From 57472861b629d51ae1ec36a74c8434217d5d8c2c Mon Sep 17 00:00:00 2001
From: Nick Muerdter <12112+GUI@users.noreply.github.com>
Date: Wed, 24 Jan 2024 20:27:00 -0700
Subject: [PATCH] Bring back Trafficserver DNS configuration to try and improve resilience

Now that Envoy may be a remote server, it's possible it requires DNS lookups to connect. So bring back some of our older configuration to explicitly configure the DNS and keepalive settings, but with hard-coded long timeouts to try and ensure any DNS outages don't affect the Trafficserver to Envoy communication hop.
---
 .../utils/generate_runtime_config.lua | 1 +
 .../etc/trafficserver/records.config.etlua | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/src/api-umbrella/utils/generate_runtime_config.lua b/src/api-umbrella/utils/generate_runtime_config.lua
index 206a5c4c7..f91c74e7f 100644
--- a/src/api-umbrella/utils/generate_runtime_config.lua
+++ b/src/api-umbrella/utils/generate_runtime_config.lua
@@ -288,6 +288,7 @@ local function set_computed_config(config)
 end
 if #config["dns_resolver"]["_nameservers_nginx"] > 0 then
 config["dns_resolver"]["_nameservers_nginx"] = table.concat(config["dns_resolver"]["_nameservers_nginx"], " ")
+ config["dns_resolver"]["_nameservers_trafficserver"] = config["dns_resolver"]["_nameservers_nginx"]
 else
 config["dns_resolver"]["_nameservers_nginx"] = nil
 end
diff --git a/templates/etc/trafficserver/records.config.etlua b/templates/etc/trafficserver/records.config.etlua
index 01c942d2c..1a6de7465 100644
--- a/templates/etc/trafficserver/records.config.etlua
+++ b/templates/etc/trafficserver/records.config.etlua
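Review bot: The new `_nameservers_trafficserver` value is the very same space-joined string built for nginx on the line above, so the two resolvers now silently share one list syntax; if the form nginx's `resolver` directive wants ever diverges from what Trafficserver's `proxy.config.dns.nameservers` accepts (IPv6 bracketing or port suffixes are the usual differences), this is the line that breaks, and a comment should record the assumption: `-- Assumes Trafficserver's proxy.config.dns.nameservers accepts the same space-separated list as nginx's resolver directive; verify if either format changes.` The `else` branch clears `_nameservers_nginx` but never touches `_nameservers_trafficserver`, so for symmetry add `config["dns_resolver"]["_nameservers_trafficserver"] = nil` there too. The enclosing `set_computed_config` starts and ends outside the hunk.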
@@ -171,6 +171,27 @@ CONFIG proxy.config.http.response_server_enabled INT 0
 # that each host gets cached separately.
 CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
 
+# Set the DNS nameservers used to potentially resolve a remote envoy layer.
+CONFIG proxy.config.dns.resolv_conf STRING NULL
+<% if config["dns_resolver"]["_nameservers_trafficserver"] then %>
+CONFIG proxy.config.dns.nameservers STRING <%= config["dns_resolver"]["_nameservers_trafficserver"] %>
+<% end %>
+
+<% if config["dns_resolver"]["allow_ipv6"] then %>
+CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;ipv6;only
+<% else %>
+CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;only
+<% end %>
+
+# Allow old DNS results to be used while new ones are fetched in the
+# background. Since we're only resolving the possible remote envoy host at this
+# layer, this just helps things remain up even if DNS goes down temporarily.
+CONFIG proxy.config.hostdb.serve_stale_for INT 5184000 # 60 days
+
+# For hosts that don't exist, remember the invalid DNS responses, since we
+# assume the Envoy resolution really shouldn't fail.
+CONFIG proxy.config.hostdb.fail.timeout INT 5184000 # 60 days
+
 # Use more standard round-robin for DNS results (rather than sticky).
 CONFIG proxy.config.hostdb.strict_round_robin INT 1
 
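Review bot: `proxy.config.hostdb.fail.timeout INT 5184000` negative-caches a failed lookup for 60 days, which works against the resilience goal stated in the commit: as I read that setting, a single NXDOMAIN or SERVFAIL for the Envoy host during a DNS outage or a rename would be remembered until the entry expires or the hostdb cache is cleared, rather than retried, whereas `serve_stale_for` already covers the case where an earlier good answer exists. A negative TTL on the order of a minute is the safer choice here; also keep the "60 days" rationale in the comment above the line rather than as a trailing `# 60 days`, since no other CONFIG line on this page carries an inline comment and it is not obvious records.config tolerates one. Separately, `proxy.config.dns.resolv_conf STRING NULL` is emitted unconditionally while `proxy.config.dns.nameservers` is emitted only when `_nameservers_trafficserver` is set, so in the fallback case (no nameservers computed by `set_computed_config`) Trafficserver is left with neither; if the intent there is to fall back to the system resolver, move the `resolv_conf` line inside the same `<% if %>` block.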
@@ -179,6 +200,11 @@ CONFIG proxy.config.hostdb.strict_round_robin INT 1
 CONFIG proxy.config.net.sock_option_flag_in INT 3
 CONFIG proxy.config.net.sock_option_flag_out INT 3
 
+# Keepalive connections to backend Envoy server. Retain some idle connections
+# open to improve performance.
+CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT <%= config["router"]["api_backends"]["keepalive_idle_timeout"] %>
+CONFIG proxy.config.http.per_server.connection.min INT <%= config["router"]["api_backends"]["keepalive_connections"] %>
+
 <% if config["envoy"]["scheme"] == "https" then %>
 CONFIG proxy.config.ssl.client.verify.server.properties STRING ALL
 CONFIG proxy.config.ssl.client.verify.server.policy STRING ENFORCED
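Review bot: `proxy.config.http.per_server.connection.min` is, as I understand it, a floor on the connections Trafficserver keeps open to each origin, whereas `keepalive_connections` is presumably (from its name and its `api_backends` siblings) the size of an idle keepalive pool in the nginx sense; if that reading is right, a generous pool setting would force Trafficserver to hold at least that many connections to Envoy, which is a different contract from what the comment "Retain some idle connections" suggests. Record the assumption next to the line: `# per_server.connection.min is a minimum kept open, not an idle-pool cap; keepalive_connections is reused here on the assumption that many warm connections to Envoy are wanted.` Likewise confirm that `keepalive_idle_timeout` is expressed in seconds, since `keep_alive_no_activity_timeout_out` is and the value is interpolated raw with no unit conversion.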