-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(balancer): refresh uri and tls scheme in ai-proxy-advanced balancer phase #14007
Open
oowl
wants to merge
7
commits into
master
Choose a base branch
from
balancer-patch
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+336
−1
Open
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
10d6386
feat(patch): refresh upstream uri variable when proxy pass balancer r…
oowl 5bdb601
feat(patch): backport balancer.set_upstream_tls feature from openrest…
oowl 0728d8c
feat(pdk): dynamic control upstream tls when kong.service.request.set…
oowl 6814316
fix: fix code
oowl d07813a
fix: fix code
oowl a579037
fix: fix code
oowl da39959
fix: fix code
oowl File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
205 changes: 205 additions & 0 deletions
205
build/openresty/patches/lua-resty-core-0.1.28_02-balancer_set_upstream_tls.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,205 @@ | ||
diff --git a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua | ||
index 7d64d63..b0b7543 100644 | ||
--- a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua | ||
+++ b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.lua | ||
@@ -22,6 +22,7 @@ local ngx_lua_ffi_balancer_set_current_peer | ||
local ngx_lua_ffi_balancer_set_more_tries | ||
local ngx_lua_ffi_balancer_get_last_failure | ||
local ngx_lua_ffi_balancer_set_timeouts -- used by both stream and http | ||
+local ngx_lua_ffi_balancer_set_upstream_tls | ||
|
||
|
||
if subsystem == 'http' then | ||
@@ -41,6 +42,8 @@ if subsystem == 'http' then | ||
|
||
int ngx_http_lua_ffi_balancer_recreate_request(ngx_http_request_t *r, | ||
char **err); | ||
+ int ngx_http_lua_ffi_balancer_set_upstream_tls(ngx_http_request_t *r, | ||
+ int on, char **err); | ||
]] | ||
|
||
ngx_lua_ffi_balancer_set_current_peer = | ||
@@ -55,6 +58,9 @@ if subsystem == 'http' then | ||
ngx_lua_ffi_balancer_set_timeouts = | ||
C.ngx_http_lua_ffi_balancer_set_timeouts | ||
|
||
+ ngx_lua_ffi_balancer_set_upstream_tls = | ||
+ C.ngx_http_lua_ffi_balancer_set_upstream_tls | ||
+ | ||
elseif subsystem == 'stream' then | ||
ffi.cdef[[ | ||
int ngx_stream_lua_ffi_balancer_set_current_peer( | ||
@@ -228,6 +234,29 @@ if subsystem == 'http' then | ||
|
||
return nil, "failed to recreate the upstream request" | ||
end | ||
+ | ||
+ | ||
+ function _M.set_upstream_tls(on) | ||
+ local r = get_request() | ||
+ if not r then | ||
+ return error("no request found") | ||
+ end | ||
+ | ||
+ local rc | ||
+ | ||
+ if on == 0 or on == false then | ||
+ on = 0 | ||
+ else | ||
+ on = 1 | ||
+ end | ||
+ | ||
+ rc = ngx_lua_ffi_balancer_set_upstream_tls(r, on, errmsg); | ||
+ if rc == FFI_OK then | ||
+ return true | ||
+ end | ||
+ | ||
+ return nil, ffi_str(errmsg[0]) | ||
+ end | ||
end | ||
|
||
|
||
diff --git a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md | ||
index ef2f124..3ec8cb9 100644 | ||
--- a/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md | ||
+++ b/bundle/lua-resty-core-0.1.28/lib/ngx/balancer.md | ||
@@ -13,11 +13,12 @@ Table of Contents | ||
* [stream subsystem](#stream-subsystem) | ||
* [Description](#description) | ||
* [Methods](#methods) | ||
+ * [get_last_failure](#get_last_failure) | ||
+ * [recreate_request](#recreate_request) | ||
* [set_current_peer](#set_current_peer) | ||
* [set_more_tries](#set_more_tries) | ||
- * [get_last_failure](#get_last_failure) | ||
* [set_timeouts](#set_timeouts) | ||
- * [recreate_request](#recreate_request) | ||
+ * [set_upstream_tls](#set_upstream_tls) | ||
* [Community](#community) | ||
* [English Mailing List](#english-mailing-list) | ||
* [Chinese Mailing List](#chinese-mailing-list) | ||
@@ -270,6 +271,21 @@ This function was first added in the `0.1.20` version of this library. | ||
|
||
[Back to TOC](#table-of-contents) | ||
|
||
+set_upstream_tls | ||
+------------ | ||
+**syntax:** `ok, err = balancer.set_upstream_tls(on)` | ||
+ | ||
+**context:** *balancer_by_lua** | ||
+ | ||
+Turn off the HTTPs or reenable the HTTPs for the upstream connection. | ||
+ | ||
+- If `on` is `true`, then the https protocol will be used to connect to the upstream server. | ||
+- If `on` is `false`, then the http protocol will be used to connect to the upstream server. | ||
+ | ||
+This function was first added in the `0.1.29` version of this library. | ||
+ | ||
+[Back to TOC](#table-of-contents) | ||
+ | ||
Community | ||
========= | ||
|
||
diff --git a/bundle/lua-resty-core-0.1.28/t/balancer.t b/bundle/lua-resty-core-0.1.28/t/balancer.t | ||
index 3e9fb2f..6201b47 100644 | ||
--- a/bundle/lua-resty-core-0.1.28/t/balancer.t | ||
+++ b/bundle/lua-resty-core-0.1.28/t/balancer.t | ||
@@ -882,3 +882,98 @@ connect() failed (111: Connection refused) while connecting to upstream, client: | ||
--- no_error_log | ||
[warn] | ||
[crit] | ||
+ | ||
+ | ||
+ | ||
+=== TEST 20: set_upstream_tls off | ||
+--- skip_nginx: 5: < 1.7.5 | ||
+--- http_config | ||
+ lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH"; | ||
+ | ||
+ upstream backend { | ||
+ server 0.0.0.1; | ||
+ balancer_by_lua_block { | ||
+ local b = require "ngx.balancer" | ||
+ b.set_current_peer("127.0.0.1", tonumber(ngx.var.server_port)) | ||
+ b.set_upstream_tls(false) | ||
+ } | ||
+ keepalive 1; | ||
+ } | ||
+ | ||
+ server { | ||
+ listen $TEST_NGINX_RAND_PORT_1 ssl; | ||
+ ssl_certificate ../../cert/test.crt; | ||
+ ssl_certificate_key ../../cert/test.key; | ||
+ | ||
+ server_tokens off; | ||
+ location = /back { | ||
+ return 200 "ok"; | ||
+ } | ||
+ } | ||
+--- config | ||
+ location /t { | ||
+ proxy_pass https://backend/back; | ||
+ proxy_http_version 1.1; | ||
+ proxy_set_header Connection ""; | ||
+ } | ||
+ | ||
+ location /back { | ||
+ echo "Hello world!"; | ||
+ } | ||
+--- request | ||
+ GET /t | ||
+--- no_error_log | ||
+[alert] | ||
+[error] | ||
+--- response_body | ||
+Hello world! | ||
+ | ||
+--- no_check_leak | ||
+ | ||
+ | ||
+ | ||
+=== TEST 21: set_upstream_tls on | ||
+--- skip_nginx: 5: < 1.7.5 | ||
+--- http_config | ||
+ lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH"; | ||
+ | ||
+ upstream backend { | ||
+ server 0.0.0.1; | ||
+ balancer_by_lua_block { | ||
+ local b = require "ngx.balancer" | ||
+ b.set_current_peer("127.0.0.1", $TEST_NGINX_RAND_PORT_1) | ||
+ b.set_upstream_tls(false) | ||
+ b.set_upstream_tls(true) | ||
+ } | ||
+ | ||
+ keepalive 1; | ||
+ } | ||
+ | ||
+ server { | ||
+ listen $TEST_NGINX_RAND_PORT_1 ssl; | ||
+ ssl_certificate ../../cert/test.crt; | ||
+ ssl_certificate_key ../../cert/test.key; | ||
+ | ||
+ server_tokens off; | ||
+ location = /back { | ||
+ return 200 "ok"; | ||
+ } | ||
+ } | ||
+--- config | ||
+ location /t { | ||
+ proxy_pass https://backend/back; | ||
+ proxy_http_version 1.1; | ||
+ proxy_set_header Connection ""; | ||
+ } | ||
+ | ||
+ location /back { | ||
+ echo "Hello world!"; | ||
+ } | ||
+--- request | ||
+ GET /t | ||
+--- no_error_log | ||
+[alert] | ||
+[error] | ||
+--- response_body chomp | ||
+ok | ||
+--- no_check_leak |
18 changes: 18 additions & 0 deletions
18
build/openresty/patches/nginx-1.25.3_09-refresh-uri-when-proxy-pass-balancer-recreate.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
diff --git a/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c b/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c | ||
index 4eb6931..5a2f959 100644 | ||
--- a/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c | ||
+++ b/bundle/nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c | ||
@@ -1277,6 +1277,13 @@ ngx_http_proxy_create_request(ngx_http_request_t *r) | ||
|
||
ctx = ngx_http_get_module_ctx(r, ngx_http_proxy_module); | ||
|
||
+ // make sure we refresh the proxy upstream uri in balancer retry scenarios | ||
+ if (r->upstream_states && r->upstream_states->nelts > 0) { | ||
+ if (ngx_http_proxy_eval(r, ctx, plcf) != NGX_OK) { | ||
+ return NGX_HTTP_INTERNAL_SERVER_ERROR; | ||
+ } | ||
+ } | ||
+ | ||
if (method.len == 4 | ||
&& ngx_strncasecmp(method.data, (u_char *) "HEAD", 4) == 0) | ||
{ |
51 changes: 51 additions & 0 deletions
51
build/openresty/patches/ngx_lua-0.10.26_08-balancer_set_upstream_tls.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_balancer.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_balancer.c | ||
index af4da73..f119948 100644 | ||
--- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_balancer.c | ||
+++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_balancer.c | ||
@@ -808,5 +808,46 @@ ngx_http_lua_ffi_balancer_recreate_request(ngx_http_request_t *r, | ||
return u->create_request(r); | ||
} | ||
|
||
+int | ||
+ngx_http_lua_ffi_balancer_set_upstream_tls(ngx_http_request_t *r, int on, | ||
+ char **err) | ||
+{ | ||
+ ngx_http_lua_ctx_t *ctx; | ||
+ ngx_http_upstream_t *u; | ||
+ | ||
+ if (r == NULL) { | ||
+ *err = "no request found"; | ||
+ return NGX_ERROR; | ||
+ } | ||
+ | ||
+ u = r->upstream; | ||
+ | ||
+ if (u == NULL) { | ||
+ *err = "no upstream found"; | ||
+ return NGX_ERROR; | ||
+ } | ||
+ | ||
+ ctx = ngx_http_get_module_ctx(r, ngx_http_lua_module); | ||
+ if (ctx == NULL) { | ||
+ *err = "no ctx found"; | ||
+ return NGX_ERROR; | ||
+ } | ||
+ | ||
+ if ((ctx->context & NGX_HTTP_LUA_CONTEXT_BALANCER) == 0) { | ||
+ *err = "API disabled in the current context"; | ||
+ return NGX_ERROR; | ||
+ } | ||
+ | ||
+ if (on == 0) { | ||
+ u->ssl = 0; | ||
+ u->schema.len = sizeof("http://") - 1; | ||
+ | ||
+ } else { | ||
+ u->ssl = 1; | ||
+ u->schema.len = sizeof("https://") - 1; | ||
+ } | ||
+ | ||
+ return NGX_OK; | ||
+} | ||
|
||
/* vi:set ft=c ts=4 sw=4 et fdm=marker: */ |
3 changes: 3 additions & 0 deletions
3
changelog/unreleased/kong/backport-resty-balancer-set-upstream.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
message: backport balancer.set_upstream_tls feature from openresty upstream [openresty/lua-resty-core#460](https://github.com/openresty/lua-resty-core/pull/460) | ||
type: feature | ||
scope: Core |
3 changes: 3 additions & 0 deletions
3
changelog/unreleased/kong/dynamic-set-tls-in-pdk-set_scheme.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
message: dynamic control upstream tls when kong.service.request.set_scheme was called | ||
type: feature | ||
scope: PDK |
3 changes: 3 additions & 0 deletions
3
changelog/unreleased/kong/upstream-uri-refresh-when-recreate-request.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
message: refresh upstream uri variable when proxy pass balancer recreate | ||
type: feature | ||
scope: Core |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @ADD-SP this would need some performance test to validate
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure the performance impact here, is there a way to detect if the upstream tls option has been changed, and then decide if we need to do the config parsing again here? e.g. could we use
ctx
to mark if the options has been changed from lua side, and if not changed, we just skip the refresh of variables here?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this patch is used to alter the TLS option. It looks like "reevaluating URI every time we make requests".
IIUC, before this patch, evaluating URI will perform only once when the config is processed and use evaluated value after that. Thus, altering some variables in URI will not be able to work normally.
I'm not sure if I understand correctly, Please correct me if I'm wrong. @oowl
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just confirmed "feat(patch): refresh upstream uri variable when proxy pass balancer recreate" will cause regressions in RPS, latency and DP memory usage in change-route scenario.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Oyami-Srk The option to alter TLS on/off is from another commit in this PR. The change here is to alter upstream_uri,
as kong uses a variable in proxy_pass, this patch make sure in a failover when we update the upstream_uri, the variable is re-evaluated so that nginx will build an updated request on it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@oowl I guess what we can do next to make sure this
ngx_http_proxy_eval
is only called the second time (aka in a failover) in a request.