Ingress-nginx: Feature request: Allow custom Lua snippets
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): No
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): lua, custom
Is this a BUG REPORT or FEATURE REQUEST? (choose one): FEATURE REQUEST
It would be useful to have the ability to customize the init_lua_by_block configuration through the use of a configmap setting as with other things such as the http-snippet. Since you may only have one init_lua_by* block in an Nginx config, the only way to insert code that must live in the lua init presently is by utilizing an entirely custom nginx template. This would alleviate that requirement, and make it easier to keep custom code snippets while remaining on the current base image.
(This request is coming from a need to initialize a custom module, but I am sure that it would have other potential uses)
NGINX Ingress controller version: 0.13.0
Kubernetes version (use kubectl version): 1.9.4
- Cloud provider or hardware configuration: Irrelevant
- OS (e.g. from /etc/os-release): Irrelevant
- Kernel (e.g.
uname -a): Irrelevant - Install tools: N/A
- Others: N/A
What happened:
Needed to add a require statement within a init_lua_by* block, but no init_by_lua* blocks are customizable via ConfigMap.
What you expected to happen:
Providing a lua-snippet to the ConfigMap for ingress-nginx would allow dynamic insertion of code into the init_lua_by_block block.
How to reproduce it (as minimally and precisely as possible):
N/A
Anything else we need to know:
I've got a PR I'll be submitting with my idea for how to implement.
joshsouza
All 21 comments
@joshsouza I am not sure we should start adding this lua feature without a planning of what we want to support and how we are going to test it (from a dynamic lua point of view)
aledbf
on 26 Apr 2018
ping @ElvinEfendi
aledbf
on 26 Apr 2018
Totally understandable @aledbf, which is why I created a feature request. This is for consideration, and I'm providing a prototype PR for one way to achieve it, but as I lack the bigger vision for where things are going here I definitely think that the team should consider whether it's appropriate and how to support it.
joshsouza
on 26 Apr 2018
ut as I lack the bigger vision for where things are going here I definitely think that the team should consider whether it's appropriate and how to support it.
We need to write this in a proposal and include the doc in this repository.
Give us some time to prepare this and I will post a comment here so you can provide any feedback or suggestion in that PR
aledbf
on 26 Apr 2018
Any ETA on this?
I have a workaround for the issue we are trying to solve with this suggestion that I'd like to avoid, but if it will take more than a few weeks for this to go through proper process, I'll go ahead an pull the trigger on the workaround. If it won't take that long, we're ok holding off for the right solution.
joshsouza
on 16 May 2018
@joshsouza we don't have a concrete plan yet. Could you describe your use case?
We wanna build a proper plugin system. The current idea is to introduce CRD where users configure their plugin written in Lua and the controller automatically configures it.
It will definitely take more than a few weeks.
ElvinEfendi
on 16 May 2018
I want to use it for two main use cases around auth:
- to implement Auth0 - https://github.com/maxamante/auth0-nginx
- to extract custom jwt fields and inject them into headers #1850
I think using a CRD for that sounds great.
derekperkins
on 16 May 2018
We are attempting to utilize the Signal Sciences Nginx lua module as part of our ingress controllers. Critical information here: https://docs.signalsciences.net/faq/multiple-nginx-lua-scripts/
Basically, we have the module installed/available in the Nginx container, but in order to load it the Nginx configuration needs to be altered within the init_by_lua block, which is presently not something we can edit via the template.
The current workaround is to provide the entire Nginx config via configmap, which works, but then requires us to maintain parity between our configmap version and any future upgrades/changes, introducing technical debt, drift, and the risk of misconfiguration that would not be there if we could inject the necessary lua code via the template.
I think it'd be a great feature for you guys to consider, but for now we'll go ahead with the workaround we've got.
joshsouza
on 16 May 2018
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 14 Aug 2018
Was this work ever completed? It looks like the PR activity went quiet in June, and I can't seem to find any info other than removing the stale tag here.
We also have a use case for adding additional lua modules.
sudermanjr
on 5 Sep 2018
@sudermanjr not yet. In 0.19.0 a feature to handle SSL certificates with LUA was added (details). I think in the next two releases we could start with this feature
aledbf
on 5 Sep 2018
A nice feature. Is this in roadmap?
fkpwolf
on 9 Oct 2018
@fkpwolf yes it is
ElvinEfendi
on 9 Oct 2018
I would also really like to see this. Currently, I am able to run LUA as it seems access_by_lua is not yet used by ingress-nginx anywhere, so I can just add it to server snippet. It does feel like I am doing something that could break at any minute though....
It would also be nice to have a way of loading or including some other LUA modules (namely the rest of the open resty bundle).
The module I am using in particular is redis, not that its too relevant
rlees85
on 23 Oct 2018
Is this being worked on? I'd love to use the resty oidc modules to authenticate requests instead of using the auth-request method with the (now defunct?) bitly/oauth2_proxy.
logicfox
on 14 Dec 2018
Looks like both the issues refer each other and both are closed. Is this item planned.
raushan2016
on 10 Jan 2019
Please follow https://github.com/kubernetes/ingress-nginx/pull/3807 for the lua plugins implementation
aledbf
on 25 Feb 2019
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
fejta-bot
on 26 May 2019
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
fejta-bot
on 25 Jun 2019
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
fejta-bot
on 25 Jul 2019
@fejta-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with/reopen.
Mark the issue as fresh with/remove-lifecycle rotten.Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
k8s-ci-robot
on 25 Jul 2019
Related issues
natemurthy
路
3Comments
briananstett
路
3Comments
cehoffman
路
3Comments
whereisaaron
路
3Comments
oilbeater
路
3Comments
Most helpful comment
I want to use it for two main use cases around auth:
I think using a CRD for that sounds great.