feat(deployment): data plane connects to control plane (apache#7417)

Signed-off-by: spacewander <[email protected]>

apisix/cli/file.lua

@@ -263,6 +263,17 @@ function _M.read_yaml_conf(apisix_home)
             default_conf.etcd = default_conf.deployment.role_data_plane.control_plane
             default_conf.apisix.enable_admin = false
         end
+
+        if default_conf.etcd and default_conf.deployment.certs then
+            -- copy certs configuration to keep backward compatible
+            local certs = default_conf.deployment.certs
+            local etcd = default_conf.etcd
+            if not etcd.tls then
+                etcd.tls = {}
+            end
+            etcd.tls.cert = certs.cert
+            etcd.tls.key = certs.cert_key
+        end
     end
 
     return default_conf

apisix/cli/schema.lua

@@ -327,6 +327,32 @@ local deployment_schema = {
             },
         },
         required = {"etcd", "role_control_plane"}
+    },
+    data_plane = {
+        properties = {
+            role_data_plane = {
+                properties = {
+                    config_provider = {
+                        enum = {"control_plane", "yaml"}
+                    },
+                },
+                required = {"config_provider"}
+            },
+            certs = {
+                properties = {
+                    cert = { type = "string" },
+                    cert_key = { type = "string" },
+                    trusted_ca_cert = { type = "string" },
+                },
+                dependencies = {
+                    cert = {
+                        required = {"cert_key"},
+                    },
+                },
+                default = {},
+            },
+        },
+        required = {"role_data_plane"}
     }
 }
 

apisix/core/etcd.lua

@@ -114,6 +114,19 @@ local function new()
             end
 
             proxy_by_conf_server = true
+
+        elseif local_conf.deployment.role == "data_plane" then
+            if has_mtls_support() and local_conf.deployment.certs.cert then
+                local cert = local_conf.deployment.certs.cert
+                local cert_key = local_conf.deployment.certs.cert_key
+
+                if not etcd_conf.tls then
+                    etcd_conf.tls = {}
+                end
+
+                etcd_conf.tls.cert = cert
+                etcd_conf.tls.key = cert_key
+            end
         end
     end
 

t/cli/test_deployment_data_plane.sh

@@ -30,13 +30,11 @@ deployment:
         config_provider: control_plane
         control_plane:
             host:
-                - http://127.0.0.1:2379
+                - https://127.0.0.1:12379
             prefix: "/apisix"
             timeout: 30
-    certs:
-        cert: /path/to/ca-cert
-        cert_key: /path/to/ca-cert
-        trusted_ca_cert: /path/to/ca-cert
+            tls:
+                verify: false
 ' > conf/config.yaml
 
 make run
@@ -61,3 +59,24 @@ if [ ! $code -eq 404 ]; then
 fi
 
 echo "passed: data_plane should not enable Admin API"
+
+echo '
+deployment:
+    role: data_plane
+    role_data_plane:
+        config_provider: control_plane
+        control_plane:
+            host:
+                - https://127.0.0.1:12379
+            prefix: "/apisix"
+            timeout: 30
+' > conf/config.yaml
+
+out=$(make run 2>&1 || true)
+make stop
+if ! echo "$out" | grep 'failed to load the configuration: https://127.0.0.1:12379: certificate verify failed'; then
+    echo "failed: should verify certificate by default"
+    exit 1
+fi
+
+echo "passed: should verify certificate by default"

t/cli/test_deployment_control_plane_customed_nginx.sh → t/cli/test_deployment_mtls.sh

@@ -55,3 +55,34 @@ if [ ! $code -eq 200 ]; then
 fi
 
 echo "passed: work well with etcd in control plane"
+
+echo '
+deployment:
+    role: data_plane
+    role_data_plane:
+        config_provider: control_plane
+        control_plane:
+            host:
+            - "https://admin.apisix.dev:22379"
+            prefix: "/apisix"
+            timeout: 30
+            tls:
+                verify: false
+    certs:
+        cert: t/certs/mtls_client.crt
+        cert_key: t/certs/mtls_client.key
+        trusted_ca_cert: t/certs/mtls_ca.crt
+' > conf/config.yaml
+
+rm logs/error.log
+make run
+sleep 1
+
+make stop
+
+if grep '\[error\] .\+ https://admin.apisix.dev:22379' logs/error.log; then
+    echo "failed: work well with control plane in data plane"
+    exit 1
+fi
+
+echo "passed: work well with control plane in data plane"