This is an automated email from the ASF dual-hosted git repository.

spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 2b23907  feat: support specify custom sni in etcd conf (#5206)
2b23907 is described below

commit 2b239077432a8af1812c5f95fc5f01b748abaabf
Author: tzssangglass <[email protected]>
AuthorDate: Wed Oct 13 18:58:46 2021 +0800

    feat: support specify custom sni in etcd conf (#5206)
---
 apisix/core/etcd.lua              |  4 +++
 conf/config-default.yaml          |  1 +
 rockspec/apisix-master-0.rockspec |  2 +-
 t/cli/test_etcd_healthcheck.sh    |  6 ++++
 t/cli/test_etcd_mtls.sh           | 59 +++++++++++++++++++++++++++++++++++++++
 t/core/config_etcd.t              | 15 ++++++++++
 6 files changed, 86 insertions(+), 1 deletion(-)

diff --git a/apisix/core/etcd.lua b/apisix/core/etcd.lua
index 1375470..40a44ec 100644
--- a/apisix/core/etcd.lua
+++ b/apisix/core/etcd.lua
@@ -50,6 +50,10 @@ local function new()
             etcd_conf.ssl_cert_path = etcd_conf.tls.cert
             etcd_conf.ssl_key_path = etcd_conf.tls.key
         end
+
+        if etcd_conf.tls.sni then
+            etcd_conf.sni = etcd_conf.tls.sni
+        end
     end
 
     local etcd_cli
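Review bot: The new `etcd_conf.sni` assignment carries no comment, and the commit's own t/cli/test_etcd_mtls.sh shows the value does more than name the SNI: with the default the connection logs `certificate host mismatch` for the 127.0.0.1 host, and setting `tls.sni` makes that check pass, so the etcd server certificate is evidently verified against this name rather than the URL host (presumably gated by `verify`). That makes `tls.sni` a security-relevant knob, since an operator who sets it to any name the certificate carries decides what hostname verification checks, and neither this hunk nor the `#sni:` comment in the conf/config-default.yaml hunk says so. I would add above the new `if`: `-- tls.sni replaces the URL host as the TLS SNI and, with verify enabled, as the name the etcd server certificate is checked against`, and extend the yaml comment the same way. The value is also passed through without a type check; if the config schema does not already constrain it to a string, that belongs there. The enclosing `if` and the function `new()` both start outside the hunk.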
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 7e45007..9436821 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -272,6 +272,7 @@ etcd:
 
     verify: true                  # whether to verify the etcd endpoint 
certificate when setup a TLS connection to etcd,
                                   # the default value is true, e.g. the 
certificate will be verified strictly.
+    #sni:                         # the SNI for etcd TLS requests. If missed, 
the host part of the URL will be used.
 
 #discovery:                       # service discovery center
 #  dns:
diff --git a/rockspec/apisix-master-0.rockspec 
b/rockspec/apisix-master-0.rockspec
index cb8569b..4f8557a 100644
--- a/rockspec/apisix-master-0.rockspec
+++ b/rockspec/apisix-master-0.rockspec
@@ -34,7 +34,7 @@ dependencies = {
     "lua-resty-ctxdump = 0.1-0",
     "lua-resty-dns-client = 5.2.0",
     "lua-resty-template = 2.0",
-    "lua-resty-etcd = 1.5.5",
+    "lua-resty-etcd = 1.6.0",
     "api7-lua-resty-http = 0.2.0",
     "lua-resty-balancer = 0.04",
     "lua-resty-ngxvar = 0.5.2",
diff --git a/t/cli/test_etcd_healthcheck.sh b/t/cli/test_etcd_healthcheck.sh
index f94b8f6..75dd78d 100755
--- a/t/cli/test_etcd_healthcheck.sh
+++ b/t/cli/test_etcd_healthcheck.sh
@@ -36,6 +36,7 @@ etcd:
     - "http://127.0.0.1:23791";
     - "http://127.0.0.1:23792";
   health_check_timeout: '"$HEALTH_CHECK_RETRY_TIMEOUT"'
+  timeout: 2
 ' > conf/config.yaml
 
 docker-compose -f ./t/cli/docker-compose-etcd-cluster.yaml up -d
@@ -44,6 +45,8 @@ docker-compose -f ./t/cli/docker-compose-etcd-cluster.yaml up 
-d
 make init && make run
 
 docker stop ${ETCD_NAME_0}
+# wait to etcd health check marks ETCD_NAME_0 as unhealthy
+sleep 3
 code=$(curl -o /dev/null -s -w %{http_code} 
http://127.0.0.1:9080/apisix/admin/routes -H 'X-API-KEY: 
edd1c9f034335f136f87ad84b625c8f1')
 if [ ! $code -eq 200 ]; then
     echo "failed: apisix got effect when one etcd node out of a cluster 
disconnected"
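Review bot: The added `sleep 3` here and the `sleep 5` in the next hunk are hard-coded against the `timeout: 2` introduced in the first hunk, so the three numbers must move together and nothing in the script ties them. I would derive them from one shell variable declared next to `HEALTH_CHECK_RETRY_TIMEOUT` and substituted into the config, with the sleeps computed from it, or at least state the dependency in the comments. The comment itself reads better as `# wait for the etcd health check to mark ETCD_NAME_0 as unhealthy`.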
@@ -52,6 +55,9 @@ fi
 docker start ${ETCD_NAME_0}
 
 docker stop ${ETCD_NAME_1}
+# after 2 rounds of timeout, etcd health check marks ETCD_NAME_1 as unhealthy,
+# and ETCD_NAME_1 is in fail_timeout state, it won't be selected to create a 
new etcd connection
+sleep 5
 code=$(curl -o /dev/null -s -w %{http_code} 
http://127.0.0.1:9080/apisix/admin/routes -H 'X-API-KEY: 
edd1c9f034335f136f87ad84b625c8f1')
 if [ ! $code -eq 200 ]; then
     echo "failed: apisix got effect when one etcd node out of a cluster 
disconnected"
diff --git a/t/cli/test_etcd_mtls.sh b/t/cli/test_etcd_mtls.sh
index 60a0924..ebceef6 100755
--- a/t/cli/test_etcd_mtls.sh
+++ b/t/cli/test_etcd_mtls.sh
@@ -125,3 +125,62 @@ if grep "\[error\]" logs/error.log; then
 fi
 
 echo "passed: certificate verify in stream subsystem successfully"
+
+# use host in etcd.host as sni by default
+git checkout conf/config.yaml
+echo '
+apisix:
+  ssl:
+    ssl_trusted_certificate: t/certs/mtls_ca.crt
+etcd:
+  host:
+    - "https://127.0.0.1:22379";
+  prefix: "/apisix"
+  tls:
+    cert: t/certs/mtls_client.crt
+    key: t/certs/mtls_client.key
+  ' > conf/config.yaml
+
+rm logs/error.log || true
+make init
+make run
+sleep 1
+make stop
+
+if ! grep -E 'certificate host mismatch' logs/error.log; then
+    echo "failed: should got certificate host mismatch when use host in 
etcd.host as sni"
+    exit 1
+fi
+
+
+echo "passed: use host in etcd.host as sni by default"
+
+# specify custom sni instead of using etcd.host
+git checkout conf/config.yaml
+echo '
+apisix:
+  ssl:
+    ssl_trusted_certificate: t/certs/mtls_ca.crt
+etcd:
+  host:
+    - "https://127.0.0.1:22379";
+  prefix: "/apisix"
+  tls:
+    cert: t/certs/mtls_client.crt
+    key: t/certs/mtls_client.key
+    sni: "admin.apisix.dev"
+  ' > conf/config.yaml
+
+rm logs/error.log || true
+make init
+make run
+sleep 1
+make stop
+
+if grep -E 'certificate host mismatch' logs/error.log; then
+    echo "failed: should use specify custom sni"
+    exit 1
+fi
+
+echo "passed: specify custom sni instead of using etcd.host"
+
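Review bot: The second scenario's pass condition is only the absence of `certificate host mismatch` in logs/error.log after `sleep 1` and `make stop`, so it also passes if APISIX never reaches a TLS handshake with etcd within that second; the first scenario fails in that case, but the custom-sni one silently succeeds. I would add a positive check before `make stop` in the second block, for instance the admin-API request t/cli/test_etcd_healthcheck.sh uses (`curl -o /dev/null -s -w %{http_code} http://127.0.0.1:9080/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1'` expecting 200), assuming that request depends on a working etcd connection as that script treats it. The two config heredocs differ only in the `sni:` line, so a small helper that writes the config from an optional sni argument would remove the duplication. The failure messages read better as `should get certificate host mismatch when using the host in etcd.host as sni` and `should use the specified custom sni`.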
diff --git a/t/core/config_etcd.t b/t/core/config_etcd.t
index 97c5481..1377afa 100644
--- a/t/core/config_etcd.t
+++ b/t/core/config_etcd.t
@@ -57,6 +57,11 @@ apisix:
 etcd:
   host:
     - "https://127.0.0.1:2379";
+--- extra_init_by_lua
+local health_check = require("resty.etcd.health_check")
+health_check.get_target_status = function()
+    return true
+end
 --- config
     location /t {
         content_by_lua_block {
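Review bot: The five-line `--- extra_init_by_lua` stub is pasted identically into three test blocks (this hunk and the two that follow) and carries no explanation of why `get_target_status` must always return true. Replacing a library function with a constant `true` turns off etcd target health checking for the whole test; presumably that is needed because the bumped lua-resty-etcd performs health checks and would otherwise mark the single `127.0.0.1` endpoint unhealthy, but the hunk does not say so. I would add `-- stub lua-resty-etcd's health checker so the single test endpoint is always reported healthy` above the assignment and, since the same code appears three times, check whether the test file's shared init section can hold it once.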
@@ -105,6 +110,11 @@ apisix:
 etcd:
   host:
     - "https://127.0.0.1:12379";
+--- extra_init_by_lua
+local health_check = require("resty.etcd.health_check")
+health_check.get_target_status = function()
+    return true
+end
 --- config
     location /t {
         content_by_lua_block {
@@ -244,6 +254,11 @@ etcd:
   timeout: 1
   user: root                    # root username for etcd
   password: 5tHkHhYkjr6cQY      # root password for etcd
+--- extra_init_by_lua
+local health_check = require("resty.etcd.health_check")
+health_check.get_target_status = function()
+    return true
+end
 --- config
     location /t {
         content_by_lua_block {
