[HN Gopher] Traefik, Now With Native Go Plugins ___________________________________________________________________ Traefik, Now With Native Go Plugins Author : emilevauge Score : 118 points Date : 2020-09-23 15:43 UTC (7 hours ago) (HTM) web link (traefik.io) (TXT) w3m dump (traefik.io) | djsumdog wrote: | I replaced my haproxy setup with Traefik and it works pretty | wonderfully. The LetsEncrypt integration works really well. | | I don't really have any interest in plugins personally, but this | is still quite an amazing project. | rileymichael wrote: | The only thing keeping me from switching is the removal of | "distributed LetsEncrypt" in 2.0. I get that it's a non-issue | for k8s setups with cert-manager, but people aren't always | using k8s and it's still a feature in the enterprise edition. | 3np wrote: | Could you elaborate what you mean? While it'd be ideal to | store certs in vault, I'm having it run fine in orchestrated | containerization with the cert storage on a distributed | filesystem. | JanMa wrote: | I am really happy to finally see them adding some functionality | to add custom middlewares to Traefik. However it leaves a bad | taste in my mouth that in order to use it, you have to sign up to | their new SaaS. Especially when keeping in mind that this is the | "most requested feature" of the community. | castis wrote: | There hadn't been an elegant way to get geoip information to | downstream nginx servers until this. | | Fantastic, looking forward to playing with this. | password4321 wrote: | Does anyone have time to explain the downsides of the HashiCorp | plugin approach (gRPC to another process) vs. creating an | interpreter? | | https://github.com/hashicorp/go-plugin | throwaway894345 wrote: | Using an interpreter locks you into the interpreter's language | (e.g., no NodeJS, Python, etc plugins), but you are able to | pass around memory and call procedures from the host program | directly instead of having to write an IPC shim layer. | | EDIT: Updated for accuracy | thegeekpirate wrote: | They actually created their own interpreter | https://github.com/traefik/yaegi | | Here's their original announcement post | https://traefik.io/blog/announcing-yaegi-263a1e2d070a | throwaway894345 wrote: | oof, I noticed that they referenced a different | interpreter; didn't realize they also created it. My bad. | tapirl wrote: | I never built Traefik successfully. The same is for tag v2.3.0. | | $ go build ./... go: finding module for package | github.com/traefik/traefik/v2/autogen/genstatic | cmd/traefik/traefik.go:18:2: module | github.com/traefik/traefik@latest found (v1.7.26), but does not | contain package github.com/traefik/traefik/v2/autogen/genstatic | jspdown wrote: | In order to build Traefik you have to get go-bindata and run | the go generate command. You can find more information on | https://doc.traefik.io/traefik/contributing/building-testing... | tapirl wrote: | Got it. Built in successfully now. Thanks. | d33 wrote: | I wish I could like Traefik, but it really isn't easy. | | The use case in our Hackerspace was to dispatch different Docker | containers through our wild-card subdomains. Traefik is supposed | to also automatically create TLS certificates. I had numerous | problems with the Let's Encrypt functionality. | | Debugging information is quite cryptic, the documentation seems | all over to me, which is even more problematic given the number | of breaking changes between 1.x and 2.x versions. The way you | automatically configure things through Docker labels means that a | simple typo can render your configuration ignored. | | Also, plugging in Traefik to complex docker-compose projects such | as Sentry or Gitlab is next to impossible, because of networking: | whatever I tried, Traefik just couldn't pick up containers and | forward to them unless I changed the definition of every single | container in the docker-compose to include an extra network. I | don't feel this should be this complex. | | Sometimes I just feel that we should get back to using Nginx and | write our rules manually. While the concept of Traefik is | awesome, the way one uses it is extremely cumbersome. | fuzzy2 wrote: | I actually have the same setup and it's working perfectly fine, | even with my IPv4+6 specific address only config + lots of | file-based configuration. I absolutely recommend using the TLS | challenge with Let's Encrypt. | | No problems with Docker (Compose) networks either, but I'm not | using it with GitLab because I have enough IPs. | | The biggest problem I see is the accumulation of certificates | that will all be kept up-to-date, whether in use or not. | zwayhowder wrote: | I also have a working system that I found very easy (for me) | to setup. | | Recently it all came crashing down when an old domain I had | expired and I was no longer able to update the DNS in Digital | Ocean. The one - unused - domain failing stopped Traefik | renewing all my certificates. But I'm also on 1.7 still and | really should update to 2.x | atombender wrote: | I worked on a project last year where we tried using Traefik on | Kubernetes together with Let's Encrypt certs. It worked... | sometimes. | | We had significant issues with Traefik not allocating or | renewing certs, resulting in some painful outages. The worst | part was that there was no workaround; when adding a new domain | to an ingress, it was completely incomprehensible why Traefik | wasn't requesting a cert, or indeed why it wasn't renewing | older ones that were close to expiration. We filed GitHub | issues with concrete errors, but they were never addressed. At | the time, I tried to debug Traefik to understand how it worked | and maybe chase down some of those bugs. I don't like to speak | ill of other people's code -- let's just say that peeking under | the covers made me realize _perfectly_ why Traefik was so | brittle and buggy. | | We eventually ditched Traefik in favour of Google Load Balancer | ingresses, combined with Cert-Manager for Let's Encrypt, and | this combination worked flawlessly out of the box despite not | being a 1.0 release at the time. The beauty of this setup is | that the control plane (cert and ingress configuration) is kept | separate from the data plane (web server), so the two can be | maintained and upgraded/replaced separately. | pibefision wrote: | I second this. It's incredible complex to debug how Traefik | understand it's configuration, and also documentation and | examples over the internet are very confusing because the | version 1.x vs 2.x changes. | kalev wrote: | Ouch, we're currently using nginx but recently switched one | service to use traefik. I'm so afraid what you describe is what | will bite us in the end. I wrote treafik instead of traefik in | one of the labels and only noticed it after hours of debugging. | When it works, it works great. But to get it in that state.. | viraptor wrote: | I see where the op is coming from, but I found the debugging | quite easy in practice. If something doesn't work, go to the | traefik panel and find the element you're looking for. If | it's not there, it's normally fairly obvious. | codethief wrote: | I've been wanting to use Traefik for a long time but there's this | security issue[0] that's almost two(!) years old now that's been | keeping me from deploying it in production. As far as I can tell, | there's still no out-of-the-box solution that's not overly | complicated and won't come back to haunt me a year or two from | now. | | [0] https://github.com/traefik/traefik/issues/4174 | | [1] https://doc.traefik.io/traefik/providers/docker/#docker- | api-... | TheDong wrote: | That so called "security issue" is silly. | | You don't have to deploy traefik with docker. If you want | traefik to monitor new docker containers to add routes for | them, of course traefik needs to talk to the docker api to do | so. | | The docker api has no way to control access such that it's not | equivalent to root access. | | However, there's no real vulnerability. I'm happy to provide | you a url hosted by traefik with the docker integration | enabled, no docker socket proxy, etc, and if you can manage to | actually escalate permissions, I'll give you 500 bucks. But, of | course, you can't. That security issue is just a "defense in | depth" issue, and it's an issue for docker, not traefik. | | This would be like saying "traefik uses the linux kernel api to | open files, but the linux kernel requires traefik validate what | goes into that api or else it could allow file path | traversal"... But traefik does validate filepaths and so no one | makes that complaint. | | Similarly, traefik does validate that only safe docker api | calls are made and works hard to prevent any sort of remote | code execution, so the issue is not a security issue, but a | defense in depth proposal that is really a feature request for | the docker project. | kayson wrote: | This is very easily solved by using a proxy for the docker | socket: | | https://github.com/Tecnativa/docker-socket-proxy | | https://github.com/traefik/traefik/issues/4174#issuecomment- | | Create a private network that only connects Traefik and the | proxy, and limit Traefik's access to only the GET requests it | needs to operate. Now the socket is only exposed to a local | container. | emilevauge wrote: | This security issue is not that simple to manage as you | probably know. It's mainly due to the fact that there is now | way to have authorization on the the docker API. This is not | the case on Kubernetes for example where you have RBAC to | prevent this kind of issue. We have described this in detail in | our documentation, and you have many solutions/workarounds to | address this: | https://doc.traefik.io/traefik/providers/docker/#docker-api-... | Spivak wrote: | Yeah, I'm surprised that this is such a sticking point. | There's nothing that anyone who isn't Docker Inc. can do to | fix the problem that, by default, Docker is all or nothing. | It would be nice if Docker could expose a read-only endpoint | but c'est la vie. | | The only solution I've seen/used that wasn't convoluted or | brittle is running a little daemon to just shovel container | metadata into Consul and going from there. | 3np wrote: | You've probably discounted this for some reason already, but | why not use something more built for service discovery - e.g. | Consul Catalog / k8s / etcd? | rcarmo wrote: | I would _really_ like to see social auth middleware (something | like authelia, but simpler to setup and deploy, especially as an | ingress). | jerryoftheyear wrote: | Sign me up for an easy to use 2FA layer I can put in front of | services. | thegagne wrote: | I've been toying with Azure OpenID Connect w/ Cloudflare | Workers. Not local to the datacenter but you could probably | do something similar elsewhere? | rad_gruchalski wrote: | Like this but a plugin? https://github.com/thomseddon/traefik- | forward-auth | thomseddon wrote: | I'm planning to release this as a plugin :) | mvertes wrote: | Awesome use of yaegi interpreter! | kodablah wrote: | So the Go middleware is interpreted? Curious how that works | with a request lazy/large body reader and a response lazy/large | body writer? What kind of overhead is added to each invocation | of read/write there? | mvertes wrote: | from what we measured on a gzip compression plugin, only a | few percents of overhead. Because the gzip part is compiled. | Only the plugin glue is interpreted. | johnchristopher wrote: | Quick question: is this the beginning of monetization of some of | traefik future features ? | akerro wrote: | yes, I think it's called marketplace for a reason. | jdoliner wrote: | I really wish Go plugins got some more love from the go team. It | looks like this is using Yaegi a Go interpreter, which is | probably the only reasonable choice. Go's plugin package requires | that the plugin be compiled with exactly the same compiler | version as the main binary. So you need to recompile every plugin | for every new release, at least if you upgrade the compiler | between releases which you often do. It also doesn't work on | windows. | emilevauge wrote: | Indeed, go plugins were our initial choice | (https://github.com/traefik/traefik/pull/1865). But you said | everything about how bad/impossible the workflow would have | been for users. Building from scratch a go interpreter was not | the easiest way, but this was the best solution regarding the | UX. | slx26 wrote: | There was a public doc talking about the golang linker that | addressed this issue at the end. My comment at the time and the | post can be found here [0]. I guess there's some hope, but I | haven't looked into it again, so I don't know whether anything | is moving forward or not. | | [0] https://news.ycombinator.com/item?id=20957741 | sagichmal wrote: | > Rather than being pre-compiled and linked, however, plugins are | executed on the fly by Yaegi, an embedded Go interpreter. | | Woof, no thank you. | | Go is basically incompatible with any kind of plugin-like dynamic | linking. There are basically two reasonable models for doing | something like plugins: the HashiCorp model, where plugins are | actually separate processes that do some kind of intra-process | communication with the host; or the Caddy model, where you select | which plugins you want when downloading the binary, and they're | built-in at compile time. | unixhero wrote: | I'm sure you're onto something. But I can't really decipher | whats bad here and which of the two scenarios you mention apply | to go interpreted plugins. | alufers wrote: | There is the "plugin" package which seems really cool and fits | the simplistic style of Go (tbh I haven't tried this module | myself, only glanced at the documentation), but it does not | work on Windows, which I think is the reason it is not used. | The ticket about adding Windows support to the plugin package | is one of the highest rated ones on Go's GitHub, yet it is | still open. | slx26 wrote: | See jdoliner's comment and replies on this thread for more | context and information. | hinkley wrote: | Correct me if I'm wrong, but the Caddy model requires curation, | doesn't it? | | Plugins and scripting languages flourish when they democratize | the process of adding features to a piece of code. To have | prebuilt binaries you need a build matrix, and the complexity | of the build matrix is somewhere between exponential and | factorial. | | This is a perverse incentive for the curators. The cost has to | be justified, and as the friction grows you can only justify | the things that you have a strong affinity for. Anything you | don't understand or don't like gets voted off the island. | | In the best addon ecosystems, the core maintainers put some | safety rails on the system so the addons can't do anything too | crazy. Then they watch the cream of the crop and start trying | to include them in the base functionality (limiting the number | of optional features the majority of their users have to | manually pick). The hard part here is how to reward the people | whose ideas you just co-opted, and I don't have a great answer | for that (although money and/or a free license for life is a | good start) | saurik wrote: | How can they possibly be calling this "native"? :/ ___________________________________________________________________ (page generated 2020-09-23 23:01 UTC)