 ### Additions
 
 #### Plugins

diff --git a/kong.conf.default b/kong.conf.default
@@ -1379,33 +1379,33 @@
 # https://github.com/openresty/lua-nginx-module
 
 
-#lua_ssl_trusted_certificate =   # Comma-separated list of paths to certificate
-                                 # authority files for Lua cosockets in PEM format.
-                                 #
-                                 # The special value `system` attempts to search for the
-                                 # "usual default" provided by each distro, according
-                                 # to an arbitrary heuristic. In the current implementation,
-                                 # The following pathnames will be tested in order,
-                                 # and the first one found will be used:
-                                 #
-                                 # - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
-                                 # - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
-                                 # - /etc/ssl/ca-bundle.pem (OpenSUSE)
-                                 # - /etc/pki/tls/cacert.pem (OpenELEC)
-                                 # - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
-                                 # - /etc/ssl/cert.pem (OpenBSD, Alpine)
-                                 #
-                                 # If no file is found on any of these paths, an error will
-                                 # be raised.
-                                 #
-                                 # `system` can be used by itself or in conjunction with other
-                                 # CA filepaths.
-                                 #
-                                 # When `pg_ssl_verify` or `cassandra_ssl_verify`
-                                 # are enabled, these certificate authority files will be
-                                 # used for verifying Kong's database connections.
-                                 #
-                                 # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
+#lua_ssl_trusted_certificate = system   # Comma-separated list of paths to certificate
+                                        # authority files for Lua cosockets in PEM format.
+                                        #
+                                        # The special value `system` attempts to search for the
+                                        # "usual default" provided by each distro, according
+                                        # to an arbitrary heuristic. In the current implementation,
+                                        # The following pathnames will be tested in order,
+                                        # and the first one found will be used:
+                                        #
+                                        # - /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo)
+                                        # - /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
+                                        # - /etc/ssl/ca-bundle.pem (OpenSUSE)
+                                        # - /etc/pki/tls/cacert.pem (OpenELEC)
+                                        # - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
+                                        # - /etc/ssl/cert.pem (OpenBSD, Alpine)
+                                        #
+                                        # If no file is found on any of these paths, an error will
+                                        # be raised.
+                                        #
+                                        # `system` can be used by itself or in conjunction with other
+                                        # CA filepaths.
+                                        #
+                                        # When `pg_ssl_verify` or `cassandra_ssl_verify`
+                                        # are enabled, these certificate authority files will be
+                                        # used for verifying Kong's database connections.
+                                        #
+                                        # See https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate
 
 #lua_ssl_verify_depth = 1        # Sets the verification depth in the server
                                  # certificates chain used by Lua cosockets,

diff --git a/kong/templates/kong_defaults.lua b/kong/templates/kong_defaults.lua
@@ -166,7 +166,7 @@ worker_consistency = strict
 worker_state_update_frequency = 5
 
 lua_socket_pool_size = 30
-lua_ssl_trusted_certificate = NONE
+lua_ssl_trusted_certificate = system
 lua_ssl_verify_depth = 1
 lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
 lua_package_path = ./?.lua;./?/init.lua;

diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
@@ -851,9 +851,10 @@ describe("Configuration loader", function()
             cluster_cert_key = "spec/fixtures/kong_clustering.key",
           })
           assert.is_nil(errors)
-          assert.same({
+          assert.contains(
             pl_path.abspath("spec/fixtures/kong_clustering.crt"),
-          }, conf.lua_ssl_trusted_certificate)
+            conf.lua_ssl_trusted_certificate
+          )
           assert.matches(".ca_combined", conf.lua_ssl_trusted_certificate_combined)
 
           local conf, _, errors = conf_loader(nil, {
@@ -865,9 +866,10 @@ describe("Configuration loader", function()
             cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
           })
           assert.is_nil(errors)
-          assert.same({
+          assert.contains(
             pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"),
-          }, conf.lua_ssl_trusted_certificate)
+            conf.lua_ssl_trusted_certificate
+          )
           assert.matches(".ca_combined", conf.lua_ssl_trusted_certificate_combined)
         end)
         it("doen't overwrite lua_ssl_trusted_certificate when autoload cluster_cert or cluster_ca_cert", function()
@@ -911,7 +913,10 @@ describe("Configuration loader", function()
             cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
           })
           assert.is_nil(errors)
-          assert.same({}, conf.lua_ssl_trusted_certificate)
+          assert.not_contains(
+            pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"),
+            conf.lua_ssl_trusted_certificate
+          )
         end)
         it("resolves SSL cert/key to absolute path", function()
           local conf, err = conf_loader(nil, {

diff --git a/spec/01-unit/04-prefix_handler_spec.lua b/spec/01-unit/04-prefix_handler_spec.lua
@@ -108,7 +108,7 @@ describe("NGINX conf compiler", function()
       assert.matches("listen%s+127%.0%.0%.1:9001;", kong_nginx_conf)
       assert.matches("server_name%s+kong;", kong_nginx_conf)
       assert.matches("server_name%s+kong_admin;", kong_nginx_conf)
-      assert.not_matches("lua_ssl_trusted_certificate", kong_nginx_conf, nil, true)
+      assert.matches("lua_ssl_trusted_certificate.+;", kong_nginx_conf)
     end)
     it("compiles with custom conf", function()
       local conf = assert(conf_loader(helpers.test_conf_path, {
@@ -235,10 +235,10 @@ describe("NGINX conf compiler", function()
       local kong_nginx_conf = prefix_handler.compile_kong_conf(conf)
       assert.matches("lua_ssl_verify_depth%s+1;", kong_nginx_conf)
     end)
-    it("does not include lua_ssl_trusted_certificate by default", function()
+    it("includes default lua_ssl_trusted_certificate", function()
       local conf = assert(conf_loader(helpers.test_conf_path))
       local kong_nginx_conf = prefix_handler.compile_kong_conf(conf)
-      assert.not_matches("lua_ssl_trusted_certificate", kong_nginx_conf, nil, true)
+      assert.matches("lua_ssl_trusted_certificate.+;", kong_nginx_conf)
     end)
     it("sets lua_ssl_trusted_certificate to a combined file (single entry)", function()
       local conf = assert(conf_loader(helpers.test_conf_path, {

diff --git a/spec/helpers.lua b/spec/helpers.lua
@@ -1909,7 +1909,6 @@ luassert:register("assertion", "cn", assert_cn,
                   "assertion.cn.negative",
                   "assertion.cn.positive")
 
-
 do
   --- Generic modifier "logfile"
   -- Will set an "errlog_path" value in the assertion state.