From 0ebc358063569cb08bba8e8bdf1586c2146ed9a0 Mon Sep 17 00:00:00 2001 From: Chrono Date: Mon, 30 Dec 2024 10:26:25 +0800 Subject: [PATCH] feat(clustering/rpc): add support for cert details (#14050) Follow up of https://github.com/Kong/kong/pull/14046 KAG-6084 --- kong/clustering/rpc/manager.lua | 10 ++++++++-- kong/clustering/services/sync/rpc.lua | 1 + spec/02-integration/09-hybrid_mode/01-sync_spec.lua | 12 ++---------- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/kong/clustering/rpc/manager.lua b/kong/clustering/rpc/manager.lua index 142c90a194c..88dfa6a8594 100644 --- a/kong/clustering/rpc/manager.lua +++ b/kong/clustering/rpc/manager.lua @@ -146,7 +146,7 @@ end -- CP => DP -function _M:_handle_meta_call(c) +function _M:_handle_meta_call(c, cert) local data, typ, err = c:recv_frame() if err then return nil, err @@ -226,11 +226,17 @@ function _M:_handle_meta_call(c) end end + -- values in cert_details must be strings + local cert_details = { + expiry_timestamp = cert:get_not_after(), + } + -- store DP's ip addr self.client_info[node_id] = { ip = ngx_var.remote_addr, version = info.kong_version, labels = labels, + cert_details = cert_details, } return node_id @@ -450,7 +456,7 @@ function _M:handle_websocket() end -- if timeout (default is 5s) we will close the connection - local node_id, err = self:_handle_meta_call(wb) + local node_id, err = self:_handle_meta_call(wb, cert) if not node_id then ngx_log(ngx_ERR, _log_prefix, "unable to handshake with client: ", err) return ngx_exit(ngx.HTTP_CLOSE) diff --git a/kong/clustering/services/sync/rpc.lua b/kong/clustering/services/sync/rpc.lua index e19960a45ee..26136ec025e 100644 --- a/kong/clustering/services/sync/rpc.lua +++ b/kong/clustering/services/sync/rpc.lua 
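Review bot: In the `@@ -226,11 +226,17 @@` hunk of kong/clustering/rpc/manager.lua, the new comment `-- values in cert_details must be strings` does not match what is stored: `expiry_timestamp` is whatever `cert:get_not_after()` returns, and the spec hunks in this patch compare it with the bare number `1888983905`. Reword it to something like `-- expiry_timestamp: notAfter of the DP's client certificate, as returned by cert:get_not_after()`, or convert the value if a string really is required downstream. The same line indexes `cert` unguarded and keeps only the first return value of the getter. Whether `cert` is always a validated certificate object when `handle_websocket` reaches `self:_handle_meta_call(wb, cert)` in the `@@ -450,7 +456,7 @@` hunk cannot be checked here, because the earlier part of that function is outside the hunk. If a nil can reach this point, the handshake would raise instead of returning `nil, err`; a guard such as `if not cert then return nil, "missing client certificate" end` at the top of `_handle_meta_call` would make the contract explicit.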
@@ -86,6 +86,7 @@ function _M:init_cp(manager) ip = node_info.ip, -- get the correct ip version = node_info.version, -- get from rpc call labels = node_info.labels, -- get from rpc call + cert_details = node_info.cert_details, -- get from rpc call sync_status = CLUSTERING_SYNC_STATUS.NORMAL, config_hash = fmt("%032d", default_namespace_version), rpc_capabilities = rpc_peers and rpc_peers[node_id] or {}, diff --git a/spec/02-integration/09-hybrid_mode/01-sync_spec.lua b/spec/02-integration/09-hybrid_mode/01-sync_spec.lua index 9eea5ed30fb..040273da0e8 100644 --- a/spec/02-integration/09-hybrid_mode/01-sync_spec.lua +++ b/spec/02-integration/09-hybrid_mode/01-sync_spec.lua @@ -861,11 +861,7 @@ describe("CP/DP cert details(cluster_mtls = shared) #" .. strategy, function() for _, v in pairs(json.data) do if v.ip == "127.0.0.1" then - -- TODO: The API output does include labels and certs when the - -- rpc sync is enabled. - if rpc_sync == "off" then - assert.equal(1888983905, v.cert_details.expiry_timestamp) - end + assert.equal(1888983905, v.cert_details.expiry_timestamp) return true end end @@ -930,11 +926,7 @@ describe("CP/DP cert details(cluster_mtls = pki) #" .. strategy, function() for _, v in pairs(json.data) do if v.ip == "127.0.0.1" then - -- TODO: The API output does include labels and certs when the - -- rpc sync is enabled. - if rpc_sync == "off" then - assert.equal(1897136778, v.cert_details.expiry_timestamp) - end + assert.equal(1897136778, v.cert_details.expiry_timestamp) return true end end
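Review bot: In the `@@ -86,6 +86,7 @@` hunk of kong/clustering/services/sync/rpc.lua, the trailing comment `-- get from rpc call` on the new `cert_details` line is copied from its neighbours but misstates the field's provenance. Per the manager.lua hunk in this patch, `cert_details` is built on the control plane from the certificate object passed into `_handle_meta_call`, whereas `version` is read from the meta-call payload (`info.kong_version`) sent by the peer. That difference matters when deciding how far each field can be trusted, so the comment should say so, e.g. `cert_details = node_info.cert_details, -- derived by the CP from the DP's client certificate`. The enclosing table constructor in `init_cp` starts and ends outside the hunk.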