From 19d55a8c01684cf206677e05d20f081038d6f398 Mon Sep 17 00:00:00 2001 From: Guilherme Salazar Date: Wed, 19 Jul 2023 11:50:03 -0300 Subject: [PATCH] fix(wasm/config): correctly map inherited directives The Kong Wasm integration inherits certain configuration properties defined for Kong; among others, it inherits injected Nginx directives. As implemented in https://github.com/Kong/kong/pull/11218, the integration inherited certain directives from the `ngx_http_proxy_module`, while the desired behavior is to inherit from the `ngx_lua_module`, so that Lua and Wasm extensions operate under the same settings. This commit implements that change. --- kong/conf_loader/init.lua | 124 +++++++++--------------- spec/01-unit/04-prefix_handler_spec.lua | 80 +++++++++++---- 2 files changed, 107 insertions(+), 97 deletions(-) diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua index faab180ac067..fe370cc47b62 100644 --- a/kong/conf_loader/init.lua +++ b/kong/conf_loader/init.lua @@ -1856,6 +1856,53 @@ local function load(path, custom_conf, opts) end end + -- Wasm module support + if conf.wasm then + local wasm_filters = get_wasm_filters(conf.wasm_filters_path) + conf.wasm_modules_parsed = setmetatable(wasm_filters, _nop_tostring_mt) + + local function add_wasm_directive(directive, value, prefix) + local directive_name = (prefix or "") .. directive + conf[directive_name] = conf[directive_name] or value + end + + local wasm_main_prefix = "nginx_wasm_" + + -- proxy_wasm_lua_resolver is intended to be 'on' by default, but we can't + -- set it as such in kong_defaults, because it can only be used if wasm is + -- _also_ enabled. We inject it here if the user has not opted to set it + -- themselves. + add_wasm_directive("nginx_http_proxy_wasm_lua_resolver", "on") + + -- wasm vm properties are inherited from previously set directives + if conf.lua_ssl_trusted_certificate and #conf.lua_ssl_trusted_certificate >= 1 then + add_wasm_directive("tls_trusted_certificate", conf.lua_ssl_trusted_certificate[1], wasm_main_prefix) + end + + if conf.lua_ssl_verify_depth and conf.lua_ssl_verify_depth > 0 then + add_wasm_directive("tls_verify_cert", "on", wasm_main_prefix) + add_wasm_directive("tls_verify_host", "on", wasm_main_prefix) + add_wasm_directive("tls_no_verify_warn", "on", wasm_main_prefix) + end + + local wasm_inherited_injections = { + nginx_http_lua_socket_connect_timeout = "nginx_http_wasm_socket_connect_timeout", + nginx_proxy_lua_socket_connect_timeout = "nginx_proxy_wasm_socket_connect_timeout", + nginx_http_lua_socket_read_timeout = "nginx_http_wasm_socket_read_timeout", + nginx_proxy_lua_socket_read_timeout = "nginx_proxy_wasm_socket_read_timeout", + nginx_http_lua_socket_send_timeout = "nginx_http_wasm_socket_send_timeout", + nginx_proxy_lua_socket_send_timeout = "nginx_proxy_wasm_socket_send_timeout", + nginx_http_lua_socket_buffer_size = "nginx_http_wasm_socket_buffer_size", + nginx_proxy_lua_socket_buffer_size = "nginx_proxy_wasm_socket_buffer_size", + } + + for directive, wasm_directive in pairs(wasm_inherited_injections) do + if conf[directive] then + add_wasm_directive(wasm_directive, conf[directive]) + end + end + end + do local injected_in_namespace = {} @@ -1967,83 +2014,6 @@ local function load(path, custom_conf, opts) end end - -- WebAssembly module support - if conf.wasm then - - local wasm_directives = conf["nginx_wasm_main_directives"] - - local wasm_filters = get_wasm_filters(conf.wasm_filters_path) - conf.wasm_modules_parsed = setmetatable(wasm_filters, _nop_tostring_mt) - - -- wasm vm properties are inherited from previously set directives - if conf.lua_ssl_trusted_certificate then - if #conf.lua_ssl_trusted_certificate >= 1 then - insert(wasm_directives, { - name = "tls_trusted_certificate", - value = conf.lua_ssl_trusted_certificate[1], - }) - end - end - if conf.lua_ssl_verify_depth and conf.lua_ssl_verify_depth > 0 then - insert(wasm_directives, { - name = "tls_verify_cert", - value = "on", - }) - insert(wasm_directives, { - name = "tls_verify_host", - value = "on", - }) - insert(wasm_directives, { - name = "tls_no_verify_warn", - value = "on", - }) - end - - local found_proxy_wasm_lua_resolver = false - - for _, directive in ipairs(conf["nginx_http_directives"]) do - if directive.name == "proxy_connect_timeout" then - insert(wasm_directives, { - name = "socket_connect_timeout", - value = directive.value, - }) - elseif directive.name == "proxy_read_timeout" then - insert(wasm_directives, { - name = "socket_read_timeout", - value = directive.value, - }) - elseif directive.name == "proxy_send_timeout" then - insert(wasm_directives, { - name = "socket_send_timeout", - value = directive.value, - }) - elseif directive.name == "proxy_buffer_size" then - insert(wasm_directives, { - name = "socket_buffer_size", - value = directive.value, - }) - elseif directive.name == "large_client_header_buffers" then - insert(wasm_directives, { - name = "socket_large_buffers", - value = directive.value, - }) - elseif directive.name == "proxy_wasm_lua_resolver" then - found_proxy_wasm_lua_resolver = true - end - end - - -- proxy_wasm_lua_resolver is intended to be 'on' by default, but we can't - -- set it as such in kong_defaults, because it can only be used if wasm is - -- _also_ enabled. We inject it here if the user has not opted to set it - -- themselves. - if not found_proxy_wasm_lua_resolver then - insert(conf["nginx_http_directives"], { - name = "proxy_wasm_lua_resolver", - value = "on", - }) - end - end - for _, dyn_namespace in ipairs(DYNAMIC_KEY_NAMESPACES) do if dyn_namespace.injected_conf_name then sort(conf[dyn_namespace.injected_conf_name], function(a, b) diff --git a/spec/01-unit/04-prefix_handler_spec.lua b/spec/01-unit/04-prefix_handler_spec.lua index 26c1e15ae0a3..0f5bc0caf6d3 100644 --- a/spec/01-unit/04-prefix_handler_spec.lua +++ b/spec/01-unit/04-prefix_handler_spec.lua @@ -841,6 +841,7 @@ describe("NGINX conf compiler", function() return ngx_conf end local ngx_cfg = function(cfg, debug) return _compile(cfg, prefix_handler.compile_nginx_conf, debug) end + local kong_ngx_cfg = function(cfg, debug) return _compile(cfg, prefix_handler.compile_kong_conf, debug) end local debug = false it("has no wasm{} block by default", function() @@ -864,6 +865,18 @@ describe("NGINX conf compiler", function() ngx_cfg({ wasm = true, nginx_wasm_shm_cache="10m", nginx_wasm_shm_counters="10m"}, debug) ) end) + it("injects default configurations if wasm=on", function() + assert.matches( + ".+wasm_lua_resolver on;.+", + kong_ngx_cfg({ wasm = true, }, debug) + ) + end) + it("does not inject default configurations if wasm=off", function() + assert.not_matches( + ".+wasm_lua_resolver on;.+", + kong_ngx_cfg({ wasm = false, }, debug) + ) + end) it("injects runtime-specific directives (wasmtime)", function() assert.matches( "wasm {.+wasmtime {.+flag flag1 on;.+flag flag2 1m;.+}.+", @@ -938,48 +951,75 @@ describe("NGINX conf compiler", function() }, debug) ) end) - it("proxy_connect_timeout", function() + it("lua_socket_connect_timeout (http)", function() assert.matches( - "wasm {.+socket_connect_timeout 1s;.+}", - ngx_cfg({ + ".+wasm_socket_connect_timeout 1s;.+", + kong_ngx_cfg({ wasm = true, - nginx_http_proxy_connect_timeout = "1s", + nginx_http_lua_socket_connect_timeout = "1s", }, debug) ) end) - it("proxy_read_timeout", function() + it("lua_socket_connect_timeout (proxy)", function() assert.matches( - "wasm {.+socket_read_timeout 1s;.+}", - ngx_cfg({ + "server {.+wasm_socket_connect_timeout 1s;.+}", + kong_ngx_cfg({ wasm = true, - nginx_http_proxy_read_timeout = "1s", + nginx_proxy_lua_socket_connect_timeout = "1s", }, debug) ) end) - it("proxy_send_timeout", function() + it("lua_socket_read_timeout (http)", function() assert.matches( - "wasm {.+socket_send_timeout 1s;.+}", - ngx_cfg({ + ".+wasm_socket_read_timeout 1s;.+", + kong_ngx_cfg({ wasm = true, - nginx_http_proxy_send_timeout = "1s", + nginx_http_lua_socket_read_timeout = "1s", }, debug) ) end) - it("proxy_buffer_size", function() + it("lua_socket_read_timeout (proxy)", function() assert.matches( - "wasm {.+socket_buffer_size 1m;.+}", - ngx_cfg({ + "server {.+wasm_socket_read_timeout 1s;.+}", + kong_ngx_cfg({ wasm = true, - nginx_http_proxy_buffer_size = "1m", + nginx_proxy_lua_socket_read_timeout = "1s", }, debug) ) end) - it("large_client_header_buffers", function() + it("proxy_send_timeout (http)", function() assert.matches( - "wasm {.+socket_large_buffers 4 24k;.+}", - ngx_cfg({ + ".+wasm_socket_send_timeout 1s;.+", + kong_ngx_cfg({ + wasm = true, + nginx_http_lua_socket_send_timeout = "1s", + }, debug) + ) + end) + it("proxy_send_timeout (proxy)", function() + assert.matches( + "server {.+wasm_socket_send_timeout 1s;.+}", + kong_ngx_cfg({ + wasm = true, + nginx_proxy_lua_socket_send_timeout = "1s", + }, debug) + ) + end) + it("proxy_buffer_size (http)", function() + assert.matches( + ".+wasm_socket_buffer_size 1m;.+", + kong_ngx_cfg({ + wasm = true, + nginx_http_lua_socket_buffer_size = "1m", + }, debug) + ) + end) + it("proxy_buffer_size (proxy)", function() + assert.matches( + "server {.+wasm_socket_buffer_size 1m;.+}", + kong_ngx_cfg({ wasm = true, - nginx_http_large_client_header_buffers = "4 24k", + nginx_proxy_lua_socket_buffer_size = "1m", }, debug) ) end)