apisix-ingress-controller icon indicating copy to clipboard operation
apisix-ingress-controller copied to clipboard

Published 20 hours ago verified publisher icon apache

request help: How to create a global rule for a cluster scoped plugin?

Open purefun opened this issue 2 years ago • 4 comments

Issue description

I can' find a config for enabling a global plugin. The only way to create a GlobalRule is apply a ApisixClusterConfig according to the code: https://github.com/apache/apisix-ingress-controller/blob/master/pkg/kube/translation/translator.go#L94-L97

But it can't config a plugin in ApisixClusterConfig spec.

Thank you for advance.

Environment

/ingress-apisix # ./apisix-ingress-controller version --long
Version: 1.4.1
Git SHA: no-git-module
Go Version: go1.16.15
Building OS/Arch: linux/amd64
Running OS/Arch: linux/amd64

Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.9", GitCommit:"9dd794e454ac32d97cde41ae10be801ae98f75df", GitTreeState:"clean", BuildDate:"2021-03-18T01:09:28Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.2", GitCommit:"092fbfbf53427de67cac1e9fa54aaa09a28371d7", GitTreeState:"clean", BuildDate:"2021-06-16T12:53:14Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"linux/amd64"}

purefun avatar Jun 27 '22 04:06 purefun

thanks for you report.

Currently ApisixClusterConfig only supports the configuration of two monitoring-related plugins, but this can be modified.

https://github.com/apache/apisix-ingress-controller/blob/9e0c658cd2387165b5e0b5fc8d91f6464e3ad406/samples/deploy/crd/v1/ApisixClusterConfig.yaml#L94-L110

I want to know if you have other specific scenarios that need to configure the global plugin. Another alternative is to create an ApisixPluginConfig to reduce some duplication of configuration.

tao12345666333 avatar Jun 27 '22 11:06 tao12345666333

We're using Argocd to achieve the GitOps principle. All route and plugin Configurations are templates of Helm chat. And we have two global plugins: request-id and http-logger. Because ApisixPluginConfig, ApisixRoute, and Service should be in the same namespace, It's hard to share ApisixPluginConfig when Service's namespaces are different.

purefun avatar Jun 27 '22 13:06 purefun

We're using response-rewrite plugin to remove sensitive infos from upstream or APISIX, such as x-apisix-upstream-status, x-envoy-upstream-service-time and so on.

So a global rule for a cluster scoped plugin will be easy to manager.

suninuni avatar Jul 28 '22 07:07 suninuni

Thanks for your information @purefun @suninuni

I will put this to v1.6

tao12345666333 avatar Jul 28 '22 11:07 tao12345666333

@AlinsRan can you make it happen?

tao12345666333 avatar Nov 25 '22 22:11 tao12345666333

This feature will be available in 1.7.0.

AlinsRan avatar Dec 08 '22 06:12 AlinsRan

Solution

  1. Added Plugins support on ApisixClusterConfig resources ApisixClusterConfig in the design and use of some ambiguity, in the multi-cluster architecture, ApisixClusterConfig currently used in the way and semantics are incorrect, its evolution direction to be discussed, in the unclear responsibilities are not recommended to change it. Similar to ApisixRoute, support more plugins by adding a Plugins field:
apiVersion: apisix.apache.org/v2
kind: ApisixClusterConfig
metadata:
  name: default
spec:
  plugins:
  - name: prometheus
    enable: true
  - name: limit-count
    enable: true
    config:
      time_window: 60
  1. Added Annotations support in ApisixPluginConfig By adding Annotations to extend the ability of ApisixPluginConfig to act globally, this approach improves the flexibility of ApisixPluginConfig. global: true Turn on global mode, allowing plugins to be applied to global: true rules.
apiVersion: apisix.apache.org/v2
kind: ApisixPluginConfig
metadata:
  name: plugin-config
  annotations:
   apisix.pache.org/global: true 
spec:
  plugins:
  - name: prometheus
    enable: true
  - name: limit-count
    enable: true
    config:
      time_window: 60
      policy: "local"
      count: 2
      key: "remote_addr"
      rejected_code: 503
  1. ApisixGlobalRule Added a new CRD resource, representing ApisixGlobalRule, which corresponds to the concept of APISIX global rules, is easy to understand, and can evolve with APISIX global rules.
apiVersion: apisix.apache.org/v2
kind: ApisixGlobalRule
metadata:
  name: apisix-plugins-cluster
spec:
  plugins:
  - name: prometheus
    enable: true
  - name: limit-count
    enable: true
    config:
      time_window: 60
      policy: "local"
      count: 2
      key: "remote_addr"
      rejected_code: 50

AlinsRan avatar Dec 30 '22 02:12 AlinsRan

I prefer the third way, which is simple enough to understand.

AlinsRan avatar Dec 30 '22 02:12 AlinsRan

Does it mean that with one of those approaches I'll see Prometheus plugin on Plugin List in APISIX Dashboard without additional manual clicking?

mkyc avatar Dec 30 '22 13:12 mkyc

Does it mean that with one of those approaches I'll see Prometheus plugin on Plugin List in APISIX Dashboard without additional manual clicking?

@mkyc I'm not sure what you mean by Plugin List. But if the global plugin is enabled, it means that the plugin will automatically take effect on the route

tao12345666333 avatar Jan 12 '23 06:01 tao12345666333