feat: add support for multiple nacos instances and replace events library with shdict

[Revolyssup]

Description

• Currently nacos discovery uses event library and during testing it was found out that when using lua-resty-events, sometimes not all workers get the events. And inconsistencies emerge. Moreover the idiomatic way to share data between workers is through a shared dict. Therefore this PR migrates nacos from older events mechanism to newer shared dict way. Now only priviliged agent will fetch data from nacos and write to shdict while all workers will read from it.
• Currently nacos supports only a single nacos registry but users have use case of supporting multiple nacos registries. This PR adds support to specify discovery.nacos as an array of nacos instances each with unique ID.

NOTE: The older way of configuring nacos is still supported and older data will be valid. The older configuration now gets converted internally to new configuration before being passed onto the logic therefore making this change backwards compatible. Meaning users can use the single-instance configuration as well as multi instance configuration.

Fixes #11252

Checklist

• I have explained the need for this PR and the problem it solves
• I have explained the changes or the new features added to this PR
• I have added tests corresponding to this change
• I have updated the documentation to reflect this change
• I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

[kayx23]

Can remove this sentence and just add "title", e.g.

```yaml title="conf/config.yaml"

to the single and multi instances examples

[kayx23]

Put the single instance before multi, so the reading flows better because

[kayx23]

Not the right place to have this note under L7. Move it one level up.

[Revolyssup]

Do you mean the :::note section? It was here already. Do you want me to move it?

[bzp2010]

There are quite a few issues. I have already checked the hot paths in the code (excluding the utils section). You can take a look and refute the errors I have pointed out.

[bzp2010]

indent

[bzp2010]

Why is it necessary to retrieve potentially stale data using get_stale instead of get?

[Revolyssup]

This is to retrieve the old data when nacos is down.

[nic-6443]

Note that the value of an expired key is not guaranteed to be available so one should never rely on the availability of expired items.

try to use get_stale to retrieve expired item is unstable way.

[bzp2010]

What does this code mean?

Currently, nodes have been reduced to a mechanism that only reads from shdict. Before the code I selected, you did not attempt to initiate a request, so nodes would not suddenly be filled.
I understand that filling shdict is done by a decoupled privileged process, but I don't understand the value of using a spin lock-like mechanism for waiting here.

In my opinion, it should fast fail, which would cause APISIX to return a 503 error and print the log.

No matter how I look at it, it's strange that the request was blocked for 5 seconds because the service discovery provider did not return nodes.

[Revolyssup]

dict:get_stale is called before starting the wait. And if no value is found then it waits for "step" and tries again. It does that for 5 seconds. This waiting mechanism was already there before my PR. The only thing I have done here is replace get with get_stale for reasons mentioned in above comment.

[bzp2010]

It really depends on how you think the purpose of this PR is.

As I mentioned above, this logic is weird, so my suggestion is to remove it. Let this logic failfast instead of waiting for something.

If the upstream on a route is not loaded or does not exist at all, APISIX will obviously return 503 immediately.

You can request opinions from other reviewers here.

[Revolyssup]

@nic-6443 What do you think?

[nic-6443]

Aggre to remove it , this is weird.

[bzp2010]

Why check for configuration changes and rebuild the client?

1. init_worker is not called frequently; it is only called once when the privileged process starts. Therefore, when do you check for configuration changes?

2. You store nacos_clients in a global variable in the init.lua file, but regardless, the scope of this variable is limited to the LuaVM. Restarting the privileged process is equivalent to restarting the worker, which causes the LuaVM to be rebuilt, thereby clearing the table.
   Comparing the configuration version with an old client stored there seems pointless, as it will always fall into a branch where the old client no longer exists.

[bzp2010]

It seems that printing configurations are not secure.

If users are responsible for maintaining APISIX deployments, they can view these in the configuration files. The Control API itself should also be used by maintenance personnel, but we know that security controls on APIs are always difficult to configure correctly.

[Revolyssup]

I don't think so there is sensitive data in this configuration.

[bzp2010]

According to APISIX convention, you should use the meta table and _index. I don't remember us having such a precedent.

[bzp2010]

Suggested change

	["username"] = username,
	["password"] = password,
	username = username,
	password = password,

[bzp2010]

Suggested change

	local function is_grpc(scheme)
	if scheme == 'grpc' or scheme == 'grpcs' then
	return true
	end
	return false
	end
	local function is_grpc(scheme)
	return scheme == "grpc" or scheme == "grpcs"
	end

[bzp2010]

It seems unsafe.

[Revolyssup]

I think its okay to allow for non tls traffic for service discovery. Eureka service discovery code also has the same logic.

[bzp2010]

Is it possible to share services directly between http and stream, i.e., using meta shdict?

The specific reasons are as follows:
We do not configure discovery separately for http and stream in the configuration file; they always use the same provider or the same provider ID.
The only difference is that they may use different service names. However, we do not seem to need to concern ourselves with this.
In fact, you have already set https://github.com/apache/apisix/pull/12263/files#diff-ac8ce1b2b70b12a55abac8b1d508079cab4136f5bf830052ba325e543b04bf9eR130-R148, which includes both routes and stream routes.

[Revolyssup]

okay makes sense

[nic-6443]

CAUTION Avoid calling this method on dictionaries with a very large number of keys as it may lock the dictionary for significant amount of time and block Nginx worker processes trying to access the dictionary.

According to the OpenResty documentation, I realized that get_keys should be avoided. We can record services_in_use in a module variable so that by comparing the values of services_in_use of last time and this time executing the fetch_full_registry function, we can determine the changes without using get_keys.