rollouts-plugin-trafficrouter-gatewayapi icon indicating copy to clipboard operation
rollouts-plugin-trafficrouter-gatewayapi copied to clipboard

Published 20 hours ago verified publisher icon argoproj-labs

Proxy the plugin download via private registry

Open AnaGabrieleSoares opened this issue 10 months ago • 3 comments

Hi Argo team,

I hope you're doing well! My team is currently working on utilizing the trafficrouter-gatewayapi plugin, and for security reasons, we need to proxy the plugin download via Artifactory. Could you please advise on the best way to pass the Artifactory credentials to the plugin download process? Is something like this supported?

trafficRouterPlugins: |
  - name: "plugin-name"
    location: "plugin-path"
    args:
      - "--username=$(ARTIFACTORY_USERNAME)"
      - "--password=$(ARTIFACTORY_PASSWORD)"

We've also noticed that, regardless of whether the download was successful or not, the controller displays a message indicating that the download was successful. Increasing the log level didn't provide much additional information. Do you have any tips on how to troubleshoot the download process? especially since the Argo Rollouts image doesn't have a shell, which makes it a bit difficult to inspect the container

Thanks a lot for your help!

AnaGabrieleSoares avatar Jan 22 '25 16:01 AnaGabrieleSoares

In the last release we now package the plugin as a container image as well.

So you could upload the image in the docker registry of Artifactory and bring it in with an init container.

Something like this (values.yaml for the Helm chart of Argo Rollouts)

controller:
    initContainers:                                   
      - name: copy-gwapi-plugin
        image: ghcr.io/argoproj-labs/rollouts-plugin-trafficrouter-gatewayapi:v0.5.0
        command: ["/bin/sh", "-c"]                    
        args:
          - cp /bin/rollouts-plugin-trafficrouter-gatewayapi /plugins
        volumeMounts:                                 
          - name: gwapi-plugin
            mountPath: /plugins
    trafficRouterPlugins:                             
      trafficRouterPlugins: |-
        - name: argoproj-labs/gatewayAPI
          location: "file:///plugins/rollouts-plugin-trafficrouter-gatewayapi"  
    volumes:                                           
      - name: gwapi-plugin
        emptyDir: {}
    volumeMounts:                                      
      - name: gwapi-plugin
        mountPath: /plugins

In that case authentication happens with the same way that you already use for Artifactory images. The pull secrets of the cluster apply to init containers as well.

Would that process work for you?

We've also noticed that, regardless of whether the download was successful or not, the controller displays a message indicating that the download was successful. Increasing the log level didn't provide much additional information.

This sounds like a bug that should be reported in the main GitHub repo of the Argo Rollouts controller.

kostis-codefresh avatar Jan 23 '25 09:01 kostis-codefresh

Thank you @kostis-codefresh, let me give it a try!

AnaGabrieleSoares avatar Jan 23 '25 19:01 AnaGabrieleSoares

Also documented at https://rollouts-plugin-trafficrouter-gatewayapi.readthedocs.io/en/latest/installation/#installing-the-plugin-via-init-containers

kostis-codefresh avatar Feb 28 '25 11:02 kostis-codefresh