How to reload custom go plugin configuration

Hi,

I’m writing a custom go plugin to validate scopes in JWT.
The plugin takes the “allowed scopes” for a given path as plugin configuration.
Although the plugin configuration is loaded correctly the first time, subsequent updates to the config are not picked up. Is there a way to rollout config changes or somehow send a signal to the plugin to reload its config?

Here is what the custom plugin configuration looks like.
The custom plugin is backed in the kong docker image

apiVersion: configuration.konghq.com/v1
config:
jwksUri: https://some-url/certs
protectedPaths:
- allowedScopes:
- tenant-two-scope
path: /ip
kind: KongPlugin
metadata:
name: hello-oauth2
namespace: kong-tenant-two
plugin: mygoplugin

Many thanks!

@sebbonnet Are you aware of the configure function as documented here? You could start with adding some logging to the function to see if it’s being called when you expect.

@rick thanks for the response

The doc you’re pointing me to is for LUA plugins, when I’m creating a Golang one.
There isn’t an equivalent init_worker as far as I can see in go-pdk/server/instance.go at v0.11.0 · Kong/go-pdk · GitHub

I’ve implemented all the methods of the interface, but none are being invoked when the KongPlugin config changes.

certificater interface{ Certificate(*pdk.PDK) }|
rewriter interface{ Rewrite(*pdk.PDK) }|
accesser interface{ Access(*pdk.PDK) }|
responser interface{ Response(*pdk.PDK) }|
prereader interface{ Preread(*pdk.PDK) }|
logger interface{ Log(*pdk.PDK) }|

Besides deleting the KongPlugin configuration CR as no effect either, so it does seem that the plugin configuration is cached for the duration of the plugin server at least.
In fact looking at bit more in instance.go, there is a comment suggesting here that a new instance should be started in case of plugin config changes and the old one stopped. Are there any examples / guides on how to do that? How can I retrieve the current instance status to stop the old instance and how to generate a new instance status to start a new one?

Hi @sebbonnet ,

Thanks for opening up this issue, welcome to the Kong community.

What Kong version is this? We have recently fixed an issue that sounds like the same as you are facing; check out [backport -> release/3.6.x] fix(pluginserver): ensure a change to plugin config takes effect by team-gateway-bot · Pull Request #12729 · Kong/kong · GitHub. It has been merged and will go out in 3.7.0 (or 3.6.2 if we release one).

If that does not help, please consider opening up an issue in our Git repos GitHub - Kong/kong: 🦍 The Cloud-Native API Gateway and AI Gateway. or even GitHub - Kong/go-pdk: Write Kong plugins in Go! 🦍.

Thanks and happy Konging!

Hi @salazar,

The bug fix sounds promising.
I’m using kong docker image 3.6.0-ubuntu (I need the docker image as I’m bundling the custom plugin in it). I can see there is 3.6.1-ubuntu available but not 3.7.0 (or 3.6.2) yet - will you be releasing them soon, so I can test again?

I’ve also raised Question: How to reload plugin configuration? · Issue #198 · Kong/go-pdk · GitHub yesterday

Thanks!

@sebbonnet,

3.7 is planned for mid-May. We do not have a date for the next 3.6 patch release.

In the meantime, you can test the fix with our nightly builds Docker – note that this build is for testing only and should not be used in prod environments.

Hi @salazar,

Thanks for the feedback and sorry for the late reply - I was on leave

I’ve used the nightly build 3ff9ea0de5a9 and can confirm that the KongPlugin config is now correctly getting reloaded on changes. I’ve also checked that deleting a KongPlugin configuration CR is correctly picked up.

Thanks for your help with it.

I’ll be watching the next Kong releases to get the permanent fix in either 3.6.2 or 3.7

Glad it resolved the issue; thanks for testing and reporting back.

Hi @salazar,
Is there a plan to port this fix to the 3.4.x LTS?

@cassioconti It has already been done - and released in 3.4.3.6.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.