Lua plugin system - MVP #3807
Lua plugin system - MVP #3807
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
do-not-merge/work-in-progress
ElvinEfendi
force-pushed
the
lua-plugin-system
branch
from
4d06660
to
4351ccd
Compare
rootfs/etc/nginx/template/nginx.tmpl
Outdated
| @@ -1021,6 +1030,10 @@ stream { | |||
| {{ end }} | |||
|
|
|||
| rewrite_by_lua_block { | |||
| -- for the plugins enabled for this location | |||
| -- in this phase, run the like following | |||
There was a problem hiding this comment.
one can argue that the plugin itself knows better where it should be run - so maybe make this part of the plugin?
but on the other side there can be plugins that can be run in any phase maybe? and you'd wanna run it only in certain phase for your app
There was a problem hiding this comment.
another question is do we wanna have two different apps configure the same plugin in different phases?
probably not
There was a problem hiding this comment.
maybe it's better to have plugins to define their public API based on phase name
and have plugin runner to check whether there's a function defined for the given phase in the given plugin and if so then run it.
with this then the controller won't have to care about what plugin is enabled in what phase and instead if would call plugins.run with the all enabled plugins regardless of the phase for the location.
the cons is this will add an overhead of iterating through plugins and checking which one has implementation for the given phase - but is this really a concern given it's not realistic for an app to enable thousands of plugins.
There was a problem hiding this comment.
I think it makes sense to declare the phase a plugin must be run into the plugin definition itself (CRD).
or by using an exported array with phase list or having a separate function for each phase.
|
Nice! |
|
@discordianfish still WIP, not ready for reviews yet |
|
but it would be really helpful if you describe your use case and how you'd like to plug in (configure) your plugin :) things like would you like it per app, or globally per ingress-nginx deployment etc. |
|
@ElvinEfendi Oh sure! I came here from #1850. We have an internal service that provides a JWT after logging in and I want to redirect to that service, get the JWT and then decide in the ingress controller to allow/deny access. Would strongly prefer doing it per app/ingress, so I can have a single nginx-ingress deployment for public and JWT authenticated endpoints etc. Happy to help where I can, just let me know! |
|
@ElvinEfendi do you have any ETA this feature could be ready? |
ElvinEfendi
force-pushed
the
lua-plugin-system
branch
from
4351ccd
to
7fe299e
Compare
ElvinEfendi
force-pushed
the
lua-plugin-system
branch
from
041b354
to
8f81538
Compare
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aledbf, ElvinEfendi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
That's the plan @xanonid but, we are limiting access to plugins until we
are confident about the structure and behavior. That's why this is an MVP
requiring a manual process
…On Mon, Apr 8, 2019 at 11:15 AM xanonid ***@***.***> wrote:
It would be really nice if the list of active lua plugins could be adapted
more easily. Maintaining a custom >1000 line template just with a modified
plugins.init({}) line seems to be too involved. My suggestion would be a
command-line parameter / a config map options.
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#3807 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAJ3I85pV_tg8j77qZcdoiQiIgWFl5Fbks5ve10BgaJpZM4bPAmz>
.
|
What this PR does / why we need it:
This is more of an experiment at the moment! The PR implements basics of enabling and running trusted custom Lua code in different Nginx phases.
What's a plugin?
A plugin is set of Lua modules placed in
/etc/nginx/lua/plugins/<plugin name>/. Every plugin has to havemain.luain the root. Every plugin has to bundle all of its dependencies. For now you can manually mount your plugins into that folder.How to configure a plugin?
In
main.luaimplementrewrite,access,headerorlogfunctions to run your code in the corresponding Nginx phases. For an example checkhello_worldplugin included with this PR.How to enable and set the order of my plugins?
In order to enable plugins you have to use a custom template. In your custom template change the argument of
plugins.init({})with the plugin names you would like to enable. The order will be respected when running the plugins. That's all.Can I enable a plugin for a specific app?
Currently no, your plugin will be executed for every app. What you can do is, condition your logic on
ngx.var.proxy_upstream_namethat uniquely identifies your app and apply it to a specific app only.Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Special notes for your reviewer: