You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/11/20 10:19:52 UTC
[GitHub] [apisix-helm-chart] cr7258 opened a new pull request, #401: fix: enable tls for the tcp address
cr7258 opened a new pull request, #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401
we need to [enable tls](https://apisix.apache.org/docs/apisix/stream-proxy/#accept-tls-over-tcp-connection) in APISIX config file to support SNI based TLS route.
```yaml
apisix:
stream_proxy: # TCP/UDP proxy
tcp: # TCP proxy address list
- addr: 9100
tls: true
```
Add host field in [apisixroutes CRD](https://github.com/apache/apisix-ingress-controller/pull/1051/files#diff-df521c61cf5f2cbf22dc2b191f7699e255b89e9408b3eb02385efe733fd39897) to support SNI based TLS route.
```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
name: redis-stream
spec:
stream:
- name: redis-stream
protocol: TCP
match:
ingressPort: 10000
host: test.redis.com # sni
backend:
serviceName: redis1
servicePort: 6379
- name: redis-stream-2
protocol: TCP
match:
ingressPort: 10000
host: test.redis-2.com
backend:
serviceName: redis2
servicePort: 6379
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] tao12345666333 commented on pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#issuecomment-1375261613
@cr7258 could you please resolve conflicts? thanks!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] cr7258 commented on pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
cr7258 commented on PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#issuecomment-1377394655
> @cr7258 could you please resolve conflicts? thanks!
Done, Please review it, Thanks.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] tokers commented on a diff in pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
tokers commented on code in PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#discussion_r1034753524
##########
charts/apisix-ingress-controller/crds/customresourcedefinitions.yaml:
##########
@@ -1782,6 +1782,8 @@ spec:
match:
type: object
properties:
+ host:
Review Comment:
Also update the definition in apisix-ingress-controller. Cc @tao12345666333
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] cr7258 commented on pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
cr7258 commented on PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#issuecomment-1383158499
Use [`splitList`](https://pkg.go.dev/path/filepath#SplitList) to split a string into a list of strings, and get the last value of the list.
# Verify
## values.yaml
```yaml
gateway:
stream:
enabled: true
only: false
tcp:
- addr: 9100
tls: true
- addr: 127.0.0.1:9200
- addr: 127.0.0.1:9300
tls: true
```
Install apisix helm chart.
```bash
helm install apisix -n apisix apisix
```
## Generated Config
### Deployment
```bash
> kubectl get deployments -n apisix apisix -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: apisix
namespace: apisix
......
- containerPort: 9100
name: proxy-tcp-0
protocol: TCP
- containerPort: 9200
name: proxy-tcp-1
protocol: TCP
- containerPort: 9300
name: proxy-tcp-2
protocol: TCP
......
```
### Configmap
```bash
> kubectl get configmap -n apisix apisix -oyaml
apiVersion: v1
kind: ConfigMap
name: apisix
namespace: apisix
data:
config.yaml: |-
......
stream_proxy:
only: false
tcp:
- addr: 9100
tls: true
- addr: 9200
- addr: 9300
tls: true
......
```
### Service
```bash
kubectl get service -n apisix apisix-gateway -o yaml
apiVersion: v1
kind: Service
metadata:
name: apisix-gateway
namespace: apisix
......
- name: proxy-tcp-0
nodePort: 31062
port: 9100
protocol: TCP
targetPort: 9100
- name: proxy-tcp-1
nodePort: 32600
port: 9200
protocol: TCP
targetPort: 9200
- name: proxy-tcp-2
nodePort: 32367
port: 9300
protocol: TCP
targetPort: 9300
......
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] cr7258 commented on pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
cr7258 commented on PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#issuecomment-1321380703
I know this feature was implemented in [this PR](https://github.com/apache/apisix-ingress-controller/pull/1051) for apisix ingress, but apisix doesn't support to enable tls in helm chart now, we only can set tcp port in the `stream_proxy.tcp` field in the values.yaml file.
```yaml
apisix:
stream_proxy:
tcp:
- 9100
- 9200
```
if we want to use this feature in apisix ingress, we must enable tls in apisix first. [So we should have the helm templates support to enable tls](https://github.com/apache/apisix-helm-chart/pull/401/files). like this:
```yaml
apisix:
stream_proxy:
tcp:
- addr: 9100
tls: true # enable tls for tcp 9100
- 9200
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] tao12345666333 merged pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
tao12345666333 merged PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] cr7258 commented on pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
cr7258 commented on PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#issuecomment-1357132708
> Basically LGTM, could you also update the docs to introduce the new field?
@tokers, I add a document to introduce how to use this field: [docs: add match stream route with SNI tutorial](https://github.com/apache/apisix-ingress-controller/pull/1543).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] tokers commented on a diff in pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
tokers commented on code in PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#discussion_r1066498687
##########
charts/apisix/templates/_pod.tpl:
##########
@@ -62,7 +62,11 @@ spec:
{{- if (gt (len .tcp) 0) }}
{{- range $index, $port := .tcp }}
- name: proxy-tcp-{{ $index | toString }}
+ {{- if kindIs "map" $port }}
+ containerPort: {{ $port.addr }}
Review Comment:
`addr` might contains IP, so here we cannot treat it as a port, we may need to use `splitList` to fetch the port from the `addr`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] tao12345666333 commented on a diff in pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on code in PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#discussion_r1037396654
##########
charts/apisix-ingress-controller/crds/customresourcedefinitions.yaml:
##########
@@ -1782,6 +1782,8 @@ spec:
match:
type: object
properties:
+ host:
Review Comment:
It's OK.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] tao12345666333 commented on pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#issuecomment-1357864518
Great! I will add this one to my list.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] tao12345666333 commented on a diff in pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on code in PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#discussion_r1067820498
##########
charts/apisix/templates/_pod.tpl:
##########
@@ -62,7 +62,11 @@ spec:
{{- if (gt (len .tcp) 0) }}
{{- range $index, $port := .tcp }}
- name: proxy-tcp-{{ $index | toString }}
+ {{- if kindIs "map" $port }}
+ containerPort: {{ $port.addr }}
Review Comment:
@cr7258 PTAL
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix-helm-chart] cr7258 commented on pull request #401: fix: enable tls for the tcp address
Posted by GitBox <gi...@apache.org>.
cr7258 commented on PR #401:
URL: https://github.com/apache/apisix-helm-chart/pull/401#issuecomment-1321381672
maybe I needn't change apisixroute CRD in [this commit](https://github.com/apache/apisix-helm-chart/pull/401/commits/71ecc8f98c2b90d1137c23112ddfe80726e87773)?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org