This is an automated email from the ASF dual-hosted git repository.
monkeydluffy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new a57241fca fix: remove etcd.use_grpc (#10015)
a57241fca is described below
commit a57241fcaf4417bc9df27fd27c0b7b25a95249c0
Author: jinhua luo <[email protected]>
AuthorDate: Fri Sep 1 14:51:29 2023 +0800
fix: remove etcd.use_grpc (#10015)
---
apisix/cli/etcd.lua | 115 +--------
apisix/cli/schema.lua | 5 -
apisix/cli/snippet.lua | 11 +-
apisix/core/config_etcd.lua | 67 +-----
apisix/core/etcd.lua | 16 --
ci/linux_openresty_runner.sh | 1 -
conf/config-default.yaml | 2 -
t/APISIX.pm | 11 -
t/cli/test_etcd_grpc.sh | 104 --------
t/cli/test_etcd_grpc_healthcheck.sh | 155 ------------
t/cli/test_etcd_grpc_mtls.sh | 182 --------------
t/cli/test_etcd_grpc_tls.sh | 78 ------
t/core/etcd-grpc-auth-fail.t | 106 ---------
t/core/etcd-grpc-auth.t | 108 ---------
t/core/etcd-grpc-mtls.t | 292 -----------------------
t/deployment/grpc/conf_server.t | 458 ------------------------------------
t/deployment/grpc/mtls.t | 118 ----------
17 files changed, 6 insertions(+), 1823 deletions(-)
diff --git a/apisix/cli/etcd.lua b/apisix/cli/etcd.lua
index 51cac2a50..b67248095 100644
--- a/apisix/cli/etcd.lua
+++ b/apisix/cli/etcd.lua
@@ -280,103 +280,7 @@ local function prepare_dirs_via_http(yaml_conf, args,
index, host, host_count)
end
-local function grpc_request(url, yaml_conf, key)
- local cmd
-
- local auth = ""
- if yaml_conf.etcd.user then
- local user = yaml_conf.etcd.user
- local password = yaml_conf.etcd.password
- auth = str_format("--user=%s:%s", user, password)
- end
-
- if str_sub(url, 1, 8) == "https://" then
- local host = url:sub(9)
-
- local verify = true
- local certificate, pkey, cafile
- if yaml_conf.etcd.tls then
- local cfg = yaml_conf.etcd.tls
-
- if cfg.verify == false then
- verify = false
- end
-
- certificate = cfg.cert
- pkey = cfg.key
-
- local apisix_ssl = yaml_conf.apisix.ssl
- if apisix_ssl and apisix_ssl.ssl_trusted_certificate then
- cafile = apisix_ssl.ssl_trusted_certificate
- end
- end
-
- cmd = str_format(
- "etcdctl --insecure-transport=false %s %s %s %s " ..
- "%s --endpoints=%s put %s init_dir",
- verify and "" or "--insecure-skip-tls-verify",
- certificate and "--cert " .. certificate or "",
- pkey and "--key " .. pkey or "",
- cafile and "--cacert " .. cafile or "",
- auth, host, key)
- else
- local host = url:sub(#("http://") + 1)
-
- cmd = str_format(
- "etcdctl %s --endpoints=%s put %s init_dir",
- auth, host, key)
- end
-
- local res, err = util.execute_cmd(cmd)
- return res, err
-end
-
-
-local function prepare_dirs_via_grpc(yaml_conf, args, index, host)
- local is_success = true
-
- local errmsg
- local dirs = {}
- for name in pairs(constants.HTTP_ETCD_DIRECTORY) do
- dirs[name] = true
- end
- for name in pairs(constants.STREAM_ETCD_DIRECTORY) do
- dirs[name] = true
- end
-
- for dir_name in pairs(dirs) do
- local key = (yaml_conf.etcd.prefix or "") .. dir_name .. "/"
- local res, err
- local retry_time = 0
- while retry_time < 2 do
- res, err = grpc_request(host, yaml_conf, key)
- retry_time = retry_time + 1
- if res then
- break
- end
- print(str_format("Warning! Request etcd endpoint \'%s\' error, %s,
retry time=%s",
- host, err, retry_time))
- end
-
- if not res then
- errmsg = str_format("request etcd endpoint \"%s\" error, %s\n",
host, err)
- util.die(errmsg)
- end
-
- if args and args["verbose"] then
- print(res)
- end
- end
-
- return is_success
-end
-
-
-local function prepare_dirs(use_grpc, yaml_conf, args, index, host, host_count)
- if use_grpc then
- return prepare_dirs_via_grpc(yaml_conf, args, index, host)
- end
-
+local function prepare_dirs(yaml_conf, args, index, host, host_count)
return prepare_dirs_via_http(yaml_conf, args, index, host, host_count)
end
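Review bot: `prepare_dirs` on the new side is now a pure forwarding wrapper: it takes `(yaml_conf, args, index, host, host_count)` and hands them unchanged to `prepare_dirs_via_http`. With the gRPC branch gone the indirection no longer selects anything, so the call site in `_M.init` could call `prepare_dirs_via_http` directly. If the wrapper is kept, a one-line comment such as `-- etcd directories are initialised over the HTTP API only` would explain why. `prepare_dirs_via_http` itself starts outside this hunk.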
@@ -400,8 +304,6 @@ function _M.init(env, args)
util.die("failed to read `etcd` field from yaml file when init etcd")
end
- local etcd_conf = yaml_conf.etcd
-
-- convert old single etcd config to multiple etcd config
if type(yaml_conf.etcd.host) == "string" then
yaml_conf.etcd.host = {yaml_conf.etcd.host}
@@ -477,22 +379,9 @@ function _M.init(env, args)
util.die("the etcd cluster needs at least 50% and above healthy
nodes\n")
end
- if etcd_conf.use_grpc and not env.use_apisix_base then
- io_stderr:write("'use_grpc: true' in the etcd configuration " ..
- "is not supported by vanilla OpenResty\n")
- end
-
- local use_grpc = etcd_conf.use_grpc and env.use_apisix_base
- if use_grpc then
- local ok, err = util.execute_cmd("command -v etcdctl")
- if not ok then
- util.die("can't find etcdctl: ", err, "\n")
- end
- end
-
local etcd_ok = false
for index, host in ipairs(etcd_healthy_hosts) do
- if prepare_dirs(use_grpc, yaml_conf, args, index, host, host_count)
then
+ if prepare_dirs(yaml_conf, args, index, host, host_count) then
etcd_ok = true
break
end
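Review bot: A configuration that still carries `use_grpc: true` gets no message on this path any more, because the removed lines printed a warning when the option could not be honoured and the new loop just calls `prepare_dirs(yaml_conf, args, index, host, host_count)`. Whether such a config is now rejected by schema validation or silently ignored depends on how `etcd_schema` treats unknown keys, which is not visible here. If it is ignored, the transport to etcd changes on upgrade without any operator-visible signal. A notice before the loop, e.g. `if yaml_conf.etcd.use_grpc ~= nil then io_stderr:write("etcd.use_grpc has been removed and is ignored\n") end`, would make that explicit (assuming `io_stderr` is still a local in this file). `_M.init` starts and ends outside the hunk.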
diff --git a/apisix/cli/schema.lua b/apisix/cli/schema.lua
index 3684232f1..59bb9acc7 100644
--- a/apisix/cli/schema.lua
+++ b/apisix/cli/schema.lua
@@ -62,11 +62,6 @@ local etcd_schema = {
minimum = 1,
description = "etcd connection timeout in seconds",
},
- use_grpc = {
- type = "boolean",
- -- TODO: set true by default in v3.2
- default = false,
- },
},
required = {"prefix", "host"}
}
diff --git a/apisix/cli/snippet.lua b/apisix/cli/snippet.lua
index 95069a0ab..16515b77e 100644
--- a/apisix/cli/snippet.lua
+++ b/apisix/cli/snippet.lua
@@ -113,12 +113,6 @@ server {
]]
-local function is_grpc_used(env, etcd)
- local is_grpc_available = env.use_apisix_base
- return is_grpc_available and etcd.use_grpc
-end
-
-
function _M.generate_conf_server(env, conf)
if not (conf.deployment and (
conf.deployment.role == "traditional" or
@@ -171,7 +165,6 @@ function _M.generate_conf_server(env, conf)
local client_cert_key
local ssl_trusted_certificate
local etcd_tls_verify
- local use_grpc = is_grpc_used(env, etcd)
if tls then
if tls.cert then
client_cert = pl_path.abspath(tls.cert)
@@ -197,8 +190,8 @@ function _M.generate_conf_server(env, conf)
trusted_ca_cert = trusted_ca_cert,
etcd_tls_verify = etcd_tls_verify,
ssl_trusted_certificate = ssl_trusted_certificate,
- scheme_name = use_grpc and "grpc" or "http",
- directive_prefix = use_grpc and "grpc" or "proxy",
+ scheme_name = "http",
+ directive_prefix = "proxy",
})
end
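Review bot: `scheme_name = "http"` and `directive_prefix = "proxy"` are now constants passed into the conf-server template, so the two placeholders no longer vary. It would read more plainly to write the literal values in the template text and drop both fields from this table. If they are kept on purpose, a comment such as `-- fixed: the conf server proxies to etcd over the HTTP API only` would say so. The template and the start of `generate_conf_server` are outside this hunk, so how the placeholders are expanded, including the TLS case, should be confirmed there.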
diff --git a/apisix/core/config_etcd.lua b/apisix/core/config_etcd.lua
index e3e40672c..357f24fa1 100644
--- a/apisix/core/config_etcd.lua
+++ b/apisix/core/config_etcd.lua
@@ -362,40 +362,6 @@ local function readdir(etcd_cli, key, formatter)
end
-local function grpc_waitdir(self, etcd_cli, key, modified_index, timeout)
- local watching_stream = self.watching_stream
- if not watching_stream then
- local attr = {}
- attr.start_revision = modified_index
- local opts = {}
- opts.timeout = timeout
-
- local st, err = etcd_cli:create_grpc_watch_stream(key, attr, opts)
- if not st then
- log.error("create watch stream failed: ", err)
- return nil, err
- end
-
- log.info("create watch stream for key: ", key, ", modified_index: ",
modified_index)
-
- self.watching_stream = st
- watching_stream = st
- end
-
- return etcd_cli:read_grpc_watch_stream(watching_stream)
-end
-
-
-local function flush_watching_streams(self)
- local etcd_cli = self.etcd_cli
- if not etcd_cli.use_grpc then
- return
- end
-
- self.watching_stream = nil
-end
-
-
local function http_waitdir(self, etcd_cli, key, modified_index, timeout)
if not watch_ctx.idx[key] then
watch_ctx.idx[key] = 1
@@ -470,12 +436,7 @@ local function waitdir(self)
return nil, "not inited"
end
- local res, err
- if etcd_cli.use_grpc then
- res, err = grpc_waitdir(self, etcd_cli, key, modified_index, timeout)
- else
- res, err = http_waitdir(self, etcd_cli, key, modified_index, timeout)
- end
+ local res, err = http_waitdir(self, etcd_cli, key, modified_index, timeout)
if not res then
-- log.error("failed to get key from etcd: ", err)
@@ -620,13 +581,9 @@ local function sync_data(self)
return nil, "missing 'key' arguments"
end
- if not self.etcd_cli.use_grpc then
- init_watch_ctx(self.key)
- end
+ init_watch_ctx(self.key)
if self.need_reload then
- flush_watching_streams(self)
-
local res, err = readdir(self.etcd_cli, self.key)
if not res then
return false, err
@@ -916,7 +873,6 @@ local function _automatic_fetch(premature, self)
end
if not exiting() and self.running then
- flush_watching_streams(self)
ngx_timer_at(0, _automatic_fetch, self)
end
end
@@ -1118,10 +1074,6 @@ function _M.init()
return true
end
- if local_conf.etcd.use_grpc then
- return true
- end
-
-- don't go through proxy during start because the proxy is not available
local etcd_cli, prefix, err = etcd_apisix.new_without_proxy()
if not etcd_cli then
@@ -1147,21 +1099,6 @@ function _M.init_worker()
return true
end
- if not local_conf.etcd.use_grpc then
- return true
- end
-
- -- don't go through proxy during start because the proxy is not available
- local etcd_cli, prefix, err = etcd_apisix.new_without_proxy()
- if not etcd_cli then
- return nil, "failed to start a etcd instance: " .. err
- end
-
- local res, err = readdir(etcd_cli, prefix, create_formatter(prefix))
- if not res then
- return nil, err
- end
-
return true
end
diff --git a/apisix/core/etcd.lua b/apisix/core/etcd.lua
index b52517cd4..6d041016e 100644
--- a/apisix/core/etcd.lua
+++ b/apisix/core/etcd.lua
@@ -28,7 +28,6 @@ local clone_tab = require("table.clone")
local health_check = require("resty.etcd.health_check")
local pl_path = require("pl.path")
local ipairs = ipairs
-local pcall = pcall
local setmetatable = setmetatable
local string = string
local tonumber = tonumber
@@ -72,17 +71,6 @@ local function _new(etcd_conf)
end
end
- if etcd_conf.use_grpc then
- if ngx_get_phase() == "init" then
- etcd_conf.use_grpc = false
- else
- local ok = pcall(require, "resty.grpc")
- if not ok then
- etcd_conf.use_grpc = false
- end
- end
- end
-
local etcd_cli, err = etcd.new(etcd_conf)
if not etcd_cli then
return nil, nil, err
@@ -349,10 +337,6 @@ do
return nil, nil, err
end
- if tmp_etcd_cli.use_grpc then
- etcd_cli_init_phase = tmp_etcd_cli
- end
-
return tmp_etcd_cli, prefix
end
diff --git a/ci/linux_openresty_runner.sh b/ci/linux_openresty_runner.sh
index 877248913..2e39224ef 100755
--- a/ci/linux_openresty_runner.sh
+++ b/ci/linux_openresty_runner.sh
@@ -18,5 +18,4 @@
export OPENRESTY_VERSION=source
-#export TEST_CI_USE_GRPC=true
. ./ci/linux_openresty_common_runner.sh
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 6123e9260..dd114558b 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -675,9 +675,7 @@ deployment: # Deployment configurations
host: # Set etcd address(es) in the same etcd
cluster.
- "http://127.0.0.1:2379" # If TLS is enabled for etcd, use
https://127.0.0.1:2379.
prefix: /apisix # Set etcd prefix.
- use_grpc: false # Use gRPC (experimental) for etcd
configuration sync.
timeout: 30 # Set timeout in seconds.
- # Set a higher timeout (e.g. an hour) if
`use_grpc` is true.
# resync_delay: 5 # Set resync time in seconds after a sync
failure.
# The actual resync time would be
resync_delay plus 50% random jitter.
# health_check_timeout: 10 # Set timeout in seconds for etcd health
check.
diff --git a/t/APISIX.pm b/t/APISIX.pm
index 0738f3ecf..a2749f041 100644
--- a/t/APISIX.pm
+++ b/t/APISIX.pm
@@ -878,17 +878,6 @@ deployment:
_EOC_
if ($yaml_config !~ m/deployment:/) {
- # TODO: remove this temporary option once we have using gRPC by default
- if ($ENV{TEST_CI_USE_GRPC}) {
- $default_deployment .= <<_EOC_;
- etcd:
- host:
- - "http://127.0.0.1:2379"
- prefix: /apisix
- use_grpc: true
-_EOC_
- }
-
$yaml_config = $default_deployment . $yaml_config;
}
diff --git a/t/cli/test_etcd_grpc.sh b/t/cli/test_etcd_grpc.sh
deleted file mode 100755
index 47266c3e4..000000000
--- a/t/cli/test_etcd_grpc.sh
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/usr/bin/env bash
-
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# 'make init' operates scripts and related configuration files in the current
directory
-# The 'apisix' command is a command in the /usr/local/apisix,
-# and the configuration file for the operation is in the /usr/local/apisix/conf
-
-. ./t/cli/common.sh
-
-exit_if_not_customed_nginx
-
-# check etcd while enable auth
-git checkout conf/config.yaml
-
-export ETCDCTL_API=3
-etcdctl version
-etcdctl --endpoints=127.0.0.1:2379 user add "root:apache-api6"
-etcdctl --endpoints=127.0.0.1:2379 role add root
-etcdctl --endpoints=127.0.0.1:2379 user grant-role root root
-etcdctl --endpoints=127.0.0.1:2379 user get root
-etcdctl --endpoints=127.0.0.1:2379 auth enable
-etcdctl --endpoints=127.0.0.1:2379 --user=root:apache-api6 del /apisix --prefix
-
-echo '
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- host:
- - http://127.0.0.1:2379
- prefix: /apisix
- timeout: 30
- use_grpc: true
- user: root
- password: apache-api6
-' > conf/config.yaml
-
-make run
-sleep 1
-
-code=$(curl -o /dev/null -s -w %{http_code}
http://127.0.0.1:9180/apisix/admin/routes -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1')
-make stop
-
-if [ ! $code -eq 200 ]; then
- echo "failed: could not work with etcd"
- exit 1
-fi
-
-echo "passed: work well with etcd auth enabled"
-
-etcdctl --endpoints=127.0.0.1:2379 --user=root:apache-api6 auth disable
-etcdctl --endpoints=127.0.0.1:2379 role delete root
-etcdctl --endpoints=127.0.0.1:2379 user delete root
-
-# check connect to etcd with ipv6 address in cli
-git checkout conf/config.yaml
-
-echo '
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- host:
- - http://[::1]:2379
- prefix: /apisix
- use_grpc: true
- timeout: 30
-' > conf/config.yaml
-
-rm logs/error.log || true
-make run
-sleep 0.1
-
-if grep "update endpoint: http://\[::1\]:2379 to unhealthy" logs/error.log;
then
- echo "failed: connect to etcd via ipv6 address failed"
- exit 1
-fi
-
-if grep "host or service not provided, or not known" logs/error.log; then
- echo "failed: luasocket resolve ipv6 addresses failed"
- exit 1
-fi
-
-make stop
-
-echo "passed: connect to etcd via ipv6 address successfully"
diff --git a/t/cli/test_etcd_grpc_healthcheck.sh
b/t/cli/test_etcd_grpc_healthcheck.sh
deleted file mode 100755
index 3a977e026..000000000
--- a/t/cli/test_etcd_grpc_healthcheck.sh
+++ /dev/null
@@ -1,155 +0,0 @@
-#!/usr/bin/env bash
-
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# 'make init' operates scripts and related configuration files in the current
directory
-# The 'apisix' command is a command in the /usr/local/apisix,
-# and the configuration file for the operation is in the /usr/local/apisix/conf
-
-. ./t/cli/common.sh
-
-exit_if_not_customed_nginx
-
-custom_clean_up() {
- clean_up
-
- # stop etcd docker container
- docker-compose -f ./t/cli/docker-compose-etcd-cluster.yaml down
-}
-
-trap custom_clean_up EXIT
-
-export ETCD_ENABLE_GRPC_GATEWAY=false
-
-# create 3 node etcd cluster in docker
-ETCD_NAME_0=etcd0
-ETCD_NAME_1=etcd1
-ETCD_NAME_2=etcd2
-HEALTH_CHECK_RETRY_TIMEOUT=10
-
-if [ -f "logs/error.log" ]; then
- rm logs/error.log
-fi
-touch logs/error.log
-
-echo '
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "http://0.0.0.0:23790"
- - "http://0.0.0.0:23791"
- - "http://0.0.0.0:23792"
- health_check_timeout: '"$HEALTH_CHECK_RETRY_TIMEOUT"'
- timeout: 2
-' > conf/config.yaml
-
-docker-compose -f ./t/cli/docker-compose-etcd-cluster.yaml up -d
-
-# case 1: Check apisix not got effected when one etcd node disconnected
-make init && make run
-
-docker stop ${ETCD_NAME_0}
-code=$(curl -o /dev/null -s -w %{http_code}
http://127.0.0.1:9180/apisix/admin/routes -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1')
-if [ ! $code -eq 200 ]; then
- echo "failed: apisix got effect when one etcd node out of a cluster
disconnected"
- exit 1
-fi
-docker start ${ETCD_NAME_0}
-
-docker stop ${ETCD_NAME_1}
-code=$(curl -o /dev/null -s -w %{http_code}
http://127.0.0.1:9180/apisix/admin/routes -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1')
-if [ ! $code -eq 200 ]; then
- echo "failed: apisix got effect when one etcd node out of a cluster
disconnected"
- exit 1
-fi
-docker start ${ETCD_NAME_1}
-
-make stop
-
-echo "passed: apisix not got effected when one etcd node disconnected"
-
-# case 2: Check when all etcd nodes disconnected, apisix trying to reconnect
with backoff, and could successfully recover when reconnected
-make init && make run
-
-docker stop ${ETCD_NAME_0} && docker stop ${ETCD_NAME_1} && docker stop
${ETCD_NAME_2}
-
-sleep_till=$(date +%s -d "$DATE + $HEALTH_CHECK_RETRY_TIMEOUT second")
-
-code=$(curl -o /dev/null -s -w %{http_code}
http://127.0.0.1:9180/apisix/admin/routes -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1')
-if [ $code -eq 200 ]; then
- echo "failed: apisix not got effect when all etcd nodes disconnected"
- exit 1
-fi
-
-docker start ${ETCD_NAME_0} && docker start ${ETCD_NAME_1} && docker start
${ETCD_NAME_2}
-
-# case 3: sleep till etcd health check try to check again
-current_time=$(date +%s)
-sleep_seconds=$(( $sleep_till - $current_time + 3))
-if [ "$sleep_seconds" -gt 0 ]; then
- sleep $sleep_seconds
-fi
-
-code=$(curl -o /dev/null -s -w %{http_code}
http://127.0.0.1:9180/apisix/admin/routes -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1')
-if [ ! $code -eq 200 ]; then
- echo "failed: apisix could not recover when etcd node recover"
- docker ps
- cat logs/error.log
- exit 1
-fi
-
-make stop
-
-echo "passed: when all etcd nodes disconnected, apisix trying to reconnect
with backoff, and could successfully recover when reconnected"
-
-# case 4: stop one etcd node (result: start successful)
-docker stop ${ETCD_NAME_0}
-
-out=$(make init 2>&1)
-if echo "$out" | grep "23790" | grep "connection refused"; then
- echo "passed: APISIX successfully to start, stop only one etcd node"
-else
- echo "failed: stop only one etcd node APISIX should start normally"
- exit 1
-fi
-
-# case 5: stop two etcd nodes (result: start failure)
-docker stop ${ETCD_NAME_1}
-
-out=$(make init 2>&1 || true)
-if echo "$out" | grep "23791" | grep "connection refused"; then
- echo "passed: APISIX failed to start, etcd cluster must have two or more
healthy nodes"
-else
- echo "failed: two etcd nodes have been stopped, APISIX should fail to
start"
- exit 1
-fi
-
-# case 6: stop all etcd nodes (result: start failure)
-docker stop ${ETCD_NAME_2}
-
-out=$(make init 2>&1 || true)
-if echo "$out" | grep "23792" | grep "connection refused"; then
- echo "passed: APISIX failed to start, all etcd nodes have stopped"
-else
- echo "failed: all etcd nodes have stopped, APISIX should not be able to
start"
- exit 1
-fi
diff --git a/t/cli/test_etcd_grpc_mtls.sh b/t/cli/test_etcd_grpc_mtls.sh
deleted file mode 100755
index 90c151a62..000000000
--- a/t/cli/test_etcd_grpc_mtls.sh
+++ /dev/null
@@ -1,182 +0,0 @@
-#!/usr/bin/env bash
-
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-. ./t/cli/common.sh
-
-exit_if_not_customed_nginx
-
-# The 'admin.apisix.dev' is injected by ci/common.sh@set_coredns
-
-# etcd mTLS verify
-echo '
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://admin.apisix.dev:22379"
- prefix: "/apisix"
- tls:
- cert: t/certs/mtls_client.crt
- key: t/certs/mtls_client.key
- verify: false
- ' > conf/config.yaml
-
-out=$(make init 2>&1 || echo "ouch")
-if echo "$out" | grep "bad certificate"; then
- echo "failed: apisix should not echo \"bad certificate\""
- exit 1
-fi
-
-echo "passed: certificate verify success expectedly"
-
-echo '
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://admin.apisix.dev:22379"
- prefix: "/apisix"
- tls:
- verify: false
- ' > conf/config.yaml
-
-out=$(make init 2>&1 || echo "ouch")
-if ! echo "$out" | grep "bad certificate"; then
- echo "failed: apisix should echo \"bad certificate\""
- exit 1
-fi
-
-echo "passed: certificate verify fail expectedly"
-
-# etcd mTLS verify with CA
-echo '
-apisix:
- ssl:
- ssl_trusted_certificate: t/certs/mtls_ca.crt
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://admin.apisix.dev:22379"
- prefix: "/apisix"
- tls:
- cert: t/certs/mtls_client.crt
- key: t/certs/mtls_client.key
- ' > conf/config.yaml
-
-out=$(make init 2>&1 || echo "ouch")
-if echo "$out" | grep "certificate verify failed"; then
- echo "failed: apisix should not echo \"certificate verify failed\""
- exit 1
-fi
-
-if echo "$out" | grep "ouch"; then
- echo "failed: apisix should not fail"
- exit 1
-fi
-
-echo "passed: certificate verify with CA success expectedly"
-
-# etcd mTLS in stream subsystem
-echo '
-apisix:
- proxy_mode: http&stream
- stream_proxy:
- tcp:
- - addr: 9100
- ssl:
- ssl_trusted_certificate: t/certs/mtls_ca.crt
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://admin.apisix.dev:22379"
- prefix: "/apisix"
- tls:
- cert: t/certs/mtls_client.crt
- key: t/certs/mtls_client.key
- ' > conf/config.yaml
-
-out=$(make init 2>&1 || echo "ouch")
-if echo "$out" | grep "certificate verify failed"; then
- echo "failed: apisix should not echo \"certificate verify failed\""
- exit 1
-fi
-
-if echo "$out" | grep "ouch"; then
- echo "failed: apisix should not fail"
- exit 1
-fi
-
-rm logs/error.log || true
-make run
-sleep 1
-make stop
-
-if grep "\[error\]" logs/error.log; then
- echo "failed: veirfy etcd certificate during sync should not fail"
-fi
-
-echo "passed: certificate verify in stream subsystem successfully"
-
-# use host in etcd.host as sni by default
-git checkout conf/config.yaml
-echo '
-apisix:
- ssl:
- ssl_trusted_certificate: t/certs/mtls_ca.crt
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://127.0.0.2:22379"
- prefix: "/apisix"
- tls:
- cert: t/certs/mtls_client.crt
- key: t/certs/mtls_client.key
- ' > conf/config.yaml
-
-rm logs/error.log || true
-make init
-make run
-sleep 1
-make stop
-
-if ! grep -E "cannot validate certificate for 127.0.0.2 because it doesn't
contain any IP SANs" logs/error.log; then
- echo "failed: should got certificate host mismatch when use host in
etcd.host as sni"
- exit 1
-fi
-
-
-echo "passed: use host in etcd.host as sni by default"
diff --git a/t/cli/test_etcd_grpc_tls.sh b/t/cli/test_etcd_grpc_tls.sh
deleted file mode 100755
index 9e429e41b..000000000
--- a/t/cli/test_etcd_grpc_tls.sh
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/usr/bin/env bash
-
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# 'make init' operates scripts and related configuration files in the current
directory
-# The 'apisix' command is a command in the /usr/local/apisix,
-# and the configuration file for the operation is in the /usr/local/apisix/conf
-
-. ./t/cli/common.sh
-
-exit_if_not_customed_nginx
-
-# Check etcd tls verify failure
-git checkout conf/config.yaml
-
-echo '
-apisix:
- ssl:
- ssl_trusted_certificate: t/certs/mtls_ca.crt
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://127.0.0.1:12379"
- prefix: "/apisix"
- ' > conf/config.yaml
-
-out=$(make init 2>&1 || true)
-if ! echo "$out" | grep "certificate verify failed"; then
- echo "failed: apisix should echo \"certificate verify failed\""
- exit 1
-fi
-
-echo "passed: Show certificate verify failed info successfully"
-
-
-# Check etcd tls without verification
-git checkout conf/config.yaml
-
-echo '
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://127.0.0.1:12379"
- prefix: "/apisix"
- tls:
- verify: false
- ' > conf/config.yaml
-
-out=$(make init 2>&1 || true)
-if echo "$out" | grep "certificate verify failed"; then
- echo "failed: apisix should not echo \"certificate verify failed\""
- exit 1
-fi
-
-echo "passed: Certificate verification successfully"
diff --git a/t/core/etcd-grpc-auth-fail.t b/t/core/etcd-grpc-auth-fail.t
deleted file mode 100644
index b11f51ae2..000000000
--- a/t/core/etcd-grpc-auth-fail.t
+++ /dev/null
@@ -1,106 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-BEGIN {
- $ENV{"ETCD_ENABLE_AUTH"} = "false";
- delete $ENV{"FLUSH_ETCD"};
-}
-
-use t::APISIX;
-
-my $nginx_binary = $ENV{'TEST_NGINX_BINARY'} || 'nginx';
-my $version = eval { `$nginx_binary -V 2>&1` };
-
-if ($version !~ m/\/apisix-nginx-module/) {
- plan(skip_all => "apisix-nginx-module not installed");
-} else {
- plan('no_plan');
-}
-
-
-repeat_each(1);
-no_long_string();
-no_root_location();
-log_level("info");
-
-# Authentication is enabled at etcd and credentials are set
-system('etcdctl --endpoints="http://127.0.0.1:2379" user add
root:5tHkHhYkjr6cQY');
-system('etcdctl --endpoints="http://127.0.0.1:2379" role add root');
-system('etcdctl --endpoints="http://127.0.0.1:2379" user grant-role root
root');
-system('etcdctl --endpoints="http://127.0.0.1:2379" role list');
-system('etcdctl --endpoints="http://127.0.0.1:2379" user user list');
-# Grant the user access to the specified directory
-system('etcdctl --endpoints="http://127.0.0.1:2379" user add apisix:abc123');
-system('etcdctl --endpoints="http://127.0.0.1:2379" role add apisix');
-system('etcdctl --endpoints="http://127.0.0.1:2379" user grant-role apisix
apisix');
-system('etcdctl --endpoints=http://127.0.0.1:2379 role grant-permission apisix
--prefix=true readwrite /apisix/');
-system('etcdctl --endpoints="http://127.0.0.1:2379" auth enable');
-
-run_tests;
-
-# Authentication is disabled at etcd
-system('etcdctl --endpoints="http://127.0.0.1:2379" --user root:5tHkHhYkjr6cQY
auth disable');
-system('etcdctl --endpoints="http://127.0.0.1:2379" user delete root');
-system('etcdctl --endpoints="http://127.0.0.1:2379" role delete root');
-system('etcdctl --endpoints="http://127.0.0.1:2379" user delete apisix');
-system('etcdctl --endpoints="http://127.0.0.1:2379" role delete apisix');
-__DATA__
-
-=== TEST 1: Set and Get a value pass
---- config
- location /t {
- content_by_lua_block {
- local core = require("apisix.core")
- local key = "/test_key"
- local val = "test_value"
- local res, err = core.etcd.set(key, val)
- ngx.say(err)
- }
- }
---- request
-GET /t
---- error_log eval
-qr /(insufficient credentials code: 401|etcdserver: user name is empty)/
-
-
-
-=== TEST 2: etcd grants permissions with a different prefix than the one used
by apisix, etcd will forbidden
---- config
- location /t {
- content_by_lua_block {
- local core = require("apisix.core")
- local key = "/test_key"
- local val = "test_value"
- local res, err = core.etcd.set(key, val)
- ngx.say(err)
- }
- }
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- host:
- - "http://127.0.0.1:2379"
- use_grpc: false
- prefix: "/apisix"
- user: apisix
- password: abc123
---- request
-GET /t
---- error_log eval
-qr /etcd forbidden code: 403/
diff --git a/t/core/etcd-grpc-auth.t b/t/core/etcd-grpc-auth.t
deleted file mode 100644
index 12e2ce280..000000000
--- a/t/core/etcd-grpc-auth.t
+++ /dev/null
@@ -1,108 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-BEGIN {
- $ENV{"ETCD_ENABLE_AUTH"} = "true";
- delete $ENV{"FLUSH_ETCD"};
-}
-
-use t::APISIX;
-
-my $nginx_binary = $ENV{'TEST_NGINX_BINARY'} || 'nginx';
-my $version = eval { `$nginx_binary -V 2>&1` };
-
-if ($version !~ m/\/apisix-nginx-module/) {
- plan(skip_all => "apisix-nginx-module not installed");
-} else {
- plan('no_plan');
-}
-
-
-repeat_each(1);
-no_long_string();
-no_root_location();
-log_level("info");
-
-# Authentication is enabled at etcd and credentials are set
-system('etcdctl --endpoints="http://127.0.0.1:2379" user add
root:5tHkHhYkjr6cQY');
-system('etcdctl --endpoints="http://127.0.0.1:2379" role add root');
-system('etcdctl --endpoints="http://127.0.0.1:2379" user grant-role root
root');
-system('etcdctl --endpoints="http://127.0.0.1:2379" role list');
-system('etcdctl --endpoints="http://127.0.0.1:2379" user user list');
-# Grant the user access to the specified directory
-system('etcdctl --endpoints="http://127.0.0.1:2379" user add apisix:abc123');
-system('etcdctl --endpoints="http://127.0.0.1:2379" role add apisix');
-system('etcdctl --endpoints="http://127.0.0.1:2379" user grant-role apisix
apisix');
-system('etcdctl --endpoints=http://127.0.0.1:2379 role grant-permission apisix
--prefix=true readwrite /apisix');
-system('etcdctl --endpoints="http://127.0.0.1:2379" auth enable');
-
-run_tests;
-
-# Authentication is disabled at etcd
-system('etcdctl --endpoints="http://127.0.0.1:2379" --user root:5tHkHhYkjr6cQY
auth disable');
-system('etcdctl --endpoints="http://127.0.0.1:2379" user delete root');
-system('etcdctl --endpoints="http://127.0.0.1:2379" role delete root');
-system('etcdctl --endpoints="http://127.0.0.1:2379" user delete apisix');
-system('etcdctl --endpoints="http://127.0.0.1:2379" role delete apisix');
-
-
-__DATA__
-
-=== TEST 1: Set and Get a value pass with authentication
---- config
- location /t {
- content_by_lua_block {
- local core = require("apisix.core")
- local key = "/test_key"
- local val = "test_value"
- core.etcd.set(key, val)
- local res, err = core.etcd.get(key)
- ngx.say(res.body.node.value)
- core.etcd.delete(val)
- }
- }
---- request
-GET /t
---- response_body
-test_value
-
-
-
-=== TEST 2: etcd grants permissions with the same prefix as apisix uses, etcd
is normal
---- config
- location /t {
- content_by_lua_block {
- local core = require("apisix.core")
- local key = "/test_key"
- local val = "test_value"
- local res, err = core.etcd.set(key, val)
- ngx.say(err)
- }
- }
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "http://127.0.0.1:2379"
- prefix: "/apisix"
- user: apisix
- password: abc123
---- request
-GET /t
diff --git a/t/core/etcd-grpc-mtls.t b/t/core/etcd-grpc-mtls.t
deleted file mode 100644
index 4e9ca306e..000000000
--- a/t/core/etcd-grpc-mtls.t
+++ /dev/null
@@ -1,292 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-use t::APISIX;
-
-my $nginx_binary = $ENV{'TEST_NGINX_BINARY'} || 'nginx';
-my $version = eval { `$nginx_binary -V 2>&1` };
-
-if ($version !~ m/\/apisix-nginx-module/) {
- plan(skip_all => "apisix-nginx-module not installed");
-} else {
- plan('no_plan');
-}
-
-run_tests;
-
-__DATA__
-
-=== TEST 1: run etcd in init_worker phase
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://127.0.0.1:22379"
- prefix: "/apisix"
- tls:
- cert: t/certs/mtls_client.crt
- key: t/certs/mtls_client.key
- verify: false
---- extra_init_worker_by_lua
- if ngx.worker.id() ~= 0 then
- return
- end
-
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/a", "ab"))
-
- local out = ""
- local res, err = etcd.get("/a")
- if not res then
- ngx.log(ngx.ERR, err)
- return
- end
- out = out .. res.body.node.value
-
- local res, err = etcd.delete("/a")
- if not res then
- ngx.log(ngx.ERR, err)
- return
- end
- out = out .. res.status
-
- local res, err = etcd.get("/a")
- if not res then
- ngx.log(ngx.ERR, err)
- return
- end
- out = out .. res.status
- ngx.log(ngx.WARN, out)
---- config
- location /t {
- return 200;
- }
---- request
-GET /t
---- grep_error_log eval
-qr/init_worker_by_lua:\d+: [^,]+/
---- grep_error_log_out
-init_worker_by_lua:31: ab200404
-
-
-
-=== TEST 2: run etcd in init phase (stream)
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://127.0.0.1:22379"
- prefix: "/apisix"
- tls:
- cert: t/certs/mtls_client.crt
- key: t/certs/mtls_client.key
- verify: false
---- stream_extra_init_worker_by_lua
- if ngx.worker.id() ~= 0 then
- return
- end
-
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/a", "ab"))
-
- local out = ""
- local res, err = etcd.get("/a")
- if not res then
- ngx.log(ngx.ERR, err)
- return
- end
- out = out .. res.body.node.value
-
- local res, err = etcd.delete("/a")
- if not res then
- ngx.log(ngx.ERR, err)
- return
- end
- out = out .. res.status
-
- local res, err = etcd.get("/a")
- if not res then
- ngx.log(ngx.ERR, err)
- return
- end
- out = out .. res.status
- ngx.log(ngx.WARN, out)
---- stream_server_config
- content_by_lua_block {
- ngx.say("ok")
- }
---- stream_enable
---- grep_error_log eval
-qr/init_worker_by_lua:\d+: \S+/
---- grep_error_log_out
-init_worker_by_lua:31: ab200404,
-
-
-
-=== TEST 3: sync
---- extra_yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://127.0.0.1:22379"
- prefix: "/apisix"
- tls:
- cert: t/certs/mtls_client.crt
- key: t/certs/mtls_client.key
- verify: false
---- config
- location /t {
- content_by_lua_block {
- local core = require("apisix.core")
- local t = require("lib.test_admin").test
-
- local consumers, _ = core.config.new("/consumers", {
- automatic = true,
- item_schema = core.schema.consumer,
- })
-
- ngx.sleep(0.6)
- local idx = consumers.prev_index
-
- local code, body = t('/apisix/admin/consumers',
- ngx.HTTP_PUT,
- [[{
- "username": "jobs",
- "plugins": {
- "basic-auth": {
- "username": "jobs",
- "password": "678901"
- }
- }
- }]])
-
- ngx.sleep(2)
- local new_idx = consumers.prev_index
- if new_idx > idx then
- ngx.say("prev_index updated")
- else
- ngx.say("prev_index not update")
- end
- }
- }
---- request
-GET /t
---- response_body
-prev_index updated
---- error_log
-waitdir key
-
-
-
-=== TEST 4: sync (stream)
---- extra_yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://127.0.0.1:22379"
- prefix: "/apisix"
- tls:
- cert: t/certs/mtls_client.crt
- key: t/certs/mtls_client.key
- verify: false
---- stream_server_config
- content_by_lua_block {
- local core = require("apisix.core")
-
- local sr, _ = core.config.new("/stream_routes", {
- automatic = true,
- item_schema = core.schema.stream_routes,
- })
-
- ngx.sleep(0.6)
- local idx = sr.prev_index
-
- assert(core.etcd.set("/stream_routes/1",
- {
- plugins = {
- }
- }))
-
- ngx.sleep(2)
- local new_idx = sr.prev_index
- if new_idx > idx then
- ngx.say("prev_index updated")
- else
- ngx.say("prev_index not update")
- end
- }
---- stream_enable
---- stream_response
-prev_index updated
---- error_log
-waitdir key
-
-
-
-=== TEST 5: ssl_trusted_certificate
---- yaml_config
-apisix:
- ssl:
- ssl_trusted_certificate: t/certs/mtls_ca.crt
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- host:
- - "https://admin.apisix.dev:22379"
- prefix: "/apisix"
- tls:
- cert: t/certs/mtls_client.crt
- key: t/certs/mtls_client.key
---- extra_init_worker_by_lua
- if ngx.worker.id() ~= 0 then
- return
- end
-
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/a", "ab"))
- local res, err = etcd.get("/a")
- if not res then
- ngx.log(ngx.ERR, err)
- return
- end
- ngx.log(ngx.WARN, res.body.node.value)
---- config
- location /t {
- return 200;
- }
---- request
-GET /t
---- error_log
-init_worker_by_lua:14: ab
diff --git a/t/deployment/grpc/conf_server.t b/t/deployment/grpc/conf_server.t
deleted file mode 100644
index 5ea0bbe21..000000000
--- a/t/deployment/grpc/conf_server.t
+++ /dev/null
@@ -1,458 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-use t::APISIX;
-
-my $nginx_binary = $ENV{'TEST_NGINX_BINARY'} || 'nginx';
-my $version = eval { `$nginx_binary -V 2>&1` };
-
-if ($version !~ m/\/apisix-nginx-module/) {
- plan(skip_all => "apisix-nginx-module not installed");
-} else {
- plan('no_plan');
-}
-
-add_block_preprocessor(sub {
- my ($block) = @_;
-
- if (!$block->request) {
- $block->set_value("request", "GET /t");
- }
-
-});
-
-run_tests();
-
-__DATA__
-
-=== TEST 1: sync in https
---- config
- location /t {
- content_by_lua_block {
- local core = require("apisix.core")
- local t = require("lib.test_admin").test
-
- local consumers, _ = core.config.new("/consumers", {
- automatic = true,
- item_schema = core.schema.consumer,
- })
-
- ngx.sleep(0.6)
- local idx = consumers.prev_index
-
- local code, body = t('/apisix/admin/consumers',
- ngx.HTTP_PUT,
- [[{
- "username": "jobs",
- "plugins": {
- "basic-auth": {
- "username": "jobs",
- "password": "678901"
- }
- }
- }]])
-
- ngx.sleep(2)
- local new_idx = consumers.prev_index
- if new_idx > idx then
- ngx.say("prev_index updated")
- else
- ngx.say("prev_index not update")
- end
- }
- }
---- response_body
-prev_index updated
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- admin:
- admin_key: ~
- etcd:
- use_grpc: true
- prefix: "/apisix"
- host:
- - https://127.0.0.1:12379
- tls:
- verify: false
-
-
-
-=== TEST 2: mix ip & domain
---- config
- location /t {
- content_by_lua_block {
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/apisix/test", "foo"))
- local res = assert(etcd.get("/apisix/test"))
- ngx.say(res.body.node.value)
- }
- }
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- prefix: "/apisix"
- host:
- - http://127.0.0.2:2379
- - http://localhost:2379
- - http://[::1]:2379
---- response_body
-foo
-
-
-
-=== TEST 3: check default SNI
---- http_config
-server {
- listen 12345 http2 ssl;
- ssl_certificate cert/apisix.crt;
- ssl_certificate_key cert/apisix.key;
-
- ssl_certificate_by_lua_block {
- local ngx_ssl = require "ngx.ssl"
- ngx.log(ngx.WARN, "Receive SNI: ", ngx_ssl.server_name())
- }
-
- location / {
- grpc_pass grpc://127.0.0.1:2379;
- }
-}
---- config
- location /t {
- content_by_lua_block {
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/apisix/test", "foo"))
- local res = assert(etcd.get("/apisix/test"))
- ngx.say(res.body.node.value)
- }
- }
---- response_body
-foo
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- prefix: "/apisix"
- host:
- - https://127.0.0.1:12379
- - https://localhost:12345
- timeout: 1
- tls:
- verify: false
---- error_log
-Receive SNI: localhost
-
-
-
-=== TEST 4: check configured SNI
---- http_config
-server {
- listen 12345 http2 ssl;
- ssl_certificate cert/apisix.crt;
- ssl_certificate_key cert/apisix.key;
-
- ssl_certificate_by_lua_block {
- local ngx_ssl = require "ngx.ssl"
- ngx.log(ngx.WARN, "Receive SNI: ", ngx_ssl.server_name())
- }
-
- location / {
- grpc_pass grpc://127.0.0.1:2379;
- }
-}
---- config
- location /t {
- content_by_lua_block {
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/apisix/test", "foo"))
- local res = assert(etcd.get("/apisix/test"))
- ngx.say(res.body.node.value)
- }
- }
---- response_body
-foo
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- prefix: "/apisix"
- host:
- - https://127.0.0.1:12379
- - https://127.0.0.1:12345
- timeout: 1
- tls:
- verify: false
- sni: "x.com"
---- error_log
-Receive SNI: x.com
-
-
-
-=== TEST 5: ipv6
---- config
- location /t {
- content_by_lua_block {
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/apisix/test", "foo"))
- local res = assert(etcd.get("/apisix/test"))
- ngx.say(res.body.node.value)
- }
- }
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- prefix: "/apisix"
- host:
- - http://[::1]:2379
-
-
-
-=== TEST 6: resolve domain, result changed
---- extra_init_by_lua
- local resolver = require("apisix.core.resolver")
- local old_f = resolver.parse_domain
- local counter = 0
- resolver.parse_domain = function (domain)
- if domain == "localhost" then
- counter = counter + 1
- if counter % 2 == 0 then
- return "127.0.0.2"
- else
- return "127.0.0.3"
- end
- else
- return old_f(domain)
- end
- end
---- config
- location /t {
- content_by_lua_block {
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/apisix/test", "foo"))
- local res = assert(etcd.get("/apisix/test"))
- ngx.say(res.body.node.value)
- }
- }
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- prefix: "/apisix"
- host:
- # use localhost so the connection is OK in the situation that the
DNS
- # resolve is not done in APISIX
- - http://localhost:2379
---- response_body
-foo
---- error_log
-localhost is resolved to: 127.0.0.3
-localhost is resolved to: 127.0.0.2
-
-
-
-=== TEST 7: update balancer if the DNS result changed
---- extra_init_by_lua
- local etcd = require("apisix.core.etcd")
- etcd.get_etcd_syncer = function ()
- return etcd.new()
- end
-
- local resolver = require("apisix.core.resolver")
- local old_f = resolver.parse_domain
- package.loaded.counter = 0
- resolver.parse_domain = function (domain)
- if domain == "x.com" then
- local counter = package.loaded.counter
- package.loaded.counter = counter + 1
- if counter % 2 == 0 then
- return "127.0.0.2"
- else
- return "127.0.0.3"
- end
- else
- return old_f(domain)
- end
- end
-
- local picker = require("apisix.balancer.least_conn")
- package.loaded.n_picker = 0
- local old_f = picker.new
- picker.new = function (nodes, upstream)
- package.loaded.n_picker = package.loaded.n_picker + 1
- return old_f(nodes, upstream)
- end
---- config
- location /t {
- content_by_lua_block {
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/apisix/test", "foo"))
- local res = assert(etcd.get("/apisix/test"))
- ngx.say(res.body.node.value)
- local counter = package.loaded.counter
- local n_picker = package.loaded.n_picker
- if counter == n_picker then
- ngx.say("OK")
- else
- ngx.say(counter, " ", n_picker)
- end
- }
- }
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- timeout: 1
- prefix: "/apisix"
- host:
- - http://127.0.0.1:2379
- - http://x.com:2379
---- response_body
-foo
-OK
---- error_log
-x.com is resolved to: 127.0.0.3
-x.com is resolved to: 127.0.0.2
-
-
-
-=== TEST 8: retry
---- config
- location /t {
- content_by_lua_block {
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/apisix/test", "foo"))
- local res = assert(etcd.get("/apisix/test"))
- ngx.say(res.body.node.value)
- }
- }
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- timeout: 1
- prefix: "/apisix"
- host:
- - http://127.0.0.1:1979
- - http://[::1]:1979
- - http://localhost:2379
---- error_log
-connect() failed
---- response_body
-foo
-
-
-
-=== TEST 9: check Host header
---- http_config
-server {
- listen 12345 http2;
- location / {
- access_by_lua_block {
- ngx.log(ngx.WARN, "Receive Host: ", ngx.var.http_host)
- }
- grpc_pass grpc://127.0.0.1:2379;
- }
-}
---- config
- location /t {
- content_by_lua_block {
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/apisix/test", "foo"))
- local res = assert(etcd.get("/apisix/test"))
- ngx.say(res.body.node.value)
- }
- }
---- response_body
-foo
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- timeout: 1
- prefix: "/apisix"
- host:
- - http://127.0.0.1:12345
- - http://localhost:12345
---- error_log
-Receive Host: localhost
-Receive Host: 127.0.0.1
-
-
-
-=== TEST 10: check Host header after retry
---- http_config
-server {
- listen 12345 http2;
- location / {
- access_by_lua_block {
- ngx.log(ngx.WARN, "Receive Host: ", ngx.var.http_host)
- }
- grpc_pass grpc://127.0.0.1:2379;
- }
-}
---- config
- location /t {
- content_by_lua_block {
- local etcd = require("apisix.core.etcd")
- assert(etcd.set("/apisix/test", "foo"))
- local res = assert(etcd.get("/apisix/test"))
- ngx.say(res.body.node.value)
- }
- }
---- response_body
-foo
---- yaml_config
-deployment:
- role: traditional
- role_traditional:
- config_provider: etcd
- etcd:
- use_grpc: true
- timeout: 1
- prefix: "/apisix"
- host:
- - http://127.0.0.1:1979
- - http://localhost:12345
---- error_log
-Receive Host: localhost
diff --git a/t/deployment/grpc/mtls.t b/t/deployment/grpc/mtls.t
deleted file mode 100644
index 1aca2576d..000000000
--- a/t/deployment/grpc/mtls.t
+++ /dev/null
@@ -1,118 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-use t::APISIX;
-
-my $nginx_binary = $ENV{'TEST_NGINX_BINARY'} || 'nginx';
-my $version = eval { `$nginx_binary -V 2>&1` };
-
-if ($version !~ m/\/apisix-nginx-module/) {
- plan(skip_all => "apisix-nginx-module not installed");
-} else {
- plan('no_plan');
-}
-
-add_block_preprocessor(sub {
- my ($block) = @_;
-
- if (!$block->request) {
- $block->set_value("request", "GET /t");
- }
-
-});
-
-run_tests();
-
-__DATA__
-
-=== TEST 1: mTLS for control plane
---- exec
-grpcurl -import-path ./t/lib -proto etcd.proto -d '{}' -cert
t/certs/mtls_client.crt -key t/certs/mtls_client.key -insecure localhost:12345
etcdserverpb.Maintenance.Status
---- response_body eval
-qr/"version":/
---- yaml_config
-deployment:
- role: control_plane
- role_control_plane:
- config_provider: etcd
- conf_server:
- listen: 0.0.0.0:12345
- cert: t/certs/mtls_server.crt
- cert_key: t/certs/mtls_server.key
- client_ca_cert: t/certs/mtls_ca.crt
- etcd:
- use_grpc: true
- prefix: "/apisix"
- host:
- - http://127.0.0.1:2379
- certs:
- cert: t/certs/mtls_client.crt
- cert_key: t/certs/mtls_client.key
- trusted_ca_cert: t/certs/mtls_ca.crt
-
-
-
-=== TEST 2: no client certificate
---- exec
-curl -k https://localhost:12345/version
---- response_body eval
-qr/No required SSL certificate was sent/
---- yaml_config
-deployment:
- role: control_plane
- role_control_plane:
- config_provider: etcd
- conf_server:
- listen: 0.0.0.0:12345
- cert: t/certs/mtls_server.crt
- cert_key: t/certs/mtls_server.key
- client_ca_cert: t/certs/mtls_ca.crt
- etcd:
- use_grpc: true
- prefix: "/apisix"
- host:
- - http://127.0.0.1:2379
- certs:
- cert: t/certs/mtls_client.crt
- cert_key: t/certs/mtls_client.key
- trusted_ca_cert: t/certs/mtls_ca.crt
-
-
-
-=== TEST 3: wrong client certificate
---- exec
-curl --cert t/certs/apisix.crt --key t/certs/apisix.key -k
https://localhost:12345/version
---- response_body eval
-qr/The SSL certificate error/
---- yaml_config
-deployment:
- role: control_plane
- role_control_plane:
- config_provider: etcd
- conf_server:
- listen: 0.0.0.0:12345
- cert: t/certs/mtls_server.crt
- cert_key: t/certs/mtls_server.key
- client_ca_cert: t/certs/mtls_ca.crt
- etcd:
- use_grpc: true
- prefix: "/apisix"
- host:
- - http://127.0.0.1:2379
- certs:
- cert: t/certs/mtls_client.crt
- cert_key: t/certs/mtls_client.key
- trusted_ca_cert: t/certs/mtls_ca.crt