kong icon indicating copy to clipboard operation
kong copied to clipboard
verified publisher icon Kong

fix(*) drop luasocket in CLI

Open fffonion opened this issue 3 years ago • 5 comments

WIP, need to add ssl cafile support in kong migrations CLI; maybe that will benefit to kong vaults as well.

Summary

Full changelog

  • [Implement ...]
  • [Add related tests]
  • ...

Issue reference

Fix #[issue number]

fffonion avatar Jun 22 '22 09:06 fffonion

@fffonion I don't think this can be done, for the reasons you found out. I discussed it with @bungle as well for Vaults and other pieces that need it as a fallback. Even if it can be done, I think it would take more hackery than would be wise... The only proper way out I see would be for OR to support sockets in those phases, but that's a whole new challenge 🤷

Tieske avatar Jun 22 '22 12:06 Tieske

@Tieske How do you feel about https://github.com/Kong/kong/pull/8993/commits/a6a1c72aaf33f461b7e5f509737e637f17584f52 🤔 ? I haven't really tested it, but it shows proof of concept.

fffonion avatar Jun 22 '22 12:06 fffonion

I feel it could be done. Not sure how hackery is respawning (but I think we were already doing it, perhaps we need to do it twice, once to gather trusted certs and then to do what it was already doing). On my mind I though about similar resolution to the issue. The vaults currently do resolving of process secrets on CLI in timer phase with cosockets (no fallback to cosockets and pass the secrets to init with env var or on reload with a file), but they are missing support for trusted_certs currently. I think lua-resty-secrets (which integrated vault solution does not use) may work differently as it uses resty.socket or similar lib embedded. I am excited if we can get this working.

bungle avatar Jun 27 '22 08:06 bungle

lua-resty-aws and lua-resty-gcp both use LuaSocket fallbacks as well. Not sure how that works/fails with the current Vaults solution.

Tieske avatar Jun 27 '22 14:06 Tieske

@Tieske it seems the only two parts that does network connection is:

  1. cluster_events update its initial time (https://github.com/Kong/kong/pull/8993/files#diff-bf75cd7b30a4bf3453f56734db348cbed164bf32a6be22107e950c6f64fcd079L129) updated to the fallback method to use ngx.time() (let me know if it's a sane change)
  2. cache_warmup: move to a timer, i think this is fine, as it's running at the last part of init_worker and no other components seems to rely on it.

emmm there's actually more... i don't think we can get rid of luasocket. in that case, i'm going to explore making a luasec compat layer for boringssl.

fffonion avatar Jun 28 '22 03:06 fffonion

Closing because of lack of activity. We would like to accept this contribution if anyone wishes to pick this back up.

hbagdi avatar Oct 25 '22 21:10 hbagdi