-
Notifications
You must be signed in to change notification settings - Fork 590
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: implement support for custom entities in DB-less mode #630
Conversation
Minor: we may want to support YAML here also, but it's trivial to add later if we want.
Any custom auth plugins that define credentials should fit this, but are presumably already covered by secret-based credentials. Do you have anything offhand that we can use for practical testing? I guess the OIDC JWKS entity works, even though it's weird to configure those statically.
Using a single key and single secret seems to be limiting this a bit too strictly. Would it make sense to use a label-based system like we use for secret credentials? I have several concerns with the current strategy:
|
I intentionally left those out. If this really comes up, we can add it.
Enterprise rate-limiting plugin for GraphQL. There are no OSS plugins using this currently. There are some plugins by community which could use this but will take longer to search on Github.
Do you mean label based flow for CACertificates? If so, this is intentionally designed to not do that. We want the owner of the controller to configure the reference for the secret containing the secret data. The secret itself could be managed by a different team but the owner of the controller should have the authority over which secret to use. This can be made more self-service if this feature actually takes off and users start using it.
I agree here and I did consider using this approach early on but decided against it for the following reason: Having said the above, it is important to figure out how the above concerns can be eliminated in future in a backwards compatible way. To do this, I think we can accomplish this in future if the need arises:
|
5e681c7
to
23c8c1d
Compare
Problem ------- As of today, there is no support in the controller for custom entities inside Kong. The core custom entities related to auth plugins are supported out of the box to cover all features that Kong supports out of the box. For Kong deployments backed by a database, a custom entity can be populated via the Admin API and the controller will leave those entities as is. These custom entities can then be referenced in plugin configuration. While not perfect, this works currently. For Kong deployments running without a database, there currently is no way to setup custom entities. Solution -------- This patch adds the ability to add in custom entities into DB-less instances via a Secret. The secret should have a JSON encoded representation of he custom entities inside a key with the name 'config'. The controller then ensures that the custom entities are populated into Kong. The solution only works for DB-less modes. Caveats ------- The solution here addresses only a limited number of cases where the custom entity is used by plugin configurations. There could be a number of cases where the custom entities have a direct relationship with core entities. Such cases are currently not supported as the controller doesn't provide any stable UUIDs for core entities. Future-work ----------- - Supporting custom entities which refer core entities of Kong can be added in future. As of today, I'm not aware of any use-cases that fall into this category. - Adding support for controller-managed entities for DB-mode is important but not supported by decK (the underlying sync library). decK's static nature makes it hard to extend it in any way currently. - There is no validation performed by the controller. In future, the controller can use `/schemas` endpoint on Kong's Admin API to perform validation and be more resilient.
23c8c1d
to
ee74626
Compare
Problem
As of today, there is no support in the controller
for custom entities inside Kong. The core custom entities related to
auth plugins are supported out of the box to cover all features that
Kong supports out of the box.
For Kong deployments backed by a database, a custom entity can be
populated via the Admin API and the controller will leave those entities
as is. These custom entities can then be referenced in plugin
configuration. While not perfect, this works currently.
For Kong deployments running without a database, there currently is no
way to setup custom entities.
Solution
This patch adds the ability to add in custom entities into DB-less
instances via a Secret. The secret should have a JSON encoded
representation of he custom entities inside a key with the name
'config'. The controller then ensures that the custom entities are
populated into Kong. The solution only works for DB-less modes.
Caveats
The solution here addresses only a limited number of cases where the
custom entity is used by plugin configurations.
There could be a number of cases where the custom entities have a direct
relationship with core entities. Such cases are currently not supported
as the controller doesn't provide any stable UUIDs for core entities.
Future-work
Supporting custom entities which refer core entities of Kong can be
added in future. As of today, I'm not aware of any use-cases that fall
into this category.
Adding support for controller-managed entities for DB-mode is important
but not supported by decK (the underlying sync library).
decK's static nature makes it hard to extend it in any way currently.
There is no validation performed by the controller. In future, the
controller can use
/schemas
endpoint on Kong's Admin API to performvalidation and be more resilient.