[HN Gopher] Traefik, Now With Native Go Plugins
___________________________________________________________________
Traefik, Now With Native Go Plugins
Author : emilevauge
Score : 118 points
Date : 2020-09-23 15:43 UTC (7 hours ago)
(HTM) web link (traefik.io)
(TXT) w3m dump (traefik.io)
| djsumdog wrote:
| I replaced my haproxy setup with Traefik and it works pretty
| wonderfully. The LetsEncrypt integration works really well.
|
| I don't really have any interest in plugins personally, but this
| is still quite an amazing project.
| rileymichael wrote:
| The only thing keeping me from switching is the removal of
| "distributed LetsEncrypt" in 2.0. I get that it's a non-issue
| for k8s setups with cert-manager, but people aren't always
| using k8s and it's still a feature in the enterprise edition.
| 3np wrote:
| Could you elaborate what you mean? While it'd be ideal to
| store certs in vault, I'm having it run fine in orchestrated
| containerization with the cert storage on a distributed
| filesystem.
| JanMa wrote:
| I am really happy to finally see them adding some functionality
| to add custom middlewares to Traefik. However it leaves a bad
| taste in my mouth that in order to use it, you have to sign up to
| their new SaaS. Especially when keeping in mind that this is the
| "most requested feature" of the community.
| castis wrote:
| There hadn't been an elegant way to get geoip information to
| downstream nginx servers until this.
|
| Fantastic, looking forward to playing with this.
| password4321 wrote:
| Does anyone have time to explain the downsides of the HashiCorp
| plugin approach (gRPC to another process) vs. creating an
| interpreter?
|
| https://github.com/hashicorp/go-plugin
| throwaway894345 wrote:
| Using an interpreter locks you into the interpreter's language
| (e.g., no NodeJS, Python, etc plugins), but you are able to
| pass around memory and call procedures from the host program
| directly instead of having to write an IPC shim layer.
|
| EDIT: Updated for accuracy
| thegeekpirate wrote:
| They actually created their own interpreter
| https://github.com/traefik/yaegi
|
| Here's their original announcement post
| https://traefik.io/blog/announcing-yaegi-263a1e2d070a
| throwaway894345 wrote:
| oof, I noticed that they referenced a different
| interpreter; didn't realize they also created it. My bad.
| tapirl wrote:
| I never built Traefik successfully. The same is for tag v2.3.0.
|
| $ go build ./... go: finding module for package
| github.com/traefik/traefik/v2/autogen/genstatic
| cmd/traefik/traefik.go:18:2: module
| github.com/traefik/traefik@latest found (v1.7.26), but does not
| contain package github.com/traefik/traefik/v2/autogen/genstatic
| jspdown wrote:
| In order to build Traefik you have to get go-bindata and run
| the go generate command. You can find more information on
| https://doc.traefik.io/traefik/contributing/building-testing...
| tapirl wrote:
| Got it. Built in successfully now. Thanks.
| d33 wrote:
| I wish I could like Traefik, but it really isn't easy.
|
| The use case in our Hackerspace was to dispatch different Docker
| containers through our wild-card subdomains. Traefik is supposed
| to also automatically create TLS certificates. I had numerous
| problems with the Let's Encrypt functionality.
|
| Debugging information is quite cryptic, the documentation seems
| all over to me, which is even more problematic given the number
| of breaking changes between 1.x and 2.x versions. The way you
| automatically configure things through Docker labels means that a
| simple typo can render your configuration ignored.
|
| Also, plugging in Traefik to complex docker-compose projects such
| as Sentry or Gitlab is next to impossible, because of networking:
| whatever I tried, Traefik just couldn't pick up containers and
| forward to them unless I changed the definition of every single
| container in the docker-compose to include an extra network. I
| don't feel this should be this complex.
|
| Sometimes I just feel that we should get back to using Nginx and
| write our rules manually. While the concept of Traefik is
| awesome, the way one uses it is extremely cumbersome.
| fuzzy2 wrote:
| I actually have the same setup and it's working perfectly fine,
| even with my IPv4+6 specific address only config + lots of
| file-based configuration. I absolutely recommend using the TLS
| challenge with Let's Encrypt.
|
| No problems with Docker (Compose) networks either, but I'm not
| using it with GitLab because I have enough IPs.
|
| The biggest problem I see is the accumulation of certificates
| that will all be kept up-to-date, whether in use or not.
| zwayhowder wrote:
| I also have a working system that I found very easy (for me)
| to setup.
|
| Recently it all came crashing down when an old domain I had
| expired and I was no longer able to update the DNS in Digital
| Ocean. The one - unused - domain failing stopped Traefik
| renewing all my certificates. But I'm also on 1.7 still and
| really should update to 2.x
| atombender wrote:
| I worked on a project last year where we tried using Traefik on
| Kubernetes together with Let's Encrypt certs. It worked...
| sometimes.
|
| We had significant issues with Traefik not allocating or
| renewing certs, resulting in some painful outages. The worst
| part was that there was no workaround; when adding a new domain
| to an ingress, it was completely incomprehensible why Traefik
| wasn't requesting a cert, or indeed why it wasn't renewing
| older ones that were close to expiration. We filed GitHub
| issues with concrete errors, but they were never addressed. At
| the time, I tried to debug Traefik to understand how it worked
| and maybe chase down some of those bugs. I don't like to speak
| ill of other people's code -- let's just say that peeking under
| the covers made me realize _perfectly_ why Traefik was so
| brittle and buggy.
|
| We eventually ditched Traefik in favour of Google Load Balancer
| ingresses, combined with Cert-Manager for Let's Encrypt, and
| this combination worked flawlessly out of the box despite not
| being a 1.0 release at the time. The beauty of this setup is
| that the control plane (cert and ingress configuration) is kept
| separate from the data plane (web server), so the two can be
| maintained and upgraded/replaced separately.
| pibefision wrote:
| I second this. It's incredible complex to debug how Traefik
| understand it's configuration, and also documentation and
| examples over the internet are very confusing because the
| version 1.x vs 2.x changes.
| kalev wrote:
| Ouch, we're currently using nginx but recently switched one
| service to use traefik. I'm so afraid what you describe is what
| will bite us in the end. I wrote treafik instead of traefik in
| one of the labels and only noticed it after hours of debugging.
| When it works, it works great. But to get it in that state..
| viraptor wrote:
| I see where the op is coming from, but I found the debugging
| quite easy in practice. If something doesn't work, go to the
| traefik panel and find the element you're looking for. If
| it's not there, it's normally fairly obvious.
| codethief wrote:
| I've been wanting to use Traefik for a long time but there's this
| security issue[0] that's almost two(!) years old now that's been
| keeping me from deploying it in production. As far as I can tell,
| there's still no out-of-the-box solution that's not overly
| complicated and won't come back to haunt me a year or two from
| now.
|
| [0] https://github.com/traefik/traefik/issues/4174
|
| [1] https://doc.traefik.io/traefik/providers/docker/#docker-
| api-...
| TheDong wrote:
| That so called "security issue" is silly.
|
| You don't have to deploy traefik with docker. If you want
| traefik to monitor new docker containers to add routes for
| them, of course traefik needs to talk to the docker api to do
| so.
|
| The docker api has no way to control access such that it's not
| equivalent to root access.
|
| However, there's no real vulnerability. I'm happy to provide
| you a url hosted by traefik with the docker integration
| enabled, no docker socket proxy, etc, and if you can manage to
| actually escalate permissions, I'll give you 500 bucks. But, of
| course, you can't. That security issue is just a "defense in
| depth" issue, and it's an issue for docker, not traefik.
|
| This would be like saying "traefik uses the linux kernel api to
| open files, but the linux kernel requires traefik validate what
| goes into that api or else it could allow file path
| traversal"... But traefik does validate filepaths and so no one
| makes that complaint.
|
| Similarly, traefik does validate that only safe docker api
| calls are made and works hard to prevent any sort of remote
| code execution, so the issue is not a security issue, but a
| defense in depth proposal that is really a feature request for
| the docker project.
| kayson wrote:
| This is very easily solved by using a proxy for the docker
| socket:
|
| https://github.com/Tecnativa/docker-socket-proxy
|
| https://github.com/traefik/traefik/issues/4174#issuecomment-
|
| Create a private network that only connects Traefik and the
| proxy, and limit Traefik's access to only the GET requests it
| needs to operate. Now the socket is only exposed to a local
| container.
| emilevauge wrote:
| This security issue is not that simple to manage as you
| probably know. It's mainly due to the fact that there is now
| way to have authorization on the the docker API. This is not
| the case on Kubernetes for example where you have RBAC to
| prevent this kind of issue. We have described this in detail in
| our documentation, and you have many solutions/workarounds to
| address this:
| https://doc.traefik.io/traefik/providers/docker/#docker-api-...
| Spivak wrote:
| Yeah, I'm surprised that this is such a sticking point.
| There's nothing that anyone who isn't Docker Inc. can do to
| fix the problem that, by default, Docker is all or nothing.
| It would be nice if Docker could expose a read-only endpoint
| but c'est la vie.
|
| The only solution I've seen/used that wasn't convoluted or
| brittle is running a little daemon to just shovel container
| metadata into Consul and going from there.
| 3np wrote:
| You've probably discounted this for some reason already, but
| why not use something more built for service discovery - e.g.
| Consul Catalog / k8s / etcd?
| rcarmo wrote:
| I would _really_ like to see social auth middleware (something
| like authelia, but simpler to setup and deploy, especially as an
| ingress).
| jerryoftheyear wrote:
| Sign me up for an easy to use 2FA layer I can put in front of
| services.
| thegagne wrote:
| I've been toying with Azure OpenID Connect w/ Cloudflare
| Workers. Not local to the datacenter but you could probably
| do something similar elsewhere?
| rad_gruchalski wrote:
| Like this but a plugin? https://github.com/thomseddon/traefik-
| forward-auth
| thomseddon wrote:
| I'm planning to release this as a plugin :)
| mvertes wrote:
| Awesome use of yaegi interpreter!
| kodablah wrote:
| So the Go middleware is interpreted? Curious how that works
| with a request lazy/large body reader and a response lazy/large
| body writer? What kind of overhead is added to each invocation
| of read/write there?
| mvertes wrote:
| from what we measured on a gzip compression plugin, only a
| few percents of overhead. Because the gzip part is compiled.
| Only the plugin glue is interpreted.
| johnchristopher wrote:
| Quick question: is this the beginning of monetization of some of
| traefik future features ?
| akerro wrote:
| yes, I think it's called marketplace for a reason.
| jdoliner wrote:
| I really wish Go plugins got some more love from the go team. It
| looks like this is using Yaegi a Go interpreter, which is
| probably the only reasonable choice. Go's plugin package requires
| that the plugin be compiled with exactly the same compiler
| version as the main binary. So you need to recompile every plugin
| for every new release, at least if you upgrade the compiler
| between releases which you often do. It also doesn't work on
| windows.
| emilevauge wrote:
| Indeed, go plugins were our initial choice
| (https://github.com/traefik/traefik/pull/1865). But you said
| everything about how bad/impossible the workflow would have
| been for users. Building from scratch a go interpreter was not
| the easiest way, but this was the best solution regarding the
| UX.
| slx26 wrote:
| There was a public doc talking about the golang linker that
| addressed this issue at the end. My comment at the time and the
| post can be found here [0]. I guess there's some hope, but I
| haven't looked into it again, so I don't know whether anything
| is moving forward or not.
|
| [0] https://news.ycombinator.com/item?id=20957741
| sagichmal wrote:
| > Rather than being pre-compiled and linked, however, plugins are
| executed on the fly by Yaegi, an embedded Go interpreter.
|
| Woof, no thank you.
|
| Go is basically incompatible with any kind of plugin-like dynamic
| linking. There are basically two reasonable models for doing
| something like plugins: the HashiCorp model, where plugins are
| actually separate processes that do some kind of intra-process
| communication with the host; or the Caddy model, where you select
| which plugins you want when downloading the binary, and they're
| built-in at compile time.
| unixhero wrote:
| I'm sure you're onto something. But I can't really decipher
| whats bad here and which of the two scenarios you mention apply
| to go interpreted plugins.
| alufers wrote:
| There is the "plugin" package which seems really cool and fits
| the simplistic style of Go (tbh I haven't tried this module
| myself, only glanced at the documentation), but it does not
| work on Windows, which I think is the reason it is not used.
| The ticket about adding Windows support to the plugin package
| is one of the highest rated ones on Go's GitHub, yet it is
| still open.
| slx26 wrote:
| See jdoliner's comment and replies on this thread for more
| context and information.
| hinkley wrote:
| Correct me if I'm wrong, but the Caddy model requires curation,
| doesn't it?
|
| Plugins and scripting languages flourish when they democratize
| the process of adding features to a piece of code. To have
| prebuilt binaries you need a build matrix, and the complexity
| of the build matrix is somewhere between exponential and
| factorial.
|
| This is a perverse incentive for the curators. The cost has to
| be justified, and as the friction grows you can only justify
| the things that you have a strong affinity for. Anything you
| don't understand or don't like gets voted off the island.
|
| In the best addon ecosystems, the core maintainers put some
| safety rails on the system so the addons can't do anything too
| crazy. Then they watch the cream of the crop and start trying
| to include them in the base functionality (limiting the number
| of optional features the majority of their users have to
| manually pick). The hard part here is how to reward the people
| whose ideas you just co-opted, and I don't have a great answer
| for that (although money and/or a free license for life is a
| good start)
| saurik wrote:
| How can they possibly be calling this "native"? :/
___________________________________________________________________
(page generated 2020-09-23 23:01 UTC)