refactor

Author: AlinsRan

.github/workflows/notify-ee-build.yaml

@@ -0,0 +1,32 @@
+# Triggers a build in api7/aisix-ee whenever this repo is pushed to main or tagged.
+# On main push: dev-build event (aisix-ee uses branch="main" in Cargo.toml)
+# On v* tag: release-build event (aisix-ee CI patches Cargo.toml to use the tag)
+name: Notify EE Build
+
+on:
+  push:
+    branches: ["main"]
+    tags: ["v*"]
+
+jobs:
+  notify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dispatch to aisix-ee (dev build)
+        if: github.ref == 'refs/heads/main'
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # 4.0.1
+        with:
+          # PAT with repo scope for api7/aisix-ee, stored in api7/aisix secrets
+          token: ${{ secrets.EE_DISPATCH_TOKEN }}
+          repository: api7/aisix-ee
+          event-type: dev-build
+          client-payload: '{"sha": "${{ github.sha }}"}'
+
+      - name: Dispatch to aisix-ee (release build)
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # 4.0.1
+        with:
+          token: ${{ secrets.EE_DISPATCH_TOKEN }}
+          repository: api7/aisix-ee
+          event-type: release-build
+          client-payload: '{"tag": "${{ github.ref_name }}"}'

Cargo.lock

@@ -33,7 +33,7 @@ axum = { version = "0.8.9", features = [
 ], default-features = false }
 serde = "1.0.228"
 serde_json = "1.0"
-etcd-client = "0.18.0"
+etcd-client = { version = "0.18.0", features = ["tls-openssl"] }
 async-trait = "0.1"
 futures = "0.3"
 bytes = "1.0"
@@ -80,6 +80,11 @@ axum-server = { version = "0.8.0", default-features = false, features = [
 backon = { version = "1.6.0", default-features = false, features = [
   "tokio-sleep",
 ] }
+base64 = "0.22"
+
+[build-dependencies]
+vergen-git2 = { version = "9.1.0" }
+anyhow = "1"
 
 [dev-dependencies]
 tokio-test = "0.4"
@@ -88,10 +93,6 @@ pretty_assertions = "1.4"
 rstest = "0.26"
 tempfile = "3"
 
-[build-dependencies]
-anyhow = "1"
-vergen-git2 = { version = "9.1.0" }
-
 [patch.crates-io]
 opentelemetry = { git = "https://github.com/open-telemetry/opentelemetry-rust.git", rev = "965078315b58ae14725721735f1c8e2bc2d3b445" }
 opentelemetry_sdk = { git = "https://github.com/open-telemetry/opentelemetry-rust.git", rev = "965078315b58ae14725721735f1c8e2bc2d3b445" }

Cargo.toml

@@ -1,27 +1,37 @@
 use std::{env, fs, process};
 
-use anyhow::{Result, anyhow};
+use anyhow::{anyhow, Result};
 use vergen_git2::{Emitter, Git2Builder};
 
 fn main() -> Result<()> {
     build_ui()?;
 
-    Emitter::default()
+    // When built as a git dependency (no .git directory present), vergen_git2
+    // cannot read the SHA. We emit a fallback value and continue rather than
+    // failing the build.
+    let result = Emitter::default()
         .add_instructions(&Git2Builder::default().sha(true).build()?)?
-        .emit()?;
+        .emit();
+
+    if result.is_err() {
+        // Emit a placeholder so that code referencing VERGEN_GIT_SHA compiles.
+        println!("cargo:rustc-env=VERGEN_GIT_SHA=unknown");
+    }
 
     println!("cargo:rerun-if-changed=build.rs");
 
     Ok(())
 }
 
 fn build_ui() -> Result<()> {
+    let manifest_dir = env::var("CARGO_MANIFEST_DIR").unwrap_or_else(|_| ".".to_string());
+
     if env::var("CARGO_FEATURE_BUILD_UI").is_ok() {
         println!("cargo:rerun-if-changed=ui");
 
         let status = process::Command::new("pnpm")
             .args(["install", "--frozen-lockfile"])
-            .current_dir("ui")
+            .current_dir(format!("{manifest_dir}/ui"))
             .stdout(std::process::Stdio::inherit())
             .stderr(std::process::Stdio::inherit())
             .status()?;
@@ -35,7 +45,7 @@ fn build_ui() -> Result<()> {
 
         let status = process::Command::new("pnpm")
             .args(["run", "build"])
-            .current_dir("ui")
+            .current_dir(format!("{manifest_dir}/ui"))
             .stdout(std::process::Stdio::inherit())
             .stderr(std::process::Stdio::inherit())
             .status()?;
@@ -44,7 +54,7 @@ fn build_ui() -> Result<()> {
             return Err(anyhow!("failed to build ui with status: {}", status));
         }
     } else {
-        fs::create_dir_all("ui/dist")?;
+        fs::create_dir_all(format!("{manifest_dir}/ui/dist"))?;
     }
     Ok(())
 }

build.rs

@@ -20,13 +20,21 @@ const MAX_BACKOFF: Duration = Duration::from_secs(60);
 /// Initial backoff delay.
 const INITIAL_BACKOFF: Duration = Duration::from_secs(1);
 
+#[derive(Clone, Debug, Default, Deserialize)]
+pub struct EtcdTlsConfig {
+    pub ca_pem: Option<String>,
+    pub cert_pem: Option<String>,
+    pub key_pem: Option<String>,
+}
+
 #[derive(Clone, Debug, Deserialize)]
 pub struct Config {
     pub host: Vec<String>,
     pub prefix: String,
     pub timeout: u32,
     pub user: Option<String>,
     pub password: Option<String>,
+    pub tls: Option<EtcdTlsConfig>,
 }
 
 impl Default for Config {
@@ -37,6 +45,7 @@ impl Default for Config {
             timeout: 5,
             user: None,
             password: None,
+            tls: None,
         }
     }
 }
@@ -89,6 +98,64 @@ impl EtcdConfigProvider {
             opts = opts.with_user(user, password);
         }
 
+        // Enable TLS when any host uses the https:// scheme.
+        //
+        // We use the openssl-tls backend (not rustls) because the control-plane
+        // etcd certificate may have a misconfigured SAN (e.g. only an empty DNS
+        // name instead of the server IP).  With OpenSSL we can skip hostname
+        // verification while still validating the certificate chain against the
+        // supplied CA, which is equivalent to `curl --cacert` without `-k`.
+        let use_tls = config.host.iter().any(|h| h.starts_with("https://"));
+        if use_tls {
+            use openssl::ssl::SslVerifyMode;
+
+            let mut ssl_cfg = etcd_client::OpenSslClientConfig::default();
+
+            if let Some(tls_cfg) = &config.tls {
+                if let Some(ca_pem) = &tls_cfg.ca_pem {
+                    // ca_cert_pem() only loads the first certificate in a PEM
+                    // bundle.  Use stack_from_pem so that multi-cert bundles
+                    // (e.g. intermediate + root) are all added to the store.
+                    let ca_bytes = ca_pem.as_bytes().to_vec();
+                    ssl_cfg = ssl_cfg.manually(move |b| {
+                        for cert in openssl::x509::X509::stack_from_pem(&ca_bytes)? {
+                            b.cert_store_mut().add_cert(cert)?;
+                        }
+                        Ok(())
+                    });
+                }
+
+                if let (Some(cert_pem), Some(key_pem)) =
+                    (&tls_cfg.cert_pem, &tls_cfg.key_pem)
+                {
+                    ssl_cfg =
+                        ssl_cfg.client_cert_pem_and_key(cert_pem.as_bytes(), key_pem.as_bytes());
+                }
+            }
+
+            // Skip hostname/IP verification: the CP certificate SAN may not match
+            // the endpoint IP/hostname.  We still validate the certificate chain
+            // (preverify_ok covers chain errors).  Error code 64 is
+            // X509_V_ERR_IP_ADDRESS_MISMATCH; we allow it explicitly so that
+            // IP-addressed endpoints with a non-matching SAN still connect.
+            ssl_cfg = ssl_cfg.manually(|b| {
+                b.set_verify_callback(SslVerifyMode::PEER, |preverify_ok, ctx| {
+                    if preverify_ok {
+                        return true;
+                    }
+                    // Allow IP address mismatch and hostname mismatch errors.
+                    matches!(
+                        ctx.error().as_raw(),
+                        64 // X509_V_ERR_IP_ADDRESS_MISMATCH
+                        | 62 // X509_V_ERR_HOSTNAME_MISMATCH
+                    )
+                });
+                Ok(())
+            });
+
+            opts = opts.with_openssl_tls(ssl_cfg);
+        }
+
         let mut client = etcd_client::Client::connect(
             config
                 .host
@@ -99,7 +166,10 @@ impl EtcdConfigProvider {
         )
         .await?;
 
-        client.status().await.map(|_| Ok(client))?
+        // Use a KV.Get as the connectivity probe instead of Maintenance.Status.
+        // The API7 dp-manager only implements KV/Watch/Lease; calling Status
+        // returns HTTP 404 which tonic misparses as a gRPC framing error.
+        client.get("__probe__", None).await.map(|_| Ok(client))?
     }
 
     /// Spawn the long-running supervisor task that manages the watch stream