-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(healthchecks) add support for HTTPS in active health checks #3815
Conversation
81d2a5e
to
e6c1109
Compare
timeout = 1, | ||
concurrency = 10, | ||
http_path = "/", | ||
https_sni = NO_DEFAULT, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https_sni
expects a host
typedef (which in turn, if of type string
), but the default is a table? Doesn't this feel strange?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems like the host
typedef allows for IP addresses (https://github.com/Kong/kong/blob/master/kong/db/schema/typedefs.lua#L10-L19), while as per RFC 6066, an SNI can only contain DNS hostnames:
Currently, the only server names supported are DNS hostnames; [...] Literal IPv4 and IPv6 addresses are not permitted in "HostName".
This probably warrants the creation of a new sni
typedef.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thibaultcha good catch! updated the code with the new sni
typedef, and also applied it to the snis.name
attribute while I was at it!
local def | ||
local def, required | ||
if default == NO_DEFAULT then | ||
default = nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This answers the question in my first comment; ignore it :)
e6c1109
to
ab2754f
Compare
end | ||
|
||
return true | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I were to specify ip:port
, I would first receive an error stating that I should not specify a port, and after retrying, I would get an error that I should also not specify an IP. I think the "most not be an IP address"
error should be thrown first.
Also, are we lacking tests for this function?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, are we lacking tests for this function?
It was being tested indirectly via the upstreams tests (as is the case for some other typedefs).
@hishamhm Ping on the failing CI suite - it looks related. |
Introduces `typedefs.sni` for verifying the validity of hostnames.
Adds support to `https_verify_certificate` field.
* Introduces three new fields to `active` healthchecks configuration: * `type` ("tcp", "http" or "https", mirrorring lua-resty-healthcheck) * `https_verify_certificate` (boolean, mirrorring lua-resty-healthcheck) * `https_sni` - explicitly give an SNI, overriding the hostname configured in the Target * Adds tests using HTTPS, based on lua-http * lua-http is used for HTTPS tests, the mock server based on LuaSocket remains used for HTTP tests for performance reasons (faster startup on separate threads which are repeatedly spawned for various short-lived tests) * This commit also updates the certs in spec/fixtures, which were expired
ab2754f
to
20011dd
Compare
Re-pushed. Apparently |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
active
healthchecks configuration:type
- "tcp", "http" or "https", mirrorring lua-resty-healthcheck 0.6.0, bumped dependencyhttps_verify_certificate
- boolean, mirrorring lua-resty-healthcheck 0.6.0https_sni
- explicitly give an SNI, overriding the hostname configured in the Target