Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lua plugin system - MVP #3807

Merged
merged 1 commit into from Apr 4, 2019
Merged

Conversation

ElvinEfendi
Copy link
Member

@ElvinEfendi ElvinEfendi commented Feb 25, 2019

What this PR does / why we need it:

This is more of an experiment at the moment! The PR implements basics of enabling and running trusted custom Lua code in different Nginx phases.

What's a plugin?
A plugin is set of Lua modules placed in /etc/nginx/lua/plugins/<plugin name>/. Every plugin has to have main.lua in the root. Every plugin has to bundle all of its dependencies. For now you can manually mount your plugins into that folder.

How to configure a plugin?
In main.lua implement rewrite, access, header or log functions to run your code in the corresponding Nginx phases. For an example check hello_world plugin included with this PR.

How to enable and set the order of my plugins?
In order to enable plugins you have to use a custom template. In your custom template change the argument of plugins.init({}) with the plugin names you would like to enable. The order will be respected when running the plugins. That's all.

Can I enable a plugin for a specific app?
Currently no, your plugin will be executed for every app. What you can do is, condition your logic on ngx.var.proxy_upstream_name that uniquely identifies your app and apply it to a specific app only.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes size/M approved labels Feb 25, 2019
@ElvinEfendi ElvinEfendi changed the title lua plugin system [wip] lua plugin system Feb 25, 2019
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress label Feb 25, 2019
@k8s-ci-robot k8s-ci-robot requested review from aledbf and bowei Feb 25, 2019
@@ -1021,6 +1030,10 @@ stream {
{{ end }}

rewrite_by_lua_block {
-- for the plugins enabled for this location
-- in this phase, run the like following
Copy link
Member Author

@ElvinEfendi ElvinEfendi Feb 25, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one can argue that the plugin itself knows better where it should be run - so maybe make this part of the plugin?

but on the other side there can be plugins that can be run in any phase maybe? and you'd wanna run it only in certain phase for your app

Copy link
Member Author

@ElvinEfendi ElvinEfendi Feb 25, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

another question is do we wanna have two different apps configure the same plugin in different phases?

probably not

Copy link
Member Author

@ElvinEfendi ElvinEfendi Feb 25, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe it's better to have plugins to define their public API based on phase name
and have plugin runner to check whether there's a function defined for the given phase in the given plugin and if so then run it.

with this then the controller won't have to care about what plugin is enabled in what phase and instead if would call plugins.run with the all enabled plugins regardless of the phase for the location.

the cons is this will add an overhead of iterating through plugins and checking which one has implementation for the given phase - but is this really a concern given it's not realistic for an app to enable thousands of plugins.

Copy link
Contributor

@wayt wayt Apr 3, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes sense to declare the phase a plugin must be run into the plugin definition itself (CRD).
or by using an exported array with phase list or having a separate function for each phase.

@discordianfish
Copy link
Contributor

@discordianfish discordianfish commented Mar 27, 2019

Nice!
@ElvinEfendi Are you still working on this? Or is this ready to get reviewed?

@ElvinEfendi
Copy link
Member Author

@ElvinEfendi ElvinEfendi commented Mar 27, 2019

@discordianfish still WIP, not ready for reviews yet

@ElvinEfendi
Copy link
Member Author

@ElvinEfendi ElvinEfendi commented Mar 27, 2019

but it would be really helpful if you describe your use case and how you'd like to plug in (configure) your plugin :) things like would you like it per app, or globally per ingress-nginx deployment etc.

@discordianfish
Copy link
Contributor

@discordianfish discordianfish commented Mar 28, 2019

@ElvinEfendi Oh sure! I came here from #1850. We have an internal service that provides a JWT after logging in and I want to redirect to that service, get the JWT and then decide in the ingress controller to allow/deny access.

Would strongly prefer doing it per app/ingress, so I can have a single nginx-ingress deployment for public and JWT authenticated endpoints etc.

Happy to help where I can, just let me know!

@mdarii
Copy link

@mdarii mdarii commented Mar 28, 2019

@ElvinEfendi do you have any ETA this feature could be ready?
I'm also interested in this feature

@ElvinEfendi ElvinEfendi changed the title [wip] lua plugin system lua plugin system Apr 4, 2019
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress label Apr 4, 2019
@ElvinEfendi ElvinEfendi changed the title lua plugin system lua plugin system - MVP Apr 4, 2019
@ElvinEfendi ElvinEfendi changed the title lua plugin system - MVP Lua plugin system - MVP Apr 4, 2019
@aledbf
Copy link
Member

@aledbf aledbf commented Apr 4, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Apr 4, 2019
@k8s-ci-robot
Copy link
Contributor

@k8s-ci-robot k8s-ci-robot commented Apr 4, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, ElvinEfendi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit acb36c0 into kubernetes:master Apr 4, 2019
2 of 3 checks passed
@ElvinEfendi ElvinEfendi deleted the lua-plugin-system branch Apr 4, 2019
@aledbf aledbf added this to done in 0.24.0 Apr 4, 2019
@aledbf
Copy link
Member

@aledbf aledbf commented Apr 8, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved cncf-cla: yes lgtm size/M
Projects
No open projects
0.24.0
  
done
Development

Successfully merging this pull request may close these issues.

None yet

6 participants