feat(config) default lua_ssl_trusted_certificate to system

CHANGELOG.md

@@ -75,6 +75,13 @@
 - Bumped inspect from 3.1.2 to 3.1.3
   [#8589](https://github.com/Kong/kong/pull/8589)
 
+
+### Changes
+##### Configuration
+
+- Change the default of `lua_ssl_trusted_certificate` to `system`.
+  [#8602](https://github.com/Kong/kong/pull/8602)
+
 ### Fixes
 
 #### Core

kong/templates/kong_defaults.lua

@@ -163,7 +163,7 @@ worker_consistency = strict
 worker_state_update_frequency = 5
 
 lua_socket_pool_size = 30
-lua_ssl_trusted_certificate = NONE
+lua_ssl_trusted_certificate = system
 lua_ssl_verify_depth = 1
 lua_ssl_protocols = TLSv1.1 TLSv1.2 TLSv1.3
 lua_package_path = ./?.lua;./?/init.lua;

spec/01-unit/03-conf_loader_spec.lua

@@ -851,9 +851,8 @@ describe("Configuration loader", function()
             cluster_cert_key = "spec/fixtures/kong_clustering.key",
           })
           assert.is_nil(errors)
-          assert.same({
-            pl_path.abspath("spec/fixtures/kong_clustering.crt"),
-          }, conf.lua_ssl_trusted_certificate)
+          assert.has_value(conf.lua_ssl_trusted_certificate,
+            pl_path.abspath("spec/fixtures/kong_clustering.crt"))
           assert.matches(".ca_combined", conf.lua_ssl_trusted_certificate_combined)
 
           local conf, _, errors = conf_loader(nil, {
@@ -865,9 +864,8 @@ describe("Configuration loader", function()
             cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
           })
           assert.is_nil(errors)
-          assert.same({
-            pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"),
-          }, conf.lua_ssl_trusted_certificate)
+          assert.has_value(conf.lua_ssl_trusted_certificate,
+            pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"))
           assert.matches(".ca_combined", conf.lua_ssl_trusted_certificate_combined)
         end)
         it("doen't overwrite lua_ssl_trusted_certificate when autoload cluster_cert or cluster_ca_cert", function()
@@ -911,7 +909,8 @@ describe("Configuration loader", function()
             cluster_ca_cert = "spec/fixtures/kong_clustering_ca.crt",
           })
           assert.is_nil(errors)
-          assert.same({}, conf.lua_ssl_trusted_certificate)
+          assert.not_has_value(conf.lua_ssl_trusted_certificate,
+            pl_path.abspath("spec/fixtures/kong_clustering_ca.crt"))
         end)
         it("resolves SSL cert/key to absolute path", function()
           local conf, err = conf_loader(nil, {

spec/01-unit/04-prefix_handler_spec.lua

@@ -108,7 +108,7 @@ describe("NGINX conf compiler", function()
       assert.matches("listen%s+127%.0%.0%.1:9001;", kong_nginx_conf)
       assert.matches("server_name%s+kong;", kong_nginx_conf)
       assert.matches("server_name%s+kong_admin;", kong_nginx_conf)
-      assert.not_matches("lua_ssl_trusted_certificate", kong_nginx_conf, nil, true)
+      assert.matches("lua_ssl_trusted_certificate.+;", kong_nginx_conf)
     end)
     it("compiles with custom conf", function()
       local conf = assert(conf_loader(helpers.test_conf_path, {
@@ -235,10 +235,10 @@ describe("NGINX conf compiler", function()
       local kong_nginx_conf = prefix_handler.compile_kong_conf(conf)
       assert.matches("lua_ssl_verify_depth%s+1;", kong_nginx_conf)
     end)
-    it("does not include lua_ssl_trusted_certificate by default", function()
+    it("includes default lua_ssl_trusted_certificate", function()
       local conf = assert(conf_loader(helpers.test_conf_path))
       local kong_nginx_conf = prefix_handler.compile_kong_conf(conf)
-      assert.not_matches("lua_ssl_trusted_certificate", kong_nginx_conf, nil, true)
+      assert.matches("lua_ssl_trusted_certificate.+;", kong_nginx_conf)
     end)
     it("sets lua_ssl_trusted_certificate to a combined file (single entry)", function()
       local conf = assert(conf_loader(helpers.test_conf_path, {
@@ -780,6 +780,7 @@ describe("NGINX conf compiler", function()
       local config = assert(conf_loader(helpers.test_conf_path, {
         prefix = "inexistent"
       }))
+      prefix_handler.prepare_prefix(config)
       assert(prefix_handler.prepare_prefix(config))
       assert.truthy(exists("inexistent"))
     end)

spec/helpers.lua

@@ -1910,6 +1910,47 @@ luassert:register("assertion", "cn", assert_cn,
                   "assertion.cn.positive")
 
 
+--- Assertions to check whether a value exists in a table
+-- @function has_value
+-- @param table
+-- @param value
+-- @return exists?
+-- @usage
+-- assert.has_value({"foo"}, "foo") -- true
+-- assert.not_has_value({"foo"}, "bar") -- true
+local function assert_has_value(state, args)
+    assert(type(args[1]) == "table",
+      "Expected first argument to be a table")
+
+    for _, v in pairs(args[1]) do
+      if v == args[2] then
+        return true
+      end
+    end
+
+    return false
+end
+
+say:set("assertion.has_value.negative", [[
+Expected table to have the given value.
+Passed in
+%s
+Expected value
+%s
+]])
+say:set("assertion.has_value.positive", [[
+Expected table to not have the given value.
+Passed in
+%s
+Expected value
+%s
+]])
+
+luassert:register("assertion", "has_value", assert_has_value,
+                  "assertion.has_value.negative",
+                  "assertion.has_value.positive")
+
+
 do
   --- Generic modifier "logfile"
   -- Will set an "errlog_path" value in the assertion state.