feat: support specify custom sni in etcd conf (#5206)

2024-11-30 02:57:49 +08:00 · 2021-10-13 18:58:46 +08:00 · 2021-10-13 18:58:46 +08:00 · 2b23907743
commit 2b23907743
parent 9e3ce03865
6 changed files with 86 additions and 1 deletions
--- a/apisix/core/etcd.lua
+++ b/apisix/core/etcd.lua
@ -50,6 +50,10 @@ local function new()
            etcd_conf.ssl_cert_path = etcd_conf.tls.cert
            etcd_conf.ssl_key_path = etcd_conf.tls.key
        end
+
+        if etcd_conf.tls.sni then
+            etcd_conf.sni = etcd_conf.tls.sni
+        end
    end

    local etcd_cli
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@ -272,6 +272,7 @@ etcd:

    verify: true                  # whether to verify the etcd endpoint certificate when setup a TLS connection to etcd,
                                  # the default value is true, e.g. the certificate will be verified strictly.
+    #sni:                         # the SNI for etcd TLS requests. If missed, the host part of the URL will be used.

 #discovery:                       # service discovery center
 #  dns:
--- a/rockspec/apisix-master-0.rockspec
+++ b/rockspec/apisix-master-0.rockspec
@ -34,7 +34,7 @@ dependencies = {
    "lua-resty-ctxdump = 0.1-0",
    "lua-resty-dns-client = 5.2.0",
    "lua-resty-template = 2.0",
-    "lua-resty-etcd = 1.5.5",
+    "lua-resty-etcd = 1.6.0",
    "api7-lua-resty-http = 0.2.0",
    "lua-resty-balancer = 0.04",
    "lua-resty-ngxvar = 0.5.2",
--- a/t/cli/test_etcd_healthcheck.sh
+++ b/t/cli/test_etcd_healthcheck.sh
@ -36,6 +36,7 @@ etcd:
    - "http://127.0.0.1:23791"
    - "http://127.0.0.1:23792"
  health_check_timeout: '"$HEALTH_CHECK_RETRY_TIMEOUT"'
+  timeout: 2
 ' > conf/config.yaml

 docker-compose -f ./t/cli/docker-compose-etcd-cluster.yaml up -d
@ -44,6 +45,8 @@ docker-compose -f ./t/cli/docker-compose-etcd-cluster.yaml up -d
 make init && make run

 docker stop ${ETCD_NAME_0}
+# wait to etcd health check marks ETCD_NAME_0 as unhealthy
+sleep 3
 code=$(curl -o /dev/null -s -w %{http_code} http://127.0.0.1:9080/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1')
 if [ ! $code -eq 200 ]; then
    echo "failed: apisix got effect when one etcd node out of a cluster disconnected"
@ -52,6 +55,9 @@ fi
 docker start ${ETCD_NAME_0}

 docker stop ${ETCD_NAME_1}
+# after 2 rounds of timeout, etcd health check marks ETCD_NAME_1 as unhealthy,
+# and ETCD_NAME_1 is in fail_timeout state, it won't be selected to create a new etcd connection
+sleep 5
 code=$(curl -o /dev/null -s -w %{http_code} http://127.0.0.1:9080/apisix/admin/routes -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1')
 if [ ! $code -eq 200 ]; then
    echo "failed: apisix got effect when one etcd node out of a cluster disconnected"
--- a/t/cli/test_etcd_mtls.sh
+++ b/t/cli/test_etcd_mtls.sh
@ -125,3 +125,62 @@ if grep "\[error\]" logs/error.log; then
 fi

 echo "passed: certificate verify in stream subsystem successfully"
+
+# use host in etcd.host as sni by default
+git checkout conf/config.yaml
+echo '
+apisix:
+  ssl:
+    ssl_trusted_certificate: t/certs/mtls_ca.crt
+etcd:
+  host:
+    - "https://127.0.0.1:22379"
+  prefix: "/apisix"
+  tls:
+    cert: t/certs/mtls_client.crt
+    key: t/certs/mtls_client.key
+  ' > conf/config.yaml
+
+rm logs/error.log || true
+make init
+make run
+sleep 1
+make stop
+
+if ! grep -E 'certificate host mismatch' logs/error.log; then
+    echo "failed: should got certificate host mismatch when use host in etcd.host as sni"
+    exit 1
+fi
+
+
+echo "passed: use host in etcd.host as sni by default"
+
+# specify custom sni instead of using etcd.host
+git checkout conf/config.yaml
+echo '
+apisix:
+  ssl:
+    ssl_trusted_certificate: t/certs/mtls_ca.crt
+etcd:
+  host:
+    - "https://127.0.0.1:22379"
+  prefix: "/apisix"
+  tls:
+    cert: t/certs/mtls_client.crt
+    key: t/certs/mtls_client.key
+    sni: "admin.apisix.dev"
+  ' > conf/config.yaml
+
+rm logs/error.log || true
+make init
+make run
+sleep 1
+make stop
+
+if grep -E 'certificate host mismatch' logs/error.log; then
+    echo "failed: should use specify custom sni"
+    exit 1
+fi
+
+echo "passed: specify custom sni instead of using etcd.host"
+
--- a/t/core/config_etcd.t
+++ b/t/core/config_etcd.t
@ -57,6 +57,11 @@ apisix:
 etcd:
  host:
    - "https://127.0.0.1:2379"
+--- extra_init_by_lua
+local health_check = require("resty.etcd.health_check")
+health_check.get_target_status = function()
+    return true
+end
 --- config
    location /t {
        content_by_lua_block {
@ -105,6 +110,11 @@ apisix:
 etcd:
  host:
    - "https://127.0.0.1:12379"
+--- extra_init_by_lua
+local health_check = require("resty.etcd.health_check")
+health_check.get_target_status = function()
+    return true
+end
 --- config
    location /t {
        content_by_lua_block {
@ -244,6 +254,11 @@ etcd:
  timeout: 1
  user: root                    # root username for etcd
  password: 5tHkHhYkjr6cQY      # root password for etcd
+--- extra_init_by_lua
+local health_check = require("resty.etcd.health_check")
+health_check.get_target_status = function()
+    return true
+end
 --- config
    location /t {
        content_by_lua_block {