search

ngrok / kubernetes-ingress-controller

The official ngrok Ingress Controller for Kubernetes
https://ngrok.com
MIT License
184 stars 20 forks source link

Changes applied to `NgrokModuleSet` do not propagate to managed `Edge` #287

Closed pmalek closed 10 months ago

pmalek commented 11 months ago

What happened

After applying NgrokModuleSet with e.g. oauth set to google email address and changing the email address there's no change in the managed Edge.

What you think should happen instead

After applying NgrokModuleSet with e.g. oauth set to google email address and changing the email address, managed Edge should be changed

How to reproduce

  1. Apply (e.g. via kubectl apply ...) below listed manifest (substitute domain and email address with your own)

    apiVersion: v1
kind: Service
metadata:
  name: proxy
  namespace: infra
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: infra
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - image: kong/httpbin:0.1.0
        name: httpbin
        ports:
        - containerPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: proxy
  namespace: infra
  annotations:
    k8s.ngrok.com/modules: oauth
spec:
  ingressClassName: ngrok
  rules:
  - host: <DOMAIN>.ngrok-free.app
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: proxy
            port:
              number: 80
---
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
  name: oauth
  namespace: infra
modules:
  oauth:
    google:
      emailAddresses:
      - <EMAIL>

  2. Verify that you can access <DOMAIN> using <EMAIL> address via google authentication.

  3. Change <EMAIL> to <EMAIL2> and apply the changes (e.g. kubectl apply ...)

  4. Verify that you can still access <DOMAIN> using <EMAIL> address via google authentication and not via <EMAIL2>

nikolay-ngrok commented 11 months ago

Thank you for the report @pmalek ! Currently, the controller is watching NgrokModuleSet CRs for changes, but it is not triggering reconciliation. We’ll be looking into addressing this gotcha next, but for the time being, operators either need to restart the controller or change some of the ingress objects to trigger reconciliation. One neat way you could do this is to create and set a new NgrokModuleSet CR for your ingress, instead of updating the old CR.

Also, we are happy to look over a PR if you wanna explore the fix yourself.

pmalek commented 11 months ago

Thanks for response. I'll wait until you provide the fix as it's not obvious to me where and how to change (ingress controller https://github.com/ngrok/kubernetes-ingress-controller/blob/main/internal/controllers/ingress_controller.go I suppose) the code to make it work.