
feat: add a _before hook for plugins #7542

Closed

@guilhem
Contributor

guilhem commented Aug 25, 2021

Current plugin implementation prevents executing before ingress logic.
For example, it can be used to correctly set X-Forwarded-Proto before redirect logic.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Aug 25, 2021
@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Aug 25, 2021
@rikatz
Contributor

rikatz commented Oct 24, 2021

Hi @guilhem and thanks for your PR.

Can you please clarify for me when this hook would be required? I can see you adding it into the code but couldn't see why/the use case.

Thanks

@guilhem
Contributor Author

guilhem commented Oct 25, 2021

> Hi @guilhem and thanks for your PR.
>
> Can you please clarify for me when this hook would be required? I can see you adding it into the code but couldn't see why/the use case.
>
> Thanks

Hi @rikatz,
In my case, Cloudflare forwards requests without X-Forwarded-Proto set, making the backend URL rewrite fail.
Some may set it for all sites, but I can't in my case and I have to identify exactly.
I created a Lua Cloudflare plugin to set X-Forwarded-Proto correctly, but this plugin can't work without this change.

The problem is that, in rewrite_by_lua_block, balancer.rewrite() is before plugins.run().

@guilhem
Contributor Author

guilhem commented Oct 25, 2021

Current implementation is a custom template with plugin.run() set before balancer.rewrite(). It works in my case, but it can change current behavior in numerous instances.
Having a before hook looks better.

https://gist.github.com/guilhem/52a2722eceffcd7a29b3b5687deedcd6#file-main-lua
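
The ordering problem described in the two comments above, as a plain-Lua model added here (it is not code from the PR, the gist, or ingress-nginx). `redirect_logic`, `fix_proto`, `run_plugins`, `rewrite_phase` and the request fields are hypothetical stand-ins, and in this model hook names are fixed strings chosen by the dispatcher rather than values read from a request.

```lua
-- Constructed model of a rewrite phase; not ingress-nginx or PR code.
-- Every name below is hypothetical and exists only for this example.

-- Stand-in for the built-in step that runs before plugins: redirect to
-- HTTPS unless the request is already marked as HTTPS.
local function redirect_logic(req)
  if req.headers["X-Forwarded-Proto"] ~= "https" then
    req.redirected = true
  end
end

-- Stand-in plugin hook: restore X-Forwarded-Proto, but only for requests
-- that arrived through a proxy the operator trusts.
local function fix_proto(req)
  if req.trusted_proxy and not req.headers["X-Forwarded-Proto"] then
    req.headers["X-Forwarded-Proto"] = req.edge_scheme
  end
end

-- Call `hook` on every plugin that defines it. The hook name is a fixed
-- string passed by rewrite_phase, never derived from request data.
local function run_plugins(plugins, hook, req)
  for name, plugin in pairs(plugins) do
    if type(plugin[hook]) == "function" then
      local ok, err = pcall(plugin[hook], req)
      if not ok then print(name .. "." .. hook .. " failed: " .. tostring(err)) end
    end
  end
end

local function rewrite_phase(req, plugins)
  run_plugins(plugins, "rewrite_before", req) -- models the proposed hook
  redirect_logic(req)
  run_plugins(plugins, "rewrite", req)        -- models the existing hook
  return req
end

-- Constructed request: HTTPS at the edge, no X-Forwarded-Proto forwarded.
local function new_req()
  return { headers = {}, trusted_proxy = true, edge_scheme = "https", redirected = false }
end

local late = rewrite_phase(new_req(), { proto = { rewrite = fix_proto } })
local early = rewrite_phase(new_req(), { proto = { rewrite_before = fix_proto } })

assert(late.redirected == true)   -- header was set after the redirect decision
assert(early.redirected == false) -- header was set before the redirect decision
assert(late.headers["X-Forwarded-Proto"] == "https")
print("late:", late.redirected, "early:", early.redirected)
```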

@rikatz
Contributor

rikatz commented Oct 25, 2021

@tao12345666333 @ElvinEfendi thoughts on this?

@guilhem you use those with custom-snippets or something like that? Just curious :)

@guilhem
Contributor Author

guilhem commented Oct 25, 2021

> @guilhem you use those with custom-snippets or something like that? Just curious :)

Nope, it's a plugin installed on all ingress-nginx instances.

@tao12345666333
Member

Adding a hook does mean that we can do some things more flexibly.
But I would like to know if there are other usage scenarios?

@guilhem
Contributor Author

guilhem commented Oct 26, 2021

> Adding a hook does mean that we can do some things more flexibly.
> But I would like to know if there are other usage scenarios?

Main reason for me:
before hook for rewrite is mandatory.
It would be very strange and prone to error if only some steps have one and not others.

Other common usage of "before" hook can be to execute before all other plugins. Ordering can be important.

@rikatz
Contributor

rikatz commented Dec 30, 2021

Gotta say I'm still just worried about whether this can be used for evil :D

We've had some problems in the past with us not properly sanitizing things on the Lua side, so can this somehow be used by a malicious user to run something just by appending the _before suffix in some crafted annotation value?

Sorry for the dumb question :)

@guilhem
Contributor Author

guilhem commented Dec 30, 2021

You are questioning far beyond my skills ^^
I hope someone can answer it.

@rikatz
Contributor

rikatz commented Dec 30, 2021

No problem @guilhem :)

I will try to think a bit more as well. I'm not opposed to the feature, just don't wanna add something more that can turn into a future concern :)

@rikatz
Contributor

rikatz commented Jan 9, 2022

As per @theunrealgeek's mention in Slack:

"Following up on #7542 which adds the before hook to Lua plugins. At least in my opinion getting the Lua plugin installed needs quite elevated privileges, and any CVE like possibility is perhaps already present with what support exists and adding the before doesn't make it any worse.".

I can take that, so this is approved.

/approve
/lgtm
Thanks, and thanks @theunrealgeek for the review!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 9, 2022
@rikatz
Contributor

rikatz commented Jan 9, 2022

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 9, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: guilhem, rikatz

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 9, 2022
@rikatz
Contributor

rikatz commented Jan 9, 2022

/ok-to-test
Let's just let the e2e tests run first ;)

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 9, 2022
@k8s-ci-robot k8s-ci-robot added the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label May 16, 2022
Contributor

@iamNoah1 iamNoah1 left a comment

/kind bug
/triage accepted
/priority important-longterm

#6358

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Jun 15, 2022
@iamNoah1
Contributor

/lifecycle frozen

@k8s-ci-robot
Contributor

@iamNoah1: The lifecycle/frozen label cannot be applied to Pull Requests.

In response to this:

> /lifecycle frozen

@iamNoah1
Contributor

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jun 15, 2022
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 15, 2022
guilhem added 3 commits June 17, 2022 17:26
Current plugin implementation prevents executing before ingress logic.
For example, can be used to correctly set X-Forwarded-Proto before
redirect logic.

Signed-off-by: Guilhem Lettron <guilhem@barpilot.io>
@guilhem
Contributor Author

guilhem commented Jul 15, 2022

Gentle Ping

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 13, 2022
@k8s-triage-robot

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 12, 2022
@k8s-triage-robot

/close

@k8s-ci-robot
Contributor

@k8s-triage-robot: Closed this PR.

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/lua Issues or PRs related to lua code cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.