feat: support configurating the node listening address

[wayne-cheng]

Signed-off-by: wayne-cheng [email protected]

What this PR does / why we need it:

support configurating the node listening address,
The config.yaml example as below：

apisix:
  node_listen:
  - 9080
  - port: 9380
    ip: 127.0.0.2            # If not given, the default is 0.0.0.0
    allow_ssl: True        # if False, the ip connot be ued to config ssl.

Fix #4853

Pre-submission checklist:

• Did you explain what problem does this PR solve? Or what new features have been added?
• Have you added corresponding test cases?
• Have you modified the corresponding document?
• Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

[wayne-cheng]

@spacewander Hi, PTAL

[nic-chen]

@wayne-cheng tanks.need test cases

[spacewander]

A test under t/cli is in need.

[spacewander]

Better to use enable_ssl.

[wayne-cheng]

ok，and should I explain these params in the doc FAQ.md ?

apisix:
  node_listen:
  - 9080
  - port: 9380
    ip: 127.0.0.1            # If not given, the default is `0.0.0.0`.
    enable_ssl: True         # If `False`, the ip connot be ued to enable ssl. If not given, the default is `True`.

[spacewander]

IMHO, document it in the conf/config-default.yaml as a comment is enough.

[spacewander]

And the default value of "enable_ssl" should not be true, since 9080 doesn't have "enable_ssl", and it doesn't enable SSL by default.

[spacewander]

Actually, we are planning to reduce the length of the current FAQ, let each answer go to suitable places, instead of putting them together.

[wayne-cheng]

It is better to modify the config apisix.ssl.listen_port ,like this:

apisix:
  ssl:
    listen_port:
    - ip: 127.0.0.1
       port: 9443

The ssl config in the param apisix.node_listen[] could be confusing，for example:

apisix:
  node_listen:
    - ip: 127.0.0.2
      port: 9082
      enable_ssl: true
    - ip: 127.0.0.2
      port: 9083
      enable_ssl: false

What do you think? @spacewander

[spacewander]

Agree. Personally, I prefer to use a new key "listen" since it is not just with port. Maybe we need to move "enable_http2" under "listen" too. Like this one:

apisix:
  ssl:
    # enable_http2: false
    # listen_port: ...
    listen:
    - ip: 127.0.0.1
      port: 9443
      enable_http2: true # per listen configuration

@wayne-cheng
What's your opinion?

[wayne-cheng]

@spacewander
I cannot agree any more. BTW, do I need to consider compatibility with the old configuration about ssl? There are something troublesome to deal with, the new config need to be merged with the old config.

[spacewander]

Yes. We need to keep backward compatibility.

[wayne-cheng]

@spacewander I have updated the code, please take a look.

[spacewander]

Please comment out the example

[wayne-cheng]

done

[spacewander]

Ditto

[spacewander]

Please remove the irrelative line

[spacewander]

We can refactor the repeated code in a function, which accepts enable_http2, enable_ipv6 and other arguments

[wayne-cheng]

Thx, the code is much clearer now

[spacewander]

Need to add a comment to show that this way still supports, but is no longer recommended

[wayne-cheng]

ok，I will comment it like this:

apisix:
  node_listen: 9080                # APISIX listening port
  # node_listen:                   # This style support multiple ports
  # - 9080
  # - ip: 127.0.0.2                # Specific IP, If not set, the default value is `0.0.0.0`.
  #   port: 9082
  ssl:
    enable: true
    # listen:                       # APISIX listening port in https.
    # - 9443
    # - ip: 127.0.0.3               # Specific IP, If not set, the default value is `0.0.0.0`.
    #   port: 9444
    #   enable_http2: true          # If not set, the default value is `false`.
    enable_http2: true              # Not recommend: This parameter should be set via the `listen`.
    listen_port: 9443               # Not recommend: This parameter should be set via the `listen`.

[spacewander]

I prefer to:

apisix:
  # node_listen: 9080                # APISIX listening port
  node_listen:                       # This style support multiple ports
   - 9080
   # - ip: 127.0.0.2                # Specific IP, If not set, the default value is `0.0.0.0`.
   #   port: 9082
  ssl:
    enable: true
    listen:                       # APISIX listening port in https.
      - 9443
    # - ip: 127.0.0.3               # Specific IP, If not set, the default value is `0.0.0.0`.
    #   port: 9444
    #   enable_http2: true          # If not set, the default value is `false`.
    enable_http2: true              # Not recommend: This parameter should be set via the `listen`.
    # listen_port: 9443               # Not recommend: This parameter should be set via the `listen`.

Let's encourage users to use the new style.

[wayne-cheng]

done

[spacewander]

Ditto

[wayne-cheng]

done

[wayne-cheng]

@spacewander A new commit has been pushed, PTAL

[spacewander]

http port also need to enable_http2

[wayne-cheng]

OK, and it means that the config apisix.node_listen[] also has the property enable_http2 , right?

apisix:
  # node_listen: 9080                # APISIX listening port
  node_listen:                   # This style support multiple ports
  - 9080
  # - ip: 127.0.0.2                # Specific IP, If not set, the default value is `0.0.0.0`.
  #   port: 9082
  #   enable_http2: true  

[wayne-cheng]

done

[spacewander]

it means that the config apisix.node_listen[] also has the property enable_http2 , right?

Yes.

[spacewander]

We can add scheme to this key so that we can reduce a branch

[wayne-cheng]

Since the config apisix.node_listen[] also has the property enable_http2, the branch can be reduced.
Port conflicts should be checked at the TCP layer, not the scheme http/https, so the scheme would not be add to this key.

[wayne-cheng]

done

[wayne-cheng]

The conifg apisix.port_admin also need to be compatible, now all changes have been pushed.
PTAL @spacewander

[spacewander]

I don't like the idea that the admin requires multiple ports.

[spacewander]

Multiple admin ports are useless. You only need to set one in the API client.

[wayne-cheng]

I did not change the config port_admin. It is still the same as before, only one port_admin can be set.
The idea is to match the specific ip in the config node_listen，not for multiple ports.

[spacewander]

Please don't change the port_admin, thanks!

[wayne-cheng]

@spacewander
Please see this after that code:

{% if item.only_admin then %}
listen {* item.ip *}:{* item.port *} ssl;
{% end %}

In my environment, the apisix bind the VIP. If the port_admin is bound to all IP addresses, those programs with the same port but different IP will not work.

[spacewander]

Maybe we can add an "admin_listen" section like what we have done with ssl.listen_port? We can do it in the next PR. This PR is big enough and should pass the CI first.

[wayne-cheng]

Agree，Of course this way is better. Next, Do I undo the changes about port_admin and push commit again？

[spacewander]

Yes

[wayne-cheng]

OK，PTAL @spacewander

[wayne-cheng]

@spacewander
The config apisix.node_listen in previous config-default.yaml is the type number, but the new has been the type table.
If a user still uses the type number to set the config apisix.node_listen like this:

apisix:
  node_listen: 9081

The error will occur when exec make init，and it also appeared in the CI test:

./bin/apisix init
/usr/local/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua init
failed to read local yaml config of apisix: failed to merge, path[apisix->ssl->listen] expect: table, but got: number
make: *** [Makefile:127: init] Error 1

This bug should have existed before, but it was missed, since the previous file config-default.yaml used the number type.
Should I fix the function merge_conf in the code file apisix/cli/file.lua(+151) ?

 -- ...           
            elseif type(base[key]) ~= type_val then
                if (ppath == "nginx_config" or str_sub(ppath, 1, 14) == "nginx_config->") and
                    (type_val == "number" or type_val == "string")
                then
                    base[key] = val
                else
                    local path = ppath == "" and key or ppath .. "->" .. key
                    return nil, "failed to merge, path[" .. path ..  "] expect: " ..
                                type(base[key]) .. ", but got: " .. type_val
                end
            else
                base[key] = val
            end
-- ...

[spacewander]

Thanks for your report. Let's add it to the allow list.

I think you can submit it via a separate PR. I can merge it first, so that you are no longer a first-time contributor, then you can see the CI result without approval.

[spacewander]

I think we should only support table format for the new configuration, this will make it easier to understand.

[wayne-cheng]

ok，I have removed it in the config-default.yaml.

[spacewander]

Could we remove it now?

[spacewander]

Ditto

[wayne-cheng]

Got it, the related code has also been removed.

[wayne-cheng]

@spacewander Thanks for your patience to review, I'll submit next PR to add the config admin_listen.

[jagerzhang]

Hi, When will this feature be released to the docker image?