bug: stream_proxy upstream cannot resolve properly

[wey-gu]

Current Behavior

They could be resolved in apisix pod(am I right?)

bash-5.1# ping nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local -c 1
PING nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local (172.17.0.13): 56 data bytes
64 bytes from 172.17.0.13: seq=0 ttl=64 time=0.123 ms

--- nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.123/0.123/0.123 ms
bash-5.1# nslookup nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local
Server:     10.96.0.10
Address:    10.96.0.10:53

*** Can't find nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local: No answer

Name:   nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local
Address: 172.17.0.13

bash-5.1# hostname
apisix-6d89854bc5-5m788

While it ended up with following errors:

2022/11/15 12:26:59 [error] 44#44: *9538531 stream [lua] resolver.lua:47: parse_domain(): failed to parse domain: nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local, error: failed to query the DNS server: dns client error: 101 empty record received while prereading client data, client: 172.17.0.1, server: 0.0.0.0:9779
2022/11/15 12:26:59 [error] 44#44: *9538531 stream [lua] upstream.lua:79: parse_domain_for_nodes(): dns resolver domain: nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local error: failed to query the DNS server: dns client error: 101 empty record received while prereading client data, client: 172.17.0.1, server: 0.0.0.0:9779
2022/11/15 12:26:59 [error] 44#44: *9538531 stream [lua] init.lua:965: stream_preread_phase(): failed to set upstream: no valid upstream node while prereading client data, client: 172.17.0.1, server: 0.0.0.0:9779

Expected Behavior

Those stream_routes with upstream nodes like nebula-storaged-2.nebula-storaged-headless.default.svc.cluster.local could resolved

Error Logs

2022/11/15 12:26:59 [error] 44#44: *9538531 stream [lua] resolver.lua:47: parse_domain(): failed to parse domain: nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local, error: failed to query the DNS server: dns client error: 101 empty record received while prereading client data, client: 172.17.0.1, server: 0.0.0.0:9779
2022/11/15 12:26:59 [error] 44#44: *9538531 stream [lua] upstream.lua:79: parse_domain_for_nodes(): dns resolver domain: nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local error: failed to query the DNS server: dns client error: 101 empty record received while prereading client data, client: 172.17.0.1, server: 0.0.0.0:9779
2022/11/15 12:26:59 [error] 44#44: *9538531 stream [lua] init.lua:965: stream_preread_phase(): failed to set upstream: no valid upstream node while prereading client data, client: 172.17.0.1, server: 0.0.0.0:9779

Steps to Reproduce

minikube start --addons="default-storageclass" --extra-config=apiserver.service-node-port-range=1-65535
# NebulaGraph
curl -sL nebula-kind.siwei.io/install-on-k8s.sh | bash

#apisix
helm repo add apisix https://charts.apiseven.com
helm repo add bitnami https://charts.bitnami.com/bitnami

helm repo update

helm install apisix apisix/apisix \
  --set gateway.type=NodePort \
  --set gateway.stream.enabled=true \
  --set ingress-controller.enabled=true

kubectl edit ConfigMap apisix
# https://github.com/apache/apisix-helm-chart/issues/348
#      stream_proxy:                 # TCP/UDP proxy
#        only: false
#        tcp:                        # TCP proxy port list
#          - addr: 9100
#            tls: true
#          - addr: 9779
#            tls: true
#          - addr: 9559
#            tls: true

apisix_pod=$(kubectl get po -l \
    "app.kubernetes.io/name=apisix" -o name)

kubectl delete $apisix_pod

helm install apisix-dashboard apisix/apisix-dashboard 

# sign certs in host of minikube
mkcert -CAROOT
mkcert \
  'demo.siwei.io' localhost 127.0.0.1 ::1 \
  $(minikube ip) 10.1.1.168 \
  '*.nebula-storaged-headless.default.svc.cluster.local' \
  '*.nebula-metad-headless.default.svc.cluster.local'

# now add the certs in apisix siwth dashboard

apisix_pod=$(kubectl get po -l \
    "app.kubernetes.io/name=apisix" -o name)

kubectl exec -it $apisix_pod -- \
    curl http://127.0.0.1:9180/apisix/admin/stream_routes/1 \
    -H "X-API-KEY: $apisix_api_key" -X PUT -d \
'{
    "sni": "nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local",
    "upstream": {
        "nodes": {
            "nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local:9779": 1
        },
        "type": "roundrobin"
    }
}'

kubectl exec -it $apisix_pod -- \
    curl http://127.0.0.1:9180/apisix/admin/stream_routes/2 \
    -H "X-API-KEY: $apisix_api_key" -X PUT -d \
'{
    "sni": "nebula-storaged-1.nebula-storaged-headless.default.svc.cluster.local",
    "upstream": {
        "nodes": {
            "nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local:9779": 1
        },
        "type": "roundrobin"
    }
}'

kubectl exec -it $apisix_pod -- \
    curl http://127.0.0.1:9180/apisix/admin/stream_routes/3 \
    -H "X-API-KEY: $apisix_api_key" -X PUT -d \
'{
    "sni": "nebula-storaged-2.nebula-storaged-headless.default.svc.cluster.local",
    "upstream": {
        "nodes": {
            "nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local:9779": 1
        },
        "type": "roundrobin"
    }
}'

kubectl apply -f svc.yaml

# svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: apisix-svc
  labels:
    app.kubernetes.io/instance: apisix
    app.kubernetes.io/name: apisix
spec:
  selector:
    app.kubernetes.io/instance: apisix
    app.kubernetes.io/name: apisix
  ports:
    - protocol: TCP
      port: 9779
      targetPort: 9779
      name: thrift
      nodePort: 9779
  type: NodePort
###########
# expose the service
minikube service apisix-svc

Then call tcp over tls from the host like nebula-storaged-0.nebula-storaged-headless.default.svc.cluster.local:9779

BTW. After I changed upstream to the IP address, everything worked like a charm.

Environment

• APISIX version (run apisix version):

  ❯ helm list
  NAME                NAMESPACE   REVISION    UPDATED                                 STATUS      CHART                   APP VERSION
  apisix              default     1           2022-11-15 03:10:02.695689968 +0000 UTC deployed    apisix-0.11.2           2.15.0
  apisix-dashboard    default     1           2022-11-15 03:31:47.722413097 +0000 UTC deployed    apisix-dashboard-0.6.1  2.13.0

• Operating system (run uname -a):

❯ kubectl exec -it $apisix_pod -- uname -a
Defaulted container "apisix" out of: apisix, wait-etcd (init)
Linux apisix-6d89854bc5-5m788 5.4.0-131-generic #147-Ubuntu SMP Fri Oct 14 17:07:22 UTC 2022 x86_64 Linux

• OpenResty / Nginx version (run openresty -V or nginx -V):

  ❯ kubectl exec -it $apisix_pod -- openresty -V
  Defaulted container "apisix" out of: apisix, wait-etcd (init)
  nginx version: openresty/1.21.4.1
  built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424)
  built with OpenSSL 1.1.1g  21 Apr 2020
  TLS SNI support enabled
  configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_BASE_VER=1.21.4.1.1 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.21 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.11 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' --add-module=/tmp/tmp.M4fAebVwPS/openresty-1.21.4.1/../mod_dubbo-1.0.2 --add-module=/tmp/tmp.M4fAebVwPS/openresty-1.21.4.1/../ngx_multi_upstream_module-1.1.1 --add-module=/tmp/tmp.M4fAebVwPS/openresty-1.21.4.1/../apisix-nginx-module-1.9.0 --add-module=/tmp/tmp.M4fAebVwPS/openresty-1.21.4.1/../apisix-nginx-module-1.9.0/src/stream --add-module=/tmp/tmp.M4fAebVwPS/openresty-1.21.4.1/../apisix-nginx-module-1.9.0/src/meta --add-module=/tmp/tmp.M4fAebVwPS/openresty-1.21.4.1/../wasm-nginx-module-0.6.2 --add-module=/tmp/tmp.M4fAebVwPS/openresty-1.21.4.1/../lua-var-nginx-module-v0.5.3 --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module

• etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):

• APISIX Dashboard version, if relevant: n/a

• Plugin runner version, for issues related to plugin runners:

• LuaRocks version, for installation issues (run luarocks --version):

  ❯ kubectl exec -it $apisix_pod -- luarocks --version
  Defaulted container "apisix" out of: apisix, wait-etcd (init)
  /usr/local/bin/luarocks 3.8.0
  LuaRocks main command-line interface

[tzssangglass]

this is a known issue, ref: https://github.com/apache/apisix/issues/7733#issuecomment-1220852352

[spacewander]

Let's track them in one issue: #7733