Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable Diagnostic UI in the internal k8s network only #3074

Closed
jfrabaute opened this issue Nov 16, 2020 · 5 comments
Closed

Enable Diagnostic UI in the internal k8s network only #3074

jfrabaute opened this issue Nov 16, 2020 · 5 comments

Comments

@jfrabaute
Copy link
Contributor

Please describe your use case / problem.
Since 1.6, when the diagnostics is disabled, the admin UI is not exposed to envoy, but it is also not exposed to the pod IP. It is only exposed the 127.0.0.1.
This makes exposing the UI difficult.
Our use case is that we have another ambassador group running, for all the admin UIs and we were exposing the public ambassador admin with this admin ambassador group. Now it returns Not found.

Describe the solution you'd like
Right now, there is a flag diagnotics.enabled which is "true" or "false".
There are two options: Either we make this flag accept multiple values (ex: "disabled", "enabled", "pod_enabled_only") instead of a bool, or we add a second flag, (ex pod_enabled: true) to enable the admin UI outside of the pod (but not publicly).
(Names are probably bad, it's just provided as example).

Additional context
Initial discussion: https://datawire-oss.slack.com/archives/CAULN7S76/p1605206931353900
@stale
Copy link

stale bot commented Jan 16, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale Issue is stale and will be closed label Jan 16, 2021
@jfrabaute
Copy link
Contributor Author

/notstale

@stale stale bot removed the stale Issue is stale and will be closed label Jan 20, 2021
@kflynn
Copy link
Member

kflynn commented Feb 25, 2021

As mentioned on Slack:

I would probably lean more towards a second variable like diag_bind_address maybe, since I think that’s what would actually be changing? I’m not opposed to more granularity here.

@jfrabaute
Copy link
Contributor Author

jfrabaute commented Mar 1, 2021
edited
Loading

Actually.... this is not related to the bind address. It's just hardcoded in the code:

    enabled = app.ir.ambassador_module.diagnostics.get("enabled", False)
    if not enabled and not _is_local_request():
        return Response("Not found\n", 404)

so when I set diagnostics.enabled to false, it blocks the request from the request handler.
diagnostics.enabled to true is adding the mappings which expose the diag UI to the outside world.

I might need to add something like expose_non_local: true ? So something like that?

      config:
        diagnostics:
          enabled: false
          expose_non_local: true

Maybe there is another way...

@kflynn
Copy link
Member

kflynn commented Mar 5, 2021

I'd go with allow_non_local, but yes, after our discussion on Slack, I think that's as good as you're gonna get. Go for it. 🙂

jfrabaute added a commit to jfrabaute/ambassador that referenced this issue Mar 23, 2021
@jfrabaute
Add diagnostics.allow_non_local feature
712e740 
This option allows to expose the diag UI to non-local clients, even when
the diag UI is disabled.

Implements emissary-ingress#3074
@jfrabaute jfrabaute mentioned this issue Mar 23, 2021
Merged
16 tasks
jfrabaute added a commit to jfrabaute/ambassador that referenced this issue Mar 24, 2021
@jfrabaute
Add diagnostics.allow_non_local feature
de5c9e0 
This option allows to expose the diag UI to non-local clients, even when
the diag UI is disabled.

Implements emissary-ingress#3074
jfrabaute added a commit to jfrabaute/ambassador that referenced this issue Mar 24, 2021
@jfrabaute
Add diagnostics.allow_non_local feature
ad415e4 
This option allows to expose the diag UI to non-local clients, even when
the diag UI is disabled.

Implements emissary-ingress#3074
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jfrabaute @kflynn