API: EnvoyExtensionPolicy

[guydc]

What this PR does / why we need it:

This PR introduces a new policy type, EnvoyExtensionPolicy, that can be used to add multiple HTTP and Network extension filters (such as lua, wasm, golang, ext-proc), and define their order of execution.

Relates to #2546, #2025, #2877

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.57%. Comparing base (23fa358) to head (b0dea04).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2570   +/-   ##
=======================================
  Coverage   64.57%   64.57%           
=======================================
  Files         122      122           
  Lines       21115    21115           
=======================================
  Hits        13636    13636           
  Misses       6632     6632           
  Partials      847      847           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[arkodg]

prefer EnvoyExtensionPolicy since these extensions are specific to envoy or ExtensionPolicy if these extensions are common across proxy implementations

[guydc]

In yesterday's community meeting, @arkodg raised the following requirements:

• Users may need to attach multiple policies in order to configure multiple extension filters (a common use case for WASM, LUA)
• Users may need to control the logical phase of filter execution (e.g. before auth, before rate limit, ... )
• Users may need to control the order of execution of extension filters amongst themselves (within a specific phase)

Istio's implementation for WASM plugins uses phase and priority to achieve this. Envoy Gateway can follow similar principles. The definition of such phases can have an impact on #2571, for example limiting the level of flexibility that users will have when re-arranging the Envoy Gateway built-in extensions.

@envoyproxy/gateway-maintainers - WDYT? Should we follow the istio pattern and implement phases and priorities for user-defined extensions?

[liorokman]

In order to be consistent with other enums defined in the various EnvoyGateway CRDs, the enum values should not be all-caps.

	AuthzEnvoyExtensionPhase     EnvoyExtensionPhase = "AuthZ"
        AuthnEnvoyExtensionPhase     EnvoyExtensionPhase = "AuthN"
 	RateLimitEnvoyExtensionPhase EnvoyExtensionPhase = "RateLimit"

[liorokman]

Does this really need to be an aliased type?

Similar definitions in the APIs don't define an aliased type for map[string]string. See KubernetesPodSpec for example.

[liorokman]

Add a +kubebuilder:default comment for MessageTimeout.

[liorokman]

This shortName is the same as the shortName defined for the SecurityPolicy resource.

Consider removing the short name, or changing it to ep.

[guydc]

Incorporated points from the discussion in today's community meeting:

• Filter Ordering in EnvoyProxy
• Disablement of Extensibility by default, enablement in EnvoyGateway
• Remove distinction between HTTP/Network in the interface
• Allow route attachment

[arkodg]

@zhaohuabing lets pause on #2877 until this API is done, and the WASM API can be incorporated as a field within this API

[arkodg]

probably PolicyStatus here

[arkodg]

suggest keep filter ordering out of scope of this API, and solving it separately in #2571

[zhaohuabing]

Should the spec support defining extensions as a list?

Unlike "normal" filters(Rate Limit, CORS, Basic Auth, OAuth2, JWT, etc), where typically only one filter per HTTPRoute is needed, users often require multiple custom Envoy extensions(wasm, lua, golang, ext auth?, etc.) of the same type for different purposes. For example, they might use a wasm filter for WAF and another for auth on the same HTTPRoute.

The current spec only supports defining a single extension per HTTPRoute, and it would block those use cases.

We may need to make it a list, like the below yaml snippet shows:

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: EnvoyExtensionPolicy
metadata:
  name: my-extensions
spec:
  targetRef:
    kind: HTTPRoute
    name: backend
  wasm:
    - name: wasm_plugin_waf
     ...
    - name: my_plugin_auth
      ...
  ExtProc:
    - name: exproc_plugin_1 
      ....
    - name: exproc_plugin_2     
  Lua:
    - name: lua_plugin_1 
      ....
    - name: lua_plugin_2 
.....        

[guydc]

Should the spec support defining extensions as a list?

+1

I think that's a reasonable ask, when considering that we allow something similar with envoy patches and it is indeed a very common use case. Maybe we can even avoid dealing with priority and multi-attachment in the first phases for this policy, if we support this + route attachment in the initial iteration.

[arkodg]

as per huabing's point, should we make this a list ?

[guydc]

To make things a bit simpler, I removed ext-proc from this PR. After the top-level resource is added, @zhaohuabing and I can work on ext-proc/wasm in parallel.

[arkodg]

should target Gateway and Route

[arkodg]

@envoyproxy/gateway-maintainers @envoyproxy/gateway-reviewers thoughts on this ?

[zirain]

I'm fine to remove all these, it will not happen unless you create a CR.

[arkodg]

can we incorporate some of these below points in this doc

• there are now 2 kinds of extensibility today
  • extending EG API by configuring xDS directly using EnvoyPatchPolicy & ExtensionManager
  • the other kind, highlighted in this doc that extends and adds newer functionality on top of what Envoy offers

Also a note around how users have been using EnvoyPatchPolicy & ExtensionManager to directly configure this extensions, but this API provides a safer and more scoped API

[guydc]

/retest

[arkodg]

LGTM thanks !