From 6d44e81235738a0466ec158dccfb73cb78af3f5a Mon Sep 17 00:00:00 2001
From: Chrono <chrono_cpp@me.com>
Date: Wed, 29 Nov 2023 11:15:13 +0800
Subject: [PATCH] feat(templates): add LMDB validation tag directive (#12026)

This PR adds validation of LMDB cache by Kong's version (major + minor),
wiping the content if tag mismatch to avoid compatibility issues
during minor version upgrade.

KAG-3093
---
 .requirements                                          |  2 +-
 .../unreleased/kong/bump-lua-resty-lmdb-1.4.0.yml      |  3 ---
 .../unreleased/kong/bump-lua-resty-lmdb-1.4.1.yml      |  3 +++
 .../unreleased/kong/introduce_lmdb_validation_tag.yml  |  6 ++++++
 kong/conf_loader/init.lua                              | 10 ++++++++++
 kong/templates/nginx_inject.lua                        |  5 +++++
 spec/01-unit/03-conf_loader_spec.lua                   |  8 ++++++++
 spec/01-unit/04-prefix_handler_spec.lua                |  6 ++++++
 spec/fixtures/custom_nginx.template                    |  5 +++++
 9 files changed, 44 insertions(+), 4 deletions(-)
 delete mode 100644 changelog/unreleased/kong/bump-lua-resty-lmdb-1.4.0.yml
 create mode 100644 changelog/unreleased/kong/bump-lua-resty-lmdb-1.4.1.yml
 create mode 100644 changelog/unreleased/kong/introduce_lmdb_validation_tag.yml

diff --git a/.requirements b/.requirements
index 0c18973a4b6..d3543e59b81 100644
--- a/.requirements
+++ b/.requirements
@@ -7,7 +7,7 @@ PCRE=8.45
 LIBEXPAT=2.5.0
 
 LUA_KONG_NGINX_MODULE=4fbc3ddc7dcbc706ed286b95344f3cb6da17e637 # 0.8.0
-LUA_RESTY_LMDB=d236fc5ba339897e8f2c6ada1c1b4ab9311feee8 # 1.4.0
+LUA_RESTY_LMDB=19a6da0616db43baf8197dace59e64244430b3c4 # 1.4.1
 LUA_RESTY_EVENTS=8448a92cec36ac04ea522e78f6496ba03c9b1fd8 # 0.2.0
 LUA_RESTY_WEBSOCKET=60eafc3d7153bceb16e6327074e0afc3d94b1316 # 0.4.0
 ATC_ROUTER=7a2ad42d4246598ba1f753b6ae79cb1456040afa # 1.3.1
diff --git a/changelog/unreleased/kong/bump-lua-resty-lmdb-1.4.0.yml b/changelog/unreleased/kong/bump-lua-resty-lmdb-1.4.0.yml
deleted file mode 100644
index ea9b62f3d99..00000000000
--- a/changelog/unreleased/kong/bump-lua-resty-lmdb-1.4.0.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-message: Bumped lua-resty-lmdb from 1.3.0 to 1.4.0
-type: dependency
-scope: Core
diff --git a/changelog/unreleased/kong/bump-lua-resty-lmdb-1.4.1.yml b/changelog/unreleased/kong/bump-lua-resty-lmdb-1.4.1.yml
new file mode 100644
index 00000000000..c355f59c972
--- /dev/null
+++ b/changelog/unreleased/kong/bump-lua-resty-lmdb-1.4.1.yml
@@ -0,0 +1,3 @@
+message: Bumped lua-resty-lmdb from 1.3.0 to 1.4.1
+type: dependency
+scope: Core
diff --git a/changelog/unreleased/kong/introduce_lmdb_validation_tag.yml b/changelog/unreleased/kong/introduce_lmdb_validation_tag.yml
new file mode 100644
index 00000000000..6fd2ea4357a
--- /dev/null
+++ b/changelog/unreleased/kong/introduce_lmdb_validation_tag.yml
@@ -0,0 +1,6 @@
+message: |
+  Validate LMDB cache by Kong's version (major + minor),
+  wiping the content if tag mismatch to avoid compatibility issues
+  during minor version upgrade.
+type: feature
+scope: Configuration
diff --git a/kong/conf_loader/init.lua b/kong/conf_loader/init.lua
index 7d8fb7a3f8c..b9823e7f260 100644
--- a/kong/conf_loader/init.lua
+++ b/kong/conf_loader/init.lua
@@ -1,6 +1,7 @@
 local require = require
 
 
+local kong_meta = require "kong.meta"
 local kong_default_conf = require "kong.templates.kong_defaults"
 local process_secrets = require "kong.cmd.utils.process_secrets"
 local nginx_signals = require "kong.cmd.utils.nginx_signals"
@@ -683,6 +684,12 @@ local _nop_tostring_mt = {
 }
 
 
+-- using kong version, "major.minor"
+local LMDB_VALIDATION_TAG = string.format("%d.%d",
+                                          kong_meta._VERSION_TABLE.major,
+                                          kong_meta._VERSION_TABLE.minor)
+
+
 local function parse_value(value, typ)
   if type(value) == "string" then
     value = strip(value)
@@ -2008,6 +2015,9 @@ local function load(path, custom_conf, opts)
     end
   end
 
+  -- lmdb validation tag
+  conf.lmdb_validation_tag = LMDB_VALIDATION_TAG
+
   -- Wasm module support
   if conf.wasm then
     local wasm_filters = get_wasm_filters(conf.wasm_filters_path)
diff --git a/kong/templates/nginx_inject.lua b/kong/templates/nginx_inject.lua
index 37164044ad5..06a0912e009 100644
--- a/kong/templates/nginx_inject.lua
+++ b/kong/templates/nginx_inject.lua
@@ -2,5 +2,10 @@ return [[
 > if database == "off" then
 lmdb_environment_path ${{LMDB_ENVIRONMENT_PATH}};
 lmdb_map_size         ${{LMDB_MAP_SIZE}};
+
+> if lmdb_validation_tag then
+lmdb_validation_tag   $(lmdb_validation_tag);
+> end
+
 > end
 ]]
diff --git a/spec/01-unit/03-conf_loader_spec.lua b/spec/01-unit/03-conf_loader_spec.lua
index 9a79256e3fa..10743b25eff 100644
--- a/spec/01-unit/03-conf_loader_spec.lua
+++ b/spec/01-unit/03-conf_loader_spec.lua
@@ -1,3 +1,4 @@
+local kong_meta = require "kong.meta"
 local conf_loader = require "kong.conf_loader"
 local utils = require "kong.tools.utils"
 local log = require "kong.cmd.utils.log"
@@ -16,6 +17,11 @@ ffi.cdef([[
 ]])
 
 
+local KONG_VERSION = string.format("%d.%d",
+                                   kong_meta._VERSION_TABLE.major,
+                                   kong_meta._VERSION_TABLE.minor)
+
+
 local function kong_user_group_exists()
   if C.getpwnam("kong") == nil or C.getgrnam("kong") == nil then
     return false
@@ -68,6 +74,7 @@ describe("Configuration loader", function()
     assert.same(nil, conf.privileged_agent)
     assert.same(true, conf.dedicated_config_processing)
     assert.same(false, conf.allow_debug_header)
+    assert.same(KONG_VERSION, conf.lmdb_validation_tag)
     assert.is_nil(getmetatable(conf))
   end)
   it("loads a given file, with higher precedence", function()
@@ -85,6 +92,7 @@ describe("Configuration loader", function()
     assert.same({"127.0.0.1:9001"}, conf.admin_listen)
     assert.same({"0.0.0.0:9000", "0.0.0.0:9443 http2 ssl",
                  "0.0.0.0:9002 http2"}, conf.proxy_listen)
+    assert.same(KONG_VERSION, conf.lmdb_validation_tag)
     assert.is_nil(getmetatable(conf))
   end)
   it("preserves default properties if not in given file", function()
diff --git a/spec/01-unit/04-prefix_handler_spec.lua b/spec/01-unit/04-prefix_handler_spec.lua
index 35c1d703e76..63052c965c0 100644
--- a/spec/01-unit/04-prefix_handler_spec.lua
+++ b/spec/01-unit/04-prefix_handler_spec.lua
@@ -1453,6 +1453,7 @@ describe("NGINX conf compiler", function()
       local main_inject_conf = prefix_handler.compile_nginx_main_inject_conf(helpers.test_conf)
       assert.not_matches("lmdb_environment_path", main_inject_conf, nil, true)
       assert.not_matches("lmdb_map_size", main_inject_conf, nil, true)
+      assert.not_matches("lmdb_validation_tag", main_inject_conf, nil, true)
     end)
 
     it("compiles a main NGINX inject conf #database=off", function()
@@ -1462,6 +1463,11 @@ describe("NGINX conf compiler", function()
       local main_inject_conf = prefix_handler.compile_nginx_main_inject_conf(conf)
       assert.matches("lmdb_environment_path%s+dbless.lmdb;", main_inject_conf)
       assert.matches("lmdb_map_size%s+2048m;", main_inject_conf)
+
+      local kong_meta = require "kong.meta"
+      local major = kong_meta._VERSION_TABLE.major
+      local minor = kong_meta._VERSION_TABLE.minor
+      assert.matches("lmdb_validation_tag%s+" .. major .. "%." .. minor .. ";", main_inject_conf)
     end)
   end)
 
diff --git a/spec/fixtures/custom_nginx.template b/spec/fixtures/custom_nginx.template
index abee4616d9b..e6498c1ef19 100644
--- a/spec/fixtures/custom_nginx.template
+++ b/spec/fixtures/custom_nginx.template
@@ -16,6 +16,11 @@ $(el.name) $(el.value);
 > if database == "off" then
 lmdb_environment_path ${{LMDB_ENVIRONMENT_PATH}};
 lmdb_map_size         ${{LMDB_MAP_SIZE}};
+
+> if lmdb_validation_tag then
+lmdb_validation_tag   $(lmdb_validation_tag);
+> end
+
 > end
 
 events {