Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support secret plugin config #1486

Merged
merged 4 commits into from
Dec 12, 2022
Merged

feat: support secret plugin config #1486

merged 4 commits into from
Dec 12, 2022

Conversation

An-DJ
Copy link
Contributor

@An-DJ An-DJ commented Dec 4, 2022
edited
Loading

Type of change:

  • Bugfix
  • New feature provided
  • Improve performance
  • Backport patches

What this PR does / why we need it:

Config in ApisixRoute and ApisixPluginConfig can be stored into and referred from the kubernetes secret.

A echo plugin demo is like below, the before_body and after_body can be stored in their corresponding secret.

apiVersion: v1
kind: Secret
metadata:
  name: echo
data:
  before_body: IlRoaXMgaXMgdGhlIHByZWZhY2Ui
  after_body: IlRoaXMgaXMgdGhlIGVwaWxvZ3VlIg==
---
apiVersion: apisix.apache.org/v2beta3
kind: ApisixRoute
metadata:
 name: httpbin-route
spec:
 http:
 - name: rule1
   match:
     hosts:
     - httpbin.org
     paths:
       - /ip
   backends:
   - serviceName: %s
     servicePort: %d
     weight: 10
   plugins:
   - name: echo
     enable: true
     config:
       headers:
         X-Foo: v1
         X-Foo2: v2
     secretRef: echo

Close #1408

Pre-submission checklist:

  • Did you explain what problem does this PR solve? Or what new features have been added?
  • Have you added corresponding test cases?
  • Have you modified the corresponding document?
  • Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

@An-DJ
feat: support secret plugin config
4e4e700 
Config in ApisixRoute and ApisixPluginConfig can be stored into and referred from kubernetes secret

Close apache#1408
@An-DJ
Copy link
Contributor Author

An-DJ commented Dec 4, 2022

@tao12345666333 PTAL

AlinsRan
AlinsRan reviewed Dec 5, 2022
View reviewed changes
pkg/providers/apisix/translation/apisix_pluginconfig.go Outdated
@@ -42,6 +42,11 @@ func (t *translator) TranslatePluginConfigV2beta3(config *configv2beta3.ApisixPl
zap.Any("new", plugin.Config),
)
}
if sec, err := t.SecretLister.Secrets(config.Namespace).Get(plugin.SecretConfig); err == nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there should be logs here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are errors being ignored here? There is no way for the user to know why their configuration (although wrong) is being ignored. At least we should print a log or add an error message to the sync status field.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

tao12345666333
tao12345666333 requested changes Dec 5, 2022
View reviewed changes
Copy link
Member

@tao12345666333 tao12345666333 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for your contribution.

There are some things that need to be modified:

pkg/kube/apisix/apis/config/v2/types.go Outdated
@@ -170,6 +170,8 @@ type ApisixRoutePlugin struct {
Enable bool `json:"enable" yaml:"enable"`
// Plugin configuration.
Config ApisixRoutePluginConfig `json:"config" yaml:"config"`
// Plugin configuration secretRef.
SecretConfig string `json:"secretConfig" yaml:"secretConfig"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer it called SecretRef. The semantics are clearer, this is a reference to the secret

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can be left unset, right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

pkg/kube/apisix/apis/config/v2beta3/types.go Outdated
@@ -161,6 +161,8 @@ type ApisixRouteHTTPPlugin struct {
Enable bool `json:"enable" yaml:"enable"`
// Plugin configuration.
Config ApisixRouteHTTPPluginConfig `json:"config" yaml:"config"`
// Plugin configuration secretRef.
SecretConfig string `json:"secretConfig" yaml:"secretConfig"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

v2beta3 is deprecated, we don't need to modify it anymore.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

lingsamuel
lingsamuel requested changes Dec 5, 2022
View reviewed changes
Copy link
Member

@lingsamuel lingsamuel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also need to update the documentation. And please fix the CI errors.

pkg/kube/apisix/apis/config/v2beta3/types.go Outdated Show resolved Hide resolved
pkg/providers/apisix/translation/apisix_pluginconfig.go Outdated
@@ -42,6 +42,11 @@ func (t *translator) TranslatePluginConfigV2beta3(config *configv2beta3.ApisixPl
zap.Any("new", plugin.Config),
)
}
if sec, err := t.SecretLister.Secrets(config.Namespace).Get(plugin.SecretConfig); err == nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are errors being ignored here? There is no way for the user to know why their configuration (although wrong) is being ignored. At least we should print a log or add an error message to the sync status field.

test/e2e/suite-plugins/suite-plugins-general/echo.go Outdated
resp.Status(http.StatusOK)
resp.Header("X-Foo").Equal("v1")
resp.Header("X-Foo2").Equal("v2")
resp.Body().Contains("This is the preface")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any way to check if it actually appears before the later one?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

pkg/kube/apisix/apis/config/v2beta3/types.go Outdated
@@ -161,6 +161,8 @@ type ApisixRouteHTTPPlugin struct {
Enable bool `json:"enable" yaml:"enable"`
// Plugin configuration.
Config ApisixRouteHTTPPluginConfig `json:"config" yaml:"config"`
// Plugin configuration secretRef.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should have a document/field comment that explains how the priority work if this conflicts with the Config fields.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An additional section Config with secretRef in apisix_route.md is added to explain that.

@An-DJ
feat: remove secretRef of plugins.config in v2beta3
dd9e470 
* remove secretRef of plugins.config in v2beta3
* add key logs output
* add test case to validate the plugins config priority
* add the corresponding doc section

Close apache#1408
@codecov-commenter
Copy link

Codecov Report

Merging #1486 (dd9e470) into master (ed92690) will decrease coverage by 0.20%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master    #1486      +/-   ##
==========================================
- Coverage   41.26%   41.06%   -0.21%     
==========================================
  Files          83       83              
  Lines        7365     7401      +36     
==========================================
  Hits         3039     3039              
- Misses       3972     4008      +36     
  Partials      354      354
Impacted Files Coverage Δ
...roviders/apisix/translation/apisix_pluginconfig.go 30.55% <0.00%> (-6.12%) ⬇️
pkg/providers/apisix/translation/apisix_route.go 30.48% <0.00%> (-1.03%) ⬇️
pkg/config/config.go 64.13% <0.00%> (ø)
pkg/apisix/cluster.go 36.12% <0.00%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@An-DJ
Copy link
Contributor Author

An-DJ commented Dec 7, 2022

Perhaps the unit-test-ci error was caused by network random delay. My local test has passed.

Could the test workflow be retriggered by hand?

@tao12345666333
Copy link
Member

OK

@tao12345666333 tao12345666333 merged commit 0009b5d into apache:master Dec 12, 2022
@tao12345666333 tao12345666333 added this to the v1.6.0 milestone Dec 12, 2022
@tao12345666333 tao12345666333 mentioned this pull request Dec 12, 2022
Closed
@An-DJ An-DJ deleted the secret-plugin-config branch December 13, 2022 01:00
@lpiob lpiob mentioned this pull request Mar 12, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlinsRan AlinsRan AlinsRan left review comments

@lingsamuel lingsamuel lingsamuel approved these changes

@tao12345666333 tao12345666333 tao12345666333 approved these changes

Assignees
No one assigned
Labels
area/controller
Projects
Apache APISIX Ingress controller
Status: Done
Milestone
v1.6.0
Development

Successfully merging this pull request may close these issues.

feat: Allow use of config maps and secrets in plugin configs
5 participants
@An-DJ @codecov-commenter @tao12345666333 @lingsamuel @AlinsRan