feat(plugins) allow cross-namespace plugin references #5965
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #5965 +/- ##
========================================
- Coverage 74.0% 52.2% -21.8%
========================================
Files 182 182
Lines 18345 18416 +71
========================================
- Hits 13582 9624 -3958
- Misses 3825 8164 +4339
+ Partials 938 628 -310
Can we add an exemplar manifest for this functionality in `examples/`?
Some sort of nonsense apparently means the test... passes? but then leaves some of its resources around, furthermore preventing the test suite from finishing :( Ed: I am an idiot and committed the thing I did to stall another test to play around with integration test design 🤦
Add ReferenceGrant logic for KongPlugins. If a ReferenceGrant allows access to a KongPlugin from some plugin-associable resource, resources in the grant scope can apply the plugin as if they were a resource in the same namespace as the KongPlugin itself. For example, if a ReferenceGrant in namespace "alpha" allows KongConsumers in namespace "beta" to reference KongPlugins, a KongPlugin attached to a Service in alpha can generate service+consumer plugins where the service is generated from a Service in "alpha" and the consumer is generated from a KongConsumer in "beta". Without the grant, the KongPlugin can only generate service+consumer plugins for KongConsumers also in "alpha".
Disable a gosec lint that was obsoleted by Golang 1.22.
Mostly LGTM, some minor comments remaining.
What this PR does / why we need it:
Add a new colon-delimited value format for the `konghq.com/plugins` CSV annotation. The string before the colon indicates a remote KongPlugin namespace. This namespace must contain a ReferenceGrant that allows this reference.

While the existing `konghq.com/plugins: foo,bar` format loads plugins `foo` and `bar` from the same namespace as the annotated resource, the new `konghq.com/plugins: foo,alpha:bar` format loads `foo` from the local namespace and `bar` from the `alpha` namespace.

example_cross_plugin.yaml.txt provides a more complete example. Service `one` in namespace `pwuh` loads the `test` KongPlugin from the `pwuh` namespace as usual. Service `two` in namespace `fwuh` loads the same `test` KongPlugin from `pwuh`. It can do so because a ReferenceGrant in `pwuh` grants KongPlugin access to `fwuh` Services.

Which issue this PR fixes:
Fix #5355. Although the original request concerned KongClusterPlugins, using KongPlugins allows for a simpler security configuration model.
Review #5355 (comment) for additional background on why multi-entity plugins require grants to adhere to the Kubernetes namespace security model.
Special notes for your reviewer:
There was already a fair amount of code duplication in the plugin relationship builder. Ideally we'd do away with it, but I've left it around for the time being. The `isRemotePluginReferenceAllowed()` helper hopefully negates the worst of it by extracting most of the logic we need to duplicate into a separate function, so the duplicated code is just the function invocation.

PR Readiness Checklist:
Complete these before marking the PR as ready to review:
`CHANGELOG.md` release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR
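
The annotation format and grant requirement described in this PR, as an added Go example that is not the PR's code or the controller's implementation. `Grant`, `PluginRef`, `ResolvePlugins` and `allowed` are hypothetical names, the grant model is a simplified stand-in for a real ReferenceGrant, and treating an explicit same-namespace prefix as a local reference is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant is a hypothetical, simplified ReferenceGrant living in the KongPlugin's namespace.
type Grant struct{ Namespace, FromKind, FromNamespace string }

// PluginRef is one resolved entry of the konghq.com/plugins annotation.
type PluginRef struct{ Namespace, Name string }

// ResolvePlugins parses the CSV annotation value set on a resource of the given kind
// in localNS. A remote "ns:name" entry is an error unless a grant in ns allows it.
func ResolvePlugins(value, kind, localNS string, grants []Grant) ([]PluginRef, error) {
	var refs []PluginRef
	for _, item := range strings.Split(value, ",") {
		item = strings.TrimSpace(item)
		ns, name, prefixed := strings.Cut(item, ":")
		switch {
		case item == "":
			continue
		case !prefixed:
			refs = append(refs, PluginRef{localNS, item})
		case ns == "" || name == "" || strings.Contains(name, ":"):
			return nil, fmt.Errorf("malformed plugin reference %q", item)
		case ns != localNS && !allowed(grants, ns, kind, localNS): // assumption: own namespace needs no grant
			return nil, fmt.Errorf("no grant in %q lets %s in %q use plugin %q", ns, kind, localNS, name)
		default:
			refs = append(refs, PluginRef{ns, name})
		}
	}
	return refs, nil
}

// allowed is default-deny: only an exact plugin-namespace/kind/source-namespace match passes.
func allowed(grants []Grant, pluginNS, kind, fromNS string) bool {
	for _, g := range grants {
		if g.Namespace == pluginNS && g.FromKind == kind && g.FromNamespace == fromNS {
			return true
		}
	}
	return false
}

func main() { // constructed sample inputs
	fmt.Println(ResolvePlugins("local,pwuh:test", "Service", "fwuh", []Grant{{"pwuh", "Service", "fwuh"}}))
	fmt.Println(ResolvePlugins("pwuh:test", "Service", "other", nil)) // no grant: rejected
}
```

Because the whole annotation is rejected when any remote entry lacks a grant, a resource cannot partially attach plugins from a namespace that has not opted in.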