Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(plugins) allow cross-namespace plugin references #5965

Merged
merged 12 commits into from
May 16, 2024
Merged

Conversation

rainest
Copy link
Contributor

@rainest rainest commented May 4, 2024

What this PR does / why we need it:

Add a new colon-delimited value format for the konghq.com/plugins CSV annotation. The string before the colon indicates a remote KongPlugin namespace. This namespace must contain a ReferenceGrant that allows this reference.

While the existing konghq.com/plugins: foo,bar format loads plugins foo and bar from the same namespace as the annotated resource, the new konghq.com/plugins: foo,alpha:bar format loads foo from the local namespace and bar from the alpha namespace.

example_cross_plugin.yaml.txt provides a more complete example. Service one in namespace pwuh loads the test KongPlugin from the pwuh namespace as usual. Service two in namespace fwuh loads the same test KongPlugin from pwuh. It can do so because a ReferenceGrant in pwuh grants KongPlugin access to fwuh Services.

Which issue this PR fixes:

Fix #5355. Although the original request concerned KongClusterPlugins, using KongPlugins allows for a simpler security configuration model.

Review #5355 (comment) for additional background on why multi-entity plugins require grants to adhere to the Kubernetes namespace security model.

Special notes for your reviewer:

There was already a fair amount of code duplication in the plugin relationship builder. Ideally we'd do away with it, but I've left it around for the time being. The isRemotePluginReferenceAllowed() helper hopefully negates the worst of it by extracting most of the logic we need to duplicate into a separate function, so the duplicated code is just the function invocation.

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

  • the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR

Copy link

codecov bot commented May 4, 2024

Codecov Report

Attention: Patch coverage is 53.64238% with 70 lines in your changes are missing coverage. Please review.

Project coverage is 52.2%. Comparing base (d8c30ad) to head (bc9431b).
Report is 3 commits behind head on main.

❗ Current head bc9431b differs from pull request most recent head d779068. Consider uploading reports for the commit d779068 to get more accurate results

Files Patch % Lines
internal/gatewayapi/references.go 39.3% 35 Missing and 2 partials ⚠️
internal/dataplane/kongstate/kongstate.go 53.5% 32 Missing and 1 partial ⚠️
Additional details and impacted files
@@           Coverage Diff            @@
##            main   #5965      +/-   ##
========================================
- Coverage   74.0%   52.2%   -21.8%     
========================================
  Files        182     182              
  Lines      18345   18416      +71     
========================================
- Hits       13582    9624    -3958     
- Misses      3825    8164    +4339     
+ Partials     938     628     -310     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@rainest rainest changed the title feat(plugins) allow cross-namespace KCP plugins feat(plugins) allow cross-namespace plugin references May 8, 2024
@pull-request-size pull-request-size bot added size/XL and removed size/L labels May 8, 2024
internal/annotations/annotations.go Outdated Show resolved Hide resolved
internal/annotations/annotations.go Show resolved Hide resolved
internal/annotations/annotations.go Outdated Show resolved Hide resolved
internal/gatewayapi/contraints.go Outdated Show resolved Hide resolved
internal/gatewayapi/references.go Outdated Show resolved Hide resolved
internal/dataplane/kongstate/kongstate.go Show resolved Hide resolved
Copy link
Member

@pmalek pmalek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add an exemplar manifest for this functionality in examples/?

@rainest rainest requested a review from pmalek May 9, 2024 00:24
@rainest rainest force-pushed the feat/plugin-across branch 3 times, most recently from 98a7c41 to e87d9a1 Compare May 10, 2024 02:12
@rainest rainest force-pushed the feat/plugin-across branch 2 times, most recently from 3e2064b to 9859af0 Compare May 10, 2024 21:37
@rainest
Copy link
Contributor Author

rainest commented May 11, 2024

Some sort of nonsense apparently means the test... passes? but then leaves some of its resources around, furthermore preventing the test suite from finishing :(

Ed: I am an idiot and committed the thing I did to stall another test to play around with integration test design 🤦

rainest and others added 11 commits May 14, 2024 10:44
Add ReferenceGrant logic for KongPlugins. If a ReferenceGrant allows
access to a KongPlugin from some plugin-associable resource, resources
in the grant scope can apply the plugin as if they were a resource in
the same namespace as the KongPlugin itself.

For example, if a ReferenceGrant in namespace "alpha" allows
KongConsumers in namespace "beta" to reference KongPlugins, a KongPlugin
attached to a Service in alpha can generate service+consumer plugins
where the service is generated from a Service in "alpha" and the
consumer is generated from a KongConsumer in "beta". Without the grant,
the KongPlugin can only generate service+consumer plugins for
KongConsumers also in "alpha".
Disable a gosec lint that was obsoleted by Golang 1.22.
@rainest rainest marked this pull request as ready for review May 14, 2024 19:57
@rainest rainest requested a review from a team as a code owner May 14, 2024 19:57
Copy link
Contributor

@randmonkey randmonkey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly LGTM, some minor comments remaining.

internal/dataplane/kongstate/kongstate.go Show resolved Hide resolved
internal/gatewayapi/references.go Show resolved Hide resolved
@rainest rainest requested a review from randmonkey May 15, 2024 21:12
@rainest rainest merged commit e7b3048 into main May 16, 2024
37 checks passed
@rainest rainest deleted the feat/plugin-across branch May 16, 2024 17:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Plugin attachment to a group of resources from different namespaces
3 participants