Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(healthchecks) add support for HTTPS in active health checks #3815

Merged
merged 4 commits into from
Oct 1, 2018

Conversation

hishamhm
Copy link
Contributor

  • Introduces three new fields to active healthchecks configuration:
    • type - "tcp", "http" or "https", mirrorring lua-resty-healthcheck 0.6.0, bumped dependency
    • https_verify_certificate - boolean, mirrorring lua-resty-healthcheck 0.6.0
    • https_sni - explicitly give an SNI, overriding the hostname configured in the Target
  • Adds tests using HTTPS, based on lua-http (new dependency)
    • lua-http is used for HTTPS tests, the mock server based on LuaSocket remains used for HTTP tests for performance reasons (faster startup on separate threads which are repeatedly spawned for various short-lived tests)
    • This PR also updates the certs in spec/fixtures, which were expired

@hishamhm hishamhm force-pushed the feat/https-healthchecks branch from 81d2a5e to e6c1109 Compare September 29, 2018 01:36
timeout = 1,
concurrency = 10,
http_path = "/",
https_sni = NO_DEFAULT,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https_sni expects a host typedef (which in turn, if of type string), but the default is a table? Doesn't this feel strange?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like the host typedef allows for IP addresses (https://github.com/Kong/kong/blob/master/kong/db/schema/typedefs.lua#L10-L19), while as per RFC 6066, an SNI can only contain DNS hostnames:

Currently, the only server names supported are DNS hostnames; [...] Literal IPv4 and IPv6 addresses are not permitted in "HostName".

This probably warrants the creation of a new sni typedef.

Copy link
Contributor Author

@hishamhm hishamhm Oct 1, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@thibaultcha good catch! updated the code with the new sni typedef, and also applied it to the snis.name attribute while I was at it!

local def
local def, required
if default == NO_DEFAULT then
default = nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This answers the question in my first comment; ignore it :)

@hishamhm hishamhm force-pushed the feat/https-healthchecks branch from e6c1109 to ab2754f Compare October 1, 2018 19:22
end

return true
end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I were to specify ip:port, I would first receive an error stating that I should not specify a port, and after retrying, I would get an error that I should also not specify an IP. I think the "most not be an IP address" error should be thrown first.

Also, are we lacking tests for this function?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, are we lacking tests for this function?

It was being tested indirectly via the upstreams tests (as is the case for some other typedefs).

@thibaultcha
Copy link
Member

@hishamhm Ping on the failing CI suite - it looks related.

Introduces `typedefs.sni` for verifying the validity of hostnames.
Adds support to `https_verify_certificate` field.
* Introduces three new fields to `active` healthchecks configuration:
  * `type` ("tcp", "http" or "https", mirrorring lua-resty-healthcheck)
  * `https_verify_certificate` (boolean, mirrorring lua-resty-healthcheck)
  * `https_sni` - explicitly give an SNI, overriding the hostname configured
    in the Target
* Adds tests using HTTPS, based on lua-http
  * lua-http is used for HTTPS tests, the mock server based on
    LuaSocket remains used for HTTP tests for performance reasons
    (faster startup on separate threads which are repeatedly spawned
    for various short-lived tests)
  * This commit also updates the certs in spec/fixtures, which were
    expired
@hishamhm hishamhm force-pushed the feat/https-healthchecks branch from ab2754f to 20011dd Compare October 1, 2018 21:08
@hishamhm
Copy link
Contributor Author

hishamhm commented Oct 1, 2018

Re-pushed. Apparently snis needs to accept non-hostname name entries otherwise Kong's own certs are not stored.

Copy link
Member

@thibaultcha thibaultcha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@hishamhm hishamhm merged commit f3f7e68 into next Oct 1, 2018
@hishamhm hishamhm deleted the feat/https-healthchecks branch October 1, 2018 23:11
hbagdi added a commit to hbagdi/go-kong that referenced this pull request Apr 7, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants