Comments (11)

raphendyr commented on August 11, 2024 1

Just as a workaround, @tiagoposse you could configure two containers to be run inside a pod (see docs). This way you could set up an nginx proxy as a sidecar and use a unix socket for communication between the app and the proxy. I would also use a memory backing for the volume.

from drone-convert-pathschanged.
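
The sidecar workaround suggested in the comment above, sketched as a manifest. This is an added example, not configuration from the thread or from the drone-convert-pathschanged project; the image, object names, paths, port and the app's ability to listen on a unix socket are assumptions.

```yaml
# Added illustration; names, image tags, paths and the Secret are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: converter-nginx          # hypothetical name
data:
  default.conf: |
    server {
      listen 8443 ssl;
      ssl_certificate     /etc/nginx/tls/tls.crt;
      ssl_certificate_key /etc/nginx/tls/tls.key;
      ssl_protocols       TLSv1.2 TLSv1.3;
      location / {
        # The plaintext hop stays on a socket file that only this pod mounts.
        proxy_pass http://unix:/run/converter/app.sock;
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: converter                # hypothetical name
spec:
  containers:
    - name: app
      image: registry.example/converter:placeholder   # placeholder image
      # Assumption: the app can be told to listen on /run/converter/app.sock.
      volumeMounts:
        - { name: sock, mountPath: /run/converter }
    - name: tls-proxy
      image: nginx:stable
      ports:
        - containerPort: 8443    # the only listener exposed on the pod IP
      volumeMounts:
        - { name: sock, mountPath: /run/converter }
        - { name: conf, mountPath: /etc/nginx/conf.d, readOnly: true }
        - { name: tls, mountPath: /etc/nginx/tls, readOnly: true }
  volumes:
    - name: sock
      emptyDir: { medium: Memory }   # tmpfs-backed, not written to node disk
    - name: conf
      configMap: { name: converter-nginx }
    - name: tls
      secret: { secretName: converter-tls }   # hypothetical kubernetes.io/tls Secret
```

The nginx worker user needs write permission on the socket file to connect, so the two containers must agree on UID/GID or on the socket's mode.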

hwittenborn commented on August 11, 2024

Would a reverse proxy like NGINX do the job? I use it personally, and it doesn't seem to add much of any performance overhead.

tiagoposse commented on August 11, 2024

Unfortunately we need end-to-end encryption, so the reverse proxy wouldn't cut it :(

hwittenborn commented on August 11, 2024

Could you explain what you mean by end-to-end encryption (are you talking about SSL)? Where/How do you plan on using it?

tiagoposse commented on August 11, 2024

Sorry, should've been clearer. I'm indeed talking about SSL. Using a different pod as a reverse proxy still leaves the traffic between that pod and this plugin unencrypted. We want all possible traffic inside a cluster to be encrypted if possible.

hwittenborn commented on August 11, 2024

When you say using a different pod, is the reverse proxy still on the same machine as the drone-convert-pathschanged image? (Not very familiar with Kubernetes)

tiagoposse commented on August 11, 2024

There are ways of enforcing that both pods exist in the same node, but even then, pods in the same node would have access to the traffic

hwittenborn commented on August 11, 2024

Would both pods being on the same node not create enough security between the two?

If I'm not mistaken, the pods would just be communicating with each other over localhost. (They would just communicate in a similar fashion to Docker networks, right?)

tiagoposse commented on August 11, 2024

Although I can't speak with 100% confidence, I think this would work differently.

  • Docker creates an overlay network and you put 2 containers in the same network, isolated from the other containers.
  • In Kubernetes, if 10 pods are in the same node, they share the local network.

A set of other reasons why I think supporting TLS here would be better:

  • Paying for an additional pod to be running 24/7 for this purpose is unnecessary
  • Supporting TLS at the app level is the only way to achieve end-to-end encryption
  • In case of cluster stress or node failure, a situation can arise where there is no node that could accommodate both nginx and converter pods, creating a failure unnecessarily (of course there would be more pressing matters here, but this is still valid)

hwittenborn commented on August 11, 2024

That explains it well - I'm assuming you use the Kubernetes feature similar to what some Cloud providers offer?

In that case I see it working well, just not something I thought much of.

tiagoposse commented on August 11, 2024

Sure. I'd do it a different way considering we've spent more time on justifications than we'd actually spend fixing this "natively". But I understand there's a satisfying workaround, so closing this now :)
