feat: sync conf via gRPC
TODO: support extra features like:
1. specific SNI
2. user/password
3. retry
4. healthcheck
5. IPv6
Signed-off-by: spacewander <[email protected]>
spacewander committed Dec 6, 2022
1 parent edb8edf commit 6db8581
Showing 32 changed files with 1,342 additions and 349 deletions.
2 changes: 2 additions & 0 deletions .gitignore
@@ -45,6 +45,8 @@ luac.out
*.orig
*.rej
t/servroot
t/certs/*.csr
t/certs/*.srl
t/xds-library/libxds.h
conf/apisix.uid
conf/nginx.conf
12 changes: 12 additions & 0 deletions apisix/cli/env.lua
@@ -89,12 +89,24 @@ return function (apisix_home, pkg_cpath_org, pkg_path_org)
local openresty_args = openresty_path_abs .. [[ -p ]] .. apisix_home .. [[ -c ]]
.. apisix_home .. [[/conf/nginx.conf]]

local or_info, err = util.execute_cmd("openresty -V 2>&1")
if not or_info then
error("failed to exec cmd \'openresty -V 2>&1\', err: " .. err)
end

local use_apisix_base = true
if not or_info:find("apisix-nginx-module", 1, true) then
use_apisix_base = false
end

local min_etcd_version = "3.4.0"

return {
apisix_home = apisix_home,
is_root_path = is_root_path,
openresty_args = openresty_args,
openresty_info = or_info,
use_apisix_base = use_apisix_base,
pkg_cpath_org = pkg_cpath_org,
pkg_path_org = pkg_path_org,
min_etcd_version = min_etcd_version,
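Review bot: The probe `util.execute_cmd("openresty -V 2>&1")` resolves `openresty` through PATH, while `openresty_args` at the top of the hunk is built from `openresty_path_abs`, so `openresty_info` and `use_apisix_base` may describe a different binary than the one that is actually started. Because `use_apisix_base` now decides which directives are rendered into nginx.conf, I would probe the same binary, e.g. `local or_info, err = util.execute_cmd(openresty_path_abs .. " -V 2>&1")`; `openresty_path_abs` is defined outside this hunk, so confirm it is a single trimmed path first. The probe also now runs, and can `error()`, whenever env.lua is loaded, whereas ops.lua previously tolerated a failed probe. Finally, `.. err` will itself raise if `execute_cmd` ever returns nil without a message, so `.. tostring(err)` is safer.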
16 changes: 8 additions & 8 deletions apisix/cli/ngx_tpl.lua
@@ -57,7 +57,7 @@ env {*name*};
{% end %}
{% end %}
{% if use_apisix_openresty then %}
{% if use_apisix_base then %}
thread_pool grpc-client-nginx-module threads=1;
lua {
@@ -90,7 +90,7 @@ http {
}
server {
{% if use_apisix_openresty then %}
{% if use_apisix_base then %}
listen {* prometheus_server_addr *} enable_process=privileged_agent;
{% else %}
listen {* prometheus_server_addr *};
@@ -215,7 +215,7 @@ stream {
proxy_pass apisix_backend;
{% if use_apisix_openresty then %}
{% if use_apisix_base then %}
set $upstream_sni "apisix_backend";
proxy_ssl_server_name on;
proxy_ssl_name $upstream_sni;
@@ -395,7 +395,7 @@ http {
upstream apisix_backend {
server 0.0.0.1;
{% if use_apisix_openresty then %}
{% if use_apisix_base then %}
keepalive {* http.upstream.keepalive *};
keepalive_requests {* http.upstream.keepalive_requests *};
keepalive_timeout {* http.upstream.keepalive_timeout *};
@@ -431,7 +431,7 @@ http {
}
{% end %}
{% if use_apisix_openresty then %}
{% if use_apisix_base then %}
apisix_delay_client_max_body_check on;
apisix_mirror_on_demand on;
{% end %}
@@ -483,7 +483,7 @@ http {
{% if enabled_plugins["prometheus"] and prometheus_server_addr then %}
server {
{% if use_apisix_openresty then %}
{% if use_apisix_base then %}
listen {* prometheus_server_addr *} enable_process=privileged_agent;
{% else %}
listen {* prometheus_server_addr *};
@@ -746,7 +746,7 @@ http {
apisix.grpc_access_phase()
}
{% if use_apisix_openresty then %}
{% if use_apisix_base then %}
# For servers which obey the standard, when `:authority` is missing,
# `host` will be used instead. When used with apisix-base, we can do
# better by setting `:authority` directly
@@ -799,7 +799,7 @@ http {
location = /proxy_mirror {
internal;
{% if not use_apisix_openresty then %}
{% if not use_apisix_base then %}
if ($upstream_mirror_uri = "") {
return 200;
}
11 changes: 3 additions & 8 deletions apisix/cli/ops.lua
@@ -259,17 +259,12 @@ Please modify "admin_key" in conf/config.yaml .
util.die("openresty version must >=", need_ver, " current ", or_ver, "\n")
end

local or_info = util.execute_cmd("openresty -V 2>&1")
if or_info and not or_info:find("http_stub_status_module", 1, true) then
local or_info = env.openresty_info
if not or_info:find("http_stub_status_module", 1, true) then
util.die("'http_stub_status_module' module is missing in ",
"your openresty, please check it out.\n")
end

local use_apisix_openresty = true
if or_info and not or_info:find("apisix-nginx-module", 1, true) then
use_apisix_openresty = false
end

local enable_http = true
if not yaml_conf.apisix.enable_admin and yaml_conf.apisix.stream_proxy and
yaml_conf.apisix.stream_proxy.only ~= false
@@ -543,7 +538,7 @@ Please modify "admin_key" in conf/config.yaml .
os_name = util.trim(util.execute_cmd("uname")),
apisix_lua_home = env.apisix_home,
deployment_role = env.deployment_role,
use_apisix_openresty = use_apisix_openresty,
use_apisix_base = env.use_apisix_base,
error_log = {level = "warn"},
enable_http = enable_http,
enabled_discoveries = enabled_discoveries,
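Review bot: `or_info:find("http_stub_status_module", 1, true)` no longer guards against a nil `or_info`; it is safe only because env.lua now raises when `openresty -V` fails, and that invariant lives in another file. A one-line comment above the lookup would keep a later change to env.lua from turning this into an "attempt to index a nil value" crash: `-- env.openresty_info is never nil: env.lua errors out when 'openresty -V' fails`. The enclosing function starts and ends outside this hunk.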
169 changes: 93 additions & 76 deletions apisix/cli/snippet.lua
@@ -21,6 +21,95 @@ local ipairs = ipairs

-- this module provide methods to generate snippets which will be used in the nginx.conf template
local _M = {}
local conf_server_tpl = [[
upstream apisix_conf_backend {
server 0.0.0.0:80;
balancer_by_lua_block {
local conf_server = require("apisix.conf_server")
conf_server.balancer()
}
}
{% if trusted_ca_cert then %}
lua_ssl_trusted_certificate {* trusted_ca_cert *};
{% end %}
server {
{% if control_plane then %}
listen {* control_plane.listen *} ssl;
ssl_certificate {* control_plane.cert *};
ssl_certificate_key {* control_plane.cert_key *};
{% if control_plane.client_ca_cert then %}
ssl_verify_client on;
ssl_client_certificate {* control_plane.client_ca_cert *};
{% end %}
{% else %}
listen unix:{* home *}/conf/config_listen.sock;
{% end %}
access_log off;
set $upstream_host '';
access_by_lua_block {
local conf_server = require("apisix.conf_server")
conf_server.access()
}
location / {
{% if enable_https then %}
{* directive_prefix *}_pass {* scheme_name *}s://apisix_conf_backend;
{* directive_prefix *}_ssl_protocols TLSv1.2 TLSv1.3;
{* directive_prefix *}_ssl_server_name on;
{% if etcd_tls_verify then %}
{* directive_prefix *}_ssl_verify on;
{* directive_prefix *}_ssl_trusted_certificate {* ssl_trusted_certificate *};
{% end %}
{% if sni then %}
{* directive_prefix *}_ssl_name {* sni *};
{% else %}
{* directive_prefix *}_ssl_name $upstream_host;
{% end %}
{% if client_cert then %}
{* directive_prefix *}_ssl_certificate {* client_cert *};
{* directive_prefix *}_ssl_certificate_key {* client_cert_key *};
{% end %}
{% else %}
{* directive_prefix *}_pass {* scheme_name *}://apisix_conf_backend;
{% end %}
{% if scheme_name == "http" then %}
proxy_http_version 1.1;
proxy_set_header Connection "";
{% end %}
{* directive_prefix *}_set_header Host $upstream_host;
{* directive_prefix *}_next_upstream error timeout non_idempotent
http_500 http_502 http_503 http_504;
}
log_by_lua_block {
local conf_server = require("apisix.conf_server")
conf_server.log()
}
}
]]


local function is_grpc_used(env, etcd)
local is_grpc_available = env.use_apisix_base
if etcd.user then
-- TODO: support user/password
is_grpc_available = false
end
return is_grpc_available and etcd.use_grpc
end


function _M.generate_conf_server(env, conf)
@@ -69,87 +158,13 @@ function _M.generate_conf_server(env, conf)
end
end

local conf_render = template.compile([[
upstream apisix_conf_backend {
server 0.0.0.0:80;
balancer_by_lua_block {
local conf_server = require("apisix.conf_server")
conf_server.balancer()
}
}
{% if trusted_ca_cert then %}
lua_ssl_trusted_certificate {* trusted_ca_cert *};
{% end %}
server {
{% if control_plane then %}
listen {* control_plane.listen *} ssl;
ssl_certificate {* control_plane.cert *};
ssl_certificate_key {* control_plane.cert_key *};
{% if control_plane.client_ca_cert then %}
ssl_verify_client on;
ssl_client_certificate {* control_plane.client_ca_cert *};
{% end %}
{% else %}
listen unix:{* home *}/conf/config_listen.sock;
{% end %}
access_log off;
set $upstream_host '';
access_by_lua_block {
local conf_server = require("apisix.conf_server")
conf_server.access()
}
location / {
{% if enable_https then %}
proxy_pass https://apisix_conf_backend;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_server_name on;
{% if etcd_tls_verify then %}
proxy_ssl_verify on;
proxy_ssl_trusted_certificate {* ssl_trusted_certificate *};
{% end %}
{% if sni then %}
proxy_ssl_name {* sni *};
{% else %}
proxy_ssl_name $upstream_host;
{% end %}
{% if client_cert then %}
proxy_ssl_certificate {* client_cert *};
proxy_ssl_certificate_key {* client_cert_key *};
{% end %}
{% else %}
proxy_pass http://apisix_conf_backend;
{% end %}
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $upstream_host;
proxy_next_upstream error timeout non_idempotent http_500 http_502 http_503 http_504;
}
log_by_lua_block {
local conf_server = require("apisix.conf_server")
conf_server.log()
}
}
]])

local conf_render = template.compile(conf_server_tpl)
local tls = etcd.tls
local client_cert
local client_cert_key
local ssl_trusted_certificate
local etcd_tls_verify
local use_grpc = is_grpc_used(env, etcd)
if tls then
if tls.cert then
client_cert = pl_path.abspath(tls.cert)
@@ -175,6 +190,8 @@ function _M.generate_conf_server(env, conf)
trusted_ca_cert = trusted_ca_cert,
etcd_tls_verify = etcd_tls_verify,
ssl_trusted_certificate = ssl_trusted_certificate,
scheme_name = use_grpc and "grpc" or "http",
directive_prefix = use_grpc and "grpc" or "proxy",
})
end
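Review bot: `is_grpc_used` silently falls back to HTTP when `etcd.use_grpc` is set but `etcd.user` is configured or the build is not apisix-base, so an operator who asked for gRPC gets a `proxy_pass` conf server with no indication why. I would emit a warning at generation time, just before the return, e.g. `if etcd.use_grpc and not is_grpc_available then io.stderr:write("etcd.use_grpc is ignored: it requires apisix-base and no etcd user/password\n") end`. The runtime etcd client presumably has to make the same decision; it is not visible on this page, but if the two ever disagree the rendered `grpc_pass`/`proxy_pass` will not match the protocol the client speaks, so sharing one helper is safer than duplicating the condition. As a style point, `scheme_name` and `directive_prefix` encode the same boolean; passing `use_grpc` itself to the template and testing `{% if not use_grpc then %}` would avoid the `scheme_name == "http"` string comparison.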
